Most nuclear power plants adopt a ‘defense-in-depth’ approach to achieve maximum safety. This approach consists of multiple safety systems that supplement the natural (inherent) features of the reactor core.
According to INSAG-10:
“Defence in depth consists in a hierarchical deployment of different levels of equipment and procedures in order to maintain the effectiveness of physical barriers placed between radioactive materials and workers, the public or the environment, in normal operation, anticipated operational occurrences, and, for some barriers, in accidents at the plant.”
Defense-in-depth ensures that a plant is designed, fabricated, constructed, and operated not only to be safe during normal operation but to account safely for the possibility of a spectrum of accidents. The plant has sophisticated safety systems and devices to guard against human error, equipment failures, and malfunctions taking into account such natural phenomena as earthquakes, tornadoes, and floods.
Multiple Barriers to Radionuclide Release
The term “three protective barriers” refers to a series of strong, leak-tight physical barriers placed between radioactive products and the environment. The barriers prevent the release of radioactive products in all circumstances. The goal of defense-in-depth, introduced in the preceding section, is to ensure the basic safety functions, i.e., controlling reactivity, cooling irradiated fuel, and containing radioactive substances. These safety functions are necessary to ensure that all barriers remain effective.
First barrier – Fuel matrix and fuel cladding
Uranium dioxide is a ceramic, refractory uranium compound that is widely used as a nuclear fuel. In an operating reactor, the fission products are contained within UO2 pellets that are packed into clad fuel elements, which are assembled within the reactor core. Both the fuel matrix and the fuel cladding prevent the escape of fission product gases and confine fission fragments during abnormal operation and most accidents. This barrier is protected by levels 1 to 3 of defense-in-depth. DNB (departure from nucleate boiling) margin, fuel temperature, and cladding temperature constitute the key acceptance criteria. Sometimes the fuel matrix and the cladding are counted separately, as the first and the second barrier.
Second barrier – Boundary of the reactor coolant system
The reactor core is located within a pressure vessel that, in turn, is located inside a containment building. The primary circuit is a closed circuit made of thick steel, and the reactor pressure vessel forms part of this circuit. Fission products that have escaped from the fuel must be confined by this second barrier. The integrity of the primary circuit is also protected by levels 1 to 3 of defense-in-depth. Maximum system pressure and PTS (pressurized thermal shock) are the key controlled criteria.
Third barrier – Containment building
The containment building is primarily designed to prevent or mitigate the uncontrolled release of radioactive material to the environment in operational states and accident conditions. It is therefore considered the final barrier in the defense-in-depth strategy (the fourth, when the fuel matrix and the cladding are counted separately). While containment plays a crucial role in Design Basis Accidents and Design Extension Conditions, it is “only” designed to condense steam escaping from the primary coolant and to contain it inside the building. The integrity of the containment building is also protected by levels 1 to 4 of defense-in-depth.
In normal operation, the barriers are generally not perfectly leak-tight: cladding ruptures, as well as leaks of limited significance in the reactor coolant system and the containment building, may occur. It is important to mention in this context the particular case of PWR steam generator tubes, which are part of the second and third barriers, since the rupture of a tube may cause the safety valves of the steam generator to open, thus creating a containment bypass.
Levels in Defense-in-depth
Level 1 of Defense-in-depth – Prevention of operating malfunctions and system failures
The first level of defense addresses the prevention of accidents through the plant’s design, including quality assurance, redundancy, separation, testing, and inspection. The plant is designed and built to operate as intended with a high degree of reliability. Negative reactivity coefficients that lead to inherently stable operating conditions, safety margins in design, reliable and well-characterized materials performance in structures and components, adequate instrumentation and control, and so on, are among the preventive measures employed in reactor design.
Level 2 of Defense-in-depth – Control of operating malfunctions and detection of failures
Level 2 incorporates inherent plant features, such as core stability and thermal inertia, and systems to control abnormal operation (anticipated operational occurrences), taking into account phenomena capable of causing further deterioration in the plant status. This includes automatic functions and control systems that can return the facility to its normal operating mode as soon as possible. The systems to mitigate the consequences of such operating occurrences are designed according to specific criteria (such as redundancy, layout, and qualification).
Level 3 of Defense-in-depth – Comprehensive accident management
Despite provisions for prevention, accident conditions may occur. Engineered safety features and protection systems are provided to prevent evolution towards severe accidents and confine radioactive materials within the containment system. The measures taken at this level aim to prevent core damage in particular. Design and operating procedures are also aimed at maintaining the effectiveness of the barriers, especially the containment. For example, the emergency core cooling system (ECCS) is provided to mitigate the consequences of a loss-of-coolant accident (LOCA), even though the first level of defense makes such an occurrence highly unlikely.
Level 4 of Defense-in-depth – Comprehensive management of severe conditions
In addition to engineering and procedures which reduce the risk and severity of accidents, all plants have guidelines for severe accident management or mitigation (SAM). Such plant conditions may be caused by multiple failures, such as the complete loss of all trains of a safety system, or by an extremely unlikely event, such as a severe flood. This level of defense-in-depth includes procedures and equipment used to handle situations not covered by the first three levels of defense-in-depth; these are accidents that could result in reactor core melt. At level 4, the broad aim is to ensure that the likelihood of an accident entailing severe core damage, and the magnitude of radioactive releases in the unlikely event that a severe plant condition occurs, are both kept as low as reasonably achievable. The most important objective for mitigating the consequences of an accident in Level 4 is the protection of the confinement. Functions that protect the containment, such as containment cooling, penetration control, and hydrogen recombiners, are typically designed and analyzed to the same conservative standards as engineered safety features.
Level 5 of Defense-in-depth – Limiting consequences of radiation in the event of radioactive releases
Despite all the measures described above, radioactive releases may still occur. Nuclear safety cannot exclude this possibility; however, its probability is very low. Measures for protecting the public from radioactive releases include off-site emergency plans prepared for each site. Public authorities implement the off-site emergency plan, which organizes emergency operations to limit public exposure to radiation in the event of releases.