Transcription
NR Defense-In-Depth BriefAugust 2015
U.S. Naval Nuclear Propulsion Program2
Naval Reactors96 Reactors Operating WorldwideBettis Atomic Power LabNuclear Powered FleetKnolls Atomic Power LabField Offices(170 federal & military)Report Directly to Admiral Regulatory Oversight Immediate identificationof concernsDedicated Laboratories (GOCO) 7,000 employees at four DOE SitesNaval Reactors FacilityNaval Reactors 82 warships ( 16,000 operators) Over 45% of major combatants All submarines and aircraftcarriersShipyards(495 federal and military) Technical authorityy for reactor pplant systemyand component design, development,manufacturing, maintenance, and disposal Dry Storage Program Expended Core Facility Procurement and logistics support fornuclear fleet 4 Public / 2 Private 64,000 employeesSpecialized Industrial BaseKesselring Site Dedicated equipment primecontractor ( 900 employees) Hundreds of suppliers( 9,000 employees)Moored Training Ships2800 studentst i d per yeartrainedR&D / Training ReactorsSchools(480 fed & mil staff) Nuclear PowerSchool NuclearN lFieldFi ld “A”School 2,905 Instructors and Support Staff3
Naval ReactorsHeadquarters OrganizationNRHQ SectionsS ti HSectionHeadsd – AverageAEExperiencei3131.33 yearsPearl HarborGrrotonPortssmouthNNNSYNNSNPugett SoundNNSNUKUYokosukaWMMFOANSSTR - PAMOO - P/SIBBOB C D E F G H I J K M N O P Q R S T U X Y ZNRRLFOADMIRALNR Field RepresentativesAAverageExperienceEi2020.44 yearsSimple, enduring, lean structure DirectorDirector tenure 8 yearsyears, 4-Star4 Star Admiral/Deputy Administrator in NNSA Dual agency structure with direct access to Secretaries of Energy andNavy Small headquarters,q, field activities;; flat organizationalgstructure Streamlines the flow of information Ensures timely information to make the right decision4
Why Defense-In-Depth? Defense-in-depth is needed because of thesignificant consequences of a loss of ship or areactor accident and insufficient assurance that anyone inherent characteristic or plant system is enoughto prevent those consequences.“BecauseBecause things do happen – especially at sea – we rely on a multilayereddefense against off-normal events. Our reactor designs and operatingprocedures are simple and conservative, and we build in redundancy tocompensate for the risks involved and the operating environment. (Forexample,l ththe pressurizedi d watert reactorstare self-regulating:lfl tiththe reactort iisdesigned to protect itself during normal situations or casualty situations.)The systems and components are rugged – they must be able toperform. In certain keyy systems,y, there arewithstand battle shock and still predundant components so that if one is unable to function, the other cantake over.” (Admiral Bowman, 2003)5
What is Defense-In-Depth? Defense-in-depthp is a pphilosophyp y that there besuccessive compensatory measures to avoid anundesired outcome Defense-in-depthD fi d th iis attemptingttti tot compensatet forf thethuncertainties inherent in design/analysis of anyindividual inherent characteristic or plant system, andto provide margin for the unknown. Defense-in-depth applies to design and operations6
Defense-In-Depth Example“WhileWhile most of NR’sNR s technical requirements are classified,classified it canbe observed that they strongly emphasize the defense-in-depthapproach (figure 3.5), where multiple problems and failures wouldhave to occur to reach an actual unsafe condition. In particular,emphasis is placed on providing a design that allows time foroperators to respond (and back each other up in responding) tocasualties in order to re-establish stable and safe pplant conditions.The technical requirements system explicitly requires severaldifferent analyses to show protection of the reactor and the public.This multiplicity in analyses, performed by different groups,provides different perspectives on the safety of design andoperation, thereby reducing the chance that any major weaknessis overlooked.” (NASA-Navy Benchmarking Exchange Report,Vol me II (NavalVolume(Na al NuclearN clear SubmarineS bmarine SafetySafet AssAssurance),rance) 2003)7
Defense-In-Depth ExampleFrom: NASA-Navy Benchmarking Exchange Report, 20038
Focus on Accident Prevention The NNPP focuses on accident prevention as theprincipal means to ensure reactor safety“SomeSo e specificspec c eexamplesa p es oof thee coconservatismse a s in desdesigng whichc Ihave used are: . Placing particular attention on designing,building and operating the plant so as to prevent accidents, andthus avoid undue reliance on the systems and proceduresprovided to cope with accidents which could occuroccur.”” (AdmiralRickover, 1979)“The submarine hull provided a containment capability, but toprotect the crew, the Navy relied on an accident-preventionstrategy .” (NUREG/CR-6042)9
How is Defense-In-DepthImplemented? The long history of the NNPP has resulted in numeroustechnical requirements embodied in standards These standards have specific requirements for both inherentfeatures and pplant systemsythat make casualties unlikelyy to occur,prevent core damage in the unlikely event of a casualty, andprotect the health and safety of the public in the unlikely event ofcore damage. Multiple levels of independent organizations serve asnecessary to reliably achieve these attributes Multiple independent technical reviews All potentially affected stakeholders concur on design or procedureproposals Oversight of operations Includes operational chain of command and external oversight10
Challenges Regarding Defense-InDepth Biggest challenge: recognition that a change in design oroperation affects the pre-existing defense-in-depth andaction is warranted to restore it to its desired level. Continuous attention is required by NNPP leaders toensure the need for defense-in-depth is consideredagainst the inevitable competing objectives such as Cost and schedule The war fighting needs dictated by the mission of the ship.11
How is Adequacy of Defense-InDepth Determined? Adherence to the principles and processes of the NNPPresult in defense-in-depth. These include: Continuous attention to assuring adequacy of defense-in-depth byall NNPP ppersonnel as reinforced byy senior leaders Compliance with the NNPP design and operations principlesdescribed above, including Conservative,, simplep designsgMultiple backup systemsHighly trained operatorsStrict compliancepto operatingpgpproceduresRigorous oversight and self assessmentEmergency preparedness Most important: Culture of safety12
Conclusion – Adm Bowman, 2003“Within my Headquarters organization, there are clear but overlappinglilinesoff responsibilityibilit iin allll aspectst off our bbusiness.iHHere’s’ anexample: if you selected any component in the reactor plant of anuclear-powered warship, I could show you the individual responsiblefor that componentcomponent. But since that component is also part of aparticular system, I could also show you a different person who isresponsible for that overall system. I could then show you a thirdperson responsible for the materials that component is made of, andso on.Having these overlapping areas of responsibility, what we could alsoterm redundant layers, with every player being responsible for safetyin his or her area provides a few key benefits. First, it drives constantinteraction among the staff and allows for several different points ofview to be addressed when makingg decisions. Second, safetyy reviewsare provided from multiple vantage points. Third, technical decisionsare always based on the technical facts, never on cost or schedule.”13
Acronyms and ReferencesAcronyms:NR – Naval ReactorsNRHQ – Naval Reactors HeadquartersNNPP – Naval Nuclear Propulsion ProgramNNSA – National Nuclear Security Administration, part of Department of EnergyReferences:1. Statement of Admiral H. G. Rickover, U. S. Navy, Director, NNPP, Before theSubcommittee on Energy Research and Production of the Committee onScience and Technology, United States House Of Representatives, May 24,19792 Statement2.St tt off AdmiralAd i l F.F L.L “Skip”“Ski ” Bowman,BU.U S.S Navy,NDirector,Di t NNPP,NNPP BBeforefthe Committee on Science, United States House Of Representatives, October29, 20033. NASANASA-NavyNavy Benchmarking Exchange Report, Volume II (Naval NuclearSubmarine Safety Assurance), 20034. NRC training manual “Perspectives on Reactor Safety”, NUREG/CR-604214Revision 2, dated March 2002
Navy Benchmarking Exchange Report, Volume II (Naval Nuclear Submarine Safety Assurance), 2003 4. NRC training manual "Perspectives on Reactor Safety", NUREG/CR-6042 Revision 2, dated March 2002. Title: NAVAL NRC Defense-In-Depth Brief. Created Date:
