Czechs plan to heavily expand nuclear power

Surrounded by corn fields, bicycle routes and a nature reserve, the eight huge cooling towers of the Dukovany nuclear power plant have dominated the Czech countryside near the Austrian border for almost three decades.

Against the odds, the government has worked to keep it that way for many years to come.

Defying growing global skepticism over the use of atomic energy, it is planning to dramatically increase the country’s nuclear power production — a move that would give the country a place among Europe’s most nuclear-dependent nations.

The Czech plan reflects a sharp division over nuclear use among European nations, and relations with neighboring countries that have decided to go nuclear free could be seriously harmed.

German Chancellor Angela Merkel’s government decided to phase out nuclear energy by 2022 following the March meltdown at Japan’s Fukushima plant, and Switzerland has followed suit. Austria abandoned nuclear energy after the 1986 Chernobyl nuclear disaster and strictly opposes the Czech nuclear program.

Other former Soviet bloc nations, now in the EU, are following the Czechs’ lead on nuclear power — reflecting diverging economic needs between east and west.

Slovakia is currently building more nuclear facilities. And Poland has engaged in talks with French, U.S. and Japanese firms about know-how and technology for its first nuclear installation to be completed by 2030.

The Czechs argue nuclear energy is needed because it is a clean and cost-efficient source.

They currently rely on six nuclear reactors — four 440-megawatt reactors in Dukovany and two 1,000-megawatt reactors at another plant in Temelin located an hour’s drive north of the Austrian border — for 33 percent of their total electricity. The government hopes to at least double that output.

“We consider increasing electricity production in nuclear plants from some 30 percent to about 60 percent by 2050,” Deputy Industry and Trade Minister Tomas Huner told the Associated Press.

“We have been mining uranium and there’s no doubt nuclear energy is irreplaceable for us in the long term,” said Huner, whose ministry has to present the new energy overhaul for the next 50 years to the government by year’s end.

A trio of big players — U.S.-based Westinghouse Electric Co., a subsidiary of Japan’s Toshiba Corp., France’s state-owned nuclear engineering giant Areva SA and a consortium led by Russia’s Atomstroyexport — are already bidding to win a lucrative multibillion tender to build two more reactors at the Temelin plant. The reactors are expected to be operational in the middle of the next decade.

The plant has been heavily protested by Austrian environmentalists who demand it be closed because of security concerns. Czech authorities insist both plants are safe and will have no problems passing so-called nuclear reactor stress tests currently being conducted across Europe after the Japanese disaster.

Opened a year before the Chernobyl disaster, Dukovany’s life was expected to expire in some 30 years. Germany is closing plants of the same age — but the Czechs refuse to do that despite international pressure.


IAEA: Fukushima starts thyroid tests

Experts from the International Atomic Energy Agency arrived in the Japanese city of Fukushima on Sunday to observe the massive decontamination effort following the world's worst nuclear disaster since Chernobyl.

Local doctors also began a long-term survey of children for thyroid abnormalities, a problem associated with radiation exposure. Officials hope to test some 360,000 people who were under the age of 18 when the nuclear crisis began in March, and then provide follow-ups throughout their lifetimes.

The 12-member IAEA group was to visit farms, schools and government offices throughout Fukushima prefecture in northeastern Japan to observe the cleanup process. It is the U.N. atomic agency's second major mission to Japan since the crisis at Fukushima's Dai-ichi nuclear power plant began.

Nearly 20,000 people were killed when the earthquake and tsunami hit Japan on March 11, and the disaster severely damaged the Fukushima complex. Officials say the plant is now relatively stable, but tens of thousands of people still cannot -- or choose not to -- return to their homes because of the radioactive contamination.

No one has died from radiation in the nuclear crisis, but concerns remain high over how the lingering contamination will impact the safety of Fukushima's children.

The thyroid testing program is intended to allay those fears and build a database that might help deal with future disasters. On its opening day Sunday, more than 100 children, whose thyroid glands are more susceptible to radioactive iodine than adults, were checked.

The results were not made public, but officials have said that if any abnormalities are discovered, the children -- to be tested every two years until age 20, and then every five years after that -- will be provided with further care.

More than 6,000 cases of thyroid cancer have been detected in people who were children or adolescents when exposed to high levels of radioactive fallout in the period immediately after the 1986 Chernobyl disaster.

A 12-mile (20-kilometer) no-go zone remains in effect around the Fukushima nuclear plant. Japan recently lifted other advisories that warned residents just outside of that zone to be prepared to evacuate at any time, a move largely aimed at reassuring evacuees that it is safe to return.

To further bring down contamination levels, towns outside of the no-go zone have begun washing down public areas and removing the top soil in parks and schoolyards.

The task is a daunting one because the nuclear accident spread radiation unevenly over a broad swath of Fukushima, leaving some areas near the plant relatively safe, while creating dangerous hotspots farther away.

Japan's government has acknowledged that the effort could take years. According to a report Sunday in the Asahi, a major newspaper, officials are aiming to complete the decontamination outside of the exclusion zone by the end of March 2014.


Examples of reactors using passive safety features

Three Mile Island Unit 2 was unable to contain about 480 PBq of radioactive noble gases from release into the environment and around 120 kL of radioactive contaminated cooling water from release beyond the containment into a neighbouring building. The pilot-operated relief valve at TMI-2 was designed to shut automatically after relieving excessive pressure inside the reactor into a quench tank. However, the valve mechanically failed, causing the PORV quench tank to fill and the relief diaphragm to eventually rupture into the containment building. The containment building sump pumps automatically pumped the contaminated water outside the containment building. Both a working PORV with quench tank and separately the containment building with sump provided two layers of passive safety. An unreliable PORV negated its designed passive safety. The plant design featured only a single open/close indicator for the PORV rather than separate open and close indicators. This rendered the mechanical reliability of the PORV indeterminate directly, and therefore its passive safety status indeterminate. The automatic sump pumps and/or insufficient containment sump capacity negated the containment building designed passive safety.

The notorious RBMK graphite moderated, water cooled reactors of Chernobyl Power Plant disaster were designed with a positive void coefficient with boron control rods on electromagnetic grapples for reaction speed control. To the degree that the control systems were reliable, this design did have a corresponding degree of active inherent safety. The reactor was unsafe at low power levels because erroneous control rod movement would have a counter-intuitively magnified effect. Chernobyl Reactor 4 was built instead with manual crane driven boron control rods that were tipped with the moderator substance, graphite, a neutron reflector. It was designed with an Emergency Core Cooling System (ECCS) that depended on either grid power or the backup Diesel generator to be operating. The ECCS safety component was decidedly not passive. The design featured a partial containment consisting of a concrete slab above and below the reactor - with pipes and rods penetrating, an inert gas filled metal vessel to keep oxygen away from the water cooled hot graphite, a fire-proof roof, and the pipes below the vessel sealed in secondary water filled boxes. The roof, metal vessel, concrete slabs and water boxes are examples of passive safety components. The roof in the Chernobyl Power Plant complex was made of bitumen - against design - rendering it ignitable. Unlike the Three Mile Island accident, neither the concrete slabs nor the metal vessel could contain a steam, graphite and oxygen driven hydrogen explosion. The water boxes could not sustain high pressure failure of the pipes. The passive safety components as designed were inadequate to fulfil the safety requirements of the system.

The General Electric Company ESBWR (Economic Simplified Boiling Water Reactor, a BWR) is a design reported to use passive safety components. In the event of coolant loss, no operator action is required for three days.

The Westinghouse Electric Company AP-1000 ("AP" standing for "Advanced Passive") is a design reported to use passive safety components. In the event of an accident, no operator action is required for 72 hours.

The integral fast reactor was a fast breeder reactor run by the Argonne National Laboratory. It was a sodium cooled reactor capable of withstanding a loss of (coolant) flow without SCRAM and loss of heatsink without SCRAM. This was demonstrated throughout a series of safety tests in which the reactor successfully shut down without operator intervention. The project was canceled due to proliferation concerns before it could be copied elsewhere.

The Molten-Salt Reactor Experiment was a molten salt reactor run by the Oak Ridge National Laboratory. It was a fluoride salt cooled reactor in which the fuel molecules function also as a molten fluoride salt coolant. It featured thermochemical freeze valves in which the molten salt was actively cooled to freezing point by air in flattened sections of the Hastelloy-N salt piping to block flow. If the reactor vessel developed excessive heat or if electric power was lost to the air cooling, then the fuel and coolant could thermochemically penetrate the valve into drain tanks away from the neutron reflector, becoming sub-critical en route for passive or active water cooling. During testing, it was observed that about 6–10% of the calculated 54 Ci/day (2.0 TBq/day) production of tritium diffused out of the fuel system into the containment cell atmosphere and another 6–10% reached the air through the heat removal system. Inhalation of 70 GBq of tritium is equivalent to an adult human dose of 3 Sv in which 50% of cases would be expected to die within 30 days. The fluoride salt molecular bond passive safety component failed to prevent tritium production from fission thus presenting a proliferation risk. The fluoride salt molecular bonds did not prevent tritium from leaking into the containment.

The fleet of BWRs and PWRs operating within the last 10 years in the United States have reported on 42 occasions a quarterly average daily tritium emission level of more than 22 mCi/day (70 GBq/day) from a power plant. During the first quarter of 2001 Palo Verde Unit 1 released on average 9 Ci/day (333 GBq/day) tritium gas. The passive safety component of water as neutron moderator failed to prevent excessive tritium gas (hydrogen with 2 neutrons) from being released from the plant as gas for dilution with air rather than water diluted tritiated water. Inhalation of tritium is absorbed at almost twice the rate as ingested tritium.

Examples of passive safety in operation

Traditional reactor safety systems are active in the sense that they involve electrical or mechanical operation on command systems (e.g., high-pressure water pumps). But some engineered reactor systems operate entirely passively, e.g., using pressure relief valves to manage overpressure. Parallel redundant systems are still required. Combined inherent and passive safety depends only on physical phenomena such as pressure differentials, convection, gravity or the natural response of materials to high temperatures to slow or shut down the reaction, not on the functioning of engineered components such as high-pressure water pumps.

Current pressurized water reactors and boiling water reactors are systems that have been designed with one kind of passive safety feature. In the event of an excessive-power condition, as the water in the nuclear reactor core boils, pockets of steam are formed. These steam voids moderate fewer neutrons, causing the power level inside the reactor to lower. The BORAX experiments and the SL-1 meltdown accident proved this principle.

A reactor design whose inherently safe process directly provides a passive safety component during a specific failure condition in all operational modes is typically described as relatively fail-safe to that failure condition. However, most current water cooled and moderated reactors, when scrammed, cannot remove residual production and decay heat without either process heat transfer or the active cooling system. In other words, whilst the inherently safe heat transfer process provides a passive safety component preventing excessive heat in operational mode "On", the same inherently safe heat transfer process does not provide a passive safety component in operational mode "Off (SCRAM)". The Three Mile Island accident exposed this design deficiency: the reactor and steam generator were "Off" but with loss of coolant it still suffered a partial meltdown.

Third generation designs improve on early designs by incorporating passive or inherent safety features which require no active controls or (human) operational intervention to avoid accidents in the event of malfunction, and may rely on pressure differentials, gravity, natural convection, or the natural response of materials to high temperatures.

In some designs the core of a fast breeder reactor is immersed into a pool of liquid metal. If the reactor overheats, thermal expansion of the metallic fuel and cladding causes more neutrons to escape the core, and the nuclear chain reaction can no longer be sustained. The large mass of liquid metal also acts as a heatsink capable of absorbing the decay heat from the core, even if the normal cooling systems would fail.

The pebble bed reactor is an example of a reactor exhibiting an inherently safe process that is also capable of providing a passive safety component for all operational modes. As the temperature of the fuel rises, Doppler broadening increases the probability that neutrons are captured by U-238 atoms. This reduces the chance that the neutrons are captured by U-235 atoms and initiate fission, thus reducing the reactor's power output and placing an inherent upper limit on the temperature of the fuel. The geometry and design of the fuel pebbles provides an important passive safety component.

Single fluid fluoride molten salt reactors feature fissile, fertile and actinide radioisotopes in molecular bonds with the fluoride coolant. The molecular bonds provide a passive safety feature in that a loss-of-coolant event corresponds with a loss-of-fuel event. The molten fluoride fuel can not itself reach criticality but only reaches criticality by the addition of a neutron reflector such as pyrolytic graphite. The higher density of the fuel along with additional lower density FLiBe fluoride coolant without fuel provides a flotation layer passive safety component in which lower density graphite that breaks off control rods or an immersion matrix during mechanical failure does not induce criticality. Gravity driven drainage of reactor liquids provides a passive safety component.

Some reactors such as the liquid metal and molten salt variants use Thorium-232 fuel which is more abundant in nature than Uranium isotopes and requires no enrichment. The difficulty of enrichment in the Uranium fuel cycle provides a passive safety component against nuclear proliferation. Neutron capture of Thorium-232 breeds both the fissile Uranium-233 and trace amounts of Uranium-232 by neutron knock-off. Neutron cross-section and decay products of Uranium-232 complicate designs and damage electronics if built into nuclear weapons, although Operation Teapot demonstrated its plausibility. Isolation of Uranium-233 from Uranium-232 is not currently believed possible providing a partial passive safety component against nuclear proliferation.

Low power pool-type reactors such as the SLOWPOKE and TRIGA have been licensed for unattended operation in research environments because as the temperature of the low-enriched (19.75% U-235) uranium alloy hydride fuel rises, the molecular bound hydrogen in the fuel causes the heat to be transferred to the fission neutrons as they are ejected. This Doppler shifting or spectrum hardening dissipates heat from the fuel more rapidly throughout the pool the higher the fuel temperature increases, ensuring rapid cooling of fuel whilst maintaining a much lower water temperature than the fuel. Prompt, self-dispersing, high efficiency hydrogen-neutron heat transfer rather than inefficient radionuclide-water heat transfer ensures the fuel cannot melt through accident alone. In uranium-zirconium alloy hydride variants, the fuel itself is also chemically corrosion resistant, ensuring a sustainable safety performance of the fuel molecules throughout their lifetime. A large expanse of water and the concrete surround provided by the pool for high energy neutrons to penetrate ensures the process has a high degree of intrinsic safety. The core is visible through the pool and verification measurements can be made directly on the core fuel elements, facilitating total surveillance and providing nuclear non-proliferation safety. Both the fuel molecules themselves and the open expanse of the pool are passive safety components. Quality implementations of these designs are arguably the safest nuclear reactors.

Passive Nuclear Safety

Passive nuclear safety is a safety feature of a nuclear reactor that does not require operator actions or electronic feedback in order to shut down safely in the event of a particular type of emergency (usually overheating resulting from a loss of coolant or loss of coolant flow). Such reactors tend to rely more on the engineering of components such that their predicted behaviour according to known laws of physics would slow, rather than accelerate, the nuclear reaction in such circumstances. This is in contrast to some older reactor designs, where the natural tendency for the reaction was to accelerate rapidly from increased temperatures, such that either electronic feedback or operator triggered intervention was necessary to prevent damage to the reactor.

Terming a reactor 'passively safe' is more a description of the strategy used in maintaining a degree of safety, than it is a description of the level of safety. Whether a reactor employing passive safety systems is to be considered safe or dangerous will depend on the criteria used to evaluate the safety level. This said, modern reactor designs have focused on increasing the amount of passive safety, and thus most passively-safe designs incorporate both active and passive safety systems, making them substantially safer than older installations. They can be said to be "relatively safe" compared to previous designs.

Reactor vendors like to call their new generation reactors 'passively safe' but this term is sometimes confused with 'inherently safe' in the public perception. It is very important to understand that there are no 'passively safe' reactors or 'passively safe' systems, only 'passively safe' components of safety systems exist. Safety systems are used to maintain control of the plant if it goes outside normal conditions in case of anticipated operational occurrences or accidents, while the control systems are used to operate the plant under normal conditions. Sometimes a system combines both features. Passive safety refers to safety system components, whereas inherent safety refers to control system process regardless of the presence or absence of safety specific subsystems.

As an example of a safety system with 'passively safe' components, let us consider the containment of a nuclear reactor. 'Passively safe' components are the concrete walls and the steel liner, but in order to fulfil its mission active systems have to operate, e.g. valves to ensure the closure of the piping leading outside the containment, feedback of reactor status to external instrumentation and control (I&C) both of which may require external power to function.

The International Atomic Energy Agency (IAEA) classifies the degree of "passive safety" of components from category A to D depending on what the system does not make use of:

  1. no moving working fluid
  2. no moving mechanical part
  3. no signal inputs of 'intelligence'
  4. no external power input or forces

In category A (1+2+3+4) is the fuel cladding using none of these: It is always closed and keeps the fuel and the fission products inside and is not open before arriving at the reprocessing plant. In category B (2+3+4) is the surge line, which connects the hot leg with the pressurizer and helps to control the pressure in the primary loop of a PWR and uses a moving working fluid when fulfilling its mission. In category C (3+4) is the accumulator, which does not need signal input of 'intelligence' or external power. Once the pressure in the primary circuit drops below the set point of the spring loaded accumulator valves, the valves open and water is injected into the primary circuit by compressed nitrogen. In category D (4 only) is the SCRAM which utilizes moving working fluids, moving mechanical parts and signal inputs of 'intelligence' but not external power or forces: the control rods drop driven by gravity once they have been released from their magnetic clamp. But nuclear safety engineering is never that simple: Once released the rod may not fulfil its mission: It may get stuck due to earthquake conditions or due to deformed core structures. This shows that though it is a passively safe system and has been properly actuated, it may not fulfil its mission. Nuclear engineers have taken this into consideration: Typically only a part of the rods dropped are necessary to shut down the reactor. Samples of safety systems with passive safety components can be found in almost all nuclear power stations: the containment, hydro-accumulators in PWRs or pressure suppression systems in BWRs.

In most texts on 'passively safe' components in next generation reactors, the key issue is that no pumps are needed to fulfil the mission of a safety system and that all active components (generally I&C and valves) of the systems work with the electric power from batteries.

IAEA explicitly uses the following caveat:

... passivity is not synonymous with reliability or availability, even less with assured adequacy of the safety feature, though several factors potentially adverse to performance can be more easily counteracted through passive design (public perception). On the other hand active designs employing variable controls permit much more precise accomplishment of safety functions; this may be particularly desirable under accident management conditions.

Nuclear reactor response properties such as Temperature coefficient of reactivity and Void coefficient of reactivity usually refer to the thermodynamic and phase-change response of the neutron moderator heat transfer process respectively. Reactors whose heat transfer process has the operational property of a negative void coefficient of reactivity are said to possess an inherent safety process feature. An operational failure mode could potentially alter the process to render such a reactor unsafe.

Reactors could be fitted with a hydraulic safety system component that increases the inflow pressure of coolant (esp. water) in response to increased outflow pressure of the moderator and coolant without control system intervention. Such reactors would be described as fitted with such a passive safety component that could - if so designed - render in a reactor a negative void coefficient of reactivity, regardless of the operational property of the reactor in which it is fitted. The feature would only work if it responded faster than an emerging (steam) void and the reactor components could sustain the increased coolant pressure. A reactor fitted with both safety features - if designed to constructively interact - is an example of a safety interlock. Rarer operational failure modes could render both such safety features useless and detract from the overall relative safety of the reactor.

Nuclear Criticality Safety

Nuclear criticality safety is a field of nuclear engineering dedicated to the prevention of nuclear and radiation accidents resulting from an inadvertent, self-sustaining nuclear chain reaction. Additionally, nuclear criticality safety is concerned with mitigating the consequences of a nuclear criticality accident. A nuclear criticality accident occurs from operations that involve fissile material and results in a tremendous and potentially lethal release of radiation. Nuclear criticality safety practitioners attempt to minimize the probability of a nuclear criticality accident by analyzing normal and abnormal fissile material operations and providing controls on the processing of fissile materials. A common practice is to apply a double contingency analysis to the operation in which two or more independent, concurrent and unlikely changes in process conditions must occur before a nuclear criticality accident can occur. For example, the first change in conditions may be complete or partial flooding and the second change a re-arrangement of the fissile material. Controls (requirements) on process parameters (e.g., fissile material mass, equipment) result from this analysis. These controls, either passive (physical), active (mechanical), or administrative (human), are implemented by inherently safe or fault-tolerant plant designs, or, if such designs are not practicable, by administrative controls such as operating procedures, job instructions and other means to minimize the potential for significant process changes that could lead to a nuclear criticality accident.

Seven factors influence a criticality system.

  1. Geometry or shape of the fissile material: If neutrons escape (leak from) the fissile system they are not available to interact with the fissile material to cause a fission event. Therefore the shape of the fissile material affects the probability of occurrence of fission events. A large surface area such as a thin slab has lots of leakage and is safer than the same amount of fissile material in a small, compact shape such as a cube or a sphere.
  2. Interaction of units: Neutrons leaking from one unit can enter another. Two units, which by themselves are sub-critical, could interact with each other to form a critical system. The distance separating the units and any material between them influences the effect.
  3. Reflection: When neutrons collide with other atomic particles (primarily nuclei) and are not absorbed, they change direction. If the change in direction is large enough, the neutron may travel back into the system, increasing the likelihood of interaction (fission). This is called ‘reflection’. Good reflectors include hydrogen, beryllium, carbon, lead, uranium, water, polyethylene, concrete, Tungsten carbide and steel.
  4. Moderation: Neutrons resulting from fission are typically fast (high energy). These fast neutrons do not cause fission as readily as slower (less energetic) ones. Neutrons are slowed down (moderated) by collision with atomic nuclei. The most effective moderating nuclei are hydrogen, deuterium, beryllium and carbon. Hence hydrogenous materials including oil, polyethylene, water, wood, paraffin, and the human body are good moderators. Note that moderation comes from collisions; therefore most moderators are also good reflectors.
  5. Absorption: Absorption removes neutrons from the system. Large amounts of absorbers are used to control or reduce the probability of a criticality. Good absorbers are boron, cadmium, gadolinium, silver, and indium.
  6. Enrichment: The probability of a neutron reacting with a fissile nucleus is influenced by the relative numbers of fissile and non-fissile nuclei in a system. The process of increasing the relative number of fissile nuclei in a system is called enrichment. Typically, low enrichment means less likelihood of a criticality and high enrichment means a greater likelihood.
  7. Mass: The probability of fission increases as the total number of fissile nuclei increases. The relationship is not linear. There is a threshold below which criticality can not occur. This threshold is called the critical mass.

To determine whether a system containing fissile material is safe, calculations are performed using computer programmes. The analyst describes the geometry of the system and the materials, usually with conservative or pessimistic assumptions. The density and size of any neutron absorbers is minimised while the amount of fissile material is maximised. As some moderators are also absorbers, the analyst must be careful when modelling these to be pessimistic. Computer programmes allow analysts to describe a three dimensional system with boundary conditions. These boundary conditions can represent real boundaries such as concrete walls or the surface of a pond, or can be used to represent an artificial infinite system using a periodic boundary condition. These are useful when representing a large system consisting of many repeated units.

Computer codes used for criticality safety analyses include MONK (UK), KENO (USA), MCNP (USA) and CRISTAL (France).

Traditional criticality analyses assume that the fissile material is in its most reactive condition, which is usually at maximum enrichment, with no irradiation. For spent nuclear fuel storage and transport, burnup credit may be used to allow fuel to be more closely packed, reducing space and allowing more fuel to be handled safely. In order to implement burnup credit, fuel is modeled as irradiated using pessimistic conditions which produce an isotopic composition representative of all irradiated fuel. Fuel irradiation produces actinides consisting of both neutron absorbers and fissionable isotopes as well as fission products which absorb neutrons.

In fuel storage pools using burnup credit, separate regions are designed for storage of fresh and irradiated fuel. In order to store fuel in the irradiated fuel store, it must satisfy a loading curve which is dependent on initial enrichment and irradiation.

Advanced Nuclear Reactors Technology

More than a dozen advanced reactor designs are in various stages of development. Some are evolutionary from the PWR, BWR and PHWR designs above, some are more radical departures. The former include the Advanced Boiling Water Reactor (ABWR), two of which are now operating with others under construction, and the planned passively safe ESBWR and AP1000 units (see Nuclear Power 2010 Program).

  • The Integral Fast Reactor (IFR) was built, tested and evaluated during the 1980s and then retired under the Clinton administration in the 1990s due to nuclear non-proliferation policies of the administration. Recycling spent fuel is the core of its design and it therefore produces only a fraction of the waste of current reactors.
  • The Pebble Bed Reactor, a High Temperature Gas Cooled Reactor (HTGCR), is designed so high temperatures reduce power output by Doppler broadening of the fuel's neutron cross-section. It uses ceramic fuels so its safe operating temperatures exceed the power-reduction temperature range. Most designs are cooled by inert helium. Helium is not subject to steam explosions, resists neutron absorption leading to radioactivity, and does not dissolve contaminants that can become radioactive. Typical designs have more layers (up to 7) of passive containment than light water reactors (usually 3). A unique feature that may aid safety is that the fuel-balls actually form the core's mechanism, and are replaced one-by-one as they age. The design of the fuel makes fuel reprocessing expensive.
  • The Small Sealed Transportable Autonomous Reactor (SSTAR) is being primarily researched and developed in the US, intended as a fast breeder reactor that is passively safe and could be remotely shut down in case the suspicion arises that it is being tampered with.
  • The Clean And Environmentally Safe Advanced Reactor (CAESAR) is a nuclear reactor concept that uses steam as a moderator — this design is still in development.
  • The Hydrogen Moderated Self-regulating Nuclear Power Module (HPM) is a reactor design emanating from the Los Alamos National Laboratory that uses uranium hydride as fuel.
  • Subcritical reactors are designed to be safer and more stable, but pose a number of engineering and economic difficulties. One example is the Energy amplifier.
  • Thorium based reactors. It is possible to convert Thorium-232 into U-233 in reactors specially designed for the purpose. In this way, thorium, which is more plentiful than uranium, can be used to breed U-233 nuclear fuel. U-233 is also believed to have favourable nuclear properties as compared to traditionally used U-235, including better neutron economy and lower production of long lived transuranic waste.
    • Advanced Heavy Water Reactor (AHWR) — A proposed heavy water moderated nuclear power reactor that will be the next generation design of the PHWR type. Under development in the Bhabha Atomic Research Centre (BARC), India.
    • KAMINI — A unique reactor using Uranium-233 isotope for fuel. Built in India by BARC and Indira Gandhi Center for Atomic Research (IGCAR).
    • India is also planning to build fast breeder reactors using the thorium – Uranium-233 fuel cycle. The FBTR (Fast Breeder Test Reactor) in operation at Kalpakkam (India) uses Plutonium as a fuel and liquid sodium as a coolant.

Generation 2 Nuclear Reactor

A generation 2 nuclear reactor is a design classification for a nuclear reactor, and refers to the class of commercial reactors built up to the end of the 1990s. Prototypical generation II reactors include the PWR, CANDU, BWR, AGR, and VVER.

These are contrasted to generation I reactors, which refer to the early prototype and power reactors, such as Shippingport, Magnox, Fermi 1, and Dresden. The nomenclature for reactor designs, describing four 'generations', was proposed by the US Department of Energy when it introduced the concept of generation IV reactors.

The designation generation II+ reactor is sometimes used for modernised generation II designs built post-2000, such as the Chinese CPR-1000, in competition with more expensive generation III reactor designs. Typically the modernisation includes improved safety systems and a 60 year design life.

Generation II reactor designs generally had an original design life of 30 or 40 years. However, many generation II reactors are being life-extended to 50 or 60 years, and a second life-extension to 80 years may also be economic in many cases.

Advantages and disadvantages of Gen IV

Relative to current nuclear power plant technology, the claimed benefits for 4th generation reactors include:

  • Nuclear waste that lasts a few centuries instead of millennia
  • 100-300 times more energy yield from the same amount of nuclear fuel
  • The ability to consume existing nuclear waste in the production of electricity
  • Improved operating safety

One disadvantage of any new reactor technology is that safety risks may be greater initially as reactor operators have little experience with the new design. Nuclear engineer David Lochbaum has explained that almost all serious nuclear accidents have occurred with what was at the time the most recent technology. He argues that "the problem with new reactors and accidents is twofold: scenarios arise that are impossible to plan for in simulations; and humans make mistakes". As one director of a U.S. research laboratory put it, "fabrication, construction, operation, and maintenance of new reactors will face a steep learning curve: advanced technologies will have a heightened risk of accidents and mistakes. The technology may be proven, but people are not".

Generation 4 Nuclear Reactor

Generation 4 Nuclear Reactors (Gen IV) are a set of theoretical nuclear reactor designs currently being researched. Most of these designs are generally not expected to be available for commercial construction before 2030, with the exception of a version of the Very High Temperature Reactor (VHTR) called the Next Generation Nuclear Plant (NGNP). The NGNP is to be completed by 2021. Current reactors in operation around the world are generally considered second- or third-generation systems, with most of the first-generation systems having been retired some time ago. Research into these reactor types was officially started by the Generation IV International Forum (GIF) based on eight technology goals, including to improve nuclear safety, improve proliferation resistance, minimize waste and natural resource utilization, and decrease the cost to build and run such plants.

The reactors are intended for use in nuclear power plants to produce nuclear power from nuclear fuel.

Reactor types

Many reactor types were considered initially; however, the list was downsized to focus on the most promising technologies and those that could most likely meet the goals of the Gen IV initiative. Three systems are nominally thermal reactors and three are fast reactors. The VHTR is also being researched for potentially providing high quality process heat for hydrogen production. The fast reactors offer the possibility of burning actinides to further reduce waste and of being able to breed more fuel than they consume. These systems offer significant advances in sustainability, safety and reliability, economics, proliferation resistance and physical protection.

Thermal reactors

Very-high-temperature reactor (VHTR)

The very high temperature reactor concept uses a graphite-moderated core with a once-through uranium fuel cycle, using helium or molten salt as the coolant. This reactor design envisions an outlet temperature of 1,000 °C. The reactor core can be either a prismatic-block or a pebble bed reactor design. The high temperatures enable applications such as process heat or hydrogen production via the thermochemical iodine-sulfur process. It would also be passively safe.

The planned construction of the first VHTR, the South African PBMR (pebble bed modular reactor), lost government funding in February 2010. A pronounced increase of costs and concerns about possible unexpected technical problems had discouraged potential investors and customers.

Supercritical-water-cooled reactor (SCWR)

The supercritical water reactor (SCWR) is a concept that uses supercritical water as the working fluid. SCWRs are basically light water reactors (LWR) operating at higher pressure and temperatures with a direct, once-through cycle. As most commonly envisioned, it would operate on a direct cycle, much like a Boiling Water Reactor (BWR), but since it uses supercritical water (not to be confused with critical mass) as the working fluid, would have only one phase present, like the Pressurized Water Reactor (PWR). It could operate at much higher temperatures than both current PWRs and BWRs.

Supercritical water-cooled reactors (SCWRs) are promising advanced nuclear systems because of their high thermal efficiency (i.e., about 45% vs. about 33% efficiency for current LWRs) and considerable plant simplification.

The main mission of the SCWR is generation of low-cost electricity. It is built upon two proven technologies, LWRs, which are the most commonly deployed power generating reactors in the world, and supercritical fossil fuel fired boilers, a large number of which are also in use around the world. The SCWR concept is being investigated by 32 organizations in 13 countries.

Molten-salt reactor (MSR)

A molten salt reactor is a type of nuclear reactor where the coolant is a molten salt. There have been many designs put forward for this type of reactor and a few prototypes built. The early concepts and many current ones rely on nuclear fuel dissolved in the molten fluoride salt as uranium tetrafluoride (UF4) or thorium tetrafluoride (ThF4); the fluid would reach criticality by flowing into a graphite core which would also serve as the moderator. Many current concepts rely on fuel that is dispersed in a graphite matrix with the molten salt providing low pressure, high temperature cooling.

Fast reactors

Gas-cooled fast reactor (GFR)

The gas-cooled fast reactor (GFR) system features a fast-neutron spectrum and closed fuel cycle for efficient conversion of fertile uranium and management of actinides. The reactor is helium-cooled, with an outlet temperature of 850 °C and using a direct Brayton cycle gas turbine for high thermal efficiency. Several fuel forms are being considered for their potential to operate at very high temperatures and to ensure an excellent retention of fission products: composite ceramic fuel, advanced fuel particles, or ceramic clad elements of actinide compounds. Core configurations are being considered based on pin- or plate-based fuel assemblies or prismatic blocks.

Sodium-cooled fast reactor (SFR)

The SFR is a project that builds on two closely related existing projects, the liquid metal fast breeder reactor and the Integral Fast Reactor.

The goals are to increase the efficiency of uranium usage by breeding plutonium and eliminating the need for transuranic isotopes ever to leave the site. The reactor design uses an unmoderated core running on fast neutrons, designed to allow any transuranic isotope to be consumed (and in some cases used as fuel). In addition to the benefits of removing the long half-life transuranics from the waste cycle, the SFR fuel expands when the reactor overheats, and the chain reaction automatically slows down. In this manner, it is passively safe.

The Integral Fast Reactor or IFR is a design for a nuclear reactor with a specialized nuclear fuel cycle. A prototype of the reactor was built, but the project was cancelled before it could be copied elsewhere.

The SFR reactor concept is cooled by liquid sodium and fueled by a metallic alloy of uranium and plutonium. The fuel is contained in steel cladding with liquid sodium filling in the space between the clad elements which make up the fuel assembly. One of the design challenges of an SFR is the risk of handling sodium, which reacts explosively if it comes into contact with water. However, the use of liquid metal instead of water as coolant allows the system to work at atmospheric pressure, reducing the risk of leakage.

Lead-cooled fast reactor (LFR)

The lead-cooled fast reactor features a fast-neutron-spectrum lead or lead/bismuth eutectic (LBE) liquid-metal-cooled reactor with a closed fuel cycle. Options include a range of plant ratings, including a "battery" of 50 to 150 MW of electricity that features a very long refueling interval, a modular system rated at 300 to 400 MW, and a large monolithic plant option at 1,200 MW. (The term battery refers to the long-life, factory-fabricated core, not to any provision for electrochemical energy conversion.) The fuel is metal or nitride-based containing fertile uranium and transuranics. The LFR is cooled by natural convection with a reactor outlet coolant temperature of 550 °C, possibly ranging up to 800 °C with advanced materials. The higher temperature enables the production of hydrogen by thermochemical processes.

Generation III Nuclear Reactor

A generation III nuclear reactor is a development of any of the generation II nuclear reactor designs incorporating evolutionary improvements in design developed during the lifetime of the generation II reactor designs. These include improved fuel technology, superior thermal efficiency, passive safety systems and standardized design for reduced maintenance and capital costs.

Improvements in reactor technology result in a longer operational life (60 years of operation, extendable to 120+ years of operation prior to complete overhaul and reactor pressure vessel replacement) compared with currently used generation II reactors (designed for 40 years of operation, extendable to 80+ years of operation prior to complete overhaul and RPV replacement). Furthermore, core damage frequencies for these reactors are lower than for Generation II reactors — 60 core damage events per 1000 million reactor–year for the EPR; 3 core damage events per 1000 million reactor–year for the ESBWR — significantly lower than the 10,000 core damage events per 1000 million reactor–year for BWR/4 generation II reactors.

The first generation III reactors were built in Japan, while several others have been approved for construction in Europe. A Westinghouse AP1000 reactor is scheduled to become operational in Sanmen, China in 2013.

Generation III reactors

  • Advanced Boiling Water Reactor (ABWR) — A GE design that first went online in Japan in 1996.
  • Advanced Pressurized Water Reactor (APWR) — developed by Mitsubishi Heavy Industries.
  • Enhanced CANDU 6 (EC6) — developed by Atomic Energy of Canada Limited.
  • VVER-1000/392 (PWR) — in various modifications into AES-91 and AES-92

Designs not adopted

  • AP600 — A Westinghouse Electric Company design that received final design approval from the NRC in 1998; the EIA states that "Westinghouse has deemphasized the AP600 in favor of the larger, though potentially even less expensive (on a cost per kilowatt or capacity basis) AP1000 design."
  • System 80+ — a Combustion Engineering (now incorporated into Westinghouse) design, which "provides a basis for the APR1400 (Generation III+) design that has been developed in Korea for future deployment and possible export."

Generation III+ reactors

Generation III+ designs offer significant improvements in safety and economics over Generation III advanced reactor designs certified by the NRC in the 1990s.

  • Advanced CANDU Reactor (ACR-1000)
  • AP1000 — based on the AP600 with increased power output
  • European Pressurized Reactor (EPR) — an evolutionary descendant of the Framatome N4 and Siemens Power Generation Division KONVOI reactors.
  • Economic Simplified Boiling Water Reactor (ESBWR) — based on the ABWR
  • APR-1400 — an advanced PWR design evolved from the U.S. System 80+, which is the basis for the Korean Next Generation Reactor or KNGR
  • VVER-1200/392M (PWR) — in design of AES-2006 with mainly passive safety features
  • VVER-1200/491 (PWR) — in design of AES-2006 with mainly active safety features, internationally sold as MIR.1200
  • EU-ABWR — based on the ABWR with increased power output and compliance with EU safety standard.
  • Advanced PWR (APWR) — 4th Generation of PWR from Mitsubishi Heavy Industries

Generation III++ reactors

  • B&W mPower — an Advanced Light Water Reactor in development by Babcock and Wilcox and Bechtel

Notable activations of BWR safety systems

General Electric defended the design of the reactor, stating that the station blackout caused by the 2011 Tōhoku earthquake and tsunami was a "beyond-design-basis" event which led to the Fukushima I nuclear accidents. According to the Nuclear Energy Institute, "Coincident long-term loss of both on-site and off-site power for an extended period of time is a beyond-design-basis event for the primary containment on any operating nuclear power plant".

The reactors shut down as designed after the earthquake. However, the tsunami disabled all diesel backup generators which operated the emergency cooling systems and pumps. Pumps were designed to circulate hot fluid from the reactor to be cooled in the wetwell, but they did not have any power. The reactor cores overheated and likely melted. Radioactivity was released into the air as fuel rods were damaged due to overheating by exposure to air as water levels fell below safe levels. As an emergency measure, operators resorted to injecting seawater into the drywell to cool the reactors, but this would also ruin them for future operation. Reactors 1–3, and by some reports 4, all suffered violent hydrogen explosions in March 2011 which damaged or destroyed their top levels or lower suppression level (unit 2). Fires in spent fuel ponds also released radiation.

As emergency measures, helicopters attempted to drop water from the ocean onto the open rooftops. Later water was sprayed from fire engines onto the roof of reactor 3. A concrete pump was used to pump water into the spent fuel pond in unit 4.

The accident released up to 10,000 terabecquerels of radioactive iodine-131 per hour in the initial days, and up to 630,000 terabecquerels total, about one tenth the 5.2 million terabecquerels released at Chernobyl.

Design Basis Accident (DBA) for a nuclear power plant

The Design Basis Accident (DBA) for a nuclear power plant is the most severe possible single accident that the designers of the plant and the regulatory authorities could reasonably expect. It is, also, by definition, the accident the safety systems of the reactor are designed to respond to successfully, even if it occurs when the reactor is in its most vulnerable state. The DBA for the BWR consists of the total rupture of a large coolant pipe in the location that is considered to place the reactor in the most danger of harm—specifically, for older BWRs (BWR/1-BWR/6), the DBA consists of a "guillotine break" in the coolant loop of one of the recirculation jet pumps, which is substantially below the core waterline (LBLOCA, large break loss of coolant accident) combined with loss of feedwater to make up for the water boiled in the reactor (LOFW, loss of proper feedwater), combined with a simultaneous collapse of the regional power grid, resulting in a loss of power to certain reactor emergency systems (LOOP, loss of offsite power). The BWR is designed to shrug this accident off without core damage.

The description of this accident is applicable for the BWR/4, which is the oldest model of BWR in common service.

The immediate result of such a break (call it time T+0) would be a pressurized stream of water well above the boiling point shooting out of the broken pipe into the drywell, which is at atmospheric pressure. As this water stream flashes into steam, because of the drop in pressure and because it is above the boiling point of water at normal atmospheric pressure, the pressure sensors within the drywell will report a pressure increase anomaly to the reactor protection system (RPS) by T+0.3 at the latest. The RPS will interpret this pressure increase signal, correctly, as the sign of a break in a pipe within the drywell. As a result, the RPS immediately initiates a full SCRAM, closes the main steam isolation valve (MSIV), isolating the containment building, trips the turbines, attempts to begin the spinup of RCIC and HPCI, using residual steam, and starts the diesel pumps for LPCI and CS.

Now let us assume that the power outage hits at T+0.5. The RPS is on a float uninterruptible power supply, so it continues to function; its sensors, however, are not, and thus the RPS assumes that they are all detecting emergency conditions. Within less than a second from power outage, auxiliary batteries and compressed air supplies are starting the Emergency Diesel Generators. Power will be restored by T+25 seconds.

Let us return to the reactor core. Due to the closure of the MSIV (complete by T+2), a wave of backpressure will hit the rapidly depressurizing RPV but this is immaterial, as the depressurization due to the recirculation line break is so rapid and complete that no steam voids will likely collapse to liquid water. HPCI and RCIC will fail due to loss of steam pressure in the general depressurization, but this is again immaterial, as the 2,000 L/min (600 US gal/min) flow rate of RCIC available after T+5 is insufficient to maintain the water level; nor would the 19,000 L/min (5,000 US gal/min) flow of HPCI, available at T+10, be enough to maintain the water level, if it could work without steam. At T+10, the temperature of the reactor core, at approximately 285 °C (550 °F) at and before this point, begins to rise as enough coolant has been lost from the core that voids begin to form in the coolant between the fuel rods and they begin to heat rapidly. By T+12 seconds from the accident start, fuel rod uncovery begins. At approximately T+18, areas in the rods have reached 540 °C (1000 °F). Some relief comes at T+20 or so, as the negative temperature coefficient and the negative void coefficient slow the rate of temperature increase. T+25 sees power restored; however, LPCI and CS will not be online until T+40.

At T+40, core temperature is at 650 °C (1200 °F) and rising steadily; CS and LPCI kick in and begin deluging the steam above the core, and then the core itself. First, a large amount of steam still trapped above and within the core has to be knocked down, or the water will be flashed to steam prior to it hitting the rods. This happens after a few seconds, as the approximately 200,000 L/min (3,300 L/s, 52,500 US gal/min, 875 US gal/s) of water these systems release begins to cool first the top of the core, with LPCI deluging the fuel rods, and CS suppressing the generated steam until, at approximately T+100 seconds, all of the fuel is subject to deluge and the last remaining hot-spots at the bottom of the core are being cooled. The peak temperature that was attained was 900 °C (1650 °F) (well below the maximum of 1200 °C (2200 °F) established by the NRC) at the bottom of the core, which was the last hot spot to be affected by the water deluge.

The core is cooled rapidly and completely, and following cooling to a reasonable temperature, below that consistent with the generation of steam, CS is shut down and LPCI is decreased in volume to a level consistent with maintenance of a steady-state temperature among the fuel rods, which will drop over a period of days due to the decrease in fission-product decay heat within the core.

After a few days of LPCI, decay heat will have sufficiently abated to the point that defueling of the reactor is able to commence with a degree of caution. Following defueling, LPCI can be shut down. A long period of physical repairs will be necessary to repair the broken recirculation loop; overhaul the ECCS, diesel pumps, and diesel generators; drain the drywell; fully inspect all reactor systems, bring non-conformal systems up to spec, replace old and worn parts, etc. At the same time, different personnel from the licensee working hand in hand with the NRC will evaluate what the immediate cause of the break was; search for what event led to the immediate cause of the break (the root causes of the accident); and then analyze the root causes and take corrective actions based on the root causes and immediate causes discovered. This is followed by a period to generally reflect and post-mortem the accident, discuss what procedures worked, what procedures didn't, and if it all happened again, what could have been done better, and what could be done to ensure it doesn't happen again; and to record lessons learned to propagate them to other BWR licensees. When this is accomplished, the reactor can be refueled, resume operations, and begin producing power once more.

The ABWR and ESBWR, the most recent models of the BWR, are not vulnerable to anything like this incident in the first place, as they have no liquid penetrations (pipes) lower than several feet above the waterline of the core, and thus, the reactor pressure vessel holds in water much like a deep swimming pool in the event of a feedwater line break or a steam line break. The BWR 5s and 6s have additional tolerance, deeper water levels, and much faster emergency system reaction times. Fuel rod uncovery will briefly take place, but maximum temperature will only reach 600 °C (1,100 °F), far below the NRC safety limit.

Prior to the incidents at the Fukushima Daiichi reactor complex (involving BWR 3 and BWR 4 reactors) caused by the March 2011 Tōhoku earthquake and tsunami, no incident approaching the DBA or even a LBLOCA in severity had occurred with a BWR. The Fukushima incidents are still ongoing and it would be premature to draw conclusions on their ultimate severity, but they already exceed the severity of the DBA in several respects. For example, the primary containment vessels have had to be flooded with seawater containing boric acid, which is likely to preclude any resumption of operation. Nothing similar to the chemical explosions that have occurred at the Fukushima Daiichi reactors was anticipated in the DBA scenario.

Before this incident there had been minor incidents involving the ECCS, but in these circumstances it had performed at or beyond expectations. The most severe incident that had previously occurred with a BWR was in 1975 due to a fire caused by extremely flammable urethane foam installed in the place of fireproofing materials at the Browns Ferry Nuclear Power Plant; for a short time, the control room's monitoring equipment was cut off from the reactor, but the reactor shut down successfully, and, as of 2009, is still producing power for the Tennessee Valley Authority, having sustained no damage to systems within the containment. The fire had nothing to do with the design of the BWR – it could have occurred in any power plant, and the lessons learned from that incident resulted in the creation of a separate backup control station, compartmentalization of the power plant into fire zones and clearly documented sets of equipment which would be available to shut down the reactor plant and maintain it in a safe condition in the event of a worst case fire in any one fire zone. These changes were retrofitted into every existing US and most Western nuclear power plants and built in to new plants from that point forth.

BWR Hydrogen Management

During normal plant operations and in normal operating temperatures, the hydrogen generation is not significant. When the nuclear fuel overheats, zirconium in Zircaloy cladding used in fuel rods oxidizes in reaction with steam:

Zr + 2 H₂O → ZrO₂ + 2 H₂

When mixed with air, hydrogen is flammable, and hydrogen detonation or deflagration may damage the reactor containment. In reactor designs with small containment volumes, such as in Mark I or II containments, the preferred method for managing hydrogen is pre-inerting with inert gas—generally nitrogen—to reduce the oxygen concentration in air below that needed for hydrogen combustion, and the use of thermal recombiners. Pre-inerting is considered impractical with larger containment volumes where thermal recombiners and deliberate ignition are used.

BWR Containment System

The ultimate safety systems inside and outside of every BWR are the numerous levels of physical shielding that both protect the reactor from the outside world and protect the outside world from the reactor.

There are five levels of shielding:

  1. The fuel rods inside the reactor pressure vessel are coated in thick Zircaloy shielding;
  2. The reactor pressure vessel itself is manufactured out of 6-inch-thick (150 mm) steel, with extremely high temperature, vibration, and corrosion resistant surgical stainless steel grade 316L plate on both the inside and outside;
  3. The primary containment structure is made of steel 1 inch thick;
  4. The secondary containment structure is made of steel-reinforced, pre-stressed concrete 1.2–2.4 meters (4–8 ft) thick.
  5. The reactor building (the shield wall/missile shield) is also made of steel-reinforced, pre-stressed concrete 0.3 m to 1 m (1–3 feet) thick.

If every possible measure standing between safe operation and core damage fails, the containment can be sealed indefinitely, and it will prevent any substantial release of radiation to the environment from occurring in nearly any circumstance.

Varieties of BWR containments

As illustrated by the descriptions of the systems above, BWRs are quite divergent in design from PWRs. Unlike the PWR, which has generally followed a very predictable external containment design (the stereotypical dome atop a cylinder), BWR containments are varied in external form but their internal distinctiveness is extremely striking in comparison to the PWR. There are five major varieties of BWR containments:

  • The "premodern" containment (Generation I); spherical in shape, and featuring a steam drum separator, or an out-of-RPV steam separator, and a heat exchanger for low pressure steam, this containment is now obsolete, and is not used by any operative reactor.
  • The Mark I containment, consisting of a rectangular steel-reinforced concrete building, along with an additional layer of steel-reinforced concrete surrounding the steel-lined cylindrical drywell and the steel-lined pressure suppression torus below. The Mark I was the earliest type of containment in wide use, and many reactors with Mark Is are still in service today. There have been numerous safety upgrades made over the years to this type of containment, especially to provide for orderly reduction of containment load caused by pressure in a compounded limiting fault. The reactor building of the Mark I generally is in the form of a large rectangular structure of reinforced concrete.
  • The Mark II containment, similar to the Mark I, but omitting a distinct pressure suppression torus in favor of a cylindrical wetwell below the non-reactor cavity section of the drywell. Both the wetwell and the drywell have a primary containment structure of steel as in the Mark I, as well as the Mark I's layers of steel-reinforced concrete composing the secondary containment between the outer primary containment structure and the outer wall of the reactor building proper. The reactor building of the Mark II generally is in the form of a flat-topped cylinder.
  • The Mark III containment, generally similar in external shape to the stereotypical PWR, and with some similarities on the inside, at least on a superficial level. For example, rather than having a slab of concrete that staff could walk upon while the reactor was not being refueled covering the top of the primary containment and the RPV directly underneath, the Mark III takes the BWR in a more PWRish direction by placing a water pool over this slab. Additional changes include abstracting the wetwell into a pressure-suppression pool with a weir wall separating it from the drywell.
  • Advanced containments; the present models of BWR containments for the ABWR and the ESBWR are throwbacks to the classical Mark I/II style of being quite distinct from the PWR on the outside as well as the inside, though both reactors incorporate the Mark III-ish style of having non-safety-related buildings surrounding or attached to the reactor building, rather than being overtly distinct from it. These containments are also designed to withstand far more than previous containments were, providing advanced safety. In particular, GE regards these containments as being able to withstand a direct hit by a tornado of Old Fujita Scale 6 with winds of 330+ miles per hour. Such a tornado has never been measured on earth. They are also designed to withstand seismic accelerations of 0.2 G, or nearly 2 meters per second² in any direction.

Standby Liquid Control System (SLCS)

The standby liquid control system is used in the event of major contingencies as a last measure to prevent core damage. It is not intended ever to be used, as the RPS and ECCS are designed to respond to all contingencies, even if quite a few of their components fail, but if a complete ECCS failure occurs during a limiting fault, it could be the only thing capable of preventing core damage. The SLCS consists of a tank containing borated water as a neutron absorber, protected by explosively-opened valves and redundant battery-operated pumps, allowing the injection of the borated water into the reactor against any pressure within; the borated water can and will shut down a reactor gone out of control. The SLCS also provides an additional layer of defense in depth against an ATWS derangement, but this is an extreme measure that can be avoided by numerous other channels (ARI and use of redundant hydraulics).

Versioning note: The SLCS is a system that is never meant to be activated unless all other measures have failed. In the BWR/1 – BWR/6, its activation could cause sufficient damage to the plant that it could make the older BWRs inoperable without a complete overhaul. With the arrival of the ABWR and (E)SBWR, operators do not have to be as reticent about activating the SLCS, as these reactors have a Reactor Water Cleanup System (RWCS) – once the reactor has stabilized, the borated water within the RPV can be filtered through this system to promptly remove the soluble neutron absorbers that it contains and thus avoid damage to the internals of the plant.

Emergency Core-Cooling System (ECCS)

While the reactor protection system is designed to prevent contingencies from happening, the ECCS is designed to respond to contingencies if they do happen. The ECCS is a set of interrelated safety systems that are designed to protect the fuel within the reactor pressure vessel, which is referred to as the "reactor core", from overheating. These systems accomplish this by maintaining reactor pressure vessel (RPV) cooling water level, or if that is impossible, by directly flooding the core with coolant.

These systems are of 3 major types:

  1. High pressure systems: These are designed to protect the core by injecting large quantities of water into it to prevent the fuel from being uncovered by a decreasing water level. Generally used in cases with stuck-open safety valves, small breaks of auxiliary pipes, and particularly violent transients caused by turbine trip and main steam isolation valve closure. If the water level cannot be maintained with high pressure systems alone (the water level still is falling below a preset point with the high-pressure systems working full-bore), the next set of systems responds.
  2. Depressurization systems: These systems are designed to maintain reactor pressure within safety limits. Additionally, if reactor water level cannot be maintained with high-pressure coolant systems alone, the depressurization system can reduce reactor pressure to a level at which the low-pressure coolant systems can function.
  3. Low-pressure systems: These systems are designed to function after the depressurization systems function. They have extremely large capacities compared to the high-pressure systems and are supplied by multiple, redundant power sources. They will maintain any maintainable water level and, in the event of a large pipe break of the worst type below the core that leads to temporary fuel rod "uncovery", will rapidly mitigate that state before the fuel heats to the point where core damage could occur.

High-pressure coolant injection system (HPCI)

The high-pressure coolant injection system is the first line of defense in the emergency core cooling system. HPCI is designed to inject substantial quantities of water into the reactor while it is at high pressure so as to prevent the activation of the automatic depressurization, core spray, and low pressure coolant injection systems. HPCI is powered by steam from the reactor, and takes approximately 10 seconds to spin up from an initiating signal, and can deliver approximately 19,000 L/min (5,000 US gal/min) to the core at any core pressure above 6.8 atm (690 kPa, 100 psi). This is usually enough to keep water levels sufficient to avoid automatic depressurization except in a major contingency, such as a large break in the makeup water line.

Versioning note: The BWR/6 replaces HPCI with high-pressure core spray (HPCS); ABWRs and (E)SBWRs replace HPCI with high-pressure core flooder (HPCF), a mode of the RCIC system, as described below.

Reactor core isolation cooling system (RCIC)

The reactor core isolation cooling system is not a safety-related system proper, but is included because it can help cool the reactor in the event of a contingency, and it has additional functionality in advanced versions of the BWR.

RCIC is designed to remove the residual heat of the fuel from the reactor once it has been shut down. It injects approximately 2,000 L/min (600 gpm) into the reactor core for this purpose, at high pressure. It also takes less time to start than the HPCI system, approximately 5 seconds from an initiating signal.

The RCIC system is operable with no electric power other than battery power. During a station blackout (where all off-site power is lost and the diesel generators fail) the RCIC is capable of providing decay heat removal by itself.

Versioning note: RCIC and HPCF are integrated in ABWRs and (E)SBWRs, with HPCF representing the high-capacity mode of RCIC. In the (E)SBWR series of reactors, there is an additional contingency residual heat removal capability for RCIC, the Isolation Condenser System (IC); in the (E)SBWR, there are several separate trains of heat exchangers located above the RPV in deep pools of water within the reactor building but outside and above the primary containment. In the event of a contingency, the decay heat of the reactor will boil water to steam within the RPV. The RPS will activate several valves connecting the RPV to the IC system; the steam from the RPV decay heat will flow into the heat exchangers (called Isolation Condensers) and be condensed and cooled back to liquid. The water will then return to the RPV through the force of gravity.

Automatic depressurization system (ADS)

The automatic depressurization system is not a part of the cooling system proper, but is an essential adjunct to the ECCS. It is designed to activate in the event that the RPV is retaining pressure, but RPV water level cannot be maintained using high-pressure cooling alone, and low-pressure cooling must be initiated. When ADS fires, it rapidly releases pressure from the RPV in the form of steam through pipes that discharge below the water level in the suppression pool (the torus/wetwell, which is designed to condense the steam released by ADS or other safety valve activation into water), bringing the reactor vessel below 32 atm (3200 kPa, 465 psi) and allowing the low-pressure cooling systems (LPCS/LPCI/LPCF/GDCS), with their extremely large and robust coolant injection capacities, to be brought to bear on the reactor core.

Low-pressure core spray system (LPCS)

The low-pressure core spray system is designed to suppress steam generated by a major contingency. As such, it prevents reactor vessel pressure from going above the point where LPCI and LPCS would be ineffective, which is above 32 atm (3200 kPa, 465 psi). It activates below that level, and delivers approximately 48,000 L/min (12,500 US gal/min) of water in a deluge from the top of the core.

Versioning note: In ABWRs and (E)SBWRs, there are additional water spray systems to cool the drywell and the suppression pool.

Low-pressure coolant injection system (LPCI)

The low-pressure coolant injection system, the "heavy artillery" in the ECCS, can be operated at reactor vessel pressures below 465 psi. The LPCI consists of 4 pumps driven by diesel engines, and is capable of injecting a mammoth 150,000 L/min (40,000 US gal/min) of water into the core. Combined with the CS to keep steam pressure low, the LPCI is designed to suppress contingencies by rapidly and completely flooding the core with coolant.

Versioning note: ABWRs replace LPCI with low-pressure core flooder (LPCF), which operates using similar principles. (E)SBWRs replace LPCI with the DPVS/PCCS/GDCS, as described below.

Depressurization valve system (DPVS) / passive containment cooling system (PCCS) / gravity-driven cooling system (GDCS)

The (E)SBWR has an additional ECCS capacity that is completely passive, quite unique, and significantly improves defense in depth. This system is activated when the water level within the RPV reaches Level 1. At this point, a countdown timer is started.

There are several large depressurization valves located near the top of the reactor pressure vessel. These constitute the DPVS. This is a capability supplemental to the ADS, which is also included on the (E)SBWR. The DPVS consists of eight of these valves, four on main steamlines that vent to the drywell when actuated and four venting directly into the drywell.

If Level 1 is not resubmerged within 50 seconds of the timer starting, DPVS will fire and will rapidly vent any pressure contained within the reactor pressure vessel into the drywell. This will cause the water within the RPV to gain in volume (due to the drop in pressure) which will increase the water available to cool the core. In addition, the depressurization will cause a lower boiling point, and thus more steam bubbles will form, decreasing moderation; this, in turn, decreases decay heat production, while still maintaining adequate cooling. (In fact, both the ESBWR and the ABWR are designed so that even in the maximum feasible contingency, the core never loses its layer of water coolant.)

If Level 1 is again not resubmerged within 100 seconds of DPVS actuation, then the GDCS valves fire. The GDCS is a series of very large water tanks located above and to the side of the Reactor Pressure Vessel within the drywell. When these valves fire, the GDCS is directly connected to the RPV. After ~50 more seconds of depressurization, the pressure within the GDCS will equalize with that of the RPV and drywell, and the water of the GDCS will begin flowing into the RPV.

The water within the RPV will boil into steam from the decay heat, and natural convection will cause it to travel upwards into the drywell, into piping assemblies in the ceiling that will take the steam to four large heat exchangers – the Passive Containment Cooling System (PCCS) – located above the drywell – in deep pools of water. The steam will be cooled, and will condense back into liquid water. The liquid water will drain from the heat exchanger back into the GDCS pool, where it can flow back into the RPV to make up for additional water boiled by decay heat. In addition, if the GDCS lines break, the shape of the RPV and the drywell will ensure that a "lake" of liquid water forms that submerges the bottom of the RPV (and the core within).

There is sufficient water to cool the heat exchangers of the PCCS for 72 hours. At this point, all that needs to happen is for the pools that cool the PCCS heat exchangers to be refilled, which is a comparatively trivial operation, doable with a portable fire pump and hoses.
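The timed actuation sequence described above (Level 1 timer, DPVS at 50 seconds, GDCS valves 100 seconds later, injection after about 50 more) can be written as a small state machine. This is an added illustration, not plant logic or vendor code; the class, the state names, the reset when the level recovers before 50 seconds, and the HELD state when it recovers after DPVS actuation are assumptions made for the model.

```python
from dataclasses import dataclass, field
from enum import Enum

# Delays taken from the text above (seconds).
DPVS_DELAY_S = 50      # Level 1 not recovered within 50 s of timer start
GDCS_DELAY_S = 100     # Level 1 still not recovered 100 s after DPVS fires
GDCS_EQUALIZE_S = 50   # ~50 s until GDCS and RPV pressures equalize


class State(Enum):
    NORMAL = "normal"
    TIMER_RUNNING = "timer_running"
    DPVS_FIRED = "dpvs_fired"
    HELD = "held"                    # assumption: level recovered after DPVS
    GDCS_VALVES_OPEN = "gdcs_valves_open"
    GDCS_INJECTING = "gdcs_injecting"


@dataclass
class PassiveEccsSequencer:
    """Hypothetical model of the Level 1 -> DPVS -> GDCS sequence."""
    state: State = State.NORMAL
    mark: float = 0.0                # time the current state was entered
    events: list = field(default_factory=list)

    def _enter(self, state, t):
        self.state, self.mark = state, t
        self.events.append((t, state.value))

    def step(self, t, below_level1):
        """Feed one water-level sample taken at time t (seconds)."""
        while True:                  # take every transition that is due at t
            s = self.state
            if s is State.NORMAL:
                if not below_level1:
                    return
                self._enter(State.TIMER_RUNNING, t)
            elif s is State.TIMER_RUNNING:
                if not below_level1:     # assumption: recovery resets the timer
                    self._enter(State.NORMAL, t)
                    return
                if t - self.mark < DPVS_DELAY_S:
                    return
                self._enter(State.DPVS_FIRED, self.mark + DPVS_DELAY_S)
            elif s is State.DPVS_FIRED:
                if not below_level1:     # GDCS is not actuated in this case
                    self._enter(State.HELD, t)
                    return
                if t - self.mark < GDCS_DELAY_S:
                    return
                self._enter(State.GDCS_VALVES_OPEN, self.mark + GDCS_DELAY_S)
            elif s is State.GDCS_VALVES_OPEN:
                # Equalization is physical; it no longer depends on the level.
                if t - self.mark < GDCS_EQUALIZE_S:
                    return
                self._enter(State.GDCS_INJECTING, self.mark + GDCS_EQUALIZE_S)
            else:
                return               # HELD and GDCS_INJECTING are terminal here


def run(samples):
    """samples: iterable of (time_s, below_level1). Returns the event list."""
    seq = PassiveEccsSequencer()
    for t, below in samples:
        seq.step(t, below)
    return seq.events


if __name__ == "__main__":
    # Constructed input: level stays below Level 1 for the whole run.
    for event in run((t, True) for t in range(0, 260, 10)):
        print(event)
```

With the level held below Level 1 throughout, GDCS water starts flowing 200 seconds after the timer starts, which is the sum of the three delays given in the text.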

GE has a computerized animation of how the ESBWR functions during a pipe break incident on their website.

Reactor Protection System (RPS)

The Reactor Protection System (RPS) is a system, computerized in later BWR models, that is designed to automatically, rapidly, and completely shut down and make safe the Nuclear Steam Supply System (NSSS – the reactor pressure vessel, pumps, and water/steam piping within the containment) if some event occurs that could result in the reactor entering an unsafe operating condition. In addition, the RPS can automatically spin up the Emergency Core Cooling System (ECCS) upon detection of several signals. It does not require human intervention to operate. However, the reactor operators can override parts of the RPS if necessary. If an operator recognizes a deteriorating condition, and knows an automatic safety system will activate, they are trained to pre-emptively activate the safety system.

If the reactor is at power or ascending to power (i.e. if the reactor is supercritical; the control rods are withdrawn to the point where the reactor generates more neutrons than it absorbs) there are safety-related contingencies that may arise that necessitate a rapid shutdown of the reactor, or, in Western nuclear parlance, a "SCRAM". The SCRAM is a manually triggered or automatically triggered rapid insertion of all control rods into the reactor, which will take the reactor to decay heat power levels within tens of seconds. Since ~ 0.6% of neutrons are emitted from fission products ("delayed" neutrons), which are born seconds/minutes after fission, all fission cannot be terminated instantaneously, but the fuel soon returns to decay heat power levels. Manual SCRAMs may be initiated by the reactor operators, while automatic SCRAMs are initiated upon:

  1. Turbine stop-valve or turbine control-valve closure.
    1. If turbine protection systems detect a significant anomaly, admission of steam is halted. Reactor rapid shutdown is in anticipation of a pressure transient that could increase reactivity.
    2. Generator load rejection will also cause closure of turbine valves and trip RPS.
  2. Loss of offsite power (LOOP)
    1. During normal operation, the reactor protection system (RPS) is powered by offsite power.
      1. Loss of offsite power would open all relays in the RPS, causing all rapid shutdown signals to come in redundantly.
      2. It would also cause the MSIV to close, since the RPS is fail-safe; the plant assumes a main steam break is coincident with loss of offsite power.
  3. Neutron Monitor Trips – the purpose of these trips is to ensure an even increase in neutron and thermal power during startup.
    1. Source range monitor (SRM) / intermediate-range monitor (IRM) upscale:
      1. The SRM, used during instrument calibration, pre-critical, and early non-thermal criticality, and the IRM, used during ascension to power, middle/late non-thermal, and early/middle thermal stages, both have trips built in that prevent rapid decreases in reactor period when reactor is intensely reactive (e.g. when no voids exist, water is cold, and water is dense) without positive operator confirmation that such decreases in period are their intention. Prior to trips occurring, rod movement blocks will be activated to ensure operator vigilance if preset levels are marginally exceeded.
    2. Average power range monitor (APRM) upscale:
      1. Prevents reactor from exceeding pre-set neutron power level maxima during operation or relative maxima prior to positive operator confirmation of end of startup by transition of reactor state into "Run".
    3. Average power range monitor / coolant flow thermal trip:
      1. Prevents reactor from exceeding variable power levels without sufficient coolant flow for that level being present.
  4. Low reactor water level indicative of:
    1. Loss of coolant contingency (LOCA)
    2. Loss of proper feedwater (LOFW)
    3. etc.
  5. High drywell (primary containment) pressure
    1. Indicative of potential loss of coolant contingency
  6. Main steam isolation valve closure (MSIV)
    1. Redundant backup for turbine trip
    2. Indicative of potential main steam line break
  7. High RPV pressure:
    1. Indicative of MSIV closure.
    2. Decreases reactivity to compensate for boiling void collapse due to high pressure.
    3. Prevents pressure relief valves from opening.
    4. Serves as a backup for several other trips, like turbine trip.

Boiling Water Reactor Safety Systems

Boiling water reactor (BWR) safety systems are nuclear safety systems constructed within boiling water reactors in order to prevent or mitigate environmental and health hazards in the event of accident or natural disaster.

Like the pressurized water reactor, the BWR reactor core continues to produce heat from radioactive decay after the fission reactions have stopped, making a core damage incident possible in the event that all safety systems have failed and the core does not receive coolant. Also like the pressurized water reactor, a boiling water reactor has a negative void coefficient, that is, the neutron (and the thermal) output of the reactor decreases as the proportion of steam to liquid water increases inside the reactor.

However, unlike a pressurized water reactor which contains no steam in the reactor core, a sudden increase in BWR steam pressure (caused, for example, by the actuation of the main steam isolation valve (MSIV) from the reactor) will result in a sudden decrease in the proportion of steam to liquid water inside the reactor. The increased ratio of water to steam will lead to increased neutron moderation, which in turn will cause an increase in the power output of the reactor. This type of event is referred to as a "pressure transient".

The BWR is specifically designed to respond to pressure transients, having a "pressure suppression" type of design which vents overpressure using safety relief valves to below the surface of a pool of liquid water within the containment, known as the "wetwell" or "torus". There are 11 safety overpressure relief valves on BWR/1-BWR/6 models (7 of which are part of the ADS) and 18 safety overpressure relief valves on ABWR models, only a few of which have to function to stop the pressure rise of a transient. In addition, the reactor will already have rapidly shut down before the transient affects the RPV (as described in the Reactor Protection System section below).

Because of this effect in BWRs, operating components and safety systems are designed to ensure that no credible scenario can cause a pressure and power increase that exceeds the systems' capability to quickly shut down the reactor before damage to the fuel or to components containing the reactor coolant can occur. In the limiting case of an ATWS (Anticipated Transient Without Scram) derangement, high neutron power levels (~ 200%) can occur for less than a second, after which actuation of SRVs will cause the pressure to rapidly drop off. Neutronic power will fall to far below nominal power (the range of 30% with the cessation of circulation, and thus, void clearance) even before ARI or SLCS actuation occurs. Thermal power will be barely affected.

In the event of a contingency that disables all of the safety systems, each reactor is surrounded by a containment building consisting of 1.2–2.4 m (4–8 ft) of steel-reinforced, pre-stressed concrete designed to seal off the reactor from the environment.

However, the containment building does not protect the fuel during the whole fuel cycle. Most importantly, the spent fuel resides for long periods of time outside the primary containment. A typical spent fuel storage pool can hold roughly five times the fuel in the core. Since reloads typically discharge one third of a core, much of the spent fuel stored in the pool will have had considerable decay time. But if the pool were to be drained of water, the discharged fuel from the previous two refuelings would still be "fresh" enough to melt under decay heat. However, the zircaloy cladding of this fuel could be ignited during the heatup. The resulting fire would probably spread to most or all of the fuel in the pool. The heat of combustion, in combination with decay heat, would probably drive "borderline aged" fuel into a molten condition. Moreover, if the fire becomes oxygen-starved (quite probable for a fire located in the bottom of a pit such as this), the hot zirconium would rob oxygen from the uranium dioxide fuel, forming a liquid mixture of metallic uranium, zirconium, oxidized zirconium, and dissolved uranium dioxide. This would cause a release of fission products from the fuel matrix quite comparable to that of molten fuel. In addition, although confined, BWR spent fuel pools are almost always located outside of the primary containment. Generation of hydrogen during the process would probably result in an explosion damaging the secondary containment building. Thus, release to the atmosphere is more likely than for comparable accidents involving the reactor core.

A spent fuel pool accident releasing radioactive material to the atmosphere happened in a Mk-1 type BWR reactor in Fukushima, Japan, on March 14, 2011.

Nuclear Reactor Safety Systems

The three primary objectives of nuclear safety systems as defined by the Nuclear Regulatory Commission are to shut down the reactor, maintain it in a shutdown condition, and prevent the release of radioactive material during events and accidents. These objectives are accomplished using a variety of equipment, which is part of different systems, of which each performs specific functions.

Reactor protection system (RPS)

A reactor protection system is composed of systems that are designed to immediately terminate the nuclear reaction. While the reactor is operating, the nuclear reaction continues to produce heat and radiation. By breaking the chain reaction, the source of heat can be eliminated, and other systems can then be used to continue to remove decay heat from the core. All plants have some form of the following reactor protection systems:

Control rods

Control rods are a series of metal rods that can be quickly inserted into the core to absorb neutrons and rapidly terminate the nuclear reaction. See control rods for more information.

Safety injection / standby liquid control

A nuclear reaction can also be stopped by injecting a liquid that absorbs neutrons directly into the core. In boiling water reactors this usually consists of a solution containing boron (such as boric acid), which can be injected to displace the water in the core. A signature of pressurized water reactors is that they use a boron solution in addition to control rods to control the reaction, and so the concentration is simply increased to slow or stop the reaction.

Essential service water system (ESWS)

The essential service water system (ESWS) circulates the water that cools the plant’s heat exchangers and other components before dissipating the heat into the environment. Because this includes cooling the systems that remove decay heat from both the primary system and the spent fuel rod cooling ponds, the ESWS is a safety-critical system. Since the water is frequently drawn from an adjacent river, the sea, or other large body of water, the system can be endangered by large volumes of seaweed, marine organisms, oil pollution, ice and debris. In locations without a large body of water in which to dissipate the heat, water is recirculated via a cooling tower.

The failure of half of the ESWS pumps was one of the factors that endangered safety in the 1999 Blayais Nuclear Power Plant flood, while a total loss occurred during the Fukushima I and Fukushima II nuclear accidents in 2011.

Emergency core cooling system (ECCS)

An emergency core cooling system comprises a series of systems that are designed to safely shut down a nuclear reactor during accident conditions. Under normal conditions, heat is removed from a nuclear reactor by condensing steam after it passes through the turbine. In a boiling water reactor, condensed steam (water) is fed back into the reactor. In a pressurized water reactor, it is fed back through the heat exchanger. In both cases, this keeps the reactor core at a constant temperature. During an accident, the condenser is not used, so alternate methods of cooling are required to prevent damage to the nuclear fuel.

These systems allow the plant to respond to a variety of accident conditions, and additionally introduce redundancy so that the plant can be shut down even with one or more subsystem failures.

In most plants, ECCS is composed of the following systems:

High pressure coolant injection system (HPCI)

This system consists of a pump or pumps that have sufficient pressure to inject coolant into the reactor vessel while it is pressurized. It is designed to monitor the level of coolant in the reactor vessel and automatically inject coolant when the level drops below certain setpoints. This system is normally the first line of defense for a reactor since it can be used while the reactor vessel is still highly pressurized.

Depressurization system (ADS)

This system consists of a series of valves which open to vent steam several feet under the surface of a large pool of liquid water (known as the wetwell or torus) in pressure suppression type containments, or directly into the primary containment structure in other types of containments, such as large-dry, ice-condenser, and sub-atmospheric containments. The actuation of these valves depressurizes the reactor vessel and allows lower pressure coolant injection systems to function, which have very large capacities in comparison to high pressure systems. Some depressurization systems are automatic in function but can be inhibited; some are manual, and operators may activate them if necessary.

Low pressure coolant injection system (LPCI)

This system consists of a pump or pumps which inject additional coolant into the reactor vessel once it has been depressurized.

In some nuclear power plants, LPCI is a mode of operation of a residual heat removal system (RHR or RHS). LPCI is generally not a stand-alone system.

Corespray system

This system uses spargers (special spray nozzles) within the reactor pressure vessel to spray water directly onto the fuel rods, suppressing the generation of steam. Reactor designs can include corespray in high-pressure and low-pressure modes.

Containment spray system

This system consists of a series of pumps and spargers which spray coolant into the primary containment structure. It is designed to condense the steam into liquid water within the primary containment structure to prevent overpressure, which could lead to involuntary depressurization.

Isolation cooling system

This system is often driven by a steam turbine, and is used to provide enough water to safely cool the reactor if the reactor building is isolated from the control and turbine buildings. As it does not require large amounts of electricity to run, and runs off the plant batteries, rather than the diesel generators, it is a defensive system against a condition known as station blackout.

Emergency electrical systems

Under normal conditions, nuclear power plants receive power from off-site. However, during an accident a plant may lose access to this power supply and thus may be required to generate its own power to supply its emergency systems. These electrical systems usually consist of diesel generators and batteries.

Diesel generators

Diesel generators are employed to power the site during emergency situations. They are usually sized such that a single one can provide all the power required for a facility to shut down during an emergency, which allows facilities to have multiple generators for redundancy. Additionally, systems which are not required to shut down the reactor have separate electrical sources (often their own generators) so that they do not affect shutdown capability.

Motor generator flywheels

Loss of electrical power can occur suddenly, and it can damage or undermine equipment. To prevent damage, motor-generators can be tied to flywheels which can provide uninterrupted electrical power to equipment for a brief period of time. Often they are used to provide electrical power until the plant electrical supply can be switched to the batteries and/or diesel generators.


Batteries

Batteries often form the final redundant backup electrical system and are also capable of providing sufficient electrical power to shut down a plant. The DC power generated by batteries can be converted to AC power to run AC devices such as motors using an electrical inverter.

Containment systems

Containment systems are designed to prevent the release of radioactive material into the environment.

Fuel cladding

The fuel cladding is the first layer of protection around the nuclear fuel and is designed to protect the fuel from corrosion that would spread fuel material throughout the reactor coolant circuit. In most reactors it takes the form of a sealed metallic or ceramic layer. It also serves to trap fission products, especially ones that are gaseous at the temperatures reached within the reactor, such as krypton, xenon and iodine. Cladding does not constitute shielding, and must be developed such that it absorbs as little radiation as possible. For this reason, materials such as magnesium and zirconium are used for their low neutron capture cross sections.

Reactor vessel

The reactor vessel is the first layer of shielding around the nuclear fuel and usually is designed to trap most of the radiation released during a nuclear reaction. The reactor vessel is also designed to withstand high pressures.

Primary containment

The primary containment system usually consists of a large metal and concrete structure (often cylindrical or bulb shaped) which contains the reactor vessel. In most reactors it also contains all of the radioactive contaminated systems. The primary containment system is designed to withstand strong internal pressures resulting from a leak or intentional depressurization of the reactor vessel.

Secondary containment

Some plants have a secondary containment system which encompasses the primary system. This is very common in BWRs because most of the steam systems, including the turbine, contain radioactive materials.

Core catching

In case of a full melt-down, the fuel would most likely end up on the concrete floor of the primary containment building. Concrete can withstand a great deal of heat, so the thick flat concrete floor in the primary containment will often be sufficient protection against the so-called China Syndrome. The Chernobyl plant didn't have a containment building, but the core was eventually stopped by the concrete foundation. Due to concerns that the core would melt its way through the concrete, a "core catching device" was invented, and a mine was quickly dug under the plant with the intention to install such a device. The device contains a quantity of metal which would melt, diluting the corium and increasing its heat conductivity; the diluted metallic mass could then be cooled by water circulating in the floor. Today, all new Russian-designed reactors are equipped with core-catchers in the bottom of the containment building.

Non-containable events

Nuclear events outside of the primary containment building will not be contained. Any accident involving the spent fuel pool, which is outside of the primary containment, will not be contained.

Ventilation and radiation protection

In case of a radioactive release, most plants have a system designed to remove radiation from the air to reduce the effects of the radiation release on the employees and public. This system usually consists of the following:

Containment ventilation

This system is designed to remove radiation and steam from primary containment in the event that the depressurization system was used to vent steam into primary containment.

Control room ventilation

This system is designed to ensure that the operators who are required to operate the plant are protected in the event of a radioactive release. This system often consists of activated charcoal filters which remove radioactive isotopes from the air.