Defense in depth (nuclear engineering)
U.S. non-military nuclear material is regulated by the U.S. Nuclear Regulatory Commission, which uses the concept of defense in depth when protecting the health and safety of the public from the hazards associated with nuclear materials. The NRC defines defense in depth as creating multiple independent and redundant layers of protection and response to failures, accidents, or fires in power plants. For example, defense in depth means that if one fire suppression system fails, there will be another to back it up. The idea is that no single layer, no matter how robust, is exclusively relied upon; access controls, physical barriers, redundant and diverse key safety functions, and emergency response measures are used. Defense in depth is designed to compensate for potential human and mechanical failures, which are assumed to be unavoidable.[1]
Any complex, close-coupled system, no matter how well-engineered, cannot be said to be failure-proof. That is especially true if people operate controls that determine how the system performs.[2]
Fire protection defense in depth
On November 19, 1980, the NRC promulgated 10 CFR 50, Appendix R,[3] Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979, which includes a discussion of defense in depth. Defense in depth includes preventing plant fires; detecting, controlling, and extinguishing fires that occur; and ensuring that a fire that is not promptly extinguished will not prevent the safe shutdown of the plant.
The NRC granted the Indian Point nuclear plant an exemption to the defense in depth regulations. The defense in depth rule required electric power cables, which control reactor shutdown in an emergency, to have fire insulation that lasts one hour. The NRC granted Indian Point an exemption to use insulation that lasts 24 minutes.[4] The decision was challenged in Federal District Court, with the judge deciding "the NRC's decision to grant the exemption was neither arbitrary nor capricious" and concluding that the agency had performed a comprehensive safety review before issuing the exemption order.[5] However, on appeal, the Federal Circuit Court determined that the NRC must hold a public hearing on any exemption to the defense in depth rule.[4]
Defense in depth in licensing basis changes
NRC's Regulatory Guide 1.174,[6] An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, includes a discussion of using defense in depth for changes to a nuclear power plant's licensing basis. Section 2.1.1 enumerates the elements of defense in depth:
- Balance efforts to prevent core damage, prevent containment failure, and mitigate accident consequences.
- Do not rely on employee training to compensate for changes to the physical systems.
- System redundancy, independence, and diversity are matched to the expected frequency, consequences, and uncertainties of the various failure and accident modes.
- Defenses against potential common-cause failures are preserved.
- Potential for the introduction of new common-cause failure mechanisms is assessed.
- Independence of barriers is not degraded.
- Defenses against human errors are preserved.
- The intent of the plant’s design criteria is maintained.
References
1. "NRC: Glossary - Defense-in-depth". Nrc.gov. 2012-12-26. Retrieved 2013-11-11.
2. Daniel E Whitney (2003). "Normal Accidents by Charles Perrow" (PDF). Massachusetts Institute of Technology.
3. "NRC: 10 CFR Appendix R to Part 50—Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979". Nrc.gov. Retrieved 2013-11-11.
4. http://ecowatch.com/2013/01/11/victory-nukes-indian-point/
5. "Court Upholds NRC Permits For Entergy Nuclear Plant". Law360. 2011-03-07. Retrieved 2013-11-11.
6. "Regulatory Guide 1.174" (PDF). Pbadupws.nrc.gov. Retrieved 2013-11-11.