Language selection

Government of Canada / Gouvernement du Canada

Search

Defence in Depth

Defence in depth is an international nuclear safety concept related to the design and operation of nuclear facilities, and that aims to prevent and mitigate accidents.

The key to defence in depth is the creation of multiple independent layers of defence to be implemented for all facility conditions. This concept applies during all major facility lifecycle stage activities, including operation, maintenance outages and decommissioning. To learn more about these criteria, read the International Atomic Energy Agency’s Defence in Depth in Nuclear Safety web page (external PDF, 2 MB).

Watch this video to see how defence in depth is applied to nuclear power plants.

Transcript (click to expand)

Music: Soft, upbeat music begins.

On screen: (The words “Canadian Nuclear Safety Commission” appear. The Canadian flag pops up above the word “Canadian” in a text bubble. A text bubble showing workers and the words “Nuclear regulator” appears below the word “Commission”. A green shape swirls around the word “Safety” as the other words fade out.)

Narrator: The Canadian Nuclear Safety Commission is Canada’s nuclear regulator, and safety is our top priority.

On screen: (The words “Defence in depth” appear on the screen then disappear to reveal a nuclear plant. The shape of a shield overlays the nuclear plant. The shield disappears and 5 different coloured bubbles animate onto the screen. They begin to move in an orbital path around the nuclear plant.)

Narrator: Defence in depth is a safety concept that aims to prevent and mitigate accidents through 5 independent levels of defence, applied to all nuclear power plants in Canada. Level 1 is about prevention, and encompasses the design, construction, processes and maintenance occurring during normal plant operations.

On screen: (A white ball, labelled Level 1, appears then disappears, revealing a scene of level 1 activities, including workers observing activities, reviewing plans, and using meters outside.)

Narrator: Level 2 represents the measures and systems in place to control and correct any unusual occurrences during normal operations.

On screen: (A white ball, labelled Level 2, appears then disappears, revealing a scene of level 2 activities, including workers inside a nuclear plant reviewing information on computers.)

Narrator: Nuclear power plants operate at these levels for the vast majority of the time, safely and without incident.

On screen: (The picture transitions back to the nuclear plant, with 2 balls orbiting it. Then 3 more balls join the orbit.)

Narrator: The next 3 levels are rarely activated, but are frequently exercised, evaluated, maintained and improved upon.

On screen: (A white ball, labelled Level 3, appears then disappears, revealing a scene of level 3 activities, including workers assessing a situation in front of a white board.)

Narrator: Level 3 refers to the plant’s robust safety systems, designed to stop the progression of an accident.

On screen: (A white ball, labelled Level 4, appears then disappears, revealing a scene of level 4 activities, including workers conducting repairs.)

Narrator: Level 4 works to contain radioactive material within a specially designed containment structure.

On screen: (A white ball, labelled Level 5, appears then disappears, revealing a scene of level 5 activities, including various professionals working together at a distance from the nuclear plant.)

Narrator: Level 5 enlists comprehensive off-site emergency response to minimize consequences to the public and the environment.

On screen: (The picture changes to a bubble, which gets smaller and swings into orbit with the 4 other bubbles. The bubbles disappear into the nuclear plant.)

Narrator: With this reactor design, each level of protection is tough. The multiple levels of defence are built in to reinforce, defend and maintain the protection of the public and the environment.

On screen: (The plant stands alone. Nature and civilization begin to flourish around the nuclear plant and in the distance. The CNSC wordmark appears, made up of the Canadian flag symbol and the words “Canadian Nuclear Safety Commission”. The Canada wordmark then appears.)

Music: The music fades out.

On this page

The CNSC’s regulatory framework

Each of the defence levels in the CNSC’s regulatory framework are described below. The information presented is consistent with the IAEA International Nuclear Safety Advisory Group report INSAG-10, Defence in Depth in Nuclear Safety, (external PDF, 2 MB)

Five layers of defence

Nuclear facilities in Canada operate with 5 independent layers of defence in depth.

The following information is adapted from REGDOC-3.5.3, Regulatory Fundamentals.

Level 1 – Prevention of abnormal operation and failures

The first layer of defence encompasses items within the facility itself. The objective is to prevent any change from normal operation, and to prevent failures of structures, systems and components (SSCs) important to safety.

Implementation of Level 1 defence in depth includes the following:

  • Conservative design
  • High-quality materials, manufacturing and construction
  • Suitable site chosen for the plant with consideration of all external hazards
  • Qualification of personnel and training to increase competence
  • Healthy safety culture
  • Operation and maintenance of SSCs in accordance with the safety case

Level 2 – Control of abnormal operation and detection of failures

The second layer of defence deals with detecting incidents and failures. The objective is to detect and intercept any change from normal operation, to prevent failures from escalating to accidents, and to return the plant to a normal state.

Implementation of Level 2 defence in depth includes the following:

  • Inherent and engineered design features to minimize or exclude uncontrolled reactivity, and system temperature and pressure changes to the extent possible and to return the plant to a state of normal operation after any deviations
  • Monitoring systems to identify any change from normal operation
  • Staff training to respond to changes from normal operation, if/when they occur

Level 3 – Control of accidents within the design basis

The third layer aims to control and minimize the consequences of unlikely accidents. The objective is to control accidents within the design parameters, minimize the consequences of accidents and prevent escalation to severe accidents.

Operations at this level are meant to maintain barriers and containment through sophisticated safety systems at the facility level.

Implementation of Level 3 defence in depth includes the following:

  • Inherent safety features, fail-safe design, engineered design features, procedures that minimize design basis accident consequences, redundancy, diversity, segregation, physical separation, independent safety system channels, and protection against single-point failures
  • Instrumentation suitable for accident conditions
  • Design basis accidents guidance to manage accidents and mitigate their consequences as much as possible
  • Staff training for accident response

Level 4 – Control of severe plant conditions

With the defence in depth approach, measures taken at the first 3 levels ensure the structural integrity of the core and limit severity of accidents.

The objective is to control severe plant conditions, to mitigate consequences of severe accidents and to ensure that radioactive releases are kept as low as possible.

Implementation of Level 4 defence in depth includes the following aspects:

  • Guidance to manage accidents and mitigate their consequences as much as possible
  • Strong containment design that includes features to address containment challenges (e.g., filtered venting, hydrogen combustion, overpressure protection, core concrete interactions, molten core spreading and cooling)
  • Complementary design features to prevent accident progression and to mitigate the consequences
  • Features to mitigate radiological releases (e.g., filtered vents)
  • Staff training in accident response

Level 5 – Mitigation of radiological consequences

The fifth layer aims to mitigate consequences of a radiological release, in the highly unlikely event of a severe accident not controlled through the preceding layers. Here, the focus is on comprehensive offsite emergency planning, training and response to address protective actions, interventions and coordination to protect the public and the environment. As with all onsite safety features of operating nuclear facilities in Canada, offsite emergency preparedness must also be exercised regularly. Stringent measures, controls and regulatory oversight are in place to ensure that there is a very low probability of approaching level 5.

Implementation of Level 5 defence in depth includes the following aspects:

  • Emergency support facilities, established exclusion zone and onsite and offsite emergency response plans and provisions
  • Staff training on emergency preparedness and response

New approaches to defence in depth

A robust reactor facility design, and qualified operators supported by an effective management system is required to meet the safety objectives of all 5 levels of defence in depth. This is to prevent uncontrolled releases of radioactive materials to the environment.

The levels of defence in depth are expected to be independent to the extent achievable.

New reactor technology vendors place greater emphasis on passive features (see levels 1 and 2 above) to support accident mitigation (see levels 3, 4 and 5 above), and reduced emphasis (or reliance) on levels 4 and 5.

Applicants and vendors claim that stronger preventative measures (see levels 1 and 2 above) reduce the probability of accidents that would result in significant consequences and minimize the consequences of accidents that may occur.

To support their submissions, applicants/licensees are required to demonstrate that the regulatory requirements are met, including strong defence in depth so that there is no unreasonable risk through the lifecycle of the facility.

For additional information on the application of defence in depth to small modular reactor facilities, read the Application of the Principle of Defence in Depth in Nuclear Safety to Small Modular Reactors | IAEA (PDF, 1 MB).

Suitable evidence

Demonstration of adequate defence in depth includes consideration of:

  • reactor characteristics
  • location
  • external hazards that can breach multiple levels of defence in depth simultaneously
  • common-cause / mode failures that cross-reference with other levels
  • proven-ness of design tools

Suitable evidence supporting demonstration of defence in depth adequacy may include:

  • results of research and development
  • computer modelling
  • consideration of operating experience

Evaluating defence in depth

The overlapping safety measures of defence in depth must be periodically exercised, evaluated, and improved upon. The CNSC has inspectors onsite at every nuclear power plant operating in Canada with the sole purpose of verifying that plant operators demonstrate compliance with safety standards.

Diagram of defence in depth

The diagram below depicts how defence in depth levels are integrated into the overall safety approach for a facility. It includes oversight over: design, construction, operation, and interfaces with key external stakeholders who are part of offsite response plans.

How levels of defence in depth ensure integrated and overlapping safety provisions

The information below is adapted from REGDOC-2.10.1, Nuclear Emergency Preparedness and Response and REGDOC-2.3.2, Accident Management.

This diagram consists of a grid that is roughly aligned by plant state. For each Plant State, the Objective, Strategy, Level of Defence in Depth, Objective, Means of Control, Analysis, Procedures and Response options are listed.
Text Version

This diagram consists of a grid that is roughly aligned by plant state. For each Plant State, the Objective, Strategy, Level of Defence in Depth, Objective, Means of Control, Analysis, Procedures and Response options are listed.

For the plant state of "Normal Operation":

  • the Objective is "Prevention of deviation from normal"
  • the Strategy is "prevention"
  • the Defence in depth is "Level 1"
  • the Means of control are "Process systems"
  • the Analysis is "Design analyses"
  • the Procedures are "Operation manuals"
  • the Response includes "Normal operating systems", "Human and organizational performance", and "Main Control room or secondary control room"

For the plant state of "Anticipated operational occurrences":

  • the Objective is "Control of abnormal operation"
  • the Strategy is "Prevention"
  • the Defence in depth is "Level 2"
  • the Means of control include "Process systems", and "Control & protection systems"
  • the Analysis is "Deterministic safety analyses"
  • the Procedures include "Operation manuals" and "Emergency operating procedures"
  • the Response includes "Normal operating systems", "Human and organizational performance", and "Main Control room or secondary control room"
  • may utilize Accident Management

For the plant state of "Design basis accidents":

  • the Objective is "Control of accidents within design limits"
  • the Strategy is "Prevention" and "Mitigation"
  • the Defence in depth is "Level 3"
  • the Means of control include "Process systems", "Control & protection systems", and "Engineered safety systems & operator actions"
  • the Analysis includes "Deterministic safety analyses" and "Probabilistic analyses"
  • the Procedures include "Emergency operating procedures", and "Emergency response plans & procedures"
  • the Response includes "Human and organizational performance", "Main Control room or secondary control room", "Onsite emergency response actions", "onsite technical support / onsite emergency support", and "Engineered safety features"
  • utilizes Accident Management and the Emergency Preparedness

For the plant state of "Beyond design basis accidents - no or limited core damage":

  • the Objective is "Control of core damage to avoid severe accident"
  • the Strategy is "Prevention" and "Mitigation"
  • the Defence in depth is "Level 4"
  • the Means of control include "Process systems", "Control & protection systems", "Engineered safety systems & operator actions", and "Complementary design features"
  • the Analysis includes "Deterministic safety analyses" and "Probabilistic analyses"
  • the Procedures include "Emergency operating procedures", and "Emergency response plans & procedures"
  • the Response includes "Human and organizational performance", "Main Control room or secondary control room", "Onsite emergency reponse actions", "onsite technical support / onsite emergency support", "Offsite emergency support", "Engineered safety features", and "Containment & design features"
  • utilizes Accident Management and the Emergency Preparedness

For the plant state of "Beyond design basis accidents - severe accidents":

  • the Objective is "Mitigation to confine radioactive materials"
  • the Strategy is "Mitigation"
  • the Defence in depth is "Level 4" or "Level 5"
  • the Means of control includes "Process systems", "Control & protection systems", "Engineered safety systems & operator actions", and "Complementary design features"
  • the Analysis includes "Deterministic safety analyses" and "Probabilistic analyses"
  • the Procedures are "Severe accident management guidelines",
  • the Response includes "Human and organizational performance", "Main Control room or secondary control room", "Onsite emergency response actions", "onsite technical support / onsite emergency support", "Containment & design features", "Offsite emergency support", and "Offsite emergency response actions"
  • utilizes Accident Management and the Emergency Preparedness

For the plant state of "Post accident":

  • the Objective is "Mitigation of radiological consequences"
  • the Strategy is "Mitigation"
  • the Defence in depth is "Level 4" or "Level 5"
  • the Means of control is "Offsite monitoring & protection"
  • the Analysis includes "Probabilistic analyses"
  • the Procedures are "Severe accident management guidelines"
  • the Response includes "Human and organizational performance", "Main Control room or secondary control room", "Onsite emergency response actions", "Onsite technical support / onsite emergency support", "Offsite emergency support", and "Offsite emergency response actions"
  • utilizes Accident Management and the Emergency Preparedness

Related links

Page details

Date modified: