Defence in depth, defence in time

Defence in depth is a design philosophy that is applied universally in nuclear reactor design practice. Specific applications differ, of course, as reactor designs are quite different in their needs for protection against various hypothetical events such as sudden closure of turbine shutoff valves, pipe breaks, and accidental control rod ejection. In Canadian design philosophy, for example, each unit incorporates two independent, fully capable and physically diverse shutdown systems to reduce power quickly whenever necessary. There is a fast-acting emergency cooling system that would refill the heat transport circuit in the event of a loss of primary coolant. In addition, the cool moderator water surrounding each fuel channel would remove the decay heat of fission remaining in the fuel, and so prevent fuel melting — as a result, broad dispersion of fission products would not occur. The containment structure features two independent means of sealing the ventilation systems, on receipt of one or more signals. These mechanisms are all kept in a ‘poised’ condition and are initiated by highly reliable detection and actuation chains with redundant components and ‘fail-safe’ design characteristics. An exclusion zone surrounds the plant. In this zone no permanent residence is allowed, so that if radioactive materials were to be released in an accident situation there would be no measurable health damage to humans.

Defence in time is a newer preventive concept, intended specifically to address the need for regular attention to the possibility of sudden or wear-out failures of components and systems in use in an operating nuclear station. The basic idea is to establish a methodology requiring preventive maintenance for each component and system important to safety, at time intervals that depend on the life expectancy of the item. Regular maintenance ensures that these components and systems are ready to perform their function if required during any possible accident. Testing of these systems is conducted on a regular basis; as a result each system is maintained in an essentially ‘as new’ condition for the whole operating life of the plant. Other jurisdictions have established similar formal structures, usually via some form of regulatory requirement; for an example, see USNRC (1991).