
Annals of Nuclear Energy 178 (2022) 109353

Contents lists available at ScienceDirect

Annals of Nuclear Energy


journal homepage: www.elsevier.com/locate/anucene

An overall safety concept for nuclear power plants


Juhani Hyvärinen a, Juhani Vihavainen a, Marja Ylönen b,*, Janne Valkonen c
a Lappeenranta University of Technology, Finland
b University of Stavanger, Norway and Technical Research Centre of Finland, VTT, Finland
c Platom Oy, Finland

ARTICLE INFO

Keywords: Nuclear safety; Defence-in-depth; Overall safety; Safety system design; Institutional strength-in-depth; Sociotechnical systems view

ABSTRACT

A comprehensive understanding of the “safety” of nuclear reactors is essential for effective and efficient safety management by licensees and regulation by authorities. Nuclear reactors are designed subject to incomplete knowledge of factors that affect their safety. The idea of defence-in-depth has evolved to combat the threat of the unknown; it is implemented by means of technical artefacts, leading to a complex set of technical safety requirements to prevent accidental radioactive releases. Nuclear power plants have thus become systems of technical systems. Similarly, significant human and organizational aspects are involved in nuclear power plant construction and operation; a nuclear power plant is an organization of organizations. Earlier studies have identified the need for holistic understanding of safety and accounting for the technical and organizational aspects simultaneously (Harvey and Stanton, 2014). This paper seeks to clarify the concept of defence-in-depth using the Overall Safety Concept (ORSAC) developed at LUT (Hyvärinen et al., 2016), and the sociotechnical systems view in the nuclear power industry context, extending defence-in-depth thinking to the organizational context in one transparent framework. We show how organizational and technical aspects affect each other in the operation of nuclear power plants. This paper paves the way for systematic modelling of how technical and organizational aspects affect each other.

* Corresponding author.
E-mail address: Marja.k.ylonen@uis.no (M. Ylönen).

https://doi.org/10.1016/j.anucene.2022.109353
Received 14 January 2022; Received in revised form 3 July 2022; Accepted 25 July 2022
Available online 31 July 2022
0306-4549/© 2022 Elsevier Ltd. All rights reserved.

Abbreviations

US EPR system definitions. Some common abbreviations apply to NuScale as well.

AOO-DBA Anticipated Operational Occurrence – Design Basis Accident
CCWS Component Cooling Water System
CGCS Combustible Gas Control System
CHF Critical Heat Flux
CIS Containment Isolation System
CMSS Core Melt Stabilization System
CVCS Chemical and Volume Control System
CWS Circulating Water System
DiD Defense in Depth
EBS Extra Borating System
EFWS Emergency Feedwater System
EFQM European Foundation for Quality Management
ESWS Essential Service Water System
IAEA International Atomic Energy Agency
INSAG International Nuclear Safety Group
IRWST In-containment Refueling Water Storage Tank
ISiD Institutional Strength-in-Depth
LHSI Low Head Safety Injection
LWR Light Water Reactor
MFWS Main Feedwater System
MHSI Medium Head Safety Injection
MSRT Main Steam Relief Train
MSSS Main Steam Supply System
NGO Non-governmental organisation
NUREG US Nuclear Regulatory Commission Regulation
ORSAC Overall Safety Concept
PDS Primary Depressurization System
PRT Pressurizer Relief Tank
PSRV Pressurizer Safety Relief Valves
RCB Reactor Containment Building
RCCA Rod Cluster Control Assembly
RCPB Reactor Coolant Pressure Boundary
RHRS Residual Heat Removal System
RPV Reactor Pressure Vessel
SAHRS Severe Accident Heat Removal System
SAM Severe Accident Management
SG Steam Generator
SoS System of Systems thinking
STS Sociotechnical systems view
UHS Ultimate Heat Sink
U.S NRC United States Nuclear Regulatory Commission
WANO World Association of Nuclear Operators
WENRA Western European Nuclear Regulators Association

NuScale systems, additional list

CFDS Containment Flooding and Drain System
CIV Containment Isolation Valves
CNV Containment Vessel
CRA Control Rod Assembly
DHRS Decay Heat Removal System
ECCS Emergency Core Cooling System
RCCWS Reactor Component Cooling Water System
RSV Reactor Recirculation Valve
SCWS Site Cooling Water System

1. Introduction

Safety is usually approached in the nuclear industry via a variety of technical safety analyses, such as deterministic safety analyses, analyses of material integrity, probabilistic safety analyses, or organization-related analyses such as audits of a safety management system or assessments of safety culture. In the nuclear industry, the terms “safe” and “safety” are understood as relative, not as absolute. Engineers and scientists involved in material world processes well understand that it is not possible to achieve “absolute” safety in the sense that unwanted events (accidents) could be rendered completely absent. Therefore, in this paper, “safe” and “safety” are to be understood as “producing acceptably low risk”, where “risk” is understood as the product of value lost and likelihood of the event, and “acceptable” is understood as “not explicitly challenged by the stakeholders”. (For an interesting discussion of various senses of “safe”, and its potential to be used inconsistently, see Hansson, 2012.)

The Society for Risk Analysis defines safety as: “safety as antonym of risk (the safety level is linked to the risk level; a high safety means a low risk and vice versa)” (The Society for Risk Analysis (SRA), 2018). However, Hollnagel (2017) has referred to the paradox of safety. By that he means that safety is approached from its negation, from the perspective of risk and what can go wrong, instead of from the perspective of what goes well. He admits, though, that those two approaches to safety are complementary.

Furthermore, accident investigations, in particular, have shown that accidents are results of both technical and organizational factors and that it is difficult to separate them (Harvey and Stanton, 2014; Leveson, 2004). This interconnectedness of technical and organizational factors in accident analysis has given rise to a need for a holistic, systemic, sociotechnical understanding of nuclear safety that this paper represents (Dekker et al., 2011; Harvey and Stanton, 2014; Leveson, 2012). Similarly, designing, licensing, and constructing a nuclear power plant is a huge undertaking in which various stakeholders (designers, suppliers, manufacturers, end-users, regulators, etc.) exchange large amounts of information on many levels of detail. The vast amount of detail involved seems to obscure the overall goals of achieving safe and economic plants in the minds of the many stakeholders involved.

As an example, two well-known nuclear power plant projects, in Finland (Olkiluoto 3) and in France (Flamanville 3), have been significantly delayed due to such issues. Generally speaking, advances in technology, more stringent safety requirements, more complex tools for designers, and the large number of suppliers with their sub-suppliers are among the reasons cited for the ever increasing complexity of projects. A huge amount of documentation is produced, from which the “big picture” of the plants’ safety is difficult to discern. This is one reason for investigating overall safety and seeking means to tackle the challenge of complexity and the volume of information.

There is no consensus yet about the definition of an overall safety concept. Instead, a wealth of safety principles exists in the nuclear field, such as the principles of defence-in-depth, safety culture, and resilience. Methods such as deterministic safety analyses, probabilistic risk (or safety) analyses, and failure mode and effects analyses are used to verify that concepts such as safety functions, safety margins, conservatism, single-failure criterion, and fail-safes are implemented, justifying the fulfilment of stated safety goals (whether this on the most rudimentary level refers to acceptance criteria for design parameters, or on the highest level means protection targets for the general population). In passing, we note that regulators often avoid explicit assessment of whether a design, plant or activity is “safe”; rather, they prefer to conclude that the item “complies with applicable regulations”. This is an implicit endorsement of the relativity of all engineered safety.

All these principles, concepts and methods can be used as a basis for overall safety thinking. Often there is confusion as to which principles, concepts and methods are fundamental and which are not. Sometimes one principle can be expanded to cover other principles, thus becoming an overarching principle (Leveson, 2012); the best example being the idea of defence-in-depth, which has recently been expanded to institutions (synonymous with organizations) (INSAG-27, 2017; Ylönen et al., 2017).

Furthermore, theories on complexity, sociotechnical systems (STS), as well as system of systems (SoS) have provided theoretical and conceptual incentives to approach safety from a holistic perspective (Emery et al., 1960; Harvey and Stanton, 2014; Dekker et al., 2011; Ylönen et al., 2017; Aven and Ylönen, 2018). When we describe a sociotechnical systems view, we refer to the interconnectedness and complexity of social and technical systems (Leveson, 2004; Kleiner et al., 2015).

In this paper, we propose to integrate the many aspects of nuclear safety in a comprehensive but transparent framework of overall safety. The development starts from the fundamental principle of defence-in-depth, as used in the functional and structural interpretations of nuclear safety design. We propose a framework in which all the relevant concepts can be organized so that their roles and interrelations are clear. Then we proceed to consider the nuclear community as an organization of organizations and discuss the concept of institutional strength-in-depth. Finally, we discuss overall safety from the perspective of sociotechnical systems.

After the introduction, Chapter 2 discusses defence-in-depth, which is a fundamental concept in nuclear safety. In Appendix 1, we give a brief history of the evolution of the concept. Chapter 2 describes current interpretations of the defence-in-depth approach as (1) structural and (2) functional design philosophy. We also seek to clarify the roles of safety margins, which we consider as a metric for the confidence that a given (usually structural) barrier will withstand its design loads, and system design requirements regarding redundancy, diversity and physical separation, and fail-safe design, which we consider to be properties that affect the reliability of safety functions. Chapter 2 concludes with a proposal for a framework to graphically illustrate the interrelation of the defence-in-depth levels, safety functions, and their design criteria.

In Chapter 3, we apply the model to actual reactor designs, showing that the degrees of independence between defence lines can vary a great deal. This sheds light on where real independence can be meaningfully gained, and thereby helps to focus design and regulation development efforts where actual benefits are obtainable. We then proceed to expand the discussion from technical safety to organizational safety. A nuclear


power plant can be viewed as a technical system of systems; analogously, the organizations involved in its construction and later operation interact with each other, constituting an organization of organizations. We also deal with the concept of institutional strength-in-depth, which is a relatively novel conceptualization of the robustness of national nuclear communities in terms of safety. Then, in Section 3.4, we deal with the socio-technical systems view and system of systems thinking and discuss the requirements that these concepts set on the further development of the overall safety framework.

Finally, Chapter 4 discusses the significance of our main findings, and Chapter 5 provides a brief summary of the main points of this paper.

2. Defence-in-depth as conceptual framework

This chapter describes defence-in-depth as defined in the nuclear safety related international literature, with an emphasis on the latest IAEA top-level safety guidance, INSAG-12, published in 1999 (INSAG, 1999). This is the first revision of the classic 75-INSAG-3 (1988). By the time of INSAG-12, the defence-in-depth level definitions in the IAEA INSAGs had stabilized, indicating that the (technical) concept for functional levels had matured. The latest IAEA safety system design guidance, SSR-2/1 Rev. 1 (2016), also follows this definition.

Noteworthy features of the INSAG-12 defence-in-depth definition (INSAG, 1999; Section 3.2) are the following:

1. Defence-in-depth “underlies the safety technology of nuclear power”, but additionally it is clearly recognized as relevant for organizational aspects as well (§44).
2. The operative definition of defence-in-depth is in terms of “several levels of protection” which include “successive barriers” preventing the release of radioactivity. Protection of barriers and “further measures to protect the public and environment” are foreseen in case the barriers are not fully effective (§46).
3. The barriers are primarily physical and “may serve operational and safety purposes, or may serve safety purposes only” (§48).
4. Functional defence-in-depth is presented as “The strategy for defence in depth is twofold: first, to prevent accidents and second, if prevention fails, to limit the potential consequences of accidents and to prevent their evolution to more serious conditions”, which is structured in five levels, four directly pertaining to plant technology, the fifth focusing on off-site measures.
5. Treatment of the organizational aspect is rather more sketchy, as is obvious in §50: “Human aspects of defence in depth are brought into play to protect the integrity of the barriers, such as quality assurance, administrative controls, safety reviews, independent regulation, operating limits, personnel qualification and training, and safety culture”; nevertheless the independent layers of performers, verifiers/reviewers and independent regulators are clearly recognisable.
6. The design of barriers and safety systems involves three elements (§50): “…prevent undue challenges to integrity of physical barriers, … prevent the failure of a barrier if it is jeopardized, … prevent consequential damage of multiple barriers in series”; this chain implicitly raises the notion of safety margin as the measure of how close to failure the challenge brings the barrier.
7. For safety systems, “to the extent practicable … the different safety systems … are functionally independent under accident conditions” (§50).

In Section 2.1, we discuss in more detail:

• The structural interpretation of defence-in-depth concerning the barriers.
• The concept of safety margin in relation to the integrity of the barriers.
• The functional interpretation of defence-in-depth concerning the defence levels. Note that a defence-in-depth level is not equal to a safety function. Safety functions are implemented on multiple (often all) levels.
• The role of redundancy, diversity, physical separation, and fail-safe design as means to increase the reliability of the safety function implementations.

Finally, we propose that the defence-in-depth levels and fundamental safety functions be organized as a matrix framework, upon which any particular plant safety architecture can be overlaid. This matrix framework was first proposed in the ORSAC study (Hyvärinen et al., 2016) and is therefore called the ORSAC framework.

2.1. Structural and functional interpretations

The ideal structural interpretation of the defence-in-depth approach, with three fundamental barriers (fuel cladding, reactor system and containment structure), is illustrated in Fig. 1 below. The fuel matrix and the physical distance between the plant and the population are also included, although they can be considered less fundamental than the fuel cladding, the reactor system and the containment structure.

In reality, physical mechanisms that can damage the fuel cladding also involve damage to the fuel matrix (e.g. pellet cracking and swelling, causing pellet-cladding mechanical interaction); parts of the reactor system either penetrate the containment structure (e.g. let-down and makeup systems in PWRs; reactor water clean-up and standby cooling systems in BWRs), or form part of the containment pressure boundary (steam generator tubes in PWRs). Therefore, the physical barriers cannot be completely independent of each other.

In the structuralist view, barrier integrity is the item of most interest. In order to design the barriers, the physical loads used in dimensioning, in addition to the associated acceptance criteria and desired safety margins, have been specified. This is illustrated in Fig. 2.

In practice, for every barrier many different challenging loads can be identified (postulated), and also many barrier failure modes. For design purposes, loads are typically divided according to their likelihood of occurrence into categories such as normal, transient, and accident loads. For example, the fuel cladding in normal operation is subject to corrosive loads on both inside and outside surfaces. The cladding temperature in normal operation is not a limiting factor. In transient conditions, dramatic cladding overheating due to exceeding the critical heat flux must be avoided. In accident situations, the cladding temperature becomes the variable of main interest, because it controls both the rate of corrosion in accident conditions and the mechanical strength of the ductile cladding material. Therefore, the relative significance of

Fig. 1. The idealistic notion of the structural physical barriers to prevent radioactive release.


Fig. 2. The design of a barrier involves specification of loads and safety margins against relevant acceptance criteria. It also recognizes that even a properly designed
barrier may still fail to contain the load, therefore mitigation against barrier failure must be provided. For example, fuel overheating in an accident could damage a
small fraction of fuel rods, even when the peak cladding temperature remains below statutory limits.

physically different loads varies depending on the initiating event of interest.

2.1.1. Role of safety margins against barrier failure

As described in the NEA Safety Margins Action Plan (SMAP) report (NEA, 2007), safety margins were traditionally understood to have been introduced in recognition of the fact that uncertainty exists concerning the safety variable value at which damage occurs. By setting the regulatory acceptance limit “conservatively” with respect to the point of damage onset (i.e. the limit being less than the damage threshold), a sufficient margin should be assured in design basis accidents. It should be noted that the safety margin concept applies explicitly to either barrier or system losses. Therefore, in a complex facility, such as a nuclear power plant, there will be as many safety margins as there are barriers or systems whose loss is considered to be a safety problem.

Furthermore, for each barrier or system, a separate safety margin will exist for each damage mechanism that could lead to the loss of the barrier or system. Therefore, this definition requires a clear identification of the safety variables, and of how they relate to barrier or system function losses.

A traditional safety margin has been illustrated well in IAEA TECDOC-1791 (IAEA, 2016), p. 39, shown here in Fig. 3. In the topmost box, “value of parameters that can produce a cliff-edge effect” can be interpreted as “barrier failure”, the barrier failure representing falling off the cliff.

In reality, the knowledge of both the barrier capability and the load is subject to uncertainty. If plenty of data is available on both, then one can estimate the safety margin as a margin to damage. This is illustrated in Fig. 4.

As shown in Fig. 4, barrier failure is statistically possible even when the median load is much lower than the median capability. This is, of course, well known and is manifested in design criteria such as the 95/95 criterion for exceeding a critical heat flux (CHF) in anticipated operational occurrences (there must be a 95 % degree of confidence that 95 % of the fuel rods do not undergo a CHF).

The notion of “conservatism” refers to either the load being artificially exaggerated or the capability artificially reduced to cover (stochastic) uncertainty in either, or both. Structural defence-in-depth concerns the presence of successive barriers, not their strengths relative to the loads (or each other). Therefore, we suggest that adding or removing conservatism in the barrier design will not affect the defence in depth; it only changes the confidence that the barrier can withstand its design load.

We also note in passing that such statistical (stochastic, aleatory) uncertainty about the parameter values is by no means the only significant source of uncertainty. Much more interesting and challenging is the epistemic uncertainty, that is, sheer lack of knowledge that would have been relevant, e.g. unidentified failure mechanisms or physical processes that have escaped attention (Hyvärinen, 1993; Hyvärinen, 1996; Vihavainen, 2014). Defence-in-depth philosophy was developed specifically to address the lack of thorough knowledge of mechanisms that could cause some of the physical barriers to fail.

2.1.2. Functional interpretation

Following the principles of INSAG-12, the IAEA has defined the functional levels of defence-in-depth in the Specific Safety Requirements-2/1 Rev 1 (Fig. 5) (IAEA, 2016). There are two main levels: (1) “Operational states”, which consist of “Normal operation” and “Anticipated operational occurrences”; (2) “Accident conditions”, which are divided into “Design basis accidents” and “Design extension conditions”,

Fig. 3. IAEA TECDOC-1791 (IAEA, 2016), p. 39, view of a safety margin.
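The Fig. 4 picture of Section 2.1.1 worked through in numbers, as an added example that is not from the paper: load and barrier capability are taken as independent normal variables (a modelling assumption of this example, not a statement of the paper), the probability that the load exceeds the capability is computed analytically and checked by Monte Carlo, “conservatism” is shown as an exaggerated load that forces a stronger barrier without changing the number of barriers, and the sample size behind a 95/95 statement is obtained with the first-order Wilks formula. All temperatures below are constructed values.

```python
import math
import random

# Added example, not from the paper: the Fig. 4 picture in numbers. Load and
# barrier capability are modelled as independent normal variables with medians
# A and B (an assumption of this example); failure means load > capability.

def phi(x):
    """Standard normal CDF via math.erf, so no SciPy is needed."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))

def failure_probability(load_median, load_sd, cap_median, cap_sd):
    """P(load > capability) for independent normal load and capability.
    D = capability - load is normal with mean B - A and standard deviation
    sqrt(load_sd^2 + cap_sd^2), so P(failure) = P(D < 0) = Phi(-(B - A) / sd_D)."""
    mean_d = cap_median - load_median
    sd_d = math.hypot(load_sd, cap_sd)
    return phi(-mean_d / sd_d)

def failure_probability_mc(load_median, load_sd, cap_median, cap_sd, n=200_000, seed=1):
    """Monte Carlo cross-check of failure_probability under the same model."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(n)
               if rng.gauss(load_median, load_sd) > rng.gauss(cap_median, cap_sd))
    return hits / n

def required_capability_median(load_median, load_sd, cap_sd, target_p):
    """Smallest capability median B for which P(failure) <= target_p.
    Bisection on the z-score, because phi() has no closed-form inverse here."""
    lo, hi = 0.0, 40.0                      # phi(-40) is numerically 0
    while hi - lo > 1e-9:
        mid = 0.5 * (lo + hi)
        if phi(-mid) > target_p:
            lo = mid                        # still too likely: more margin needed
        else:
            hi = mid
    return load_median + hi * math.hypot(load_sd, cap_sd)

def wilks_sample_size(coverage=0.95, confidence=0.95):
    """Smallest n such that the largest of n random samples bounds the
    `coverage` quantile with probability `confidence`: P(max >= q) = 1 - coverage**n
    (first-order Wilks formula, the usual non-parametric basis of a 95/95 claim)."""
    n = 1
    while 1.0 - coverage ** n < confidence:
        n += 1
    return n

if __name__ == "__main__":
    # Constructed peak-cladding-temperature figures in degrees C, not plant data.
    A, sa = 1000.0, 60.0      # median load and its spread
    B, sb = 1250.0, 50.0      # median capability and its spread
    p = failure_probability(A, sa, B, sb)
    print(f"median margin B - A = {B - A:.0f} C, yet P(load > capability) = {p:.2e}")
    print(f"Monte Carlo check: {failure_probability_mc(A, sa, B, sb):.2e}")

    # "Conservatism": evaluate the same barrier against a load exaggerated by 10 %.
    p_cons = failure_probability(1.1 * A, 1.1 * sa, B, sb)
    print(f"with the load x1.1 the evaluated P(failure) becomes {p_cons:.2e}")
    # Passing a 1e-3 target under the exaggerated load forces a higher B; the
    # true failure probability of that stronger barrier is then far lower.
    b_needed = required_capability_median(1.1 * A, 1.1 * sa, sb, 1e-3)
    print(f"B needed under the conservative load: {b_needed:.0f} C; "
          f"true P(failure) then {failure_probability(A, sa, b_needed, sb):.2e}")

    print(f"first-order Wilks sample size for a 95/95 bound: {wilks_sample_size()}")
```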


Fig. 4. For most physical loads and physical barriers, both the magnitude of the load and the barrier capability are statistical quantities and a finite probability of the
load exceeding the capability is inevitably present, even when the median load (A) is far below the median capability (B).

Fig. 5. IAEA SSR-2/1 Rev 1 (2016) (IAEA, 2016), Functional defence-in-depth. There are five levels affecting the design of the plant, but for historical reasons, the
level numbering runs from 1 to 4, with Design basis accidents and Design extension conditions without significant fuel degradation being labelled levels 3a and 3b,
respectively. The nominally fifth level of DiD refers to emergency preparedness measures, which mainly take place outside the plant.

the latter of which is subdivided into two categories: “Without significant fuel degradation” and “With core melting”.

A key feature of the defence line representation shown in Fig. 5 is the decreasing likelihood of invoking a level (or probability of entering an event category) when moving from left to right across the levels. It is certain that a plant will experience “normal operation”; by convention, anticipated operational occurrences are postulated to take place once in the plant lifetime, generally with a frequency of > 1e-2/a; design basis accidents would be expected to be observed only a few times in a large population of plants; and so on. The two generally accepted international frequency limits seem to be 1e-2/a for anticipated operational occurrences and 1e-5/a as a PRA target value for design extension conditions leading to core melting. As an aside, we note that PRA values for core damage frequencies generally seem to be somewhat lower than actual experience (Ha-Duong and Journé, 2014). However, the exact value of the limiting frequency as such is not crucial; what is important is the distinction between accidents without core melt (where massive damage to fuel integrity is avoided) and with core melt (where fuel integrity is largely lost). The latter tends to challenge the containment function more severely than the former.

The above IAEA definition has also served as the foundation of the more elaborate WENRA defence-in-depth definitions and has become the de facto state of the art. The exact definitions of the defence-in-depth levels are provided in Appendix 2.

In their recent discussions of defence-in-depth for future reactors, WENRA has insisted that the levels of defence required under the defence-in-depth principle should be as independent of one another as is reasonably achievable. This sounds reasonable but comes with a very demanding built-in assumption that the defence levels are indeed physically separable from each other. In reality, this is true to a limited degree only, because the same equipment gets credited in multiple defence lines. For instance, there is no design, operating or planned, where there would be five physically independent means to control the reactor power level. Therefore, we conclude that it would be best to explicitly recognize this fact of life.

Note also that the functional defence-in-depth presented in Fig. 5 requires that postulated initiating events be allocated to appropriate defence lines. This is done based on the expected event frequency; one can envision a decreasing frequency axis running from left to right, so that normal operation has the highest frequency (~1) and the design extension condition with core melt a (hopefully) very low frequency. This defence-in-depth logic allows design requirements to be established to manage events in each defence line (event category). The design presumes that event identification and frequencies remain stable; during plant operation, operational events may challenge these notions. Either the event frequency may prove to be so much higher (or lower) that the event needs to be moved to a different category (defence line), or the event may present previously unidentified but significant safety challenges. For good examples of the latter, see the discussion on boron dilution in PWRs in (OECD/NEA, 1996) and thermal insulation behaviour interfering with emergency cooling during loss-of-coolant accidents discussed in e.g. (OECD/NEA, 2013). Root cause analysis of operating events is generally desirable to ensure that this foundation of nuclear safety remains robust.

2.1.3. Safety functions and their design requirements

The IAEA has defined the fundamental safety functions in the Specific Safety Requirements-2/1 Rev 1 (IAEA, 2016) as:

“Fulfilment of the following fundamental safety functions for a nuclear power plant shall be ensured for all plant states:

(i) control of reactivity;
(ii) removal of heat from the reactor and from the fuel store; and


(iii) confinement of radioactive material, shielding against radiation and control of planned radioactive releases, as well as limitation of accidental radioactive releases.”

The IAEA has illustrated the relation of individual safety functions to an individual level of defence in TECDOC-1570 (IAEA, 2007). This interrelation is shown in Fig. 6. This view invites an expansion to include the same figure at all levels of defence and for all safety functions, which we will discuss in Section 2.6.

In order to provide confidence in the engineered safety features (systems, structures, and components), SSR-2/1 Rev 1 requires them to be designed with adequate redundancy, diversity, and physical separation provisions. All these design features are there to increase confidence in successful execution of the safety function in case it is needed. Often it is required to design a safety function fail-safe; this can be done if a safe direction for system failure can be unequivocally identified. The capability to rapidly shut down an operating reactor is a typical example of fail-safe design: the control rods causing the shutdown are kept out of the reactor core by an active system, and should the system fail, e.g. due to lack of motive power, the rods will enter the core by gravity or stored gas pressure, shutting the reactor down.

Redundancy is a means to combat random equipment failures. It is therefore a generalization of the “single failure criterion”, the postulate that in the case of need, any individual component that would need to function fails to do so. This leads to the so-called N + 1 failure criterion, with N understood as the minimum number of affected components required to fulfil the function in question. N + 1 capable system configurations are typically 2 × 100 % or 3 × 50 %.

Some regulatory systems have expanded the redundancy requirement to include the postulate of “concurrent maintenance” on another component, leading to an N + 2 failure criterion. The N + 2 criterion increases the pieces of safety equipment (safety trains) in the plant, but also enables on-line maintenance of safety equipment, thereby providing an availability advantage. N + 2 capable safety system configurations are typically 3 × 100 % or 4 × 50 %.

Diversity is a means of combating common mode failures due to reasons which are internal to the safety equipment. Redundant systems cope well with individual random failures, but are susceptible to common mode failures, which can knock out all similar pieces of equipment in one stroke. Diversity is implemented by providing the same functionality using different physical principles and different physical processes, the most typical example being the diversification of the control rod scram in light water reactors by carrying out a boron solute injection into the reactor.

Physical separation is a means of combating common mode failures triggered by external conditions (materialising hazards) such as fires or floods. To be useful, physical separation has to pertain to redundant systems, so that redundant trains (or components) are separated from each other and a hazard affecting one cannot propagate to another during its mission time.

Fig. 6. Example of how a safety function relates to a level of the defence-in-depth (top) approach according to TECDOC-1570 (IAEA, 2007), p 23. Note that the Line-
Of-Protection (LOP) in this figure relates to prevention or control of mechanisms that are capable of challenging the proper execution of the safety function.
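An added example for the redundancy, diversity and N + 1/N + 2 discussion of Section 2.1.3 (not the paper’s code): it encodes the train configurations named in the text as k-of-n requirements, checks which of them meet the single-failure and N + 2 criteria, and compares function-failure probabilities under independent train failures against a beta-factor common-cause model, which is a standard PRA model rather than one the paper introduces. The per-train unavailability q, the beta factor and the diverse-system figure are constructed values.

```python
from math import comb

# Added example, not the paper's code: the N + 1 / N + 2 criteria and the
# "n x capacity %" train configurations of Section 2.1.3, plus a beta-factor
# common-cause model (a standard PRA model, not one the paper introduces)
# showing why diversity, not more redundancy, answers common-mode failures.
# All probabilities below are constructed illustration values.

def trains_needed(capacity_pct):
    """Minimum number of trains that must work to deliver 100 % of the function."""
    return -(-100 // capacity_pct)          # ceiling division

def tolerated_failures(n_trains, capacity_pct):
    """Trains that may be lost (failed or out for maintenance) with the function
    still fulfilled: 1 for an N + 1 configuration, 2 for N + 2."""
    return n_trains - trains_needed(capacity_pct)

def meets_criterion(n_trains, capacity_pct, extra=1):
    """extra=1: single-failure (N + 1) criterion; extra=2: N + 2, i.e. one
    random failure on top of one train in concurrent maintenance."""
    return tolerated_failures(n_trains, capacity_pct) >= extra

def k_of_n_failure(n, k, q):
    """P(fewer than k of n trains work) when each train fails independently
    with probability q (binomial sum over 0 .. k-1 working trains)."""
    return sum(comb(n, j) * (1 - q) ** j * q ** (n - j) for j in range(k))

def function_failure(n_trains, capacity_pct, q, beta=0.0):
    """Function-failure probability under the beta-factor model: a fraction
    beta of each train's failure probability is a common cause that takes out
    every train at once; the remainder is independent. beta=0 is the purely
    random-failure case that redundancy is designed against."""
    k = trains_needed(capacity_pct)
    p_ccf = beta * q
    q_ind = (1 - beta) * q
    return p_ccf + (1 - p_ccf) * k_of_n_failure(n_trains, k, q_ind)

def diverse_failure(p_primary, p_diverse):
    """Two functionally diverse means (e.g. rod scram and boron injection) are
    assumed to share no common cause, so the function fails only if both do."""
    return p_primary * p_diverse

# The four configurations the text names as N + 1 or N + 2 capable.
CONFIGS = [(2, 100), (3, 50), (3, 100), (4, 50)]

if __name__ == "__main__":
    q, beta = 0.01, 0.05      # constructed per-train unavailability and beta factor
    for n, cap in CONFIGS:
        print(f"{n} x {cap:3d} %: tolerates {tolerated_failures(n, cap)} lost train(s); "
              f"N+1 {meets_criterion(n, cap, 1)}, N+2 {meets_criterion(n, cap, 2)}; "
              f"P(fail) random only {function_failure(n, cap, q):.1e}, "
              f"with common cause {function_failure(n, cap, q, beta):.1e}")
    # Adding trains cannot push P(fail) below about beta*q; a diverse second
    # means (here with a constructed 1e-2 unavailability) can.
    scram = function_failure(2, 100, q, beta)
    print(f"2 x 100 % scram with CCF {scram:.1e}; with diverse boron injection "
          f"{diverse_failure(scram, 1e-2):.1e}")
```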


2.2. Institutional Strength-in-Depth (ISiD) as a form of organizational DID

After the Fukushima accident and its lessons learned, the IAEA’s top-level expert group, the International Nuclear Safety Advisory Group (INSAG), introduced the concept of institutional strength-in-depth (ISiD) (Leveson, 2012). ISiD is to a large degree analogous with defence-in-depth and aims at providing tools to construct a robust overall nuclear safety system at a national level. The concept is based on the idea that it is not enough that there are good technical tools and safety standards; these standards also need to be implemented efficiently. ISiD refers to a network of organizations, such as governments, industry, regulatory bodies, media and NGOs, and the interfaces between them that assure that the tools and safety standards are efficiently applied. Fig. 7 provides an illustration of how the core actors contribute to nuclear safety. For instance, strong self-regulation in the context of industry refers to internal barriers such as experienced staff, strong safety management systems, a vivid safety culture, as well as peer pressure from national and international industry (e.g. WANO requirements). In addition, regulators’ internal barriers consist of regulator capabilities and competence, organizational structure, and international peer pressure derived e.g. from the IAEA reviews (Leveson, 2012).

ISiD builds on the existing safety principles, such as safety culture and the defence-in-depth principle, and is thereby extended from the technical context to the organizational context. In the organizational context, the philosophy of defence-in-depth means that each of the key organizations, i.e. industry, regulators, government, and stakeholders in the nuclear domain, forms an independent safety layer or barrier which is further strengthened by multiple internal barriers, such as competent actors, safety management systems and a vivid safety culture (INSAG, 1999). Openness, transparency, and a questioning attitude should prevail between the organizations. As such, ISiD complements defence-in-depth thinking. Furthermore, the INSAG-27 report suggests that the IAEA should develop formal ISiD guidelines.

ISiD is created for the assessment of the robustness of the national nuclear community. In this sense, ISiD is a useful concept: it brings into the same picture the relevant organizations and their roles and responsibilities that need to be fulfilled in order to maintain and improve nuclear safety. ISiD gives a name to a phenomenon which is relevant to the overall picture of national nuclear safety. Despite its relevance as a concept, ISiD is not much differentiated from the safety culture concept, and it is not yet a theoretically well-developed concept (NEA, 2007). Therefore, ISiD needs to draw on safety culture and organizational theories if it aims to provide deeper insights into inter-organizational relations, such as the internal and external barriers of organizations.

Results of country-specific forums can be used to identify the strengths and weaknesses in the mindset and practices of the national nuclear community (OECD NEA, 2018; OECD NEA, 2019). These include technical rigour with an emphasis on pragmatism, facts, and science, which contributes to thorough problem solving from a technical point of view but can be blind towards human aspects (OECD NEA, 2019), or overconfidence in a country’s own national approach, such as was noted after the fact in Japan (Report of the Fukushima Nuclear Accident Independent Investigation Commission and Diet, 2012). Thus, identification of national cultural features can be used to improve the robustness of a national nuclear community.

It is good to note that even though it is possible and important to recognize national cultural features or a mindset which is common to different organizations in the nuclear field, these organizations also have their own internal goals and interests, which may differ. Even within a single organization there are different subcultures (Schein, 2004; Schein and Schein, 2016), which increase the complexity of organizational life. Therefore, in addition to the need to recognize national cultural features, various organizational aspects are also important to identify when trying to create an overall safety framework and to comprehend safety from a holistic viewpoint. An overall safety framework therefore needs to have recourse also to theories of social science, safety culture, and organizations, which provide thorough approaches for detecting human and organizational factors from different angles: societal, inter-organizational, organizational, individual, structural and ideal (mindset) viewpoints. It depends on the context whether general or more detailed analyses of organizations are needed.

2.3. The overall safety and sociotechnical systems view

In this Chapter we deal with overall safety related concepts, such as the sociotechnical systems view and the system of systems view, and review the related demands for the overall safety framework. We also provide a tentative definition of overall safety and a visualization of it. These aspects contribute to further improvement of the overall safety framework.

Fig. 7. Interrelation of the nuclear industry, regulators and stakeholders according to INSAG-27 (Leveson, 2012), Fig. 1.


The Framework Plan of the Finnish Research Programme on Nuclear Power Plant Safety (SAFIR2022) stresses overall safety and a systemic approach to safety as relevant research topics. However, there is no consensus about the definition of the overall safety concept; the term was first used in the defence community to refer to the wholesome involvement of society in national defence activities. In the academic literature, the concept of overall safety is rarely used. Instead, other terms such as a holistic understanding of safety, a sociotechnical systems view (STS), or system of systems thinking (SoS) are more commonly used (Dekker et al., 2011; Harvey and Stanton, 2014; Leveson, 2004; Kleiner et al., 2015).

By a sociotechnical systems view (STS) we refer to the interconnectedness of social and technical systems (Ylönen et al., 2020; Leveson, 2004; Kleiner et al., 2015; Ylönen et al., 2017; Wahlström, 2018). STS embraces four dimensions: human, technical, organizational, and external environment, including for instance national cultural, political, regulatory, economic, technological, and geo-political environments. Intrinsic complexity arises from the multidimensional interactions between the components (Dekker et al., 2011; Harvey and Stanton, 2014).

Close to the sociotechnical systems view is system of systems thinking (SoS), which refers to a large supersystem that consists of subsystems which are large and complex, and which function autonomously (Harvey and Stanton, 2014). Note here the analogy between nuclear power plant architecture and the systems architectures discussed above in Section 2.1. In social systems, the subsystems can have their own goals, but they need to collaborate with other subsystems to achieve the goals of the SoS, just as engineered safety systems need to function together to implement their safety functions.

We can think of nuclear power plants as systems of engineered systems and as sociotechnical systems consisting of independent subsystems with their own goals. Interoperability is the key to successful system integration. However, this brings challenges from the safety perspective, as it inevitably means that there are increased interfaces and interactions between multiple components (Harvey and Stanton, 2014).

There are some identified challenges regarding the system of systems view, particularly from the organizational and safety culture perspective. These include the network structure, complexity and external influence, the emergent whole (which means that the system is in a state of constant change due to the unpredictable interconnectedness of different subsystems and their outcome (Dekker et al., 2011)), information transfer across boundaries, continual change, and culture (Harvey and Stanton, 2014). For instance, in a network of organizations it is difficult to create a coordinated safety culture, i.e. a similar mindset and practices regarding safety.

With regard to the development of overall safety frameworks, STS and SoS provide some aspects to reflect upon. Comprehension of overall safety should include technical, human and organizational aspects as well as the organization’s external environment, including global and national aspects. In the context of Fig. 8, we provide examples of how an organization’s external environment has implications for the organization’s safety.

By overall safety we refer to the outcome of the safe functioning of a nuclear power plant (as a technical and socio-technical entity), and the safe, sustainable, and successful functioning of the licensee’s organization, which external actors and factors also affect.

Overall safety is visualized in Fig. 8, which borrows ideas from the quality management of an organization’s ecosystem (EFQM), the sociotechnical understanding of safety (Harvey and Stanton, 2014; Ylönen et al., 2017) and studies on organizations (Schein, 2004).

In Fig. 8 overall safety is an outcome of interaction between macro-, meso- and micro-level phenomena. Macro-level factors are external to the license holder organization. They include global- and national-level societal, political and economic factors, such as economic depression and geopolitical uncertainties, but also sociotechnical factors such as technological development and the availability of raw materials and spare parts. The list is not exhaustive, but it shows some factors that may have influence on overall safety over time. The license holder’s organization is affected by external factors and needs to respond to them, e.g. by creating new policies and strategies, or by changing the organizational structure, and these actions may have safety implications. Hence, macro-level factors can have direct or indirect effects on organizations and safety. Furthermore, new technologies may have positive implications for safety, but they may also increase security risks with safety implications. When a technological paradigm changes, it is normal that some old failure modes disappear, while new, previously irrelevant, failure modes emerge. Appendix 3 provides a recent example of such an event, describing an incident that happened in the Forsmark nuclear power plant. Therefore, the external factors related to the organization are worth considering in terms of overall safety.

The meso level refers to the organizational level that is applicable to the license-holding organization, regulatory body, and suppliers. This meso level consists of four dimensions which are also mutually connected: (1) organizational structures such as the organization’s goals and strategies, as well as resources, decision-making structures, and the management system, which guides actions and practices within the organization; (2) social aspects, which refer to interaction and action within an organization, which hierarchies, power relationships, and various expectations regarding individual actions influence; (3) cultural aspects, such as shared norms, beliefs, and values, which also affect social action in an organization; (4) technical aspects, which mainly relate to the technologies of nuclear power plants’ systems, structures, and components, which require human competences and human-technology interactions, which organizations’ structures, cultures and hierarchies also affect.

Fig. 8. Visualization of overall safety. The overall safety of nuclear power plants is affected by macro-, meso- (organizational-level) and micro-level factors.

The meso level of an organization can easily be depicted as a sequence of layers (defense barriers) surrounding the primary activities (Harvey and Stanton, 2014):

1. the primary activity, e.g., plant operation;
2. owner oversight to verify that company performance goals (safety indicators among them) are being met;
3. statutory or regulatory reviews and inspections to verify that safety regulations continue being met;
4. national administrative oversight of regulator activities; and finally,
5. political and general public attention to the performance of all the other actors (1 through 4).

The micro level refers to individual actions. The organization (meso level) enables and constrains the actions and performance of individuals in terms of safety. For instance, changes in organizational structure may increase the workload of some individuals, thus affecting their ability to carry out their tasks in a prudent way. Individuals are carriers of the organization’s structures and culture, but they are not just passive carriers; they are also actors who maintain, question, and change structures and practices in the organization.

The macro, meso and micro levels are thus in continuous interaction and cannot be completely isolated from each other. Fig. 8 illustrates the levels of overall safety, but it does not examine the sociotechnical interactions between them, or between different organizations, which have different roles, responsibilities, expectations, and strategies. These aspects create complex interactions between them. In addition, as the sociotechnical aspect is defined as the interconnectedness and complexity of social and technical systems (Leveson, 2004; Kleiner et al., 2015), the overall safety framework needs to be improved so that it can deal with the interconnectedness of technical and organizational factors simultaneously. The case in Section 3.4 describes the relationships between the macro-, meso- and micro-level factors in the context of the nuclear sector.

Adopting a sociotechnical systems view, i.e. overall safety, also poses challenges for safety regulation. Below are some reflections on what sociotechnical safety regulation would entail (Ylönen et al., 2017; Le Coze et al., 2017):

1. It is necessary to go beyond compliance with regulations, since compliance alone does not guarantee safe performance in complex emerging situations.
2. Sociotechnical safety regulation would require broad cooperation between different experts, so that various views and alternatives would be taken into account.
3. Sociotechnical regulation would require understanding of macro-level economic and political aspects, as well as meso-level interfaces within an organization and between organizations, not to mention micro-level individual workloads. Heavy workloads may have negative effects on safe performance. Obtaining a broad holistic understanding of the functioning of the organization can be assisted by visualization of overall safety.

3. Developing an overall (design) safety framework based on DID

3.1. The ORSAC Framework—A large plant example

The foundation for the framework is to apply a functional defence-in-depth approach, which posits that there are multiple defence levels independent of each other. The overall safety concept arises from the fundamental recognition that each safety function has to be provided on each line of defence-in-depth. Therefore, defence-in-depth levels can be viewed as columns in a matrix where the rows represent the three fundamental safety functions. The elements of the matrix can then be filled in, indicating which safety systems perform each safety function on each defence level. This representation provides an overview at one glance of the interrelations of systems and components credited with implementing the safety functions. Therefore, we call this the Overall Safety Framework.

An example of an overlay of the safety functions across the defence levels is shown in Fig. 9 for a typical large LWR, using the IAEA defence lines for clarity.

As is obvious from Fig. 9, the same physical components (control rods, process systems, containment structure) are credited on multiple defence lines. The five levels of defence are independent of each other only in theory. In practice, there are at most two or three levels of defence that can be credibly implemented by physically independent means. If two separate ways of dropping the control rods (breaking the holding current supply) are provided, then clear functional separation can be achieved between the AOO and DBA levels. Another potentially clear separation line can be implemented between design extension cases without a core melt and with a core melt, by requiring that all systems dedicated to the latter have no functions for the former. However, the containment structure inevitably has to be credited in both defence lines; it is neither practicable nor necessary to envision separate DBA and Severe Accident containment structures. In fact, the very rationale for building a containment in the first place was to protect against large releases of radioactive materials from a massively damaged reactor core.

3.2. The ORSAC framework – an SMR example

It is possible to construct an ORSAC model based on the NuScale small modular reactor on the basis of material publicly available on the U.S. NRC website (Application Documents for the NuScale Design, 2022). This has been done in Fig. 10, using the IAEA defence-in-depth levels and fundamental safety functions:

- Defence lines: normal operation, anticipated operational occurrences, design basis accidents, design extension conditions, core melt accidents
- Fundamental safety functions: criticality control, heat removal, containment of radioactive materials.

As is obvious, also in the case of an SMR it is not realistic to expect more than three physically independent levels of defence. In fact, for a hypothetical core melt accident, the containment structure would be credited as a core catcher; therefore only two independent structures can be distinguished (the process systems and the containment structure).

The main advantage of the small size of SMRs is the relative ease of decay heat removal from the reactor and the containment structure. For fuels similar to the fuel used in large reactors, the reactor power decreases as the cube of the linear dimensions, but the enveloping surfaces decrease as the square of the linear dimensions; therefore heat fluxes through the enveloping surface decrease linearly with the linear dimensions. Therefore, small SMRs may be able to remove decay heat adequately without separate dedicated engineered safeguard systems, by inherently natural processes of convection. Thus, the safety function is fulfilled, but dedicated systems, with their complex design and implementation requirements, can be eliminated. However, the physical structures involved still get credited over a broad range of defence lines!

As can be seen by comparing Figs. 9 and 10, the ORSAC framework provides a quick overview of the whole safety justification of the concepts, and highlights the difference between a very complex active design (the US EPR) and a much simplified passively safe design (NuScale).
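As an added illustration of the ORSAC matrix described in Sections 3.1 and 3.2 (example code, not code from the paper or its authors), the following Python builds the overlay from a list of system credits and then counts how many defence lines remain physically independent once shared credits, such as the containment structure, are taken into account. The two credit tables are constructed for this illustration and are not transcribed from Figs. 9 and 10; the system names in them are placeholders.

```python
"""ORSAC overlay as a checkable data structure: defence-in-depth levels are
the matrix columns, the three fundamental safety functions the rows, and each
cell lists the systems credited there.  Because one physical system may be
credited on several lines, the helpers also compute how many groups of lines
stay physically independent.  The credit tables are CONSTRUCTED for this
illustration, not transcribed from the paper's Fig. 9 or Fig. 10."""
from collections import defaultdict

# IAEA defence lines in order, and the three fundamental safety functions.
LEVELS = ["NO", "AOO", "DBA", "DEC", "CMA"]
FUNCTIONS = ["criticality control", "heat removal", "containment"]

# Constructed (system, safety function, defence line) credits for a large
# LWR with ONE way of dropping the rods: the same trip path is credited on
# both the AOO and the DBA line.
LWR_SINGLE_TRIP = [
    ("control rod drives", "criticality control", "NO"),
    ("reactor trip, rod drop", "criticality control", "AOO"),
    ("reactor trip, rod drop", "criticality control", "DBA"),
    ("emergency boration", "criticality control", "DEC"),
    ("main feedwater and condenser", "heat removal", "NO"),
    ("auxiliary feedwater", "heat removal", "AOO"),
    ("emergency core cooling", "heat removal", "DBA"),
    ("diverse residual heat removal", "heat removal", "DEC"),
    ("containment heat removal", "heat removal", "CMA"),
    ("cladding and RCS boundary", "containment", "NO"),
    ("cladding and RCS boundary", "containment", "AOO"),
    ("containment structure", "containment", "DBA"),
    ("containment structure", "containment", "DEC"),
    ("containment structure", "containment", "CMA"),
]

# Same plant with a second, physically separate way of breaking the rod
# holding current, credited only on the DBA line.
LWR_TWO_TRIPS = [
    ("diverse trip, holding current breaker", fn, lvl)
    if (sys, lvl) == ("reactor trip, rod drop", "DBA") else (sys, fn, lvl)
    for sys, fn, lvl in LWR_SINGLE_TRIP
]


def orsac_matrix(credits):
    """Return {(function, level): [systems]}, keeping credit order."""
    cells = defaultdict(list)
    for system, function, level in credits:
        if function not in FUNCTIONS or level not in LEVELS:
            raise ValueError(f"unknown function or level for {system!r}")
        if system not in cells[(function, level)]:
            cells[(function, level)].append(system)
    return dict(cells)


def multi_line_systems(credits):
    """Systems credited on more than one defence line, mapped to those lines
    in defence-line order (the pattern the paper observes in Fig. 9)."""
    lines = defaultdict(set)
    for system, _function, level in credits:
        lines[system].add(level)
    return {s: [lv for lv in LEVELS if lv in lvls]
            for s, lvls in lines.items() if len(lvls) > 1}


def independent_groups(credits):
    """Partition the defence lines so that no physical system is credited in
    two different groups (union-find over the levels).  Lines within a group
    are independent only in theory; the group count is what physical means provide."""
    parent = {lv: lv for lv in LEVELS}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for levels in multi_line_systems(credits).values():
        root = find(levels[0])
        for lv in levels[1:]:
            parent[find(lv)] = root
    groups = defaultdict(list)
    for lv in LEVELS:  # LEVELS order keeps each group's lines ordered
        groups[find(lv)].append(lv)
    return sorted(groups.values(), key=lambda g: LEVELS.index(g[0]))


def render(credits):
    """Plain-text ORSAC overlay: rows = safety functions, columns = levels."""
    cells = orsac_matrix(credits)
    col = 26
    out = ["".ljust(20) + "".join(lv.ljust(col) for lv in LEVELS)]
    for fn in FUNCTIONS:
        row = fn.ljust(20)
        for lv in LEVELS:
            row += "; ".join(cells.get((fn, lv), ["-"])).ljust(col)
        out.append(row.rstrip())
    out.append("physically independent groups: "
               + " | ".join("+".join(g) for g in independent_groups(credits)))
    return "\n".join(out)


if __name__ == "__main__":
    for table in (LWR_SINGLE_TRIP, LWR_TWO_TRIPS):
        print(render(table), end="\n\n")
```

With one trip path every line ends up in a single group, because the shared trip path links AOO to DBA and the containment structure links DBA, DEC and CMA; the second trip path yields the two groups the paper describes, operational states versus accident conditions.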


Fig. 9. Three main safety functions overlaid across the defence lines for the US EPR system configuration (Turunen, 2020). Note that almost every system gets credited on more than one defence line; there is some, though incomplete, separation between Operational and Accident conditions and between the Design Extension Conditions without and with core melt. (See List of Abbreviations for system identifications.)

3.3. NPP construction and operation – Organization of organizations

The nuclear community consists of several organizations which have clearly distinct and different roles, while interacting with each other. Socio-technical systems have been studied e.g. by Rasmussen (Rasmussen, 1997), who presented a model for the socio-technical system involved in risk management, see Fig. 11 below.

While quite illuminating, the system in Fig. 11 ignores the fact that on the company level, many actors may be present; as one proceeds down the ladder, the number of organizations, organizational units, staff, and work to be done increases rapidly. Given the technology utilized and regulated, all people working in the area can find themselves somewhere in this model, forming a community.

We suggest that the community, as an organization of organizations, behaves to some extent like one organization. In other words, there are some uniform beliefs and feelings which are fundamental and shared by all members of the community. Interestingly, the most important such fundamental beliefs are subconscious, perhaps even never explicitly articulated. The presence of subconscious fundamental beliefs was suggested e.g. by Schein (Schein, 2004), as discussed by Levä in (Levä, 2003). Schein’s three-layer model for an organization’s behaviour and its drivers is presented in Fig. 12.

As said, the nuclear community forms an organization of organizations, with complementary responsibilities but also shared values, norms, and beliefs.

We use here two Finnish nuclear newbuild projects as examples to illustrate the concept of an organization of organizations. The first example is the construction of the Olkiluoto 3 nuclear power plant, which was in the commissioning phase in May 2022. The second example is the construction of the Hanhikivi 1 nuclear power plant, where the licensee Fennovoima withdrew the Construction License Application in May 2022. Key information on the example projects and involved stakeholders is presented in Table 1 below.

Fig. 13 below presents an organization of organizations in the form of a matrix. The level of involvement of the stakeholders gradually changes from real design and construction type of work to superficial remote oversight of the project. This matrix structure works both for the CFS-TVO and the RAOS-Fennovoima relation, because both are EPC (Engineering, Procurement, Construction) contracts where the plant supplier (CFS or RAOS) assumes responsibility for the plant delivery.

In Fig. 13, exact correspondence to the defence levels of Fig. 5 is not achieved, but the analogy is useful nevertheless. The players consist of the delivery team (CFS, RAOS) doing the actual work, the owner (TVO, Fennovoima) overseeing the delivery according to the EPC contract, the technically competent regulator STUK overseeing the activities of the licensees (TVO, Fennovoima) and reporting to the supreme authority on nuclear matters, the Ministry (TEM, forming part of the Government). The Government is accountable to the Parliament, the members of which are accountable to their constituents (voters). Therefore, each level can be thought of as backing up the ones before – much in the same way that the levels of defence back each other up. Note that Fig. 13 presents the state of affairs at the time of construction – once the plant is commissioned, the roles change, and the owner/operator assumes the primary role at the first level.

Fig. 10. Small reactor safety: NuScale approach (200 MWth) (Turunen, 2020). In this case, independence of Operational States and Accident Conditions is somewhat clearer than in a large reactor. There is no comprehensive Severe Accident Management strategy, but NuScale has demonstrated that In-Vessel Retention of core melt is feasible both in the reactor and in the containment vessel.

Looking at Fig. 13, one can see that the “independence of levels” requires all members of the community to stick to their proper roles. For example, should the technical regulator assume some of the licensees’ obligations regarding interaction with the contractors, it becomes impossible for the regulator to objectively review the licensees’ submitted documents. Note also that insisting that the licensee assume larger responsibility for safety necessitates that the licensee be given latitude to decide how this responsibility is best discharged; this need for room to manoeuvre is inherently contradictory to having detailed rules for the licensee to follow.

As shown in Fig. 13, the ORSAC framework also embraces organizational aspects, and it draws on Schein’s theory on organizations (Schein, 2004). The robustness of national nuclear communities in terms of safety is an important topic from the point of view of overall safety, as the IAEA’s institutional strength-in-depth (ISiD) concept indicates (Leveson, 2012). Fig. 13 is partly in accordance with ISiD in terms of combining different organizations with different functions into the same framework. However, it does not deal with organizations’ inner barriers, which are relevant to ISiD. In the next section we will extend the ORSAC framework to cover also sociotechnical aspects and internal barriers based on ISiD.

3.4. Extension of ORSAC from the sociotechnical and organizational perspectives

The benefit of the ORSAC framework is that it is able to also include organizations in the same framework, and in this way visualize these organizations and their relevant functions in terms of safety. However, from the sociotechnical and organizational perspective, the ORSAC model could be further enriched by including in the framework factors which are external to the organization and mechanisms that affect interactions within and between organizations.

By an organization’s external factors we refer to macro-level, i.e. global and national-level, trends including pandemics, economic depression, availability of raw materials, or technological developments, which all create pressures that organizations need to answer, e.g. via changing their strategies or organizational structures, or investing in new technologies, as mentioned in Section 2.3. These external factors and the way organizations answer to them may have significant safety implications. Therefore, we argue that an overall safety framework would need to include a nuclear power plant’s external factors, and this would mean an extension of the ORSAC framework.

In addition to macro-level external factors, an overall safety framework would benefit from including meso-level, i.e. organization-level, factors which have effects on interactions within and between organizations.

Inside each organization it is possible to distinguish between structural, cultural, and social aspects (see Fig. 8 and Fig. 14). By an organization’s structural aspects we mean the organization’s goals, strategies, management structure, main functions, departments, resources, written norms and procedures, roles, and responsibilities that structure the activities and safety performance in the organization. By social aspects we refer to action in relation to other people’s or groups’ actions, hierarchies, power relationships, expectations, and social pressures which affect action. Cultural aspects embrace shared values, beliefs and understanding in an organization; they provide a mindset that guides actions. Structural, social, and cultural aspects are intertwined and have reciprocal relationships. Structures enable or constrain actions, e.g. written norms may enable safe performance or constrain it, e.g. in terms of strict rules that cannot be followed. Actions may also affect structures, when members of an organization deviate from official norms and create new unofficial norms, which may with the passage of time become written norms and new structures. Furthermore, cultural values and beliefs affect the interpretation of structures and actions, and they guide human action. Cultural values


Fig. 11. The socio-technical system involved in risk management according to Rasmussen (Rasmussen, 1997).

Table 1
Key information of the two nuclear newbuild projects in Finland.

|                                                                                            | Olkiluoto 3 project                | Hanhikivi 1 project                        |
| Project acronym                                                                            | OL3                                | FH1                                        |
| Licensee organization                                                                      | TVO (Teollisuuden Voima)           | FV (Fennovoima)                            |
| Plant supplier                                                                             | CFS (Consortium Framatome Siemens) | Rusatom Overseas (RAOS)                    |
| Decision-in-Principle (to construct nuclear power plant) granted by the Finnish government | 2002                               | 2010                                       |
| Project phase in May 2022                                                                  | Commissioning in progress          | Construction license application withdrawn |

Fig. 12. The artefacts, expressed values, and fundamental beliefs in the nuclear community. As an example, “continuous improvement” is an expressed value, but it seems to be driven by a subconscious belief that a change is always for the better. This is debatable.

and beliefs may be manifested in structures, e.g. in an organization’s policies and strategies. Thus, structures, actions, and cultural beliefs are closely intertwined.

Furthermore, it is possible to approach any activity or relationship in an organization from structural, social, and cultural perspectives. For


Fig. 13. The organization of organizations, with the focus on a new build of a nuclear plant in Finland at the design and construction phase. CFS (Consortium Framatome – Siemens) and RAOS (Rusatom Overseas) represent the consortia responsible for the new build delivery (IO = Inspection Organisations, O&M = Operations and Management, TEM = Ministry of Economic Affairs and Employment of Finland).

Fig. 14. An organization of organizations, with the focus on a new nuclear plant build in Finland, complemented by macro and meso (organizational) level factors.

instance, safety management can be seen from the structural perspective, i.e. adopting a management system and resource point of view, or it can be seen from an action point of view, such as from a power relationships perspective, as well as from a values and beliefs viewpoint. In this way organizational life can be seen as a more dynamic phenomenon in terms of safety. Fig. 14 visualizes the ORSAC model in the context of a new nuclear build, now complemented with macro- and meso- (i.e. organizational-) level factors.

We illuminate the relationship between the three levels (macro, meso and micro) with the help of the following case. New technological developments (macro-level), such as the introduction of programmable automation systems (technical systems), have implications for the project owners (meso-level) in terms of decisions related to upgrading their existing systems. Programmable technology provides self-diagnostics capabilities far beyond what was available in analog automation systems (a positive feature), but at the same time introduces new types of vulnerability to common-mode failures (a negative feature) and therefore challenges the traditional safety demonstration of automation systems. Project owners are obliged to assess and justify the new automation systems, and the regulatory body needs to approve the safety assessment. Therefore, both actors need new competences at the micro level (staff competent in the new technology).

Each organization has these same mechanisms through which the interaction within the organization is structured. Similarly, these mechanisms also affect inter-organizational relationships. However, significant macro-, meso- and micro-level factors are resolved on a case-by-case basis. This requires identifying relevant external factors and intraorganisational factors in each case.

A natural next step in the evolution of an organizational ORSAC framework is to provide a more exhaustive list of external macro-level factors and an explicit delineation of meso-level interconnections, as well as the interconnections between all levels. Overall safety in the sociotechnical systems view requires attention to a nuclear power plant’s external factors such as societal, political, and technological developments. This is an extension to current safety thinking.

We suggest that the organisation-of-organisations view of a (national) nuclear community is also helpful in understanding how the community reacts under external pressures beyond its own control, such


as major shifts in the geopolitical situation. There are several historical examples of national policies being triggered by external events: the decision of France in the 1970s to invest heavily in nuclear power to become independent of oil producers, and the decision of Germany in 2011 to abandon nuclear in the aftermath of Fukushima. In such cases, the whole community reacts.

The German example shows that there is a risk that designs formerly thought safe enough become politically unacceptable. The evolution of society is not possible to predict over decades; therefore such a political risk is inherent in all investment decisions involving very long time constants. This serves to remind the industry that societal acceptance necessitates continuous effort and interaction with the rest of society. The societal expectation regarding what qualifies as acceptably safe may change, rendering it impossible to predict, assess or guarantee upfront the satisfaction of the safety criteria for the whole very long operating lifetime of a nuclear power plant.

We also suggest that this view allows an estimation of the current status of the robustness of the national system. This robustness is, naturally, subject to temporally varying pressures and will change over time; therefore, periodic re-assessment is appropriate, just as “Periodic Safety Reviews” are appropriate, and mandated e.g. in the EU for the

conceptualization of robustness for a national nuclear community in terms of safety. It is a useful concept because it provides a name for a phenomenon (the robustness of a national nuclear community) that is not described by any other concept. However, it is a relatively thin and abstract conceptualization in terms of organizational factors. Therefore it needs to be developed further and complemented with organizational and safety culture related theories (Ylönen et al., 2020).

The sociotechnical systems view sets requirements for the overall safety framework in terms of dealing with technical and organizational factors simultaneously. The ORSAC framework includes both technical and organizational aspects and is promising in this respect. However, when there is a need for more detailed examination of the organizational factors or of interactions between the technical and organizational aspects, the ORSAC model needs to be developed further towards taking better into account the interconnectedness of technical and organizational factors, interoperability, information transfer across boundaries, and constant change.

The sociotechnical systems view signifies that overall safety also needs to pay attention to factors which are external to a nuclear power plant, such as societal, political, and technological developments. This is an extension to current safety thinking.
technological safety of nuclear plants.
5. Conclusions
4. Discussion
We conclude that defence-in-depth is a powerful conceptual tool,
Defence-in-depth is primarily about providing physical and func­ upon which an overall safety framework can readily be built. In this
tional barriers against unwanted consequences—in nuclear safety this paper, we suggest that fundamental concepts include the notion of
means against inadvertent radioactive releases. The need for multiple multiple safety barriers and generic safety functions to protect them. We
independent barriers has arisen to address the uncertainties—both present an ORSAC—Overall Safety Concept—that couples independent
aleatory and epistemic—in the knowledge needed to design, dimension, defence lines with fundamental safety functions in a matrix form. The
and assess the barrier performance in both a structural and functional matrix is a transparent and easily accessible visualization of the overall
sense. safety justification of a nuclear power plant, i.e. how well the plant
We propose that conservatisms and failure criteria (including fail-safe meets its top stated safety goals.
principles) are best understood as means to increase confidence in the The ORSAC framework provides a natural role for the concepts of
successful implementation of safety functions, but as such neither are a safety margins, conservatism, a single-failure criterion, and a fail-safe
fundamental part of defence-in-depth. However, the following are design as means of increasing the confidence in barrier performance
fundamental: and/or the reliability of safety functions. These concepts are not parts of
defence-in-depth but rather design options.
1) The notion of multiple defence levels; The ORSAC framework only relies on the definition of multiple
2) Safety functions: the set of (independent) functions that need to be defence lines and generic fundamental safety functions, making it
fulfilled so that damage to physical barriers is minimized under all technology neutral.
postulated challenges. The application of an ORSAC analysis to large LWRs and proposed
SMRs shows that the number of truly independent defence lines is in re­
The ORSAC framework is essentially a matrix of safety functions ality much smaller than in theory. This fact should be explicitly recog­
overlaying the defence-in-depth lines. The framework is a powerful tool nized to avoid added complexity due to demands for more independence
depicting the whole plant (safety case) as a system of systems, producing between the defence lines, and consequent unwarranted confidence in
an easily understandable overall view of the safety characteristics (plant such designs.
architecture) and safety provisions (systems architectures) of nuclear The ORSAC model can be expanded to organizations as well. The
reactors. nuclear community can be represented as an organization of organiza­
The ORSAC framework only relies on the definition of multiple tions. Many useful analogies between technological systems and orga­
defence lines and generic fundamental safety functions, making it nizational structures can be easily identified. The institutional strength-
technology neutral. in-depth (ISiD) concept provides a new conceptualization with regard to
The analysis of typical large LWRs and proposed SMRs shows that the the robustness of the national nuclear community in terms of safety, and
number of truly independent defence lines is in reality (3), much smaller therefore the overall safety concept and framework can be developed by
than in theory (5). This fact should be explicitly recognized in interna­ including ISiD aspects.
tional regulatory guidance to avoid the added complexity due to de­ The sociotechnical systems view maintains that overall safety needs
mands for more independence between defence lines, and consequent to pay attention also to factors which are external to a nuclear power
unwarranted confidence in such designs. plant, such as societal, political, and technological developments. This is
The ORSAC framework was first developed from the technical an extension of the current safety thinking. The ORSAC framework in­
defence-in-depth viewpoint and then extended towards organizational cludes both technical and organizational aspects and is promising in this
aspects. In analogy to the nuclear plant as system of technical systems, respect. However, a simultaneous examination of technical and orga­
the nuclear community can be represented as an organization of orga­ nizational aspects, not to mention their interrelationships would require
nizations. Many useful analogies between technological and organiza­ further development. Furthermore, as there is a need for more detailed
tional structures can be easily identified, e.g. that each organization examination of the organizational factors or interactions between the
needs to stick to their roles to guarantee independence from each other. technical and organizational aspects, the ORSAC model needs to be
The institutional strength-in-depth (ISiD) concept provides a new improved further towards taking better into account the


interconnectedness of technical and organizational factors, interoperability, information transfer across boundaries, and constant change.
We argue that even when presented separately, the technical and organizational aspects of the overall safety framework provide valuable insights into a holistic understanding of safety, and as such they provide useful tools to examine overall safety. Moreover, the organizational and technical aspects of the ORSAC framework can be used to model overall safety with semantic and system-modelling tools.

CRediT authorship contribution statement

Juhani Hyvärinen: Conceptualization, Methodology, Visualization, Data curation, Formal analysis, Funding acquisition, Supervision, Writing – original draft, Writing – review & editing. Juhani Vihavainen: Conceptualization, Methodology, Visualization, Data curation, Funding acquisition, Project administration, Supervision, Writing – original draft, Writing – review & editing. Marja Ylönen: Conceptualization, Methodology, Visualization, Funding acquisition, Project administration, Writing – original draft, Writing – review & editing. Janne Valkonen: Visualization, Conceptualization, Writing – review & editing.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Data availability

Data will be made available on request.

Acknowledgments

The work was funded by the Finnish Research Programme on Nuclear Power Plant Safety (SAFIR 2022) in project OSAFE (Development of overall safety framework, 2019-2020). The support is gratefully acknowledged.

Appendix

Appendix 1. A brief history of defence-in-depth

The concept of defence-in-depth has a long history. This Appendix provides a brief review of the history of the concept to show how it has evolved
over the decades.
The idea of defence-in-depth was originally developed by the military to describe defences spread over multiple consecutive defence lines, instead of one strong line. In the nuclear industry, the idea of a defence line can be understood as a structure (a barrier against release, e.g. fuel cladding) or as a function (e.g. to mitigate accident consequences in the plant). It is important to recognize that the functional interpretation is not unique; at least two essentially different interpretations of functional defence-in-depth are possible:

1) A sequence of plant functions dedicated to accident prevention, accident mitigation, and emergency preparedness. This is the modern view
formalized by the IAEA, WENRA and Finnish legislation, and leads to the idea of plant architecture, from which the system architecture can be
derived (WENRA, 2013).
2) Design measures to enhance independence of defence lines and the reliability of systems performing fundamental safety functions that protect
physical barriers, namely criticality control, decay heat removal, and radioactivity confinement. These measures are redundancy, diversity, and
physical separation. This view often appears in the American literature (U.S. NRC, 2016), and drives the system architecture in the plant, while
implicitly creating a plant architecture.

To further complicate matters, the safety margin concept—which is vital for the detailed design of individual defence barriers—is sometimes also
understood to be an element of defence-in-depth.
Early developers of nuclear reactors for power production recognized that reactor operation would create a large inventory of radioactive material
that, if released from the plant uncontrollably, could cause health hazards to the plant operators and the surrounding population. Consequently, they
devised the idea of placing multiple, mutually independent barriers between the radioactive inventory and the public. From quite early on, power
reactors were equipped with containment or “accident localization” structures as a last resort measure against accidents that could develop in the
reactor system itself.
The U.S. NRC compiled a knowledge base of the history and definitions of defence-in-depth in the NUREG/KM-0009 report (U.S. NRC, 2016). According to the history review provided in the report, the first mention of a defence-in-depth-like concept appears in correspondence of March 14, 1956 from the U.S. Atomic Energy Commission to the Congress of the United States, in the following form (U.S. NRC, 2016) (p. 3.2):
“1) Recognizing all possible accidents which could release unsafe
amounts of radioactive materials; 2) Designing and operating the
reactor in such a way that the probability of such accident is reduced
to an acceptable minimum; 3) By appropriate combination of
containment and isolation, protecting the public from the conse­
quences of such an accident, should it occur.”
Interestingly, this definition can be interpreted both in the structuralist and in the functional way. Soon afterwards, in 1957, a strong structuralist viewpoint was formulated in the first risk analysis of power reactors, the WASH-740 report "Theoretical Possibilities and Consequences of Major Accidents in Large Nuclear Power Plants" (U.S. NRC, 2016) (p. 3.2), which defined:
"multiple lines of defence … (1) the integrity of the reactor vessel;
and, (2) the integrity of the reactor container or vapor shell."
Note that the WASH-740 report gave no credit to fuel cladding as the first release barrier. Multiple physical barriers first appeared in the U.S.
literature right after the TMI-2 accident. In 1979, the NUREG-0578 report “TMI-2 Lessons-Learned Task-Force Status Report and Short-term Rec­
ommendations” states that (U.S. NRC, 2016) (p. 3.3–3.4):


"The underlying philosophy of nuclear reactor safety has provided
multiple levels of protection against the release of radioactivity, i.e.,
the concept of defence-in-depth. It includes diversity and redundancy
of various safety functions and systems and multiple physical
barriers (the fuel, the cladding, the primary coolant boundary, and
the containment) …" (underlining added),
where again safety system reliability was interpreted to be part of defence-in-depth.
After the Chernobyl accident, the IAEA developed and published the first internationally developed formalization of basic safety principles for
nuclear power plants (75-INSAG-3, 1988), including defence-in-depth. As quoted in (U.S. NRC, 2016) (p. 3–28), 75-INSAG-3 described defence-in-
depth as follows:
“All safety activities, whether organizational, behavioral or equip­
ment related, are subject to layers of overlapping provisions, so that
if a failure should occur it would be compensated for or corrected
without causing harm to individuals or the public at large.”
The document then goes on to state that the principle of defence-in-depth is:
“To compensate for potential human and mechanical failures, a
defence in depth concept is implemented, centred on several levels of
protection including successive barriers preventing the release of
radioactive material to the environment. The concept includes pro­
tection of the barrier by averting damage to the plant and to the
barriers themselves. It includes further measures to protect the
public and the environment from harm in case these barriers are not
fully effective.”
As can be seen, the notion of physical barriers against radioactive release was clearly stated, and an embryonic form of functional defence in depth can also be recognized in "…protection of the barriers themselves…" and "… further measures to protect the public and the environment from harm in case these barriers are not fully effective." Human and mechanical failures were treated on a more or less equal footing.
In 1996, the IAEA dedicated a whole report, INSAG-10 (INSAG, 1996), to defence-in-depth. INSAG-10 made a distinction between the then operating reactors and future reactors. At the time of publication, many plant vendors had begun active development of designs that relied, to a large extent, on stored-energy-driven and gravity-driven safety systems. These designs were the AP600 by Westinghouse, the SBWR by GE, and the SWR-1000 by Siemens; they later evolved into the AP1000, ESBWR and Kerena, respectively.
In operating plants, defence-in-depth was enhanced, in particular to take into account operating experience feedback, to consider low power and shutdown conditions in greater detail, and to consider human factors. For future plants, INSAG-10 foresaw improved accident prevention through independence of defence lines and improved containment functions, to explicitly incorporate severe accidents in plant design. "Independence of defence lines" implies that the IAEA already then considered "defence lines" as consecutively implemented plant functions, instead of plant internal safety systems. According to INSAG-10 (§123), accident prevention was to be strengthened by, inter alia:

▪ increased thermal inertia (a favourable inherent characteristic),
▪ reduced complexity (however, this natural expectation is contradicted by (§125), which proposes reinforcing Level 2 by more systematic use of limitation systems, independent from control systems; note that the limitation systems are here limited to I&C systems), and
▪ passive features (the language is generic and appears to have been carefully chosen, not to market passive systems explicitly).

In addition to discussing the levels, INSAG-10 (§50-54) noted that appropriate conservatism, quality assurance and safety culture are prerequisites
that apply to all defence levels. Conservatism was emphasized for levels 1–3, with best estimate assessment becoming more important for levels 4–5. A
“safety margin” was mentioned as an association with conservatism, but not defined.
INSAG-12, published in 1999 (INSAG, 1999), was the first revision of the classical 75-INSAG-3 (1988). The defence-in-depth level definitions in
INSAG-12 are the same as in INSAG-10, indicating that the (technical) concept for functional levels began to mature.

Appendix 2. IAEA DID level definitions

The IAEA explains the five levels of defence as follows:

(1) The purpose of the first level of defence is to prevent deviations from normal operation and the failure of items important to safety. This leads to re­
quirements that the plant be soundly and conservatively sited, designed, constructed, maintained, and operated in accordance with quality management
and appropriate and proven engineering practices. To meet these objectives, careful attention is paid to the selection of appropriate design codes and
materials, and to the quality control of the manufacture of components and construction of the plant, as well as to its commissioning. Design options that
reduce the potential for internal hazards contribute to the prevention of accidents at this level of defence. Attention is also paid to the processes and
procedures involved in design, manufacture, construction, and in-service inspection, maintenance, and testing, to the ease of access for these activities,
and to the way the plant is operated and to how operating experience is utilized. This process is supported by a detailed analysis that determines the
requirements for operation and maintenance of the plant and the requirements for quality management for operational and maintenance practices.
(2) The purpose of the second level of defence is to detect and control deviations from normal operational states in order to prevent anticipated operational
occurrences at the plant from escalating to accident conditions. This is in recognition of the fact that postulated initiating events are likely to occur over the
operating lifetime of a nuclear power plant, despite the care taken to prevent them. This second level of defence necessitates the provision of specific
systems and features in the design, the confirmation of their effectiveness through safety analysis, and the establishment of operating procedures to prevent
such initiating events, or otherwise to minimize their consequences, and to return the plant to a safe state.


(3) For the third level of defence, it is assumed that, although very unlikely, the escalation of certain anticipated operational occurrences or postulated
initiating events might not be controlled at a preceding level and that an accident could develop. In the design of the plant, such accidents are postulated to
occur. This leads to the requirement that inherent and/or engineered safety features, safety systems and procedures be capable of preventing damage to
the reactor core or preventing radioactive releases requiring off-site protective actions and returning the plant to a safe state.
(4) The purpose of the fourth level of defence is to mitigate the consequences of accidents that result from failure of the third level of defence in depth. This is
achieved by preventing the progression of such accidents and mitigating the consequences of a severe accident. The safety objective in the case of a severe
accident is that only protective actions that are limited in terms of lengths of time and areas of application would be necessary and that off-site
contamination would be avoided or minimized. Event sequences that would lead to an early radioactive release or a large radioactive release are
required to be ‘practically eliminated’.
(5) The purpose of the fifth and final level of defence is to mitigate the radiological consequences of radioactive releases that could potentially result from
accidents. This requires the provision of adequately equipped emergency response facilities and emergency plans and emergency procedures for on-site
and off-site emergency response.

Appendix 3. The Forsmark 2006 overvoltage incident

The Forsmark incident of 2006 provides an excellent example of failure modes shifting as a consequence of technological change.
In this case, the safety function was to provide uninterrupted AC supply from batteries, a DC power source. In the original design, the DC/AC
conversion was performed by electromechanical means which were very robust against supply voltage overshoots, but mechanically unreliable. Over
the years, electromechanical parts were replaced by power electronics equipment that could perform the DC/AC conversion using solid-state semi­
conductor components. The new technology was mechanically very reliable, to the delight of plant maintenance, but also required protection against
supply overvoltage, in order not to burn the semiconductor thyristors. Eventually, there was a plant transient initiated at the switchyard, which caused
the plant to disconnect from the national grid and created a major voltage disturbance that knocked out several of the DC/AC converters, disabling half
of plant safety instruments as a consequence. Among other things, only two out of four emergency diesel generators were able to operate. The situation
was successfully recovered by operator action improvised on the spot in the darkened control room.
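The independence count discussed in Section 4 (truly independent defence lines being fewer in reality than in theory) can be made mechanical, as in this added example that is not part of the paper: a constructed ORSAC matrix with hypothetical plant systems and support systems, checked pairwise for shared dependencies, so that a support shared across lines, in the spirit of the DC/AC converters in the Forsmark event above, reduces the number of mutually independent lines. All system, support and line names are assumptions made for the example.

```python
"""ORSAC-style independence count for defence-in-depth lines.

Added example, not code from the paper. The ORSAC matrix overlays the
fundamental safety functions (criticality control, decay heat removal,
radioactivity confinement) on the defence-in-depth lines. Each cell
lists the plant systems credited for that function on that line, and
each system lists the support systems it cannot work without. Two lines
count as truly independent only when they share no credited system and
no support system. The plant below is a constructed, hypothetical one.
"""
from itertools import combinations

FUNCTIONS = ("criticality_control", "decay_heat_removal", "confinement")
LINES = ("L1", "L2", "L3", "L4", "L5")

# Constructed ORSAC matrix: (line, function) -> credited systems.
# Level 5 is emergency response, so it has no plant function for the
# first two columns and those cells are left empty.
MATRIX = {
    ("L1", "criticality_control"): {"control_rods"},
    ("L1", "decay_heat_removal"): {"main_feedwater"},
    ("L1", "confinement"): {"primary_circuit"},
    ("L2", "criticality_control"): {"control_rods", "limitation_system"},
    ("L2", "decay_heat_removal"): {"auxiliary_feedwater"},
    ("L2", "confinement"): {"primary_circuit"},
    ("L3", "criticality_control"): {"scram_system"},
    ("L3", "decay_heat_removal"): {"emergency_core_cooling"},
    ("L3", "confinement"): {"containment_isolation"},
    ("L4", "criticality_control"): {"emergency_boration"},
    ("L4", "decay_heat_removal"): {"core_catcher_cooling"},
    ("L4", "confinement"): {"filtered_venting"},
    ("L5", "criticality_control"): set(),
    ("L5", "decay_heat_removal"): set(),
    ("L5", "confinement"): {"offsite_emergency_response"},
}

# Constructed support dependencies. "dc_ac_converter" is deliberately
# shared by L3 and L4 systems, in the spirit of the Forsmark 2006 event
# where the DC/AC converters were a common support for several lines.
SUPPORT = {
    "control_rods": {"normal_ac", "plant_ic"},
    "main_feedwater": {"normal_ac", "plant_ic"},
    "primary_circuit": set(),
    "limitation_system": {"normal_ac", "plant_ic"},
    "auxiliary_feedwater": {"normal_ac", "plant_ic"},
    "scram_system": {"safety_ic", "dc_ac_converter"},
    "emergency_core_cooling": {"safety_ic", "diesel_ac"},
    "containment_isolation": {"safety_ic", "dc_ac_converter"},
    "emergency_boration": {"sam_panel", "dc_ac_converter"},
    "core_catcher_cooling": {"gravity_tank"},
    "filtered_venting": {"manual_valve"},
    "offsite_emergency_response": {"offsite_organisation"},
}


def line_dependencies(line):
    """Everything a line relies on: credited systems plus their supports."""
    deps = set()
    for func in FUNCTIONS:
        for system in MATRIX[(line, func)]:
            deps.add(system)
            deps |= SUPPORT.get(system, set())
    return deps


def shared_dependencies(a, b):
    """What lines a and b both rely on; an empty set means independent."""
    return line_dependencies(a) & line_dependencies(b)


def dependency_edges():
    """Pairs of lines that are not independent, mapped to what they share."""
    edges = {}
    for a, b in combinations(LINES, 2):
        shared = shared_dependencies(a, b)
        if shared:
            edges[(a, b)] = shared
    return edges


def independent_lines():
    """Largest set of mutually independent lines (exhaustive search over
    the 31 non-empty subsets of five lines, largest first)."""
    edges = dependency_edges()
    for size in range(len(LINES), 0, -1):
        for subset in combinations(LINES, size):
            if not any(pair in edges for pair in combinations(subset, 2)):
                return subset
    return ()


if __name__ == "__main__":
    print("defence lines in theory:", len(LINES))
    for pair, shared in dependency_edges().items():
        print("not independent:", pair, "share", sorted(shared))
    chosen = independent_lines()
    print("truly independent lines:", len(chosen), chosen)
```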

References

Application Documents for the NuScale Design, U.S. NRC webpages, https://www.nrc.gov/reactors/new-reactors/smr/nuscale/documents.html (accessed June 30, 2022).
Aven, T., Ylönen, M., 2018. A risk interpretation of sociotechnical perspectives. Reliab. Eng. Syst. Saf. 175, 13–18.
Dekker, S., Cilliers, P., Hofmeyr, J.H., 2011. The complexity of failure: implications of complexity theory for safety investigations. Saf. Sci. 49 (6), 939–945.
Emery, F.E., Trist, E.L., 1960. Socio-technical Systems. In: Churchman, C.W., Verhulst, M. (Eds.), Management Science, Models and Techniques, 2. Pergamon Press, pp. 83–97.
Ha-Duong, M., Journé, V., 2014. Calculating nuclear accident probabilities from empirical frequencies. Environ. Syst. Decis. 34 (2), 249–258.
Hansson, S.O., 2012. Safety is an inherently inconsistent concept. Saf. Sci. 50 (7), 1522–1527.
Harvey, C., Stanton, N.A., 2014. Safety in System-of-Systems: Ten key challenges. Saf. Sci. 70, 358–366.
Hollnagel, E., 2017. Safety-I and Safety-II. The Past and Future of Safety Management. CRC Press, London. https://doi.org/10.1201/9781315607511 (accessed June 29, 2022).
Hyvärinen, J., 1993. The Inherent Boron Dilution Mechanism in Pressurized Water Reactors. Nucl. Eng. Des. 145, 227–240.
Hyvärinen, J., 1996. On the fundamentals of nuclear reactor safety assessment: inherent threats and their implications. Dr. Tech. dissertation, STUK-A135, December 1996.
Hyvärinen, J., Kauppinen, O.P., Vihavainen, J., 2016. Overall Safety Conceptual Framework – ORSAC. Final Report. Nuclear Engineering, LUT School of Energy Systems, Lappeenranta University of Technology.
IAEA, 2007. Proposal for a technology-neutral safety approach for new reactor designs. IAEA-TECDOC-1570. ISBN 978-90-0-107607-6. International Atomic Energy Agency (IAEA), Vienna, 2007.
IAEA, 2016. Safety of nuclear power plants: design. IAEA Safety Standards Series, Specific Safety Requirements (SSR) No. SSR-2/1 (Rev. 1). ISBN 978-92-0-109315-8. International Atomic Energy Agency (IAEA), Vienna, 2016.
IAEA, 2016. Considerations on the Application of the IAEA Safety Requirements for the Design of Nuclear Power Plants. IAEA-TECDOC-1791. ISBN 978-92-0-104116-6. International Atomic Energy Agency (IAEA), Vienna, May 2016.
INSAG, 1996. Defence in depth in nuclear safety. A report by the International Nuclear Safety Advisory Group (INSAG). INSAG series No. INSAG-10. ISBN 92-0-103295-1. International Atomic Energy Agency (IAEA), Vienna, 1996.
INSAG, 1999. Basic safety principles for nuclear power plants, 75-INSAG-3 Rev. 1. A report by the International Nuclear Safety Advisory Group (INSAG). INSAG series No. INSAG-12. ISBN 92-0-102699-4. International Atomic Energy Agency (IAEA), Vienna, 1999.
INSAG-27, 2017. Ensuring Robust National Nuclear Safety Systems – Institutional Strength in Depth. A report by the International Nuclear Safety Group. IAEA.
Kleiner, B.M., Hettinger, L.J., DeJoy, D.M., Huang, Y.-H., Love, P.E.D., 2015. Sociotechnical attributes of safe and unsafe work systems. Ergonomics 58 (4), 635–649. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4566878/#cit0022.
Le Coze, J.C., Pettersen, K., Engen, O.A., Morsut, K., Skotnes, R., Ylönen, M., Heikkilä, J., Merlele-Coze, I., 2017. Sociotechnical systems theory and the regulation of safety in high-risk industries – White paper. VTT Technology 293.
Levä, K., 2003. Turvallisuusjohtamisjärjestelmien toimivuus: vahvuudet ja kehityshaasteet suuronnettomuusvaarallisissa laitoksissa. TUKES-julkaisu 1/2003 (DSc dissertation, in Finnish).
Leveson, N.G., 2004. A new accident model for engineering safer systems. Saf. Sci. 42 (4), 237–270.
Leveson, N., 2012. Engineering a Safer World: Systems Thinking Applied to Safety. The MIT Press, Cambridge, MA.
NEA, 2007. Task Group on Safety Margins Action Plan (SMAP): Safety Margins Action Plan – Final Report. NEA/CSNI/R(2007)9. https://www.oecd-nea.org/nsd/docs/2007/csni-r2007-9.pdf.
OECD NEA, 2018. Country-Specific Safety Culture Forum: Sweden. OECD Publishing, Paris. www.oecd-nea.org/hans/pubs/2018/7420-cssc-sweden.pdf.
OECD NEA, 2019. Country-Specific Safety Culture Forum: Finland. OECD Publishing, Paris. http://www.oecd-nea.org/hans/pubs/2019/7488-csscf-finland.pdf.
OECD/NEA, 1996. Boron reactivity transients. Proceedings of a Specialist Meeting, State College, PA, USA, 18–20 October 1995. NEA/CSNI/R(96)3.
OECD/NEA, 2013. Updated Knowledge Base for Long Term Core Cooling Reliability. NEA/CSNI/R(2013)12.
Rasmussen, J., 1997. Risk management in a dynamic society: a modelling problem. Saf. Sci. 27 (2/3), 183–213.
Report of the Fukushima Nuclear Accident Independent Investigation Commission. The National Diet of Japan, 2012. https://www.nirs.org/fukushima/naiic_report.pdf.
Schein, E.H., 2004. Organizational Culture and Leadership, 3rd ed. Jossey-Bass, San Francisco.
Schein, E., Schein, P., 2016. Organizational Culture and Leadership, 5th ed. John Wiley & Sons, Hoboken.
The Society for Risk Analysis (SRA), 2018. Society for Risk Analysis Glossary. https://www.sra.org/resources (accessed March 12, 2022).
Turunen, M., 2020. Overall safety of small modular reactors. MSc thesis, LUT University, 2020. https://urn.fi/URN:NBN:fi-fe2020120499439.
U.S. NRC, 2016. Historical review and observations of defence-in-depth. Nuclear Regulatory Group (NUREG) publication NUREG/KM-0009. United States Nuclear Regulatory Commission (U.S. NRC), 2016.
Vihavainen, J., 2014. VVER-440 Thermal Hydraulics as a Computer Code Validation Challenge. Dr. Tech. dissertation, Acta Universitatis Lappeenrantaensis 618, December 2014.
Wahlström, B., 2018. Systemic thinking in support of safety management in nuclear power plants. Saf. Sci. 109, 201–218.
WENRA, 2013. Safety objectives for new power plants. Study by the WENRA Reactor Harmonization Working Group (RHWG). Western European Nuclear Regulators' Association (WENRA), 2013.
Ylönen, M., 2020. Assessing the goodness of the concept of Institutional strength-in-depth. In: Teperi, A.M., Gotcheva, N. (Eds.), Human Factors in Nuclear Industry. Elsevier.
Ylönen, M., Engen, O.A., Le Coze, J.C., Heikkilä, J., Skotnes, R., Pettersen, K., Morsut, K., 2017. Sociotechnical safety assessment within three risk regulation regimes. VTT Technology 295. SAF€RA STARS final report.
Ylönen, M., Kari, M., Gotcheva, N., Talja, H., 2017. Overall safety and organizations – institutional strength-in-depth and national actors. Research Report, DNRO SAFIR 32/2017, 8.3.2017. VTT-V-113017-16.
