Boiling water reactor safety systems

Boiling water reactor safety systems are nuclear safety systems constructed within boiling water reactors in order to prevent or mitigate environmental and health hazards in the event of accident or natural disaster.

Like the pressurized water reactor, the BWR reactor core continues to produce heat from radioactive decay after the fission reactions have stopped, making a core damage incident possible in the event that all safety systems have failed and the core does not receive coolant. Also like the pressurized water reactor, a boiling water reactor has a negative void coefficient, that is, the neutron (and the thermal) output of the reactor decreases as the proportion of steam to liquid water increases inside the reactor.

However, unlike a pressurized water reactor, whose core contains no steam, a sudden increase in BWR steam pressure (caused, for example, by closure of the main steam isolation valves (MSIVs) that isolate the reactor from the turbine) will cause a sudden decrease in the proportion of steam to liquid water inside the core. The increased ratio of water to steam leads to increased neutron moderation, which in turn causes an increase in the power output of the reactor. This type of event is referred to as a "pressure transient".

Safety systems
The BWR is specifically designed to respond to pressure transients, having a "pressure suppression" type of design which vents overpressure through safety/relief valves to below the surface of a pool of water within the containment, known as the "wetwell", "torus" or "suppression pool". All BWRs use a number of safety/relief valves for overpressure protection; up to 7 of these are part of the Automatic Depressurization System (ADS), and ABWR models have 18 safety/relief valves, only a few of which have to function to stop the pressure rise of a transient. In addition, the reactor will already have rapidly shut down before the transient affects the RPV (as described in the Reactor Protection System section below).

Because of this effect in BWRs, operating components and safety systems are designed so that no credible scenario can cause a pressure and power increase that exceeds the systems' capability to shut down the reactor quickly, before damage to the fuel or to components containing the reactor coolant can occur. In the limiting case of an ATWS (Anticipated Transient Without Scram), high neutron power levels (~200%) can occur for less than a second, after which actuation of the SRVs causes the pressure to drop rapidly. Neutronic power then falls far below nominal (to the range of 30%, as forced circulation ceases and voids are no longer swept from the core) even before ARI or SLCS actuation occurs. Thermal power is barely affected.

In the event of a contingency that disables all of the safety systems, each reactor is surrounded by a containment building consisting of 1.2 – of steel-reinforced, pre-stressed concrete designed to seal off the reactor from the environment.

However, the containment building does not protect the fuel during the whole fuel cycle. Most importantly, the spent fuel resides for long periods outside the primary containment. A typical spent fuel storage pool can hold roughly five times the fuel in the core. Since reloads typically discharge one third of a core, much of the spent fuel stored in the pool will have had considerable decay time. But if the pool were drained of water, the fuel discharged at the previous two refuelings would still be "fresh" enough to melt under decay heat. Even before melting, the Zircaloy cladding of this fuel could ignite during the heatup, and the resulting fire would probably spread to most or all of the fuel in the pool. The heat of combustion, in combination with decay heat, would probably drive "borderline aged" fuel into a molten condition. Moreover, if the fire became oxygen-starved (quite probable for a fire located at the bottom of a pit such as this), the hot zirconium would rob oxygen from the uranium dioxide fuel, forming a liquid mixture of metallic uranium, zirconium, oxidized zirconium, and dissolved uranium dioxide. This would release fission products from the fuel matrix in amounts comparable to those from molten fuel. Since BWR spent fuel pools, although enclosed, are almost always located outside the primary containment, the hydrogen generated during the process would probably result in an explosion, damaging the secondary containment building. Thus, release to the atmosphere is more likely than for comparable accidents involving the reactor core.

Reactor Protection System (RPS)
The Reactor Protection System (RPS) is a system, computerized in later BWR models, designed to automatically, rapidly, and completely shut down and make safe the Nuclear Steam Supply System (NSSS: the reactor pressure vessel, pumps, and water/steam piping within the containment) if some event occurs that could result in the reactor entering an unsafe operating condition. In addition, the RPS can automatically start the Emergency Core Cooling System (ECCS) upon detection of several signals. It does not require human intervention to operate, although the reactor operators can override parts of the RPS if necessary. If an operator recognizes a deteriorating condition and knows that an automatic safety system will activate, they are trained to activate it pre-emptively.

If the reactor is at power or ascending to power (i.e. if the reactor is supercritical: the control rods are withdrawn to the point where the reactor generates more neutrons than it absorbs), there are safety-related contingencies that may arise that necessitate a rapid shutdown of the reactor, or, in Western nuclear parlance, a "SCRAM". The SCRAM is a manually or automatically triggered rapid insertion of all control rods into the reactor, which takes the reactor to decay heat power levels within tens of seconds. Since ≈ 0.6% of neutrons are emitted from fission products ("delayed" neutrons), which are born seconds or minutes after fission, fission cannot be terminated instantaneously, but the fuel soon returns to decay heat power levels. Manual SCRAMs may be initiated by the reactor operators, while automatic SCRAMs are initiated upon:


 * Turbine stop-valve or turbine control-valve closure.
   * If the turbine protection systems detect a significant anomaly, admission of steam to the turbine is halted. The reactor is rapidly shut down in anticipation of the pressure transient, which could increase reactivity.
   * Generator load rejection will also cause closure of the turbine valves and trip the RPS.
   * This trip is only active above approximately 1/3 of rated reactor power. Below this level, the bypass steam system is capable of controlling reactor pressure without causing a reactivity transient in the core.
 * Loss of off-site power (LOOP)
   * During normal operation, the RPS is powered by off-site power.
   * Loss of off-site power opens all relays in the RPS, causing all rapid shutdown signals to come in redundantly.
   * It also causes the MSIVs to close, since the RPS is fail-safe; the plant assumes a main steam line break coincident with the loss of off-site power.
 * Neutron monitor trips. The purpose of these trips is to ensure an even increase in neutron and thermal power during startup.
   * Source-range monitor (SRM) or intermediate-range monitor (IRM) upscale: the SRM, used during instrument calibration, pre-critical, and early non-thermal criticality, and the IRM, used during ascension to power, middle/late non-thermal, and early or middle thermal stages, both have trips built in that prevent rapid decreases in reactor period when the reactor is intensely reactive (e.g. when no voids exist and the water is cold and dense) without positive operator confirmation that such decreases in period are intended. Before a trip occurs, rod movement blocks are activated to ensure operator vigilance if preset levels are marginally exceeded.
   * Average power range monitor (APRM) upscale: prevents the reactor from exceeding pre-set neutron power maxima during operation, or relative maxima before positive operator confirmation of the end of startup by transition of the reactor mode switch to "Run".
   * Average power range monitor / coolant flow thermal trip: prevents the reactor from exceeding variable power levels without sufficient coolant flow for that level being present.
   * Oscillation power range monitor (OPRM): prevents reactor power from oscillating rapidly during low-flow, high-power conditions.
 * Low reactor water level:
   * Loss of coolant contingency (LOCA)
   * Loss of proper feedwater (LOFW)
   * Protects the turbine from excessive moisture carryover if the water level is below the steam separator and steam dryer stack.
 * High water level (in BWR/6 plants)
   * Prevents flooding of the main steam lines and protects turbine equipment.
   * Limits the rate of cold water addition to the vessel, thus limiting the reactor power increase during over-feed transients.
 * High drywell (primary containment) pressure
   * Indicative of a potential loss of coolant contingency.
   * Also initiates the ECCS systems to prepare for core injection once the injection permissives are cleared.
 * Main steam isolation valve (MSIV) closure
   * Protects against a pressure transient in the core causing a reactivity transient.
   * Each channel only trips when its valve is more than 8% closed.
   * One valve may be closed without initiating a reactor trip.
 * High RPV pressure:
   * Indicative of MSIV closure.
   * Decreases reactivity to compensate for boiling void collapse due to high pressure.
   * Prevents the pressure relief valves from opening.
   * Serves as a backup for several other trips, such as the turbine trip.
 * Low RPV pressure:
   * Indicative of a line break in the steam tunnel or another location that does not trigger high drywell pressure.
   * Bypassed when the reactor is not in Run mode, to allow pressurization and cooldown without an automatic scram signal.
 * Seismic event
   * Generally only plants in high seismic areas have this trip enabled.
 * Scram discharge volume high
   * If the scram hydraulic discharge volume begins to fill up, this trip scrams the reactor before the volume is full. This prevents hydraulic lock, which could prevent the control rods from inserting, and thus guards against an ATWS (Anticipated Transient Without Scram).
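The trip list above can be read as a small piece of fail-safe logic: every scram channel is held energized while power is available and no trip condition exists, and any de-energized channel drops the rods, which is why loss of off-site power by itself produces a scram and an MSIV isolation. The following is an added Python model of that logic, written for this page; it is not plant or vendor code. The PlantState field names, the trip labels, and the rule that a second MSIV more than 8% closed trips the reactor (the page only says one valve may be closed without a trip) are assumptions. The page gives no numeric instrument setpoints, so those channels are represented as booleans meaning "this channel has exceeded its setpoint".

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Numbers the page gives; every other channel is a boolean "tripped" input.
MSIV_CLOSED_FRACTION = 0.08      # a channel trips once its valve is more than 8% closed
TURBINE_TRIP_BYPASS_POWER = 1/3  # turbine / load-rejection trips are bypassed below ~1/3 power
MSIV_TRIP_COUNT = 2              # assumption: one closed valve is tolerated, a second one trips


@dataclass
class PlantState:
    """Inputs as seen by the RPS channels (hypothetical field names)."""
    rps_powered: bool = True                 # off-site power feeding the RPS relays
    mode_run: bool = True                    # mode switch in "Run"
    power_fraction: float = 1.0              # neutron power, 1.0 = rated
    turbine_stop_valve_closed: bool = False
    turbine_control_valve_fast_closure: bool = False   # e.g. generator load rejection
    srm_irm_upscale: bool = False
    aprm_upscale: bool = False
    aprm_flow_biased_high: bool = False      # APRM / coolant-flow thermal trip
    oprm_oscillation: bool = False
    water_level_low: bool = False
    water_level_high: bool = False           # BWR/6 plants
    drywell_pressure_high: bool = False
    msiv_closed_fraction: List[float] = field(default_factory=lambda: [0.0] * 4)
    rpv_pressure_high: bool = False
    rpv_pressure_low: bool = False
    seismic_event: bool = False
    seismic_trip_enabled: bool = False       # only plants in high seismic areas enable it
    scram_discharge_volume_high: bool = False


def trip_conditions(s: PlantState) -> List[str]:
    """Names of every trip condition present, honouring the bypasses and
    permissives described in the list above."""
    trips: List[str] = []
    if s.power_fraction > TURBINE_TRIP_BYPASS_POWER and (
        s.turbine_stop_valve_closed or s.turbine_control_valve_fast_closure
    ):
        trips.append("turbine valve closure")
    if s.srm_irm_upscale:
        trips.append("SRM/IRM upscale")
    if s.aprm_upscale:
        trips.append("APRM upscale")
    if s.aprm_flow_biased_high:
        trips.append("APRM flow-biased thermal")
    if s.oprm_oscillation:
        trips.append("OPRM oscillation")
    if s.water_level_low:
        trips.append("low water level")
    if s.water_level_high:
        trips.append("high water level")
    if s.drywell_pressure_high:
        trips.append("high drywell pressure")
    closed = sum(1 for f in s.msiv_closed_fraction if f > MSIV_CLOSED_FRACTION)
    if closed >= MSIV_TRIP_COUNT:
        trips.append("MSIV closure")
    if s.rpv_pressure_high:
        trips.append("high RPV pressure")
    if s.rpv_pressure_low and s.mode_run:      # bypassed outside Run
        trips.append("low RPV pressure")
    if s.seismic_event and s.seismic_trip_enabled:
        trips.append("seismic")
    if s.scram_discharge_volume_high:
        trips.append("scram discharge volume high")
    return trips


def rps_output(s: PlantState) -> Dict[str, object]:
    """De-energize-to-trip evaluation: the scram relays stay energized only
    while the RPS has power and no trip condition exists, so anything that
    removes power or opens a relay inserts the rods."""
    if not s.rps_powered:
        # Every relay opens at once, so all scram signals arrive redundantly and
        # the MSIVs close (the plant assumes a steam break coincident with LOOP).
        return {"scram": True, "trips": ["loss of off-site power"], "msiv_isolation": True}
    trips = trip_conditions(s)
    return {"scram": bool(trips), "trips": trips, "msiv_isolation": False}


if __name__ == "__main__":
    # Constructed scenario: one MSIV fully closed at full power, then a second one.
    state = PlantState(msiv_closed_fraction=[1.0, 0.0, 0.0, 0.0])
    print(rps_output(state))          # no scram: one valve may be closed
    state.msiv_closed_fraction[1] = 0.10
    print(rps_output(state))          # scram on MSIV closure
```

The point of the `rps_powered` branch is the fail-safe property: a model in which loss of power simply returned "no trips" would be energize-to-trip, the opposite of the design described above.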

Emergency core-cooling system (ECCS)
While the reactor protection system is designed to shut down the reactor, the ECCS is designed to maintain adequate core cooling. The ECCS is a set of interrelated safety systems designed to protect the fuel within the reactor pressure vessel, referred to as the "reactor core", from overheating. The five criteria for the ECCS are to prevent peak fuel cladding temperature from exceeding 2200 °F (1204 °C), to prevent more than 17% oxidation of the fuel cladding, to prevent more than 1% of the maximum theoretical hydrogen generation due to the Zircaloy metal-water reaction, to maintain a coolable geometry, and to allow for long-term cooling. The ECCS accomplishes this by maintaining reactor pressure vessel (RPV) cooling water level or, if that is impossible, by directly flooding the core with coolant.

These systems are of three major types:
 * 1) High-pressure systems: These are designed to protect the core by injecting large quantities of water into it to prevent the fuel from being uncovered by a decreasing water level. Generally used in cases with stuck-open safety valves, small breaks of auxiliary pipes, and particularly violent transients caused by turbine trip and main steam isolation valve closure. If the water level cannot be maintained with high-pressure systems alone (the water level still is falling below a preset point with the high-pressure systems working full-bore), the next set of systems responds.
 * 2) Depressurization systems: These systems are designed to maintain reactor pressure within safety limits. Additionally, if reactor water level cannot be maintained with high-pressure coolant systems alone, the depressurization system can reduce reactor pressure to a level at which the low-pressure coolant systems can function.
 * 3) Low-pressure systems: These systems are designed to function after the depressurization systems have acted. They have large capacities compared to the high-pressure systems and are supplied by multiple, redundant power sources. They will maintain any maintainable water level and, in the event of a large pipe break of the worst type below the core that leads to temporary fuel rod "uncovery", will rapidly mitigate that state before the fuel heats to the point where core damage could occur.

High-pressure coolant injection system (HPCI)
The high-pressure coolant injection system is the first line of defense in the emergency core cooling system. HPCI is designed to inject substantial quantities of water into the reactor while it is at high pressure so as to prevent the activation of the automatic depressurization, core spray, and low-pressure coolant injection systems. HPCI is powered by steam from the reactor, takes approximately 10 seconds to spin up from an initiating signal, and can deliver approximately 19,000 L/min (5,000 US gal/min) to the core at any core pressure above 6.8 atm (690 kPa, 100 psi). This is usually enough to keep water levels sufficient to avoid automatic depressurization except in a major contingency, such as a large break in the makeup water line. HPCI can also be run in "pressure control mode", where the HPCI turbine is run without pumping water to the reactor vessel. This allows HPCI to remove steam from the reactor and slowly depressurize it without operating the safety or relief valves, which minimizes the number of times the relief valves need to operate and reduces the potential for one sticking open and causing a small LOCA.

The typical steam turbine used in HPCI systems is the "solid wheel" or "water wheel" Terry Steam Turbine manufactured by the Curtiss-Wright Corporation in Summerville, SC.

Versioning note: Some BWR/5s and the BWR/6 replace the steam-turbine driven HPCI pump with the AC-powered high-pressure core spray (HPCS); ABWR replaces HPCI with high-pressure core flooder (HPCF), a mode of the RCIC system, as described below. (E)SBWR does not have an equivalent system as it primarily uses passive safety cooling systems, though ESBWR does offer an alternative active high-pressure injection method using an operating mode of the Control Rod Drive System (CRDS) to supplement the passive system.

Isolation Condenser (IC)
Some reactors, including some BWR/2 and BWR/3 plants and the (E)SBWR series, have a passive system called the Isolation Condenser. This is a heat exchanger located above the containment in a pool of water open to the atmosphere. When activated, decay heat boils water in the reactor into steam, which is drawn into the heat exchanger and condensed; the condensate then returns to the reactor by gravity. This process keeps the cooling water in the reactor, making it unnecessary to run powered feedwater pumps. The water in the open pool slowly boils off, venting clean steam to the atmosphere, so no mechanical systems are needed to remove the heat. Periodically the pool must be refilled, a simple task for a fire truck. The (E)SBWR reactors provide three days' supply of water in the pool. Some older reactors also have IC systems, including Fukushima Dai-ichi reactor 1; however, their water pools may not be as large.

Under normal conditions the IC is in standby: the top of the IC condenser is connected to the reactor's steam lines through a normally open valve, so steam enters the condenser tubes and condenses until they are filled with water, while the return valve at the bottom of the condenser is closed. The IC starts automatically on low water level or high steam pressure indications. On actuation the bottom valve opens, connecting the condenser to a lower part of the reactor; the water falls into the reactor by gravity, fresh steam fills the condenser and condenses in turn, and this cycle continues until the bottom valve is closed again.

Reactor core isolation cooling system (RCIC)
The reactor core isolation cooling system is not an emergency core cooling system proper, but it is included because it fulfills an important-to-safety function which can help to cool the reactor in the event of a loss of normal heat sinking capability; or when all electrical power is lost. It has additional functionality in advanced versions of the BWR.

RCIC is an auxiliary feedwater pump meant for emergency use. It injects cooling water into the reactor at high pressure, approximately 2,000 L/min (600 US gal/min) into the reactor core, and starts within approximately 30 seconds of an initiating signal. It has ample capacity to replace the cooling water boiled off by residual decay heat, and can even keep up with small leaks.

The RCIC system operates on high-pressure steam from the reactor itself, and thus is operable with no electric power other than battery power to operate the control valves. Those turn the RCIC on and off as necessary to maintain correct water levels in the reactor. (If run continuously, the RCIC would overfill the reactor and send water down its own steam supply line.) During a station blackout (where all off-site power is lost and the diesel generators fail) the RCIC system may be "black started" with no AC and manually activated. The RCIC system condenses its steam into the reactor suppression pool. The RCIC can make up this water loss, from either of two sources: a makeup water tank located outside containment, or the wetwell itself. RCIC is not designed to maintain reactor water level during a LOCA or other leak. Similar to HPCI, the RCIC turbine can be run in recirculation mode to remove steam from the reactor and help depressurize the reactor.

The typical steam turbine used in RCIC systems is likewise the "solid wheel" or "water wheel" Terry Steam Turbine manufactured by the Curtiss-Wright Corporation in Summerville, SC.

Versioning note: RCIC and HPCF are integrated in the ABWRs, with HPCF representing the high-capacity mode of RCIC. Older BWRs such as Fukushima Unit 1 and Dresden as well as the new (E)SBWR do not have a RCIC system, and instead have an Isolation Condenser system.

Automatic depressurization system (ADS)
The Automatic Depressurization System is not part of the cooling system proper, but is an essential adjunct to the ECCS. It is designed to activate in the event that there is either a loss of high-pressure cooling to the vessel or the high-pressure cooling systems cannot maintain the RPV water level. ADS can be initiated manually or automatically. ADS receives an auto-start signal when the water level reaches the Low-Low-Low Water Level Alarm setpoint. ADS then confirms the signal against the Low Alarm Water Level, verifies that at least one low-pressure cooling pump is operating, and starts a 105-second timer. When the timer expires, or when the manual ADS initiation buttons are pressed, the system rapidly releases pressure from the RPV as steam through pipes that terminate below the water level in the suppression pool (the torus/wetwell), which is designed to condense the steam released by ADS or other safety valve actuation. This brings the reactor vessel below 32 atm (3200 kPa, 465 psi), allowing the low-pressure cooling systems (LPCS/LPCI/LPCF/GDCS) to restore reactor water level. During an ADS blowdown, the steam being removed from the reactor is sufficient to ensure adequate core cooling even if the core is uncovered: the water in the reactor rapidly flashes to steam as reactor pressure drops, carrying away the latent heat of vaporization and cooling the entire reactor. The low-pressure ECCS systems re-flood the core before the end of the emergency blowdown, ensuring that the core retains adequate cooling during the entire event.

Low-pressure core spray system (LPCS)
The Core Spray system, or Low-Pressure Core Spray system is designed to suppress steam generated by a major contingency and to ensure adequate core cooling for a partially or fully uncovered reactor core. LPCS can deliver up to 48,000 L/min (12,500 US gal/min) of water in a deluge from the top of the core. The core spray system collapses steam voids above the core, aids in reducing reactor pressure when the fuel is uncovered, and, in the event the reactor has a break so large that water level cannot be maintained, core spray is capable of preventing fuel damage by ensuring the fuel is adequately sprayed to remove decay heat. In earlier versions of the BWR (BWR 1 or 2 plants), the LPCS system was the only ECCS, and the core could be adequately cooled by core spray even if it was completely uncovered. Starting with Dresden units 2 and 3, the core spray system was augmented by the HPCI/LPCI systems to provide for both spray cooling and core flooding as methods for ensuring adequate core cooling. For most BWR models, core spray ensures the upper 1/3rd of the core does not exceed 17% cladding oxidation or 1% hydrogen production during a LOCA when used in combination with the LPCI system.

Versioning note: In ABWRs and (E)SBWRs, there are additional water spray systems to cool the drywell and the suppression pool.

Low-pressure coolant injection (LPCI)
Low-pressure coolant injection is the emergency injection mode of the Residual Heat Removal (RHR) system. LPCI can be operated at reactor vessel pressures below 375 psi. LPCI consists of several pumps which are capable of injecting up to 150,000 L/min (40,000 US gal/min) of water into the reactor. Combined with the Core Spray system, the LPCI is designed to rapidly flood the reactor with coolant. The LPCI system was first introduced with Dresden units 2 and 3. The LPCI system can also use the RHR heat exchangers to remove decay heat from the reactor and cool the containment to cold conditions. Early versions of the LPCI system injected through the recirculation loops or into the downcomer. Later versions of the BWR moved the injection point directly inside the core shroud to minimize the time to reflood the core, substantially reducing the peak temperatures of the reactor during a LOCA.

Versioning note: ABWRs replace LPCI with low-pressure core flooder (LPCF), which operates using similar principles. (E)SBWRs replace LPCI with the DPVS/PCCS/GDCS, as described below.

Depressurization valve system (DPVS) / passive containment cooling system (PCCS) / gravity-driven cooling system (GDCS)
The (E)SBWR has an additional ECCS capability that is completely passive, unique among BWRs, and significantly improves defense in depth. This system is activated when the water level within the RPV reaches Level 1. At this point, a countdown timer is started.

There are several large depressurization valves located near the top of the reactor pressure vessel. These constitute the DPVS. This is a capability supplemental to the ADS, which is also included on the (E)SBWR. The DPVS consists of eight of these valves, four on main steamlines that vent to the drywell when actuated and four venting directly into the wetwell.

If Level 1 is not resubmerged within 50 seconds after the countdown started, the DPVS fires and rapidly vents the steam in the reactor pressure vessel into the drywell. The drop in pressure causes the water in the RPV to flash partially to steam, so the two-phase mixture swells and temporarily raises the water level over the core while the vessel depressurizes. In addition, depressurization reduces the saturation temperature, enhancing heat removal via boiling. (In fact, both the ESBWR and the ABWR are designed so that even in the maximum feasible contingency, the core never loses its layer of water coolant.)

If Level 1 is still not resubmerged within 100 seconds of DPVS actuation, then the GDCS valves fire. The GDCS is a series of very large water tanks located above and to the side of the Reactor Pressure Vessel within the drywell. When these valves fire, the GDCS is directly connected to the RPV. After ~50 more seconds of depressurization, the pressure within the GDCS will equalize with that of the RPV and drywell, and the water of the GDCS will begin flowing into the RPV.
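The ADS logic described earlier (Low-Low-Low level, confirmation against the Low alarm, a running low-pressure pump, a 105-second timer, manual pushbuttons) and the ESBWR chain just described (Level 1 for 50 s, DPVS, 100 s, GDCS valves, roughly 50 s to equalize) are the same pattern: a timed sequence that arms on a level signal, resets if the level recovers before it fires, and gates each stage on a permissive. The following is an added Python sequencer that models both, written for this page rather than taken from any plant design. The normalized level setpoints, the stage names, the assumption that the ADS timer resets when the level recovers, and the treatment of GDCS pressure equalization as a timed stage are all assumptions; the delays are the ones the page states.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional

Inputs = Dict[str, Any]


@dataclass
class Stage:
    name: str
    delay_s: float                                     # seconds after arming, or after the previous stage
    permissive: Callable[[Inputs], bool] = lambda inputs: True


@dataclass
class DepressurizationSequencer:
    """Timed actuation sequence. Arming starts when `trigger` holds; the
    sequence resets if the trigger clears before the first stage fires (the
    level has been 'resubmerged'). Each stage fires once its delay has elapsed
    and its permissive is satisfied. `manual=True` fires the first stage at
    once, like the ADS pushbuttons, still subject to the permissive."""
    trigger: Callable[[Inputs], bool]
    stages: List[Stage]
    fired: List[str] = field(default_factory=list)
    armed_at: Optional[float] = None
    last_fire_at: Optional[float] = None

    def step(self, t: float, inputs: Inputs, manual: bool = False) -> List[str]:
        if not self.fired:
            if not self.trigger(inputs):
                self.armed_at = None             # level recovered: timer resets
                return list(self.fired)
            if self.armed_at is None:
                self.armed_at = t
        if len(self.fired) == len(self.stages):
            return list(self.fired)
        nxt = self.stages[len(self.fired)]
        reference = self.last_fire_at if self.fired else self.armed_at
        timer_expired = t - reference >= nxt.delay_s
        if (timer_expired or (manual and not self.fired)) and nxt.permissive(inputs):
            self.fired.append(nxt.name)
            self.last_fire_at = t
        return list(self.fired)


# Assumed normalized level setpoints (1.0 = normal level); the page names the
# setpoints but gives no values.
LEVEL_LOW = 0.8          # "Low" alarm, used to confirm the Low-Low-Low signal
LEVEL_LLL = 0.5          # "Low-Low-Low" alarm (ADS) / "Level 1" (ESBWR DPVS)
ADS_TIMER_S = 105.0
DPVS_DELAY_S, GDCS_VALVE_DELAY_S, GDCS_EQUALIZE_S = 50.0, 100.0, 50.0


def build_ads() -> DepressurizationSequencer:
    """ADS: arm on Low-Low-Low level, confirm with the Low alarm, require a
    running low-pressure ECCS pump, blow down after 105 s or on manual action."""
    return DepressurizationSequencer(
        trigger=lambda i: i["level"] <= LEVEL_LLL,
        stages=[Stage("ADS blowdown", ADS_TIMER_S,
                      lambda i: i["level"] <= LEVEL_LOW and bool(i["lp_pump_running"]))],
    )


def build_esbwr() -> DepressurizationSequencer:
    """ESBWR: Level 1 not resubmerged within 50 s -> DPVS; 100 s later -> GDCS
    valves; ~50 s later the pressures equalize and GDCS flow begins. The chain
    is passive, so there is no pump permissive."""
    return DepressurizationSequencer(
        trigger=lambda i: i["level"] <= LEVEL_LLL,
        stages=[Stage("DPVS open", DPVS_DELAY_S),
                Stage("GDCS valves open", GDCS_VALVE_DELAY_S),
                Stage("GDCS injection", GDCS_EQUALIZE_S)],
    )


def simulate(seq: DepressurizationSequencer, duration_s: float,
             inputs_at: Callable[[float], Inputs],
             manual_at: Optional[float] = None, dt: float = 1.0) -> Dict[str, float]:
    """Step the sequencer at a fixed dt and return {stage name: time fired}."""
    fired_at: Dict[str, float] = {}
    for k in range(int(duration_s / dt) + 1):
        t = k * dt
        before = set(seq.fired)
        manual = manual_at is not None and t >= manual_at
        for name in set(seq.step(t, inputs_at(t), manual)) - before:
            fired_at[name] = t
    return fired_at


if __name__ == "__main__":
    # Constructed scenario: level stays below Level 1 with a low-pressure pump running.
    uncovered = lambda t: {"level": 0.4, "lp_pump_running": True}
    print(simulate(build_ads(), 300, uncovered))     # ADS at 105 s
    print(simulate(build_esbwr(), 300, uncovered))   # DPVS 50 s, GDCS valves 150 s, injection 200 s
```

The two failure modes worth checking are the ones the text implies: a level that recovers before the timer expires must leave the vessel pressurized, and an expired ADS timer must not blow down until a low-pressure pump is actually available to reflood the core.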

The water within the RPV will boil into steam from the decay heat, and natural convection will cause it to travel upwards into the drywell, into piping assemblies in the ceiling that will take the steam to four large heat exchangers – the Passive Containment Cooling System (PCCS) – located above the drywell – in deep pools of water. The steam will be cooled, and will condense back into liquid water. The liquid water will drain from the heat exchanger back into the GDCS pool, where it can flow back into the RPV to make up for additional water boiled by decay heat. In addition, if the GDCS lines break, the shape of the RPV and the drywell will ensure that a "lake" of liquid water forms that submerges the bottom of the RPV (and the core within).

There is sufficient water to cool the heat exchangers of the PCCS for 72 hours. At this point, all that needs to happen is for the pools that cool the PCCS heat exchangers to be refilled, which is a comparatively trivial operation, doable with a portable fire pump and hoses.

Standby liquid control system (SLCS)
The SLCS is a backup to the reactor protection system. In the event that RPS is unable to scram the reactor for any reason, the SLCS will inject a liquid boron solution into the reactor vessel to bring it to a guaranteed shutdown state prior to exceeding any containment or reactor vessel limits. The standby liquid control system is designed to deliver the equivalent of 86 gpm of 13% by weight sodium pentaborate solution into a 251-inch BWR reactor vessel. SLCS, in combination with the alternate rod insertion system, the automatic recirculation pump trip and manual operator actions to reduce water level in the core will ensure that the reactor vessel does not exceed its ASME code limits, the fuel does not suffer core damaging instabilities, and the containment does not fail due to overpressure during high power scram failure.

The SLCS consists of a tank containing borated water as a neutron absorber, protected by explosively-opened valves and redundant pumps, allowing the injection of the borated water into the reactor against any pressure within; the borated water will shut down a reactor and keep it shut down. The SLCS can also be injected during a LOCA or a fuel cladding failure to adjust the pH of the reactor coolant that has spilled, preventing the release of some radioactive materials.

Versioning note: The SLCS is a system that is never meant to be activated unless all other measures have failed. In the BWR/1 – BWR/6, its activation could cause sufficient damage to the plant that it could make the older BWRs inoperable without a complete overhaul. With the arrival of the ABWR and (E)SBWR, operators do not have to be as reluctant about activating the SLCS, as these reactors have a reactor water cleanup system (RWCS) which is designed to remove boron – once the reactor has stabilized, the borated water within the RPV can be filtered through this system to promptly remove the soluble neutron absorbers that it contains and thus avoid damage to the internals of the plant.

Containment system
The ultimate safety system inside and outside of every BWR is the set of physical barriers that both protect the reactor from the outside world and protect the outside world from the reactor.

There are five levels of shielding:
 * 1) The fuel pellets inside the reactor pressure vessel are sealed in Zircaloy cladding tubes;
 * 2) The reactor pressure vessel itself is manufactured from steel roughly 6 in (15 cm) thick, lined on its wetted inner surface with a cladding of high-temperature, vibration- and corrosion-resistant stainless steel (grade 316L);
 * 3) The primary containment structure is made of steel 1 inch thick;
 * 4) The secondary containment structure is made of steel-reinforced, pre-stressed concrete 1.2 – thick.
 * 5) The reactor building (the shield wall/missile shield) is also made of steel-reinforced, pre-stressed concrete 0.3 to 1 m thick.

If every possible measure standing between safe operation and core damage fails, the containment can be sealed indefinitely, and it will prevent any substantial release of radiation to the environment from occurring in nearly any circumstance.

Varieties of BWR containments
As the descriptions of the systems above show, BWRs are quite divergent in design from PWRs. Unlike the PWR, which has generally followed a very predictable external containment design (the stereotypical dome atop a cylinder), BWR containments vary in external form, and their internals differ even more strikingly from those of the PWR. There are five major varieties of BWR containments:


 * The "premodern" containment (Generation I); spherical in shape, and featuring a steam drum separator, or an out-of-RPV steam separator, and a heat exchanger for low-pressure steam, this containment is now obsolete, and is not used by any operative reactor.
 * the Mark I containment, consisting of a rectangular steel-reinforced concrete building, along with an additional layer of steel-reinforced concrete surrounding the steel-lined cylindrical drywell and the steel-lined pressure suppression torus below. The Mark I was the earliest type of containment in wide use, and many reactors with Mark Is are still in service today. There have been numerous safety upgrades made over the years to this type of containment, especially to provide for orderly reduction of containment load caused by pressure in a compounded limiting fault. The reactor building of the Mark I generally is in the form of a large rectangular structure of reinforced concrete.


 * the Mark II containment, similar to the Mark I, but omitting a distinct pressure suppression torus in favor of a cylindrical wetwell below the non-reactor cavity section of the drywell. Both the wetwell and the drywell have a primary containment structure of steel as in the Mark I, as well as the Mark I's layers of steel-reinforced concrete composing the secondary containment between the outer primary containment structure and the outer wall of the reactor building proper. The reactor building of the Mark II generally is in the form of a flat-topped cylinder.
 * the Mark III containment, generally similar in external shape to the stereotypical PWR, and with some similarities on the inside, at least on a superficial level. For example, rather than having a slab of concrete that staff could walk upon while the reactor was not being refueled covering the top of the primary containment and the RPV directly underneath, the Mark III takes the BWR in a more PWR-like direction by placing a water pool over this slab. Additional changes include abstracting the wetwell into a pressure-suppression pool with a weir wall separating it from the drywell.
 * Advanced containments; the present models of BWR containments for the ABWR and the ESBWR are throwbacks to the classical Mark I/II style of being quite distinct from the PWR on the outside as well as the inside, though both reactors incorporate the Mark III-like arrangement of having non-safety-related buildings surrounding or attached to the reactor building, rather than being overtly distinct from it. These containments are also designed to take far more stress than previous containments, providing advanced safety. In particular, GE regards these containments as able to withstand a direct hit by a tornado beyond F5 on the original Fujita scale, with winds of 330+ miles per hour; such a tornado has never been measured on earth. They are also designed to withstand seismic accelerations of 0.2 g, or nearly 2 m/s², in any direction.

Containment Isolation System
Many valves on lines passing in and out of the containment are required to be open to operate the facility. During an accident where radioactive material may be released, these valves must shut to prevent the release of radioactive material or the loss of reactor coolant. The containment isolation system is responsible for automatically closing these valves to prevent the release of radioactive material and is an important part of a plant's safety analysis. The isolation system is separated into groups for major system functions. Each group contains its own criteria to trigger an isolation. The isolation system is similar to the reactor protection system in that it consists of multiple channels, it is classified as safety-related, and it requires confirmatory signals from multiple channels to issue an isolation to a system. Examples of parameters monitored by the isolation system include containment pressure, acoustic or thermal leak detection, differential flow, high steam or coolant flow, low reactor water level, and high radiation readings in the containment building or ventilation system. These isolation signals lock out all of the valves in the group after closing them, and all signals must be cleared before the lockout can be reset.

Isolation valves consist of two safety-related valves in series. One is an inboard valve, the other is an outboard valve. The inboard valve is located inside the containment, and the outboard valve is located just outside the containment. This provides redundancy as well as making the system immune to the single failure of any inboard or outboard valve operator or isolation signal. When an isolation signal is given to a group, both the inboard and outboard valves stroke closed. Tests of the isolation logic must be performed regularly and are a part of each plant's technical specifications. The time these valves take to stroke closed is a component of each plant's safety analysis, and failure to close within the analyzed time is a reportable event.

Examples of isolation groups include the main steamlines, the reactor water cleanup system, the reactor core isolation cooling (RCIC) system, shutdown cooling, and the residual heat removal system. For pipes which inject water into the containment, two safety-related check valves are generally used in lieu of motor operated valves. These valves must be tested regularly as well to ensure they do indeed seal and prevent leakage even against high reactor pressures.
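The isolation logic described above, as an added example that is not code from the article or from any reactor vendor: a toy model of one isolation group with coincidence voting across channels, a lockout that persists until every channel has cleared, two valves in series so that a single failed valve operator still leaves the line isolated, and a stroke-time check against an analyzed limit. The channel names, setpoints, 2-out-of-4 coincidence and stroke-time limits are assumed values for illustration.

```python
"""Toy model of one containment isolation group (added example, not code from
the article or any reactor vendor). Channel names, setpoints, the 2-out-of-4
coincidence and the stroke-time limits are assumed values for illustration."""
from dataclasses import dataclass

@dataclass
class Channel:
    name: str
    setpoint: float
    tripped: bool = False

    def update(self, value):
        # Fail-safe: a lost signal (None) is treated the same as a trip.
        self.tripped = value is None or value >= self.setpoint
        return self.tripped

@dataclass
class IsolationValve:
    name: str
    max_stroke_s: float          # analyzed closure time from the safety analysis
    operator_ok: bool = True     # a failed operator cannot move the valve
    is_open: bool = True

    def close(self, stroke_s):
        """Return True only if the valve shut within its analyzed stroke time."""
        if not self.operator_ok:
            return False
        self.is_open = False
        return stroke_s <= self.max_stroke_s

class IsolationGroup:
    def __init__(self, channels, inboard, outboard, coincidence=2):
        self.channels, self.inboard, self.outboard = channels, inboard, outboard
        self.coincidence = coincidence   # confirmatory channels needed to isolate
        self.locked_out = False

    def evaluate(self, readings, stroke_s):
        """Feed one set of readings (missing channel = no signal); isolate on coincidence."""
        trips = sum(c.update(readings.get(c.name)) for c in self.channels)
        if trips < self.coincidence:
            return {}
        self.locked_out = True           # latched until an explicit reset
        return {v.name: v.close(stroke_s) for v in (self.inboard, self.outboard)}

    def isolated(self):
        return not (self.inboard.is_open and self.outboard.is_open)  # series valves

    def reset(self):
        if any(c.tripped for c in self.channels):
            return False                 # lockout stays until every channel clears
        self.locked_out = False
        return True
```

A single tripped channel does not isolate the group, a failed inboard operator still leaves the line isolated via the outboard valve, and a closure slower than the analyzed stroke time is reported as a failure even though the valve did shut.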

Hydrogen management
During normal plant operations and in normal operating temperatures, the hydrogen generation is not significant. When the nuclear fuel overheats, zirconium in Zircaloy cladding used in fuel rods oxidizes in reaction with steam:
 * Zr + 2H2O → ZrO2 + 2H2

When mixed with air, hydrogen is flammable, and hydrogen detonation or deflagration may damage the reactor containment. In reactor designs with small containment volumes, such as the Mark I or II containments, the preferred method for managing hydrogen is pre-inerting with an inert gas—generally nitrogen—to reduce the oxygen concentration in the air below that needed for hydrogen combustion, together with the use of thermal recombiners. Pre-inerting is considered impractical with larger containment volumes, where thermal recombiners and deliberate ignition are used instead. Mark III containments have hydrogen igniters and hydrogen mixers which are designed to prevent the buildup of hydrogen, either through pre-ignition before the lower explosive limit of 4% is exceeded or through recombination with oxygen to make water.

The safety systems in action: the Design Basis Accident
The Design Basis Accident (DBA) for a nuclear power plant is the most severe possible single accident that the designers of the plant and the regulatory authorities could reasonably expect. It is also, by definition, the accident the safety systems of the reactor are designed to respond to successfully, even if it occurs when the reactor is in its most vulnerable state. The DBA for the BWR consists of the total rupture of a large coolant pipe in the location that is considered to place the reactor in the most danger of harm—specifically, for older BWRs (BWR/1-BWR/6), the DBA consists of a "guillotine break" in the coolant loop of one of the recirculation jet pumps, which is substantially below the core waterline (LBLOCA, large break loss of coolant accident), combined with loss of feedwater to make up for the water boiled in the reactor (LOFW, loss of proper feedwater), combined with a simultaneous collapse of the regional power grid, resulting in a loss of power to certain reactor emergency systems (LOOP, loss of offsite power). The BWR is designed to shrug this accident off without core damage.

The description of this accident is applicable for the BWR/4.

The immediate result of such a break (call it time T+0) would be a pressurized stream of water well above the boiling point shooting out of the broken pipe into the drywell, which is at atmospheric pressure. As this water stream flashes into steam, because of the decrease in pressure and the fact that the water is above its boiling point at normal atmospheric pressure, the pressure sensors within the drywell will report a pressure increase anomaly to the reactor protection system by T+0.3 at the latest. The RPS will interpret this pressure increase signal, correctly, as the sign of a break in a pipe within the drywell. As a result, the RPS immediately initiates a full SCRAM, closes the main steam isolation valves (isolating the containment building), trips the turbines, attempts to begin the spinup of RCIC and HPCI using residual steam, and starts the diesel pumps for LPCI and CS.

Now let us assume that the power outage hits at T+0.5. The RPS is on a float uninterruptible power supply, so it continues to function; its sensors, however, are not, and so the RPS, by fail-safe design, assumes that they are all detecting emergency conditions. Within less than a second of the power outage, auxiliary batteries and compressed air supplies are starting the Emergency Diesel Generators. Power will be restored by T+25 seconds.

Let us return to the reactor core. Due to the closure of the MSIV (complete by T+2), a wave of backpressure will hit the rapidly depressurizing RPV, but this is immaterial, as the depressurization due to the recirculation line break is so rapid and complete that no steam voids will likely collapse to liquid water. HPCI and RCIC will fail due to loss of steam pressure in the general depressurization, but this is again immaterial, as the 2,000 L/min (600 US gal/min) flow rate of RCIC available after T+5 is insufficient to maintain the water level; nor would the 19,000 L/min (5,000 US gal/min) flow of HPCI, available at T+10, be enough to maintain the water level, if it could work without steam. At T+10, the temperature of the reactor core, approximately 285 °C at and before this point, begins to rise as enough coolant has been lost from the core that voids begin to form in the coolant between the fuel rods and they begin to heat rapidly. By T+12 seconds from the accident start, fuel rod uncovery begins. At approximately T+18, areas in the rods have reached 540 °C. Some relief comes at T+20 or so, as the negative temperature coefficient and the negative void coefficient slow the rate of temperature increase. T+25 sees power restored; however, LPCI and CS will not be online until T+40.

At T+40, core temperature is at 650 °C and rising steadily; CS and LPCI kick in and begin deluging the steam above the core, and then the core itself. First, the large amount of steam still trapped above and within the core has to be knocked down, or the water will be flashed to steam before it hits the rods. This happens after a few seconds, as the approximately 200,000 L/min (3,300 L/s, 52,500 US gal/min, 875 US gal/s) of water these systems release begins to cool first the top of the core, with LPCI deluging the fuel rods and CS suppressing the generated steam, until at approximately T+100 seconds all of the fuel is subject to deluge and the last remaining hot spots at the bottom of the core are being cooled. The peak temperature attained was 900 °C (well below the maximum of 1200 °C established by the NRC) at the bottom of the core, which was the last hot spot to be reached by the water deluge.

The core is cooled rapidly and completely, and following cooling to a reasonable temperature, below that consistent with the generation of steam, CS is shut down and LPCI is decreased in volume to a level consistent with maintenance of a steady-state temperature among the fuel rods, which will drop over a period of days due to the decrease in fission-product decay heat within the core.

After a few days of LPCI, decay heat will have abated sufficiently that defueling of the reactor can commence with a degree of caution. Following defueling, LPCI can be shut down. A long period of physical repairs will be necessary: repair the broken recirculation loop; overhaul the ECCS, diesel pumps and diesel generators; drain the drywell; fully inspect all reactor systems; bring non-conforming systems up to spec; replace old and worn parts; and so on. At the same time, different personnel from the licensee, working hand in hand with the NRC, will evaluate what the immediate cause of the break was; search for the events that led to the immediate cause of the break (the root causes of the accident); and then analyze the root causes and take corrective actions based on the root causes and immediate causes discovered. This is followed by a period to reflect on and post-mortem the accident, discuss what procedures worked, what procedures didn't, what could have been done better if it all happened again, and what could be done to ensure it doesn't happen again; and to record lessons learned and propagate them to other BWR licensees. When this is accomplished, the reactor can be refueled, resume operations, and begin producing power once more.

The ABWR and ESBWR, the most recent models of the BWR, are not vulnerable to anything like this incident in the first place, as they have no liquid penetrations (pipes) lower than several feet above the waterline of the core, and thus, the reactor pressure vessel holds in water much like a deep swimming pool in the event of a feedwater line break or a steam line break. The BWR 5s and 6s have additional tolerance, deeper water levels, and much faster emergency system reaction times. Fuel rod uncovery will briefly take place, but maximum temperature will only reach 600 °C, far below the NRC safety limit.

According to a report by the U.S. Nuclear Regulatory Commission into the Fukushima Daiichi nuclear disaster, the March 2011 Tōhoku earthquake and tsunami that caused that disaster was an event "far more severe than the design basis for the Fukushima Daiichi Nuclear Power Plant". The reactors at this plant were BWR 3 and BWR 4 models. Their primary containment vessels had to be flooded with seawater containing boric acid, which will preclude any resumption of operation and was not anticipated in the DBA scenario. In addition, nothing similar to the chemical explosions that occurred at the Fukushima Daiichi plant was anticipated by the DBA.

Prior to the Fukushima Daiichi disaster, no incident approaching the DBA or even a LBLOCA in severity had occurred with a BWR. There had been minor incidents involving the ECCS, but in those circumstances it had performed at or beyond expectations. The most severe incident that had previously occurred with a BWR was in 1975 due to a fire caused by extremely flammable urethane foam installed in the place of fireproofing materials at the Browns Ferry Nuclear Power Plant; for a short time, the control room's monitoring equipment was cut off from the reactor, but the reactor shut down successfully, and, as of 2009, is still producing power for the Tennessee Valley Authority, having sustained no damage to systems within the containment. The fire had nothing to do with the design of the BWR – it could have occurred in any power plant, and the lessons learned from that incident resulted in the creation of a separate backup control station, compartmentalization of the power plant into fire zones and clearly documented sets of equipment which would be available to shut down the reactor plant and maintain it in a safe condition in the event of a worst-case fire in any one fire zone. These changes were retrofitted into every existing US and most Western nuclear power plants and built into new plants from that point forth.

Notable activations of BWR safety systems
General Electric defended the design of the reactor, stating that the station blackout caused by the 2011 Tōhoku earthquake and tsunami was a "beyond-design-basis" event which led to Fukushima I nuclear accidents. According to the Nuclear Energy Institute, "Coincident long-term loss of both on-site and off-site power for an extended period of time is a beyond-design-basis event for the primary containment on any operating nuclear power plant".

The reactors shut down as designed after the earthquake. However, the tsunami disabled four of the six sets of switchgear and all but three of the diesel backup generators which operated the emergency cooling systems and pumps. The pumps were designed to circulate hot fluid from the reactor to be cooled in the wetwell, but only units 5 and 6 had any power. The reactor cores of units 1, 2 and 3 overheated and melted. Radioactivity was released into the air as fuel rods were damaged by overheating, having been exposed to air as water levels fell below safe levels. As an emergency measure, operators resorted to using fire trucks and salvaged car batteries to inject seawater into the drywell to cool the reactors, but achieved only intermittent success, and three cores overheated. Reactors 1–3, and by some reports 4, all suffered violent hydrogen explosions in March 2011 which damaged or destroyed their top levels or, in the case of unit 2, the lower suppression level.

As emergency measures, helicopters attempted to drop water from the ocean onto the open rooftops. Later water was sprayed from fire engines onto the roof of reactor 3. A concrete pump was used to pump water into the spent fuel pond in unit 4.

According to NISA, the accident released up to 10 petabecquerels of radioactive iodine-131 per hour in the initial days, and up to 630 PBq total, about one eighth the 5200 PBq released at Chernobyl.