Defence in depth: facilities

This page summarizes what you have read.
See if you can identify the four main characteristics of high integrity safety layers before revealing the answers.

  • to cope with all relevant design basis faults
  • as 'high integrity' in the facility safety justification
  • through monitoring or inspection
  • by procedures/long times to respond to any degradation


  • Fuel transport flask
  • Reactor pressure vessel
  • Irradiation facility vault or shielding
  • Naturally occurring convective cooling

If only one safety layer remains, but that safety layer meets all the requirements of a high integrity safety layer, a basic rating of Level 0 would be more appropriate.

The demands of a high integrity safety layer are significant. Don’t be tempted to use the concept too easily! For an example of an event involving a high integrity safety layer, read example 48 on page 131 of the Manual.

Example 48. Loss of cooling at a small research reactor - Below Scale/Level 0

Event description

The event occurred at a 100 kW research reactor with a large cooling pool and a heat exchanger/purification system as shown in Fig. 3. In the event of loss of cooling, any heating of the water will be extremely slow.

The event occurred when the pipework downstream of the pump failed, and coolant was pumped out to the bottom of the suction pipe. The pump then failed due to cavitation.

Rating explanation

2. and 3. Actual consequences:

There were no actual consequences from the event.

6.2.1. Maximum potential

There are two safety functions to be considered. One is the cooling of the fuel, and the other is the shielding to prevent high worker doses. For both safety functions, due to the low inventory, the maximum potential consequences cannot exceed Level 4, and therefore the maximum under defence in depth is Level 2.

6.2.2. Identification of number of safety layers:

Considering the cooling function, by design there are three safety layers. One is the heat exchanger system, another is the large volume of water in the pool, and the third is the ability to cool the fuel in the air. The suction side has been deliberately designed so as to ensure a large volume of water remains in the pool should the suction pipe fail. Furthermore, it is clear that the main safety layer is the volume of water. This can therefore be considered as a high integrity safety layer for the following reasons:
- The heat input is small compared to the volume of the water such that any temperature rise will be extremely slow. It should take many days for the water level to decrease significantly.
- Any reduction in water level would be readily detected by the operating personnel, and the water level could be simply topped up via a number of
- The safety justification for the facility recognizes this as the key safety layer and demonstrates its integrity. The suction pipe to the heat exchanger was carefully designed to ensure that adequate water remained.

6.2.3. Assessment of the basic

The basic rating is considered to be zero because there are two safety layers remaining, and one is of high integrity. Considering the shielding safety function, there is only one safety layer remaining, but it is of high integrity as the level of water remaining at the bottom of the suction pipe provides adequate shielding.

6.2.4. Additional factors:

There are no reasons to uprate the event.

Overall rating:

Below Scale/Level 0.