Objectives of defence-in-depth
Implementation of the defence in depth concept involves several levels of protection, including successive barriers that prevent the release of radioactive material to the environment. The objectives are as follows:
When France adopted the pressurised water reactor system this country had already built several major nationally designed installations and perfected an appropriate safety approach, the barrier method.
Protection of the public against the consequences of an accidental release of fission products rests on the interposition of a series of leak-tight barriers. French practice considers three barriers (Fig. 13): the fuel cladding, the reactor coolant pressure boundary and the primary containment; some countries also count the fuel matrix as a first barrier, which does not materially change the method. Each of these barriers is examined in detail under three operating conditions:
Safety analysis therefore consists of ensuring the validity of each of these barriers and their correct operation under normal and accident reactor operating conditions. This kind of analysis emphasises the progressive nature of safety by distinguishing three successive but interrelated stages:
This barrier method is deterministic, since it postulates a certain number of accident situations. Applying it during the examination of the first 900 MW(e) PWR units at the beginning of the 1970s revealed certain difficulties. While the definition of the first barrier is simple despite its extent, this is not true for the other two barriers. The reactor coolant pressure boundary is clearly defined within the reactor building, but it branches out in a fairly complex manner in the auxiliary buildings. The spent fuel pit fulfils the same function, despite its free surface. Nor is the reactor building containment the only place containing spent fuel or primary coolant, so delimitation of the third barrier is also fairly complex. Finally and most importantly, this succession of three barriers implies one markedly important fact: the steam generator tubes, with their considerable total surface area and very thin wall, simultaneously fulfil the functions of primary coolant enclosure and containment (second and third barriers).
These reflections have contributed to the evolution of safety thinking from the barrier method to the defence in depth concept. This concept in fact includes the barrier method, but enables an analysis of installations to be carried out which is both more comprehensive and more detailed.
Levels of defence
The defence in depth concept is not an installation examination technique eliciting a particular technical solution, but a method of reasoning and a general framework enabling more complete examination of an entire installation. It was developed in the USA in the sixties and was notably the design basis for the Westinghouse nuclear power reactors. The approach linking successively prevention, monitoring and mitigating action is broadened to cover all safety related components and structures. We shall see that this approach, initially developed for plant design analysis, is also well adapted to operating organization.
Before describing the different stages involved, the principle can be simply summarised as follows: Although the precautionary measures taken with respect to errors, incidents and accidents are, in theory, such as to prevent their occurrence, it is nevertheless assumed that accidents do occur and provisions are made for dealing with them so that their consequences can be restricted to levels deemed acceptable. This does not obviate the need to study still more severe situations, the causes of which may as yet be unknown, and to be ready to confront them under the best possible conditions.
The approach combines the prevention of abnormal situations and their degradation with the mitigation of their consequences. It is a deterministic method, since a certain number of incidents and accidents are postulated. The defence in depth concept consists of a set of actions, items of equipment or procedures, classified in levels, the prime aim of each of which is to prevent degradation liable to lead to the next level and to mitigate the consequences of failure of the previous level. The efficiency of mitigation must not lead to cutbacks in prevention, which takes precedence.
In July 1995, the IAEA International Nuclear Safety Advisory Group adopted a document on this subject, INSAG-10, "Defence in Depth in Nuclear Power Plant Safety". This document presents the history of the concept since its inception and how it is currently applied, and indicates advisable modifications for its application to the next generation of reactors.
The defence in depth concept now comprises five levels. The way in which these levels are structured may vary from one country to another or be influenced by plant design but the main principles are common. The presentation below is consistent with the new INSAG document (See Fig. 14).
The installation must be endowed with excellent intrinsic resistance to its own failures or specified hazards in order to reduce the risk of failure. This implies that following preliminary delineation of the installation, as exhaustive a study as possible of its normal and foreseeable operating conditions be conducted to determine for each major system, structure or component, the worst mechanical, thermal, pressure stresses or those due to environment, layout, etc. for which allowance must be made. Normal operating transients and the various shutdown situations are included in normal operating conditions. The installation components can then be designed, constructed, installed, checked, tested and operated by following clearly defined and qualified rules, while allowing adequate margins with regard to specific limits at all times to underwrite correct behaviour of the installation. These margins should be such that systems designed to deal with abnormal situations need not be actuated on an everyday basis.
A moderate-paced process with a computer-based control system will diminish operating staff stress hazards. Man-machine interface provisions and time allowances for manual intervention can make a significant contribution.
In the same way, the various disturbances or hazards deriving from a source external to the plant and which the installation must be able to withstand without operating disturbances or, in other cases, without causing significant radioactive discharge, shall be specified. Site selection with a view to limiting such constraints can play a decisive role. In this way, it is possible to determine a reference seismic level, extreme meteorological conditions expressed as wind speed, weight of snow, maximum over-pressure wave, temperature range, etc. The new stress factors thus derived shall be used in the same way as before.
Sets of rules and codes define in a precise and prescriptive manner the conditions for design, supply, manufacture, erection, checking, initial and periodic testing, operation and preventive maintenance of all safety related equipment and structures in the plant in order to guarantee their quality in the widest sense of this term. The selection of appropriate staff for each stage, from design to operation, their appropriate training, the overall organization, the sharing of responsibilities or the operating procedures contribute to the prevention of failures throughout plant life. This also applies to the systematic use of operating feedback. On this basis may be defined the authorized operating range for the plant and its general operating rules.
The installation must be prevented from straying beyond the authorized operating conditions which have just been defined and sufficiently reliable regulation, control and protection* systems must be designed with the capacity to inhibit any abnormal development before equipment is loaded beyond its rated operating conditions, so defined as to allow substantial margins with respect to failure risks. Temperature, pressure and nuclear and thermal power control systems shall be installed to prevent excessive incident development without interfering with power plant operation. With a plant design procuring a stable core and high thermal inertia, it is easier to hold the installation within the authorized limits.
Systems for measuring the radioactivity levels of certain fluids and of the atmosphere in various facilities shall meet the monitoring requirements and check the effectiveness of the various barriers and purification systems. Malfunctions clearly signalled in the control room can be dealt with by the operators without undue delay. Finally, the protection systems, the most important of which is the emergency shutdown system but which also include, for example, the safety valves, shall be capable of rapidly arresting any undesirable phenomenon inadequately controlled by the relevant systems, even if this entails shutting down the reactor.
Furthermore, a periodic equipment surveillance program enables any abnormal developments in major equipment to be spotted. Such developments would otherwise be likely to lead to failures over a period of time. Periodic weld inspections, crack and leak detection, routine system testing pertain to these preventive surveillance activities.
The first two levels of defence in depth, prevention and keeping the reactor within the authorized limits, are designed to eliminate with a high degree of reliability, the risk of plant failure. However, despite the care devoted to these two levels and with the obvious aim of safety, a complete series of incidents and accidents is postulated by assuming that failures could be as serious as a total instantaneous main pipe break in a primary coolant loop or a steam line or could concern reactivity control. This places us in a deterministic context, which is one of the essential elements of the safety approach.
We are then required to install systems for limiting the effects of these accidents to acceptable levels, even if this involves the design and installation of safety systems having no function under normal plant operating conditions. These are the engineered safeguard systems**. Start-up of these systems must be automatic and human intervention should only be required after a time lapse allowing for a carefully considered diagnosis to be reached. In the postulated situations, the correct operation of these systems ensures that core structure integrity will be unaffected, which means that it can subsequently be cooled. Release to the environment will consequently be limited.
The choice of incidents and accidents must be made from the beginning of the design phase of a project so that those systems required for limiting the consequences of incidents or accidents integrate perfectly with the overall installation design. This choice must be made with the greatest care as it is very difficult to insert major systems in a completed construction at a later date.
In the light of continuing analysis of the risks of plant failure, and of events such as the accident which occurred at Three Mile Island in 1979, it was decided to consider cases of multiple failure and, more generally, the means required to contend with plant situations which had bypassed the first three levels of the defence in depth strategy or which were considered as part of the residual risk. Such situations can lead to core meltdown and consequently to even higher release levels. The concern here is therefore to reduce the probability of such situations by preparing appropriate procedures and equipment to withstand additional scenarios corresponding to multiple failures. These are the complementary measures aimed at preventing core meltdown.
Every endeavour would also be necessary to limit radioactive release due to a very serious occurrence which would nevertheless have involved core meltdown and to gain time to arrange for protective measures for the populations in the vicinity of the site. It is then essential that the containment function be maintained under the best possible conditions. The latter accident management actions are defined in emergency procedures and are outlined in the internal emergency plan and will be discussed in detail in Appendix III.
Population protection measures made necessary by high release levels (evacuation; confinement indoors with doors and windows closed; distribution of stable iodine tablets; restrictions on certain foodstuffs; etc.) would only be required in the event of failure or inefficiency of the measures described above. We therefore remain within the logic of defence in depth. The conditions of such evacuation or confinement are within the remit of the public authorities. They are supplemented by the preparation of short or long term measures for controlling the consumption or marketing of foodstuffs which could be contaminated. Such measures are included in the external emergency plans. The decision to implement them will be based on analysis of the situation by the operator and the safety organizations, and then on environmental radioactivity measurements.
Periodical training drills will also be necessary in this area to ensure adequate efficiency of the resources and linkups provided.
Elements common to the different levels
The notions of conservatism and safety margins, very closely linked with the deterministic approach, apply more to the first three levels of defence. Severe accidents, on the other hand, generally require a less conservative approach, and realistic assessment is preferable when population has to be protected against substantial radioactive release. Each level of defence can be effective only if the quality of design, materials, structures, components and systems, operation and maintenance can be relied upon. Finally, all parties actively involved in plant safety, whether they are operators, constructors, contractors or members of safety organizations, must be thoroughly versed in safety culture.
The notion of successive levels of defence implies that these levels are as independent as possible. It will consequently be very important to ensure that the same event or failure, whether single or multiple, could not affect several levels simultaneously, thereby calling the entire approach into question. This would be the case, for example, if a specific failure inhibited the systems provided to limit the consequences of the event considered. Safety system reliability must be adequate. Special design, layout and maintenance rules are applied to them.
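The independence requirement stated above can be checked systematically: list each provision, the level it belongs to and the support items it cannot work without, then look for a single failure that removes every provision of two or more levels at once. The following is an added worked example written for this page, not part of the document or of any plant's actual analysis; the provisions, support items and their dependencies are constructed and hypothetical, and the level assignments follow the text of this page (protection systems at level 2).

```python
"""Independence check across defence in depth levels (added example, constructed model).

Each provision belongs to one level and depends on a set of support items.
A support item whose loss removes every provision of two or more levels is a
common-cause failure that breaks the independence between levels.
"""
from collections import defaultdict
from itertools import combinations

LEVELS = {
    1: "prevention",
    2: "control, surveillance and protection",
    3: "engineered safeguards",
    4: "complementary measures (core-melt prevention and containment)",
    5: "off-site protection of the population",
}

# Hypothetical plant: provision -> (level, support items it cannot work without).
# An empty set marks an intrinsic feature with no support dependency.
FIXED = {
    "stable core, large thermal inertia":      (1, set()),
    "pressure and temperature control":        (2, {"instrument bus", "offsite power"}),
    "reactor trip":                            (2, {"instrument bus"}),
    "safety injection":                        (3, {"emergency AC", "instrument bus"}),
    "motor-driven auxiliary feedwater":        (3, {"emergency AC", "instrument bus"}),
    "turbine-driven auxiliary feedwater":      (3, {"DC battery"}),
    "severe accident management guidelines":   (4, {"operators", "DC battery"}),
    "filtered containment venting":            (4, {"operators"}),
    "off-site emergency plan":                 (5, {"public authorities"}),
}

# Same plant with one design weakness (constructed): the turbine-driven pump is
# also actuated from the instrument bus, so the bus is shared by levels 2 and 3.
WEAK = dict(FIXED)
WEAK["turbine-driven auxiliary feedwater"] = (3, {"DC battery", "instrument bus"})


def levels_lost(provisions, failed_items):
    """Return the levels in which every provision depends on at least one failed item."""
    by_level = defaultdict(list)
    for _, (level, deps) in provisions.items():
        by_level[level].append(deps)
    return {level for level, dep_sets in by_level.items()
            if all(deps & failed_items for deps in dep_sets)}


def common_cause_failures(provisions, max_order=1):
    """Map each combination of up to max_order failed items to the levels it
    removes, keeping only combinations that remove two or more levels."""
    items = sorted({item for _, deps in provisions.values() for item in deps})
    findings = {}
    for order in range(1, max_order + 1):
        for combo in combinations(items, order):
            lost = levels_lost(provisions, set(combo))
            if len(lost) >= 2:
                findings[combo] = lost
    return findings


def report(provisions, max_order=1):
    """Human-readable summary of the findings."""
    lines = []
    for combo, lost in common_cause_failures(provisions, max_order).items():
        names = ", ".join(f"{lv} ({LEVELS[lv]})" for lv in sorted(lost))
        lines.append(f"loss of {' + '.join(combo)} removes levels {names}")
    return lines or ["no combination of failures removes more than one level"]


if __name__ == "__main__":
    print("weak design, single failures:")
    print("\n".join("  " + line for line in report(WEAK)))
    print("fixed design, single failures:")
    print("\n".join("  " + line for line in report(FIXED)))
    print("fixed design, double failures:")
    print("\n".join("  " + line for line in report(FIXED, max_order=2)))
```

With the weak design, loss of the instrument bus removes both level 2 (control and trip) and level 3 (all three safeguard provisions), which is exactly the situation the paragraph warns against. Giving the turbine-driven pump an independent DC supply restores the separation: no single failure then removes more than one level, and only a double failure (the bus together with the DC battery) does, which belongs to the multiple-failure scenarios handled at the fourth level.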
The fourth level was set up to fill in the gaps revealed in the situations envisaged prior to 1975. This level thus covers measures for the prevention of substantial core meltdown that ought to have been included in the third level, and provisions for the management of more severe accidents that fit better into this stage in the phasing of preventive actions.
Until recently, levels 4 and 5 were combined in one level. In accordance with the logic of the defence in depth concept, the need for protective actions with respect to populations in the vicinity of the site effectively corresponds to the failure, or relative failure, of the measures taken at the previous level. There must consequently be a differentiation between the two levels involved.
The efficiency of these principles and methods would be limited if the quality assurance of all activities involved in the design, supply, manufacture, erection, tests and inspections, operating preparations and the actual operation itself were not fully ensured. This depends on the motivation of all concerned and implies appropriate organizational procedures.
Obviously, the quality assurance process is more difficult to apply in the very disturbed situations covered by severe accident management, but mentioning it even in this case is a reminder of the need for a well structured decision making process and for methods prepared in advance for such situations.
* Control systems are sometimes included in the first level provisions. The INSAG document places automatic shutdown at the third level. These variations make no difference to the general principle.