1.2.2 The "Defence in Depth" concept
The main means of preventing accidents and limiting their potential consequences is "Defence in Depth". It consists in implementing technical or organisational provisions (sometimes called lines of defence) structured in consecutive and independent layers, each capable of halting the development of an accident. If one level of protection fails, the next level takes over. An important element for the independence of the levels of defence is the use of different technologies ("diversified" systems), so that a single fault or design error cannot defeat several levels at once.
The design of nuclear installations is based on a defence in depth approach. Five levels of protection are defined for nuclear reactors:
Level 1: Prevention of abnormal operation and system failures
This means first designing and building the facility in a robust and conservative manner, integrating safety margins and planning from the outset for resistance to its own failures and to hazards. It requires the most exhaustive study possible of normal operating conditions, to determine the severest stresses to which the systems will be subjected; from this an initial design basis for the facility is produced, incorporating safety margins. The facility must then be kept, through appropriate maintenance, in a state at least equivalent to that planned for in its design, and must be operated in an informed and careful manner.
Level 2: Keeping the installation within authorised limits
Regulation and control systems must be designed, installed and operated such that the installation is kept within an operating range well below the safety limits. For example, if the temperature in a system increases, a cooling system starts up before the temperature reaches the authorised limit. Monitoring of the condition and correct operation of these systems forms part of this level of defence.
Level 3: Control of accidents without core meltdown
The aim here is to postulate that certain accidents, chosen for their "envelope" characteristics (the most penalising in a given family), can happen, and to design and size backup systems to withstand those conditions.
Such accidents are generally studied with pessimistic hypotheses, that is to say the various parameters governing the accident are assumed to be as unfavourable as possible. The single-failure criterion is also applied: in the accident situation, the failure of any one component is additionally postulated. As a result, the systems coming into play in the event of an accident (safeguard systems ensuring emergency shutdown, injection of cooling water into the reactor, etc.) comprise at least two redundant and independent channels.
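The single-failure criterion and the channel independence it implies can be checked mechanically: enumerate every component, postulate its failure on top of whatever the initiating accident has already taken out, and verify that at least one channel of the safeguard system is still intact. The following Python is an added illustration, not code from the ASN report; the channel architectures and component names (pumps, valves, power buses) are constructed, and it generalises the two-channel case in the text by also showing why a design that loses one channel to the initiating event itself needs a third.

```python
"""Single-failure criterion check for a safeguard system modelled as
redundant channels.  Constructed example; not from the ASN report.

A channel is a tuple of component names.  The safety function is
available if at least one channel contains no failed component.
"""
from itertools import chain

# Constructed architectures (illustrative names, not a real plant).
INDEPENDENT_TWO_CHANNEL = [
    ("pump_A", "valve_A", "power_bus_A"),
    ("pump_B", "valve_B", "power_bus_B"),
]
# Same pumps and valves, but both channels hang off one power bus.
SHARED_BUS_TWO_CHANNEL = [
    ("pump_A", "valve_A", "power_bus"),
    ("pump_B", "valve_B", "power_bus"),
]
THREE_CHANNEL = INDEPENDENT_TWO_CHANNEL + [
    ("pump_C", "valve_C", "power_bus_C"),
]


def function_available(channels, failed):
    """True if at least one channel has none of its components in `failed`."""
    failed = set(failed)
    return any(not failed.intersection(ch) for ch in channels)


def shared_components(channels):
    """Components used by more than one channel: each one is a breach of
    channel independence (a common-mode point)."""
    count = {}
    for ch in channels:
        for c in set(ch):
            count[c] = count.get(c, 0) + 1
    return sorted(c for c, n in count.items() if n > 1)


def single_failure_violations(channels, initiating_failures=()):
    """Components whose postulated single failure, added to the failures
    already caused by the initiating accident, disables the safety function.
    An empty list means the design meets the single-failure criterion."""
    initiating = set(initiating_failures)
    candidates = set(chain.from_iterable(channels)) - initiating
    return sorted(
        c for c in candidates
        if not function_available(channels, initiating | {c})
    )


def meets_single_failure_criterion(channels, initiating_failures=()):
    """Convenience wrapper: True when no single failure is disabling."""
    return not single_failure_violations(channels, initiating_failures)


if __name__ == "__main__":
    cases = [
        ("independent, 2 channels", INDEPENDENT_TWO_CHANNEL, ()),
        ("shared bus, 2 channels", SHARED_BUS_TWO_CHANNEL, ()),
        # Initiating event already destroys pump_A (e.g. the accident's
        # own consequence): two channels are then not enough.
        ("independent, 2 channels, pump_A lost", INDEPENDENT_TWO_CHANNEL, ("pump_A",)),
        ("independent, 3 channels, pump_A lost", THREE_CHANNEL, ("pump_A",)),
    ]
    for label, channels, initiating in cases:
        print(f"{label}:")
        print(f"  shared components : {shared_components(channels)}")
        print(f"  disabling failures: {single_failure_violations(channels, initiating)}")
        print(f"  criterion met     : {meets_single_failure_criterion(channels, initiating)}")
```

The shared-bus design passes a naive "two channels" count but fails the criterion, because the bus is the one component whose failure empties both channels at once; this is exactly the common-mode coupling that the independence requirement exists to rule out. The third case shows that "two redundant channels" is the minimum only when the initiating accident leaves both intact.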
Level 4: Control of accidents with core meltdown
These accidents have been considered since the Three Mile Island accident (1979) and are now taken into account in the design of new reactors such as the EPR. The aim is to preclude such accidents or, failing that, to design systems that can withstand them.
Level 5: Mitigation of the radiological consequences of significant releases
This requires implementation of the measures provided for in the emergency plans, including measures to protect the general public: sheltering, taking of stable iodine tablets to saturate the thyroid and prevent uptake of released radioactive iodine, evacuation, restrictions on consumption of water and of agricultural products, etc.
THE 5 LEVELS of "Defence in Depth" (figure summary, listed from Level 5 down to Level 1, each with the means that implements it):
Limiting the consequences of discharges: on-site emergency plan
Limiting the consequences of a severe accident: serious accident management
Control of accidents: backup systems, accident procedures
Maintaining within the authorised range: regulation systems, periodic checks
Prevention of anomalies: design, operation
CHAPTER 02:
PRINCIPLES AND STAKEHOLDERS IN THE REGULATION OF NUCLEAR SAFETY AND RADIATION PROTECTION
ASN report on the state of nuclear safety and radiation protection in France in 2015