CANDU Reactor Safety

How Safe are CANDU Nuclear Reactors?


  • It is impossible for a nuclear power plant to explode like an atomic bomb.
  • The many safety systems of the CANDU nuclear reactor take into account not only human error but also equipment failure and external risks such as earthquakes.
  • Should an accident occur, CANDU reactors are designed to contain radioactive emissions within reactor buildings.

What is the Safety Philosophy?

The safety philosophy used in CANDU nuclear power plants is to limit the chances of an accident occurring and to limit the effects of an accident, should one occur. This is called the “defence-in-depth” approach and sets high standards for designers, constructors and operators.

CANDU reactor schematic.

There are five main aspects to defence-in-depth:

  • high-quality station equipment;
  • nuclear plant operator training;
  • fault detection and correction;
  • special, independent safety systems;
  • containment systems.

What is Meant by High-quality Station Equipment?

All suppliers of components to our CANDU nuclear power plants, such as manufacturers of pumps, valves, piping and electrical systems, must meet stringent qualifications. In addition, critical control components are duplicated. This means that if one component malfunctions, another will take over and the safety of the station will not be jeopardized.

How are Nuclear Reactor Operators Trained?

All aspects of reactor operation are monitored from the control room. CANDU nuclear reactors have a number of independent safety systems capable of shutting down the reactor to prevent accidents.

The training of nuclear reactor operators is a very important aspect of the defence-in-depth nuclear safety philosophy.

Nuclear power station control room operators are carefully selected and spend approximately eight years in training. They must be authorized by the Canadian nuclear regulatory body, the Canadian Nuclear Safety Commission (CNSC) (formerly the Atomic Energy Control Board), which sets examinations and reviews the qualifications of the applicants. Part of the training and testing is conducted on simulators that replicate the control room and are capable of simulating normal and emergency operating conditions.

What is Fault Detection and Correction?

Each Canadian nuclear power station is continuously monitored through a program of special testing and inspections of its components and safety systems. Constant and prompt detection ensures that nuclear power stations operate within limits prescribed by the CNSC and set out in the Operating Licence. The Commission has inspectors on-site at these stations and can withdraw an operating licence at any time if regulations or licence conditions are not met.

What are the Special Safety Systems?

All Canadian nuclear reactors are equipped with special safety systems whose sole functions are to automatically shut down the reactor in the event of any major equipment malfunction and to maintain cooling of the fuel in the event of a failure of the reactor cooling system. These systems are:

  • Shutdown system #1 – high-speed insertion of shut-off rods into the reactor to immediately stop the nuclear reaction;
  • Shutdown system #2 – injection of neutron-absorbing materials into the moderator, which can also halt the nuclear reaction;
  • Emergency core cooling system – injection of high-pressure water into the reactor cooling system if there is a failure of the piping.

These systems are designed to be tested while the reactor is operating and must meet stringent availability requirements.

What is the Function of Containment Systems?

A containment system surrounding a nuclear reactor is designed to prevent the release of any radioactive material to the outside environment in the event of an accident.

The containment system at all Canadian nuclear generating stations consists of an airtight reactor containment building (with reinforced concrete walls up to 1.8 metres thick) for each reactor.

Where multiple nuclear reactors exist, such as at the Pickering, Bruce and Darlington stations, each reactor building is connected to a common vacuum building, which assumes the containment function. This building acts like a vacuum cleaner. In the event of a release of radioactive steam into the reactor building, this steam would be vented to the vacuum building and prevented from escaping into the environment. Once in the vacuum building, the radioactive steam is condensed into liquid and contained. This safety design is unique to the CANDU design.

The Three C’s

Being able to “always maintain control of the nuclear chain reaction at all times” is very important. The first step is the design of the reactor itself. One of the contributing factors leading up to the accident at the Chernobyl nuclear power plant was the design of the reactor itself. The Chernobyl nuclear power plant used an RBMK reactor design with a graphite core. Such a design makes the chain reaction difficult to control, and the core itself is a fire hazard. Such a design would never be approved in North America. CANDU heavy water reactors and light water reactors have a “non-combustible moderator” and are far more stable and easier to control.

Being able to rapidly shut down the reactor is also important. Modern CANDU reactors have two independent emergency shutdown systems. The first uses “cadmium shutoff rods which can be inserted vertically into the reactor to absorb neutrons and stop the nuclear chain reaction.” The second system “involves the injection of gadolinium nitrate dissolved in heavy water,” which absorbs neutrons and terminates the chain reaction.

All CANDU nuclear power plants have redundant or multiple backups for all key mechanical, electrical and computer systems. For example, there are two control rooms. Should a malfunction disable the main control room, there is an auxiliary control room from which operators can still safely operate the plant.

The human part of the equation is also taken into consideration. All staff working at the plant have undergone extensive training, testing and evaluation. In order to become a control room operator, seven years of education and training are required. The plant is also supervised by members of the Canadian Nuclear Safety Commission, who are on site 24 hours a day, 7 days a week to monitor plant operations and ensure that all the proper safety procedures and policies are followed. Additionally, the automation of the safety systems means that in all postulated accident scenarios the human operators are not required to intervene in the crucial early moments.


All nuclear power plants convert the heat generated by nuclear fission into electricity. During the fission process it is important that the nuclear fuel does not overheat and melt. In CANDU nuclear reactors, the heavy water used in the reactor core serves as both the “heat transport fluid or primary coolant and the moderator.” “Rapid overheating of the fuel could occur if there were, for example, a large pipe rupture or pump failure so the coolant leaks or stops circulating.” Such an event could melt the core and create large quantities of radioactive steam. To prevent such an event from occurring, there is an Emergency Core Cooling System which can provide water for emergency cooling. All pumps connected to the cooling system have multiple backup pumps.


CANDU power reactors have several layers of containment using the “defence-in-depth” approach. The uranium fuel itself is in the form of ceramic fuel oxide pellets surrounded by Zircaloy tubes which make up the fuel bundle. The fuel bundles are contained inside the pressure tubes of the heat transport system, which pass through the calandria of the reactor. In CANDU 6 plants, the reactor is housed inside a massive concrete and steel reactor vault, 1.8 metres thick, which is in turn surrounded by a massive concrete and steel containment building.

This building is also 1.8 metres thick and capable of handling the release of high-pressure steam. In power plants which have multiple reactors, such as the Pickering and Bruce Generating Stations, the reactor buildings are also connected to a negative-pressure vacuum building. Should steam be released into the containment building, “water-dousing and air coolers provide short and long term pressure suppression” by condensing the steam back into water. In both cases, these buildings have the dual function of containing the release of any radioactivity and suppressing the pressure surge of any steam release. If a coolant failure were to occur, radioactive materials would have to breach all of these levels of containment before any radioactive materials were released into the environment. In the case of the Chernobyl accident, radioactive materials were released because many of these systems were not in place or were poorly designed.


Hans Tammemagi and David Jackson, Unlocking the Atom: The Canadian Book on Nuclear Technology (McMaster University Press, 2002).