REACTOR PROTECTIVE SYSTEMS

5.2.1 Automatic Shutdown

The features described in section 5.1 are present whatever the details of the design. Protection is also given by systems designed deliberately to prevent accidents or to prevent them from causing damage. Very often protective systems serve the dual function of preventing injury to people (plant operating staff and the general public) by stopping the release of radioactivity, and of minimising damage to the reactor itself.

“Active” protective systems depend on detecting that something is wrong and then taking automatic protective action, which is usually to shut down the reactor. The output from a sensor, such as a thermocouple or a neutron monitor, is amplified and compared with a reference, or “trip”, level; if the trip level is exceeded the protective action is taken.

If the trip system is to offer real protection it must be “fail-safe”: a failure of the sensor or of its circuit must itself register as the dangerous condition. Thus if a thermocouple circuit is broken or short-circuited the amplifier must give an output above the trip level, and if the high-voltage supply to a neutron detector fails so that it gives zero output the trip circuit must be activated.

It is of course essential to avoid tripping the reactor unnecessarily, and it must certainly not be tripped every time a thermocouple fails. This implies that a “two-out-of-three” system, or a variant of it, has to be used. Each sensor needed for protective action is triplicated. If one channel indicates danger an alarm is sounded but no other action is taken; if two or more indicate danger the reactor is tripped. Because a failed channel reads as a demand, a single failure produces only an alarm, and a spurious trip requires two channels to fail at the same time, which is far less likely than a single failure. Adding a fourth sensor allows one instrument to be taken out for maintenance while the reactor is operating, the remaining three continuing to vote two-out-of-three, so the reliability of the arrangement is not compromised. A detailed statistical discussion of the reliability of multiple protective systems is given by Lewis (1977), pp. 103-126.
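The voting and fail-safe rules above, as an added example in Python (not code from the original text): a failed channel is mapped to a trip demand, one demand only alarms, two of three trip, a fourth channel can be bypassed for maintenance without losing two-out-of-three coverage, and the spurious-trip and failure-to-trip probabilities of one-out-of-one, two-out-of-three and one-out-of-three arrangements are compared. The trip setpoint, channel readings and failure probabilities are constructed for illustration.

```python
"""
Two-out-of-three (2oo3) trip voting with fail-safe channel handling.

Added example, not from the original text. The trip setpoint, the
sample readings and the per-channel failure probabilities are
constructed for illustration.
"""
from enum import Enum
from math import comb
from typing import Dict, Optional, Sequence

TRIP_LEVEL_C = 650.0  # assumed trip setpoint for a thermocouple channel, deg C


class Demand(Enum):
    NONE = "none"      # healthy channel, reading below trip level
    HIGH = "high"      # healthy channel, reading at or above trip level
    FAILED = "failed"  # open/short circuit or lost supply: fails safe


def channel_demand(reading: Optional[float], trip_level: float = TRIP_LEVEL_C) -> Demand:
    """Map one channel's raw reading to a trip demand. None models a
    broken or shorted thermocouple (or a detector with no HV supply);
    fail-safe design reports the failure itself as a demand, never as
    'no danger'."""
    if reading is None:
        return Demand.FAILED
    return Demand.HIGH if reading >= trip_level else Demand.NONE


def vote(demands: Sequence[Demand], needed: int = 2) -> str:
    """M-out-of-N voter. A FAILED channel counts as a demand, so a single
    failure raises an alarm but cannot trip the plant on its own."""
    demanding = sum(d is not Demand.NONE for d in demands)
    if demanding >= needed:
        return "trip"
    if demanding >= 1:
        return "alarm"
    return "normal"


def vote_readings(readings: Sequence[Optional[float]]) -> str:
    """Three raw readings -> voted outcome ('normal', 'alarm' or 'trip')."""
    return vote([channel_demand(r) for r in readings])


def vote_with_maintenance(readings: Sequence[Optional[float]], bypassed: int) -> str:
    """Four channels; the one under maintenance is bypassed and the other
    three still vote 2oo3, so coverage is not degraded during the work."""
    live = [r for i, r in enumerate(readings) if i != bypassed]
    if len(live) != 3:
        raise ValueError("expected four channels with exactly one bypassed")
    return vote_readings(live)


def p_at_least(k: int, n: int, p: float) -> float:
    """P(at least k of n independent channels are in a state of probability p)."""
    return sum(comb(n, j) * p ** j * (1 - p) ** (n - j) for j in range(k, n + 1))


def trip_probabilities(needed: int, n: int, p_safe: float, p_dangerous: float) -> Dict[str, float]:
    """Spurious trip: at least `needed` channels fail safe (read as a demand).
    Failure to trip: more than n - needed channels are stuck at 'no danger',
    so `needed` genuine demands can never be reached."""
    return {
        "spurious_trip": p_at_least(needed, n, p_safe),
        "failure_to_trip": p_at_least(n - needed + 1, n, p_dangerous),
    }


if __name__ == "__main__":
    print(vote_readings([700.0, None, 600.0]))      # one high, one failed -> trip
    print(vote_readings([600.0, None, 600.0]))      # one failed -> alarm only
    for label, needed, n in (("1oo1", 1, 1), ("2oo3", 2, 3), ("1oo3", 1, 3)):
        print(label, trip_probabilities(needed, n, p_safe=0.01, p_dangerous=0.01))
```

With a 1% per-channel probability of each failure mode, 1oo1 gives 1% for both spurious trip and failure to trip; 2oo3 brings both down to about 0.03% (3p² - 2p³); 1oo3 drives failure to trip to 10⁻⁶ but raises the spurious-trip rate to almost 3%, which is the trade-off the two-out-of-three choice resolves.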

Different sensors monitor the various reactor parameters that indicate it is operating safely (see section 5.2.2). The output from each two-out-of-three sensor channel feeds into two or more “guard lines”. These are electrical circuits that, when energised, effect the reactor trip, usually by inserting the control rods. The design logic of guard lines is described by Aitken (1977).

To maximise the reliability of the guard lines they are normally redundant, independent and diverse. Redundancy is achieved by providing at least two independent guard lines, either of which is capable of shutting the reactor down. Independence is achieved by ensuring that they are separate, both physically (the components and cables are in different places remote from each other) and electrically (they are supplied from different sources). Diversity is achieved by ensuring that they operate on different principles, so that a single design fault cannot defeat both lines at once. For example, one guard line may be based on computer software, whereas another may utilise mechanical relays and switches.

The principal action taken automatically when the reactor is tripped is to insert the neutron-absorbing rods, both control rods and shut-off rods, into the core. It is essential that this insertion should be as reliable as possible. A typical arrangement connects the neutron absorber to the actuator that moves it in normal operation through an electromagnet. When the reactor is tripped the action of the guard lines is to interrupt the current to the magnet, so that the rod falls into the core under gravity.
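The guard-line and rod-release arrangement of the last three paragraphs, as an added example in Python (not code from the original text): two guard lines of different construction are each fed by the voted outcome of every protected parameter, the holding magnet is supplied through both lines in series so that either line alone releases the rod, and fault injection shows the fail-safe response to loss of supply and the value of independent lines against a single stuck line. The two line implementations, the fault flags and the scenario names are assumed for illustration; the voted outcomes ('normal', 'alarm', 'trip') are taken as input rather than recomputed here.

```python
"""
Guard lines and de-energise-to-trip rod release.

Added example, not from the original text. The guard-line
implementations, the injected faults and the scenarios are constructed
for illustration. `votes` maps each protected parameter to the outcome
of its 2oo3 vote: 'normal', 'alarm' or 'trip'.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Votes = Dict[str, str]


def software_guard_line(votes: Votes, supply_ok: bool) -> bool:
    """Computer-based line. Returns True while energised: it holds its
    output only while powered and while no voted parameter is at 'trip'."""
    return supply_ok and all(v != "trip" for v in votes.values())


def relay_guard_line(votes: Votes, supply_ok: bool) -> bool:
    """Relay-based line: one normally-closed contact per parameter wired
    in series with the supply. Any 'trip' opens its contact; loss of
    supply drops every relay. Same function as the software line, but a
    different mechanism, which is what diversity buys."""
    if not supply_ok:
        return False
    contacts_closed = [v != "trip" for v in votes.values()]
    return all(contacts_closed)


@dataclass
class GuardLine:
    name: str
    logic: Callable[[Votes, bool], bool]
    supply_ok: bool = True         # each line has its own supply (independence)
    stuck_energised: bool = False  # injected dangerous fault inside this line

    def energised(self, votes: Votes) -> bool:
        if self.stuck_energised:
            return True            # the line can no longer drop out
        return self.logic(votes, self.supply_ok)


def magnet_holding(lines: List[GuardLine], votes: Votes) -> bool:
    """The holding electromagnet is fed through every guard line in
    series: de-energising ANY one line interrupts the magnet current."""
    return all(line.energised(votes) for line in lines)


def rod_inserted(lines: List[GuardLine], votes: Votes) -> bool:
    """The rod falls under gravity as soon as the magnet loses current."""
    return not magnet_holding(lines, votes)


def fresh_lines() -> List[GuardLine]:
    """Two redundant, diverse, independently supplied guard lines."""
    return [GuardLine("A-software", software_guard_line),
            GuardLine("B-relay", relay_guard_line)]


def scenarios() -> Dict[str, bool]:
    """Constructed cases; the value is whether the rod ends up inserted."""
    quiet = {"fuel_temp": "normal", "neutron_flux": "normal"}
    warned = {"fuel_temp": "alarm", "neutron_flux": "normal"}
    hot = {"fuel_temp": "trip", "neutron_flux": "normal"}
    out: Dict[str, bool] = {}

    out["normal operation"] = rod_inserted(fresh_lines(), quiet)
    out["single-channel alarm only"] = rod_inserted(fresh_lines(), warned)
    out["one parameter voted trip"] = rod_inserted(fresh_lines(), hot)

    lines = fresh_lines()
    lines[0].supply_ok = False          # fail-safe: losing a line's supply trips
    out["line A loses supply, no demand"] = rod_inserted(lines, quiet)

    lines = fresh_lines()
    lines[0].stuck_energised = True     # redundancy: line B still releases the rod
    out["line A stuck, demand present"] = rod_inserted(lines, hot)

    lines = fresh_lines()
    lines[0].stuck_energised = True
    lines[1].stuck_energised = True     # common-mode fault defeats both lines
    out["both lines stuck, demand present"] = rod_inserted(lines, hot)
    return out


if __name__ == "__main__":
    for name, inserted in scenarios().items():
        print(f"{name:40s} rod inserted: {inserted}")
```

The last scenario is the one that independence and diversity exist to prevent: if one fault (a shared supply, a shared software defect) could hold both lines energised at once, no amount of sensor redundancy upstream would get the rods into the core.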