A plant does not earn the label “safe” at commissioning. It has to keep that property while the world around it changes in ways no one can fully anticipate. For man-made hazards, that requirement is particularly unforgiving. Over sixty years, the threat landscape does not merely evolve—it shifts in kind. New delivery mechanisms appear, infrastructure becomes more entangled, and attack strategies move from brute force to exploiting dependencies. Any design that relies on a fixed list of external threats will, sooner or later, find that the list was incomplete.

Underground placement is one of the few choices that does not depend on naming every threat in advance. By placing the reactor and its key safety functions below grade, you remove much of the direct access that many hazards require. Line-of-sight attacks, blast, fragmentation, fire, vehicle impact—these lose effectiveness when they must first dissipate through soil and rock. Undergrounding is a hedge against uncertainty: it reduces the plant’s exposure to whatever specific form a future threat might take.

But this is where the easy narrative breaks. Underground placement is not enough to make a plant safe over its lifetime. If the design is fragile at its core, putting it below grade only delays the problem. It does not remove it.

Lifetime safety cannot depend on stopping every external hazard at the boundary. A determined adversary, given enough time or ingenuity, can always find a way to breach a boundary or to bypass it indirectly. The plant must therefore be able to remain safe even when protection is partially defeated. Not perfectly intact, but intact enough to prevent escalation—to keep decay heat removal available, to avoid rapid loss of cooling, and to maintain control without relying on a single vulnerable path.

A design that remains safe over decades tends to share a few underlying properties. Its safety functions are genuinely separated so that a single intrusion cannot disable them all at once. It degrades gracefully: loss of equipment leads to slower, manageable transients rather than abrupt cliffs. It does not rely on external infrastructure—grid power, communications, or shared services—to maintain a safe state.

Underground placement must not be a compensating measure, but a reinforcing one. It reduces the likelihood that external hazards will push the plant into a degraded state, and it buys time if they do. But the ability to remain safe must already exist without it.

Over a sixty-year lifetime, the question is not whether you identified every hazard correctly. You did not, and you will not. The question is whether the design limits how much that uncertainty can hurt you. A plant that is intrinsically stable, slow to escalate, and independent in its safety functions can ride through changes in the threat environment. One that depends on precise protection against a known set of threats will age poorly.

***

Underground reactors do not alter the physics of Cesium-137; however, they significantly influence how much the outcome relies on everything functioning perfectly. This is especially important in areas where the consequences of an environmental release are particularly severe.

When multiple layers of defense fail, the focus shifts from how the system performs under ideal conditions to how it behaves when several issues occur simultaneously. It’s crucial to assess whether the remaining environment can still effectively slow, capture, and localize any released material.

In many above-ground designs, mitigation systems depend heavily on specific mechanisms functioning correctly, such as sprays, filtration, and maintaining containment integrity. Consequently, performance can decline dramatically if multiple functions fail at once.

In contrast, underground configurations integrate more of the mitigation features into the environment itself. Large internal volumes can absorb expansion, pressure differentials dissipate quickly, and there is minimal sustained force pushing material outward.

Wet surfaces, continuously refreshed by condensation and natural moisture, capture aerosols and convert cesium into a dissolved form without relying on active systems. Additionally, rough and porous materials provide ample opportunities for deposition and retention.

Long, resistive pathways to the external environment ensure that movement is slow and gradual, with each stage removing a portion of what remains. This approach allows transport to be controlled rather than dispersive.

Water pathways guide dissolved cesium toward designated low points through gravity and permeability, meaning that even in compromised conditions, movement tends to remain localized and manageable.

The outcome is a system where mitigation does not depend on a few critical functions working flawlessly. Instead, it is spread across volume, geometry, materials, and natural processes that continue to function even when engineered systems fail.

In my opinion, placing a reactor in or near a densely populated area without this level of inherent resilience is hard to justify. The design must not only be effective when everything is functioning properly but also when multiple layers of defense have already failed.

***

With a vivid imagination and a somewhat unconventional mindset, it is possible to find ways to cause significant damage to a reactor core, especially if deliberate malicious intent is involved. This is particularly relevant given the current situation in Ukraine.

This is why I have always been skeptical about the discussions surrounding the “elimination” of severe accidents. 

Elimination suggests achieving a frequency of around 1E-7 per reactor-year, which is two to three orders of magnitude lower than the typical core damage frequency target. Proving this level of safety beyond a reasonable doubt is practically impossible.

A more honest engineering approach is to acknowledge that core damage may still happen at a frequency of approximately 1E-5 per year. Therefore, it is essential to design the plant in such a way that the consequences of any core damage can be mitigated effectively.
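The statistical core of the "practically impossible" claim can be shown directly: the added example below (not part of the original essay) computes how many event-free reactor-years a Poisson zero-event bound requires for the 1E-7 and 1E-5 targets. The fleet size and the 20,000 reactor-year figure in it are constructed illustrations, not numbers from the essay.

```python
import math

# Figures quoted in the essay: "elimination" means roughly 1E-7 per
# reactor-year; an honest core damage frequency is closer to 1E-5.
ELIMINATION_TARGET = 1e-7
ACKNOWLEDGED_CDF = 1e-5


def upper_bound_rate_no_events(exposure_years: float, confidence: float = 0.95) -> float:
    """Upper confidence bound on a Poisson rate after zero events in exposure_years.

    With zero events, P(no event) = exp(-rate * T). The largest rate still
    consistent with that observation at the given confidence solves
    exp(-rate * T) = 1 - confidence, i.e. rate = -ln(1 - confidence) / T.
    """
    if exposure_years <= 0 or not 0 < confidence < 1:
        raise ValueError("exposure must be positive and confidence in (0, 1)")
    return -math.log(1.0 - confidence) / exposure_years


def experience_needed(target_rate: float, confidence: float = 0.95) -> float:
    """Reactor-years of event-free operation needed to bound the rate at target_rate."""
    if target_rate <= 0 or not 0 < confidence < 1:
        raise ValueError("target rate must be positive and confidence in (0, 1)")
    return -math.log(1.0 - confidence) / target_rate


def calendar_years_for_fleet(reactor_years: float, fleet_size: int) -> float:
    """Calendar years a fleet of fleet_size reactors needs to accumulate reactor_years."""
    if fleet_size <= 0:
        raise ValueError("fleet size must be positive")
    return reactor_years / fleet_size


if __name__ == "__main__":
    for label, target in (("elimination", ELIMINATION_TARGET), ("acknowledged CDF", ACKNOWLEDGED_CDF)):
        ry = experience_needed(target)
        # A 400-reactor fleet is a constructed illustration, not a figure from the essay.
        print(f"{label:17s} {target:.0e}/ry -> {ry:.2e} event-free reactor-years, "
              f"~{calendar_years_for_fleet(ry, 400):.0f} calendar years for a 400-reactor fleet")
    # The inverse question, with a constructed 20,000 event-free reactor-years of experience:
    print(f"20,000 event-free reactor-years bound the rate at "
          f"{upper_bound_rate_no_events(20000):.1e}/ry at 95% confidence")
```

The ratio between the two targets is the two orders of magnitude the essay cites: demonstrating 1E-7 needs a hundred times the event-free experience that 1E-5 does.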

This means implementing robust containment systems, ensuring filtered venting where necessary, and developing severe accident management strategies that do not rely on wishful thinking.

Above all, it is crucial to recognize that no engineer is infallible, no analysis is exhaustive, and no design team can anticipate every conceivable risk.

Complex, high-energy systems do not become safe simply by declaring certain outcomes as eliminated. Instead, they become safer when we prepare for the possibility of failure.