Welcome to Nuclear Engineering 401
Nuclear Engineering 401: Reactor Design Capstone
This is not a lecture. This is a design project.
You are going to design a nuclear power plant from the ground up. Every section asks you to make a real engineering decision and defend it with specific technical reasoning. You will specify fuel, coolant, reactor type, three independent cooling systems, three independent shutdown systems, three independent power sources, three independent monitoring channels, passive safety features, human oversight structure, siting criteria, and a licensing pathway.
Wrong answers — unsafe choices, missing redundancy, forgotten human oversight — get pushed back on. This is how engineering review boards work. You do not pass by being vague. You pass by being right.
What this capstone covers:
1. Mission definition — what you are building and why
2. Reactor type selection — PWR, BWR, CANDU, MSR, or SMR
3. Fuel design — enrichment, assembly geometry, cladding, burnup
4. Coolant and moderator — compatibility, chemistry, hazards
5. Triple redundancy: three cooling loops, three shutdown systems, three power sources, three monitoring channels
6. Passive safety features — physics-based, no power required
7. Human oversight — licensed operators, shift limits, training, two-person integrity
8. Siting — seismic, flood, EPZ, exclusion area
9. Licensing — NRC 10 CFR Part 52, FSAR, PRA, ITAAC
10. Final design review — complete system integration and historical lessons learned
By the end, you will have a complete, defensible reactor design. Let's begin.
Prerequisites
Before we design a reactor, confirm you have the background. This capstone assumes you can answer questions like:
- What is the difference between fission and fusion?
- Why does a chain reaction require a critical mass?
- What caused the Chernobyl accident? The Fukushima accident?
- What is decay heat and why does it matter after shutdown?
Define Your Mission
Section 1: Mission Definition
Every reactor design starts with a mission. The mission drives every subsequent decision.
Power output determines reactor size, fuel inventory, and coolant flow requirements. A 100 MWe small modular reactor (SMR) has very different engineering constraints than a 1,200 MWe pressurized water reactor.
Location drives siting criteria, coolant source, grid integration, emergency planning, and seismic design basis. Inland river sites use river water for cooling and must address flood risk. Coastal sites use seawater but must address tsunamis and storm surge. Remote island or off-grid sites may not connect to a national grid at all.
Grid integration vs. isolated microgrid changes how load-following requirements are handled and what happens if the grid fails (station blackout risk).
Design life affects material fatigue limits, inspection intervals, license renewal requirements, and decommissioning cost reserves. The NRC currently licenses plants for 40 years with 20-year renewal extensions. Some designs are targeting 80-year life.
Typical mission profiles:
- 300 MWe SMR, remote island, isolated grid, 60-year life
- 1,100 MWe PWR, inland river site, national grid, 60-year life
- 1,600 MWe EPR, coastal site, national grid, 60-year life
- 2 × 77 MWe NuScale SMR array, inland site, regional grid, 40-year life
Your Mission Statement
Define your reactor's mission. This becomes the foundation of every design decision that follows.
Reactor Type Trade-Off Analysis
Section 2: Reactor Type Selection
Five major commercial reactor types are in serious consideration today. Each has a different physics basis, fuel cycle, safety profile, and maturity level. You must choose one and defend it.
Pressurized Water Reactor (PWR)
The most common reactor type worldwide (about 70% of operating plants). Light water (H₂O) serves as both coolant and moderator. The primary loop runs at ~155 bar / 325°C — high pressure keeps water liquid. A steam generator transfers heat to a secondary loop, which drives the turbine. Radioactive water stays in the primary loop.
Pros: Decades of operating experience, strong negative void coefficient (water loss causes reactivity decrease), proven safety record, large industrial supply chain.
Cons: High operating pressure (requires thick-walled pressure vessels and heavy-duty pumps), two-loop complexity, loss-of-coolant accident (LOCA) requires active ECCS response.
Boiling Water Reactor (BWR)
Water boils inside the reactor vessel. Steam goes directly to the turbine. Simpler than PWR — no steam generator needed.
Pros: Lower operating pressure than PWR, simpler one-loop design, direct cycle is more efficient.
Cons: Radioactive steam goes to the turbine (turbine building is a radiation area), complex ECCS with multiple injection systems, slightly positive void coefficient at some power levels requires careful design.
CANDU (Canada Deuterium Uranium)
Uses heavy water (D₂O) as moderator and coolant. Can use natural uranium fuel (no enrichment needed). Unique feature: online refueling — fuel channels can be replaced without shutdown.
Pros: No enrichment requirement (fuel cost advantage), online refueling means very high capacity factor, heavy water moderator allows flexible fuel cycle.
Cons: Heavy water is expensive to produce (~$1000/kg), some configurations have a slightly positive void coefficient under certain conditions, which requires careful safety design, large physical footprint.
Molten Salt Reactor (MSR)
Fuel is dissolved in molten fluoride or chloride salt. No solid fuel to melt — if cooling fails, the salt freezes or drains to a passive freeze plug. Can use thorium fuel cycle.
Pros: Walk-away safe (passive drain makes meltdown physically impossible), operates at atmospheric pressure (no LOCA risk), online refueling, thorium fuel cycle produces far less long-lived waste.
Cons: Materials challenges (structural materials must survive hot, corrosive, radioactive salt for decades), pre-commercial technology — no MSR has operated commercially, tritium production in fluoride salts is a regulatory challenge.
Small Modular Reactor (SMR) — NuScale/Rolls-Royce type
Factory-fabricated PWR or integral PWR modules, typically 50-300 MWe each. Passive safety relies on natural circulation, no pumps required. Multiple modules can be combined for scalability.
Pros: Factory quality control, passive safety systems (no pumps, no AC power needed for cooling), scalable capacity, shorter construction time.
Cons: Higher per-kWe capital cost than large plants, most designs are pre-commercial or just entering operation (NuScale VOYGR certified 2022 but projects cancelled 2023), supply chain not yet developed at scale.
The key safety physics question for any reactor type:
What happens if the coolant temperature rises or coolant is lost? A reactor with a negative temperature coefficient and negative void coefficient will automatically reduce power — a self-correcting, inherently safe response. A reactor with a positive void coefficient (power increases as coolant is lost) requires active systems to shut down safely. This is what made Chernobyl's RBMK so dangerous.
Choose Your Reactor Type
Review the reactor type comparison diagram above before deciding.
Fuel Design Parameters
Section 3: Fuel Design
Fuel design determines how much energy you get, how long the fuel lasts, and what happens in an accident. Every parameter interacts with every other parameter.
Fuel type:
- UO₂ (uranium dioxide): The global standard. Ceramic pellets, high melting point (~2850°C), chemically stable, well-characterized. Slight disadvantage: low thermal conductivity — heat builds up in the pellet center.
- MOX (mixed oxide): Blend of UO₂ and PuO₂. Burns plutonium from weapons or reprocessed spent fuel. Slightly lower melting point than UO₂, requires licensed MOX fabrication facility.
- TRISO (tri-structural isotropic): Microspheres of fuel (UO₂ or UCO) coated with multiple ceramic layers. Each particle is its own tiny containment vessel. Used in high-temperature gas reactors and some advanced designs. Extremely robust — tested to very high temperatures without release.
Enrichment:
- Natural uranium (0.7% U-235): Used in CANDU. No enrichment cost, but requires heavy water moderator.
- LEU 3-5% (low enriched uranium): Standard for PWR and BWR fuel. Enriched to 3-5% U-235.
- HALEU 5-20% (high-assay low enriched uranium): Used in many SMR and advanced reactor designs. Higher enrichment allows smaller, more compact cores and longer fuel cycles. Requires additional safeguards because of higher enrichment.
- HEU >20%: Prohibited in commercial power reactors.
Cladding material:
- Zircaloy-4: Standard cladding worldwide. Low neutron absorption, good mechanical properties up to ~400°C. Critical weakness: above ~1200°C reacts with steam to produce hydrogen gas (Zr + 2H₂O → ZrO₂ + 2H₂). This was the hydrogen source at Fukushima.
- M5 (Zr-Nb alloy): Better corrosion resistance than Zircaloy-4 for high burnup fuel.
- SiC/SiC composite: Advanced accident-tolerant fuel (ATF) cladding. Much higher temperature tolerance, does not produce hydrogen in steam. Active development but not yet in widespread commercial use.
Burnup target:
Standard LWR fuel achieves ~45-50 GWd/tHM (gigawatt-days per metric ton of heavy metal) before removal. High-performance fuel can reach 65-70 GWd/tHM. Some advanced designs target 100+ GWd/tHM for extended cycles. Higher burnup means fewer fuel outages but requires better cladding performance and more enrichment.
Burnable absorbers:
Fresh fuel is highly reactive — too reactive if you load a full core. Burnable absorbers (gadolinium oxide mixed into fuel pellets, or IFBA — integral fuel burnable absorber, a thin ZrB₂ coating) absorb excess neutrons early in life and burn away as the fuel depletes, flattening the power distribution over the cycle.
Core loading pattern:
- In-out loading: Fresh fuel loaded at the center, moved outward as it depletes. Simple but creates high power peaks in the center.
- Low-leakage loading: Fresh fuel placed on the outside of the core, depleted fuel in the center. Reduces neutron leakage (better fuel economy) and reduces fluence on the reactor pressure vessel. Standard practice for modern PWRs.
Specify Your Fuel Design
Consider how your fuel choices interact with your reactor type and mission. A CANDU designer does not need enrichment. An SMR designer might choose HALEU for a compact core. A PWR designer must address cladding and the hydrogen production risk.
Coolant and Moderator Design
Section 4: Coolant and Moderator Compatibility
Your coolant, moderator, fuel, and cladding must be chemically and physically compatible. A mismatch creates either a safety problem or an impossible design.
Light Water (H₂O) — PWR, BWR, SMR:
The best moderator per unit volume. Also an excellent coolant. Operates at high pressure (PWR: ~155 bar, BWR: ~70 bar). Key hazard: at high temperature it flashes to steam (loss of moderation and coolant simultaneously — the LOCA scenario). Chemistry control is critical — pH, dissolved oxygen, and zinc injection all affect corrosion rates of structural materials. Zircaloy cladding is compatible up to ~400°C in normal operation.
Heavy Water (D₂O) — CANDU:
Excellent moderator with much lower neutron absorption than H₂O — this is why CANDU can run on natural uranium. Operates at ~100 bar in pressure tubes. Heavy water costs ~$1000/kg to produce (via Girdler-Sulfide or other isotope separation process). Tritium production from D + n → T is an operational challenge — tritium is a beta emitter and must be managed. Chemistry: similar to light water but with different oxygen isotope considerations.
Graphite — RBMK, HTGR:
The RBMK used graphite as moderator with water coolant — a dangerous combination because of the positive void coefficient. The HTGR (high temperature gas reactor) uses graphite as moderator with helium coolant — a safe combination because graphite does not contribute to a positive void coefficient with gas coolant. Graphite can also be a fire hazard if it reaches very high temperatures in air — this was a factor in the Windscale fire of 1957.
Molten Salt — MSR:
The salt is both fuel carrier and coolant. No separate moderator needed (except in thermal MSRs that may include graphite). Operates at atmospheric pressure — no high-pressure LOCA risk. Key challenges: fluoride salts are highly corrosive to structural metals, chloride salts may activate under neutron flux. Materials must survive decades of exposure. The freeze plug — a frozen plug of salt cooled by a small fan — melts if power is lost, draining the fuel to a subcritical geometry. This is a passive safety feature.
Sodium — Fast Reactor (SFR):
Liquid sodium is an excellent coolant for fast reactors. Very high thermal conductivity, operates at atmospheric pressure, natural circulation is effective. Severe hazard: sodium burns violently when exposed to air and reacts explosively with water. All sodium systems require double-wall heat exchangers and inert atmosphere. A sodium fire was a major incident at Monju (Japan) and Superphénix (France).
Compatibility matrix (what must all work together):
- Coolant chemistry must not corrode the cladding under irradiation
- Moderator must be compatible with coolant (heavy water and light water are compatible; graphite and water create the RBMK positive void problem)
- Fuel must be chemically stable in the coolant (UO₂ in water: fine. UF₄ in fluoride salt: fine. UO₂ in sodium: fine. But metallic uranium in water corrodes.)
- Operating temperature and pressure must be within material qualification limits
Justify Your Coolant and Moderator
Your reactor type determines your primary coolant. Now justify the compatibility of your full system — coolant, moderator, fuel, and cladding — and identify the main chemical or thermal hazard.
The Three Independent Cooling Loops
Section 5a: Triple Redundant Cooling Systems
Why three cooling loops?
Fukushima had backup cooling. It failed because all backups shared a common vulnerability: they needed AC power, and the same tsunami that knocked out grid power also destroyed the diesels. Single failures cascaded to complete loss of cooling.
Triple redundancy is not just three copies of the same system. True redundancy requires independence across three dimensions:
- Physical separation: Different buildings, different quadrants, different elevations. A flood in one quadrant cannot disable another.
- Different power sources: Different electrical buses, different backup power. A failure of one bus cannot disable another cooling loop.
- Different activation logic: One loop activates on high temperature, another on low pressure, another on no power at all. Different failure modes activate different loops.
The three standard cooling loops for a modern PWR:
Loop 1 — Normal Shutdown Cooling (SCS / Residual Heat Removal, RHR):
Active system. Pumps circulate coolant through heat exchangers to remove decay heat after shutdown. Powered by normal AC or emergency AC. Operates at low pressure after depressurization. Activation setpoint: typically when RCS temperature drops below ~177°C (350°F) and pressure below ~28 bar (400 psi). This is the primary decay heat removal system during planned shutdowns.
Loop 2 — Emergency Core Cooling System (ECCS) — High-Pressure and Low-Pressure Injection:
Active system. Responds to loss-of-coolant accidents. High-pressure injection (HPI) fires for small breaks — maintains reactor coolant system (RCS) pressure, injects borated water. Accumulator injection — large tanks of borated water under nitrogen pressure (~40 bar) — discharge passively when RCS pressure drops below accumulator pressure (no pumps, no power needed for this stage). Low-pressure injection (LPI) takes over after the RCS has fully depressurized. The boron concentration is critical: enough to achieve and maintain cold shutdown without control rods.
Loop 3 — Passive Core Cooling (gravity-fed or natural circulation):
Passive system — no pumps, no AC power, no operator action required. Two approaches:
- AP1000 style (Westinghouse): Large water tank above the reactor (core makeup tanks, passive residual heat removal heat exchangers). Gravity-fed. In accident conditions, natural circulation removes decay heat from the primary to the tank water, which boils and vents steam that condenses on the steel containment shell, which in turn is cooled by outside air. Completely passive.
- NuScale style: The reactor module sits inside a pool of water. Natural circulation within the primary system transfers heat to the pool. No pumps anywhere in the primary or safety systems.
- PRHR HX (Passive Residual Heat Removal Heat Exchanger): Immersed in a large water-filled tank (in-containment refueling water storage tank, IRWST). Natural circulation through the PRHR HX removes decay heat without any pumps. Operates for 72 hours without any operator action.
Independence verification — what must be true:
- Loop 1, 2, and 3 must draw power from different electrical buses (1A, 1B, 1C or Div I, II, III)
- Loop 3 must function with total loss of AC power
- Each loop must be in a different physical division (separated by barriers or distance)
- Common cause failures — like Fukushima's tsunami — must be analyzed and prevented
Common cause failure analysis:
What single failure could disable all three loops? You must identify it and show how your design prevents it.
- Seismic common cause: all three loops must be in Seismic Category I structures designed for the site SSE
- Flooding common cause: loops in different elevations or flood-protected compartments
- Fire common cause: fire barriers (3-hour rated), separate cable runs, redundant separation
- Loss of heat sink common cause: if all three loops reject heat to the same ultimate heat sink (river, ocean), a loss of that sink must be analyzed
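The independence rules and common cause checks above can be written down as a checklist that a design reviewer runs over the three loops. The following is an added example, not part of the original capstone: the loop attributes, bus and division names, and both sample configurations are constructed for illustration.

```python
"""Independence check for three cooling loops (added example; loop data is
constructed to mirror the Section 5a rules, bus/division names are assumed)."""
from dataclasses import dataclass


@dataclass
class CoolingLoop:
    name: str
    power_bus: str        # electrical division feeding the loop, e.g. "Div I"
    division: str         # physical division (building / quadrant)
    elevation_m: float    # floor elevation of the loop's equipment above grade
    activation: str       # signal that starts the loop
    needs_ac: bool        # True for pump-driven (active) loops
    seismic_cat_1: bool   # housed in a Seismic Category I structure
    heat_sink: str        # ultimate heat sink the loop rejects heat to


def check_independence(loops, flood_level_m):
    """Return a list of findings. An empty list means the loops satisfy the
    independence rules in the text; each finding names the rule violated."""
    findings = []
    if len(loops) != 3:
        findings.append("exactly three loops required")
    # Rules 1-3: different buses, different divisions, different activation logic
    for attr, rule in (("power_bus", "different electrical buses"),
                       ("division", "different physical divisions"),
                       ("activation", "different activation logic")):
        values = [getattr(loop, attr) for loop in loops]
        if len(set(values)) != len(values):
            findings.append(f"{rule}: shared {attr} {values}")
    # Rule: at least one loop must work with total loss of AC power
    if all(loop.needs_ac for loop in loops):
        findings.append("no loop functions with total loss of AC power")
    # Seismic common cause: every loop in a Seismic Category I structure
    for loop in loops:
        if not loop.seismic_cat_1:
            findings.append(f"seismic common cause: {loop.name} not Seismic Category I")
    # Flooding common cause: at least one loop must sit above the design flood
    if not any(loop.elevation_m > flood_level_m for loop in loops):
        findings.append("flooding common cause: every loop below design flood level")
    # Loss of heat sink common cause: all loops sharing one ultimate heat sink
    if len({loop.heat_sink for loop in loops}) == 1:
        findings.append(f"loss of heat sink common cause: all loops use {loops[0].heat_sink}")
    return findings


# Constructed configuration resembling a modern PWR with a passive third loop
GOOD_LOOPS = [
    CoolingLoop("RHR", "Div I", "quadrant A", 0.0, "low_temp_low_pressure", True, True, "river"),
    CoolingLoop("ECCS", "Div II", "quadrant B", 6.0, "low_rcs_pressure", True, True, "river"),
    CoolingLoop("PRHR", "Div III", "quadrant C", 30.0, "loss_of_power", False, True, "atmosphere"),
]

# Constructed configuration with shared bus, shared division, all loops active,
# everything in a basement and one ultimate heat sink (the Fukushima pattern)
BAD_LOOPS = [
    CoolingLoop("RHR", "Bus A", "turbine basement", -3.0, "low_temp_low_pressure", True, True, "ocean"),
    CoolingLoop("ECCS", "Bus A", "turbine basement", -3.0, "low_rcs_pressure", True, True, "ocean"),
    CoolingLoop("RCIC", "Bus B", "reactor building", -3.0, "high_temp", True, True, "ocean"),
]

if __name__ == "__main__":
    for label, loops in (("good", GOOD_LOOPS), ("bad", BAD_LOOPS)):
        print(label, check_independence(loops, flood_level_m=5.0) or "independent")
```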
Design Loop 1: Normal Shutdown Cooling
Design your first cooling loop — the normal shutdown cooling / RHR system.
Design Loop 2: ECCS High-Pressure Injection
Loop 2 is your emergency core cooling — activated by accidents, not normal operations.
Design Loop 3: Passive Core Cooling
Loop 3 must work with no AC power and no operator action. It is the last line of defense — the system that prevents the Fukushima scenario.
Common Cause Failure Analysis
You have three cooling loops. Now prove they are truly independent.
Three Independent Ways to Stop the Reaction
Section 5b: Triple Redundant Shutdown Systems
Stopping a chain reaction requires more than control rods. A modern safe reactor has three completely independent shutdown mechanisms, any one of which is sufficient to achieve and maintain cold shutdown.
Why not just control rods?
Control rods failed to shut down Chernobyl's reactor fast enough — the RBMK had a positive scram coefficient: inserting graphite-tipped rods initially caused a brief power spike before shutdown. At TMI, control rods inserted correctly, but operator confusion about coolant level led to an uncovered core anyway. The lesson: no single system should be the sole means of shutdown.
Shutdown System 1 — Control Rods:
The primary shutdown system. Rods containing neutron-absorbing material (boron carbide B₄C, hafnium, or Ag-In-Cd alloy) are inserted into the core. The rods are gravity-inserted or spring-inserted (SCRAM): on loss of power or safety signal, the electromagnets holding the rods up de-energize, and rods fall into the core. SCRAM time: typically rods are fully inserted within 2-4 seconds.
Design requirements: (1) Rod worth — all rods together must be able to shut down the reactor from any operating condition, with the highest-worth rod stuck withdrawn. This is the 'stuck rod criterion.' (2) SCRAM time — measured and verified during startup testing. (3) Test frequency — control rods must be exercised (partially withdrawn and reinserted) on a regular schedule to verify operability.
Shutdown System 2 — Emergency Boration:
Inject borated water into the reactor coolant system. Boron-10 is an excellent neutron absorber. Enough boron injection achieves cold shutdown even if all control rods are stuck withdrawn. Two mechanisms: (1) Standpipe injection — boric acid tank connected to the RCS by pumps and isolation valves. (2) ECCS boron injection — the ECCS accumulator water is already borated; ECCS injection automatically provides boron. The boron concentration required for cold shutdown with all rods stuck is calculated in the safety analysis and is typically 2000-2500 ppm (as boric acid, H₃BO₃).
Shutdown System 3 — Passive Absorber Drain (physics-based, no power):
A diverse, passive shutdown mechanism using a different physical principle. Examples:
- Boron ball injection (CANDU style): Balls of absorber material fall by gravity into separate moderator compartments on loss of power.
- Passive boron injection from elevated tank: An elevated tank of concentrated boric acid drains by gravity into the RCS when a fail-open valve opens on loss of power. No pumps, no signal required.
- Molten salt drain-to-subcritical geometry: For MSRs, the freeze plug melts on loss of cooling power, draining fuel to a geometry that is physically incapable of sustaining a chain reaction (subcritical geometry designed into the drain tank).
- Burnable poison rods with spring-ejection: In some designs, secondary shutdown rods can be spring-ejected upward into the core on loss of the holding mechanism.
Test and surveillance requirements:
Each shutdown system must be tested independently on a regular schedule, with results logged and reported to the NRC. NRC inspection findings of inoperable shutdown systems are reportable events. Testing must demonstrate that each system alone can achieve cold shutdown.
Design Your Three Shutdown Systems
Design all three shutdown systems for your reactor.
Three Independent Power Sources
Section 5c: Triple Redundant Power Sources
Fukushima's core lesson: station blackout — total loss of AC power — must not lead to core damage. The NRC's post-Fukushima requirements (FLEX) mandate that plants demonstrate they can cope with extended station blackout using diverse and independent power sources.
Power Source 1 — Offsite Grid:
The normal power supply. Two or more independent transmission lines from independent substations (different grid circuits). Transformer protection — sudden pressure relay, differential relay, lockout relay — prevents a failed transformer from cascading to other buses. If the plant's main generator trips, offsite power takes over automatically within seconds via the auxiliary transformer.
Weakness: anything that damages the grid (severe weather, seismic event, grid instability) can cut offsite power. Offsite power is the most reliable normal source but the least reliable emergency source.
Power Source 2 — Emergency Diesel Generators (EDGs):
The primary emergency AC power source. NRC minimum: 2 EDGs per unit, each capable of carrying the full emergency loads for one safety division. Start requirement: EDG must reach rated voltage and frequency within 10 seconds of a start signal (NRC requirement). Fuel supply: NRC minimum is 7-day supply at full load. Post-Fukushima best practice: design for 14-day supply, with fuel delivery contracts ensuring replenishment.
Testing: monthly start test (full-speed unloaded start), quarterly load test (at rated load), 18-month endurance test (run at full load for the full test duration).
A typical 1100 MWe PWR has 2-4 EDGs, each rated ~7,000 to 9,000 kW.
Power Source 3 — Station Batteries (DC power, Class 1E):
The ultimate backup power source for instrumentation, control, emergency lighting, valve operation, and communication. DC buses fed from batteries, which are charged from AC buses during normal operation. On loss of all AC: batteries provide DC power independently.
Sizing: each DC bus must be sized to supply its load list for a minimum of 2 hours without AC recharging. Modern designs size for 4-8 hours. The load list includes: control rod drive monitors, safety-related instrumentation, emergency lighting, emergency communication, and critical valve actuators.
Battery replacement: per manufacturer schedule, typically 10-20 years. Battery testing: capacity test annually, discharge test every 18 months.
FLEX Strategy — Post-Fukushima Portable Equipment:
Portable diesel generators, portable pumps, and hoses pre-positioned at multiple locations with diverse access routes (not all reachable by the same flood or fire). Connection points to safety-related buses and cooling systems are pre-installed and tested. FLEX equipment can be deployed by operators without AC power. The NRC requires FLEX strategies to address: station blackout, loss of ultimate heat sink, and combinations.
Design Your Three Power Sources
Design your complete power architecture.
Three Independent Monitoring Channels
Section 5d: Triple Redundant Monitoring and Instrumentation
Instrumentation and control (I&C) failures caused or worsened every major nuclear accident. At TMI, operators were confused by a single indicator (a light showing whether a pilot-operated relief valve had been commanded open, not whether it was actually open) and made decisions that drained the core. At Chernobyl, key instruments were disabled or misleading during the fatal test.
Three independent measurement channels:
Modern reactors divide safety instrumentation into three (or four) independent channels — A, B, and C (or I, II, III, IV). Each channel uses different sensors, routed through separate cable runs in separate conduit, powered from separate safety buses.
Why different technologies?
Common cause failure in sensors: if all three channels use the same sensor model, a systematic defect in that model could cause all three to fail or give the same wrong reading simultaneously. Using different manufacturers or different measurement principles reduces this risk.
2-of-3 voting logic:
Three channels, each giving a yes/no signal for a safety function (e.g., 'high pressure, initiate SCRAM'). The safety action fires if at least 2 of 3 channels agree. Why not 1-of-3? Because a single faulty channel would cause spurious SCRAMs (too many false positives — the plant would be unreliable). Why not 3-of-3? Because a single failed channel would prevent the SCRAM from occurring (too few true positives — the plant would be unsafe). 2-of-3 is the mathematical optimum: resistant to single spurious trip AND single failure to trip.
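The argument for 2-of-3 can be checked numerically. The following is an added example (not from the original capstone): it implements m-of-n coincidence logic and, assuming independent channels with an assumed per-channel spurious-trip probability and failure-to-trip probability, compares 1-of-3, 2-of-3 and 3-of-3.

```python
"""m-of-n coincidence voting and its failure probabilities (added example;
the per-channel probabilities used below are assumed, not plant data)."""
from math import comb


def vote(channel_trips, m=2):
    """m-of-n logic: the safety action fires if at least m channels demand it.
    channel_trips is a sequence of booleans, one per channel."""
    return sum(1 for c in channel_trips if c) >= m


def prob_at_least(m, n, p):
    """Binomial tail: probability that at least m of n independent channels
    are each in a state that occurs with probability p."""
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(m, n + 1))


def logic_risks(m, n, p_spurious, p_fail):
    """Return (P[spurious trip], P[failure to trip on demand]) for m-of-n logic.
    Spurious trip: at least m channels falsely demand a trip.
    Failure to trip: fewer than m channels respond, i.e. at least n-m+1 fail."""
    return (prob_at_least(m, n, p_spurious),
            prob_at_least(n - m + 1, n, p_fail))


def tolerates_single_faults(m, n):
    """True if the logic neither trips on one spurious channel (needs m >= 2)
    nor loses the trip when one channel fails (needs n - m >= 1)."""
    return m >= 2 and n - m >= 1


if __name__ == "__main__":
    p_spurious, p_fail = 0.01, 0.01   # assumed per-channel probabilities
    for m in (1, 2, 3):
        spurious, fail = logic_risks(m, 3, p_spurious, p_fail)
        print(f"{m}-of-3: P(spurious)={spurious:.2e} P(fail to trip)={fail:.2e} "
              f"single-fault tolerant={tolerates_single_faults(m, 3)}")
```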
Post-accident monitoring — NUREG-0696 Category 1 variables:
The following variables must be monitored after an accident, independent of the normal digital control system (DCS), specifically to give operators ground truth even if the DCS is damaged or unreliable:
- Reactor coolant system pressure
- Reactor coolant system temperature (hot leg, cold leg)
- Reactor coolant system water level (in-vessel level)
- Containment pressure
- Containment radiation level
- Effluent radiation monitors (coolant, steam, containment atmosphere)
Environmental and seismic qualification:
All safety-related I&C must be qualified for the environmental conditions they would experience in an accident: temperature up to 150°C, humidity up to 100%, radiation up to 10⁷ rad (100 kGy) cumulative, for the duration of the accident (months). This is called 10 CFR 50 Appendix B / IEEE 323 environmental qualification. Seismic qualification (IEEE 344): must function during and after the site SSE.
Design Your Monitoring Architecture
Design your instrumentation and control safety architecture.
Safety That Works Without Power or Operators
Section 6: Passive Safety Features
Passive safety features work through physics alone — no pumps, no power, no operator action. They are always on, always working, and cannot be disabled by a station blackout.
Negative Doppler Coefficient (always present in uranium fuel):
As fuel temperature rises, the U-238 resonance absorption peaks broaden (Doppler broadening). More neutrons are captured by U-238 without causing fission. This automatically reduces the fission rate as the fuel heats up — a self-limiting, always-present feedback mechanism. It works in all reactor types that use uranium fuel. It is why a uranium reactor cannot run away like an uncontrolled chemical explosion — the physics fight back.
Negative Moderator Temperature Coefficient (for LWRs):
In light-water reactors, as coolant/moderator temperature increases, water density decreases. Less dense water moderates fewer neutrons, so fewer reach thermal energies needed for fission. Reactivity decreases automatically. This is why PWRs and BWRs are inherently self-regulating over a wide range of power levels.
Negative Void Coefficient (for most LWRs at power):
If bubbles form in the coolant or coolant is lost, moderation decreases. In LWRs, this reduces reactivity. This is the safety feature that Chernobyl's RBMK lacked — its large positive void coefficient meant that losing coolant increased power, creating a runaway feedback loop.
Passive Decay Heat Removal — Natural Circulation:
Hot water is less dense than cold water. In the primary loop, hot coolant from the core rises naturally. In designs like the AP1000, this natural circulation drives coolant through the PRHR HX without any pumps. Decay heat is removed by physics alone.
In-Vessel Retention (IVR) — AP1000 approach:
If a severe accident progresses to core damage, the molten corium must be kept inside the reactor vessel. The AP1000 design floods the reactor cavity with water (gravity-fed from the IRWST). The water outside the vessel removes heat from the vessel wall, keeping the steel vessel intact and preventing molten corium from escaping to the containment floor. This was a major design innovation — previous LWRs did not have this feature.
Ex-Vessel Core Catcher — EPR approach:
An alternative to IVR: if corium escapes the vessel, it falls into a spreading compartment (core catcher) designed to spread the melt thinly and cool it from below and above. The EPR (European Pressurized Reactor) uses this approach. Both IVR and core catcher address the same scenario — severe accident progression past vessel breach.
Hydrogen Management — Passive Autocatalytic Recombiners (PARs):
Zircaloy-steam reactions produce hydrogen. Hydrogen accumulates in containment. At 4-75% hydrogen concentration in air, it is flammable; at 13-59%, it detonates. Fukushima hydrogen explosions destroyed the Unit 1, 3, and 4 reactor buildings. Modern containments require hydrogen management: PARs (passive autocatalytic recombiners) are devices containing a platinum or palladium catalyst. Hydrogen and oxygen combine on the catalyst surface at room temperature, without ignition, producing water vapor. No power, no fans, no operator action. PARs are placed throughout containment to prevent local accumulation. Required quantity and placement are calculated based on the worst-case hydrogen source term.
Four Physical Barriers — Defense in Depth:
The diagram above shows the four physical barriers between the fuel and the environment:
1. Fuel matrix (UO₂ ceramic): retains ~95% of fission products under normal conditions
2. Fuel cladding (Zircaloy or SiC): metal barrier, first containment of any escaped fission products
3. Reactor coolant pressure boundary: thick-walled steel vessel and piping
4. Containment structure: reinforced concrete, typically 1-1.5 meters thick, designed for the pressure and temperature of a worst-case LOCA, and for aircraft impact
Design Your Passive Safety Features
Passive features are built into the physics and geometry of your design — they cannot be turned off.
The Human Safety Layer
Section 7: Human Oversight Design
Every major nuclear accident involved a human factor — not because humans are unreliable, but because the human oversight system was poorly designed. Good design makes it easy to do the right thing and hard to do the wrong thing.
Three minimum qualified staff on site at all times (24/7):
- Reactor Operator (RO): NRC-licensed (10 CFR Part 55). Operates reactor controls. Must pass written exam and operating test on the plant-specific simulator. Licensed for that specific plant — not transferable.
- Senior Reactor Operator (SRO) — Shift Supervisor: NRC-licensed. Supervises the RO. Has independent SCRAM authority — can order an emergency shutdown regardless of any other person's instructions, including management.
- Radiation Protection (RP) Technician / Health Physics Officer: Monitors radiation levels, manages personal dosimetry, authorizes access to controlled areas, tracks cumulative doses.
Independent SCRAM authority:
The shift supervisor has legal authority to initiate an emergency shutdown at any time, based on their professional judgment, without requiring management approval. This is a regulatory requirement under 10 CFR 50.54(x). The TMI lesson: operators should have had the training and authority to quickly recognize an abnormal coolant-loss scenario and SCRAM confidently. Instead, they were confused by conflicting indicators and tried to 'fix' symptoms rather than recognize the underlying condition.
Two-Person Integrity (TPI):
Specified operations — particularly fuel handling, control rod manipulation during certain tests, and access to certain vital areas — require two qualified people present and observing each other. Neither person can complete the operation alone. Physical controls (key switches requiring two simultaneous keys, interlocks) enforce this rather than relying on procedure compliance. TPI prevents individual errors and sabotage.
Shift limits — fatigue management:
Per 10 CFR 26 (Fitness for Duty): maximum shift length is 12 hours. Minimum rest period between shifts is 8 hours. The weekly maximum is 54 hours (72 in emergencies with management authorization). These limits exist because sleep deprivation significantly impairs decision-making — the same way alcohol does — and nuclear operations require sustained alertness.
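The limits above are the kind of rule a scheduling tool should enforce before a roster is posted. The following is an added example, not code from the course or from any licensee's system; it checks one operator's roster against the three limits stated above, treating "per week" as a rolling 7-day window (an assumption) and using a constructed six-day schedule.

```python
from datetime import datetime, timedelta

# Limits as stated in the text; the rolling 7-day window is an assumed interpretation of "per week".
MAX_SHIFT_HOURS = 12
MIN_REST_HOURS = 8
MAX_WEEKLY_HOURS = 54
MAX_WEEKLY_HOURS_EMERGENCY = 72  # requires management authorization

def _hours(delta):
    return delta.total_seconds() / 3600

def check_shift_limits(shifts, emergency_authorized=False):
    """Return a list of (rule, detail) violations for one operator's schedule.

    shifts: iterable of (start, end) datetime pairs, in any order.
    """
    shifts = sorted(shifts)
    weekly_cap = MAX_WEEKLY_HOURS_EMERGENCY if emergency_authorized else MAX_WEEKLY_HOURS
    violations = []
    for i, (start, end) in enumerate(shifts):
        length = _hours(end - start)
        if length > MAX_SHIFT_HOURS:
            violations.append(("shift_length", f"{length:.1f} h shift starting {start:%Y-%m-%d %H:%M}"))
        if i > 0:
            rest = _hours(start - shifts[i - 1][1])
            if rest < MIN_REST_HOURS:
                violations.append(("rest_period", f"only {rest:.1f} h rest before {start:%Y-%m-%d %H:%M}"))
        # Hours worked in the 7-day window ending with this shift (partial overlaps are counted).
        window_start = end - timedelta(days=7)
        worked = sum(_hours(min(e, end) - max(s, window_start))
                     for s, e in shifts[:i + 1] if min(e, end) > max(s, window_start))
        if worked > weekly_cap:
            violations.append(("weekly_hours", f"{worked:.1f} h in the 7 days ending {end:%Y-%m-%d %H:%M}"))
    return violations

# Constructed six-day roster for one RO; it deliberately contains each kind of violation.
_d = datetime(2024, 3, 4, 6, 0)  # Monday 06:00
SAMPLE_SCHEDULE = [
    (_d, _d + timedelta(hours=12)),                                       # Mon 06:00-18:00
    (_d + timedelta(days=1), _d + timedelta(days=1, hours=13)),           # Tue 06:00-19:00 (13 h)
    (_d + timedelta(days=2, hours=-4), _d + timedelta(days=2, hours=8)),  # Wed 02:00-14:00 (7 h rest)
    (_d + timedelta(days=3), _d + timedelta(days=3, hours=12)),           # Thu 06:00-18:00
    (_d + timedelta(days=4), _d + timedelta(days=4, hours=12)),           # Fri 06:00-18:00 (61 h/7 d)
    (_d + timedelta(days=5), _d + timedelta(days=5, hours=10)),           # Sat 06:00-16:00 (71 h/7 d)
]

if __name__ == "__main__":
    for rule, detail in check_shift_limits(SAMPLE_SCHEDULE):
        print(f"{rule:13s} {detail}")
```

With emergency authorization the two weekly-hours findings disappear (71 h is under 72), but the long shift and the short rest remain violations.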
Training requirements:
- NRC-certified training program on a plant-specific full-scope simulator
- Initial license: written exam (pass/fail, multiple choice and essay) + operating test (hands-on evaluation by NRC-licensed examiner)
- Requalification: annual written exam, biennial operating exam on simulator
- Evaluated emergency drills: quarterly on-shift drills, annual full-scale emergency response exercise with state and county participation
Emergency Operating Procedures (EOPs):
Symptom-based procedures, approved by the NRC. Rather than 'if you see Event X, do Y,' modern EOPs say 'if you observe these symptoms (high pressure + low level + rising temperature), enter this procedure.' This approach — developed after TMI — is more robust because operators respond to what they observe rather than what they think caused it.
Control room design — post-accident monitoring independent of DCS:
Post-accident monitoring instruments must be readable from the control room even if the plant digital control system (DCS) is completely failed. These are dedicated hardwired displays — analog meters or qualified digital displays with separate power and signal paths.
Design Your Human Oversight System
Human oversight is a safety system. Design it with the same rigor as your cooling loops.
Site Selection and External Hazard Design
Section 8: Siting and Civil Design
The site determines the external hazards your plant must survive. The NRC requires a comprehensive external hazard analysis as part of the FSAR (Final Safety Analysis Report).
Seismic design — Safe Shutdown Earthquake (SSE):
Every plant site has a Safe Shutdown Earthquake (SSE) — the maximum earthquake the plant is designed to survive while achieving and maintaining safe shutdown. Safety-related structures (reactor building, control building, ECCS buildings, EDG buildings) must be Seismic Category I — designed to withstand the SSE and remain functional. The SSE is determined from a probabilistic seismic hazard analysis (PSHA) with a target of 10⁻⁴ annual exceedance probability — a 10,000-year return period event. The Fukushima design basis earthquake was 6.1 magnitude; the actual earthquake was 9.0. Never underestimate the SSE.
Flooding — Probable Maximum Flood (PMF):
The PMF is the maximum flood that could occur at the site based on meteorological and hydrological analysis. Plant grade elevation must be set above the PMF level, or the plant must have flood barriers (walls, doors, hatches) rated to the PMF. Critical lesson from Fukushima: the seawall was designed for 5.7 meters; the actual tsunami was 15 meters. The PMF calculation must be conservative.
External hazards — aircraft impact, extreme wind, external explosions:
- Aircraft impact: post-9/11, the NRC requires large commercial plants to evaluate (not necessarily design for) aircraft impact. New designs like the AP1000 and EPR include aircraft impact resistance in the containment and control room design.
- Extreme wind / tornado: design basis tornado for each site region per Regulatory Guide 1.76. Missile protection — tornado missiles (utility poles, cars) must not be able to penetrate safety-related structures.
- External explosions: proximity to chemical plants, LNG terminals, pipelines, or rail lines with hazardous cargo must be evaluated.
Exclusion Area Boundary (EAB) — 10 CFR 100:
The EAB is the minimum radius around the plant within which the operator has control of the land. During the two hours following a worst-case accident, radiation dose at the EAB must not exceed 25 rem whole body (TEDE). This limit drives the design of the containment and the site boundary setback. A larger plant with a larger source term requires a larger EAB.
Emergency Planning Zones (EPZ):
Two zones around every nuclear plant:
- Plume exposure pathway EPZ: approximately 10-mile radius. Protective actions: evacuation, shelter-in-place, potassium iodide distribution, traffic control plans.
- Ingestion pathway EPZ: approximately 50-mile radius. Protective actions: food and water consumption restrictions, monitoring of crops and dairy products.
EPZ size is not solely determined by plant size — it is fixed by NRC regulation for all commercial reactors (with some flexibility for very small SMRs). Emergency plans must be developed and exercised with state and local governments.
Defend Your Site
Now justify your site and civil design choices.
The NRC Licensing Process
Section 9: Licensing Pathway
Building a reactor without a license is illegal in the United States. The NRC's licensing process under 10 CFR Part 52 is designed to catch safety problems on paper — before concrete is poured. It is also the mechanism by which the public, intervenors, and the NRC's technical staff challenge and improve the design.
10 CFR Part 52 — Combined License (COL):
The primary modern licensing pathway. A COL combines the construction permit and operating license into a single proceeding. The applicant demonstrates that the design meets NRC requirements and that the site is acceptable. The NRC issues the COL before construction. During construction, Inspections, Tests, Analyses, and Acceptance Criteria (ITAAC) verify that what was built matches the licensed design.
Design Certification (DC):
A reactor design can be certified by the NRC independently of any specific site. A Design Certification lasts 15 years. Once certified, a utility building a COL plant can reference the DC and does not need to re-litigate the standard design. The AP1000 and ABWR are certified designs. SMR designers (NuScale, GEH BWRX-300, Kairos, TerraPower) are pursuing design certifications for their technologies.
Final Safety Analysis Report (FSAR) — 17 Chapters:
The FSAR is the technical document at the heart of every license application. It describes the plant and demonstrates that it meets all NRC requirements. Key chapters:
- Chapter 1: Introduction and general description
- Chapter 2: Site characteristics (seismic, flooding, meteorology, population)
- Chapter 4: Reactor (fuel design, core physics, thermal-hydraulics)
- Chapter 5: Reactor coolant system (primary loop, pressure boundary, ECCS)
- Chapter 6: Engineered safety features (containment, ECCS, hydrogen control)
- Chapter 7: Instrumentation and control
- Chapter 8: Electric power (offsite, onsite, batteries, FLEX)
- Chapter 9: Auxiliary systems
- Chapter 13: Conduct of operations (organization, training, EOPs)
- Chapter 15: Accident analysis (design basis accidents — LOCA, main steam line break, control rod ejection, etc.)
- Chapter 16: Technical specifications (operational limits and surveillance requirements)
Probabilistic Risk Assessment (PRA):
A quantitative safety analysis that calculates the probability of core damage and large early release. Two key metrics:
- Core Damage Frequency (CDF): probability per reactor-year of core damage. NRC goal: < 1×10⁻⁴/reactor-year. Advanced reactor targets: < 1×10⁻⁵/reactor-year.
- Large Early Release Frequency (LERF): probability per reactor-year of a large, early release of radioactivity before protective actions can be taken. NRC goal: < 1×10⁻⁵/reactor-year.
PRA also identifies the most important accident sequences (dominant contributors to CDF) and the most important systems and components (importance measures) — this directs maintenance, testing, and design improvement resources.
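As an added example (not from the course and not from any real PRA), here is the arithmetic behind those two paragraphs on a toy model: a handful of constructed basic-event values and three minimal cut sets for a hypothetical PWR-style design. It sums the cut sets under the rare-event approximation to get CDF, ranks the dominant sequences, computes Fussell-Vesely importance for each basic event, and compares CDF to the goals quoted above.

```python
import math

# Constructed values for a hypothetical design; initiator frequencies are per reactor-year,
# everything else is a conditional failure probability. None of these come from a real PRA.
BASIC_EVENTS = {
    "LOOP": 0.05,         # loss of offsite power initiator
    "SMALL_LOCA": 1e-3,   # small-break LOCA initiator
    "EDG_A_FAILS": 0.02,  # emergency diesel A fails to start/run
    "EDG_B_FAILS": 0.02,  # emergency diesel B fails to start/run
    "EDG_CCF": 0.002,     # common-cause failure of both diesels
    "PRHR_FAILS": 0.05,   # passive residual heat removal fails to actuate
    "FLEX_FAILS": 0.5,    # portable equipment not connected before batteries deplete
    "ECCS_CCF": 5e-3,     # common-cause failure of all ECCS trains
}

# Minimal cut sets: each tuple is a combination of events sufficient for core damage.
CUT_SETS = [
    ("LOOP", "EDG_A_FAILS", "EDG_B_FAILS", "PRHR_FAILS", "FLEX_FAILS"),
    ("LOOP", "EDG_CCF", "PRHR_FAILS", "FLEX_FAILS"),
    ("SMALL_LOCA", "ECCS_CCF"),
]

NRC_CDF_GOAL = 1e-4          # per reactor-year, as stated in the text
ADVANCED_CDF_TARGET = 1e-5   # per reactor-year, as stated in the text

def cut_set_frequency(cut_set, events=BASIC_EVENTS):
    """Frequency of one cut set: product of its independent event values."""
    return math.prod(events[e] for e in cut_set)

def core_damage_frequency(cut_sets=CUT_SETS, events=BASIC_EVENTS):
    """Rare-event approximation: CDF is the sum of cut-set frequencies (valid when all are << 1)."""
    return sum(cut_set_frequency(cs, events) for cs in cut_sets)

def dominant_sequences(cut_sets=CUT_SETS, events=BASIC_EVENTS):
    """Cut sets ordered by contribution to CDF, largest first."""
    return sorted(cut_sets, key=lambda cs: cut_set_frequency(cs, events), reverse=True)

def fussell_vesely(cut_sets=CUT_SETS, events=BASIC_EVENTS):
    """FV importance: fraction of CDF flowing through cut sets that contain each event."""
    cdf = core_damage_frequency(cut_sets, events)
    return {e: sum(cut_set_frequency(cs, events) for cs in cut_sets if e in cs) / cdf
            for e in events}

def meets_goal(cdf, goal=NRC_CDF_GOAL):
    return cdf < goal

if __name__ == "__main__":
    cdf = core_damage_frequency()
    print(f"CDF = {cdf:.2e} /reactor-year, NRC goal met: {meets_goal(cdf)}, "
          f"advanced target met: {meets_goal(cdf, ADVANCED_CDF_TARGET)}")
    for event, fv in sorted(fussell_vesely().items(), key=lambda kv: -kv[1]):
        print(f"{event:12s} FV = {fv:.3f}")
```

Here the small-LOCA/ECCS common-cause sequence dominates, so ECCS_CCF has the highest Fussell-Vesely value; that is the component whose testing and maintenance the PRA would prioritize.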
ITAAC — Inspections, Tests, Analyses, and Acceptance Criteria:
For each safety-related system and structure, the COL specifies ITAAC: what must be inspected, tested, or analyzed, and what the acceptance criterion is. Before the NRC authorizes fuel loading, all ITAAC must be completed and reported. If an ITAAC fails, the plant cannot start up until it is corrected and the ITAAC passes.
Construction and Pre-Operational Testing:
After the COL is issued, construction begins. The NRC inspects the construction against the ITAAC defined in the COL. Pre-operational testing verifies that each system meets its design specification before fuel is loaded. Fuel load authorization requires an NRC staff determination that all ITAAC are met.
Chart Your Licensing Path
Walk through the licensing pathway for your specific reactor design.
Present Your Complete Design
Section 10: Final Design Review
You have designed every major system of a nuclear power plant. Now present your complete design — the way a Chief Nuclear Officer would present to the NRC Safety Review Committee.
Your design must demonstrate:
Complete triple redundancy for all four safety functions:
1. Cooling — three loops (active RHR, active ECCS with passive accumulators, passive PRHR or pool)
2. Shutdown — three systems (control rods, emergency boration, passive absorber drain)
3. Power — three sources (offsite grid, emergency diesels, station batteries) plus FLEX
4. Monitoring — three independent channels (A/B/C) with 2-of-3 voting, post-accident monitoring
Passive safety features:
- Negative Doppler coefficient (always present in uranium fuel)
- Negative moderator/void coefficient for your reactor type
- Passive decay heat removal (natural circulation or pool)
- Severe accident management (IVR, core catcher, or MSR drain-to-subcritical)
- Hydrogen management (PARs distributed in containment)
Human oversight:
- Three qualified roles on-site 24/7
- Two-person integrity with physical enforcement
- Compliant shift limits
- Plant-specific simulator training
- Symptom-based EOPs
Siting:
- Seismic design basis (SSE, Seismic Category I structures)
- Flood protection (PMF or barriers)
- EAB dose limit (25 rem TEDE)
- EPZ (10-mile plume, 50-mile ingestion)
The historical test:
Your design must show how it prevents the specific failure modes of TMI, Chernobyl, and Fukushima.
- TMI: Better post-accident monitoring (direct RCS level), symptom-based EOPs, trained operators
- Chernobyl: Negative void coefficient (no positive scram effect), independent SCRAM authority, no operator disabling of safety systems permitted
- Fukushima: Passive cooling (no AC power needed), elevated FLEX equipment, 14-day diesel fuel, site above PMF
The Complete Design Review
This is your design defense. Answer completely — every omission will be challenged.
How Your Design Prevents TMI, Chernobyl, and Fukushima
Section 11: Preventing the Past
The three major nuclear accidents defined modern reactor safety requirements. Every redundancy system you designed has a specific ancestor in one of these accidents.
Three Mile Island (TMI), 1979 — Pennsylvania, USA:
A stuck-open pilot-operated relief valve (PORV) allowed primary coolant to drain for hours. The indicator light showed the valve had been COMMANDED closed, not that it was actually closed. Operators, confused by conflicting indicators, throttled back ECCS injection because they thought the system was being overfilled. The core was uncovered, overheated, and partially melted.
Lessons: (1) Direct post-accident monitoring — operators must be able to see actual valve position, actual coolant level, actual core temperature. (2) Symptom-based EOPs — operators respond to what they observe, not what they think caused it. (3) Better operator training on accident recognition and response.
Chernobyl, 1986 — Ukrainian SSR, USSR:
A safety test was run with the reactor at low power (unstable region) and with multiple safety systems disabled or bypassed. The RBMK reactor had a large positive void coefficient — as coolant boiled, reactivity increased. When operators attempted to shut down, the graphite-tipped control rods caused a brief power spike (positive scram effect). A power excursion of approximately 30,000 MW destroyed the reactor in a steam explosion and graphite fire.
Lessons: (1) No positive void coefficient in commercial reactors. (2) Safety systems must not be bypassable during normal operations. (3) Independent SCRAM authority — no test director can override the shift supervisor's safety judgment. (4) Operator training on reactor physics, not just procedure-following.
Fukushima Daiichi, 2011 — Japan:
A magnitude 9.0 earthquake triggered a 15-meter tsunami that flooded and destroyed the emergency diesel generators at Fukushima Daiichi. With no AC power available, decay heat boiled away coolant in Units 1, 2, and 3. Hydrogen produced by the Zircaloy-steam reaction exploded in the reactor buildings. Three cores melted over 72 hours.
Lessons: (1) Passive cooling that needs no power. (2) Diesels and batteries located above the flood level or flood-protected. (3) FLEX portable equipment staged in diverse, accessible locations. (4) PMF design basis must be conservative. (5) Extended station blackout must be designed for — not just analyzed.
Connect Your Design to History
This is the final question of the capstone.