Notable activations of BWR safety systems

General Electric defended the design of the reactor, stating that the station blackout caused by the 2011 Tōhoku earthquake and tsunami was a "beyond-design-basis" event which led to the Fukushima I nuclear accidents. According to the Nuclear Energy Institute, "Coincident long-term loss of both on-site and off-site power for an extended period of time is a beyond-design-basis event for the primary containment on any operating nuclear power plant".

The reactors shut down as designed after the earthquake. However, the tsunami disabled all of the diesel backup generators that powered the emergency cooling systems and pumps. The pumps were designed to circulate hot fluid from the reactor to be cooled in the wetwell, but they had no power. The reactor cores overheated and likely melted. Radioactivity was released into the air as fuel rods, exposed to air once water levels fell below safe levels, were damaged by overheating. As an emergency measure, operators resorted to injecting seawater into the drywell to cool the reactors, although this would also ruin them for future operation. Reactors 1–3, and by some reports 4, all suffered violent hydrogen explosions in March 2011 which damaged or destroyed their top levels or, in the case of unit 2, the lower suppression level. Fires in spent fuel ponds also released radiation.

As emergency measures, helicopters attempted to drop water from the ocean onto the open rooftops. Later water was sprayed from fire engines onto the roof of reactor 3. A concrete pump was used to pump water into the spent fuel pond in unit 4.

The accident released up to 10,000 terabecquerels of radioactive iodine-131 per hour in the initial days, and up to 630,000 terabecquerels total, about one tenth of the 5.2 million terabecquerels released at Chernobyl.

Design Basis Accident (DBA) for a nuclear power plant

The Design Basis Accident (DBA) for a nuclear power plant is the most severe possible single accident that the designers of the plant and the regulatory authorities could reasonably expect. It is, also, by definition, the accident the safety systems of the reactor are designed to respond to successfully, even if it occurs when the reactor is in its most vulnerable state. The DBA for the BWR consists of the total rupture of a large coolant pipe in the location that is considered to place the reactor in the most danger of harm—specifically, for older BWRs (BWR/1-BWR/6), the DBA consists of a "guillotine break" in the coolant loop of one of the recirculation jet pumps, which is substantially below the core waterline (LBLOCA, large break loss of coolant accident) combined with loss of feedwater to make up for the water boiled in the reactor (LOFW, loss of proper feedwater), combined with a simultaneous collapse of the regional power grid, resulting in a loss of power to certain reactor emergency systems (LOOP, loss of offsite power). The BWR is designed to shrug this accident off without core damage.

The description of this accident is applicable for the BWR/4, which is the oldest model of BWR in common service.

The immediate result of such a break (call it time T+0) would be a pressurized stream of water well above the boiling point shooting out of the broken pipe into the drywell, which is at atmospheric pressure. This water stream flashes into steam, because the pressure drops and the water is above its boiling point at normal atmospheric pressure, so the pressure sensors within the drywell will report a pressure increase anomaly to the reactor protection system by T+0.3 at the latest. The RPS will interpret this pressure increase signal, correctly, as the sign of a break in a pipe within the drywell. As a result, the RPS immediately initiates a full SCRAM, closes the main steam isolation valve (isolating the containment building), trips the turbines, attempts to begin the spinup of RCIC and HPCI using residual steam, and starts the diesel pumps for LPCI and CS.

Now let us assume that the power outage hits at T+0.5. The RPS is on a float uninterruptible power supply, so it continues to function; its sensors, however, are not, and thus the RPS assumes that they are all detecting emergency conditions. Within less than a second from the power outage, auxiliary batteries and compressed air supplies are starting the Emergency Diesel Generators. Power will be restored by T+25 seconds.

Let us return to the reactor core. Due to the closure of the MSIV (complete by T+2), a wave of backpressure will hit the rapidly depressurizing RPV but this is immaterial, as the depressurization due to the recirculation line break is so rapid and complete that no steam voids will likely collapse to liquid water. HPCI and RCIC will fail due to loss of steam pressure in the general depressurization, but this is again immaterial, as the 2,000 L/min (600 US gal/min) flow rate of RCIC available after T+5 is insufficient to maintain the water level; nor would the 19,000 L/min (5,000 US gal/min) flow of HPCI, available at T+10, be enough to maintain the water level, if it could work without steam. At T+10, the temperature of the reactor core, at approximately 285 °C (550 °F) at and before this point, begins to rise as enough coolant has been lost from the core that voids begin to form in the coolant between the fuel rods and they begin to heat rapidly. By T+12 seconds from the accident start, fuel rod uncovery begins. At approximately T+18 areas in the rods have reached 540 °C (1000 °F). Some relief comes at T+20 or so, as the negative temperature coefficient and the negative void coefficient slows the rate of temperature increase. T+25 sees power restored; however, LPCI and CS will not be online until T+40.

At T+40, core temperature is at 650 °C (1200 °F) and rising steadily; CS and LPCI kick in and begin deluging the steam above the core, and then the core itself. First, a large amount of steam still trapped above and within the core has to be knocked down, or the water will flash to steam before it reaches the rods. This happens within a few seconds, as the approximately 200,000 L/min (3,300 L/s, 52,500 US gal/min, 875 US gal/s) of water these systems release begins to cool the top of the core first, with LPCI deluging the fuel rods and CS suppressing the generated steam, until at approximately T+100 seconds all of the fuel is subject to deluge and the last remaining hot spots at the bottom of the core are being cooled. The peak temperature attained was 900 °C (1650 °F) (well below the maximum of 1200 °C (2200 °F) established by the NRC) at the bottom of the core, which was the last hot spot to be reached by the water deluge.

The core is cooled rapidly and completely, and following cooling to a reasonable temperature, below that consistent with the generation of steam, CS is shut down and LPCI is decreased in volume to a level consistent with maintenance of a steady-state temperature among the fuel rods, which will drop over a period of days due to the decrease in fission-product decay heat within the core.

After a few days of LPCI, decay heat will have abated sufficiently that defueling of the reactor can commence with a degree of caution. Following defueling, LPCI can be shut down. A long period of physical repairs will be necessary: to repair the broken recirculation loop; overhaul the ECCS, diesel pumps and diesel generators; drain the drywell; fully inspect all reactor systems; bring non-conforming systems up to spec; replace old and worn parts; and so on. At the same time, different personnel from the licensee, working hand in hand with the NRC, will evaluate what the immediate cause of the break was; search for the event that led to the immediate cause (the root causes of the accident); and then analyze the root causes and take corrective actions based on the root causes and immediate causes discovered. This is followed by a period of reflection and post-mortem on the accident: discussing which procedures worked and which did not, what could have been done better if it all happened again, and what could be done to ensure it does not happen again; and recording lessons learned to propagate them to other BWR licensees. When this is accomplished, the reactor can be refueled, resume operations, and begin producing power once more.

The ABWR and ESBWR, the most recent models of the BWR, are not vulnerable to anything like this incident in the first place, as they have no liquid penetrations (pipes) lower than several feet above the waterline of the core, and thus, the reactor pressure vessel holds in water much like a deep swimming pool in the event of a feedwater line break or a steam line break. The BWR 5s and 6s have additional tolerance, deeper water levels, and much faster emergency system reaction times. Fuel rod uncovery will briefly take place, but maximum temperature will only reach 600 °C (1,100 °F), far below the NRC safety limit.

Prior to the incidents at the Fukushima Daiichi reactor complex (involving BWR 3 and BWR 4 reactors) caused by the March 2011 Tōhoku earthquake and tsunami, no incident approaching the DBA or even a LBLOCA in severity had occurred with a BWR. The Fukushima incidents are still ongoing and it would be premature to draw conclusions on their ultimate severity, but they already exceed the severity of the DBA in several respects. For example, the primary containment vessels have had to be flooded with seawater containing boric acid, which is likely to preclude any resumption of operation. Nothing similar to the chemical explosions that have occurred at the Fukushima Daiichi reactors was anticipated in the DBA scenario.

Before this incident there had been minor incidents involving the ECCS, but in these circumstances it had performed at or beyond expectations. The most severe incident that had previously occurred with a BWR was in 1975, due to a fire caused by extremely flammable urethane foam installed in the place of fireproofing materials at the Browns Ferry Nuclear Power Plant; for a short time, the control room's monitoring equipment was cut off from the reactor, but the reactor shut down successfully, and, as of 2009, is still producing power for the Tennessee Valley Authority, having sustained no damage to systems within the containment. The fire had nothing to do with the design of the BWR – it could have occurred in any power plant, and the lessons learned from that incident resulted in the creation of a separate backup control station, compartmentalization of the power plant into fire zones, and clearly documented sets of equipment which would be available to shut down the reactor plant and maintain it in a safe condition in the event of a worst case fire in any one fire zone. These changes were retrofitted into every existing US and most Western nuclear power plants and built into new plants from that point forth.

BWR Hydrogen Management

During normal plant operations and in normal operating temperatures, the hydrogen generation is not significant. When the nuclear fuel overheats, zirconium in Zircaloy cladding used in fuel rods oxidizes in reaction with steam:

Zr + 2H2O → ZrO2 + 2H2

When mixed with air, hydrogen is flammable, and hydrogen detonation or deflagration may damage the reactor containment. In reactor designs with small containment volumes, such as in Mark I or II containments, the preferred method for managing hydrogen is pre-inerting with inert gas—generally nitrogen—to reduce the oxygen concentration in air below that needed for hydrogen combustion, and the use of thermal recombiners. Pre-inerting is considered impractical with larger containment volumes, where thermal recombiners and deliberate ignition are used.

BWR Containment System

The ultimate safety system inside and outside of every BWR is the set of numerous levels of physical shielding that both protect the reactor from the outside world and protect the outside world from the reactor.

There are five levels of shielding:

  1. The fuel rods inside the reactor pressure vessel are coated in thick Zircaloy shielding;
  2. The reactor pressure vessel itself is manufactured out of 6-inch-thick (150 mm) steel, with extremely high temperature, vibration, and corrosion resistant surgical stainless steel grade 316L plate on both the inside and outside;
  3. The primary containment structure is made of steel 1 inch thick;
  4. The secondary containment structure is made of steel-reinforced, pre-stressed concrete 1.2–2.4 meters (4–8 ft) thick;
  5. The reactor building (the shield wall/missile shield) is also made of steel-reinforced, pre-stressed concrete 0.3 m to 1 m (1–3 feet) thick.

If every possible measure standing between safe operation and core damage fails, the containment can be sealed indefinitely, and it will prevent any substantial release of radiation to the environment from occurring in nearly any circumstance.

Varieties of BWR containments

As illustrated by the descriptions of the systems above, BWRs diverge considerably in design from PWRs. Unlike the PWR, which has generally followed a very predictable external containment design (the stereotypical dome atop a cylinder), BWR containments vary in external form, and their internal layout differs strikingly from that of the PWR. There are five major varieties of BWR containments:

  • The "premodern" containment (Generation I); spherical in shape, and featuring a steam drum separator, or an out-of-RPV steam separator, and a heat exchanger for low pressure steam, this containment is now obsolete, and is not used by any operative reactor.
  • the Mark I containment, consisting of a rectangular steel-reinforced concrete building, along with an additional layer of steel-reinforced concrete surrounding the steel-lined cylindrical drywell and the steel-lined pressure suppression torus below. The Mark I was the earliest type of containment in wide use, and many reactors with Mark Is are still in service today. There have been numerous safety upgrades made over the years to this type of containment, especially to provide for orderly reduction of containment load caused by pressure in a compounded limiting fault. The reactor building of the Mark I generally is in the form of a large rectangular structure of reinforced concrete.
  • the Mark II containment, similar to the Mark I, but omitting a distinct pressure suppression torus in favor of a cylindrical wetwell below the non-reactor cavity section of the drywell. Both the wetwell and the drywell have a primary containment structure of steel as in the Mark I, as well as the Mark I's layers of steel-reinforced concrete composing the secondary containment between the outer primary containment structure and the outer wall of the reactor building proper. The reactor building of the Mark II generally is in the form of a flat-topped cylinder.
  • the Mark III containment, generally similar in external shape to the stereotypical PWR, and with some similarities on the inside, at least on a superficial level. For example, rather than having a slab of concrete that staff could walk upon while the reactor was not being refueled covering the top of the primary containment and the RPV directly underneath, the Mark III takes the BWR in a more PWRish direction by placing a water pool over this slab. Additional changes include abstracting the wetwell into a pressure-suppression pool with a weir wall separating it from the drywell.
  • Advanced containments; the present models of BWR containments for the ABWR and the ESBWR hark back to the classical Mark I/II style of being quite distinct from the PWR on the outside as well as the inside, though both reactors incorporate the Mark III-ish style of having non-safety-related buildings surrounding or attached to the reactor building, rather than being overtly distinct from it. These containments are also designed to withstand far more than previous containments were, providing advanced safety. In particular, GE regards these containments as being able to withstand a direct hit by a tornado of old Fujita scale F6 with winds of 330+ miles per hour. Such a tornado has never been measured on earth. They are also designed to withstand seismic accelerations of 0.2 g, or nearly 2 meters per second² in any direction.

Standby Liquid Control System (SLCS)

The standby liquid control system is used in the event of major contingencies as a last measure to prevent core damage. It is not intended ever to be used, as the RPS and ECCS are designed to respond to all contingencies, even if quite a few of their components fail, but if a complete ECCS failure occurs during a limiting fault, it could be the only thing capable of preventing core damage. The SLCS consists of a tank containing borated water as a neutron absorber, protected by explosively-opened valves and redundant battery-operated pumps, allowing the injection of the borated water into the reactor against any pressure within; the borated water can and will shut down a reactor gone out of control. The SLCS also provides an additional layer of defense in depth against an ATWS (anticipated transient without scram) derangement, but this is an extreme measure that can be avoided by numerous other channels (ARI and use of redundant hydraulics).

Versioning note: The SLCS is a system that is never meant to be activated unless all other measures have failed. In the BWR/1 – BWR/6, its activation could cause sufficient damage to the plant that it could make the older BWRs inoperable without a complete overhaul. With the arrival of the ABWR and (E)SBWR, operators do not have to be as hesitant about activating the SLCS, as these reactors have a Reactor Water Cleanup System (RWCS) – once the reactor has stabilized, the borated water within the RPV can be filtered through this system to promptly remove the soluble neutron absorbers that it contains and thus avoid damage to the internals of the plant.

Emergency Core-Cooling System (ECCS)

While the reactor protection system is designed to prevent contingencies from happening, the ECCS is designed to respond to contingencies if they do happen. The ECCS is a set of interrelated safety systems that are designed to protect the fuel within the reactor pressure vessel, which is referred to as the "reactor core", from overheating. These systems accomplish this by maintaining reactor pressure vessel (RPV) cooling water level, or if that is impossible, by directly flooding the core with coolant.

These systems are of 3 major types:

  1. High pressure systems: These are designed to protect the core by injecting large quantities of water into it to prevent the fuel from being uncovered by a decreasing water level. Generally used in cases with stuck-open safety valves, small breaks of auxiliary pipes, and particularly violent transients caused by turbine trip and main steam isolation valve closure. If the water level cannot be maintained with high pressure systems alone (the water level still is falling below a preset point with the high-pressure systems working full-bore), the next set of systems responds.
  2. Depressurization systems: These systems are designed to maintain reactor pressure within safety limits. Additionally, if reactor water level cannot be maintained with high-pressure coolant systems alone, the depressurization system can reduce reactor pressure to a level at which the low-pressure coolant systems can function.
  3. Low-pressure systems: These systems are designed to function after the depressurization systems have acted. They have extremely large capacities compared to the high-pressure systems and are supplied by multiple, redundant power sources. They will maintain any maintainable water level and, in the event of a large pipe break of the worst type below the core that leads to temporary fuel rod "uncovery", will rapidly mitigate that state before the fuel heats to the point where core damage could occur.

High-pressure coolant injection system (HPCI)

The high-pressure coolant injection system is the first line of defense in the emergency core cooling system. HPCI is designed to inject substantial quantities of water into the reactor while it is at high pressure so as to prevent the activation of the automatic depressurization, core spray, and low pressure coolant injection systems. HPCI is powered by steam from the reactor, and takes approximately 10 seconds to spin up from an initiating signal, and can deliver approximately 19,000 L/min (5,000 US gal/min) to the core at any core pressure above 6.8 atm (690 kPa, 100 psi). This is usually enough to keep water levels sufficient to avoid automatic depressurization except in a major contingency, such as a large break in the makeup water line.

Versioning note: The BWR/6 replaces HPCI with high-pressure core spray (HPCS); ABWRs and (E)SBWRs replace HPCI with high-pressure core flooder (HPCF), a mode of the RCIC system, as described below.

Reactor core isolation cooling system (RCIC)

The reactor core isolation cooling system is not a safety-related system proper, but is included because it can help cool the reactor in the event of a contingency, and it has additional functionality in advanced versions of the BWR.

RCIC is designed to remove the residual heat of the fuel from the reactor once it has been shut down. It injects approximately 2,000 L/min (600 US gal/min) into the reactor core for this purpose, at high pressure. It also takes less time to start than the HPCI system, approximately 5 seconds from an initiating signal.

The RCIC system is operable with no electric power other than battery power. During a station blackout (where all off-site power is lost and the diesel generators fail) the RCIC is capable of providing decay heat removal by itself.

Versioning note: RCIC and HPCF are integrated in ABWRs and (E)SBWRs, with HPCF representing the high-capacity mode of RCIC. In the (E)SBWR series of reactors, there is an additional contingency residual heat removal capability for RCIC, the Isolation Condenser System (IC); in the (E)SBWR, there are several separate trains of heat exchangers located above the RPV in deep pools of water within the reactor building but outside and above the primary containment. In the event of a contingency, the decay heat of the reactor will boil water to steam within the RPV. The RPS will activate several valves connecting the RPV to the IC system; the steam from the RPV decay heat will flow into the heat exchangers (called Isolation Condensers) and be condensed and cooled back to liquid. The water will then return to the RPV through the force of gravity.

Automatic depressurization system (ADS)

The automatic depressurization system is not a part of the cooling system proper, but is an essential adjunct to the ECCS. It is designed to activate in the event that the RPV is retaining pressure but RPV water level cannot be maintained using high pressure cooling alone, so that low pressure cooling must be initiated. When ADS fires, it rapidly releases pressure from the RPV in the form of steam through pipes that discharge below the water level in the suppression pool (the torus/wetwell, which is designed to condense the steam released by ADS or other safety valve activation into water), bringing the reactor vessel below 32 atm (3200 kPa, 465 psi) and allowing the low pressure cooling systems (LPCS/LPCI/LPCF/GDCS), which have comparatively very large and robust coolant injection capacities, to be brought to bear on the reactor core.

Low-pressure core spray system (LPCS)

The low-pressure core spray system is designed to suppress steam generated by a major contingency. As such, it prevents reactor vessel pressure from going above the point where LPCI and LPCS would be ineffective, which is above 32 atm (3200 kPa, 465 psi). It activates below that level, and delivers approximately 48,000 L/min (12,500 US gal/min) of water in a deluge from the top of the core.

Versioning note: In ABWRs and (E)SBWRs, there are additional water spray systems to cool the drywell and the suppression pool.

Low-pressure coolant injection system (LPCI)

The low-pressure coolant injection system, the "heavy artillery" in the ECCS, can be operated at reactor vessel pressures below 465 psi. The LPCI consists of 4 pumps driven by diesel engines, and is capable of injecting a mammoth 150,000 L/min (40,000 US gal/min) of water into the core. Combined with the CS to keep steam pressure low, the LPCI is designed to suppress contingencies by rapidly and completely flooding the core with coolant.

Versioning note: ABWRs replace LPCI with low-pressure core flooder (LPCF), which operates using similar principles. (E)SBWRs replace LPCI with the DPVS/PCCS/GDCS, as described below.
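The following is an added example, not GE's logic or code from the original article, that turns the capacities and thresholds quoted in the ECCS sections above (and the timing in the DBA narrative earlier) into a small availability model: given the time since the initiating signal and the RPV pressure, it reports which BWR/4 injection sources can actually deliver water and how much. Assumptions beyond the text: HPCI's stated 6.8 atm steam floor is applied to RCIC as well; the low-pressure systems are modelled as usable 40 s after the signal, the figure the DBA narrative gives for diesel-backed LPCI/CS after a loss of offsite power; the pressure profile at the bottom is constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Capacities and thresholds are the BWR/4 figures quoted in the text above.
STEAM_FLOOR_ATM = 6.8      # HPCI's stated floor; applied to RCIC as an assumption
LP_CEILING_ATM = 32.0      # LPCS/LPCI are ineffective above this (the ADS target)
LP_START_DELAY_S = 40.0    # assumption: diesel-backed LPCI/CS time from the DBA narrative


@dataclass(frozen=True)
class InjectionSystem:
    name: str
    flow_l_min: float
    start_delay_s: float    # seconds from the initiating signal until usable
    steam_driven: bool      # True: needs RPV steam pressure; False: needs low pressure


SYSTEMS = (
    InjectionSystem("RCIC", 2_000, 5.0, True),
    InjectionSystem("HPCI", 19_000, 10.0, True),
    InjectionSystem("LPCS", 48_000, LP_START_DELAY_S, False),
    InjectionSystem("LPCI", 150_000, LP_START_DELAY_S, False),
)


def available(t_s: float, pressure_atm: float) -> List[InjectionSystem]:
    """Systems able to inject at t_s seconds after the initiating signal
    with the RPV at pressure_atm."""
    out = []
    for s in SYSTEMS:
        if t_s < s.start_delay_s:
            continue                      # still spinning up / diesels starting
        if s.steam_driven and pressure_atm <= STEAM_FLOOR_ATM:
            continue                      # no steam left to drive the turbine pump
        if not s.steam_driven and pressure_atm >= LP_CEILING_ATM:
            continue                      # pump head cannot overcome RPV pressure
        out.append(s)
    return out


def available_names(t_s: float, pressure_atm: float) -> List[str]:
    return [s.name for s in available(t_s, pressure_atm)]


def total_flow_l_min(t_s: float, pressure_atm: float) -> float:
    return float(sum(s.flow_l_min for s in available(t_s, pressure_atm)))


def ads_should_fire(pressure_atm: float, level_holding: bool) -> bool:
    """ADS actuates when the RPV is still holding pressure above the
    low-pressure band but high-pressure cooling cannot hold the level."""
    return (not level_holding) and pressure_atm >= LP_CEILING_ATM


def injection_timeline(pressure_profile: List[Tuple[float, float]]):
    """pressure_profile: time-ordered (t_s, rpv_pressure_atm) pairs.
    Returns (t_s, names, total_flow_l_min) rows."""
    return [(t, available_names(t, p), total_flow_l_min(t, p))
            for t, p in pressure_profile]


# Constructed profile in the spirit of the DBA narrative: the recirculation
# line break depressurises the vessel far faster than any pump can respond,
# leaving a window in which no injection source is usable.
CONSTRUCTED_LBLOCA_PROFILE = [(0, 70.0), (5, 40.0), (10, 15.0), (15, 5.0),
                              (25, 3.0), (40, 2.0), (100, 1.5)]

if __name__ == "__main__":
    for t, names, flow in injection_timeline(CONSTRUCTED_LBLOCA_PROFILE):
        print(f"T+{t:>3} s: {names or ['none']}  {flow:>9,.0f} L/min")
```

The model reproduces the point the DBA narrative makes: for the large break the steam-driven systems lose their motive force before the low-pressure pumps are ready, so the interval between T+15 and T+40 has no usable injection source at all, and the 198,000 L/min that arrives afterwards is what actually arrests the heat-up.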

Depressurization valve system (DPVS) / passive containment cooling system (PCCS) / gravity-driven cooling system (GDCS)

The (E)SBWR has an additional ECCS capacity that is completely passive, unique, and significantly improves defense in depth. This system is activated when the water level within the RPV falls to Level 1. At this point, a countdown timer is started.

There are several large depressurization valves located near the top of the reactor pressure vessel. These constitute the DPVS. This is a capability supplemental to the ADS, which is also included on the (E)SBWR. The DPVS consists of eight of these valves, four on main steamlines that vent to the drywell when actuated and four venting directly into the drywell.

If Level 1 is not resubmerged within 50 seconds of the timer starting, DPVS will fire and will rapidly vent any pressure contained within the reactor pressure vessel into the drywell. This will cause the water within the RPV to gain in volume (due to the drop in pressure) which will increase the water available to cool the core. In addition, the depressurization will cause a lower boiling point, and thus more steam bubbles will form, decreasing moderation; this, in turn, decreases decay heat production, while still maintaining adequate cooling. (In fact, both the ESBWR and the ABWR are designed so that even in the maximum feasible contingency, the core never loses its layer of water coolant.)

If Level 1 is still not resubmerged within 100 seconds of DPVS actuation, the GDCS valves fire. The GDCS is a series of very large water tanks located above and to the side of the Reactor Pressure Vessel within the drywell. When these valves fire, the GDCS is directly connected to the RPV. After ~50 more seconds of depressurization, the pressure within the GDCS will equalize with that of the RPV and drywell, and the water of the GDCS will begin flowing into the RPV.

The water within the RPV will boil into steam from the decay heat, and natural convection will cause it to travel upwards into the drywell, into piping assemblies in the ceiling that will take the steam to four large heat exchangers – the Passive Containment Cooling System (PCCS) – located above the drywell – in deep pools of water. The steam will be cooled, and will condense back into liquid water. The liquid water will drain from the heat exchanger back into the GDCS pool, where it can flow back into the RPV to make up for additional water boiled by decay heat. In addition, if the GDCS lines break, the shape of the RPV and the drywell will ensure that a "lake" of liquid water forms that submerges the bottom of the RPV (and the core within).

There is sufficient water to cool the heat exchangers of the PCCS for 72 hours. At this point, all that needs to happen is for the pools that cool the PCCS heat exchangers to be refilled, which is a comparatively trivial operation, doable with a portable fire pump and hoses.
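The timer sequence described above (Level 1 reached, DPVS after 50 s, GDCS valves 100 s after DPVS, flow about 50 s later) is easy to get subtly wrong, in particular the cancellation paths when the level recovers part-way through. The following added example, which is not GE's logic or code from the original article, encodes the sequence as a small state machine driven by time-stamped level samples. Assumptions: level is measured relative to Level 1 (zero or below means Level 1 is reached), the "~50 seconds" to flow is treated as exactly 50 s, and recovery of the level before the GDCS valves open stops the countdown; the sample series at the bottom is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DPVS_DELAY_S = 50.0         # DPVS fires if Level 1 not resubmerged within 50 s
GDCS_VALVE_DELAY_S = 100.0  # GDCS valves fire 100 s after DPVS if still not resubmerged
GDCS_FLOW_DELAY_S = 50.0    # "~50 more seconds" on the page, treated as exact here
LEVEL_1 = 0.0               # constructed: levels are expressed relative to Level 1


@dataclass
class SequenceResult:
    timer_start: Optional[float] = None      # when level first reached Level 1
    dpvs_fire: Optional[float] = None        # DPVS actuation time
    gdcs_valves_open: Optional[float] = None # GDCS valve actuation time
    gdcs_flow_start: Optional[float] = None  # when GDCS water starts entering the RPV
    cancelled_at: Optional[float] = None     # level recovered before GDCS committed


def run_sequence(samples: List[Tuple[float, float]]) -> SequenceResult:
    """samples: time-ordered (time_s, level relative to Level 1) pairs."""
    r = SequenceResult()
    for t, level in samples:
        below = level <= LEVEL_1
        if r.timer_start is None:
            if below:
                r.timer_start = t        # Level 1 reached: start the countdown
            continue
        if not below:
            # Level 1 resubmerged before GDCS committed: the sequence stops.
            # DPVS may already have fired; that is recorded, not undone.
            r.cancelled_at = t
            return r
        if r.dpvs_fire is None and t - r.timer_start >= DPVS_DELAY_S:
            r.dpvs_fire = r.timer_start + DPVS_DELAY_S
        if (r.dpvs_fire is not None
                and t - r.dpvs_fire >= GDCS_VALVE_DELAY_S):
            r.gdcs_valves_open = r.dpvs_fire + GDCS_VALVE_DELAY_S
            r.gdcs_flow_start = r.gdcs_valves_open + GDCS_FLOW_DELAY_S
            return r                     # GDCS committed; nothing further to decide
    return r


# Constructed sample series: level drops steadily, reaching Level 1 at t = 20 s
# and never recovering, so the full DPVS -> GDCS sequence plays out.
CONSTRUCTED_LOCA_SAMPLES = [(t, 1.0 - t / 20.0) for t in range(0, 240, 10)]

if __name__ == "__main__":
    print(run_sequence(CONSTRUCTED_LOCA_SAMPLES))
    # Recovery case: level comes back 60 s after Level 1, after DPVS but before GDCS.
    print(run_sequence([(0, 0.0), (60, -0.1), (120, 0.2)]))
```

With the constructed series the result is timer start at 20 s, DPVS at 70 s, GDCS valves at 170 s and flow at 220 s; the recovery case shows DPVS firing at 50 s and the sequence being cancelled at 120 s with the GDCS valves never opening.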

GE has a computerized animation of how the ESBWR functions during a pipe break incident on its website.

Reactor Protection System (RPS)

The Reactor Protection System (RPS) is a system, computerized in later BWR models, that is designed to automatically, rapidly, and completely shut down and make safe the Nuclear Steam Supply System (NSSS – the reactor pressure vessel, pumps, and water/steam piping within the containment) if some event occurs that could result in the reactor entering an unsafe operating condition. In addition, the RPS can automatically spin up the Emergency Core Cooling System (ECCS) upon detection of several signals. It does not require human intervention to operate. However, the reactor operators can override parts of the RPS if necessary. If an operator recognizes a deteriorating condition, and knows an automatic safety system will activate, they are trained to pre-emptively activate the safety system.

If the reactor is at power or ascending to power (i.e. if the reactor is supercritical; the control rods are withdrawn to the point where the reactor generates more neutrons than it absorbs) there are safety-related contingencies that may arise that necessitate a rapid shutdown of the reactor, or, in Western nuclear parlance, a "SCRAM". The SCRAM is a manually triggered or automatically triggered rapid insertion of all control rods into the reactor, which will take the reactor to decay heat power levels within tens of seconds. Since ~0.6% of neutrons are emitted from fission products ("delayed" neutrons), which are born seconds to minutes after fission, all fission cannot be terminated instantaneously, but the fuel soon returns to decay heat power levels. Manual SCRAMs may be initiated by the reactor operators, while automatic SCRAMs are initiated upon:

  1. Turbine stop-valve or turbine control-valve closure.
    1. If turbine protection systems detect a significant anomaly, admission of steam is halted. Reactor rapid shutdown is in anticipation of a pressure transient that could increase reactivity.
    2. Generator load rejection will also cause closure of turbine valves and trip RPS.
  2. Loss of offsite power (LOOP)
    1. During normal operation, the reactor protection system (RPS) is powered by offsite power.
      1. Loss of offsite power would open all relays in the RPS, causing all rapid shutdown signals to come in redundantly.
      2. Loss of offsite power would also cause the MSIVs to close, since the RPS is fail-safe; the plant assumes a main steam break is coincident with loss of offsite power.
  3. Neutron Monitor Trips – the purpose of these trips is to ensure an even increase in neutron and thermal power during startup.
    1. Source range monitor (SRM) / intermediate-range monitor (IRM) upscale:
      1. The SRM, used during instrument calibration, pre-critical, and early non-thermal criticality, and the IRM, used during ascension to power, middle/late non-thermal, and early/middle thermal stages, both have trips built in that prevent rapid decreases in reactor period when reactor is intensely reactive (e.g. when no voids exist, water is cold, and water is dense) without positive operator confirmation that such decreases in period are their intention. Prior to trips occurring, rod movement blocks will be activated to ensure operator vigilance if preset levels are marginally exceeded.
    2. Average power range monitor (APRM) upscale:
      1. Prevents reactor from exceeding pre-set neutron power level maxima during operation or relative maxima prior to positive operator confirmation of end of startup by transition of reactor state into "Run".
    3. Average power range monitor / coolant flow thermal trip:
      1. Prevents reactor from exceeding variable power levels without sufficient coolant flow for that level being present.
  4. Low reactor water level indicative of:
    1. Loss of coolant contingency (LOCA)
    2. Loss of proper feedwater (LOFW)
    3. etc.
  5. High drywell (primary containment) pressure
    1. Indicative of potential loss of coolant contingency
  6. Main steam isolation valve closure (MSIV)
    1. Redundant backup for turbine trip
    2. Indicative of potential main steam line break
  7. High RPV pressure:
    1. Indicative of MSIV closure.
    2. Decreases reactivity to compensate for boiling void collapse due to high pressure.
    3. Prevents pressure relief valves from opening.
    4. Serves as a backup for several other trips, like turbine trip.
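The trip list above describes a fail-safe, de-energize-to-trip protection system: relays are held energized only while powered and within limits, so loss of offsite power (or a dead sensor) drops every channel and closes the MSIVs. The following Python model is an added example, not the article's or any plant's logic; the setpoints and the flow-biased APRM limit are constructed placeholders.

```python
"""Toy model of a fail-safe (de-energize-to-trip) reactor protection
system, as described in the trip list above.  Each channel relay stays
energized only while it has power and a valid in-limits reading; any
relay dropping out demands a scram, so loss of offsite power or a dead
sensor trips the reactor instead of silently disarming it.  Added
example, not plant logic; all setpoints are constructed placeholders."""
from dataclasses import dataclass
from typing import Optional

# Constructed setpoints (placeholders, not real plant values)
LOW_LEVEL_CM = 0.0            # RPV water level relative to a reference mark
HIGH_RPV_PRESSURE_MPA = 7.5
HIGH_DRYWELL_KPA = 115.0

@dataclass
class PlantState:
    offsite_power: bool
    msiv_open: bool
    rpv_level_cm: Optional[float] = 50.0       # None = no valid reading
    rpv_pressure_mpa: Optional[float] = 7.0
    drywell_kpa: Optional[float] = 101.0
    neutron_power_pct: Optional[float] = 100.0
    coolant_flow_pct: Optional[float] = 100.0

def flow_biased_limit(flow_pct):
    """Constructed APRM/flow limit: allowed neutron power rises with flow."""
    return min(120.0, 40.0 + 0.8 * flow_pct)

def relay_energized(powered, value, in_limits):
    """A de-energize-to-trip relay: picked up only with power and a valid
    reading inside limits, so every failure mode opens the contact."""
    return bool(powered and value is not None and in_limits(value))

def evaluate_rps(s):
    """Return (scram_demanded, tripped_channels, msiv_closed)."""
    # MSIVs are fail-safe too: they close on loss of offsite power because
    # the plant assumes a main steam break coincides with the LOOP.
    msiv_closed = (not s.msiv_open) or (not s.offsite_power)
    p = s.offsite_power
    aprm_ok = (s.neutron_power_pct is not None and s.coolant_flow_pct is not None
               and s.neutron_power_pct <= flow_biased_limit(s.coolant_flow_pct))
    channels = {
        "low RPV water level": relay_energized(p, s.rpv_level_cm, lambda v: v > LOW_LEVEL_CM),
        "high RPV pressure": relay_energized(p, s.rpv_pressure_mpa, lambda v: v < HIGH_RPV_PRESSURE_MPA),
        "high drywell pressure": relay_energized(p, s.drywell_kpa, lambda v: v < HIGH_DRYWELL_KPA),
        "MSIV closure": p and not msiv_closed,
        "APRM/flow thermal": p and aprm_ok,
    }
    tripped = [name for name, energized in channels.items() if not energized]
    return (len(tripped) > 0, tripped, msiv_closed)

if __name__ == "__main__":
    print("LOOP:", evaluate_rps(PlantState(offsite_power=False, msiv_open=True)))
```

Note that the loss-of-offsite-power case trips all five channels at once, which is the "redundant" signalling the list describes.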

Boiling Water Reactor Safety Systems

Boiling water reactor (BWR) safety systems are nuclear safety systems constructed within boiling water reactors in order to prevent or mitigate environmental and health hazards in the event of accident or natural disaster.

Like the pressurized water reactor, the BWR reactor core continues to produce heat from radioactive decay after the fission reactions have stopped, making a core damage incident possible in the event that all safety systems have failed and the core does not receive coolant. Also like the pressurized water reactor, a boiling water reactor has a negative void coefficient, that is, the neutron (and the thermal) output of the reactor decreases as the proportion of steam to liquid water increases inside the reactor.

However, unlike a pressurized water reactor which contains no steam in the reactor core, a sudden increase in BWR steam pressure (caused, for example, by the actuation of the main steam isolation valve (MSIV) from the reactor) will result in a sudden decrease in the proportion of steam to liquid water inside the reactor. The increased ratio of water to steam will lead to increased neutron moderation, which in turn will cause an increase in the power output of the reactor. This type of event is referred to as a "pressure transient".

The BWR is specifically designed to respond to pressure transients, having a "pressure suppression" type of design which vents overpressure using safety relief valves to below the surface of a pool of liquid water within the containment, known as the "wetwell" or "torus". There are 11 safety overpressure relief valves on BWR/1-BWR/6 models (7 of which are part of the ADS) and 18 safety overpressure relief valves on ABWR models, only a few of which have to function to stop the pressure rise of a transient. In addition, the reactor will already have rapidly shut down before the transient affects the RPV (as described in the Reactor Protection System section below).

Because of this effect in BWRs, operating components and safety systems are designed to ensure that no credible scenario can cause a pressure and power increase that exceeds the systems' capability to quickly shut down the reactor before damage to the fuel or to components containing the reactor coolant can occur. In the limiting case of an ATWS (Anticipated Transient Without Scram) derangement, high neutron power levels (~ 200%) can occur for less than a second, after which actuation of the SRVs will cause the pressure to drop off rapidly. Neutronic power will fall to far below nominal power (to the range of 30%, as circulation ceases and voids are therefore no longer cleared) even before ARI (alternate rod insertion) or SLCS (standby liquid control system) actuation occurs. Thermal power will be barely affected.

In the event of a contingency that disables all of the safety systems, each reactor is surrounded by a containment building consisting of 1.2–2.4 m (4–8 ft) of steel-reinforced, pre-stressed concrete designed to seal off the reactor from the environment.

However, the containment building does not protect the fuel during the whole fuel cycle. Most importantly, the spent fuel resides for long periods of time outside the primary containment. A typical spent fuel storage pool can hold roughly five times the fuel in the core. Since reloads typically discharge one third of a core, much of the spent fuel stored in the pool will have had considerable decay time. But if the pool were to be drained of water, the discharged fuel from the previous two refuelings would still be "fresh" enough to melt under decay heat. Moreover, the zircaloy cladding of this fuel could be ignited during the heatup. The resulting fire would probably spread to most or all of the fuel in the pool. The heat of combustion, in combination with decay heat, would probably drive "borderline aged" fuel into a molten condition. Moreover, if the fire becomes oxygen-starved (quite probable for a fire located in the bottom of a pit such as this), the hot zirconium would rob oxygen from the uranium dioxide fuel, forming a liquid mixture of metallic uranium, zirconium, oxidized zirconium, and dissolved uranium dioxide. This would cause a release of fission products from the fuel matrix quite comparable to that of molten fuel. In addition, although confined, BWR spent fuel pools are almost always located outside of the primary containment. Generation of hydrogen during the process would probably result in an explosion damaging the secondary containment building. Thus, release to the atmosphere is more likely than for comparable accidents involving the reactor core.

A spent fuel pool accident releasing radioactive material to the atmosphere happened in a Mk-1 type BWR reactor in Fukushima, Japan, on March 14, 2011.

Nuclear Reactor Safety Systems

The three primary objectives of nuclear safety systems as defined by the Nuclear Regulatory Commission are to shut down the reactor, maintain it in a shutdown condition, and prevent the release of radioactive material during events and accidents. These objectives are accomplished using a variety of equipment, which is part of different systems, of which each performs specific functions.

Reactor protection system (RPS)

A reactor protection system is composed of systems that are designed to immediately terminate the nuclear reaction. While the reactor is operating, the nuclear reaction continues to produce heat and radiation. By breaking the chain reaction, the source of heat can be eliminated, and other systems can then be used to continue to remove decay heat from the core. All plants have some form of the following reactor protection systems:

Control rods

Control rods are a series of metal rods that can be quickly inserted into the core to absorb neutrons and rapidly terminate the nuclear reaction. See control rods for more information.

Safety injection / standby liquid control

A nuclear reaction can also be stopped by injecting a liquid that absorbs neutrons directly into the core. In boiling water reactors this usually consists of a solution containing boron (such as boric acid), which can be injected to displace the water in the core. A signature of pressurized water reactors is that they use a boron solution in addition to control rods to control the reaction, and so the concentration is simply increased to slow or stop the reaction.

Essential service water system (ESWS)

The essential service water system (ESWS) circulates the water that cools the plant’s heat exchangers and other components before dissipating the heat into the environment. Because this includes cooling the systems that remove decay heat from both the primary system and the spent fuel rod cooling ponds, the ESWS is a safety-critical system. Since the water is frequently drawn from an adjacent river, the sea, or other large body of water, the system can be endangered by large volumes of seaweed, marine organisms, oil pollution, ice and debris. In locations without a large body of water in which to dissipate the heat, water is recirculated via a cooling tower.

The failure of half of the ESWS pumps was one of the factors that endangered safety in the 1999 Blayais Nuclear Power Plant flood, while a total loss occurred during the Fukushima I and Fukushima II nuclear accidents in 2011.

Emergency core cooling system (ECCS)

An emergency core cooling system comprises a series of systems that are designed to safely shut down a nuclear reactor during accident conditions. Under normal conditions, heat is removed from a nuclear reactor by condensing steam after it passes through the turbine. In a boiling water reactor, condensed steam (water) is fed back into the reactor. In a pressurized water reactor, it is fed back through the heat exchanger. In both cases, this keeps the reactor core at a constant temperature. During an accident, the condenser is not used, so alternate methods of cooling are required to prevent damage to the nuclear fuel.

These systems allow the plant to respond to a variety of accident conditions, and additionally introduce redundancy so that the plant can be shut down even with one or more subsystem failures.

In most plants, ECCS is composed of the following systems:

High pressure coolant injection system (HPCI)

This system consists of a pump or pumps that have sufficient pressure to inject coolant into the reactor vessel while it is pressurized. It is designed to monitor the level of coolant in the reactor vessel and automatically inject coolant when the level drops below certain setpoints. This system is normally the first line of defense for a reactor since it can be used while the reactor vessel is still highly pressurized.

Depressurization system (ADS)

This system consists of a series of valves which open to vent steam several feet under the surface of a large pool of liquid water (known as the wetwell or torus) in pressure suppression type containments, or directly into the primary containment structure in other types of containments, such as large-dry, ice-condenser, and sub-atmospheric containments. The actuation of these valves depressurizes the reactor vessel and allows the lower pressure coolant injection systems to function, which have very large capacities in comparison to high pressure systems. Some depressurization systems are automatic in function but can be inhibited; others are manual and can be activated by operators if necessary.

Low pressure coolant injection system (LPCI)

This system consists of a pump or pumps which inject additional coolant into the reactor vessel once it has been depressurized.

In some nuclear power plants, LPCI is a mode of operation of a residual heat removal system (RHR or RHS). LPCI is generally not a stand-alone system.

Corespray system

This system uses spargers (special spray nozzles) within the reactor pressure vessel to spray water directly onto the fuel rods, suppressing the generation of steam. Reactor designs can include corespray in high-pressure and low-pressure modes.

Containment spray system

This system consists of a series of pumps and spargers which spray coolant into the primary containment structure. It is designed to condense the steam into liquid water within the primary containment structure to prevent overpressure, which could lead to involuntary depressurization.

Isolation cooling system

This system is often driven by a steam turbine, and is used to provide enough water to safely cool the reactor if the reactor building is isolated from the control and turbine buildings. As it does not require large amounts of electricity to run, and runs off the plant batteries, rather than the diesel generators, it is a defensive system against a condition known as station blackout.

Emergency electrical systems

Under normal conditions, nuclear power plants receive power from off-site. However, during an accident a plant may lose access to this power supply and thus may be required to generate its own power to supply its emergency systems. These electrical systems usually consist of diesel generators and batteries.

Diesel generators

Diesel generators are employed to power the site during emergency situations. They are usually sized such that a single one can provide all the power required for a facility to shut down during an emergency, which allows facilities to have multiple generators for redundancy. Additionally, systems which are not required to shut down the reactor have separate electrical sources (often their own generators) so that they do not affect shutdown capability.

Motor generator flywheels

Loss of electrical power can occur suddenly, and it can damage or undermine equipment. To prevent damage, motor-generators can be tied to flywheels which can provide uninterrupted electrical power to equipment for a brief period of time. Often they are used to provide electrical power until the plant electrical supply can be switched to the batteries and/or diesel generators.

Batteries

Batteries often form the final redundant backup electrical system and are also capable of providing sufficient electrical power to shut down a plant. The DC power generated by batteries can be converted to AC power to run AC devices such as motors using an electrical inverter.

Containment systems

Containment systems are designed to prevent the release of radioactive material into the environment.

Fuel cladding

The fuel cladding is the first layer of protection around the nuclear fuel and is designed to protect the fuel from corrosion that would spread fuel material throughout the reactor coolant circuit. In most reactors it takes the form of a sealed metallic or ceramic layer. It also serves to trap fission products, especially ones that are gaseous at the temperatures reached within the reactor, such as krypton, xenon and iodine. Cladding does not constitute shielding, and must be designed to absorb as little radiation as possible. For this reason, materials such as magnesium and zirconium are used for their low neutron capture cross sections.

Reactor vessel

The reactor vessel is the first layer of shielding around the nuclear fuel and usually is designed to trap most of the radiation released during a nuclear reaction. The reactor vessel is also designed to withstand high pressures.

Primary containment

The primary containment system usually consists of a large metal and concrete structure (often cylindrical or bulb shaped) which contains the reactor vessel. In most reactors it also contains all of the radioactive contaminated systems. The primary containment system is designed to withstand strong internal pressures resulting from a leak or intentional depressurization of the reactor vessel.

Secondary containment

Some plants have a secondary containment system which encompasses the primary system. This is very common in BWRs because most of the steam systems, including the turbine, contain radioactive materials.

Core catching

In case of a full melt-down, the fuel would most likely end up on the concrete floor of the primary containment building. Concrete can withstand a great deal of heat, so the thick flat concrete floor in the primary containment will often be sufficient protection against the so-called China Syndrome. The Chernobyl plant did not have a containment building, but the core was eventually stopped by the concrete foundation. Due to concerns that the core would melt its way through the concrete, a "core catching device" was invented, and a mine was quickly dug under the plant with the intention of installing such a device. The device contains a quantity of metal which would melt, diluting the corium and increasing its heat conductivity; the diluted metallic mass could then be cooled by water circulating in the floor. Today, all new Russian-designed reactors are equipped with core-catchers in the bottom of the containment building.

Non-containable events

Nuclear events outside of the primary containment building will not be contained. Any accident involving the spent fuel pool, which is outside of the primary containment, will not be contained.

Ventilation and radiation protection

In case of a radioactive release, most plants have a system designed to remove radiation from the air to reduce the effects of the radiation release on the employees and public. This system usually consists of the following:

Containment ventilation

This system is designed to remove radiation and steam from primary containment in the event that the depressurization system was used to vent steam into primary containment.

Control room ventilation

This system is designed to ensure that the operators who are required to operate the plant are protected in the event of a radioactive release. This system often consists of activated charcoal filters which remove radioactive isotopes from the air.