U.S. NRC Blog

Transparent, Participate, and Collaborate

Part II: How the NRC Uses a Defense-in-Depth Approach Today to Protect the Public

Mary Drouin
Senior Program Manager
Division of Risk Assessment, Performance and Reliability Branch

Defense-in-depth is a central theme in the NRC’s regulatory oversight of the nuclear power industry. As our agency historian, Tom Wellock, discussed in Monday’s post, the concept of defense-in-depth emerged during the trench warfare of World War I. The idea of multiple lines of defense was applied to nuclear safety in the 1950s as the leading concept for protecting the public from the consequences of a nuclear reactor accident.

The NRC’s predecessor agency, the U.S. Atomic Energy Commission, spelled out defense-in-depth in a 1957 report called WASH-740, Possibilities and Consequences of Major Accidents in Large Nuclear Power Plants. “Should some unfortunate sequence of failures lead to destruction of the reactor core … no hazard to the safety of the public would occur unless two additional lines of defense were also breached,” the report said.

These words are at the heart of defense-in-depth as it has been practiced for six decades: multiple layers of defense to protect against accidents and their effects to ensure the risk to the public is acceptably low.

In a recent report issued this spring, Historical Review and Observations of Defense-in-Depth (NUREG/KM-0009), the NRC looks at how the concept has evolved in practice over the years. It also includes views from other government agencies and the international community.

As the report explains, defense-in-depth recognizes that our knowledge is imperfect. Although we plan for all conceivable accidents, the unexpected may still occur. Even if we have anticipated an event, its characteristics and impacts may be unpredictable. Our design and operation of nuclear plants need to be robust enough to compensate for this lack of knowledge. Defense-in-depth offers multiple layers of protection in case one or more layers fail.

So we don’t just rely on preventing an accident; we also need strong defenses to mitigate the effects of any accident that does occur. This applies to nuclear power plants, waste management and security as well.

In practice, defense-in-depth addresses three principles that should be factored into the design and operation of systems and components to provide additional confidence that an accident would not compromise the defensive layers:

  • Redundancy means more than one component performs the same function – for example, having multiple pumps instead of a single one;
  • Independence means these multiple components rely on separate and distinct attributes to function – the multiple pumps have separate piping from the water tank to where they discharge, and are housed in separate compartments; and
  • Diversity means the multiple components performing the same function rely on different design features to operate – motor-driven pumps versus steam-powered pumps.

In reactor safety, the layers of defense might be:

  • Maintain reactor stability by limiting the ability of events to disrupt operation (with protective measures such as fire-safe or flood-tight doors, seismically designed buildings)
  • Protect the reactor should operation be disrupted (emergency reactor core cooling with redundant pumps)
  • Barrier integrity to guard against a release of radioactivity to the environment (leak-tight containment structures, filtered vents, containment sprays) and
  • Protect the public if a release does occur (emergency preparedness plans)

This versatile framework can apply whether the risk to the public comes from the reactor, spent fuel pool, nuclear waste or security threats.

Defense in Depth Part I: A War for Safety

Thomas Wellock

One hundred years ago the French and German armies of World War I devised a new defensive strategy called “defense in depth.” Its aim was to prevent an enemy breakthrough of an army’s frontline with a deep system of interconnected trench lines and strong points.

Defense in depth circa WWI. Photo courtesy of the Library of Congress


Popularized in all its desperation and grisly effectiveness in films such as All Quiet on the Western Front, defense in depth has become the NRC’s official metaphor in the battle to protect the public from radiation hazards. It is the key concept governing nuclear safety in using multiple strategies in safety-system design, operations, and emergency procedures and planning.

The NRC’s use of the term has roots in the Manhattan Project of World War II. Military metaphors seemed particularly apt for those charged with ensuring the safety of the early plutonium production reactors at Hanford, Washington. They worried about the potential for a reactor “catastrophe” from a radiation release of “explosive violence.” Their solution was to erect multiple “lines of defense” of trained operators and emergency personnel, carefully sealed fuel rods, shielding walls, backup cooling and power systems, and even a backup to the backup shutdown system—a final solution so drastic that it would destroy the reactor to save the operators’ lives. Fittingly, its moniker derived from another military term — the “last ditch” safety device.

After the war, the “lines of defense” in reactor safety were categorized into functions by Atomic Energy Commission safety committees:

  1. Features that made a reactor inherently safe;
  2. “Static,” or physical, barriers, such as containment buildings, were to halt the escape of radiation; and
  3. Active systems were to shut down and cool the reactor in the case of unusual conditions.

While the AEC’s safety approach became more coherent, there was no consensus among experts over the relative importance of each category. Some experts focused mostly on a design’s physical barriers, while others gave weight to all three categories and included reactor operation too.

Over time, “defense in depth” replaced the scattered concept of “lines of defense.” Its first use appears to have been in 1958 to describe safety design in the plutonium extraction processes at Hanford. In a 1965 letter to Congress, AEC Chairman Glenn Seaborg applied the term to civilian reactor safety as an accident prevention and mitigating strategy.

It provided, he wrote, “multiple safeguards against the occurrence of a serious accident, and for containment of fission product release.” The term stuck.

But the story continues. The Office of Nuclear Regulatory Research has published a report on the history of defense in depth up to the present, which covers the term’s application to the whole nuclear fuel cycle. It’s a fascinating look at how this bedrock safety concept has evolved under the influence of events and new knowledge. We’ll have more on this report on Wednesday.



Throwback Thursday – It Happened in 1984

NRC Chairman Nunzio J. Palladino visits the Grand Gulf nuclear power plant at Port Gibson, Miss., in July 1984. The operating license for the plant was issued in November that year and commercial operation began a year later, in July 1985. The photo is from the agency’s 1984 annual report.


UPDATE: Keeping U.S. Reactors Safe from Power Pulses

Scott Burnell
Public Affairs Officer

The NRC requires U.S. nuclear power plants to be able to shut down safely in the face of many extreme events – tornados, hurricanes and earthquakes. But the NRC also takes into account far more unusual events, like solar flares and man-made electromagnetic pulse (EMP). Both can affect generators, transformers and other parts of the electric grid – which in turn could affect nuclear power plants.

The NRC has been examining these issues for more than 30 years, starting in the late 1970s when the agency studied how EMP could affect nuclear power plant safe-shutdown systems. In February 1983 the NRC issued the study’s conclusion: nuclear power plants’ safety systems can do their jobs after an EMP event. The agency revisited the issue in 2007 to account for the increasing use of digital computer systems in nuclear plants, which potentially could be more susceptible to EMP. The agency continued to conclude as recently as two years ago that nuclear power plants can safely shut down following an EMP event.

The NRC has also examined “solar storms” and their potential to damage the electric grid. A strong geomagnetic storm on March 13, 1989, for example, severely disrupted electrical power equipment in Canada, Scandinavia, and the United States. After studying the event the NRC issued an Information Notice in June 1990, to ensure nuclear power plants understood how severe solar activity could affect transmission systems and other components of the power grid.

Additional research in 2010 analyzed and compared solar or geomagnetically-induced current events to those of the EMP events previously analyzed. This work led to the same conclusion as the EMP studies – U.S. nuclear power plants can safely shut down if a solar storm disrupts the grid.

The edge of the NRC’s authority lies in a nuclear power plant’s electric switchyard, where our rules mesh with those of the Federal Energy Regulatory Commission, which oversees the nation’s electric grids. Another body, the North American Electric Reliability Corporation, develops and enforces grid reliability standards. The NRC works closely with FERC and NERC on grid reliability issues, including the effects of solar or geomagnetic storms and EMP. In 2015 FERC began the process of creating reliability standards to protect the grid against these events.

In 2011 a citizen petitioned the NRC to revisit the issue of grid disruption. The petition discussed ensuring U.S. nuclear power plants have emergency systems to keep spent fuel pools cool for two years after an electric grid failure. The NRC’s draft rule on maintaining key plant safety functions after a severe event, issued last year, includes measures to keep spent fuel pools cool.

The NRC is also participating in a White House-led task force on better understanding and dealing with space weather such as solar flares. Much of this work aims to improve society’s ability to forecast and warn against these events. Both the Department of Energy and electric grid companies have started efforts to stockpile specialized electrical equipment (such as large transformers) needed to restore the grid after these events.

The original blog post ran in October 2011.

Happy July 4th

