Defence in depth: facilities



Let’s look at an example.

Try to answer the questions on how severe and how close, and then check your answers.


  • High activity vitrified waste was moved into an unlocked cell.


  • Caused by failure of key control system and software interlocks using gamma detectors


  • Worker entry requires wearing personal alarm dosimeters


  • Potential for a lethal dose—no one was present

how big?


death of a worker - Level 4

how close?


a single safety layer remained—controlled entry with dosimeter

So what is the basic rating?


You can see from the table that this event would be rated at Level 2. If you want to read the full event, it is example 53 on page 139 of the Manual.

Example 53. Failure of a shield door interlocking system - Level 2

Event description

The event occurred when a container of highly radioactive vitrified waste was moved into a cell while the shield doors to the cell were open following a maintenance operation. The opening of the doors was controlled by a key exchange system, installed interlocks based on gamma detectors and programmable logic controllers. The original design of the cell access system was modified twice during the commissioning period, in an attempt to improve it. All of these systems failed to prevent the transfer of highly radioactive material into the cell while the shield doors were open.

Entry of personnel to this area is controlled by a permit that requires each person to wear a personal alarming dosimeter.

Personnel who might have been present in the cell or adjacent areas could have received a serious radiation exposure if they had failed to respond to either the container movement or their personal alarming dosimeter sounding a warning. In the event, the operating personnel quickly observed the problem and closed the shield doors. No one received any additional exposure.

The facility design concerning access to the cells had been modified during commissioning, and the consequences of these changes had been inadequately considered.

In particular:
- The commissioning of the interlock key exchange system for the cell shield doors had failed to show that the system was inadequate.
- A programmable logic control system had not been programmed and commissioned correctly.
- The modifications were poorly assessed and controlled because their safety significance was not classified correctly.
- Designers and commissioning staff did not communicate properly.

A permit to work authorization had been closed, indicating that the facility had been returned to its normal state, but in fact it had not.

The temporary plant modification proposal (TPMP) system was too frequently used in this facility and inadequately controlled, and the full PMP system in use required improvement.

Training and supervision of active cell entries was inadequate.

Rating explanation



2. and 3. Actual consequences:

There were no actual consequences from the event.

6.2.1. Maximum potential

The maximum potential consequences for such practices are rated at Level 4 (fatal radiation dose).

6.2.2. Identification of number of safety layers:

Despite the failure of a number of safety layers, there was one remaining safety layer, namely the permit to work authorization procedure for entry to the cells, requiring the use of personal alarm dosimeters.

6.2.3. Assessment of the basic

Based on Table 11, the maximum rating under defence in depth of Level 2 is appropriate.

6.2.4. Additional factors:

The rating cannot be updated beyond the maximum defence in depth rating.

Overall rating:

Level 2