Most nuclear power plants adopt a 'defence-in-depth' approach to achieve the highest practicable level of safety. The approach consists of multiple, independent safety systems that supplement the natural (inherent) safety features of the reactor core.
According to INSAG-10:
“Defence in depth consists in a hierarchical deployment of different levels of equipment and procedures in order to maintain the effectiveness of physical barriers placed between radioactive materials and workers, the public or the environment, in normal operation, anticipated operational occurrences and, for some barriers, in accidents at the plant.”
Defence-in-depth ensures that a plant is designed, fabricated, constructed, and operated not only to be safe during normal operation but also to cope safely with a whole spectrum of possible accidents. The plant has sophisticated safety systems and devices to guard against human error, equipment failures, and malfunctions, and its design takes into account natural phenomena such as earthquakes, tornadoes, and floods.
Multiple Barriers to Radionuclide Release
The concept of three protective barriers refers to a series of strong, leak-tight physical barriers placed between the radioactive products and the environment. The barriers are intended to prevent releases of radioactive products in all circumstances. The goal of defence-in-depth, introduced in the preceding section, is to ensure the three basic safety functions: controlling reactivity, cooling irradiated fuel and containing radioactive substances. Fulfilling these safety functions is what keeps all of the barriers effective.
First barrier – Fuel matrix and fuel cladding
Uranium dioxide is a ceramic, refractory uranium compound that is widely used as a nuclear fuel. In an operating reactor the fission products are contained within UO2 pellets, which are packed into clad fuel elements (fuel rods) that are assembled into fuel assemblies within the reactor core. Together, the fuel matrix and the fuel cladding prevent the escape of fission product gases and confine fission fragments during abnormal operation and in most accidents. This barrier is protected by levels 1 to 3 of defence-in-depth. Departure from nucleate boiling (DNB), fuel temperature and cladding temperature are the key acceptance criteria used to demonstrate its integrity. In some classifications the fuel matrix and the cladding are counted separately, as the first and the second barrier.
Second barrier – Boundary of reactor coolant system
The reactor core is located within a reactor pressure vessel, which in turn is located inside a containment building. The primary circuit is a closed circuit made of thick steel, and the reactor pressure vessel forms part of this circuit. Fission products that have escaped from the fuel must be confined by this second barrier. The integrity of the primary circuit is also protected by levels 1 to 3 of defence-in-depth. Maximum system pressure and pressurised thermal shock (PTS) are the key controlled criteria.
Third barrier – Containment building
The containment building is primarily designed to prevent or mitigate the uncontrolled release of radioactive material to the environment, both in operational states and in accident conditions. It is therefore considered the third and final barrier in the defence-in-depth strategy (the fourth, when the fuel matrix and cladding are counted separately). While the containment plays a crucial role in Design Basis Accidents and in Design Extension Conditions, in terms of design loads it is "only" required to condense the steam released from the primary coolant and to contain it inside the building. The integrity of the containment building is protected by levels 1 to 4 of defence-in-depth.
In normal operation the barriers are generally not perfectly leak-tight: cladding ruptures, as well as leaks of limited significance in the reactor coolant system and the containment building, may occur. A particular case worth mentioning here is that of PWR steam generator tubes, which form part of both the second and the third barrier: the rupture of a tube may cause the safety valves of the steam generator to open, thus creating a containment bypass.
Levels in Defence-in-depth
Level 1 of Defence-in-depth – Prevention of operating malfunctions and system failures
The first level of defence addresses the prevention of accidents through the design of the plant, including quality assurance, redundancy, separation, testing, and inspection. The plant is designed and built to operate as intended with a high degree of reliability. Negative reactivity coefficients that lead to inherently stable operating conditions, safety margins in the design, reliable and well-characterised performance of the materials used in structures and components, adequate instrumentation and control, and so on, are among the preventive measures employed in reactor design.
Level 2 of Defence-in-depth – Control of operating malfunctions and detection of failures
Level 2 incorporates inherent plant features, such as core stability and thermal inertia, together with the systems that control abnormal operation (anticipated operational occurrences), taking account of phenomena capable of causing further deterioration of the plant status. This includes automatic functions and control systems that return the plant to its normal operating mode as soon as possible. The systems that mitigate the consequences of such operational occurrences are designed to specific criteria (such as redundancy, layout and qualification).
Level 3 of Defence-in-depth – Comprehensive accident management
Despite the provisions for prevention, accident conditions may still occur. Engineered safety features and protection systems are provided to prevent evolution towards a severe accident and to confine radioactive materials within the containment. The measures taken at this level are aimed in particular at preventing core damage. Design and operating procedures are also aimed at maintaining the effectiveness of the barriers, especially the containment. For example, the emergency core cooling system (ECCS) is provided to mitigate the consequences of a loss-of-coolant accident (LOCA), even though the first level of defence makes such an event highly unlikely.
Level 4 of Defence-in-depth – Comprehensive management of severe conditions
In addition to the engineering provisions and procedures that reduce the likelihood and severity of accidents, all plants have guidelines for severe accident management (SAM). Such plant conditions may be caused by multiple failures, such as the complete loss of all trains of a safety system, or by an extremely unlikely external event such as a severe flood. This level of defence-in-depth includes the procedures and equipment used to handle situations not covered by the first three levels, that is, accidents that could result in reactor core melt. At level 4 the broad aim is to ensure that both the likelihood of an accident entailing severe core damage and the magnitude of radioactive releases, in the unlikely event that a severe plant condition occurs, are kept as low as reasonably achievable. The most important objective of mitigation at level 4 is the protection of the containment. Functions that protect the containment, such as containment cooling, penetration control and hydrogen recombiners, are typically designed and analysed to the same conservative standards as the engineered safety features.
Level 5 of Defence-in-depth – Limiting consequences of radiation in the event of radioactive releases
Despite all the measures described above, radioactive releases may still occur; nuclear safety cannot exclude this possibility, although its probability is very low. Measures for protecting the public from radioactive releases include the off-site emergency plan prepared for each site. The public authorities implement the off-site emergency plan, which organises emergency operations to limit public exposure to radiation in the event of a release.