Tuesday 9 August 2011

Safety Aspects of a Nuclear Power Plant's Operation

  • From the outset, there has been a strong awareness of the potential hazard of both nuclear criticality and release of radioactive materials. 
  • There have been three major reactor accidents in the history of civil nuclear power - Three Mile Island, Chernobyl and Fukushima. One was contained without harm to anyone, the next involved an intense fire without provision for containment, and the third severely tested the containment, allowing significant release of radioactivity. 
  • These are the only major accidents to have occurred in over 14,500 cumulative reactor-years of commercial operation in 32 countries. 
  • The risks from western nuclear power plants, in terms of the consequences of an accident or terrorist attack, are minimal compared with other commonly accepted risks. Nuclear power plants are very robust. 
  • Safety is achieved through "defence in depth". 

Achieving optimum nuclear safety

To achieve optimum safety, nuclear plants in the western world operate using a 'defence-in-depth' approach, with multiple safety systems supplementing the natural features of the reactor core. Key aspects of the approach are:
  • high-quality design & construction,
  • equipment which prevents operational disturbances or human failures and errors developing into problems,
  • comprehensive monitoring and regular testing to detect equipment or operator failures,
  • redundant and diverse systems to control damage to the fuel and prevent significant radioactive releases,
  • provision to confine the effects of severe fuel damage (or any other problem) to the plant itself.
These can be summed up as: Prevention, Monitoring, and Action (to mitigate consequences of failures).
The safety provisions include a series of physical barriers between the radioactive reactor core and the environment, the provision of multiple safety systems, each with backup and designed to accommodate human error. Safety systems account for about one quarter of the capital cost of such reactors.  As well as the physical aspects of safety, there are institutional aspects which are no less important - see following section on International Collaboration.
The barriers in a typical plant are: the fuel is in the form of solid ceramic (UO2) pellets, and radioactive fission products remain largely bound inside these pellets as the fuel is burned. The pellets are packed inside sealed zirconium alloy tubes to form fuel rods. These are confined inside a large steel pressure vessel with walls up to 30 cm thick - the associated primary water cooling pipework is also substantial. All this, in turn, is enclosed inside a robust reinforced concrete containment structure with walls at least one metre thick.  This amounts to three significant barriers around the fuel, which itself is stable up to very high temperatures.
These barriers are monitored continually. The fuel cladding is monitored by measuring the amount of radioactivity in the cooling water. The high pressure cooling system is monitored by the leak rate of water, and the containment structure by periodically measuring the leak rate of air at about five times atmospheric pressure.

Looked at functionally, the three basic safety functions in a nuclear reactor are: to control reactivity, to cool the fuel and to contain radioactive substances.

The main safety features of most reactors are inherent - negative temperature coefficient and negative void coefficient. The first means that beyond an optimal level, as the temperature increases the efficiency of the reaction decreases (this in fact is used to control power levels in some new designs). The second means that if any steam has formed in the cooling water there is a decrease in moderating effect so that fewer neutrons are able to cause fission and the reaction slows down automatically.

In the 1950s and '60s some experimental reactors in the Idaho desert were deliberately tested to destruction to verify that large reactivity excursions were self-limiting and would automatically shut down the fission reaction. These tests verified that this was the case.

Beyond the control rods which are inserted to absorb neutrons and regulate the fission process, the main engineered safety provisions are the back-up emergency core cooling system (ECCS) to remove excess heat (though it is more to prevent damage to the plant than for public safety) and the containment.
Traditional reactor safety systems are 'active' in the sense that they involve electrical or mechanical operation on command. Some engineered systems operate passively, eg pressure relief valves. Both require parallel redundant systems. Inherent or fully passive safety design depends only on physical phenomena such as convection, gravity or resistance to high temperatures, not on the functioning of engineered components. All reactors have some elements of inherent safety as mentioned above, but in some recent designs the passive or inherent features substitute for active systems in cooling etc. Such a design would have averted the Fukushima accident, where loss of electrical power resulted in loss of cooling function.
The design basis assumes a threat in which, due to accident or malign intent (eg terrorism), there is core melting and a breach of containment. This double possibility has been well studied and provides the basis of exclusion zones and contingency plans. Apparently during the Cold War neither Russia nor the USA targeted the other's nuclear power plants because the likely damage would be modest.
Nuclear power plants are designed with sensors to shut them down automatically in an earthquake, and this is a vital consideration in many parts of the world. (see paper on Earthquakes)

The Three Mile Island accident in 1979 demonstrated the importance of the inherent safety features. Despite the fact that about half of the reactor core melted, radionuclides released from the melted fuel mostly plated out on the inside of the plant or dissolved in condensing steam. The containment building which housed the reactor further prevented any significant release of radioactivity. The accident was attributed to mechanical failure and operator confusion. The reactor's other protection systems also functioned as designed. The emergency core cooling system would have prevented any damage to the reactor but for the intervention of the operators.

Investigations following the accident led to a new focus on the human factors in nuclear safety. No major design changes were called for in western reactors, but controls and instrumentation were improved and operator training was overhauled.

By way of contrast, the Chernobyl reactor did not have a containment structure like those used in the West or in post-1980 Soviet designs.

At Fukushima Daiichi in March 2011 the three operating reactors shut down automatically, and were being cooled as designed by the normal residual heat removal system using power from the back-up generators, until the tsunami swamped them an hour later. The emergency core cooling systems then failed. Days later, a separate problem emerged as spent fuel ponds lost water. Full analysis of the accident is pending.
