Defence in depth: reactors



Here is the table for events with an initiator (Table 9).

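With a real initiator

| Safety function operability | Initiator frequency: (1) Expected | (2) Possible | (3) Unlikely |
|---|---|---|---|
| A Full | Below Scale/Level 0 | 1 | 2 |
| B Minimum required by OL&C | 1 or 2 | 2 or 3 | 2 or 3 |
| C Adequate | 2 or 3 | 2 or 3 | 2 or 3 |
| D Inadequate | 3+ | 3+ | 3+ |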

The first row may surprise you. If an initiator occurs and everything operates as expected, why rate at up to Level 2? The answer is that part of the defence in depth provisions is the prevention of initiators. Indeed for the unlikely initiators, such as major failures of the primary circuit, a lot of design assurance went into making this an unlikely event. If such a failure has occurred, it is a significant event and, in the judgement of the designers of the INES scale, warrants a rating of Level 2. 


At the other end of the table, row D represents events where there has been an initiator and all the provisions have failed. This is likely to result in an accident rated above Level 3 by the other criteria. It will be Level 3 under the defence in depth criteria, but probably higher by the other criteria. This is the meaning of 3+. 


In rows B and C, there is a choice of ratings. In row C and in B2 and B3, if the operability is just adequate, i.e. one further failure would lead to an accident, Level 3 is appropriate. Otherwise Level 2.


In B1 if there is considerable redundancy/diversity remaining, choose Level 1.

You may like to read and of the Manual, which also explains how to rate events with an initiator and gives some additional information.

Basis of rating

The appropriate ratings for events with a real initiator are given in Table 9. The basis of the values given in the table is as follows.

Clearly, if the safety function is inadequate, an accident will have occurred, and it will need to be rated based on its actual consequences. Such a rating could well exceed Level 3. However, in terms of defence in depth, Level 3 represents the highest rating. This is expressed by 3+ in Table 9.

If the safety function is just adequate, then again Level 3 is appropriate, because a further failure would lead to an accident. However, in other cases even though the operability is less than that required by the OL&C, it may be considerably greater than just adequate, particularly for expected initiators because OL&C requirements often still incorporate significant redundancy or diversity. Therefore, in Table 9, Level 2 or 3 is shown for expected initiators and adequate safety function, the choice depending on the extent to which the operability is greater than just adequate. For unlikely initiators, the operability required by the OL&C is likely to be just adequate and, therefore, in general, Level 3 would be appropriate for adequate operability. However, there may be particular initiators for which there is redundancy, and therefore Table 9 shows Level 2 or 3 for all initiator frequencies.

If there is full safety function operability and an expected initiator occurs, this should clearly be Below Scale/Level 0, as shown in Table 9. However, the occurrence of a possible or unlikely initiator, even though there may be considerable redundancy in the safety systems, represents a failure of one of the important parts of defence in depth, namely the prevention of initiators. For this reason Table 9 shows Level 1 for possible initiators and Level 2 for unlikely initiators.

If the operability of safety functions is the minimum required by OL&C, then in some cases, as already noted, for possible and particularly for unlikely initiators, there will be no further redundancy. Therefore, Level 2 or 3 is appropriate, depending on the remaining redundancy. For expected initiators, there will be additional redundancy, and therefore a lower rating is proposed. Table 9 shows Level 1 or 2, where again the value chosen should depend on the additional redundancy within the safety function. Where the safety function availability is greater than the minimum required by OL&C but less than full, there may be considerable redundancy and diversity available for expected initiators. In such cases, Below Scale/Level 0 would be more appropriate.

Rating procedure

With the background described in the previous section, events should be rated using the following procedure:

  1. Identify the initiator that has occurred.
  2. Determine the category of frequency allocated to that initiator. In deciding the appropriate category, it is the frequency that was assumed in the safety case (the justification of the safety of the plant and its operating envelope) for the plant that is relevant.
  3. Determine the category of operability of the safety functions challenged by the initiator.
    1. It is important that only those safety functions challenged by the initiator are considered. If the degradation of other safety systems is discovered, it should be assessed using the section on events without a real initiator in Section 5.1.4, using the initiator that would have challenged that safety system.
    2. In deciding whether the operability is within OL&C, it is the operability requirements prior to the event that must be considered, not those that apply during the event.
    3. If the operability is within OL&C but also just adequate, operability category C should be used as there is no additional redundancy (see earlier paragraphs in this section).
  4. The event rating should then be determined from Table 9. Where a choice of rating is given, the choice should be based on the extent of redundancy and diversity available for the initiator being considered.
    1. If the safety function operability is just adequate (i.e. one further failure would have led to an accident), Level 3 is appropriate.
    2. In cell B1 of Table 9, the lower value would be appropriate if there is still considerable redundancy and/or diversity available.
    3. In some reactor designs, there is a large amount of redundancy/diversity available for expected initiators. If the safety function operability is considerably greater than the minimum required by OL&C, but slightly less than full, Below Scale/Level 0 would be more appropriate.
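
Steps 3 and 4 of the procedure above, written as a decision function. This is an added illustration, not part of the INES Manual. The cell values are those the text gives for Table 9, and the names `rate`, `just_adequate`, `considerable_redundancy` and `well_above_minimum` are assumptions made for the example.

```python
from enum import Enum
from typing import NamedTuple

class Freq(Enum):        # Table 9 columns
    EXPECTED = 1
    POSSIBLE = 2
    UNLIKELY = 3

class Oper(Enum):        # Table 9 rows
    FULL = "A"
    MIN_OLC = "B"
    ADEQUATE = "C"
    INADEQUATE = "D"

class Rating(NamedTuple):
    level: int           # defence in depth level; 0 means Below Scale/Level 0
    cell: str            # Table 9 cell used, e.g. "C1"
    may_exceed: bool     # True for "3+": rate on actual consequences as well

# (lower, higher) level for each cell, as stated in the text above
TABLE_9 = {
    Oper.FULL:       {1: (0, 0), 2: (1, 1), 3: (2, 2)},
    Oper.MIN_OLC:    {1: (1, 2), 2: (2, 3), 3: (2, 3)},
    Oper.ADEQUATE:   {1: (2, 3), 2: (2, 3), 3: (2, 3)},
    Oper.INADEQUATE: {1: (3, 3), 2: (3, 3), 3: (3, 3)},
}

def rate(freq, oper, just_adequate=False, considerable_redundancy=False,
         well_above_minimum=False):
    """Apply steps 3 and 4 of the rating procedure (flag names are assumptions)."""
    # Step 3.3: within OL&C but just adequate is treated as category C.
    if oper is Oper.MIN_OLC and just_adequate:
        oper = Oper.ADEQUATE
    low, high = TABLE_9[oper][freq.value]
    cell = f"{oper.value}{freq.value}"
    if oper is Oper.INADEQUATE:          # row D: "3+"
        return Rating(3, cell, True)
    if low == high:                      # row A: no choice to make
        return Rating(low, cell, False)
    if just_adequate:                    # step 4.1
        return Rating(3, cell, False)
    if cell == "B1":
        if well_above_minimum:           # step 4.3
            return Rating(0, cell, False)
        # step 4.2: lower value only with considerable redundancy/diversity
        return Rating(low if considerable_redundancy else high, cell, False)
    return Rating(low, cell, False)      # B2, B3 and row C: otherwise Level 2
```
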

Beyond design initiators are not included specifically in Table 9. If such an initiator occurs, then an accident may occur, requiring rating based on actual consequences. If not, Level 2 or 3 is appropriate under defence in depth, depending on the redundancy of the systems providing protection.

The occurrence of internal and external hazards such as fires, floods, tsunamis, explosions, hurricanes, tornados or earthquakes, may be rated using Table 9. The hazard itself should not be considered as the initiator (as the hazard may cause either initiators or degradation of safety systems or both), but the safety systems that remain operable should be assessed against an initiator that occurred and/or against potential initiators.