Part II: How the NRC Uses a Defense-in-Depth Approach Today to Protect the Public

Mary Drouin
Senior Program Manager
Division of Risk Assessment, Performance and Reliability Branch

Defense-in-depth is a central theme in the NRC’s regulatory oversight of the nuclear power industry. As our agency historian, Tom Wellock, discussed in Monday’s post, the concept of defense-in-depth emerged during the trench warfare of World War I. The idea of multiple lines of defense was applied to nuclear safety in the 1950s as the leading concept for protecting the public from the consequences of a nuclear reactor accident.

The NRC’s predecessor agency, the U.S. Atomic Energy Commission, spelled out defense-in-depth in a 1957 report called WASH-740, Possibilities and Consequences of Major Accidents in Large Nuclear Power Plants. “Should some unfortunate sequence of failures lead to destruction of the reactor core … no hazard to the safety of the public would occur unless two additional lines of defense were also breached,” the report said.

These words are at the heart of defense-in-depth as it has been practiced for six decades: multiple layers of defense to protect against accidents and their effects to ensure the risk to the public is acceptably low.

In a recent report issued this spring, Historical Review and Observations of Defense-in-Depth (NUREG/KM-0009), the NRC looks at how the concept has evolved in practice over the years. It also includes views from other government agencies and the international community.

As the report explains, defense-in-depth recognizes that our knowledge is imperfect. Although we plan for all conceivable accidents, the unexpected may still occur. Even if we have anticipated an event, its characteristics and impacts may be unpredictable. Our design and operation of nuclear plants need to be robust enough to compensate for this lack of knowledge. Defense-in-depth offers multiple layers of protection in case one or more layers fail.

So we don’t just rely on preventing an accident; we also need strong defenses to mitigate the effects of any accident that does occur. This applies to nuclear power plants, waste management and security as well.

In practice, defense-in-depth addresses three principles that should be factored into the design and operation of systems and components to provide additional confidence that an accident would not compromise the defensive layers:

  • Redundancy means more than one component performs the same function – for example, having multiple pumps instead of a single one;
  • Independence means these multiple components rely on separate and distinct attributes to function – the multiple pumps have separate piping from the water tank to where they discharge, and are housed in separate compartments; and
  • Diversity means the multiple components performing the same function rely on different design features to operate – motor-driven pumps versus steam-powered pumps.

In reactor safety, the layers of defense might be:

  • Maintain reactor stability by limiting the ability of events to disrupt operation (with protective measures such as fire-safe or flood-tight doors, seismically designed buildings)
  • Protect the reactor should operation be disrupted (emergency reactor core cooling with redundant pumps)
  • Maintain barrier integrity to guard against a release of radioactivity to the environment (leak-tight containment structures, filtered vents, containment sprays) and
  • Protect the public if a release does occur (emergency preparedness plans)

This versatile framework can apply whether the risk to the public comes from the reactor, spent fuel pool, nuclear waste or security threats.

When A Strike is a Possibility at a Plant

Diane Screnci
Senior Public Affairs Officer
Region I

Unionized workers at the James A. FitzPatrick nuclear power plant in Oswego, N.Y., recently voted to accept a new contract days before the current pact was to expire. The union representing operations, maintenance and radiation protection staff and Entergy, the company that owns the plant, reached a new four-year agreement.

While it was good news to learn an agreement had been reached, the agency had been tracking the status of the negotiations all along and was prepared to provide oversight to ensure the unit would be operated safely during any job action.

We have procedures to make sure the owner is taking all of the appropriate steps to ensure continued safe operation in the event of a strike. For example, as a contract expiration is drawing near, the NRC Resident Inspectors assigned to the site and specialist inspectors from the Regional Office in King of Prussia, Pa., review the company’s contingency plans for staffing and other actions to prepare for a strike.

We don’t get involved in contract negotiations. We ensure that the requirements of the facility’s license and technical specifications are maintained at all times. At FitzPatrick and other plants facing an impending contract expiration, NRC inspectors ensure all emergency plan positions are properly staffed and that qualified licensed operators operate the plant. They also review the qualifications of replacement workers to verify they were properly trained to step in.

In the event of a strike at any plant, the NRC Resident Inspectors would be supplemented by additional NRC inspectors to provide round-the-clock NRC inspection coverage for the first 48 hours. We’d have continued additional site coverage for at least the first two weeks. If need be, we could continue enhanced inspector coverage for as long as necessary.