In typical power reactors, engineered safeguards in the form of sev­eral separate and independent methods of cooling the core under a spec­trum of theoretical accidents are provided. Usually included are systems which will prevent the reactor core from overheating to any damage levels even in the event of a major rapid loss of normal reactor coolant water. The design basis of engineered safeguards is strongly influenced by the understanding and appreciation that a strong barrier keeps fission prod­ucts from being released from power reactors. If the nuclear fuel can be prevented from overheating to the point of melting during various loss-of — coolant situations, then the fission products will be kept principally in the fuel rods.

For purposes of example I shall pay particular attention to the net­work of engineered safeguards commonly referred to as the emergency core cooling network. Consistent with designers’ primary concern for maintaining a barrier for fission product releases, definite criteria were established very early in the design of engineered safeguards for the boil­ing water reactor. As the industry matured and more was learned about the phenomena associated with emergency core cooling, more exacting criteria evolved. Today, criteria for loss-of-coolant accidents are as fol­lows:

1. Fuel cladding temperature will be kept below maximum tempera­tures at which experiments have verified that fuel rod integrity would be maintained. Normal fuel cladding temperatures are about 2,000° F below this, so considerable safety margin exists.

2. For any size of break to the primary system causing the reactor core to lose coolant, at least two completely independent emergency core cooling systems shall be available to provide effective emergency core cooling.

3. The emergency core cooling network for the boiling water reactor will involve at least two methods for the cooling process. Today’s boiling water reactor uses the methods of both reactor core flooding from below the core and reactor core spraying from above the core. If there should be any unknown phenomena associated with either process, the other process will still operate to achieve adequate emergency core cooling.

4. Although there is usually very dependable off-site power provided to the emergency core cooling network, there shall be no reliance upon off-site power. Appropriate on-site diesel generators or gas turbines will be provided to supply the power to run the emergency core cooling net­work.

These are the four basic criteria upon which the emergency core cooling network for today’s boiling water reactor has evolved. Just how the above criteria are satisfied in today’s power reactor is graphically illus­trated on what is now known as the “boiling water reactor bar chart for emergency core cooling” (Fig. 4). For any break size found along the abcissa of the chart, there are always at least two bars representing indi­vidual emergency core cooling systems which could provide adequate protection in case of a loss of coolant. The two major systems on the boil­ing water reactor are the core spray system and the low-pressure coolant

injection system. Two full capacity core spray systems, each with its own pumping and power supply, are provided. Either of these spray systems can provide complete core cooling in case of loss of coolant. The low — pressure coolant injection system has a capacity such that even if one complete section of the system were lost, sufficient time is available to recool the core before any serious overheating. Other systems, such as the high-pressure coolant injection system and the auto-relief system, are also part of this network.

Notice that the entire network of systems is fully integrated. The systems work together as a set, providing protection for the smallest leak up to the hypothetical complete instantaneous severance of one of the main recirculation lines. There is no dependence on off-site power; and the entire system is fully automatic — it does not require operator intervention at any time during the initiation of the emergency core cooling systems. A feature unique to the boiling water reactor, which is a direct-cycle system, is that in spite of any nominally sized loss of coolant which might occur to the primary system, the reactor vessel itself is constantly being supplied with a large flow rate (from 5 to 10 million pounds of water per hour) directly into the pressure vessel for the purpose of steam gen­eration for the turbine. In general, this flow will overwhelm any small leakage which might occur. This is another inherent safety feature of the boiling water reactor, direct-cycle concept.

When the backup core cooling system has been preliminarily de­signed, it is subjected to detailed study to search for possible points of weakness or ways in which it could be improved. In the study, designers of course call upon the experience gained in the industry over the past two and one-half decades of operation of large nuclear reactors of various types. In addition, they are making increasing use of the highly developed techniques of reliability analysis and systems engineering which have been used with such success in the space program.

In the detailed reliability studies, such things as proper electrical power arrangements, proper sensing devices and sensing device arrange­ment, proper inspection programs, and proper redundancy requirements can all be evaluated by the disciplines associated with reliability technol­ogy. Reliability analysis in safeguards work for power reactors is being effectively used in Great Britain, Canada, and Switzerland and is now coming more and more into play in the United States as well. General Electric has employed and intends to continue to employ reliability analy­sis to assure that the highest levels of safety are achieved on power re­actors.

of emergency core cooling equipment, careful analytical investigations must be conducted for each and every type of accident in its full range of magnitude. Detailed analyses, using major digital computer programs, are conducted for entire spectrums of accident conditions. It is these analyti­cal investigations which are the subject of extensive audit during the period that a particular power reactor project is being reviewed by the aec. Another important aspect of the design of each emergency core cool­ing system is the extensive experimental programs that must be conducted to verify that the system performance claimed has indeed been achieved. For example, in each General Electric boiling water reactor in the current product line, the fuel bundles are all identical whatever the reactor size. The fuel bundle consists of a set of 49 fuel rods, each of which is 12 feet long, containing uranium dioxide pellets encased in zirconium tubing. Fuel rods are clustered together by appropriate spacers and tie plates and are encased in a channel box with appropriate nosepiece and upper handle. This individual fuel bundle has been simulated at full scale, with electrical heating in place of the nuclear heating, and the entire simulated fuel bundles have been completely tested to evaluate the performance of the core spray systems and core flood systems. In this system, each fuel bundle receives spray cooling. This was an extensive program, but each of the claims made for the emergency core cooling equipment has now been confirmed.

Containment. If any of the core fission products should be able to find their way through all of the barriers and into the air space outside the reactor process system, they would then encounter the further substantial barriers of the plant containment systems. The containment system com­ponents have no normal operational requirement for retention of radio­active materials. Thus, they are simply insurance and are needed only in case of simultaneous and significant failure of all of the process barriers and engineered safeguards itemized above. The containment structure totally encloses the nuclear steam supply system of a nuclear power reactor. On the boiling water reactor the entire nuclear pressure vessel is inside the primary containment. The feedwater lines from the turbine and the steam lines back to the turbine are the only major lines which pene­trate that containment. The containment structure is of high quality with very stringent leakage requirements placed upon it. The design basis for the containment is that even in the hypothetical event of the complete instantaneous severance of the biggest primary system pipe and the sub­sequent blowdown of the steam and water found in the primary system to the containment structure, the containment structure will remain within its design pressure. Therefore, the containment structure is another safe­guard in the design of nuclear power reactors.

A particular type of containment structure has been associated with the boiling water reactor. The containments of all the modem boiling water reactors to date employ a principle known as pressure suppression in the design of their containments (Fig. 5). By means of vent pipes in the large water source within the containment structure itself, large mag­nitudes of steam which would be released from the nuclear vessel in the event of a hypothetical primary system rupture are forced to condense in the large cold water supply found in the suppression pool. In this way, although the containment may see large pressure levels for a short period of time (still within its design rating), the suppression action of a large body of water soon condenses most of the steam released by the pressure vessel and the pressure level within the containment drops to very low levels. This has strong safety implications. Without suppression action all of the mass released to the containment would stay at high temperature and pressure, thus leading to potential increased leakage rates from the containment. By means of the pressure suppression principle and the rapid reduction of residue pressures within the containment, leakage from the containment is also minimized.

Another important feature of today’s boiling water reactor contain­ment system is the fact that a secondary containment also exists. Around

the structure known as the primary containment, commonly called the drywell and suppression chambers, the entire reactor building forms a secondary containment barrier. By the means of a ventilation system, the building can be held at a slight vacuum so that any leakage at all is from the outside into the building. This ventilation system sends the atmos­phere of the secondary containment through a standby gas treatment system should an accident occur. The standby system, which includes filters for fission products, provides still another barrier to fission product release outside the nuclear power plant.

Recognition of all of these facts points out the extreme measures which have been taken in the use of containment to ensure a maximum of public health and safety — again, a dramatic manifestation of a proper attitude toward reactor safety.