Nuclear Engineering and Design 330 (2018) 157–165
Integrating quantitative defense-in-depth metrics into new reactor designs☆
Cindy Williams⁎, William J. Galyean, Kent B. Welter
NuScale Power, LLC, 1100 NE Circle Blvd., Suite 200, Corvallis, OR 97330 United States
Keywords: Defense-in-depth; Risk-informed; Performance-based; PRA; Reactor; Design
Abstract
Risk-informed, performance-based (RIPB) methods have progressed to the point where high-level guidance can be used to augment traditional, deterministic, nuclear safety design practices in areas important to nuclear reactor safety. This paper describes an approach for augmenting the traditional defense-in-depth (DID) qualitative approach with quantitative risk information from a plant-specific probabilistic risk assessment (PRA) in a way that is structured, can be applied on a consistent basis, and allows for clear acceptance criteria. Adding performance-based targets that should be achieved is expected to result in safer and more economical plant designs. Evaluations of DID can be conducted throughout the design process as well as in support of design certification and operating license applications to identify where defense protections could be enhanced or relaxed. Consistent with the United States Nuclear Regulatory Commission's policy statement encouraging greater use of PRA to improve safety decision making and regulatory efficiency, this scenario-based DID method can be used to evaluate changes and overall plant design as part of the normal design control process. Although the RIPB method presented in this paper was developed for application to advanced passive light water reactor designs, the metrics could be tailored to other reactor designs. This risk-informed approach to DID helps to ensure that public and worker risk insights are integrated into the design process holistically.
1. Introduction
Nuclear power plants must be designed to generate electricity in a safe, reliable, and economical manner. Design processes for existing light water reactors (LWRs) have relied heavily on deterministic design methods and deterministic analyses to ensure safety and comply with regulatory requirements. Risk evaluations have typically been performed after a significant amount of design work has been completed to ensure compliance with United States (U.S.) Nuclear Regulatory Commission (NRC) safety goals. These risk evaluations support, in part, qualitative and deterministic defense-in-depth (DID) assessments. Defense-in-depth is a design philosophy aimed at ensuring safety is not dependent on any one feature; it employs successive levels of redundant and diverse safety functions in design, construction, and operation to ensure appropriate barriers, controls, and personnel are in place to prevent, contain, and mitigate accidents and exposure to radioactive material. This philosophy has evolved over the history of nuclear power plant design with the overall goal of ensuring adequate safety to the public. The purpose of this paper is to outline an approach for a more quantitative assessment of the effectiveness of the implementation of the DID design philosophy.
Implementing the philosophy of DID includes a broad set of integrated design processes. They address accident prevention, accident mitigation, and risk management. Reactor design DID, as described here, consists of the integration of three strategies:
1. The first strategy employs conservative codes, standards, and analysis methods in the design to ensure margins of safety exist so as to minimize potential impacts of uncertainty. Multiple and successive barriers are employed to prevent, contain, and mitigate exposure to an accidental fission product release.
2. The second strategy involves programs and processes that serve to ensure fission product barrier function is designed with appropriate reliability and maintained throughout the life of the plant.
3. The third strategy requires evaluating the effectiveness of these fission product barriers to maintain their effectiveness and reliability to ensure they continue to perform their design safety functions under abnormal conditions.
☆ Funding: This material is based upon work supported by the Department of Energy under Award Number DE-NE0000633, an account of work sponsored by an agency of the United States government. Neither the United States government nor any agency thereof, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States government or any agency thereof.
⁎ Corresponding author. E-mail address: (C. Williams).
Received 7 September 2017; Received in revised form 29 December 2017; Accepted 2 January 2018. Available online 20 February 2018.
0029-5493/ © 2018 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license.
While the general design criteria in 10 CFR 50 are the key inputs into the requirements analysis process from a regulatory perspective, alternate or additional requirements may be needed for new and advanced reactors in cases of unique technologies, designs, or site characteristics (U.S. Code of Federal Regulations, 2015a). While there are numerous ways in which to integrate risk-informed, performance-based (RIPB) principles and methods into the design process (e.g., reliability assurance program), this paper describes the method by which an RIPB approach is being used within existing NRC guidance to augment the traditional DID philosophy for advanced passive LWRs.
Although traditional nuclear power plant design was based on deterministic and conservative analysis techniques, the results did not guarantee a conservative design. Advancements in probabilistic risk assessment (PRA) methods have led to their use in improving plant design and operations. Because PRAs realistically reflect actual plant design, construction, operational practices, and operational experience, they have proven to be a valuable complement to traditional engineering approaches. Use of PRA in regulatory matters to the extent supported by state of the art methods and data has resulted in measurable improvements in nuclear reactor safety by reducing the likelihood and consequences of potential severe accidents.
The proposed approach describes a method for augmenting the traditional DID philosophy with risk information from the PRA that is structured, quantifiable, and can be applied on a consistent basis; this approach reduces subjectivity and supports risk-informed decision making. Metrics are proposed to evaluate the adequacy of DID, which can be used to: (1) establish a DID baseline for the plant, and (2) serve as a method for evaluating the adequacy of DID in design changes.
While integration of RIPB principles and methods is most effective early in the design process when risk insights can be used to support early trade studies and decision making, caution should be taken since early versions of the PRA have larger uncertainties due to the lack of design detail. Evaluations of plant DID can be conducted throughout the design development process as well as in support of design certification and operating license applications.
Although the metrics proposed here are intended for use on advanced passive LWR designs, it is expected that they can be tailored to other, technology-specific reactor designs that use similar metrics for evaluating plant risk such as core damage frequency and large release frequency. This risk-informed DID approach allows incorporation of risk insights early, and more broadly, into the design process holistically; it can be used to help ensure the design, construction, and operation of a new reactor design poses no undue risk to the health and safety of the public.
While it is widely accepted that DID helps to ensure safe LWR operation, at the same time, it is recognized that DID is challenging to measure or quantify because philosophies differ (U.S. Nuclear Regulatory Commission, 2016). Incorporation of risk insights can be formalized in an RIPB approach to DID, and by extension, to plant design; this is consistent with the NRC policy statement on the use of PRA (U.S. Nuclear Regulatory Commission, 1985):
The use of PRA technology should be increased in all regulatory matters to the extent supported by the state of the art in PRA methods and data, and in a manner that complements the NRC’s deterministic approach and supports the NRC’s traditional DID philosophy.
2. Defense-in-depth
The concept of DID is a longstanding principle used in the evaluation of nuclear plant licensing. While somewhat different definitions have been used in various regulatory documents, the definitions consistently include the concept that implementation of DID helps assure plant safety by providing barriers to radionuclide release such that safety is not dependent on a single barrier. The current definition of DID in the NRC glossary is:
An approach to designing and operating nuclear facilities that prevents and mitigates accidents that release radiation or hazardous materials. The key is creating multiple independent and redundant layers of defense to compensate for potential human and mechanical failures so that no single layer, no matter how robust, is exclusively relied upon. Defense-in-depth includes the use of access controls, physical barriers, redundant and diverse key safety functions, and emergency response measures.
The concept of DID has further been used to account for uncertainties in safety analyses; the extent to which DID is applied can be determined, in part, by the use of risk insights (U.S. Nuclear Regulatory Commission, 2016):
The concept of defense-in-depth has always been and will continue to be a fundamental tenet of regulatory practice in the nuclear field, particularly regarding nuclear facilities. Risk insights can make the elements of defense-in-depth more clear by quantifying them to the extent practicable. Although the uncertainties associated with the importance of some elements of defense may be substantial, the fact that these elements and uncertainties have been quantified can aid in determining how much defense makes regulatory sense. Decisions on the adequacy of or the necessity for elements of defense should reflect risk insights gained through identification of the individual performance of each defense system in relation to overall performance.
2.1. Defense-in-depth regulatory requirements
Defense-in-depth has been at the core of the NRC's safety philosophy, and remains fundamental to the safety and security expectations of NRC’s regulatory structure. The following summarizes key regulatory documents with regards to DID and risk-informed decision making to nuclear power licensing:
• 10 CFR 100.1(d), Reactor Site Criteria: states that DID be considered in reactor siting criteria (U.S. Code of Federal Regulations, 2015b).
• Policy Statement on the Regulation of Advanced Reactors: sets expectation that designs incorporate the DID philosophy by maintaining multiple barriers against radiation release, and by reducing the potential for, and consequences of, severe accidents (U.S. Nuclear Regulatory Commission, 2008).
• Standard Review Plan Section 19.0, Probabilistic Risk Assessment and Severe Accident Evaluation for New Reactors: recommends that applicants identify risk-informed safety insights based on systematic evaluations of risk such that the design’s robustness, levels of DID, and tolerance of severe accidents initiated by either internal or external hazards can be evaluated (U.S. Nuclear Regulatory Commission, 2014).
• NUREG-2150, A Proposed Risk Management Regulatory Framework: observes that, “there is no guidance on how much DID is sufficient,” and that risk assessment, in combination with other technical analyses, can inform decisions about appropriate DID measures (U.S. Nuclear Regulatory Commission, 2012).
• Regulatory Guide 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant Specific Changes to the Licensing Basis: provides the framework for current licensing decision making, establishes that DID should be maintained to address uncertainties, and encourages the use of risk analysis to provide insights on the “extent of defense-in-depth” (U.S. Nuclear Regulatory Commission, 2011).
2.2. Objectives of defense-in-depth within a risk-informed and performance-based framework
The inclusion of RIPB elements into the philosophy of DID provides
the ability to assess, on a quantitative and consistent basis, the adequacy of DID. By augmenting the traditional, deterministic DID philosophy with RIPB elements, a more complete depiction of plant risk is possible. The following objectives were established for using RIPB methods in a manner that complements the traditional DID philosophy:
• The existing methods for integrating nuclear safety within the plant design using the philosophy of DID remain essentially unchanged.
• Defense-in-depth ensures appropriate barriers, controls, and personnel are provided to prevent, contain, and mitigate events and incidents leading to exposure to radioactive material according to the hazard present, the relevant scenarios, and associated uncertainties.
• Each DID barrier is designed with sufficient safety margin to maintain its functionality for relevant scenarios and account for uncertainties.
• Systems needed to ensure the functionality of a DID barrier are designed to ensure appropriate reliability for relevant scenarios.
• Defense-in-depth barriers are subject to performance monitoring.
• Defense-in-depth ensures the risks resulting from the failure of some or all of the established barriers and controls, including human errors, are maintained acceptably low.
2.3. Basis of the scenario-based defense-in-depth method
The approach to risk-informed evaluation of DID adequacy as described in this paper is based conceptually on NRC Regulatory Guide 1.174 (U.S. Nuclear Regulatory Commission, 2011), the IAEA INSAG-10 report (International Atomic Energy Agency, 1996), and the IAEA INSAG-25 report (International Atomic Energy Agency, May 2011). Regulatory Guide 1.174 provides recommendations for using risk information in support of licensee-initiated licensing basis changes to a nuclear power plant. While it provides an example of a risk-informed process for evaluating DID for design changes in licensed, operating, nuclear power plants, it does not address the specific criteria needed for each nuclear power plant activity or design characteristic that may be amenable to risk-informed regulation. It also does not provide specific guidance with respect to risk-informed decision-making in conceptual, preliminary, detailed, or final design phases. Nevertheless, the guidance can be adapted to support the design development process for evaluating the adequacy of DID.
Seven factors are identified in Regulatory Guide 1.174 for evaluating the impact of proposed licensing basis changes on DID (U.S. Nuclear Regulatory Commission, 2011). These factors were considered in development of the risk-informed DID approach:
1. A reasonable balance is preserved among prevention of core damage, prevention of containment failure, and consequence mitigation.
2. Over-reliance on programmatic activities as compensatory measures is avoided.
3. System redundancy, independence, and diversity are commensurate with the expected frequency, consequences of challenges to the system, and uncertainties (e.g., no risk outliers exist).
4. Defenses against potential common-cause failures are included in the design.
5. Independence of barriers is maintained.
6. Defenses against human errors are maintained.
7. The intent of the plant’s design criteria is maintained.
In addition, the IAEA INSAG-10 report was relied upon for the concept of an accident-scenario/sequence¹-based DID evaluation framework for risk-informed decision making (International Atomic Energy Agency, 1996). The five levels of DID described in IAEA INSAG-10 have been expanded upon to allow for calculation of a level of DID adequacy. The calculation of DID adequacy can be used to: (1) establish a DID baseline of a power plant design, and (2) serve as a method for evaluating DID adequacy of proposed design changes. This quantitative RIPB DID evaluation is complementary to traditional qualitative or deterministic DID evaluations.
The approach is also consistent with the integrated risk-informed decision-making framework described in IAEA INSAG-25 (International Atomic Energy Agency, May 2011). The IAEA INSAG-25 report reinforces a transparent, reproducible, and structured framework of deterministic and probabilistic techniques and findings to help achieve an integrated decision-making process that serves in an optimal fashion to ensure nuclear reactor safety.
2.4. Evaluating the adequacy of defense-in-depth
The method for evaluating the adequacy of DID is based on a multilevel concept where if one level fails, other levels provide the necessary protection of public safety. The method includes five levels starting with protection against initial plant upsets, through successive levels including means to limit potential consequences. The objective of the first level of protection is the prevention of abnormal operation and system failures. If the first level fails, abnormal operation is controlled or failures are detected by a second level of protection. Should the second level fail, a third level ensures that safety functions are performed by activating specific safety systems and other safety features. Should the third level fail, a fourth level limits accident progression through accident management so as to prevent or mitigate severe accident conditions and external releases of radioactive materials. The last objective is the mitigation of the radiological consequences.
Decision analysis techniques were employed to translate the elements of DID in a systematic and formal manner. As summarized in Table 1, the method starts with a structured matrix based on the five levels of DID: (1) prevention, (2) control of abnormal operations, (3) control of accidents, (4) control of severe plant conditions, and (5) mitigation. Then, each level is broken down into individual attributes; the attributes include both qualitative and quantitative metrics based on traditional DID measures as well as risk insights. The approach depicts the elements that are used to devise, maintain, and improve DID in a structure that weighs choices between complex alternatives. The utility of a decision-making algorithm in the form of a matrix also helps make the process transparent and repeatable.
Although the weighting for each level in Table 1 was chosen to reflect equal importance of each level of DID, small adjustments in weightings may be considered to allow slight differences in levels (for example, based on the premise that prevention is more important than control, or control is more important than mitigation). This is consistent with historical approaches to DID that state the principal defense is through the prevention of accidents through conservative design, followed by a second line of defense that includes protective systems to prevent or minimize damage from failures, and finally a third line that includes installed engineered safety features to mitigate the consequences of postulated accidents (U.S. Nuclear Regulatory Commission, 2016).
Similarly, attribute scores were chosen to provide a scale to infer a level of robustness beyond the current subjective approach; the relative strength of individual DID attributes is shown by quantifying them to the extent practicable. While the numbers are somewhat arbitrary, exact values are intended to provide a practical way to distinguish
¹ Scenario and sequence are used interchangeably in this paper and are intended to denote a single core damage pathway through an event tree in a probabilistic risk assessment. This typically comprises an initiating event (i.e., an initial plant upset event) and a series of system level failure events that ultimately lead to some undesired plant condition (e.g. core damage).
between designs with varying degrees of DID. The scoring is simply a way to provide quantitative risk targets that should be achieved, or improvements made in the design; they also help gauge the level of safety of a nuclear power plant design. While this method provides DID measures that can be directly quantified, it is recognized that judgment has been exercised in setting level weighting and attribute scoring. By breaking down the elements of DID, and ranking them through relative importance, the method provides a systematic and structured approach to evaluating the adequacy of DID.
Table 1
Summary Defense-in-Depth Matrix (evaluated on an accident sequence/scenario basis).
Defense-in-Depth Levels and Attributes | Defense-in-Depth Evaluation Metrics: High (4) | Medium (3) | Low (1)
Level 1: Prevention of Abnormal Operation and Failures (Weight 20%)
Internal event initiating event frequency (per year) | ≤1E−2 | >1E−2 and ≤1 | >1
External hazard initiating event frequency (per year) | ≤1E−4 | >1E−4 and ≤1E−2 | >1E−2
Level 2: Control of Abnormal Operation and Detection of Failures (Weight 20%)
Safety system response | Passive | Automatic control | Manual control
Nonsafety system response | Automatic | Control room | Local
Level 3: Control of Accidents within the Design Basis (Weight 20%)
Core damage frequency only considering safety systems (per year) | ≤1E−5 | >1E−5 and ≤1E−3 | >1E−3
Conditional core damage probability | ≤1E−5 | >1E−5 and ≤1E−3 | >1E−3
Level 4: Control of Beyond Design Basis Conditions (Weight 20%)
Conditional containment failure probability | ≤0.01 | >0.01 and ≤0.1 | >0.1
Time to beginning of core damage (hours) | ≥8 | <8 and ≥1 | <1
Coping time (hours) | ≥72 | <72 and ≥24 | <24
Containment isolation response | Fail-safe valves | Active valves | Check valves
Level 5: Mitigation of the Consequences of Releases (Weight 20%)
Large release frequency (per year) | ≤1E−8 | >1E−8 and ≤1E−6 | >1E−6
Secondary confinement | Seismic Cat. 1 | Other | None
Lastly, the scoring of the metrics (i.e., high = 4, medium = 3, and low = 1) is designed on the premise that a single “low” score should not be offset by a single “high” score, but in fact requires a two-for-one offset such that at most only a single attribute might be scored as “low” and still have an overall evaluation of acceptable.
The adequacy of DID may be evaluated on a sequence basis for system metrics, by frequency-averaging across all sequences for plant metrics, or both. An overview of the process follows. Each level is described in detail in subsequent sections; they are also graphically depicted in Table 2 through Table 6.
• Each level of defense includes attributes that are evaluated individually based on higher-to-lower levels of DID.
• Each attribute is scored independently (all attributes are shown with a default score); note that not all attributes will necessarily be evaluated for a sequence-based evaluation.
• An average score is then calculated for each level, based on the number of applicable attributes.
• The scores for each level are weighted based on the weights shown in the level headings in Table 2 through Table 6.
• The scores are then combined; a total score of greater than 3.0 indicates a higher than nominal level of DID and should, therefore, be judged as adequate.
In the scoring used in this method, a score of 3 is loosely associated with design features consistent with the current generation of operating plants in the U.S. Since these plants have already been evaluated by the NRC and found to be safe, the DID for these plants is adequate. However, for advanced designs, the expectation is for improved safety. Therefore, this “level” of DID (i.e., a score of 3) is termed “nominal.”
This quantitative DID evaluation method complements traditional qualitative or deterministic DID evaluations and improves on the capability to analyze nuclear power plant designs as integrated systems. The PRA is used to help determine whether more or less DID is needed through the role that individual systems play in providing protection against a release and the effect of the individual systems acting in concert. This sequence-based method considers quantitative metrics from an acceptable PRA²; an acceptable PRA that meets scope, level of detail, and technical adequacy in accordance with endorsed standards can be used to support regulatory decision making (U.S. Nuclear Regulatory Commission, 2011).
² Regulatory Guide 1.200 provides guidance on determining the technical adequacy of a PRA (U.S. Nuclear Regulatory Commission, 2009). This guidance defines a technically acceptable PRA and provides the NRC’s position on industry PRA consensus standards.
2.4.1. Defense-in-depth prevention metrics
The first level of DID is focused on prevention. The level 1 prevention attributes consider deviations from normal operating conditions, including transients and plant shutdowns. Prevention is measured by the frequency of a deviation from normal operation.
Deviations or initiating events are perturbations to steady-state operation that could challenge plant control and safety systems whose failure could potentially lead to an accident. An initiating event is defined in terms of the change in plant status that results in a condition requiring an automatic reactor trip (e.g., loss of feedwater, loss of coolant accident), or a manual trip prompted by conditions other than those involved in a normal shutdown. An initiating event may result from human causes, equipment failure from causes internal to the plant (e.g., hardware faults, floods, or fires) or external to the plant (e.g., earthquakes or high winds), or combinations of both. Table 2 includes the level 1 DID metric for prevention of abnormal operation and failures.
The DID values for internal initiating event frequencies range from events that are not expected to occur within the plant lifetime to those that are expected to occur each cycle. Because external hazards such as earthquakes and tornadoes can potentially impact the ability of plant systems to respond to an upset condition, the DID values for external hazard frequencies are lower.
The weighting for the level 1 metric is 20 percent; accident prevention is the first priority. Provisions that prevent deviations from normal plant operation are generally more effective and more predictable than measures aimed at control or mitigating consequences. A plant’s performance generally deteriorates when the status of the plant or a component departs from normal conditions. As such, preventing degradation of plant performance will provide the most effective protection to the public and environment.
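The scoring procedure described in Section 2.4 (attribute bands from Table 1, an average per level, equal 20% level weights, a total above 3.0 judged adequate, and the frequency-averaged plant view), carried through as an added Python example. This is not code from the paper or from NuScale; the attribute keys, category labels and the two sample sequences are constructed for illustration, and the two-for-one offset property of the 4/3/1 scale is shown by averaging a level by hand.

```python
# Added example (not code from the paper or from NuScale): a scorer for the
# scenario-based DID matrix of Table 1. Attribute keys, category labels and the
# sample sequences below are this example's own constructions.
from fractions import Fraction

HIGH, MEDIUM, LOW = 4, 3, 1
LEVEL_WEIGHTS = {level: Fraction(1, 5) for level in range(1, 6)}  # equal 20 % weights

def lower_is_better(high_max, medium_max):
    """Band a frequency or probability: <= high_max -> 4, <= medium_max -> 3, else 1."""
    def score(value):
        if value <= high_max:
            return HIGH
        return MEDIUM if value <= medium_max else LOW
    return score

def higher_is_better(high_min, medium_min):
    """Band a time in hours: >= high_min -> 4, >= medium_min -> 3, else 1."""
    def score(value):
        if value >= high_min:
            return HIGH
        return MEDIUM if value >= medium_min else LOW
    return score

def categorical(high_label, medium_label):
    """Band a qualitative attribute by its category label; any other label scores low."""
    def score(value):
        if value == high_label:
            return HIGH
        return MEDIUM if value == medium_label else LOW
    return score

# Table 1, level by level; the keys are this example's names for the attributes.
MATRIX = {
    1: {"internal_ie_freq": lower_is_better(1e-2, 1.0),
        "external_ie_freq": lower_is_better(1e-4, 1e-2)},
    2: {"safety_response": categorical("passive", "automatic control"),  # else manual
        "nonsafety_response": categorical("automatic", "control room")},  # else local
    3: {"cdf_safety_only": lower_is_better(1e-5, 1e-3),
        "ccdp": lower_is_better(1e-5, 1e-3)},
    4: {"ccfp": lower_is_better(0.01, 0.1),
        "time_to_core_damage_h": higher_is_better(8, 1),
        "coping_time_h": higher_is_better(72, 24),
        "containment_isolation": categorical("fail-safe valves", "active valves")},
    5: {"lrf": lower_is_better(1e-8, 1e-6),
        "secondary_confinement": categorical("seismic cat. 1", "other")},
}

def level_average(scores):
    """Average of the applicable attribute scores in one level, kept exact."""
    return Fraction(sum(scores), len(scores))

def level_scores(metrics):
    """Score each attribute present in `metrics` and average per level. Attributes
    not supplied are simply not evaluated (the sequence-based case in the paper);
    a level with nothing to evaluate cannot be weighted, so that is an error."""
    result = {}
    for level, attributes in MATRIX.items():
        scored = [scorer(metrics[name]) for name, scorer in attributes.items() if name in metrics]
        if not scored:
            raise ValueError(f"level {level}: no attribute evaluated")
        result[level] = level_average(scored)
    return result

def did_score(metrics):
    """Weighted total over the five levels, as a float (3.0 is 'nominal')."""
    return float(sum(LEVEL_WEIGHTS[lvl] * avg for lvl, avg in level_scores(metrics).items()))

def is_adequate(metrics):
    """A total above the nominal score of 3.0 is judged adequate."""
    return did_score(metrics) > 3.0

def frequency_averaged_score(sequences):
    """Plant-level view: sequence totals averaged with sequence frequency as weight.
    `sequences` is a list of (frequency per year, metrics) pairs."""
    total_freq = sum(freq for freq, _ in sequences)
    return sum(freq * did_score(metrics) for freq, metrics in sequences) / total_freq

# Constructed sequence metrics: illustrative values, not any plant's PRA results.
SAMPLE_SEQUENCE = {
    "internal_ie_freq": 0.1, "external_ie_freq": 1e-3,
    "safety_response": "passive", "nonsafety_response": "automatic",
    "cdf_safety_only": 1e-6, "ccdp": 1e-7,
    "ccfp": 0.05, "time_to_core_damage_h": 24, "coping_time_h": 72,
    "containment_isolation": "fail-safe valves",
    "lrf": 1e-9, "secondary_confinement": "other",
}
# Medium on every attribute lands exactly on the nominal score of 3.0.
NOMINAL_SEQUENCE = {
    "internal_ie_freq": 0.5, "external_ie_freq": 1e-3,
    "safety_response": "automatic control", "nonsafety_response": "control room",
    "cdf_safety_only": 1e-4, "ccdp": 1e-4,
    "ccfp": 0.05, "time_to_core_damage_h": 4, "coping_time_h": 48,
    "containment_isolation": "active valves",
    "lrf": 1e-7, "secondary_confinement": "other",
}

if __name__ == "__main__":
    print("sample:", did_score(SAMPLE_SEQUENCE), is_adequate(SAMPLE_SEQUENCE))    # 3.65 True
    print("nominal:", did_score(NOMINAL_SEQUENCE), is_adequate(NOMINAL_SEQUENCE))  # 3.0 False
    # Two-for-one rule within a level: one high does not offset one low, two highs do.
    print(level_average([LOW, HIGH]), level_average([LOW, HIGH, HIGH]))            # 5/2 3
```

The level averages are kept as exact fractions so that a design sitting exactly on a band boundary is not pushed across the 3.0 threshold by floating-point rounding; only the final total is converted to a float. The frequency-averaged variant weights each sequence's total by its initiating frequency, which is one reading of the paper's "frequency-averaging across all sequences for plant metrics".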
Table 2
Defense-in-depth prevention metric (level 1).
Prevention of Abnormal Operation and Failures¹
Level 1 Defense-in-Depth Attributes² (Weight 20%) | High | Medium | Low
Internal event initiating event frequency (per year) | ≤1E−2 | >1E−2 and ≤1 | >1
Attribute score | 4 | 3 | 1
External hazard initiating event frequency (per year) | ≤1E−4 | >1E−4 and ≤1E−2 | >1E−2
Attribute score | 4 | 3 | 1
¹ The level 1 DID prevention metric focuses on conservatism in the design and quality in construction and operation.
² Not all attributes will necessarily be evaluated for a sequence-based evaluation.
Table 3
Defense-in-depth control metric (level 2).
Control of Abnormal Operation and Detection of Failures¹
Level 2 Defense-in-Depth Attributes (Weight 20%) | High | Medium | Low
Safety system response² | Passive or fail-safe system | Active system with automatic control | Active system with manual control
Attribute score | 4 | 3 | 1
Nonsafety system response² | Automatic | Control room action | Local action
Attribute score | 4 | 3 | 1
¹ The level 2 DID control metric focuses on control, limiting protection systems, and other surveillance features.
² If more than one system is involved, each system is evaluated separately and the highest rating is used for the attribute.
Table 4
Defense-in-depth control metric (level 3).
Control of Accidents within the Design Basis¹
Level 3 Defense-in-Depth Attributes (Weight 20%) | High | Medium | Low
Core damage frequency only considering safety systems (i.e., focused PRA) (per year) | ≤1E−5 | >1E−5 and ≤1E−3 | >1E−3
Attribute score | 4 | 3 | 1
Conditional core damage probability | ≤1E−5 | >1E−5 and ≤1E−3 | >1E−3
Attribute score | 4 | 3 | 1
¹ The level 3 DID control metric focuses on engineering safety features, accident procedures, limiting protection systems, and other surveillance features.
2.4.2. Defense-in-depth control metrics
The next three levels of defense cover control of the plant following abnormal operation or system failure. The weighting for control levels 2 through 4 is 20 percent each; the weighting for each is similar to the prevention metric and represents the capability of the plant to respond to an abnormal condition and prevent a release.
The level 2 DID metric, control of abnormal operation and detection of failures, considers inherent plant features and systems to control abnormal operations. In response to a deviation from steady-state operation, it considers plant response and the systems designed to detect and bring the plant back to normal operating conditions. The level 2 control attributes consider whether the plant’s response is automatic or requires manual control. The design of the plant and system response focuses on the prevention of conditions that might threaten the ability to remove core heat. Table 3 includes the level 2 control metric.
The DID metrics for safety and nonsafety system response to events range from passive systems to those that require local, manual control by plant operators; DID is enhanced through the use of passive and highly-reliable, power-independent fail-safe safety systems.
The level 3 DID metric covers control of accidents within the design basis. In spite of the provisions for prevention, accident conditions may occur. Engineered safety features and protection systems are provided to prevent evolution towards severe accidents and confine radioactive materials. The level 3 DID metric focuses on prevention of core damage. The attributes consider the core damage frequency using only safety systems (i.e., focused PRA)—those systems designed on the basis of postulated design-basis accidents (e.g., a loss of coolant accident or main steam line break). It also includes the conditional core damage probability which fully utilizes all plant capabilities, including available nonsafety-related equipment and the role of operators. If the development from an initiating event to a severe accident condition is slow, it is possible for plant personnel to diagnose the status of the plant and restore systems and safety functions. Table 4 includes the level 3 control metric.
The core damage frequency value for high DID covers sequences in which safety systems alone (i.e., focused PRA) are well above the quantitative objective established to meet the Commission’s safety goal (i.e., total core damage frequency of less than 1E−4 per reactor year). The sequence conditional core damage probability values are based on the sequence core damage frequency values from the PRA including credit for nonsafety system response; the sequence conditional core damage probability considers failures of safety and nonsafety plant systems and components following an off-normal event.
The final control level, level 4, focuses on protection of containment. As such, this metric includes consideration of the time to the beginning of core damage. In the event of core damage, the next line of defense is containment and preventing accident progression and the potential for a release. Table 5 includes the level 4 control metric.
Similar to the level 3 conditional core damage probability attribute, the level 4 conditional containment failure probability attribute fully utilizes all plant capabilities, including available nonsafety-related equipment and the role of operators. The conditional containment
Table 5
Defense-in-depth control metric (level 4).
Control of Severe Plant Conditions, Including Prevention of Accident Progression and Mitigation of the Consequences of Severe Accidents1
Level 4 Defense-in-Depth Attributes2 (Weight 20%)
High
Medium
Low
Conditional containment failure probability
Attribute score
Time to beginning of core damage (hours)
Attribute score
Coping time – for loss of all AC power sequences (hours)
≤0.01
4
≥8
4
≥72
4
Fail-safe actuated valves
4
> 0.01 and ≤0.1
3
< 8 and ≥1
3
< 72 and ≥24
3
Active actuated valves
3
> 0.1
1
<1
1
< 24
1
Only check valves
1
Containment isolation response
1
2
The level 4 DID control metric focuses on complementary measures and accident mitigation.
Not all attributes will necessarily be evaluated for a sequence-based evaluation (i.e., coping time).
failure probability value for high DID covers sequences in which there is
considerable margin to meet the NRC’s Standard Review Plan Chapter
19.0 acceptance criteria for containment failure (i.e., 0.1); the value for
low DID covers sequences that do not meet the criteria. The threshold
values for the time to core damage consider the possibility of additional
resources becoming available to limit core damage progression;
medium DID provides time for emergency operating facility staffing
and low DID limits the control of accident progression to the operator
recovery actions that would be performed in accordance with the
emergency operating procedures. Recovery actions are considered from
the time of the initiating event up to the point at which containment
failure is imminent. This time can be used to take measures to prevent
core degradation and containment failure.
For sequences that involve a complete loss of all AC power, coping
time is considered (i.e., the time from the onset of a station blackout to
the time when AC power is needed to be restored to maintain adequate
core cooling). The coping time for high DID is based on expectations for
passive plants; it is also the time in which outside resources are expected to be available to support FLEX strategies (i.e., portable equipment to support diverse and flexible coping strategies). The coping time
for medium DID is based on expectations for restoring AC power; it is
also the time in which site access is expected to be restored to support
FLEX strategies.
The DID metric for high containment isolation is based on highlyreliable fail-safe components (e.g., valves that fail closed on a loss of
power) while a low valuation is based on a design that only relies on
check valves which historically have not been as reliable for leaktightness.
availability of structures to limit a possible release. Table 6 includes the
level 5 mitigation metric. The weighting for the level 5 metric is 20
percent.
The large release frequency value for high DID covers sequences in
which there is considerable margin to meet the quantitative objective
established to meet the Commission’s safety goal (i.e., total large release frequency of less than 1E−6 per reactor year); the value for low
DID covers sequences that fall short of meeting the safety goal. The DID
metrics for secondary confinement range from a Seismic Category 1
structure which would provide some mitigation to no secondary confinement.
2.4.3. Defense-in-depth mitigation metric
The level 5 metric includes accident management measures aimed
at controlling the course of a severe accident and mitigating its consequences. It considers the frequency of a large release and the
2.5.1. Plant-based example
This section includes an example evaluation of an overall plantbased DID metric for a small modular reactor design using the PRA
developed to support design certification. This new design is less susceptible to severe accidents due to its integrated design and highly reliable passive safety systems that fail-safe on a loss of power and
minimize challenges to core integrity. Compared to existing LWR designs, the small modular reactor design also includes additional fission
product barriers such as a Seismic Category I reactor building. Such
features reduce the potential for core damage and subsequent radionuclide release.
2.5. Results
The evaluation of DID adequacy can be calculated by scoring
the prevention, control, and mitigation DID attributes, calculating
an average score for each level, applying the appropriate weighting
factors, and summing up the results for comparison against the
3.0 nominal level of DID adequacy threshold. As shown in Sections
2.5.1, 2.5.2, and 2.5.3 a quantitative evaluation of the adequacy of
DID can be applied to the overall plant design as well as individual
sequences.
A high level of DID mitigates concerns about uncertainty with regards to the design, construction, maintenance, and operation of a plant
design. A high level of DID also provides assurance of the safety of
power plant operation. As DID is designed to protect the health and
safety of the public and environment, a higher level of DID indicates a
higher level of protection.
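The scoring procedure described in Section 2.5 (attribute ratings mapped to scores of 4, 3 and 1, an average per level with non-applicable attributes skipped, 20 percent weights, and comparison against the 3.0 nominal threshold), as an added worked example in Python that is not code from the paper or from NuScale. It reproduces the plant-based and sequence-based totals reported in Sections 2.5.1 to 2.5.3 from the figures given there, and applies the cutset product of Tables 7 and 8 to rate the sequence large release frequency. The threshold functions follow Tables 5 and 6 only; Tables 3 and 4 are not reproduced on this page, so the level 1 to 3 ratings are entered directly as High/Medium/Low. The function and constant names, the 1E−9 per year plant-level large release frequency (the text says only "well below 1E−8"), and the unlimited coping time entered as infinity are assumptions made for this example.

```python
"""Defense-in-depth (DID) scoring after Sections 2.4-2.5 (added example, not the paper's code)."""
import math
from typing import Dict, Optional, Sequence

# Rating -> attribute score used throughout Tables 3-6.
SCORE = {"high": 4, "medium": 3, "low": 1}
NOMINAL = 3.0                                            # nominal DID adequacy threshold
WEIGHT = {1: 0.20, 2: 0.20, 3: 0.20, 4: 0.20, 5: 0.20}   # weight per DID level


# Table 5 (level 4) numeric thresholds.
def rate_ccfp(p: float) -> int:
    """Conditional containment failure probability."""
    return 4 if p <= 0.01 else 3 if p <= 0.1 else 1


def rate_time_to_core_damage(hours: float) -> int:
    """Time to beginning of core damage, in hours."""
    return 4 if hours >= 8 else 3 if hours >= 1 else 1


def rate_coping_time(hours: Optional[float]) -> Optional[int]:
    """Loss-of-all-AC coping time; None when the sequence is not a station blackout (Table 5, note 2)."""
    if hours is None:
        return None
    return 4 if hours >= 72 else 3 if hours >= 24 else 1


CONTAINMENT_ISOLATION = {"fail-safe valves": 4, "active valves": 3, "check valves only": 1}


# Table 6 (level 5) thresholds.
def rate_lrf(per_year: float) -> int:
    """Large release frequency, per year."""
    return 4 if per_year <= 1e-8 else 3 if per_year <= 1e-6 else 1


SECONDARY_CONFINEMENT = {"seismic category I": 4, "other": 3, "none": 1}


def level_score(scores: Sequence[Optional[int]]) -> float:
    """Average over the attributes evaluated for one level; None marks a non-applicable attribute."""
    applicable = [s for s in scores if s is not None]
    if not applicable:
        raise ValueError("a DID level needs at least one applicable attribute")
    return sum(applicable) / len(applicable)


def did_score(levels: Dict[int, Sequence[Optional[int]]]) -> float:
    """Weighted sum of the five level scores, to be compared against NOMINAL."""
    if set(levels) != set(WEIGHT):
        raise ValueError("all five DID levels must be scored")
    return sum(level_score(levels[k]) * WEIGHT[k] for k in WEIGHT)


def adequacy(score: float) -> str:
    """Verdict relative to the 3.0 nominal level of DID adequacy."""
    if math.isclose(score, NOMINAL):
        return "nominal"
    return "above nominal" if score > NOMINAL else "below nominal"


def sequence_frequency(initiator: float, conditional: Sequence[float]) -> float:
    """Cutset frequency: initiating-event frequency times the conditional failure probabilities (Tables 7, 8)."""
    return initiator * math.prod(conditional)


def conditional_probability(conditional: Sequence[float]) -> float:
    """The same cutset with the initiating event set to certainty (TRUE), as in Section 2.5.1."""
    return sequence_frequency(1.0, conditional)


# Plant-based example (Section 2.5.1). Assumed for the example: LRF of 1E-9/yr
# (the text says "well below 1E-8") and the unlimited coping time entered as infinity.
PLANT = {
    1: [SCORE["medium"], SCORE["medium"]],
    2: [SCORE["high"], SCORE["medium"]],
    3: [SCORE["high"], SCORE["high"]],
    4: [SCORE["medium"], SCORE["medium"], rate_coping_time(math.inf),
        CONTAINMENT_ISOLATION["fail-safe valves"]],
    5: [rate_lrf(1e-9), SECONDARY_CONFINEMENT["seismic category I"]],
}

# Sequence A (Table 7): makeup-line LOCA; not a station blackout, so coping time is not applicable.
SEQ_A_IE, SEQ_A_EVENTS = 3e-4, [5e-5, 1e-1, 4e-3]
SEQ_A = {
    1: [SCORE["high"]],
    2: [SCORE["high"], SCORE["medium"]],
    3: [SCORE["high"], SCORE["high"]],
    4: [rate_ccfp(1.0), SCORE["medium"], rate_coping_time(None),
        CONTAINMENT_ISOLATION["fail-safe valves"]],
    5: [rate_lrf(sequence_frequency(SEQ_A_IE, SEQ_A_EVENTS)),
        SECONDARY_CONFINEMENT["seismic category I"]],
}

# Sequence B (Table 8): loss of offsite power and station blackout in an AC-dependent design.
SEQ_B_IE, SEQ_B_EVENTS = 3e-2, [3e-1, 6e-3, 8e-3]
SEQ_B = {
    1: [SCORE["medium"]],
    2: [SCORE["medium"], SCORE["low"]],
    3: [SCORE["high"], SCORE["medium"]],
    4: [SCORE["low"], SCORE["medium"], SCORE["low"], CONTAINMENT_ISOLATION["active valves"]],
    5: [rate_lrf(sequence_frequency(SEQ_B_IE, SEQ_B_EVENTS)), SECONDARY_CONFINEMENT["other"]],
}

if __name__ == "__main__":
    for name, levels in (("plant", PLANT), ("sequence A", SEQ_A), ("sequence B", SEQ_B)):
        total = did_score(levels)
        print(f"{name}: {total:.1f} ({adequacy(total)})")
```

The level 4 average for sequence A is taken over three attributes because rate_coping_time returns None for a non-blackout sequence, which is what footnote 2 of Table 5 calls for. Note that rate_ccfp is applied to the sequence-level judgement (1.0 for sequence A, where core damage leads directly to a large release) and not to the cutset product; conditional_probability only shows the single-cutset form of the "initiating event set to TRUE" calculation that Section 2.5.1 describes for the plant-level conditional core damage probability.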
Table 6
Defense-in-depth mitigation metric (level 5).
Mitigation of Radiological Consequences of Significant Releases of Radioactive Materials (1)
Level 5 Defense-in-Depth Attributes (Weight 20%)

Attribute                                      | High (score 4)      | Medium (score 3)   | Low (score 1)
Large release frequency (per year)             | ≤1E−8               | >1E−8 and ≤1E−6    | >1E−6
Secondary confinement (e.g., reactor building) | Seismic Category I  | Other              | None

(1) The level 5 DID mitigation metric focuses on off-site emergency response.

1. The following shows the plant design scoring for the level 1 prevention DID attributes.
- The frequency of internal initiating events was judged to be medium. The PRA includes a wide range of internal initiating events, from general transients with a frequency of greater than one per module-year to loss of coolant accidents (LOCAs) with frequencies of one in 10,000 years.
- The frequency of external hazards was judged to be medium. This number could go up or down depending on the specific site selected; however, site selection will include consideration of the potential hazards, making a low assessment unlikely. The plant design, moreover, is below grade and the reactor building is Seismic Category I, which will provide protection from many external hazards.
Considering both attributes, the overall plant-based level 1 DID metric score is 3.0 [(3 + 3)/2]; the design is found to incorporate a nominal level of defense for prevention of abnormal operation and system failures.
2. The following shows the plant design scoring for the level 2, control of abnormal operation, DID attributes.
- In the plant design, safety system actuation is passive in addition to being automatic. Therefore, safety system response scores high.
- The nonsafety system response to off-normal conditions scores medium; most nonsafety system response can be performed from the control room.
Considering both attributes, the overall plant score for the level 2, control of abnormal operation, DID metric is 3.5 [(4 + 3)/2]; the design is slightly above the nominal level of DID for level 2.
3. The following shows the plant design scoring for the level 3, control of accidents within the design basis, DID attributes.
- The core damage frequency calculated crediting only safety-related systems is significantly less than 1E−5 per year for internal events. Therefore, safety system core damage frequency scores high.
- The conditional core damage probability calculated from the PRA also results in a high score. This value is calculated using the PRA cutsets and setting the associated initiating event frequencies to certainty (i.e., TRUE).
Considering both level 3 attributes, the overall plant score for the level 3, control of accidents within the design basis, DID metric is 4.0 [(4 + 4)/2]; the design is higher than the nominal level of DID for level 3.
4. The final DID control metric, level 4, considers control of severe plant conditions, including prevention of accident progression and mitigation of the consequences of a severe accident. The following shows the example plant design scoring for the level 4 attributes.
- The conditional containment failure probability is based on the large release frequency being more than an order of magnitude below the core damage frequency for internal and external hazards. For this particular example, assume the result is medium.
- The time to core damage is determined from thermal hydraulic analysis calculations for design-basis and credible beyond-design-basis scenarios. This particular example assumes the result is medium.
- The station blackout (i.e., loss of all AC power) coping time (i.e., the time between an initial loss of AC power and the time at which core heat removal is lost) scores high, since for this design the station blackout coping time is unlimited.
- The containment isolation response scores high; the design includes redundant containment isolation valves that fail closed on a loss of power.
The overall plant score for the level 4, control of severe plant conditions including prevention of accident progression and mitigation of the consequences of a severe accident, DID metric is 3.5 [(3 + 3 + 4 + 4)/4]; the design is higher than the nominal level of DID for level 4.
5. The final DID metric, level 5, considers mitigation of radiological consequences of significant releases of radioactive material. The following shows the plant design scoring for the level 5 attributes.
- The large release frequency scores high: the plant-level large release frequency is well below 1E−8 per year.
- Because the design includes a Seismic Category I reactor building that would contain or scrub most releases, the secondary confinement attribute scores high.
For this example design, the overall plant score for the level 5, mitigation of radiological consequences of significant releases of radioactive material, DID metric is 4.0 [(4 + 4)/2]; that is, the design is found to incorporate a higher than nominal level of DID.
The plant design scored equal to or higher than the nominal level of DID for each of the five levels of DID. Combining all five DID metrics, including weighting, results in an overall plant metric of 3.6 [(3.0 × 20%) + (3.5 × 20%) + (4.0 × 20%) + (3.5 × 20%) + (4.0 × 20%)]; this is significantly higher than the nominal level of DID for an overall plant design. The results show that the level of DID in the small modular reactor design is acceptable in terms of prevention, control, and mitigation of abnormal operation, design-basis events, and severe accidents. This level of DID provides reasonable assurance that the design poses no undue risk to the public health and safety.

2.5.2. Sequence-based example A
This section includes an example evaluation of the adequacy of DID for a specific sequence of the small modular reactor design evaluated in Section 2.5.1. As shown in Table 7, the sequence is initiated by a LOCA in the reactor coolant makeup line for a single reactor module. The LOCA is followed by success of the reactor trip system, success of the decay heat removal system, and success of the emergency core cooling system. However, the sequence leads to core damage and a large release due to a failure to isolate the break, failure of containment isolation, and failure to initiate makeup inventory.

Table 7
Example sequence A.
Makeup Line LOCA Sequence

Description                                                           | Frequency/Probability
LOCA in the normal, primary coolant inventory makeup line             | 3E−4
Common cause failure to close of both isolation valves in makeup line | 5E−5
Excess flow check valve fails to close and isolate LOCA               | 1E−1
Operator fails to initiate backup coolant injection                   | 4E−3
Sequence large release frequency = 6E−12 per module-year.

1. The following shows the makeup line LOCA sequence scoring for the level 1 prevention DID attribute.
- The frequency of the initiating event scores high, since the makeup line LOCA has a frequency much less than 1E−2 per module-year.
- Because the external hazard frequency attribute does not apply to this sequence, the sequence level 1 DID metric is based on a single attribute with a score of 4.0.
2. The following shows the makeup line LOCA sequence scoring for the level 2, control of abnormal operation, DID attributes.
- Safety system response scores high. The decay heat removal system, containment isolation, and emergency core cooling systems are passive, fail-safe systems.
- Nonsafety system plant response scores medium. Backup coolant injection is available via actions from control room operators.
Considering both level 2 attributes, the sequence level 2 DID metric score is 3.5 [(4 + 3)/2].
3. The following shows the makeup line LOCA sequence scoring for the level 3, control of accidents within the design basis, DID attributes.
- The core damage frequency for this sequence using only safety systems scores high; most mitigating systems considered are safety-related.
- The conditional core damage probability scores high; core damage requires failures of both containment isolation valves, the excess flow check valve, and mitigation via backup injection.
Considering that both level 3 attributes are high, the sequence level 3 DID metric score is 4.0.
4. The final DID control metric, level 4, considers control of severe plant conditions, including prevention of accident progression and mitigation of the consequences of a severe accident. The following shows the makeup line LOCA scoring for the level 4 attributes.
- The conditional containment failure probability scores low. Although a large release requires failure of both containment isolation valves and a check valve, the path to core damage already involves failure of both isolation valves; in this case core damage leads directly to a large release and the conditional containment failure probability is 1.0.
- The time to core damage is judged to be medium based on bounding thermal hydraulic calculations.
- The containment isolation response scores high; the design includes redundant containment isolation valves that fail closed on a loss of power.
The sequence level 4 DID metric is based on three attributes and the score is 2.7 [(1 + 3 + 4)/3]; since this is not a station blackout sequence, coping time does not apply.
5. The final DID metric, level 5, considers mitigation of radiological consequences of significant releases of radioactive material. The following shows the makeup line LOCA scoring for the level 5 attributes.
- The large release frequency for this sequence scores high, since it is well below 1E−8 per year.
- Secondary confinement scores high, as the design includes a Seismic Category I reactor building that would contain or scrub most releases.
Considering that both mitigation attributes score high, the level 5 metric score is 4.0.
This sequence scored above the nominal level of DID for four of the five levels of DID. Combining all five DID metrics, including weighting, results in a sequence-based DID score of 3.6 [(4.0 × 20%) + (3.5 × 20%) + (4.0 × 20%) + (2.7 × 20%) + (4.0 × 20%)]. Plant design features result in this sequence providing a higher than adequate level of DID. This is consistent with the extremely low frequency of 6E−12 per module-year for this sequence and provides assurance of the safety of the small modular reactor design.
This type of sequence-based DID evaluation can be used, in part, for evaluating sequences that might be used in establishing the size of plume exposure emergency planning zones.

2.5.3. Sequence-based example B
This section includes an example evaluation of the adequacy of DID for a sequence in a plant design in which safety systems rely on AC power. As shown in Table 8, the sequence is initiated by a loss of offsite power followed by failure of both emergency diesel generators, which results in a station blackout. The sequence progresses to core damage and a large release following failures of decay heat removal, emergency core cooling, and containment isolation.

Table 8
Example sequence B.
Loss of Offsite Power and Station Blackout Sequence

Description                                             | Frequency/Probability
Loss of offsite power                                   | 3E−2
Failure of offsite power recovery                       | 3E−1
Common cause failure of the emergency diesel generators | 6E−3
Failure to control turbine-driven auxiliary feedwater   | 8E−3
Sequence large release frequency = 4E−7 per year.

1. The following shows the loss of offsite power sequence scoring for the level 1 prevention DID attribute.
- The frequency of the initiating event scores medium.
Because the external hazard initiating event frequency attribute does not apply to this sequence, the sequence level 1 DID metric is based on a single attribute with a score of 3.0.
2. The following shows the loss of offsite power sequence scoring for the level 2, control of abnormal operation, DID attributes.
- Safety system response scores medium. Emergency core cooling and containment isolation require AC power.
- Nonsafety system plant response scores low. Any nonsafety mitigating system would require local control.
Considering both level 2 attributes, the sequence level 2 DID metric score is 2.0 [(3 + 1)/2].
3. The following shows the loss of offsite power sequence scoring for the level 3, control of accidents within the design basis, DID attributes.
- The core damage frequency for this sequence using only safety systems scores high.
- The conditional core damage probability scores medium; core damage requires failures of both emergency generators and auxiliary feedwater.
With one level 3 attribute high and one medium, the sequence level 3 DID metric score is 3.5 [(4 + 3)/2].
4. The final DID control metric, level 4, considers control of severe plant conditions, including prevention of accident progression and mitigation of the consequences of a severe accident. The following shows the loss of offsite power sequence scoring for the level 4 attributes.
- The conditional containment failure probability scores low. In this sequence, the loss of all power leads to a failure of containment isolation.
- The time to core damage is judged to be medium.
- The coping time scores low.
- The containment isolation response scores medium; although this design includes redundant containment isolation valves, power is required for closure.
The sequence level 4 DID metric is based on all four attributes and the score is 2.0 [(1 + 3 + 1 + 3)/4].
5. The final DID metric, level 5, considers mitigation of radiological consequences of significant releases of radioactive material. The following shows the loss of offsite power sequence scoring for the level 5 attributes.
- The large release frequency for this sequence scores medium.
- Secondary confinement scores medium, as the design includes a reactor building.
The sequence level 5 mitigation metric score is 3.0 [(3 + 3)/2].
Combining all five DID metrics, including weighting, results in a sequence-based DID score of 2.7 [(3.0 × 20%) + (2.0 × 20%) + (3.5 × 20%) + (2.0 × 20%) + (3.0 × 20%)]. This sequence scored below the nominal level of DID.

3. Conclusions
Consistent with the NRC's policy statement encouraging greater use of PRA to improve safety decision making and improve regulatory efficiency, this paper outlines a more robust approach for assessing DID than what has traditionally been done (i.e., subjective and qualitative evaluation). This method can be used to evaluate individual accident sequences, design changes, and the overall plant design as part of the normal design control process. This DID evaluation method demonstrates one approach to enhance the use of RIPB methods as an integral part of new reactor design development and establishes quantitative metrics that can be applied on a consistent basis and tailored to a specific design. This performance-based method is intended to complement the traditional DID philosophy employed in design development.
As RIPB methods have progressed to the point where the use of PRA can be extended to augment traditional, deterministic nuclear safety design practices, this paper demonstrates a quantitative approach to: (1) establish a DID baseline for a new nuclear power plant design, and (2) serve as a method for evaluating the adequacy of DID for design changes and operational decisions. Evaluations of DID can be conducted throughout the design process as well as in support of design certification and operating license applications. Quantification of DID reduces subjectivity in plant safety assessments, helps to ensure that public and worker risk insights are integrated into the design process holistically, and provides assurance of the safety of new reactor designs.

References
International Atomic Energy Agency, International Nuclear Safety Advisory Group, "Defence in Depth in Nuclear Safety," INSAG-10, Vienna, Austria, 1996.
International Atomic Energy Agency, International Nuclear Safety Advisory Group, "A Framework for an Integrated Risk Informed Decision Making Process," INSAG-25, Vienna, Austria, May 2011.
U.S. Code of Federal Regulations, "General Design Criteria for Nuclear Power Plants," Introduction, Appendix A, Part 50, Title 10, "Energy," 2015 (10 CFR 50 Appendix A).
U.S. Code of Federal Regulations, "Reactor Site Criteria," Part 100, Chapter I, Title 10, "Energy," December 2015 (10 CFR 100).
U.S. Nuclear Regulatory Commission, "Policy Statement on Severe Reactor Accidents Regarding Future Designs and Existing Plants," Policy Statement, Federal Register, Vol. 50, FR 32138, August 8, 1985.
U.S. Nuclear Regulatory Commission, "Policy Statement on the Regulation of Advanced Reactors," Final Policy Statement, Federal Register, Vol. 73, FR 60612, October 14, 2008.
U.S. Nuclear Regulatory Commission, "An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities," Regulatory Guide 1.200, Rev. 2, March 2009.
U.S. Nuclear Regulatory Commission, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," Regulatory Guide 1.174, Rev. 2, May 2011.
U.S. Nuclear Regulatory Commission, "A Proposed Risk Management Regulatory Framework," NUREG-2150, April 2012.
U.S. Nuclear Regulatory Commission, "Probabilistic Risk Assessment and Severe Accident Evaluation for New Reactors," NUREG-0800, Chapter 19, Section 19.0, Draft Rev. 3, November 2014.
U.S. Nuclear Regulatory Commission, "Historical Review and Observations of Defense-in-Depth," NUREG/KM-0009, March 2016.