Chapter 43: Safety Through Defence-in-Depth

This chapter was published on “Inuitech – Intuitech Technologies for Sustainability” on November 25, 2012.


Defence-in-Depth is a safety philosophy that guides the design, construction, inspection, operation, and regulation of all nuclear facilities. The central tenet of  Defence-in-Depth is to protect the health and safety of the public and plant workers. Other objectives include protecting the environment and ensuring the operational readiness of the facility. Successful  Defence-in-Depth requires creating, maintaining, and updating multiple independent and redundant layers of protection to compensate for potential human and mechanical failures so that no single layer, no matter how robust, is exclusively relied upon.

The concept of placing multiple barriers between radioactive materials and the environment was gradually developed. However, application of this concept alone cannot provide the necessary assurance of safety, since it does not include the means to provide the barriers themselves with successive layers or levels of protection. In fact, the approach was intended to provide redundant means to ensure the fulfillment of the basic safety functions of controlling the power, cooling the fuel and confining radioactive material.

The concept of Defence-in-Depth was therefore gradually refined to constitute an increasingly effective approach combining both prevention of a wide range of postulated incidents and accidents and mitigation of their consequences. Incidents and accidents were postulated on the basis of single initiating events selected according to the order of magnitude of then frequency, estimated from general industrial experience.

In this early stage, the concept of Defence-in-Depth generally included three levels:

a)     Conservative Design: Providing margins between the operating conditions foreseen (covering normal operation as well as postulated incidents and accidents) and the failure conditions of equipment;

b)    Control of Operation:  Including response to abnormal operation or to any indication of system failure, by the use of control, limiting and protection systems to prevent the evolution of such occurrences into postulated incidents and accidents; and

c)     Engineered Safety Features:  To control postulated incidents or accidents in order to prevent them from progressing to severe accidents or to mitigate their consequences, as appropriate.

Later, the concept of defence-in-depth was further refined to include consideration of external hazards, quality assurance, automation, monitoring and diagnostic tools. Furthermore, additional severe accidents were considered in studies and probabilistic safety analyses.

Defence-in-Depth is an on‐going approach toward ensuring public health and safety.  This approach recognizes that imperfections, failures, and unanticipated events will occur and must be accommodated in the design, operation, and regulation of nuclear facilities.  Defence-in-Depth is implemented through the following measures:

a)      Design and Construction:  Defence-in-Depth requires a high‐quality process for the design, procurement, fabrication, construction, inspection, testing, and licensing of a nuclear facility. Federal, state, and local laws regulate every step in this process;

b)    Multiple Barriers:  Facility designers include multiple, successive barriers to prevent the release of radioactive material. In nuclear power plants licensed in the U.S., multiple physical barriers are present. The primary barriers are the fuel and cladding, which is designed to contain radioactive material under the extreme conditions inside the reactor core. The secondary barrier is the reactor vessel, which contains the coolant used to carry away heat for generating electricity. The final barrier is the primary containment building, which is designed to mitigate the release of radioactive material in the event that both the primary and secondary barriers are compromised. The primary containment is designed to withstand the most severe, credible event — either internal or external — for the location of the plant;

c)     Redundancy and Diversity: Engineered systems that are classified as being important for safety have very robust designs to ensure reliability.  Nevertheless, in the event of a component failure, Defence-in-Depth requires that multiple backup systems are available to replace the safety‐related function of the failed component. In addition, backup systems are designed based on different physical principals or mechanisms to limit the possibilities of common‐mode failures;

d)    Maintenance and Operations:  Facility testing and maintenance procedures are implemented to ensure that each individual system operates to provide its intended function. For safety‐related systems, normal plant operations are not permitted unless sufficient backup capabilities are available. In addition to supporting Defence-in-Depth, proper maintenance and operating procedures help ensure reliable, economic operation of the facility’

e)     Physical Security:  Even prior to 9/11, physical security has been an important component of Defence-in- Depth. A post‐9/11 review of physical security emphasized the tightly interconnected nature of facility safety, physical security, and emergency preparedness. Although major changes were not required, enhancements have been made to improve access controls, training requirements, security exercises, and defensive capabilities; and

f)       Emergency Preparedness:  Emergency preparedness includes communications, sheltering, evacuation, and response plans. Nuclear facilities coordinate with local, state, and Federal authorities to ensure that emergency preparedness plans are well defined and periodically tested through training exercises. Emergency preparedness plans are a licensing requirement for all nuclear facilities regulated by the Nuclear Regulatory Commission.


The principle of Defence-in-Depth, in contrast to the barriers, does not only consist of actual technical solutions; it is rather a framework that includes the whole plant. The approach combines the prevention of abnormal situations and their degradation with the mitigation of their consequences. The Defence-in-Depth concept consists of a set of actions, items of equipment or procedures, classified in levels, the prime aim of each of which is to prevent degradation liable to lead to the next level and to mitigate the consequences of failure of the previous level.

Before describing the different stages involved, the principle can be simply summarized as follows: Although the precautionary measures taken with respect to errors (incidents and accidents) are, in theory, such as to prevent their occurrence, it is nevertheless assumed that accidents do occur and provisions are made for dealing with them so that their consequences can be restricted to levels deemed acceptable.  Here are the five levels:

a)     First Level: Prevention of Abnormal Operation and Failures:  The installation must be designed with excellent intrinsic resistance to its own failures or specified hazards in order to reduce the risk of failure. This implies that following preliminary delineation of the installation, an exhaustive study of its normal and foreseeable operating conditions be conducted to determine the worst (mechanical, thermal, pressure) stresses or those due to environment, layout, etc., for each major system and component, for which allowance must be made. The installation components can then be designed and operated by following clearly defined and qualified rules. The selection of appropriate staff, their appropriate training, the overall organization, the sharing of responsibilities or the operating procedures contribute to the prevention of failures throughout plant life;

b)    Second Level: Control of Abnormal Operation and Detection of Failures:  The installation must be prevented from straying beyond the authorized operating conditions. Control and protection systems must be designed with the capacity to inhibit any abnormal development before equipment is loaded beyond its rated operating conditions. Temperature, pressure and nuclear and thermal power control systems must be installed to prevent excessive incident development. Systems for measuring the radioactivity levels of certain fluids and of the atmosphere in various facilities shall assume monitoring requirements and check the effectiveness of the various barriers and purification systems;

c)     Third Level: Control of Accidents within the Design Basis:  The first two levels of Defence-in-Depth, prevention and keeping the reactor within the authorized limits, are designed to eliminate the risk of failures with a high degree of reliability. However, a series of incidents and accidents is postulated by assuming that failures could be as serious as a total instantaneous main pipe break in a primary coolant loop or a steam line, or could concern reactivity control. Therefore it is required to install safety systems for limiting the effects of these accidents to acceptable levels. Start-up of these systems must be automatic and human intervention should only be required after a time lapse allowing for a carefully considered diagnosis to be reached. In the postulated situations, the correct operation of these systems ensures that core structure integrity will be unaffected, which means that it can subsequently be cooled. Radioactive releases to the environment will consequently be adequately limited;

d)    Fourth level: Control of Severe Plant Conditions including Prevention of Accident Progression and Mitigation of Severe Accident Consequences:  Consider the means required to contend with plant situations which have bypassed the first three levels of the Defence-in-Depth strategy (e.g. cases of multiple failure) or which were considered as part of the residual risk (i.e. the likelihood of such accidents is extremely low). Such situations can lead to higher radioactivity release levels. The concern here is consequently to reduce the probability of such situations by preparing appropriate procedures and equipment to withstand additional scenarios corresponding to multiple failures. Every endeavour would also be necessary to limit radioactive release due to a very serious occurrence and to gain time to arrange for protective measures for the population in the vicinity of the site. It is then essential that the containment function be maintained under the best possible conditions; and

e)     Fifth level: Mitigation of Radiological Consequences of Significant Off-Site Releases of Radioactive Materials:  Population protection measures because of high release levels would only be necessary in the event of failure or inefficiency of the measures described above. The conditions of these measures are within the scope of the public authorities. They are supplemented by the preparation of long- or short-term measures for checking the consumption or marketing of foodstuffs which could be contaminated. Such measures are included in the external emergency plans. Periodical training drills are also necessary in this area to ensure adequate efficiency of the resources and linkups provided.

The levels illustrated above are intended to be independent to the extent practicable. The general objective of  Defence-in-Depth is to ensure that a single failure, whether an equipment failure or a human failure, at one level of, and even a combination of failures at more than one level of, does not propagate to jeopardize  Defence-in-Depth at subsequent levels. The independence of different levels of Defence-in-Depth is crucial to meeting this objective.


3.1        Feedback of Operating Experience:

The feedback of operating experience is a fundamental means of enhancing Defence-in-Depth, and improvements in the means of feedback are particularly important. In the following some aspects are described in which progress seems both desirable and possible.

Determination of the safety significance of events requires a root cause analysis.  Methods for such detailed analysis have been developed and the use of root cause analysis is becoming widespread. The further development of such methods could enhance the effectiveness of the feedback of operating experience.

In principle, all events are assessed for whether they can be regarded as precursors of accidents. A detailed assessment of incidents will determine their safety significance (Including both their direct causes and their root causes) and the appropriateness of the response of the plant systems and the personnel. Systematic analysis of precursors will provide insights into potential deficiencies and challenges to Defence-in-Depth and might indicate the need for improvement. Some precursors of severe accidents may require urgent and effective corrective actions.

3.2       Low Power and Shutdown Conditions:

As the main efforts were initially devoted to postulated incidents and accidents occurring mainly under full power conditions, the implementation of the different levels of  was for a long time less systematic, and is partly still so, for low power and shutdown conditions. The search for initiating events during shutdown was less methodical, meaning that some operating conditions were inadequately investigated, and there was a lack of well-designed monitoring and protective devices, and possibly also of some automatic prevention and mitigatory systems and of well-defined operating procedures.

The unavailability of safety systems due to maintenance activities can contribute to the development of incidents under shutdown conditions; less comprehensive confinement requirements linked to these activities may also increase the potential for external consequences. Specific operating procedures are prepared for these situations.

Recent systematic studies have led to the identification of sequences linked to the introduction of non-borated water into the reactor core of pressurized water reactors under specific conditions as possible initiators of critical accidents. Owing to the potentially significant contributions of these sequences to the probability of critical accidents, complementary preventive measures were taken.

Some Probabilistic Safety Assessment (PSA) have included systematic investigations of the relative contributions of plant shutdown conditions to the probability of core damage. These PSAs provided evidence that shutdown conditions could make significant contributions to this probability.  The contribution to the frequency of core damage for the shutdown state was shown to be of the same order of magnitude as that for operation. In the light of current information, a broader and more systematic consideration of the shutdown state could improve Defence-in-Depth.

3.3       Human Factors:

Initiatives on the part of operators that have been based on adequate understanding and safety culture have been beneficial in some abnormal circumstances not covered clearly by operating procedures. On the other hand, human errors bear a potential for jeopardizing Defence-in-Depth. This ambivalent human role has in some countries stimulated the organization of a kind of human redundancy and diversity, with a safety engineer acting during abnormal occurrences in parallel with the operating staff.

The need for continuous questioning about improvements in safety includes questions relating to automation and the human-machine interface in order to support the beneficial contributions of the staff and to reduce the possibilities and consequences of human errors. However, even though the contribution of human error to risk has been reduced in absolute terms, it remains an important relative contributor since the reliability of technical equipment is constantly being improved.

With regard to the potential degradation of Defence-in-Depth, one major concern is errors of omission:  Erroneous actions either not anticipated or differently foreseen in operating or maintenance procedures rather than omissions of required steps.  Examples are selecting wrong controls, issuing wrong commands or information, changing sequences of tasks, and performing tasks too early or too late. Such errors can occur as a result of errors in decision making by the operators; misinterpreted or vague procedures; misleading instrumentation; misunderstandings; or simply errors by an operator. They bear a considerable potential to trigger common cause failures, as has been seen in some safety significant events, including the accidents at Three Mile Island in the USA in 1979 and at Chernobyl in the Ukrainian Republic in 1986.  The large variety of possible actions adds to the considerable difficulty in taking such errors into account, so they need continuing attention in both the evaluation of operating experience and safety analyses (including PSA).


According to a paper published by the Idaho National Laboratory, the next generation of advanced designs will have the opportunity to advance Defence-in-Depth principles by incorporating risk informed, performance-based design and regulation philosophy early in the design and licensing process.

Based on the analysis of the Nuclear Regulatory Commission (NRC) historical literature, requirements, guidance, and policy papers, and by considering the principles described by the International Atomic Energy Agency (IAEA), it is proposed that the NGNP framework for Defence-in-Depth address the three major elements summarized below and illustrated in Figure 43-01:

4.1          Plant Capability of Defence-in-Depth:

Plant Capability Defense-in-Depth refers to the use of multiple lines of defense and conservative design approaches in the design of SSCs that perform safety functions in a nuclear power plant. These lines of defense include inherent fuel and reactor characteristics, multiple barriers, and engineered features and SSCs whose safety functions serve to protect the integrity of these barriers. Barriers have two roles: that of preventing and mitigating radionuclide transport during normal operation, transients, and accidents, and that of protecting the plant and its SSCs performing safety functions from external hazards. The barriers include fuel design and physical barriers and associated safety systems and structures that prevent or block the movement of radionuclides, as well as intentional time delays in the transport that allow for the radioactive decay and deposition of radionuclides prior to their release to the environment. This important time delay element allows for effective implementation of emergency protective actions. The barriers also include siting considerations for both limiting public exposures and protecting the plant from external hazards.

Barriers used in Plant Capability Defense-in-Depth need to be concentric and independent so that the failure of one barrier does not adversely impact the effectiveness of another. An important insight from PRAs is the fact that when these barriers are not fully concentric, risk significant accident sequences associated with bypass of a barrier may result. Another insight is that the extent to which independence between the barriers can be assured is largely determined by the interactions between the inherent characteristics of the reactors and the barriers themselves during potential accident sequences. The use of barriers as part of Plant Capability Defense-in-Depth is most effective when the barriers are concentric and when the postulated failure modes of one barrier do not lead to the likely failure of another barrier or to significant increases in the probability of failure of that barrier. Full independence among barriers may not be feasible for any reactor concept, but the extent of independence is an important attribute to consider in evaluating the adequacy of Defense-in-Depth.Slide1An important element of Plant Capability Defense-in-Depth is the decision to use the PRA as a tool to support design decisions and to optimize the allocation of resources that are applied in the design to prevent and mitigate accidents. As explained previously, this is an interactive process that provides an opportunity for the use of risk insights into the safety design philosophy and to develop understanding of how the Defense-in-Depth principles have been applied at an early stage of the design.

Here is a table illustrating the key elements:

Elements of Plant Capability Defence-in-Depth:
1.          Inherent features of reactor important   to safety:

  •   Fundamental   properties of core/fuel elements;
  •   Fundamental   properties of reactor coolant;
  •   Fundamental   properties of moderator;
  •   Fundamental   properties of reactor vessel; and
  •   Extended   time available to implement transient and emergency measures.


2.       Use   of multiple barriers to prevent release and protect SSCs from external   hazards:

  •   Fuel   barrier design features;
  •   Coolant   pressure boundary design features;
  •   Suitable   barriers for spent fuel storage;
  •   Reactor   building barrier design features; and
  •   Independence   and concentricity of barriers.


3.       Selection   of robust systems for normal operation and expected transients:

  •   Redundant   and diverse features for start-up, shutdown, and anticipated transients;
  •   Operational   control systems for reliable plant operation; and
  •   Investment   protection features.


4.       Engineered   features to protect barrier integrity:

  •   Reactor   specific safety functions to protect barriers;
  •   Passive   engineered SSCs to perform safety functions; and
  •   Active   engineered SSCs to perform safety functions.


5.       Conservative   design approaches to improve the reliability and capability of SSCs   performing safety functions:

  •   Use of   inherent characteristics to perform safety functions
  •   Use of   passive SSCs;
  •   Conservative   design margins;
  •   Redundancy   where active SSCs are employed to perform safety functions; and
  •   Diversity   and independence among functionally redundant SSCs that perform safety   functions.


6.       Selection   of appropriate reactor sites. 
7.       Time   available to implement emergency measures. 

Table: 43-01

4.2       Programmatic Defence-in-Depth:

Programmatic Defence-in-Depth reflects the programmatic actions for designing, constructing, operating, testing, maintaining, and inspecting the plant so that there is a greater degree of assurance that the Defence-in-Depth factored into the plant capabilities during the design stage is maintained throughout the life of the plant.

Programmatic Defence-in-Depth refers to the use of multiple lines of defense in the programs that are put into place to ensure that SSCs responsible for performing safety functions have adequate reliability and capability, to provide protection against uncertainties in plant design and operation, and to support effective implementation of emergency management. These programs include the special treatment requirements for safety classified SSCs, tests and inspections, monitoring of plant and SSC performance, and oversight.

The Programmatic Defense-in-Depth element includes those steps taken to assure that the Plant Capability Defense-in-Depth as influenced by the Programmatic Defense-in-Depth is realized in the final plant. The programs include design reviews, operator training and practices, emergency operating procedures and their implementation, establishment and implementation of accident management guidelines, development of and adherence to technical specifications, maintenance practices, owner implemented nuclear safety oversight, quality assurance, and evaluation of operating experience to assure adequate and timely correction of any deficiency identified, and the full implementation of a corrective action program.

Here is a table illustrating the key elements:

Elements of Programmatic Defence-in-Depth:
1.          Engineering assurance programs:

  •   Special   treatment requirements;
  •   Independent   design reviews; and
  •   Separate   affects tests.


2.       Organizational   and human factors programs:

  •   Training   and qualification of personnel;
  •   Emergency   operating procedures; and
  •   Accident   management guidelines.


3.       Technical   specifications:

  •   Limiting   conditions for operation
  •   Surveillance   testing requirements
  •   Allowable   outage (completion) times.


4.       Plant   construction and start-up programs:

  •   Equipment   fabrication;
  •   Construction;
  •   Factory   testing and qualification; and
  •   Start-up   testing.


5.       Maintenance   and monitoring of SSC performance programs.

  •   Operation;
  •   In-service   testing;
  •   In-service   inspection;
  •   Maintenance   of SSCs; and
  •   Monitoring   of performance against performance indicators.


6.       Quality   assurance program:

  •   Inspections   and audits;
  •   Procurement;
  •   Independent   reviews; and
  •   Software   verification and validation.


7.       Corrective   action programs:

  •   Event   trending;
  •   Cause   analysis; and
  •   Closure   effectiveness.


8.       Emergency   Planning.

Table: 43-02

4.3       Risk-Informed Evaluation of Defence-in-Depth:

Risk-Informed Evaluation of Defense-in-Depth refers to the multiple lines of defense reflected in the definition of scenarios that form the basis of the deterministic and probabilistic safety evaluations that will be performed to support the NGNP licensing application. The structure of these scenarios, in a manner that permits the identification of prevention and mitigation measures, assures that the strategies of Plant Capability Defense-in-Depth and Programmatic Defense-in-Depth have been adequately implemented. The strategies for preventing and mitigating accidents are identified and evaluated in Risk-Informed Evaluation of Defense-in-Depth based in part on a review of the PRA, whose results have been structured to identify the roles of SSCs in preventing and mitigating accidents. Prevention and mitigation strategies for the NGNP Project are defined somewhat more broadly than for currently licensed reactors, which focus on preventing and mitigating core damage. In the case of the NGNP Project, prevention and mitigation are defined with respect to limiting the release of significant amounts of radioactive material as a result of event sequences that could occur with this design.

Prevention strategies are defined as those strategies employed to reduce the frequency of accidents by improving the reliability of SSCs whose failure would cause initiating events and/or adversely affect the ability to mitigate an event sequence. Mitigation strategies are those employed to improve the capability of SSCs that serve to mitigate the consequences of events and event sequences that may challenge them.  Hence, prevention and mitigation are directly correlated to the reliability and capability of the SSCs responsible for providing the Plant Capability Defense-in-Depth. Evaluating the prevention and mitigation effectiveness of SSCs in the probabilistic and deterministic safety analysis is the domain of the Risk-Informed Evaluation of Defense-in-Depth.

Risk-Informed Evaluation of Defense-in-Depth reflects the evaluation of all plant SSCs to manage daily operational activities, transients, and accidents, including the evaluation of strategies of accident prevention and mitigation. This element of the approach to Defense-in-Depth provides the best estimate of plant performance for deterministic and probabilistic safety evaluations, and thereby helps determine how well various prevention and mitigation strategies have been implemented. This provides a risk-informed framework to delineate the scenarios that the plant design features could be exposed to, as well as a framework for defining programs that contribute to Defense-in-Depth. The scenario framework used in this evaluation defines the challenges to the plant safety features to be included in the plant design basis and the scope of all deterministic and probabilistic safety evaluations. This framework is useful for incorporating information and insights from the PRA and formulating strategies that can be implemented in both the Plant Capability and Programmatic Defense-in-Depth elements.

Here is a table illustrating the key elements:

Elements of Risk-Informed Evaluation of Defence-in-Depth:
1.          Definition of a comprehensive set of   challenges to barrier integrity:

  •   Internal   event scenarios;
  •   Internal   plant hazard scenarios (e.g. fires and floods); and
  •   External   events scenarios (e.g. seismic events and aircraft crashes).


2.       Interface with the risk-informed performance-based licensing approach:

  •   Input   to selection of licensing basis events;
  •   Input   to safety classification of SSCs; and
  •   Input   to definition of special treatment requirements.


3.       Evaluation   of event prevention strategies:

  •   Strategies   to prevent initiating events;
  •   Strategies   to reduce frequency of challenges to safety systems;
  •   Strategies   to prevent initiating events from progressing to accidents;
  •   Strategies   to prevent accidents from exceeding the design basis; and
  •   Strategies   to preclude events with potentially high consequences.


4.       Evaluation   of event mitigation strategies:

  •   Strategies   to limit impact of challenges and loads to barriers and SSCs;
  •   Strategies   to retain and delay transport of radionuclides from barriers during   accidents:
    •   Retention   and delay within fuel;
    •   Retention   and delay within helium pressure boundary;
    •   Retention   and delay within reactor building; and
    •   Strategies   to provide offsite protective actions.


5.       Development   of risk insights to achieve Defense-in-Depth:

  •   Feedback   to enhance plant capabilities;
  •   Feedback   to enhance assurance programs; and
  •   Demonstration   of adequacy and sufficiency of Defense-in-Depth.


6.       Demonstration   that Defense-in-Depth principles have been adequately applied.


Table: 43-03


Defence-in-Depth is expected to remain an essential strategy to ensure nuclear safety for both existing and new plants. However, the proposed approach does not include any quantification of the extent of Defence-in-Depth at a plant nor a prioritization of the provisions of defence. It is intended only for screening, i.e. for determination of both the strengths and weaknesses for which provision should be considered.

There are no strict criteria on what is considered a sufficient level of implementation of individual provisions. The level of detail and completeness of evaluation is at the discretion of the user of the screening approach.

While the approach is primarily intended to facilitate self-assessment of Defence-in-Depth by plant operators, it can also be used by regulators or by independent reviewers. A commitment by the operator to self-assessment is an essential feature of a good safety culture. The approach has been developed to be as complete as possible, but it is sufficiently flexible to allow inclusion of other mechanisms and provisions that are related to specific plant types or that are identified in national standards. In this respect, the approach might be very beneficial for checking the completeness and balance of any measures implemented for major safety improvement or modernization activities or for plant reorganizations.


  1. Argonne – Energy Engineering and System Analysis;
  2. IAEA  in Depth in Nuclear Safety – INSAG-10:
  3. Defence-in-Depth;
  4. Next Generation Nuclear Plant -in-Depth Approach; and
  5. IAEA Safety Reports Series 46 – Assessment of Defence-in-Depth.

Chapter 44

2 Responses to Chapter 43: Safety Through Defence-in-Depth

  1. Hey! I just wanted to ask if you ever have any issues with hackers? My last blog (wordpress) was hacked and I ended up losing a few months of hard work due to no backup. Do you have any solutions to protect against hackers?

Comments are closed.