The defence-in-depth concept
The Safety Requirements for Nuclear Power Plants, Section 2 (1), states as follows: "In order to meet the radiological safety objectives, the radioactive materials present in the nuclear power plant shall be multiple confined by technical barriers and/or retention functions, and their radiation shall be sufficiently shielded. The effectiveness of the barriers and retention functions shall be ensured by the fulfilment of fundamental safety functions. A defence-in-depth concept shall be realised that ensures the fulfilment of the fundamental safety functions and the preservation of the barriers and retention functions on several consecutive levels of defence as well as in the case of any internal and external hazards."
This is elaborated in provisions on the various levels of defence, a concept for the multi-level confinement of the radioactive inventory (barrier concept), a concept for the main safety functions, and a concept for protection against internal and external hazards and against emergencies.
Current implementation status
The main provisions of the Safety Requirements for Nuclear Power Plants have already been taken as a basis for the design of the first construction lines. For the design, manufacture and operation of equipment at levels of defence 1 to 4a, the following principles for the promotion of safety apply:
- well-founded increased factors of safety in the design of components, depending on the system’s safety significance,
- preference given to inherently safe-acting mechanisms in the design,
- use of verified materials, manufacturing and testing methods,
- maintenance- and test-friendly design of equipment,
- ergonomic design of the workplaces,
- maintenance of high quality during manufacturing, construction and operation,
- performance of regular in-service inspections,
- monitoring of the state of the plant,
- monitoring strategy to detect operation- and ageing-induced damage,
- analysis and consideration of operating experience, with a focus on safety.
In order to ensure sufficient reliability of equipment at level of defence 3 (safety equipment), the following design principles must be applied:
- redundancy,
- diversity,
- segregation of redundant subsystems,
- physical separation of redundant subsystems,
- safety-oriented system behaviour upon subsystem or plant component malfunctions,
- preference for passive over active safety equipment,
- high availability of acquired auxiliary and supply systems,
- automation (manual activation by shift workers during the first 30 minutes of an accident is not necessary but possible).
These principles have been realised plant-specifically in all German nuclear installations, as far as is technically feasible and reasonable.
The separation of redundancies is realised not only in process engineering, but also in instrumentation and control. Due to the physical or spatial separation of safety-relevant components, any effect on neighbouring redundancies, e.g. in the case of system-inherent failures (e.g. jet forces), flood, fire or external hazards, is precluded. At the component level, the diversity principle is realised, above all, in those areas where the potential for systematic failures (e.g. common cause failures – CCF) is considerable and highly safety-relevant.
The levels of defence are described below, together with the backfitting measures specified to strengthen the defence-in-depth concept.
Level of defence 1:
The objective of level of defence 1 is to ensure normal operation (undisturbed, specified normal operation) and to avoid abnormal operation.
Level of defence 2:
The objective of level of defence 2 is the control of abnormal operation and the avoidance of incidents. The level of defence is characterised by disturbed, specified normal operation.
At the second level of defence, particular importance is attached to the limitation systems that precede the reactor protection system. There are three types of limitation systems that are classified according to task and requirement. In the case of anticipated operational occurrences, the limitations should automatically limit the process variables to defined values in order to increase the availability of the installation (operational limitations) and to maintain initial states for the incidents considered (state limitations). Furthermore, safety variables are brought back to values at which continuation of specified normal operation is permissible (protective limitations). Operational limitations are instrumentation and control systems with increased reliability which are generally comparable with the control systems.
The overall objective is to reach a high degree of automation to relieve power plant personnel of the need to apply short-term measures; other objectives include providing for comprehensive measures to prevent operational disruptions from escalating into incidents, and achieving high tolerance to human error. The requirement for comprehensive, reliable and user-friendly process information systems is intended to ensure that technical support is available for any action taken by personnel. The aim is to enable personnel to perform their safety-related function within the overall system in an optimal manner.
Level of defence 3:
The objective of level of defence 3 is the control of design basis accidents and the prevention of multiple failure of engineered safety features. For this purpose, highly reliable safety systems and the reactor protection system are used.
Level of defence 4a:
The objective of level of defence 4a is the control of events involving an anticipated transient without scram (ATWS).
Level of defence 4b:
The objective of level of defence 4b is the control of events with multiple failure of safety systems to prevent accidents with severe fuel assembly damage.
Here, preventive measures of internal accident management (level of defence 4b) are used to maintain or restore core cooling and transfer the installation into a safe state.
Level of defence 4c:
Subsection 2.1 (3b) of the Safety Requirements for Nuclear Power Plants stipulates that: “On level of defence 4c, mitigative measures of the internal accident management shall be provided for accidents involving severe fuel assembly damages for the purpose of maintaining – by using all available measures and equipment – the integrity of the containment for as long as possible, excluding or limiting releases of radioactive materials into the environment according to subsection 2.5 (1), and achieving a long-term controllable plant state.”
The measures and equipment of internal accident management provided for in level of defence 4b and 4c aim to exclude events that may lead to
- any releases of radioactive materials caused by the early failure or circumvention of the containment vessel, requiring external accident management measures, for the implementation of which insufficient time is available (early release)
- or any releases of radioactive materials into the environs of the plant, requiring wide-area and long-lasting measures of off-site emergency preparedness (major release),
or to limit their radiological consequences to such an extent that off-site emergency preparedness measures will only be required to a limited spatial and temporal extent. The occurrence of an event, an event sequence or a state may be excluded if the occurrence is physically impossible or can be regarded with a high degree of certainty as extremely improbable. For the nuclear installations in operation, the practical exclusion of events with early or large releases is proven by the interaction of plant operation, high reliability of the safety system and comprehensive internal accident management. In relation to accidents involving severe fuel assembly damage, Section 4.4 of the Safety Requirements for Nuclear Power Plants stipulates that for event sequences or plant conditions for which no accident management measures have been planned in advance or the implemented accident management measures prove to be ineffective, recommendations for action must be in place for the emergency team. As part of the National Action Plan, a manual on mitigative emergency measures has been introduced in all German nuclear installations to supplement existing emergency manuals. The strategies and procedures described in these manuals are in accordance with international recommendations pertaining to Severe Accident Management Guidelines (SAMGs).