Defence in depth: facilities



Now let’s look at another example, this time based on a shutdown reactor.

  • The event occurred soon after a shutdown, while cooling was being provided through two trains of shutdown cooling (either of which would keep the reactor at a safe temperature).
  • The normal steam generator route was also available and would provide cooling if required.
  • For some reason there was an increase in reactor coolant pressure, causing the valves on the right of the diagram to close.
  • The operators were alerted to the problem by alarms; they reduced the pressure and opened the valves.
  • At no time did the temperatures exceed the allowed levels.

How big?


Fuel melting
- Level 5 or more

How close?


  • Four lines of cooling
  • Common procedure to open two lines
  • Long time availability

- Four layers

There are clearly four separate physical lines of cooling, but the two shutdown cooling trains require operator action to reduce pressure and open the valves. As there was plenty of time available to carry out the procedure, the two shutdown lines could be treated as two layers.

So what is the basic rating?


You can see from the table that this event would be rated at Level 0. If you want to read the full event, it is example 41 on page 123 of the Manual.

Example 41. Loss of shutdown cooling due to increase in coolant pressure - Below Scale/Level 0

Event description

Shutdown cooling was being provided by circulation of coolant through two residual heat removal (RHR) heat exchangers via separate suction lines, each with two isolation valves. The valves in each line were controlled by separate pressure transducers and were operable from the control room. The primary circuit was closed. The steam generators were also available, ensuring that any temperature increases from loss of RHR would be very slow. Safety injection was not available; high pressure safety injection (HPSI) pumps are separate from the charging pumps, and relief valves were available to control primary circuit pressure.

The safety provisions are illustrated in Fig. 1.

The event occurred when a rise in coolant pressure caused the isolation valves to close. Alarms in the control room notified the operating personnel of the valve closure and, once the pressure had been reduced, the valves were re-opened. Temperatures did not rise above the limits in Operational Limits and Conditions.

Rating explanation



2. and 3. Actual consequences:

There were no actual consequences from the event.

6.2.1. Maximum potential

The maximum potential consequences for an event associated with a shutdown power reactor are Levels 5-7.

6.2.2. Identification of number of safety layers:

There were four hardware layers and, provided the steam generators remained available, there was plenty of time for the required actions, sufficient even to allow repairs to the RHR system to be carried out. As a result of the long timescales available, the procedure to re-open the valves can be regarded as more reliable than a single layer, and all four layers can be considered as independent.

6.2.3. Assessment of the basic

Based on Table 11, the rating is Below Scale/Level 0.

Overall rating:

Below Scale/Level 0.