Defense in depth
The concept of “defense in depth” involves ensuring the effectiveness of the protective barriers by identifying the threats to their integrity and by providing successive lines of defence to protect them from failure:
• first level: implementation of a safe design, high quality of construction and safe and reliable operation incorporating lessons from experience feedback in order to prevent occurrence of failures;
• second level: means of surveillance for detecting anomalies that could lead to a departure from normal operating conditions, in order to anticipate failures or to detect and intercept deviations from normal operational states in order to prevent anticipated operational occurences from escalading to accident conditions.
The most important of this level is the one that automatically shuts down the reactor by insertion of the control rods into the core which stops the nuclear chain reaction in a few seconds;
• third level: means of action for mitigating the consequences of failures and preventing core melt down.
This level includes use of diverse and redundant systems to automatically bring the reactor to a safe shutdown state.
In addition, a set of safety systems, which also have redundancy, are provided to ensure containment of radioactive products;
• beyond, to further extend the defense in depth approach a failure of all three levels is postulated, resulting in a “severe accident” situation. Means are provided to minimise the consequences of such a situation.
Applying the defense in depth concept leads to the functions of core power and cooling control being protected by multiple redundant systems: fourfold redundancy is used in the EPR™ technology.
Safety functions are ensured by diversified means to minimize the risk of common mode failure.