Fig. 1: Schematic of a Boiling Water Reactor: (1) Reactor Vessel, (2) Fuel Core, (3) Control Rods, (4) Circulation pump, (5) Control Rod Motors, (6) Steam, (7) Inlet Circulation Water, (8) High Pressure Turbine, (9) Low Pressure Turbine, (10) Electric Generator, (11) Electrical Generator Exciter, (12) Condenser, (13) Cold Water for Condenser, (14) Pre-Warmer, (15) Water Circulation Pump, (16) Condenser Pump, (17) Concrete Enclosure, (18) Electrical Grid Connection (Source: Wikimedia Commons)
There are currently in excess of 100 Boiling Water Reactors (BWRs) running across the world, mostly in the United States and Japan. Considering that the most recent significant nuclear accident, the Fukushima Daiichi disaster, originated from a BWR facility, it would be natural to wonder what safeguards against similar disasters exist in the other, still-operating, BWRs around the world. This article will introduce BWR operation and design and will explain what safeguards against catastrophe exist in operating BWRs.
BWRs are a type of nuclear reactor designed and constructed for electrical power generation. A BWR functions by sustaining a nuclear fission reaction in its core, using water to mediate the reaction. The water serves several purposes. First, it serves as a heat sink, keeping the core at the designed temperature. Second, it slows the "fast" neutrons (about 1 MeV of kinetic energy) produced by fission to thermal speeds, which correspond to kinetic energies of about 30 meV. This slowing of neutrons sustains the reaction, as thermal neutrons are significantly more likely to cause fission events than fast neutrons. In accomplishing both of these tasks, the water boils as it absorbs a large amount of the energy released by the reaction. The steam produced in the reactor core then drives a turbine, which converts most of the steam's energy into electrical power (see Fig. 1). Finally, the water condenses and is pumped back into the reactor core, completing the circuit.
As these reactors require water to sustain fission, a safety feature built into the design is that the reaction rate decreases as the proportion of water to steam decreases in the core. As such, an increase in heat generated by the core will cause the water-to-steam ratio to decrease, the reaction rate to slow, and the core to cool. This feature ensures that BWRs are incapable of producing runaway reactions and becoming fission "bombs."
Although BWRs and most types of nuclear power plants are incapable of producing runaway fission reactions, there are still many modes of failure that could result in significant release of radiation into the atmosphere or surrounding areas. These possible failure modes must be taken into consideration and accounted for when commissioning any new reactor to be built. Design Basis Events (DBEs) are events under which the reactor must be able to be shut down safely and for which the consequences of accidents resulting in offsite exposure must be mitigated or prevented. Some examples of design basis events include loss of off-site power, low or high reactor water levels, and anomalous seismic activity. For all events considered, multiple layers of protection exist for prevention of catastrophe.
Fig. 2: An aerial photograph of the Fukushima Power Plant after the 2011 tsunami. Reactors 1 through 4 are pictured from left to right. (Source: Wikimedia Commons)
Before delving straight into safety mechanisms, it is worth noting that one design basis event that damages the core is expected per 10,000 to 10,000,000 reactor years in BWRs. That is, if 100 reactors run for 100 years each (10,000 reactor years in total), 1 to 0.001 core damage events are expected. This range is imprecise but still lower than the rate for the most common type of nuclear plant, the Pressurized Water Reactor (PWR).
The first major safety mechanism, which is present in every nuclear reactor, regardless of type, is the reactor protection system, which stops the reaction in a very short time. In BWRs, this task is accomplished through metal control rods, which will be slotted into the core if the reaction ever needs to be stopped immediately. In current BWRs, these rods are inserted from below using a doubly redundant hydraulic system.  In other reactors, the control rods are inserted from the top, falling into place with gravity. The BWR design is potentially problematic when compared to others, as gravity cannot fail and hydraulic systems can.
In the event of an emergency, once the core has stopped reacting, it still must be kept cool, as it will continue to heat due to radioactive decay. The system designed to accomplish this task is the Emergency Core-Cooling System (ECCS), which must keep the fuel cladding temperature under 2200 °F, allow for long-term cooling, and prevent hydrogen buildup, among other things. If excess hydrogen were to accumulate in a reactor, it could explode, breaching one or more of the layers of the containment system. In practice, the ECCS is a highly complex system composed of many smaller safeguards that are designed to, in total, account for all possibilities of reactor failure.
The final safeguard present is the containment system, which stops radioactive isotopes from venting to the environment in the event of an accident. This system is multiply redundant in all reactors and varies from reactor to reactor, but generally starts with shielding of the fuel rods, followed by thick steel walls on the reactor pressure vessel. Next is a steel containment structure built around the reactor vessel. That structure is enclosed by a secondary containment structure made of thick reinforced concrete, and, finally, the reactor building, which is also constructed with reinforced concrete, encloses the secondary containment structure. Containment was one of the systems that failed during the Fukushima incident, when the GE Mark 1 containment system, an early design that was met with the resignation of several GE scientists, released significant radiation into the atmosphere after hydrogen explosions occurred in reactors 1, 2, and 3 of the plant (see Fig. 2).
BWRs have a robust system of safety mechanisms, including N-2 redundancy, in place to prevent nuclear catastrophes when subjected to DBEs, though some concerns have been raised about the control rod and containment design. Although the Fukushima accident was one of the worst in history, it was classified as a beyond-DBE even though concerns about earthquakes and tsunamis had been raised before the incident.
©Alex Hughes. The author grants permission to copy, distribute and display this work in unaltered form, with attribution to the author, for noncommercial purposes only. All other rights, including commercial rights, are reserved to the author.