Defence in depth: facilities



One final page before we try some examples. The authors of the guidance for facilities recognized that the guidance is very general and may be initially difficult to apply. For this reason, there is a complete section of the Manual which shows how the principles we have learned are applied to specific types of events. This page shows the types of events. We recommend you read these seven pages once you have worked through some of the examples.


6.3.1. Events involving failures in cooling systems during reactor shutdown

Most reactor safety systems have been designed for coping with initiators occurring during power operation. Events in hot shutdown or startup condition are quite similar to events in power operation and should be rated using Section 5. Once the reactor is shut down, some of these safety systems are still required to assure the safety functions, but usually more time is available. On the other hand, this time available for manual actions may replace part of the safety provisions in terms of redundancy or diversity (i.e. depending on the status of the plant, a reduction in the redundancy of safety equipment and/or barriers may be acceptable during some periods of cold shutdown). In such shutdown conditions, the configurations of the barriers are sometimes also quite different (e.g., an open primary coolant system or an open containment). It is for these reasons that an alternative approach to rating events is provided for shutdown reactors (i.e. the safety layers approach).

The main factors affecting rating are the number of trains of cooling provided, the time available for corrective actions and the integrity of any pipework for cooling vessels. Some examples based on pressurized water reactors during cold shutdown are given in section 6.4.1 (Example 41 to Example 46) to give guidance for rating events following the safety layers approach. For other reactor types, it will be necessary to use this as illustrative guidance together with Section 6.2 to rate such events.

6.3.2. Events involving failures in cooling systems affecting the spent fuel pool

After some years of operation, the radioactive inventory of the spent fuel pool may be high. In this case, the rating of events affecting the spent fuel pool with respect to impact on defence in depth may span the full range up to Level 3.

Because of the large water inventory and the comparably low decay heat, there is usually plenty of time available for corrective actions to be taken for events involving degradation of spent fuel pool cooling. This is equally true for a loss of coolant from the spent fuel pool, since the leakage from the pool is limited by design. Thus, a failure of the spent fuel pool cooling system for some hours or a coolant leakage will not usually affect the spent fuel.

Therefore, minor degradation of the pool cooling system or minor leakages should typically be rated at Below Scale/Level 0.

Operation outside the OL&C or a substantial increase in temperature or decrease of the spent fuel pool coolant level should be rated as Level 1.

An indication of Level 2 could be widespread boiling of coolant or fuel elements becoming uncovered. Substantial fuel element uncovering clearly indicates Level 3.

6.3.3. Criticality control

The behaviour of a critical system and its radiological consequences are heavily dependent on the physical conditions and characteristics of the system. In homogeneous fissile solutions, the possible number of fissions, the power level of the criticality excursion and the potential consequences of a criticality excursion are limited by these characteristics. Experience with criticality excursions in fissile solutions shows that typically the total number of fissions is in the order of 10¹⁷–10¹⁸.

Heterogeneous critical systems such as fuel rod lattices or dry solid critical systems have the potential for high power peaks leading to explosive release of energy and the release of large amounts of radioactive material due to substantial damage to the installation. For such facilities, the maximum potential consequences could exceed Level 4.

For other facilities, the main hazard from a criticality excursion is exposure of personnel due to high radiation fields from direct neutron and gamma radiation. A second consequence might be a release to the atmosphere of short lived radioactive fission products and potentially severe contamination within the facility. For these two scenarios, the maximum potential consequences would be Level 3 or 4.

In accordance with the general guidance:

  • Minor deviations from the criticality safety regime that are within the authorized limits should be rated at Below Scale/Level 0.
  • Operation outside authorized limits should be rated at least at Level 1.
  • An event where a criticality event would have occurred had there been one further failure in the safety provisions or had conditions been slightly different should be rated at Level 2 for facilities with maximum potential consequences of Level 3 or 4. If the maximum potential consequences could have been Level 5 or higher, the event should be rated at Level 3.

If more than one safety layer remains, then a lower level would be appropriate and Table 11 should be used to determine the appropriate rating.

6.3.4. Unauthorized release or spread of contamination

Any event involving transfer of radioactive material that results in a contamination level above the investigation level for the area may justify a rating of Level 1, based on safety culture issues (Section 6.2.4 “failure to maintain proper control over radioactive materials”). Contamination levels in excess of the authorized limit for the area should be rated at Level 1. More significant failures in safety provisions should be rated by considering the maximum potential consequences should all the safety provisions fail and the number of safety layers remaining.

Breaches of discharge authorizations should be rated at least at Level 1.

6.3.5. Dose control

Occasionally, situations may arise when the radiological control procedures and managerial arrangements are inadequate, and employees receive unplanned radiation exposures (internal and external). Such events may justify a rating of Level 1 based on Section 6.2.4 (failure to maintain proper control over radioactive materials). If the event results in the cumulative dose exceeding authorized limits, the event should be rated at least at Level 1 as a violation of authorized limits.

In general, the guidance in Section 6.2.4 should not be used to uprate events related to dose control failure from a basic rating of Level 1. Otherwise, events where dose was prevented will be rated at the same level as those where significant doses in excess of dose limits were actually incurred. However, Level 2 would be appropriate under defence in depth if one or no safety layers remain, and the maximum potential consequences should the safety provisions fail are Level 3 or 4.

6.3.6. Interlocks on doors to shielded enclosures

Inadvertent entry to normally shielded locations is generally prevented by the use of radiation activated interlocking systems on the entrance doors, the use of entry authorization procedures and pre-entry checks on radiation dose rates.

Failure of the shield door interlocking protection can result from loss of electrical supply, from defects in either the detector(s) or the associated electronic equipment, or from human error.

As the maximum potential consequences for such events are limited to Level 4, events where a further failure in the safety provisions would result in an accident should be rated at Level 2. Events where some provisions have failed but additional safety layers remain, including administrative arrangements governing authorization for entry, should generally be rated at Level 1.

6.3.7. Failures of extract ventilation, filtration and cleanup systems

In facilities working with significant quantities of radioactive material, there could be up to three separate but interrelated extract ventilation systems. They maintain a pressure gradient between the various vessels, cells/glove boxes and operating areas as well as adequate flow rates through apertures in the cell operating area boundary wall to prevent back diffusion of radioactive material. In addition, cleanup systems, such as high-efficiency particulate air (HEPA) filters or scrubbers, are provided to reduce discharges to atmosphere to below pre-defined limits and to prevent back diffusion into areas of lower

The first step in rating events associated with the loss of such systems is to determine the maximum potential consequences should all the safety provisions fail. This should consider the material inventory and the possible means for its dispersion both inside and outside the facility. It is also necessary to consider the potential for decrease in the concentration of inerting gases or the buildup of explosive mixtures. In most cases, unless an explosion is possible, it is unlikely that the maximum potential consequences would exceed Level 4, and therefore the maximum under defence in depth would be Level 2.

The second step is to identify the number of remaining safety layers, including procedures to prevent the generation of further activity by cessation of work.

The rating of such events is illustrated by Example 52 in Section 6.4.2.
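The two rating steps that Sections 6.3.3 to 6.3.7 share (a ceiling set by the maximum potential consequences, then the number of remaining safety layers), as an added Python example that is not part of the INES Manual. `FacilityEvent`, `rate_event` and the handling of the unavailable Table 11 as a range of levels are this example's own assumptions.

```python
# Added example (not from the INES Manual): the two-step defence-in-depth
# rating this page applies across Sections 6.3.3 to 6.3.7. Table 11 is not
# reproduced on the page, so when more than one safety layer remains the
# function returns bounds rather than a single level.
from dataclasses import dataclass
from typing import Optional, Tuple

BELOW_SCALE = 0  # "Below Scale/Level 0"


@dataclass
class FacilityEvent:
    max_potential_consequences: int  # INES level if every safety provision failed
    safety_layers_remaining: int     # independent layers still intact
    outside_authorized_limits: bool  # operation outside OL&C / authorized limits
    expected_over_lifetime: bool     # deviation expected during the facility's life


def defence_in_depth_ceiling(max_potential_consequences: int) -> Optional[int]:
    """Step 1 (Sections 6.3.3, 6.3.6, 6.3.7): worst case sets the ceiling.

    Level 3 or 4 consequences cap the rating at Level 2; Level 5 or higher
    at Level 3. The page states no ceiling for lower worst cases -> None.
    """
    if max_potential_consequences >= 5:
        return 3
    if max_potential_consequences >= 3:
        return 2
    return None


def rate_event(ev: FacilityEvent) -> Tuple[int, int]:
    """Step 2: (lowest, highest) rating consistent with the rules on this page."""
    # Within limits and expected over the lifetime: Below Scale/Level 0.
    if ev.expected_over_lifetime and not ev.outside_authorized_limits:
        return (BELOW_SCALE, BELOW_SCALE)
    # Operation outside authorized limits is rated at least Level 1.
    floor = 1 if ev.outside_authorized_limits else BELOW_SCALE
    ceiling = defence_in_depth_ceiling(ev.max_potential_consequences)
    if ceiling is None:
        return (floor, floor)
    # One or no safety layer left: the event takes the full ceiling.
    if ev.safety_layers_remaining <= 1:
        level = max(floor, ceiling)
        return (level, level)
    # More than one layer left: a lower level, fixed by Table 11 (not on
    # this page), so only the bounds are known.
    return (floor, ceiling - 1)
```

For the shield door interlock case of Section 6.3.6 (worst case Level 4, one further failure from an accident) the function returns (2, 2); with additional administrative layers still intact it returns (0, 1), matching the "generally Level 1" guidance as an upper bound.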

6.3.8. Handling events and drops of heavy loads

Events not involving fuel assemblies

The impact of handling events or failure of lifting equipment depends on the material involved, the area in which the event occurred and the equipment which was or could have been affected.

Events where a dropped load threatens a spillage of radioactive material (either from the dropped load itself or from affected pipework or vessels) should be rated by considering the maximum potential consequences and the likelihood that such a spillage might have occurred. Events where a dropped load only causes limited damage but had a relatively high probability of causing worse consequences should be rated at the maximum level under defence in depth appropriate to the maximum potential consequences. Similarly, events where only one safety layer prevented the damage should also be rated at the maximum level unless that layer is considered to be of especially high reliability or integrity.

Events where the likelihood is lower or there are additional safety layers should be rated following the guidance in Section 6.2.

Minor handling events, which would be expected over the lifetime of the facility, should be rated at Below Scale/Level 0.

Fuel handling events

Events during handling of unirradiated uranium fuel elements with no significant implications for the handling of irradiated fuel should typically be rated as Below Scale/Level 0 if there has been no risk of damaging spent fuel elements or safety-related equipment.

For irradiated fuel, the radioactive inventory of a single fuel element is very much lower than the inventory of the spent fuel pool or the reactor core, and hence the maximum potential consequences are less.

As long as the cooling of the spent fuel element is guaranteed, this provides an important safety layer since the integrity of the fuel matrix will not be degraded by overheating. In general, there will be very long timescales associated with fuel overheating. Depending on the facility configuration, containment will also provide a safety layer in most cases.

Events expected over the lifetime of the facility that do not affect the cooling of the spent fuel element and only result in a minor release or no release typically should be classified as Below Scale/Level 0.

Level 1 should be considered for events:

  • Not expected over the lifetime of the facility;
  • Involving operation outside the authorized limits;
  • Involving limited degradation of cooling not affecting the integrity of the fuel pins;
  • Involving mechanical damage of the fuel pin integrity without degradation of cooling.

Level 2 may be appropriate for events in which there is damage to the fuel pin integrity as a result of substantial heat up of the fuel element.

6.3.9. Loss of electrical power supply

At many facilities, it is often necessary to provide a guaranteed electrical supply to ensure continued safe operation and to maintain the availability of monitoring equipment and surveillance instruments. Several independent electrical supply routes and diverse supply means are used to prevent common cause failure. While most facilities will be automatically shut down to a safe condition on total loss of electrical power supplies, in some facilities additional safety provisions, such as the use of inerting gas or backup generators, will be provided.

In order to rate events involving loss of off-site power supplies or failures of on-site supply systems, it is necessary to use the guidance in Section 6.2, taking account of the extent of any remaining supplies, the time for which the supplies were unavailable and the maximum potential consequences. It is particularly important to take account of the time delay acceptable before restoration of supplies is required.

For some facilities, there will be no adverse safety effects, even with a complete loss of power supplies lasting several days, and such events at these facilities should generally be rated at Below Scale/Level 0 or Level 1 as there should be several means available to restore supplies within the available time. Level 1 would be appropriate if the availability of safety systems had been outside the authorized limits.

Partial loss of electric power or loss of electric power from the normal grid with available power supply from standby systems is “expected” over the life of the facility and therefore should be rated Below Scale/Level 0.

6.3.10. Fire and explosion

A fire or explosion within or adjacent to the facility that does not have the potential to degrade any safety provisions would either not be rated on the scale or would be rated Below Scale/Level 0. Fires that are extinguished by the installed protection systems, functioning as intended by design, should be rated similarly.

The significance of fires and explosions at installations depends not only on the material involved but also on the location and the ease with which firefighting operations can be undertaken. The rating depends on the maximum potential consequences, as well as the number and effectiveness of the remaining safety layers, including fire barriers, fire suppression systems and segregated safety systems. The effectiveness of remaining safety layers should take account of the likelihood that they could have been degraded.

Any fire or explosion involving low level waste should be rated at Level 1, owing to deficiencies in procedures or safety culture issues.

6.3.11. External hazards

The occurrence of external hazards, such as external fires, floods, tsunamis, external explosions, hurricanes, tornados or earthquakes may be rated in the same way as other events by considering the effectiveness of remaining safety provisions.

For events involving failures in systems specifically provided for protection against hazards, the number of safety layers should be assessed, including the likelihood of the hazard occurring during the time when the system was unavailable. For most facilities, owing to the low expected frequency of such hazards, a rating greater than Level 1 is unlikely to be appropriate.

6.3.12. Failures in cooling systems

Failures in essential cooling systems can be rated in a similar way to failures in electrical systems by taking account of the maximum potential consequences, the number of safety layers remaining and the time delay that is acceptable before restoration of cooling is required.

In the case of failures in the cooling systems of high level liquid waste or plutonium storage, Level 3 is likely to be appropriate for events where only a single safety layer remains for a significant period of time.