Investigating the implementation of the safety-diagnosability principle to support defence-in-depth in the nuclear industry: A Fukushima Daiichi accident case study
Peer reviewed, Journal article
‘Defence in depth’ (DID) is a fundamental safety principle applied in several industries, including nuclear. The key is to protect safety-critical systems by employing multiple layers of protection, i.e. barriers. The principle states that one single barrier, regardless of how reliable, is insufficient to ensure acceptable safety performance. Obviously then, as the reliability of the layers is associated with the risk of hazardous events, a main safety management activity should be to monitor barrier conditions and performance. However, as experienced in the past, there could be situations where such monitoring is unsatisfactory, challenging the usefulness of DID. One example, taken from the oil and gas industry, is the 2005 Texas City refinery explosion, where multiple layers of protection failed, resulting in an accident caused by operators with poor situational awareness. Motivated by this assumed weakness, a new principle called the ‘Safety diagnosability principle’ (SDP) has been suggested for use in the oil and gas industry, in combination with the DID principle. The SDP requires that, for DID to function as intended, any degradation of barriers must be diagnosable and reported. The link to DID also makes it relevant to other industries. In this article, we consider the principle for the nuclear industry. The objective of the article is to clarify the benefits, the different ways of implementation, and the potential for using SDP in conjunction with DID in the nuclear industry. To assess the value added, we evaluate the principle against different criteria characterising usefulness. Overall, we find the principle attractive, as the detection and diagnosis of safety-critical events or failures are important for safety management. Having such information strengthens DID. On the other side, it can also be claimed that acquiring such information is already an implicit part of DID. If so, the SDP adds limited value beyond compliance, i.e. making sure the information is acceptable. We conclude that particularly the relevancy, but also the achievability, related to the use of the SDP, do not point in favour of the principle. A discussion of the 2011 Fukushima Daiichi nuclear accident strengthens our conclusions. The case study indicates that the SDP would not have made the outcome very different. However, as a standalone principle, it might be of greater value. Having reliable information about barrier performance is clearly important to safety management.