Defense in depth (nuclear engineering)
U.S. non-military nuclear material is regulated by the U.S. Nuclear Regulatory Commission (NRC), which uses the concept of defense-in-depth to protect the health and safety of the public from the hazards associated with nuclear materials. The NRC defines defense-in-depth as creating multiple independent and redundant layers of protection and response against failures, accidents, or fires in power plants. For example, defense-in-depth means that if one fire suppression system fails, another will be there to back it up. The idea is that no single layer, no matter how robust, is relied upon exclusively. The layers include access controls, physical barriers, redundant and diverse key safety functions, and emergency response measures. Defense-in-depth is designed to compensate for human and mechanical failures, which are expected to occur.
Any complex, close-coupled system, no matter how well engineered, cannot be said to be failure-proof. This is especially true when people operate the controls that determine how the system performs.
Fire Protection Defense-In-Depth
On November 19, 1980, the NRC promulgated 10 CFR 50, Appendix R, Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979, which has a discussion of defense-in-depth. Defense-in-depth includes preventing plant fires; detecting, controlling, and extinguishing fires that do occur; and ensuring that a fire, not promptly extinguished, will not prevent the safe shutdown of the plant.
The NRC granted the Indian Point nuclear plant an exemption from the defense-in-depth regulations. The defense-in-depth rule required that electric power cables which control reactor shutdown in an emergency have fire insulation that lasts one hour; the NRC allowed Indian Point to use insulation that lasts 24 minutes. This decision was challenged in Federal District Court, where the judge decided that "the NRC's decision to grant the exemption was neither arbitrary nor capricious," concluding that the agency had performed a comprehensive safety review before issuing the exemption order. On appeal, however, the Federal Circuit Court determined that the NRC must hold a public hearing on any exemption to the defense-in-depth rule.
Defense-in-Depth in Licensing Basis Changes
NRC's Regulatory Guide 1.174, An Approach for using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, includes a discussion of using defense-in-depth for changes to a nuclear power plant's licensing basis. Section 2.1.1 enumerates the elements of defense-in-depth:
- Balance efforts among preventing core damage, preventing containment failure, and mitigating accident consequences.
- Do not rely on employee training to compensate for changes to the physical systems.
- System redundancy, independence, and diversity are matched to the expected frequency, consequences, and uncertainties of the various failure and accident modes.
- Defenses against potential common-cause failures are preserved.
- Potential for the introduction of new common-cause failure mechanisms is assessed.
- Independence of barriers is not degraded.
- Defenses against human errors are preserved.
- The intent of the plant’s design criteria is maintained.
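Several of the elements above (preserving redundancy and independence, guarding against common-cause failures, not degrading barrier independence) are about the same quantitative fact: redundant layers only multiply their protection when they fail independently. The following added example is not from the page or from NRC guidance; it uses a beta-factor common-cause model, an assumption made here, to show how much a shared failure cause erodes the benefit of stacking layers. The per-layer failure probability, layer count, and beta value are constructed sample inputs.

```python
"""Toy model of layered protection under independent vs. common-cause failure.

Added illustration, not from the page. The beta-factor model is an
assumption of this example: a fraction ``beta`` of each layer's failure
probability is attributed to a single shared cause that defeats every
layer at once; the remainder fails independently per layer.
"""
from typing import Sequence


def p_loss_independent(p_layers: Sequence[float]) -> float:
    """Probability the protected function is lost when layers fail
    independently: every layer must fail, so the probabilities multiply."""
    result = 1.0
    for p in p_layers:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"failure probability out of range: {p}")
        result *= p
    return result


def p_loss_beta_factor(p: float, n: int, beta: float) -> float:
    """Probability of losing the function across ``n`` identical layers with
    per-layer failure probability ``p`` when a fraction ``beta`` of that
    probability is a shared (common-cause) failure.

    Beta-factor model (assumption): a layer fails from the common cause with
    probability beta*p, taking all layers out together, or on its own with
    probability (1-beta)*p.
    """
    if n < 1:
        raise ValueError("need at least one layer")
    if not (0.0 <= p <= 1.0 and 0.0 <= beta <= 1.0):
        raise ValueError("p and beta must be in [0, 1]")
    p_common = beta * p
    p_all_independent = ((1.0 - beta) * p) ** n
    # Lost if the common cause strikes, or (if it does not) every layer
    # fails independently.
    return p_common + (1.0 - p_common) * p_all_independent


def common_cause_penalty(p: float, n: int, beta: float) -> float:
    """Factor by which a shared cause raises the loss probability relative
    to the fully independent case with the same layers."""
    return p_loss_beta_factor(p, n, beta) / p_loss_independent([p] * n)


if __name__ == "__main__":
    # Constructed sample: three layers, each failing 1 time in 100,
    # with 10% of that failure probability shared across layers.
    p, n, beta = 0.01, 3, 0.10
    print(f"independent layers : {p_loss_independent([p] * n):.2e}")
    print(f"with common cause  : {p_loss_beta_factor(p, n, beta):.2e}")
    print(f"penalty factor     : {common_cause_penalty(p, n, beta):.0f}x")
```

With the sample values, three independent layers give a loss probability of about 1e-6, but a 10% shared cause raises it to about 1e-3, roughly a thousandfold penalty. This is why a licensing basis change that introduces a new common-cause mechanism (a shared power supply, a shared cable route, a shared procedure) can erase the credit taken for redundancy even though the layer count is unchanged, and why the elements above ask that such mechanisms be assessed and barrier independence be preserved.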