Defense in Depth
Defense in depth as an approach to facility safety has extensive precedent in nuclear safety
philosophy. It builds in layers of defense against release of hazardous materials so that no
one layer by itself, no matter how good, is completely relied upon. To compensate for
potential human and mechanical failures, defense in depth is based on several layers of
protection with successive barriers to prevent the release of hazardous material to the
environment. This approach includes protection of the barriers to avert damage to the
plant and to the barriers themselves. It includes further measures to protect the public,
workers, and the environment from harm in case these barriers are not fully effective.
The defense-in-depth philosophy is a fundamental approach to hazard control for
nonreactor nuclear facilities even though they do not possess the catastrophic accident
potential associated with nuclear power plants. In keeping with the graded-approach
concept, no requirement to demonstrate a generic, minimum number of layers of defense in
depth is imposed. However, defining defense in depth as it exists at a given facility is
crucial for determining a safety basis. Operators of DOE facilities need to use the
rigorous application of defense-in-depth thinking in their designs and operations. Such
an approach is representative of industrial operations with an effective commitment to
public and worker safety and the minimization of environmental releases.
For high hazard operations, there are typically multiple layers of defense in depth. The
inner layer of defense in depth relies upon a high level of design quality so that important
systems, structures, and components will perform their required functions with high
reliability and high tolerance against degradation. The inner layer also relies on
competent operating personnel who are well trained in operations and maintenance
procedures. Competent personnel translate into fewer malfunctions, failures, or errors
and, thus, minimize challenges to the next layer of defense.
In the event that the inner layer of defense in depth is compromised from either equipment
malfunction (from whatever cause) or operator error and there is a progression from the
normal to an abnormal range of operation, the next layer of defense in depth is relied upon.
It can consist of: (1) automatic systems; or (2) means to alert the operator to take action or
manually activate systems that correct the abnormal situation and halt the progression of
events toward a serious accident.
Mitigation of the consequences of accidents is provided in the outer layer of defense in
depth. Passive, automatically or manually activated features (e.g., containment) or
programs (i.e., emergency response) minimize consequences in the event that all other
layers have been breached. The contribution of emergency response actions to
minimizing consequences of a given accident cannot be neglected as they represent a
truly final measure of protection for releases that cannot be prevented.
Structures, systems, or components that are major contributors to defense in depth are
designated as safety-significant SSCs. Additionally, this Standard provides guidance on
grading the safety management programs (e.g., radiation protection, hazardous material
protection, maintenance, procedures, training) that a facility must commit to compliance
in order to establish an adequate safety basis. The discipline imposed by safety