Nuclear, O&M, Reactors

Lines of Defense

Issue 9 and Volume 120.

By Brian Schimmoller, Contributing Editor

I’ve subscribed to the NRC Blog for several years now, and I have to say that the agency does a great job selecting interesting topics and explaining them using simple language – while simultaneously reinforcing the NRC’s independent oversight role.

A two-part July post on defense-in-depth got me thinking about nuclear plant safety and how it’s perceived relative to personal security. A prerequisite for such a thought exercise is accepting that the only thing that is perfectly safe in this world is the thing that is never invented or used. Some level of risk – and potential threat to safety – is inherent to any application of technology. For nuclear plants, lines of defense can be implemented to reduce the risks and/or minimize the effects of a technological mishap; in other words, defense-in-depth encompasses both accident prevention and accident mitigation.

The NRC Blog post refers readers to a report that explores the evolution of defense-in-depth over the past 50+ years: Historical Review and Observations of Defense-in-Depth (NUREG/KM-0009). The report identifies a distinct shift in thinking over time. For the first 30 years of commercial nuclear power, defense-in-depth reflected a deterministic perspective – basically designing our way to safety through multiple barriers that provided diversity and redundancy to address postulated accident scenarios. In the 1990s, risk analysis and an evolving risk-informed regulatory framework recast defense-in-depth in terms of uncertainty. From this “rationalist” perspective, defense-in-depth represents the sum of provisions made to compensate for inadequacies and uncertainties regarding plant behavior in accident situations.

The yin and yang of the deterministic perspective versus the rationalist perspective continues to evolve. More recent treatments of defense-in-depth blend the two perspectives. The NRC defines defense-in-depth as: “An approach to designing and operating nuclear facilities that prevents and mitigates accidents that release radiation or hazardous materials. The key is creating multiple independent and redundant layers of defense to compensate for potential human and mechanical failures so that no single layer, no matter how robust, is exclusively relied upon…”

Interestingly, in 2012, the NRC pointed out some shortcomings with respect to defense-in-depth, noting that “after decades of use, no clear definition or criteria exist on how to define adequate defense-in-depth protections; that the concept of defense-in-depth is not used consistently, and there is no guidance on how much defense-in-depth is sufficient…” [A Proposed Risk Management Regulatory Framework, NUREG-2150].

So where does that leave us? While recognizing the lack of a perfect understanding of defense-in-depth, NRC by no means disavows its importance, reiterating that defense-in-depth is a basic element of its overall safety philosophy. We may not know everything, but by designing as best we can, by recognizing and accounting for uncertainties – and then adjusting for these uncertainties through design changes, operational procedure modifications, emergency planning capabilities, etc. – we are as prepared as possible to prevent and mitigate accidents.

So does the same defense-in-depth perspective hold true for personal safety and security? Let’s look at two everyday examples: vehicles and the internet.

For vehicles, there is clearly some defense-in-depth at play. Our cars are increasingly designed with accident prevention and mitigation in mind, considering everything from antilock brakes and backup cameras to seatbelts, airbags, and bumpers. We’ve even begun factoring uncertainties into vehicle operational safety: collision detection systems, for example, help reduce risks associated with inattentive drivers or overly aggressive drivers. However, until we restrict vehicle speed based on terrain, tire condition, weather, pavement, traffic, etc., we can’t say we’re fully accounting for uncertainties and embracing defense-in-depth.

For the internet, there also is some defense-in-depth involved, but implementation is much less rigorous and more user-dependent. Passwords are notoriously weak and most applications only have protection that’s one level deep, limiting the extent of accident prevention. While there is a degree of accident mitigation, such as limited liability if credit card information is stolen, the immediate economic impacts are often the least of your troubles. And while experts routinely emphasize the uncertainties associated with protection devices such as anti-virus software (warning everyone that they can’t catch everything), the bad guys are usually a step ahead. Yet many of us still are not in the habit of performing regular backups. In the meantime, I’m going to go back up my hard drive.

At the end of the day, I’m comfortable with the defense-in-depth applied to nuclear plant design and operation. It may not be perfect, but it is subjected to thoughtful scrutiny that drives continuous improvement.