Senior Program Manager
Division of Risk Assessment, Performance and Reliability Branch
Defense-in-depth is a central theme in the NRC’s regulatory oversight of the nuclear power industry. As our agency historian, Tom Wellock, discussed in Monday’s post, the concept of defense-in-depth emerged during the trench warfare of World War I. The idea of multiple lines of defense was applied to nuclear safety in the 1950s as the leading concept for protecting the public from the consequences of a nuclear reactor accident.
The NRC’s predecessor agency, the U.S. Atomic Energy Commission, spelled out defense-in-depth in a 1957 report called WASH-740, Possibilities and Consequences of Major Accidents in Large Nuclear Power Plants. “Should some unfortunate sequence of failures lead to destruction of the reactor core … no hazard to the safety of the public would occur unless two additional lines of defense were also breached,” the report said.
These words are at the heart of defense-in-depth as it has been practiced for six decades: multiple layers of defense to protect against accidents and their effects to ensure the risk to the public is acceptably low.
In a recent report issued this spring, Historical Review and Observations of Defense-in-Depth (NUREG/KM-0009), the NRC looks at how the concept has evolved in practice over the years. It also includes views from other government agencies and the international community.
As the report explains, defense-in-depth recognizes that our knowledge is imperfect. Although we plan for all conceivable accidents, the unexpected may still occur. Even if we have anticipated an event, its characteristics and impacts may be unpredictable. Our design and operation of nuclear plants need to be robust enough to compensate for this lack of knowledge. Defense-in-depth offers multiple layers of protection in case one or more layers fail.
So we don’t just rely on preventing an accident; we also need strong defenses to mitigate the effects of any accident that does occur. This applies to nuclear power plants, waste management and security as well.
In practice, defense-in-depth addresses three principles that should be factored into the design and operation of systems and components to provide additional confidence that an accident would not compromise the defensive layers:
- Redundancy means more than one component performs the same function – for example, having multiple pumps instead of a single one;
- Independence means these multiple components rely on separate and distinct attributes to function – the multiple pumps have separate piping from the water tank to where they discharge, and are housed in separate compartments; and
- Diversity means the multiple components performing the same function rely on different design features to operate – motor-driven pumps versus steam-powered pumps.
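The three principles above can be made concrete with a small reliability calculation. This is an added example, not from the NRC post or report: it uses a simple beta-factor common-cause model in which each pump fails on demand with probability p, and a shared cause (the same piping, compartment or design flaw) fails every pump at once with probability beta. All probabilities are constructed for illustration.

```python
from typing import Dict, Optional

def independent_failure(p: float, n: int) -> float:
    """Probability that all n independently failing pumps fail on demand."""
    return p ** n

def system_failure(p: float, n: int, beta: float) -> float:
    """Probability of losing the pumping function under a beta-factor
    common-cause model: the shared cause fires with probability beta and
    takes out every pump at once; otherwise the pumps fail independently."""
    return beta + (1.0 - beta) * independent_failure(p, n)

# Constructed per-demand failure probability of a single pump.
PUMP_P = 0.01

# Constructed common-cause fractions for the three layouts in the post.
# Redundancy alone leaves a large shared cause (one fire or flood in the
# shared room); independence shrinks it; diversity shrinks it further.
LAYOUTS: Dict[str, float] = {
    "redundant, shared piping and compartment": 0.05,
    "redundant and independent (separate piping, rooms)": 0.005,
    "redundant, independent and diverse (motor + steam)": 0.0005,
}

def compare_layouts(n: int = 2) -> Dict[str, float]:
    """Loss-of-function probability for each layout with n pumps."""
    return {name: system_failure(PUMP_P, n, beta) for name, beta in LAYOUTS.items()}

def redundancy_floor(beta: float) -> float:
    """Limit of system_failure as n grows: adding pumps never beats the
    common-cause fraction, which is why independence and diversity matter."""
    return beta

def pumps_needed(p: float, beta: float, target: float) -> Optional[int]:
    """Smallest n whose loss probability is at or below target, or None
    when the target lies under the common-cause floor and cannot be met
    by redundancy alone."""
    if target <= redundancy_floor(beta):
        return None
    n = 1
    while system_failure(p, n, beta) > target:
        n += 1
    return n

if __name__ == "__main__":
    for name, prob in compare_layouts(2).items():
        print(f"{name}: {prob:.6f}")
    print("pumps needed, shared layout, target 1e-3:", pumps_needed(PUMP_P, 0.05, 1e-3))
    print("pumps needed, diverse layout, target 1e-3:", pumps_needed(PUMP_P, 0.0005, 1e-3))
```

With the constructed numbers, two pumps in the shared layout lose the function about 5 percent of the time, while the independent and diverse layouts approach the 1e-4 figure that pure independent redundancy would give.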
In reactor safety, the layers of defense might be:
- Maintain reactor stability by limiting the ability of events to disrupt operation (with protective measures such as fire-safe or flood-tight doors, seismically designed buildings)
- Protect the reactor should operation be disrupted (emergency reactor core cooling with redundant pumps)
- Barrier integrity to guard against a release of radioactivity to the environment (leak-tight containment structures, filtered vents, containment sprays) and
- Protect the public if a release does occur (emergency preparedness plans)
This versatile framework can apply whether the risk to the public comes from the reactor, spent fuel pool, nuclear waste or security threats.
16 thoughts on “Part II: How the NRC Uses a Defense-in-Depth Approach Today to Protect the Public”
Stay tuned! We’ll have a whole blog post on the subject later this week.
TY Donna, these “Walmart grade” dry casks are a real risk. Especially when the dry casks are expected to be stored indefinitely right at the nuke plant, like at San Onofre. Shame on them.
Bro- In post haste I almost forgot there was another SRP guidance in Severe Accident Mitigation new guidance on Aircraft Impact Assessment SRP 19.5 – Adequacy of Design features and functional capabilities identified and described for withstanding Aircraft Impacts. This may also dispel your doubts on the subject you raised. Sorry
Bro- The guidance you are looking for due to aircraft impact (terror related or otherwise) when you lose large areas (LOLA) is codified under 10 CFR 50.54(hh)(2). This section requires power reactor licensees (new) to develop guidance and strategies for addressing the LOLAs of the plant due to explosions, and these are included in a new section (published 2015) in the Standard Review Plan under SRP 19.4 Rev 0 – Strategies and guidance to address loss of large areas of the plant due to explosions and fires (NEI guidance 06-12, Revision 3). These were developed tacitly following the implementation of Section B.5.b of the NRC’s Interim Compensatory Measures (ICM) order issued February 25, 2002 following the 9/11 attacks to protect operating reactors in the U.S. at that time. These were knee-jerk enforcement actions that the agency implemented one-on-one and in confidence with individual reactor licensees. Subsequently, they were developed into generic SRP guidance and issued for new reactor applicants to comply with, at present. So, to dispel your fears, the NRC staff had this issue under control all the time (or at least that was the intent), doing whatever was necessary to mitigate threats of impacts of perceived terrorism related fires and Loss of Large Areas inside reactors.
Anon, thanks for the straight answer & for giving me some reassurance that action has been taken to address the safety concerns resulting from that near miss accident at Brown’s Ferry so long ago.
I am still very worried though about the consequences of a hijacked airliner being used as a missile at one of our nuclear plants. The Indian Point units in the backyard of NYC are of particular concern. They are just minutes away from seven major airports and many other general aviation airports. I just cannot imagine the awful consequences of a Chernobyl, Fukushima, or even a TMI-type disaster at Indian Point. Just calling for an evacuation in the event of an emergency there would result in deaths & injuries just from people trying to get out of “Dodge”. For example over 1000 deaths have resulted from the evacuation process in Japan due to the Fukushima accident. Not only folks dying from the evacuation itself but folks dying because they give up hope as they can never return to their homes. Of course the biggest impact there has been to the elderly.
Anon, it is just not worth the risk & it would be, in my opinion, foolhardy of the NRC to extend the licenses of the Indian Point nuke units.
Donna — I’m sad that the NRC has not added a response to your excellent comment, since you (and Ace) have posted information that should be of VITAL interest to the NRC, since they are in charge of safety of our nuclear plants!
Bro – Here the agency and staff deserve credit for making those 23 plants NFPA 805 compliant and the positive paper trail in transitioning to Industry Standard NEI-04-02. There was substantial effort and time invested on the part of the Agency over the years and attention paid to this fire protection stuff – it was indeed sticking out like a sore thumb in prior years. In the case of Browns Ferry, it is known that staff issued a license amendment late last year, that the station has transitioned to NFPA 805, and we can breathe easy over that. However, if something god-awful were to happen in future, we now know whom to blame! For, how Browns Ferry satisfied the staff, with what exists inside that colossal three unit containment – makes one wonder how they did it?
Scott, so in short you have answered. Thanks. So I assume the even shorter answer is a yes to my first question & a no to my last question. Is that correct Scott? Just trying to pin you down Scott, but trying to do so, I believe, is really like trying to nail jelly to a tree.
The answers to both of your questions can be located in the cited blog posts as well as various places on the website and in NRC documents. In short, however, the NRC has concluded all U.S. nuclear power plants have appropriate fire protection programs in place and all U.S. nuclear power plants can keep the public safe even if severe events affect installed safety systems.
Thanks Scott I can always depend on a straight-forward answer from you. Also, although I like to read, I can always depend on you to considerably beef up my reading backlog.
As you have no specific answer to my common cause fire concerns perhaps you could refer these two questions to Mary…
It has been over 40 years since the fire at Browns Ferry. By now have all US nuclear plants been fully upgraded to meet the more exacting fire protection standards specified in 10 CFR Part 50 Appendix R?
Can an airliner crash into a nuclear plant compromise Defense in Depth and result in nuclear fuel melt?
A simple yes or no answer to each question would be fine.
The NRC has required U.S. nuclear power plants to enhance their fire protection on an ongoing basis since the Browns Ferry fire. https://public-blog.nrc-gateway.gov/2015/11/10/browns-ferry-a-new-milestone-in-nuclear-plant-fire-protection-2/
The NRC’s actions after Fukushima to require Mitigation Strategies (which build on post-9/11 actions) ensure U.S. nuclear power plants are prepared to maintain key safety functions after a severe event. https://public-blog.nrc-gateway.gov/2014/10/16/making-sure-safer-resources-are-ready-to-go/ These strategies must be available regardless of the severe event, which can include flooding or large fires and explosions at a site. The NRC has also ensured U.S. plants have appropriately incorporated flooding re-evaluation information into the plants’ strategies. https://public-blog.nrc-gateway.gov/2015/07/30/lining-up-new-protections-with-new-flood-info/
What a comprehensive recap of DiD (Defense in Depth) you have shepherded. Thank you. Going back over 60 years & trying to recap this important aspect of nuclear power plant safety had to be quite a task.
In reading this historical review of DiD I was struck by how the original concepts & basics of reactor & nuclear power plant safety have remained so steadfast over those many years.
DiD to me helps ensure that used nuclear fuel is always maintained subcritical, covered with water, and adequately cooled to ensure its integrity.
However, as pointed out in this review, DiD can be compromised & in fact defeated by so-called common-cause failures (CCF). No matter the extent of a nuclear plant’s built-in redundancy, independence, or diversity, fires, floods (internal or external), seismic events, and more recently acts of terrorism can compromise DiD.
I am worried that the NRC has not done enough to protect our aging nuclear fleet from such CCFs.
Regarding fire as a CCF.
The devastating fire at Browns Ferry occurred over 40 years ago & yet some nuclear plants have yet to be appropriately upgraded to meet improved fire safety standards.
In the history the NRC provided it is noted that “The studies confirm that even in the unlikely event of a radiological release due to terrorist use of a large aircraft, NRC’s emergency planning basis remains valid.” This conclusion was also supported by a Nuclear Energy Institute study a couple years after 9/11. But both these studies were horribly flawed in that neither addressed the raging fire that would occur in the plant itself. The studies only concluded that a hijacked aircraft would not penetrate the containment structure itself and would not in fact directly impact fuel in the adjacent spent fuel pool. None of us will forget those images of the raging fires in the twin towers caused by all that burning aviation fuel. A raging fire in the auxiliary building that surrounds the containment structure at a nuclear plant will soon destroy the ability for operators to safely monitor & maintain the reactor inside the containment building itself. Without power sources & power cabling available for cooling the reactor or the fuel in the spent fuel pool, fuel melt will occur within hours. Even individual compartment 3-hour rated fire barriers, penetrations, & doors are simply no match for such a fire. As you know even twin tower structural steel was compromised in that fire.
Just as the Browns Ferry fire in the cable spread room below the control room there threatened to take away the “keys” from the operators, so would a raging fire between the control room and the containment building due to an aircraft crash do the same.
I also have additional concerns regarding a CCF due to either external or internal flooding at a nuclear power plant.
I will try to address those concerns separately as this comment is getting just too long.
I would appreciate any information you could provide Mary to allay my concerns.
In addition to Donna Gilmore’s comments, I’d like to know why in the world Stainless Steel would be used so close (a hundred feet or so) from the Pacific Ocean? To quote from the most widely-read and intensively researched book on corrosion, “Rust: The Longest War” by Jonathan Waldman: “Stainless steel doesn’t do well in saltwater” and “Salt is bad news because chlorine is as reactive as oxygen, and more persistent…chloride ions embed like tics. Salting has much to do with the deficient condition of the country’s bridges…” The same bridges over and under which the casks will have to move — eventually. And not to mention the unknown condition of the nation’s thousands of thin stainless steel dry casks (with about 10,000 more dry casks needed for the spent fuel already in existence in the pools and reactors) since, as Donna points out and a Southern California Edison employee confirmed at a recent Community “Enragement” Panel, they can’t be inspected.
Then why does the NRC approve thin-walled mostly 1/2″ thick stainless steel spent nuclear fuel canisters that the NRC knows can crack and leak, resulting in radioactive gases being released through the overpack air vents? And with Zirconium clad spent fuel that can become brittle and fail. And with damaged fuel cans that do not protect from releases, since the ends of the cans are vented. Why is the NRC approving any dry storage system that cannot be inspected, maintained, repaired, lacks defense in depth (no redundancy), and provides an inadequate monitoring system that does not warn in time to prevent radiation releases? Other countries have standardized on thick metal casks that would meet all these requirements. Details at SanOnofreSafety.org
This article’s timing seems odd when you look at how many emergency shutdowns our old nuke plants are having, including today’s story at Salem 2 and multiple shutdowns.
The Salem 2 reactor automatically tripped off-line on June 28 after its generator shut down because of an alarm indicating some sort of problem.
hmmm….the nuke plant trips off and all that is known is that it is “some sort of problem”
This is the second largest nuclear complex in the USA. And they don’t know what’s wrong. Soup up them clunkers and put the pedal to the metal!