SSG-54 Accident Management Programmes for Nuclear Power Plants

Hledej:

Sekce	Odstavec	Text
Main	1.1.	This Safety Guide was prepared under the IAEA’s programme for establishing safety standards. This Safety Guide revises and supersedes the Safety Guide on Severe Accident Management Programmes for Nuclear Power Plants, which was issued in 2009 as IAEA Safety Standards Series No. NS-G-2.15¹. The current Safety Guide provides guidance on setting up a severe accident management programme, from the conceptual stage to the development of a complete set of procedures and guidelines.
Main	1.2.	The IAEA Safety Glossary [1] defines ‘accident management’ as: To prevent escalation to a severe accident; To mitigate the consequences of a severe accident; To achieve a long term safe stable state².”
Main	1.3.	Accident management, including severe accident management, is therefore an essential component of the application of defence in depth [2–5]. Accident management complements the operating procedures that “shall be developed… (for the reactor and its associated facilities) for normal operation, anticipated operational occurrences and accident conditions”, as stated in Requirement 26 of IAEA Safety Standards Series No. SSR-2/2 (Rev. 1), Safety of Nuclear Power Plants: Commissioning and Operation [6].
Main	1.4.	Requirement 19 of SSR-2/2 (Rev. 1) [6] states that “The operating organization shall establish, and shall periodically review and as necessary revise, an accident management programme.” As stated in para. 5.8 of SSR-2/2 (Rev. 1) [6], the accident management programme shall “[cover] the preparatory measures, procedures and guidelines, and equipment that are necessary for preventing the progression of accidents, including accidents more severe than design basis accidents, and for mitigating their consequences if they do occur.”
Main	1.5.	An accident management programme encompasses plans and actions undertaken to ensure that the plant personnel and other operating organization personnel with responsibilities for accident management are adequately prepared to decide on and implement effective on-site actions. The accident management programme needs to be well integrated with the arrangements for emergency preparedness and response established in accordance with, for example, IAEA Safety Standards Series No. GSR Part 7, Preparedness and Response for a Nuclear or Radiological Emergency [7]; IAEA Safety Standards Series No. GSG-2, Criteria for Use in Preparedness and Response for a Nuclear or Radiological Emergency [8]; and IAEA Safety Standards Series No. GS-G-2.1, Arrangements for Preparedness for a Nuclear or Radiological Emergency [9], in terms of human resources, equipment and strategy.
Main	1.6.	If an accident occurs at a nuclear power plant, to restore safety, two types of accident management guidance document are typically used: emergency operating procedures (EOPs) for preventing fuel rod degradation, and severe accident management guidelines (SAMGs) for mitigating significant fuel rod degradation when a severe accident is imminent.³ The development of SAMGs is an essential part of the severe accident management programme.
Main	1.7.	Depending on the plant state during an accident, actions are prioritized as follows: Preventive domain of accident management. Before the onset of fuel rod degradation, priority is given to preventing the escalation of the accident into a severe accident. In this domain, actions are implemented to stop the accident progressing to the onset of significant fuel rod degradation or to delay the time at which significant fuel rod degradation happens and preserve all the fundamental safety functions. Mitigatory domain of accident management. When plant conditions indicate that significant fuel rod degradation is imminent or in progress, priority is given to mitigating the consequences of the severe accident through: Maintaining the integrity of the remaining fission product barriers, particularly the containment, which depending on the design can also include maintaining the integrity of the reactor pressure vessel⁴; Avoiding or limiting fission product releases to the environment; Returning, to the extent possible, to a long term safe stable state. Maintaining the integrity of the remaining fission product barriers, particularly the containment, which depending on the design can also include maintaining the integrity of the reactor pressure vessel⁴; Avoiding or limiting fission product releases to the environment; Returning, to the extent possible, to a long term safe stable state.
Main		Characteristics of the preventive and mitigatory domains of accident management are summarized in the Appendix.
Main	1.8.	This Safety Guide provides recommendations for the development and implementation of an accident management programme to meet the requirements for accident management that are established in sections 3 and 5 of SSR-2/2 (Rev. 1) [6]; sections 2 and 5 of IAEA Safety Standards Series No. SSR-2/1 (Rev. 1), Safety of Nuclear Power Plants: Design [3]; section 4 of IAEA Safety Standards Series No. GSR Part 4 (Rev. 1), Safety Assessment for Facilities and Activities [10]; and Requirement 8 of GSR Part 7 [7], to the extent that these requirements address an imminent or ongoing severe accident. The recommendations are aimed at preventing or mitigating the consequences of accidents with or without damage to the nuclear fuel, whether they are accidents within the design basis or beyond the design basis, including accidents originated by external events.
Main	1.9.	This Safety Guide is intended primarily for use by operating organizations of nuclear power plants and their support organizations. It may also be used by national regulatory bodies and technical support organizations as a reference for developing their relevant safety requirements and for conducting review and assessment.
Main	1.10.	This Safety Guide provides recommendations for the development and implementation of an accident management programme for a nuclear power plant, including all possible fuel locations, particularly the reactor and the spent fuel pool. This Safety Guide is not intended to provide information on the design of structures, systems and components to address design extension conditions, although the capabilities of some structures, systems and components are key in successfully managing a severe accident. For information on this topic, refer to section 5 of SSR-2/1 (Rev. 1) [3].
Main	1.11.	This Safety Guide provides recommendations for an accident management programme on the site. It does not include consideration of all aspects of emergency preparedness and response, which is addressed in GSR Part 7 [7].
Main	1.12.	Although the recommendations of this Safety Guide have been developed primarily for use with water cooled reactors, many of the recommendations provided are generic. The recommendations of this Safety Guide may also be applied with judgement to other types of nuclear installation, including research reactors and nuclear fuel cycle facilities (including facilities for the storage of spent nuclear fuel).
Main	1.13.	This Safety Guide consists of four sections, one appendix and one annex. Section 2 presents the general recommendations for an accident management programme and is organized by topic. More detailed, specific recommendations for the development and implementation of a severe accident management programme are provided in Section 3. Section 3 is organized to follow the development process of a severe accident management programme. Recommendations on the execution of SAMGs are provided in Section 4. The Appendix provides a summary of all aspects of an accident management programme. Examples of the implementation of SAMGs in different States are provided in the Annex.
Main	2.1.	Requirement 19 on accident management in the operation of nuclear power plants in SSR-2/2 (Rev. 1) [6] states: “The operating organization shall establish, and shall periodically review and as necessary revise, an accident management programme.” SSR-2/2 (Rev. 1) [6] also states:
Main	2.2.	Paragraph 2.8 of SSR-2/1 (Rev. 1) [3] states:
Main	2.3.	Paragraph 2.10 of SSR-2/1 (Rev. 1) [3] states:
Main	2.4.	Paragraph 2.13(4) of SSR-2/1 (Rev.1) [3] (footnote omitted) states:
Main	2.5.	Paragraph 5.6 of GSR Part 4 (Rev. 1) [10] requires that “The results of the safety assessment shall be used as an input into planning for on-site and off-site emergency response [7] and accident management”.
Main	2.6.	Paragraph 5.25 of GSR Part 7 [7] states: To prevent escalation of an emergency; To return the facility to a safe and stable state; To reduce the potential for, and to mitigate the consequences of, radioactive releases or exposures.”
Main	2.7.	Paragraph 5.25 of GSR Part 7 [7] further states:
Main	2.8.	An accident management programme consists of all activities and processes developed and undertaken by an operating organization to meet the requirements set out in paras 2.1–2.7 for the prevention and mitigation of accidents. Severe accident management programmes are focused solely on the mitigation of severe accidents. More detailed recommendations on severe accident management programmes are provided in Section 3 of this Safety Guide.
Main	2.9.	An accident management programme should be developed and implemented for the prevention and mitigation of severe accidents, irrespective of the frequency of accident sequences or of the fission product releases considered in the design.
Main	2.10.	The accident management programme should be developed and maintained consistent with the plant design and its current configuration. The accident management programme should be periodically reviewed and revised, when appropriate, to reflect operating experience (including major lessons identified), changes of plant configuration and new results from relevant research. For example, the periodic review of the accident management programme may be accomplished as part of the periodic safety review of the plant [11].
Main	2.11.	The accident management programme should address all modes and states of operation and all fuel locations, including the spent fuel pool, and should take into account possible combinations of events that could lead to an accident. The accident management programme should also consider external hazards more severe than those considered for the design, derived from the site hazard evaluation, that could result in significant damage to the infrastructure on the site or off the site which would hinder actions needed to prevent imminent significant degradation of the fuel rods or to mitigate significant fuel rod degradation (see para. 5.8 of SSR-2/2 (Rev. 1) [6]).
Main	2.12.	A structured top-down approach should be used to develop the accident management guidance. This approach should begin with the objectives (including the identification of plant challenges and plant vulnerabilities) and the strategies, followed by measures to implement the strategies. In combination, these strategies and measures should include consideration of plant capabilities. Finally, procedures and guidelines should be developed to implement these strategies and measures. Accident management guidance should cover both the preventive and the mitigatory domains. Figure 1 illustrates the top-down approach to accident management.
Main	2.13.	When considering objectives on the basis of the vulnerability assessment, accident management strategies should be developed for each individual plant challenge or plant vulnerability. These strategies should take into consideration plant capabilities and an understanding of accident phenomena (see Section 3).
Main	2.14.	Multiple strategies should be identified, evaluated and, when appropriate, developed to achieve the objectives of accident management, which include: Preventing or delaying the occurrence of fuel rod degradation; Terminating the progress of fuel rod degradation once it has started; Maintaining the integrity of the reactor pressure vessel to prevent melt-through, especially at high pressure; Maintaining the integrity of the containment and preventing containment bypass (strategies for maintaining containment integrity and preventing bypass are of the highest priority once the mitigatory domain is entered); Minimizing releases of radioactive substances from the fuel or at other locations where releases of radioactive material could occur; Returning the plant to a long term safe stable state in which the fundamental safety functions can be preserved.
Main	2.15.	In the preventive domain, strategies⁵ should be developed to preserve the fundamental safety functions that are important to prevent fuel damage or the release of radioactive material either in the reactor or at other locations where fuel is located. In the mitigatory domain, strategies should be developed to avoid any early radioactive release or large radioactive release. Strategies should be developed to delay or minimize any early radioactive release or large radioactive release if those strategies become necessary and are reasonably practicable.
Main	2.16.	Accident management strategies should be prioritized with account taken of the plant damage state and the existing and anticipated challenges. The basis for the selection of priorities among accident management strategies should be the following: Before significant fuel rod degradation has occurred: Preventing fuel damage is the first priority, and maintaining or restoring the integrity of the containment is the second priority. After significant fuel rod degradation has occurred: Maintaining the integrity of the containment is the highest priority.
Main	2.17.	When prioritizing accident management strategies, special attention should be paid to the following: The time frames and severity of challenges to the barriers against releases of radioactive material. The availability of support functions, as well as the possibility of their restoration. The initial operating mode of the plant, as accidents can develop in operating modes in which one or more fission product barriers have already been lost at the beginning of the accident. The adequacy of a strategy in the given domain; some strategies can be adequate in the preventive domain but not as relevant in the mitigatory domain owing to changing priorities. For example, cooling the fuel could be the first priority when the fuel is undamaged and the containment is intact, while restoring the containment integrity or limiting fission product releases could be the first priority when the containment is open (e.g. at shutdown) or has been damaged (e.g. cracks resulting from very severe mechanical loadings). The difficulty of implementing several accident management strategies in parallel. The long term implications of or concerns about implementing the accident management strategies.
Main	2.18.	If accident management strategies rely on non-permanent equipment after an extended loss of all AC power, steps should be taken to ensure that personnel can install and operate such equipment within the time frame necessary to avoid loss of the fundamental safety functions, taking into account possible adverse conditions on the site. Support items, such as fuel for non-permanent equipment, should be available.
Main	2.19.	The implementation of specific accident management strategies should be triggered either when certain parameters reach their threshold values or when trends of significant parameters are observed such that their reaching threshold values is imminent. These parameters should be selected to be indicative of challenges to fission product barriers (see IAEA Safety Standards Series No. SSG-2 (Rev.1), Deterministic Safety Analysis for Nuclear Power Plants [12]).
Main	2.20.	When accident management strategies that need to be implemented within a certain time window are considered, the inherent uncertainty in determining accurately the time that has elapsed since the onset of the accident should be taken into account in identifying such a time window. However, care should be exercised not to discard potentially useful strategies.
Main	2.21.	From the accident management strategies, suitable and effective measures for accident management should be derived that correspond to available hardware provisions at the plant. Such measures may include plant modifications where these are deemed important for managing accidents. Actions initiated by personnel in the main control room or actions taken at another location are usually an important part of these measures. During an actual accident, such measures would include the use of systems and equipment still available, the recovery of failed equipment and, potentially, the use of non-permanent equipment⁶ stored on the site or off the site.
Main	2.22.	From the accident management strategies, appropriate instructions or guidance, in the form of procedures (EOPs, preferably used to prevent significant fuel rod degradation) and guidelines (SAMGs, preferably used to mitigate the effects of significant fuel rod degradation) should be developed. There are some situations in which procedures are appropriate for mitigation, such as those in which preventive measures need to be continued during mitigation and those in which the procedures are needed to operate or align specific equipment.
Main	2.23.	The accident management guidance should assist the operating organization personnel in prioritizing, monitoring and executing actions in the harsh environments that may exist during an accident, including accidents resulting from external hazards that are more severe than external events considered for design.
Main	2.24.	The interface with radioactive waste management during accidents should be considered so as to enable access to certain areas in order to perform local accident management actions (see IAEA Safety Standards Series No. GSR Part 5, Predisposal Management of Radioactive Waste [13]).
Main	2.25.	Interfaces between safety and security should be managed appropriately throughout the lifetime of the plant, and in all plant states, in such a way that safety measures and security measures do not compromise one another. In particular, nuclear security measures should be maintained as appropriate during all phases of accident management (see Ref. [14]).
Main	2.26.	Accident management guidance should be developed for all reasonably foreseeable mechanisms that could challenge fundamental safety functions or barriers to a release of radioactive material.
Main	2.27.	Accident management guidance should be an integral part of the overall emergency arrangements and should be coordinated with the on-site emergency plan, established in accordance with GSR Part 7 [7], GSG-2 [8] and GS-G-2.1 [9]. The on-site emergency plan should set out the lines of responsibility and accountability for implementing emergency response actions during the execution of accident management guidance to maintain or restore safety functions throughout the duration of the accident.
Main	2.28.	Accident management guidance should be robust: It should promote consistent implementation by all staff during an accident. It should emphasize the use of components and systems that are not likely to fail in their expected operating regimes, including during severe accidents. It should implement all feasible measures that will either maintain or increase the margin to failure or that will gain time before the failure of safety functions or of barriers to a release of radioactive material. It should address the possibility of adding components, including non-permanent equipment, in the event that existing plant systems are unable to preserve the fundamental safety functions or limit challenges to barriers to a release of radioactive material for conditions not considered in the design. It should consider plant conditions in shutdown modes, particularly when the containment barrier is temporarily not available or when it is difficult to add water for decay heat removal.
Main	2.29.	The accident management guidance should refer to the preferred accident management equipment that is available. Possible equipment failures (e.g. instrumentation failure or equipment lockout) should be considered. Alternate methods of achieving the same purpose should be explored to take into account possible equipment failures, and the availability of alternative equipment should be determined.
Main	2.30.	In the accident management guidance, the entry conditions for use of the EOPs and the plant conditions under which the transition is to be made from EOPs to SAMGs should be specified. The entry conditions for the use of EOPs and the conditions for transition to SAMGs should be based on defined and documented criteria.
Main	2.31.	The accident management guidance should address the full spectrum of events, including credible and relevant internal and external hazards, and possible complications during their evolution that could be caused by additional hardware failures or human and organizational errors. Accident sequences involving inappropriate operator actions (errors of omission or errors of commission) leading to core damage should be considered.
Main	2.32.	Accident management guidance relating to human and organizational factors should include consideration of the following: The performance of personnel under the contextual and adverse boundary conditions given; The command and control structure, including information sharing and cooperation among the staff involved.
Main	2.33.	The operating organization should have full responsibility for the implementation of the accident management guidance and should take steps to ensure that the roles of the different members of the on-site emergency response organization involved in accident management have been clearly defined, allocated and coordinated.
Main	2.34.	Adequate staffing and working conditions (e.g. acceptable levels of radiation, temperature, humidity and lighting, as well as acceptable access to the plant from off the site) should be considered for accident management, including conditions resulting from external hazards more severe than those considered for the design, derived from the site hazard evaluation. Contingency plans should be prepared to ensure that alternate personnel are available to fill the corresponding positions if certain staff are unavailable.
Main	2.35.	Guidance for the assessment of damage to the plant should be part of the accident management programme and should be developed to address challenges to the fundamental safety functions or the fission product barriers before any significant fission product release. Of particular importance is the assessment of access to the site and structural damage to buildings resulting from external hazards more severe than those considered for design, derived from the site hazard evaluation.
Main	2.36.	In accordance with para. 5.8C of SSR-2/2 (Rev. 1) [6], contingency measures — such as compressed air or other gases, mobile electrical power sources and alternative supplies of water — are required to be located and maintained so as to be functional and readily accessible when they are needed.
Main	2.37.	Accident management guidance should be considered for any specific challenges posed by shutdown plant configurations and large scale maintenance. The potential for damage to fuel in the reactor core and in the spent fuel pool, and in on-site dry storage if applicable, should also be considered in the accident management guidance. As large scale maintenance is frequently carried out during planned shutdown states, the protection of workers should be a high priority of accident management.
Main	2.38.	Accident management guidance should be, as far as feasible, based on either directly measurable plant parameters or information derived from simple calculations and should consider the possible loss or unreliability of indications of essential plant parameters for equipment that has not been designed to withstand such accident conditions.
Main	2.39.	The set of accident management guidance, including procedures and guidelines, should include design limits and/or relevant plant parameters that should be monitored, and these limits and parameters should be referenced or linked to the criteria for the initiation, throttling or termination of the various systems. The time needed to obtain adequate information important for accident management should be taken into account when developing accident management guidance.
Main	2.40.	Specific attention should be paid to situations in which instrumentation is lost or incorrect owing to a loss of power or a harsh environment. Arrangements should be established for making adequately informed decisions in such cases. If measurements are not available, parameters should be estimated by means of simple computations (e.g. using steam tables) or precalculated graphs.
Main	2.41.	The accident management guidance should be efficient for actions that are subject to time constraints (e.g. the depressurization of the reactor coolant system; the isolation or venting of the containment).
Accident management guidance in the preventive domain (before significant fuel rod degradation)	2.42.	For accidents without significant fuel rod degrada tion, the accident management guidance should take the form of procedures, usually called EOPs, that are prescriptive in nature. EOPs also typically address design basis accidents.⁷ EOPs may be complemented by other guidance when necessary. The figure in the Appendix shows the relationship between the type of accident management guidance used, the fuel rod status and the plant state.
Accident management guidance in the preventive domain (before significant fuel rod degradation)	2.43.	Further details on the objective, scope, development and implementation of EOPs are given in IAEA Safety Standards Series No. NS-G-2.2, Operational Limits and Conditions and Operating Procedures for Nuclear Power Plants [15], and in Ref. [16].
Accident management guidance in the mitigatory domain (when significant fuel rod degradation is imminent or ongoing)	2.44.	When significant fuel rod degradation is imminent or ongoing, large uncertainties may exist in the plant status, in the availability of the systems and in the timing and outcome of actions. Consequently, the guidance for mitigating significant fuel rod degradation, usually called SAMGs, should distinguish between what can be prescriptive in nature (because there is no doubt as to the benefit of the prescribed actions, for example depressurization of the reactor coolant system for pressurized water reactors) and what cannot be prescriptive in nature. In the latter case, the guidance should include a range of possible mitigatory actions and should allow for additional evaluation and alternative actions.
Accident management guidance in the mitigatory domain (when significant fuel rod degradation is imminent or ongoing)	2.45.	The guidance for mitigating significant fuel rod degradation should contain a description of the positive and negative potential consequences of the proposed actions, including quantitative data when available and relevant; should be simple, clear and unambiguous; and should contain sufficient information for the plant staff and the staff of support organizations to reach a timely decision on the actions to take during the evolution of a severe accident.
Accident management guidance in the mitigatory domain (when significant fuel rod degradation is imminent or ongoing)	2.46.	The guidance for mitigating significant fuel rod degradation should be presented in an appropriate form, such as guidelines, manuals, handbooks or procedures. In this Safety Guide, the term ‘guideline’ is used to describe a set of strategies and measures that describe the tasks to be executed at the plant but which are still less strict and prescriptive than the procedures found in the EOPs. Manuals or handbooks typically contain a more general description of the tasks to be executed and the justifications for use of those tasks.
Accident management guidance in the mitigatory domain (when significant fuel rod degradation is imminent or ongoing)	2.47.	SAMGs should be developed with an appropriate level of detail and in a format that facilitates their effective use under stressful conditions. The form of the SAMGs (i.e. whether they set out step-by-step instructions or are intended to guide flexible decisions) should be considered in the development process and should be clear to the users.
Accident management guidance in the mitigatory domain (when significant fuel rod degradation is imminent or ongoing)	2.48.	The overall form of the guidelines and the selected level of detail should be evaluated during validation of the guidelines and then tested in exercises. On the basis of such exercises, it should be judged whether the form is appropriate and whether additional detail should be included in the SAMGs. Exercises should enable identification of areas for improvement.
Development of accident management guidance for both the preventive and mitigatory domains	2.49.	Accident management guidance should be written in a predefined format using simple and consistent language and specific terms in accordance with established rules; such rules should preferably be established in a writers’ guide.
Development of accident management guidance for both the preventive and mitigatory domains	2.50.	The team developing accident management guidance, such as the plant vendor or designer, should consider the potential loss of the command and control structure due to damaged infrastructure (e.g. from an external hazard more severe than those considered for the design, derived from the site hazard evaluation) and should develop associated guidance that takes account of the following: The number of affected units (the reactor core and spent fuel pools); The functionality and habitability of control facilities; Damage to essential structures and buildings; The availability of AC and DC power required for the operation of plant systems; Access to essential buildings and equipment; The availability of operating personnel and site staff for implementation of procedures and guidelines; Whether actions can be taken by non-licensed personnel, typically an auxiliary operator; The availability of other on-site control rooms and personnel in separate buildings; The capability of communicating within the plant emergency command and control structure and with off-site organizations.
Development of accident management guidance for both the preventive and mitigatory domains	2.51.	In some situations the arrangements for directing the response might be unavailable owing to, for example, loss of the command and control structure due to loss of the main control room or impairment of the capability to set up the on-site emergency response organization. Supporting procedures or guidelines should be developed on the use of instrumentation and equipment to cope with such conditions. The accident management guidance should include conditions for the use of such supporting procedures or guidelines.
Development of accident management guidance for both the preventive and mitigatory domains	2.52.	The management system of the operating organization should ensure that accident management guidance is not adversely impacted by plant changes, including plant modifications and changes to operating procedures and training programmes.
Development of accident management guidance for both the preventive and mitigatory domains	2.53.	The procedures and guidelines developed for accident management should be supported by appropriate background documentation (this is sometimes referred to as the ‘technical basis document’). This documentation should describe and explain the rationale of the various parts of the accident management guidance and should include an explanation of each step, if necessary. The background documentation does not replace the accident management guidance itself. The background documentation should be made available to all staff involved in evaluation and decision making.
Development of accident management guidance for both the preventive and mitigatory domains	2.54.	Potential changes to the EOPs or the SAMGs should first be made to the relevant background documentation to ensure that the changes are thoroughly evaluated. Updated background documentation, EOPs and SAMGs should be issued to the operating organization simultaneously for validation and training.
Development of accident management guidance for both the preventive and mitigatory domains	2.55.	Hard copies of the EOPs and the SAMGs should always be available in all evaluation and decision making locations, such as the main control room, the supplementary control room and the technical support centre, so that they can be used as necessary, in particular during a station blackout. Hard copies should also be made available in all locations used as backups in case of accidents caused by external hazards more severe than those considered for the design, derived from the site hazard evaluation.
Development of accident management guidance for both the preventive and mitigatory domains	2.56.	Verification and validation processes should assess the technical accuracy and adequacy of the accident management guidance to the extent possible, as well as the ability of personnel to follow and implement this guidance. The verification process should confirm the compatibility of the guidance with the referenced equipment, user aids and supplies (e.g. non-permanent equipment, posted job aids, computational aids) (see Ref. [17]). The validation process should demonstrate that the necessary instructions are provided to implement the guidance.
Development of accident management guidance for both the preventive and mitigatory domains	2.57.	The staff involved in the validation of accident management guidance should be different from those who developed the guidance. Developers and writers of plant specific accident management guidance should prepare appropriate tests and scenarios for validation, and their participation as observers to the validation process may be beneficial (see Ref. [18]).
Development of accident management guidance for both the preventive and mitigatory domains	2.58.	The findings and insights from the verification and validation processes, including consideration of positive and negative consequences of actions, should be documented. This information should be used to provide feedback to the developers of procedures and guidelines for any necessary updates before the documents are brought into force by the management of the operating organization. The documentation should be stored appropriately to enable any future revalidation.
Development of accident management guidance for both the preventive and mitigatory domains	2.59.	Guidance should be prepared for testing the permanent and non-permanent equipment and for testing any assembled subsystems necessary for the equipment to meet its planned performance. The frequency and type of testing should be conducted in accordance with the manufacturer’s recommendations. Tests should address necessary local actions, contingencies, the proper connection of non-permanent equipment to plant equipment, access to the site, off-site actions, emergency lighting and the possibility of events affecting multiple units, as well as the time needed to implement these actions, if appropriate. Accident management guidance should be provided for maintenance and periodic testing to ensure the proper functioning of equipment and may include the need for plant walkdowns.
Development of accident management guidance for both the preventive and mitigatory domains	2.60.	In the accident management programme, external hazards should be considered with a level of severity exceeding the magnitude established in the site evaluation or its equivalent and with a mean annual frequency exceeding the probability of accidents established in the design for the plant⁸ (see IAEA Safety Standards Series No. SSR-1, Site Evaluation for Nuclear Installations [19]).
Development of accident management guidance for both the preventive and mitigatory domains	2.61.	The accident management guidance should also consider that, in the case of external hazards more severe than those considered for the design, derived from the site hazard evaluation, there may be extensive infrastructure damage, so that off-site resources are not readily available; examples of such off-site resources include human resources; means of communication; electrical power supplies; means of transport; and the availability of spare parts, lubricants, compressed air, water and fuel.
Development of accident management guidance for both the preventive and mitigatory domains	2.62.	Accident management guidance should consider the need to remove rubble due to external hazards more severe than those considered for the design, derived from the site hazard evaluation, and consideration should be given to its removal under bad weather conditions. For example, heavy machinery may be necessary.
Development of accident management guidance for both the preventive and mitigatory domains	2.63.	The non-permanent equipment should be located in diverse positions to the extent practicable so as to avoid common cause failures due to external hazards such as earthquakes and tsunamis.
Development of accident management guidance for both the preventive and mitigatory domains	2.64.	Consideration should be given to the provision of multiple hook-up points to facilitate the use of non-permanent equipment during an accident caused by external hazards, taking into account the benefits and the potential negative implications.
Development of accident management guidance for both the preventive and mitigatory domains	2.65.	For a multiple unit nuclear power plant site, the accident management programme is required to consider concurrent accidents affecting multiple units, in accordance with para. 5.8A of SSR-2/2 (Rev. 1) [6].
Development of accident management guidance for both the preventive and mitigatory domains	2.66.	Accident management guidance should include the equipment and supporting procedures necessary to respond to accidents that might affect multiple units on the same site and last for extended periods of time. Personnel should have adequate skills to use such equipment and implement supporting procedures, and adequate staffing plans should be developed for emergency response at sites with multiple units.
Development of accident management guidance for both the preventive and mitigatory domains	2.67.	Some events, especially natural hazards, may result in similar challenges to all units on the site. Therefore, staffing plans should take into account situations in which multiple units at the same site have been affected simultaneously and some plant personnel have been temporarily or permanently incapacitated.
Development of accident management guidance for both the preventive and mitigatory domains	2.68.	In the case of multiple unit sites with shared safety related equipment or systems, the possible continued use of a unit that has not been affected should be taken into account in the accident management guidance. Predefined criteria should be established to decide whether the operating units at the same site should be shut down in the event of a severe accident.
Development of accident management guidance for both the preventive and mitigatory domains	2.69.	Requirement 33 of SSR-2/1 (Rev. 1) [3] states that “Each unit of a multiple unit nuclear power plant shall have its own safety systems and shall have its own safety features for design extension conditions.” To further enhance safety, means of allowing interconnections between units of a multiple unit nuclear power plant are required to be considered in the design for accident management (see para. 5.63 of SSR-2/1 (Rev. 1) [3]). Additionally, the sharing of support systems does occur in old plants. Special care should be used to identify the potential impact on any equipment or systems that might be shared between units to ensure adequate capacity of the shared systems.
Development of accident management guidance for both the preventive and mitigatory domains	2.70.	The effectiveness of equipment and the emergency response facilities (e.g. the main control room, the technical support centre) that are shared by different units should be assessed for cases in which accidents, including accidents more severe than the design basis accidents, occur simultaneously at several units.
Development of accident management guidance for both the preventive and mitigatory domains	2.71.	If structures, systems and components that are used for severe accident management are shared between different units, an assessment should be performed to determine whether safe shutdown will be achievable for the other units in the event of an accident at one unit.
Development of accident management guidance for both the preventive and mitigatory domains	2.72.	When other units are located at a neighbouring site close to the site at which a severe accident has occurred, the sharing of information with the operating organizations of those neighbouring units should be considered. Such communication would help to determine whether expected dose rates and other environmental conditions due to dispersion of radioactive material from the site at which the accident has occurred might affect access to units at the neighbouring site.
Development of accident management guidance for both the preventive and mitigatory domains	2.73.	The accident management guidance should address the possibility that more than one unit, or all units, might be affected concurrently by simultaneous accidents, including the possibility that damage will propagate from one unit to another or that damage to one unit will be caused by actions taken at another unit.
Hardware provisions for severe accident management at multiple unit sites	2.74.	When installing equipment (both permanent and non-permanent equipment) for use in severe accident management, consideration should be given to the possibility of severe accidents occurring simultaneously at more than one unit.
Hardware provisions for severe accident management at multiple unit sites	2.75.	For existing plants, the use of a containment venting system that is shared between more than one unit should not have a detrimental impact on the other units on the site.
Hardware provisions for severe accident management at multiple unit sites	2.76.	Site personnel should consider sharing any available and interconnectable equipment among units during severe accidents at multiple unit sites.
Hardware provisions for severe accident management at multiple unit sites	2.77.	Items important to safety for accident management should be identified and evaluated to ensure that they will fulfil their expected roles. If necessary or beneficial for improving the plant’s safety, existing equipment or instrumentation should be upgraded or new equipment or instrumentation should be installed.
Hardware provisions for severe accident management at multiple unit sites	2.78.	Equipment upgrades should be prioritized in accordance with their safety benefits.
Hardware provisions for severe accident management at multiple unit sites	2.79.	Paragraph 5.37 of SSR-2/1 (Rev. 1) [3] states:
Hardware provisions for severe accident management at multiple unit sites	2.80.	When existing equipment or instrumentation is to be upgraded or used outside its previously considered design basis range, the accident management guidance for the use of such equipment should be updated accordingly.
Hardware provisions for severe accident management at multiple unit sites	2.81.	New equipment necessary for accident management should be designed for predicted accident conditions and for environmental conditions arising from internal and external hazards commensurate with the intended function.
Hardware provisions for severe accident management at multiple unit sites	2.82.	Equipment expected to be used for accident management, either permanent equipment or non-permanent equipment that is stored on the site or off the site, should be protected against postulated hazardous conditions including internal and external hazards. For non-permanent equipment, such as portable or mobile equipment, it should be verified that the equipment can be moved from its storage location to the location where it fulfils its accident management function and that the necessary connections can be established under the conditions existing during the accident and within the necessary time frame.
Hardware provisions for severe accident management at multiple unit sites	2.83.	Maintenance, testing and inspection procedures should be developed for equipment, including non-permanent equipment, to be used in accident management according to the equipment’s safety significance and the manufacturer’s recommendations.
Hardware provisions for severe accident management at multiple unit sites	2.84.	The impact of new or upgraded equipment on staffing needs, as well as on maintenance and testing programmes, should be addressed.
Hardware provisions for severe accident management at multiple unit sites	2.85.	For accident conditions, the decision making authority should be clearly defined and established at an appropriate level, commensurate with the complexity of the task and the potential consequences of the decisions to be made. When EOPs are implemented, the main control room supervisor or other designated official within the operating organization should fulfil this responsibility. When significant fuel rod degradation is imminent or ongoing, decision making necessitates having a perspective of all the measures for accident management and a wider understanding of the implications of the decisions. Some States require that the main control room supervisor be capable of performing actions in all aspects of accident management until the person authorized to manage the emergency starts to execute his or her duties.
Hardware provisions for severe accident management at multiple unit sites	2.86.	Major decisions that could have significant adverse effects on public safety or the environment should involve, where practicable, the person (or persons) who has been assigned legal responsibility for safety at the plant.
Hardware provisions for severe accident management at multiple unit sites	2.87.	The accident management guidance should be compatible with the assignment of responsibilities and should be consistent with the other functions considered in the operating organization’s overall emergency arrangements on the site and, if appropriate, at the corporate level.
Hardware provisions for severe accident management at multiple unit sites	2.88.	The roles assigned to the members of the emergency response organization may be different in the preventive and mitigatory domains, and, when this is the case, transitions of responsibility and authority should be clearly defined.
Hardware provisions for severe accident management at multiple unit sites	2.89.	A specialized team or group of teams (referred to in this Safety Guide as the ‘technical support centre staff’) should be available in an emergency to provide technical support to the operating personnel. The technical support centre staff should have the capability, based on their knowledge of the plant status, to recommend actions appropriate for the situation. Such recommendations should be made after an evaluation of the potential consequences of the recommended actions and the possibility and consequences of using erroneous information. If the technical support centre staff are composed of multiple teams, the role of each team should be specified.
Hardware provisions for severe accident management at multiple unit sites	2.90.	Criteria for the activation of the technical support centre should be unambiguous and clearly specified in plant procedures and the on-site emergency plan. Accident management measures should continue to be decided on and carried out by the control room staff until the technical support centre is functional (i.e. has sufficient staff present who have acquired awareness of the situation). GS-G-2.1 [9] recommends that the technical support centre be activated and functional within one hour after the declaration of an emergency. Additional details on the transfer of responsibility are provided in para. 4.2 of this Safety Guide.
Hardware provisions for severe accident management at multiple unit sites	2.91.	Depending on the situation, the technical support centre may be activated in the preventive domain. In such cases, the technical support centre should provide technical support to the main control room staff.
Hardware provisions for severe accident management at multiple unit sites	2.92.	The mechanisms for ensuring the flow of information between the technical support centre and the main control room, as well as from the technical support centre to other parts of the on-site emergency response organization, including those responsible for the execution of on-site and off-site emergency plans, should be specified. Oral communication between the technical support centre staff and the main control room staff should be undertaken by a member of the technical support centre staff who is a licensed operator or a similarly qualified person.
Hardware provisions for severe accident management at multiple unit sites	2.93.	When off-site support for accident management needs to be obtained, consideration should be given to ensuring coordination and to minimizing the possibility of negative interaction between actions performed by various teams on the site. Accident management should be implemented such that all teams have a common situational awareness.
Hardware provisions for severe accident management at multiple unit sites	2.94.	For multiple unit sites, the on-site emergency plan should include the necessary interfaces between the various parts of the overall on-site emergency response organization responsible for different units. Emergency directors for each unit may be assigned to decide on the appropriate actions at specific units. In this case, an overall emergency director should also be assigned to coordinate activities and priorities among all affected units on the site. Decision making responsibilities should be clearly defined. If there are different operating organizations at a given site, appropriate arrangements should be established for the coordination of emergency response operations, including accident management measures, among those organizations.
Staffing and qualification	2.95.	A list of persons who will be part of accident management should be established, and these persons should be designated as emergency workers. This list should take into account accidents developing over a long period so that adequate shift staffing is maintained at the plant (e.g. during holidays and overnight).
Staffing and qualification	2.96.	Adequate staffing levels and personnel qualifications should be established for the implementation of accident management measures, taking into account (a) the possibility that all units can be affected concurrently by simultaneous accidents and (b) the requirements for emergency response (see GSR Part 7 [7]). Staffing levels should be sufficient to provide an initial response for accident management before the emergency response organization is fully activated and be such that an adequate response can be sustained until additional staff arrive.
Staffing and qualification	2.97.	Appropriate training should be provided to members of the operating organization personnel responsible for accident management; the training should be commensurate with their roles and responsibilities.
Staffing and qualification	2.98.	Personnel responsible for performing accident management measures should be trained to acquire the required knowledge, skills and proficiency to execute their tasks. A comprehensive training programme for accident management should be prepared that includes the interfaces with emergency preparedness and response. Training should include a combination of techniques, such as classroom training, drills, tabletop exercises¹¹ and the use of simulation tools.
Staffing and qualification	2.99.	Decision makers should be trained to understand the consequences and uncertainties inherent in their decisions. Evaluators should ensure that they understand the technical basis on which they will base their recommendations. Implementers should ensure that they understand the actions that they may be asked to take.
Staffing and qualification	2.100.	Training should be developed using a systematic approach to training [20]. This includes identifying training needs, defining the training objectives, specifying the technical basis for training material, developing training material, specifying the appropriate venue for delivering training and measuring the effectiveness of training to provide feedback to the training process.
Staffing and qualification	2.101.	Training should be developed and implemented for each on-site group and off-site group involved in accident management. Training should be commensurate with the tasks and responsibilities of the participants, taking into account the appropriate technical level for each group. In-depth training should be considered for personnel entrusted with critical functions in the accident management programme.
Staffing and qualification	2.102.	Training material should be developed by subject matter experts and qualified trainers. Experts could: Answer questions that are beyond the capability of professional trainers; Provide information about the operation of field and local equipment and the operation of other equipment, including non-permanent equipment, under adverse conditions.
Staffing and qualification	2.103.	Training, including periodic exercises and drills, should be sufficiently realistic and challenging to prepare personnel responsible for accident management duties to cope with and respond to situations that may occur during an event [21]. Drills should extend over a time period long enough to realistically represent the plant response and should allow for the transmission of information during shift changes to be tested. Special exercises and drills should be developed to practice shift changeovers between operations staff and technical support centre staff and information transfer between different teams. Training should cover accidents occurring simultaneously at more than one unit, accidents occurring in different reactor operating states and accidents in the spent fuel pool. Training should consider unconventional line-ups of the plant equipment, the use of non-permanent equipment (e.g. diesel power generators, pumps) and repair of the equipment.
Staffing and qualification	2.104.	Training material should address the implementation of strategies under adverse environmental conditions, including conditions resulting from external hazards with potentially high radiation levels, and under the influence of stress on the anticipated behaviour of staff.
Staffing and qualification	2.105.	Training for new staff, as well as refresher training for existing staff, should be developed for all groups of staff involved in accident management. The frequency of refresher training should be established on the basis of the difficulty and the importance of accident management tasks. A maximum interval for refresher training should be defined, but depending on the outcome of exercises and drills held at the plant, a shorter interval may be selected. Changes in the guidance or in the use of the guidance should be reflected in the training programme. Such changes should be communicated to interested parties.
Staffing and qualification	2.106.	Criteria for evaluating the effectiveness of an exercise or a drill should be established. Such criteria should characterize the ability of the team participating in the exercise or drill to understand and follow the evolution of the plant status, to reach well founded decisions for various events (including unanticipated events), to initiate appropriate actions and to meet the objectives of the exercise or drill (see Ref. [17]).
Staffing and qualification	2.107.	Results from exercises and drills should be systematically evaluated to provide feedback for the improvement of the training programme and, if applicable, the procedures and guidelines, as well as the organizational aspects of accident management.
Staffing and qualification	2.108.	If, within the operating organization, the transfer of authority to direct the accident management actions is considered during an accident, it should be verified that the person to whom authority will be transferred has the required background to efficiently discharge such authority.
Staffing and qualification	2.109.	The transfer of authorities and responsibilities during the emergency response should take place at a point in time that minimizes any risks to safe and effective implementation of accident management measures and, thus, is optimal from the viewpoint of accident management. The transfer of responsibility and authority should not create a ‘vacuum’ in decision making or in the implementation of necessary actions. Hence, any formal transfer of responsibility and authority should not take place until the new decision maker is ready to assume his or her role. Arrangements for the transfer of responsibilities and authorities should be consistent with the arrangements addressed in the on-site emergency plan.
Working conditions	2.110.	Reasonable assurance should be provided that the on-site technical support centre (or emergency response facility) will be operable and habitable under a range of postulated hazardous conditions, including external hazards more severe than those considered for design, derived from the site hazard evaluation.
Working conditions	2.111.	Acceptable habitability should be provided for plant staff and external support staff in situations in which the site is partially or totally isolated from continuous off-site support.
Working conditions	2.112.	Shift turnover documents should be maintained to allow continuity during shift changes. During turnovers, staff on the new shifts should be provided with accident related information as well as other information deemed necessary to maintain continuity in strategies for managing the accident.
Working conditions	2.113.	Contingency plans should be developed for the following: Situations in which staff members involved in accident management have been incapacitated; Situations in which some staff members involved in accident management need to be evacuated; Situations in which outside support may be delayed so that main control room staff and technical support centre staff will need to continue the accident management measures.
Working conditions	2.114.	As part of overall emergency preparedness, arrangements should be put in place to help staff cope with emotional stress affecting performance during the response, in relation to both the circumstances of the accident and any conventional emergency that is occurring simultaneously and affecting their families or property.
Working conditions	2.115.	Suitable, reliable and diverse means of communication should be available at all times for use on the site and for communication with off-site authorities, and guidance should be put in place for measures to be taken if some or all of these means fail. The effects of a station blackout and the potential for damage to the communication equipment from external hazards more severe than those considered for design, derived from the site hazard evaluation, should be considered in these arrangements.
Working conditions	2.116.	A highly reliable communication network based on the principles of redundancy, diversity and physical separation of communication channels should be provided for communication between the main control room, the technical support centre and off-site facilities.
Working conditions	3.1.	All the general recommendations from Section 2 on the development of an accident management programme are also applicable to the development of a severe accident management programme. In this regard, the recommendations in Section 3 can be considered supplementary to the recommendations in Section 2.
Working conditions	3.2.	Six main steps should be executed to set up and develop a severe accident management programme: Identification of challenge mechanisms: Mechanisms that could challenge the fundamental safety functions or the barriers to a release of radioactive material should be identified. Identification of plant vulnerabilities: Plant vulnerabilities should be identified, with consideration given to the challenge mechanisms, including the concurrent loss of the fundamental safety functions. Identification of plant capabilities: For challenges to the fundamental safety functions and fission product barriers, the plant capabilities, including capabilities to delay or mitigate such challenges, in terms of both available equipment and available personnel, should be considered. The available or necessary hardware provisions for the execution of severe accident management strategies should be considered. Development of severe accident management guidance: Suitable severe accident management guidance should be developed and should include the use of permanent and on-site and off-site non-permanent equipment and instrumentation to cope with the vulnerabilities identified. Development of severe accident management guidance should be supported by appropriate analyses. Best estimate analyses are typically used for this purpose. Dependencies between external hazards should be considered. The possibility and consequences of using erroneous information should be considered. The means of obtaining information on the plant status, and the role of instrumentation therein, should be considered, including cases in which the information provided by instrumentation is erroneous and all normal power for instrumentation and control systems is unavailable. Possible restrictions on access to certain areas in order to perform local actions should be considered. Interfaces with actions performed prior to any significant fuel rod degradation should be addressed. Suitable procedures and guidelines for the execution of the strategies and measures should be developed. Severe accident management strategies should consider relevant very low probability events. Establishment of a verification and validation process for the severe accident management programme. Integration of the severe accident management programme into the management system and the emergency preparedness and response arrangements: The lines of decision making, responsibility and authority in the teams that will be in charge of the execution of the accident management guidance should be specified. Human and organizational factors should be considered using a systemic approach to safety [22]. A systematic approach to the periodic evaluation and updating of the guidance and training should be considered; such an evalution should incorporate new information and research insights into severe accident phenomena. Education, training, exercises and drills should be considered. Integration of the severe accident management programme with the emergency arrangements for the plant should be ensured. For challenges to the fundamental safety functions and fission product barriers, the plant capabilities, including capabilities to delay or mitigate such challenges, in terms of both available equipment and available personnel, should be considered. The available or necessary hardware provisions for the execution of severe accident management strategies should be considered. Suitable severe accident management guidance should be developed and should include the use of permanent and on-site and off-site non-permanent equipment and instrumentation to cope with the vulnerabilities identified. Development of severe accident management guidance should be supported by appropriate analyses. Best estimate analyses are typically used for this purpose. Dependencies between external hazards should be considered. The possibility and consequences of using erroneous information should be considered. The means of obtaining information on the plant status, and the role of instrumentation therein, should be considered, including cases in which the information provided by instrumentation is erroneous and all normal power for instrumentation and control systems is unavailable. Possible restrictions on access to certain areas in order to perform local actions should be considered. Interfaces with actions performed prior to any significant fuel rod degradation should be addressed. Suitable procedures and guidelines for the execution of the strategies and measures should be developed. Severe accident management strategies should consider relevant very low probability events. The lines of decision making, responsibility and authority in the teams that will be in charge of the execution of the accident management guidance should be specified. Human and organizational factors should be considered using a systemic approach to safety [22]. A systematic approach to the periodic evaluation and updating of the guidance and training should be considered; such an evalution should incorporate new information and research insights into severe accident phenomena. Education, training, exercises and drills should be considered. Integration of the severe accident management programme with the emergency arrangements for the plant should be ensured.
Working conditions	3.3.	Severe accident sequences should be identified and analysed using a combination of engineering judgement, deterministic methods and probabilistic methods. Sequences for which practicable severe accident management guidance can be implemented should be identified. Acceptable severe accident management guidance should be based on best estimate assumptions, methods and analytical criteria. Activities for developing severe accident management guidance should take into account the following: Operating experience, relevant safety analysis and results from safety research. Accident sequences reviewed against a set of criteria aimed at determining which severe accident challenges should be addressed in the design of the severe accident management programme. Potential design or procedural changes that could either reduce the likelihood of occurrence of these challenges or mitigate their consequences, and decisions on the implementation of such changes. Plant design capabilities, including the possible use of: Systems beyond their originally intended function and anticipated operational states when the use of such systems will not exacerbate the situation; Additional non-permanent systems or components to return the plant to a long term safe stable state or to mitigate the consequences of a severe accident, provided that it can be shown with a good level of confidence that the systems will be able to function in the expected environmental conditions. For multiple unit sites, consideration of the use of available means and/ or support from other units on the site, provided that the safe operation of those units is not compromised. Systems beyond their originally intended function and anticipated operational states when the use of such systems will not exacerbate the situation; Additional non-permanent systems or components to return the plant to a long term safe stable state or to mitigate the consequences of a severe accident, provided that it can be shown with a good level of confidence that the systems will be able to function in the expected environmental conditions.
Working conditions	3.4.	The development of severe accident management guidance should be supported by appropriate analyses of the physical response of the plant. Best estimate analyses are typically used for this purpose. Consideration should be given to uncertainties in knowledge about the timing and magnitude of phenomena that might occur in the progression of the accident. Hence, severe accident management actions should be initiated at the level of parameters and at a time that gives sufficient confidence that the goal intended to be achieved by carrying out the action will be reached.
Working conditions	3.5.	Severe accident management guidance may be developed first on a generic basis by the plant vendor or plant designer, or by another organization duly authorized by the operating organization, and may then be used by the operating organization for the development of a plant specific severe accident management programme. Severe accident management guidance may also be developed on a plant specific basis without the use of generic documentation. When adapting generic severe accident management guidance to plant specific conditions, care should be taken that the transition conditions from EOPs to SAMGs are handled appropriately, including searching for additional vulnerabilities and for strategies to mitigate these vulnerabilities. Any deviations from plant operating requirements and generic severe accident management guidance should be subject to rigorous review that considers the basis for and benefits of the original approach and the potential unintended consequences of deviating from this approach.
Working conditions	3.6.	To ensure the success of the development of the severe accident management programme, a development team of experts with sufficient scope and level of expertise, including all necessary technical disciplines, should be involved, with support from the senior management of the operating organization.
Working conditions	3.7.	The selection of severe accident sequences should be sufficiently comprehensive to provide a basis for the development of severe accident management guidance for plant personnel and support personnel in any identified situation. Level 1 and Level 2 probabilistic safety assessment (PSA) (see IAEA Safety Standards Series No. SSG-3, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants [23], and IAEA Safety Standards Series No. SSG-4, Development and Application of Level 2 Probabilistic Safety Assessment for Nuclear Power Plants [24]), engineering judgement or similar studies from other plants, and operating experience at the plant or at other plants, can provide the basis for the selection of severe accident sequences.
Working conditions	3.8.	The severe accident management programme should address the full spectrum of challenges to fission product barriers, including those arising from multiple hardware failures, human error and postulated hazardous conditions, including external hazards more severe than those considered for the design, derived from the site hazard evaluation. The severe accident management programme should also consider possible consequential failures and physical phenomena that may occur during the evolution of a severe accident. In the development process, even very improbable failures should be considered.
Working conditions	3.9.	For determination of the full spectrum of challenges to fission product barriers, useful input can be obtained from the Level 2 PSA for the plant (or similar studies from other plants), engineering judgement and insights from research on severe accidents. However, the identification of potential challenge mechanisms should be as comprehensive as possible to provide a basis for the development of severe accident management guidance for plant personnel in all situations, even if the evolution of the accident would constitute a very unlikely path within the Level 2 PSA.
Working conditions	3.10.	In view of the inherent uncertainties involved in determining credible events, the PSA for the plant should not be used a priori to exclude accident sequences from consideration in the development of severe accident management guidance. If such an approach is considered, extremely low cut-off levels should be specified so as not to underestimate the scope and nature of the accident sequences to be analysed.
Working conditions	3.11.	The vulnerabilities of the plant to challenging conditions should be identified. It should be investigated how specific severe accidents will challenge the fundamental safety functions and, if these are lost and not restored in due time, how the integrity of the fission product barriers will be challenged.
Working conditions	3.12.	The vulnerabilities to postulated hazardous conditions — including external hazards more severe than those considered for the design, derived from the site hazard evaluation — that can impact the use of safety features for severe accident management on both permanent and non-permanent equipment should be identified. It should be investigated how specific hazards might interfere with the use of safety features for severe accident management.
Working conditions	3.13.	When developing guidance on severe accident management, consideration should be given to the full capabilities of the plant, including permanent and non-permanent equipment, as appropriate. Particular care should be taken if the possible use of some systems beyond their originally intended function is foreseen in the severe accident management guidance.
Working conditions	3.14.	All plant capabilities available to fulfil and support the plant’s fundamental safety functions should be identified and characterized. This should include a review of the on-site consumable resources for the plant that would be required to support safety systems, as well as the use of non-dedicated systems and unconventional or alternative line-ups or hook-up connections for non-permanent equipment located on the site or brought in from off the site.
Working conditions	3.15.	Specific consideration should also be given to maintaining the conditions necessary for the continued operation of equipment that is ultimately necessary to prevent early or large radioactive releases.
Working conditions	3.16.	When unconventional or alternative line-ups or hook-up connections are necessary, consideration should be given to the availability of the equipment needed to facilitate the establishment of such connections by the appropriate staff and to possible restrictions of authorized access to such equipment.
Working conditions	3.17.	To minimize the time needed to deploy equipment in unconventional ways after a severe accident, and to ensure that this equipment can be deployed with due regard for the safety of the operators involved, the relevant instructions to take actions safely and effectively should be prepared in advance by defining a set of steps that have been appropriately reviewed and identifying the prerequisites necessary (e.g. the prestaging of any special tools or components).
Working conditions	3.18.	The ability of plant personnel to successfully take unconventional measures to mitigate accident challenges under adverse environmental conditions should be carefully considered.
Working conditions	3.19.	In determining the capabilities of the plant personnel to deploy mitigating equipment in harsh environments, the implications of the following should be considered: Working in high temperature, high pressure or high humidity areas; Working in poorly lit or dark areas; Working in areas ventilated by portable ventilation systems; Working in high radiation areas; Using non-permanent instrumentation or non-permanent power supplies.
Severe accident management strategies	3.20.	On the basis of the vulnerability assessment and identified plant capabilities, as well as the understanding of accident phenomena, severe accident management strategies should be developed for each individual challenge or plant vulnerability.
Severe accident management strategies	3.21.	For cases in which significant fuel rod degradation is imminent or ongoing, strategies should be developed with the following objectives: Maintaining the integrity of the containment or any other remaining confinement barrier and preventing containment bypass; Minimizing or delaying any off-site releases of radioactive material; Returning the plant to a long term safe stable state. Terminating the progress of fuel rod degradation; Maintaining the integrity of the reactor pressure vessel and other fuel retaining structures (such as the spent fuel pool).
Severe accident management strategies	3.22.	Severe accident management strategies may be derived from ‘candidate high level actions’, such as the following: Filling the secondary side of the steam generators to prevent creep rupture of the steam generator tubes; Depressurizing the reactor coolant system to prevent high pressure failure of the reactor pressure vessel and direct containment heating; Flooding the reactor cavity to prevent or delay vessel failure (or facilitate corium spreading on a large area in the case of vessel rupture) and subsequent basemat failure; Mitigating the impact of combustible gases; Depressurizing the containment to prevent its failure by excess pressure or to prevent basemat failure under elevated containment pressure (see Ref. [17]).
Severe accident management strategies	3.23.	A systematic evaluation of the possible severe accident management strategies should be conducted to confirm their feasibility and effectiveness, to determine potential negative impacts and to prioritize the strategies using appropriate methods. Adverse conditions that may affect the execution of a strategy during the evolution of a severe accident should be considered. The evaluation should be documented in the relevant background document.
Severe accident management strategies	3.24.	Particular consideration should be given to severe accident management strategies that have both positive and negative impacts in order to provide a basis for a decision as to which strategies constitute a proper response for a given plant damage state. The background documentation supporting SAMGs should include a full description of the benefits and potential negative implications of the severe accident management strategies.
Severe accident management strategies	3.25.	To minimize the time needed to deploy equipment in unconventional ways following a severe accident, and to ensure that these actions can be taken with due regard for the safety of the operators involved, the relevant instructions should be prepared in advance, by defining a set of steps that have been appropriately reviewed including identifying the prerequisites necessary (e.g. pre-staging of any special tools or components) to take actions safely and effectively.
Severe accident management strategies	3.26.	Severe accident management strategies should also be developed for situations in which DC power is lost after a long term loss of all AC power.
Severe accident management strategies	3.27.	The plant control and logic interlocks that may need to be defeated or reset for the successful implementation of severe accident management strategies should be systematically identified. It should also be verified that the potential negative effects of such actions have been adequately characterized and documented.
Severe accident management strategies	3.28.	The definition and selection of strategies applicable to severe accidents should consider the potential usefulness of maintaining strategies initiated when significant fuel rod degradation had not yet occurred. For example, subcriticality of the core or the core debris should be maintained, and a path should be provided to transfer decay heat from the core or molten core debris to an ultimate heat sink, where possible.
Severe accident management strategies	3.29.	The need to avoid or minimize the accumulation of large amounts of potentially contaminated water, including leakage resulting from damage to the containment, should be considered in the long term strategies for storing and remediating contaminated water.
Severe accident management guidelines	3.30	The SAMGs should aim to monitor, preserve or restore the fundamental safety functions by means of the selected strategies. The strategies and measures outlined in paras 3.20–3.29 of this Safety Guide should be converted into SAMGs. The SAMGs should contain the information and instructions necessary for the responsible personnel to successfully implement the strategies, including the use of equipment.
Severe accident management guidelines	3.31.	The SAMGs should be written in a clear and unambiguous way so that they can be readily executed under high stress and time constrained conditions. The SAMGs should contain sufficient detail to ensure that the focus is on the necessary actions. For example, when primary injection is recommended, it should be identified whether this should be initiated from dedicated sources (borated water) or alternate sources (possibly non-borated water, such as fire extinguishing water). In addition, the line-ups available to achieve the injection should be identified, and guidance should be put in place to enable the configuration of unconventional line-ups, when these are needed. It should be indicated how long water sources will be available and what needs to be done either to replace such water sources or to restore them once they are depleted.
Severe accident management guidelines	3.32.	The SAMGs should be written in such a way that they provide sufficient latitude to deviate from an anticipated path when this might be necessary or beneficial. Such flexibility may be necessary owing to the uncertainty in the status of the plant and in the effectiveness or outcome of actions, and owing to the need to cover unexpected events and complications.
Severe accident management guidelines	3.33.	When immediate and short term actions are necessary to manage a severe accident, there may be no time available for the deliberation of all possible consequences of the actions. In such cases, the SAMGs should directly identify the recommended action.
Severe accident management guidelines	3.34.	The severe accident management guidance (including procedures and guidelines) should contain, as a minimum, the following elements: The objectives and goals of the SAMGs; The interface with the EOPs; The criteria for entry into the mitigatory domain; Potential negative consequences of the actions; Guidance on the monitoring of strategies; Cautions and limitations; The equipment and resources necessary (e.g. AC and DC power, water); Consideration of the necessary human resources; Consideration of the habitability of workplaces at which local measures for accident management may be necessary; Guidance on the use of diagnostic tools and computational aids; The time window within which the actions are to be applied; Local actions sheets (if applicable); Conditions for exit from or termination of the SAMGs; Guidance on the assessment and monitoring of the plant response, including consideration of the effectiveness of implemented actions.
Severe accident management guidelines	3.35.	Preferably, the severe accident management guidance should be set out in such a way that it is not necessary for the responsible staff to identify the accident sequence or to follow preanalysed accidents to be able to execute the accident management guidance correctly.
Severe accident management guidelines	3.36.	It may also be possible to determine the plant status on the basis of an appropriate procedure, plant alarms and indications. Nevertheless, the SAMGs should also be effective when a diagnosis of plant status cannot be obtained or when it has been obtained but has later been found to be incorrect or has changed owing to the evolution of the accident.
Severe accident management guidelines	3.37.	The behaviour of the plant during severe accidents, including severe accidents caused by internal and external hazards, should be well understood, and the phenomena that may occur, together with their expected timing, should be identified. The timing of an actual accident is, in general, different from that expected by analytical results and depends on actual plant conditions and the timing of real events. Decision makers should be cognizant of these differences. A symptom based approach to severe accident management guidance should be preferred so that decision makers can respond to actual plant conditions and not make decisions solely based on stylized analytical results.
Severe accident management guidelines	3.38.	When significant fuel rod degradation has occurred, it should not be necessary to identify the accident sequence or to follow a preanalysed accident sequence in order to use the SAMGs correctly. The main control room staff and the technical support centre staff should be able to identify the challenges to fission product barriers and the plant damage state from the monitoring of plant parameters.
Severe accident management guidelines	3.39.	The SAMGs should be developed in such a way that the potential for an erroneous diagnosis of the plant condition is minimized. The use of redundant and diverse instrumentation and signals is recommended. If there is no redundancy, preference should be given to the use of instrumentation that is designed to withstand the environmental conditions of the accident.
Severe accident management guidelines	3.40.	Priorities should also be defined among the various SAMGs in accordance with the priority of the underlying strategies. Conflicts in priorities, if any, should be resolved. Priorities may change during the course of the accident; hence, the SAMGs should contain a recommendation that the selection of priorities be reviewed on an ongoing basis. The selection of actions should then be changed accordingly.
Severe accident management guidelines	3.41.	The set of accident management guidance that is to be implemented during severe accidents should be integrated to establish a comprehensive strategy for severe accident management. When executing mitigatory actions, there may be a need to use procedures for these actions.
Severe accident management guidelines	3.42.	The transition point from EOPs to SAMGs should be set with careful consideration of the timing and magnitude of subsequent challenges to fission product barriers. Specific and measurable parameter values should be defined for the transition to the use of SAMGs, such as the measured value of the core exit temperature. If the transition point is specified on the basis of conditional criteria (i.e. if certain planned actions in the EOPs are unsuccessful), the time necessary to confirm that the transition point has been reached should be taken into account. For example, as the fuel temperature rises, the degree of fuel rod degradation will affect the anticipated time needed to identify the transition point.
Severe accident management guidelines	3.43.	Protocols for communicating with various interested parties when the transition point has been met or exceeded should be carefully considered. Steps should be taken to ensure that all personnel understand how their roles are about to change during the transition.
Severe accident management guidelines	3.44.	The possibility of transition from EOPs to SAMGs before the technical support centre is operable should be considered in the development of procedures and guidelines. This situation could occur if an event rapidly developed into a severe accident or if the technical support centre could not be activated within the time assumed in the guidance. Any guidance provided to main control room staff in this case should be presented in a way that makes prompt and easy execution possible and, therefore, should be presented in a format that operators are able to work with and are already trained for.
Severe accident management guidelines	3.45.	Proper transition from EOPs to SAMGs should be provided for, when appropriate. Functions and actions from the EOPs that have been identified as relevant in the mitigatory domain should be retained in the SAMGs.
Severe accident management guidelines	3.46.	When EOPs are executed in parallel with SAMGs, the applicability and validity of the EOPs during a severe accident should be demonstrated. In such cases, interfaces between EOP and SAMG actions should be established in order to address possible conflicts.
Severe accident management guidelines	3.47.	In addition to entry conditions for the use of SAMGs, exit conditions or criteria to transition to long term provisions should be specified. A long term safe stable state should be clearly defined, and provisions to maintain the long term safe stable state should be specified.
Severe accident management guidelines	3.48.	Various pieces of equipment may start automatically or change configuration when certain parameters reach predefined values (‘set points’). Such automatic actions may have been designed for events in the preventive domain but may be counterproductive in the mitigatory domain. Hence, all automatic actions should be reviewed for their impact on the mitigation of a severe accident, and automatic actions should be inhibited when appropriate. The need for manual actions on the equipment concerned should then be considered in the guidance.
Severe accident management guidelines	3.49.	Severe accident management guidance should include recommendations on the priorities for restoration actions. In this context, the following should be considered: Possibilities to restore the equipment; Possibilities for unconventional system line-ups; Possibilities to connect portable equipment; Successful recovery times when several pieces of equipment are out of service; Dependence on a number of failed support systems; Doses to personnel involved in the restoration of the equipment or the connection of portable equipment.
Severe accident management guidelines	3.50.	The time needed to recover unavailable equipment or to connect non-permanent equipment may be outside the time window for the prevention of core damage. If this is the case, an earlier transition to SAMGs can be decided on.
Severe accident management guidelines	3.51.	In the development of severe accident management guidance, account should be taken of the habitability, operability and accessibility of the main control room and the technical support centre. The accessibility of other relevant areas, such as areas for local actions, should also be assessed and taken into account in the development of severe accident management guidance. It should be investigated whether expected dose rates and other environmental conditions may give rise to a need for restrictions on personnel access to such areas; if this is found to be the case, appropriate measures should be considered.
Severe accident management guidelines	3.52.	The ability of plant personnel to successfully take unconventional measures to mitigate accident challenges under adverse environmental conditions should be carefully considered. When necessary, personal protective equipment (e.g. protective clothing, breathing equipment) should be provided for the execution of such tasks. Personnel may need to conduct the assigned tasks in hazardous conditions, and procedures and instructions associated with such actions and with the radiation protection of staff should be developed (see SSR-2/1 (Rev. 1) [3], GSR Part 7 [7] and IAEA Safety Standards Series No. GSR Part 3, Radiation Protection and Safety of Radioactive Sources: International Basic Safety Standards [25]).
Severe accident management guidelines	3.53.	If containment venting leading to releases of radioactive material is considered or directed in severe accident management, the following should be considered in the severe accident management guidance: Situations in which all AC and DC power is lost and compressed air is not available; Situations involving high radiation areas and high temperatures in areas where vent valves are located (if local access is required); The notification of relevant off-site response organizations about actions with off-site consequences; The limitation of radioactive releases in the event of containment venting through such means as aerosol deposition, filtration or early venting.
Severe accident management guidelines	3.54.	Precalculated graphs or simple formulas should be developed, when appropriate, to avoid or limit the need for complex calculations during a severe accident. These formulas are often called ‘computational aids’ and should be included in the documentation of the SAMGs. Computer based aids should consider the limited battery life of self-contained computers (laptops) and the potential for loss of AC power.
Severe accident management guidelines	3.55.	Rules of usage should be developed for the application of the severe accident management guidance. Questions to be addressed should include at least the following: If while executing EOPs an entry point for an SAMG is reached, should actions in the EOP then be stopped or continued, if not in conflict with the applicable SAMG? If an SAMG is in execution, but the point of entry for another SAMG is also reached, should that other SAMG be executed in parallel? Should the consideration to initiate another SAMG be delayed while parameters that called for the first SAMG are changing value?
Severe accident management guidelines	3.56.	Adequate background documentation material should be prepared to support the development of SAMGs, and it should be included as a reference for main control room staff and technical support centre staff. The background material should fulfil the following objectives: It should be a self-contained source of reference containing: The technical basis for strategies and deviations from generic strategies, if any; A detailed description of instrumentation needs; Results of supporting analysis; A detailed description of and the basis for steps in procedures and guidelines; The basis for the specification of set points used in the SAMGs. It should provide basic material for training courses for staff involved in accident management. The technical basis for strategies and deviations from generic strategies, if any; A detailed description of instrumentation needs; Results of supporting analysis; A detailed description of and the basis for steps in procedures and guidelines; The basis for the specification of set points used in the SAMGs.
Severe accident management guidelines	3.57.	Relevant management levels in the operating organization of the plant as well as outside organizations, including local authorities responsible for the protection of the public and for the protection of the environment, should be made aware of an imminent or ongoing severe accident.
Severe accident management guidelines	3.58.	The team involved in the development of severe accident management guidance should contain staff responsible for the development and implementation of the severe accident management programme in the plant. The development team should ensure the involvement of staff from the training department, operations staff, maintenance staff, radiation protection staff, staff responsible for instrumentation and control systems, engineering staff, persons responsible for emergency preparedness and response, and external experts, as appropriate. If use of a generic severe accident management programme has been selected, experts familiar with this severe accident management programme may support the development team.
Severe accident management guidelines	3.59.	The main control room staff, supplementary control room staff, technical support centre staff and staff of any other organizational unit responsible for the evaluation, decision making and implementation of accident management actions in the course of a severe accident should be involved at an early stage of development of a severe accident management programme.
Severe accident management guidelines	3.60.	Consideration should be given to the way in which plant personnel will be made available to participate in the development activities of the severe accident management programme in addition to their normal duties. Sufficient time should be granted to plant personnel on the development team in relation to their other obligations.
Severe accident management guidelines	3.61.	Verification and validation processes should assess the technical accuracy and adequacy of the SAMGs and background documents to the extent possible, as well as the ability of personnel to follow and implement them. The verification process should confirm the compatibility of SAMGs and background documents with referenced equipment, user aids and supplies (e.g. non-permanent equipment, posted job aids, computational aids) (see Ref. [17]). The validation process should demonstrate that the necessary instructions are provided to implement the guidance.
Severe accident management guidelines	3.62.	Validation tests should address the organizational aspects of severe accident management, especially the roles of the evaluators and decision makers, including the staff in the main control room and in the technical support centre.
Severe accident management guidelines	3.63.	Changes made to procedures and guidelines should be re-evaluated and revalidated on a periodic basis to maintain the adequacy of the severe accident management programme.
Severe accident management guidelines	3.64.	Possible methods for the validation of the SAMGs and background documents include: (a) an engineering simulator including a full scope simulator (if available) or other plant analysis tool, and (b) a tabletop method. The most appropriate method or combination of methods should be selected, taking into account the role of each functional group of personnel in an emergency.
Severe accident management guidelines	3.65.	If a full scope simulator is used, validation should encompass the uncertainties in the magnitude and timing of phenomena (both phenomena that result from the accident progression and phenomena that result from recovery actions). Consideration should be given to simulating a degraded or unavailable instrumentation response, or a delay in obtaining the information.
Severe accident management guidelines	3.66.	Validation should be performed under conditions that realistically simulate the conditions present during an emergency and should include simulation of other response actions, hazardous work conditions, time constraints and stress. Special attention should be paid to the use of portable and mobile equipment, when such use is considered, and for multiple unit sites, to the practicality of using backup equipment that could be provided by other units.
Severe accident management guidelines	3.67.	A cross-functional safety review of the plant should be performed with the objective of fully understanding all implications of severe accident management. This review should incorporate a plant walkdown to assess the difficulties associated with the practical implementation of severe accident management measures in the event of internal or external hazards.
Severe accident management guidelines	3.68.	All equipment necessary for the severe accident management programme, including non-permanent equipment if any, should be tested in accordance with the importance of the equipment to fulfilling the fundamental safety functions.
Management of the severe accident management programme	3.69.	The development of a severe accident management programme should be the responsibility of the operating organization and should be consistent with the applicable requirements established in SSR-2/1 (Rev. 1) [3] and IAEA Safety Standards Series No. GSR Part 2, Leadership and Management for Safety [22]; with the recommendations provided in IAEA Safety Standards Series No. GS-G-3.1, Application of the Management System for Facilities and Activities [26], and IAEA Safety Standards Series No. GS-G-3.5, The Management System for Nuclear Installations [27]; and with applicable international standards or national requirements.
Management of the severe accident management programme	3.70.	The operating organization should integrate all the elements of the severe accident management programme into its management system so that processes and activities that may affect safety are established and conducted coherently for the protection of site personnel and the public and for the protection of the environment.
Interfaces with emergency preparedness and response	3.71.	Appropriate interfaces, including consideration of reliable communication, between the accident management programme and the emergency response plans and procedures, should be established for an effective and coordinated response to the nuclear or radiological emergency, both on the site and off the site.
Interfaces with emergency preparedness and response	3.72.	The on-site emergency plan should define the overall functions to be performed in an emergency response, and the necessary infrastructure — such as the emergency response organization of a nuclear power plant — should be put in place to support the performance of these functions, as required by GSR Part 7 [7]. The responsibilities defined in the severe accident management programme should be coordinated with the emergency plan to ensure a consistent and integrated response to severe accidents. A review of the emergency plan and the accident management programme and their testing in exercises should be performed on a regular basis to ensure that conflicts do not exist or that they are noted and avoided at the preparedness stage.
Responsibilities and lines of authorization	3.73.	The authority and responsibility for deciding on actions to be taken on the site during a severe accident should be assigned, and the relevant individual should be provided with training to promptly discharge this authority. This person should be trained to lead under extreme conditions and should demonstrate his or her leadership abilities during exercises.
Responsibilities and lines of authorization	3.74.	Responsibilities and authorities for the implementation of certain severe accident management measures on the site that have a potentially significant impact on the site or off the site should be assigned within the on-site emergency response organization. An example layout of the organizational structure of the on-site emergency response organization is depicted in Fig. 2. (For examples of on-site emergency response organizations, incorporating various elements beyond those considered here, refer to the figures in appendix 13 to Ref. [28].)
Responsibilities and lines of authorization	3.75.	The on-site emergency director (or other person with clearly assigned authority for making decisions about the on-site actions to be taken) should have the authority to take any necessary actions to mitigate the consequences of the severe accident without the need for external authorization. Such actions might include venting the containment or injecting low quality water into the reactor pressure vessel or steam generator (see paras 4.15 and 5.23 of GSR Part 7 [7]). However, if such actions could have off-site consequences, the appropriate off-site authorities should be notified as soon as possible under the prevailing circumstances.
Responsibilities and lines of authorization	3.76.	The operating organization personnel involved in severe accident management should be designated as emergency workers and may have one of three categories of function: Evaluation or recommendation (assessment of plant conditions; identification of potential actions; evaluation of the potential impacts of these actions; recommendation of actions to be taken; and, after implementation, assessment of the outcome of the actions): Personnel in charge of such duties are often called ‘evaluators’. Authorization (decision making — approving the recommended action or deciding on other appropriate actions for implementation): Personnel in charge of such duties are often called ‘decision makers’. Implementation and support of the actions (operation of equipment as necessary, including verification of operation; dose assessment in support of accident management actions; and emergency response functions): Personnel in charge of such duties are often called ‘implementers’ or ‘responders’. This function includes remote operations from the main control room and local actions by appropriate personnel to recover or connect equipment.
Responsibilities and lines of authorization	3.77.	Emergency arrangements should take into account cases in which an individual with a certain authority level is incapacitated and should identify an alternative person to discharge the authority.
Responsibilities and lines of authorization	3.78.	Decision making authority should lie with a high level manager, referred to in this Safety Guide as the ‘emergency director’. The emergency director should be granted the authority to decide on the implementation of severe accident management measures, taking into account recommendations by technical support centre staff and, when available, other recommendations (e.g. from the plant designer or the corporate engineering department). The emergency director should maintain a broad understanding of the actual status of the plant, the plant capabilities and vulnerabilities, and key severe accident management actions, including their on-site and off-site consequences.
Transfer of responsibility and authority	3.79.	Responsibilities and decision making authority should be transferred from the main control room staff to an appropriate level of authority in the operating organization if an event is likely to degrade into a severe accident and decision making becomes highly complex owing to the uncertainties involved.
Transfer of responsibility and authority	3.80.	After the overall authority for severe accident management has been transferred from the main control room to the emergency director¹², the functions that remain in the main control room and the actions that can be decided on by the main control room staff independent of the emergency director should be specified. These include activities that main control room staff can carry out independently, such as maintaining support conditions (e.g. service water for room cooling) and responding to some alarms. Activities that the main control room staff should not undertake on their own (e.g. starting up major equipment) should also be specified. As the main control room staff are also responsible for the execution of the measures decided on by the emergency director, consistency and a hierarchy between the two groups of actions should be established.
Technical support centre	3.81.	Selected technical support centre staff should have detailed knowledge of the procedures and guidelines for severe accident management. They should have prompt access to the information on the plant status and a good understanding of the underlying severe accident phenomena. The technical support centre staff should communicate as necessary with the main control room staff to benefit from their expertise and insight into the plant capabilities.
Technical support centre	3.82.	Support from qualified organizations (including the plant vendor or designer) should be sought, as necessary, for additional recommendations on appropriate severe accident management measures. The mechanisms for calling on early support should be established to enable effective implementation of the severe accident management programme, and the capabilities of such support organizations should be verified and tested on a periodic basis.
Technical support centre	3.83.	Rules for information exchange during a severe accident between the various teams of the on-site emergency response organization and with off-site response organizations should be defined. As the occurrence of a severe accident will generate extensive communication between on-site and off-site teams, care should be taken that this communication does not disrupt the management of the accident at the plant.
Technical support centre	3.84.	Information about the performance of instrumentation and control and other equipment (possibly already summarized in the guidance for easy reference) should be made available to the technical support centre. Preferably, the technical support centre should have direct access to plant information. When the manual transfer of plant data between the main control room and the technical support centre is necessary, the transfer should preferably be made either by a dedicated member of the main control room staff or a dedicated member of the technical support centre staff. The plant information in the technical support centre should be recorded and monitored appropriately.
Technical support centre	3.85.	For existing plants, changes in the design should be evaluated when the radiological consequence of challenges to fission product barriers under a severe accident cannot be reduced to an acceptable limit, or when it is necessary to reduce uncertainties in the analytical prediction of such challenges. Such evaluations should consider regulatory acceptance criteria.
Technical support centre	3.86.	For new plants, when additional equipment is provided to mitigate the consequences of severe accidents, such equipment should preferably be independent of the equipment and systems used to cope with design basis accidents.
Technical support centre	3.87.	Equipment upgrades aimed at maintaining the integrity of the containment, or at minimizing releases when the containment has failed or been bypassed, should be considered high priority.
Technical support centre	3.88.	Upgrades should be considered that increase the capability of the equipment, or its margin to failure, against relevant challenges relating to a severe accident for the following functions: Monitoring essential containment parameters, such as temperature, pressure, radiation level and water level; Ensuring the leak-tightness of the containment, including preservation of the functionality of isolation devices, penetrations and airlocks, for a reasonable time after an accident; Establishing or restoring the ultimate heat sink to manage pressure and temperature in the containment; Control of combustible gases, fission products and other materials released during a severe accident, including any necessary instrumentation; Monitoring and control of containment leakages and of fission product releases; Removing the produced heat from the molten core debris to an ultimate heat sink.
Technical support centre	3.89.	Additional hardware provisions should be considered, including the provision of non-permanent on-site and off-site equipment as a backup measure, when the existing equipment is not anticipated to remain functional in the long term after a severe accident or could be disabled by a total loss of AC power or extensive infrastructure damage caused by external hazards more severe than those considered for the design, derived from the site hazard evaluation. In estimating the long term availability of components, the feasibility of performing maintenance or repairs should be evaluated and taken into account.
Technical support centre	3.90.	When the severe accident management strategies rely on non-permanent equipment, the operability of such equipment for anticipated conditions and for the actual configuration and layout should be assessed to confirm that it is likely to meet accident management objectives. Steps should be taken (including obtaining any necessary permits or licenses) to ensure that personnel can install and operate the non-permanent equipment within the time frames necessary even under adverse conditions.
Technical support centre	3.91.	The instrumentation essential for monitoring the conditions of the core, the containment and the spent fuel during a severe accident should be identified. To the extent practicable, these monitoring functions should be maintained throughout an extended loss of AC power. A plant specific assessment should be performed to identify the equipment, materials and actions necessary to restore power to the minimum essential components in the event that installed DC batteries are depleted.
Technical support centre	3.92.	Arrangements for obtaining information from alternate sources should be prepared for the event that the plant parameters derived from instrumentation are not reliable.
Technical support centre	3.93.	Arrangements for disconnecting non-essential loads from batteries should be prepared in advance to extend battery life until such time as the battery can be recharged or an alternate power source can be provided.
Technical support centre	3.94.	Guidance should be provided on validating important instrumentation outputs (i.e. outputs used for symptom based diagnosis of potential challenges to fission product barriers or for confirmation of the effectiveness of implemented strategies). All important instrumentation readings should be verified with other independent information whenever possible. The need for such verification should be emphasized in exercises and drills.
Technical support centre	3.95.	All available information and background documentation on essential instrumentation necessary to support decision making in severe accident management should be made available to appropriate members of the emergency response teams.
Technical support centre	3.96.	The uncertainty of readings of instruments essential for severe accident management should be assessed. In many cases, an instrument indication that displays trends may be more important than the accuracy of the indicated values.
Technical support centre	3.97.	The capabilities of instrumentation essential for severe accident management should be carefully considered. Instrumentation might continue to operate beyond its design range with decreasing accuracy. The following should be taken into account: Instrumentation that is designed for the expected environmental conditions after a severe accident should be the preferred method of obtaining the necessary information. Alternate instrumentation should be identified if the preferred instrumentation becomes unavailable or is not reliable.
Technical support centre	3.98.	The effect of environmental conditions on the instrument reading should be estimated, taking into account that the local environmental conditions can deviate from global environmental conditions and so instrumentation that is qualified under global conditions may not function properly under local conditions. The expected failure mode and resultant instrument indication (e.g. off-scale high, off-scale low, floating) for instrumentation failures in severe accidents should be identified.
Technical support centre	3.99.	The development and implementation of the severe accident management programme should be supported by appropriate computational analysis showing the progression of the accident sequences to be addressed. The results of such analysis should be used in the formulation of the technical basis for the development of strategies, procedures and guidelines. The results of the accident analysis should assist in the following: Specification of the criteria that would indicate the onset of severe core damage; Identification of the symptoms (i.e. parameters and their values) by which staff may determine the condition of the fuel and the state of protective barriers; Identification of the challenges to fission product barriers in different reactor states, including shutdown states; Evaluation of the timing of such challenges to improve the potential for successful human intervention; Identification of the reactor systems and other material resources that may be used for severe accident management purposes; Verification that accident management measures would be effective to counter challenges to protective barriers; Evaluation of the performance of equipment and instrumentation under accident conditions; Development and validation of computational aids for accident management.
Technical support centre	3.100.	Plant capabilities should be analysed in connection with the in-vessel phase of a severe accident, including consideration of the following: Hydrogen production in the vessel and its release, as input information for the design of the hydrogen treatment system; Retention of the molten core within the vessel both by internal and external vessel cooling; The composition and configuration of the molten core and failure of the reactor pressure vessel as inputs to the design of the core catcher; Reliable depressurization to allow low pressure water injection and avoid high pressure vessel failure; Long term release of fission products from the reactor core.
Technical support centre	3.101.	For the ex-vessel phase, plant capabilities should be analysed including: Reliable depressurization of the containment to avoid high pressure containment failure; Sources, distribution and the potential leak paths of combustible gases, as input information for the design of the combustible gas treatment system; Issues relating to ex-vessel steam explosion, high pressure melt ejection and direct containment heating; Composition and configuration of the molten core as inputs to the design of ex-vessel melt retention devices; Fission product sources and the distribution of fission products within the containment, with special attention given to the long term behaviour of such sources.
Technical support centre	3.102.	Best estimate computer codes, assumptions and data regarding initial and boundary plant conditions should be used, providing appropriate consideration is given to uncertainties in the determination of the timing and severity of the phenomena.
Technical support centre	3.103.	Computer codes that can model severe accident phenomena with reasonable accuracy should be used in the prediction of key physical phenomena and of the modes and timing of barrier failures. These codes should be validated to the extent practicable.
Technical support centre	3.104.	All analysis results should be evaluated and interpreted with due consideration given to computer code limitations and associated uncertainties. The appropriateness of carrying out sensitivity analyses should be evaluated when computer code results are relied on when making critical decisions. (Further information on code limitations and associated uncertainties for severe accident analysis is provided in Ref. [29].)
Technical support centre	3.105.	All significant sources of radioactive material in the plant, including the reactor core and spent fuel pools, and the occurrence of accidents in all relevant normal operating and shutdown states (including open reactor or open containment barriers) should be addressed.
Technical support centre	3.106.	All phenomena (e.g. thermohydraulic and structural phenomena) important for the assessment of challenges to the integrity of barriers against releases of radioactive material, as well as for the assessment of the source term, should be addressed. For a multiple unit nuclear power plant site, concurrent accidents affecting all units should be analysed.
Technical support centre	3.107.	A sufficiently broad set of severe accident sequences adequately covering the potential evolution of accidents and a comprehensive set of plant damage states should be identified. Such accident sequences should be grouped into representative plant damage states¹³. A Level 1 PSA and a Level 2 PSA, if available, should be used in combination with engineering judgement for the selection of the severe accident sequences (see SSG-3 [23] and SSG-4 [24]).
Technical support centre	3.108	If generic plant analysis is used for the development of severe accident management guidance, an assessment of its applicability to the specific plant should be performed.
Technical support centre	3.109.	Plant specific data — including plant operational parameters, the configuration of plant systems, and performance characteristics and set points — should preferably be used for the analyses.
Technical support centre	3.110.	Sufficient input for the development of severe accident management guidance should be provided regarding, in particular: The choice of symptoms for diagnosing and monitoring the course of accidents; The identification of key challenges and vulnerable plant systems and barriers; The specification of set points to initiate and exit individual strategies; The positive and negative impacts of severe accident management actions; The time windows available for performing the actions; The prioritization and optimization of strategies; The evaluation of the capability of systems to perform their intended functions; The expected trends in the accident progression; The exit conditions for leaving the severe accident management domain; The development of computational aids.
Technical support centre	3.111.	Sufficient information regarding environmental conditions should be provided for the assessment of the operability of the plant equipment, including the instrumentation necessary in severe accident management, as well as for the assessment of the working conditions and the habitability of working places for personnel involved in the execution of the severe accident management actions.
Technical support centre	3.112.	Decision makers should be trained so that they can cope with the situation in which some mitigatory actions might be necessary owing to the loss or unreliability of plant instrumentation.
Technical support centre	3.113.	The background documentation should be used to support the training of the technical support centre staff on the phenomenology of severe accidents, the basis for SAMGs and the benefits and detriments of various postulated mitigatory actions.
Technical support centre	3.114.	Training, including periodic exercises and drills, should be sufficiently realistic and challenging to prepare personnel responsible for severe accident management duties to cope with and respond to situations that may occur during an event. Drills should extend over a time period long enough to realistically represent the plan response and should allow for the transmission of information during shift changes to be tested. Special exercises and drills should be developed to practice shift changeovers between operations staff and technical support centre staff and information transfer between different teams. Training should cover severe accidents occurring simultaneously at more than one unit and severe accidents occurring in different reactor operating states. Training should consider unconventional line-ups of the plant equipment, the use of non-permanent equipment (e.g. diesel power generators, pumps) and repair of the equipment.
Technical support centre	3.115.	Exercises and drills should be based on scenarios that require the application of a substantial portion of the overall severe accident management programme in concert with emergency response and should simulate realistic conditions characteristic of those that would be encountered in an emergency. Large scale exercises providing an opportunity to observe and evaluate all aspects of severe accident management should be undertaken.
Technical support centre	3.116.	Severe accident management exercises and drills should periodically challenge responders by making unavailable information sources (e.g. the safety parameter display system), equipment and facilities that potentially could be damaged in an accident. Drills that purposely include sources of inaccurate or miscommunicated information to staff members can be used as a way of exercising their questioning attitude, teamwork and evaluation and diagnostic skills. However, caution should be applied so that misinformation does not negatively affect the purpose of the training.
Technical support centre	3.117.	Some of the scenarios used for exercises and drills should assume an extensively damaged state of the core that eventually results in failure of the reactor pressure vessel and the containment. Consideration should be given to conducting exercises that enhance the awareness of main control room staff, technical support centre staff and engineering staff of the need for and possible consequences of defeating or resetting control and logic systems.
Technical support centre	3.118.	The need to update the severe accident management programme should be assessed as new information becomes available that may indicate the potential for new accident scenarios, phenomena or challenges to physical barriers or any other significant effect on accident management that had not been fully considered previously.
Technical support centre	3.119.	The effect of changes to the plant design, the available non-permanent equipment and the operating organization should be evaluated for any impact on the severe accident management programme. A formal process should be developed for making changes when they are deemed necessary.
Technical support centre	3.120.	When modification of the severe accident management programme is deemed appropriate, the operating organization should be responsible for establishing an action plan aimed at prioritizing the activities necessary for implementation of the modifications. When a generic severe accident management programme is used, the development of the action plan should involve the vendor of the generic programme. The action plan should identify the time frame and the organization in charge of the practical implementation of the modifications.
Technical support centre	3.121.	When new information is received that challenges current design assumptions relating to external events, the capability of installed equipment and the severe accident management procedures and guidelines should be evaluated to determine if fundamental safety functions could be compromised. On the basis of this evaluation, measures for updating the severe accident management programme commensurate with the significance of the new information should be identified.
Technical support centre	3.122.	New insights from research on severe accident phenomena and operating experience at the plant and at other plants (including lessons identified from events) should be evaluated on a regular basis, and a judgement should be made by the operating organization as to their potential impact on the severe accident management programme. The exchange of information with operating organizations of other plants should be used as a means of continuously improving the severe accident management guidance.
Technical support centre	3.123.	Any update of the severe accident management programme should include, as appropriate, a revision of background documentation, including the supporting analysis.
Technical support centre	4.1.	In an emergency, in particular an emergency taking place in combination with an internal or external hazard, plant staff should assess the overall situation on the site and ensure that the emergency command and control structure is capable of directing the response in accordance with established accident management guidance. If required, contingencies developed to re-establish the command and control structure should be implemented.
Technical support centre	4.2.	Once the main control room staff, while executing the EOPs, have reached the point of entry into the mitigatory domain, or the emergency director has determined that SAMGs should be applied, or the point of entry to the use of SAMGs is reached on some other specified basis, the transition from EOPs to SAMGs should be made. The main control room staff should initiate actions under the SAMGs, which will apply until the responsibility for recommending or deciding on actions is transferred to another appropriate structure. This transfer occurs once the appropriate structure is operable and its staff are informed about the overall situation, have evaluated the plant status and are ready to give the first recommendation or decision on the execution of an SAMG. The main control room staff should continue to execute actions already initiated in the preventive domain, providing that they are consistent with the rules of usage of the SAMGs.
Technical support centre	4.3.	The technical support centre should reassess conditions at the plant at regular intervals as the severe accident progresses to confirm or adjust the priorities for mitigatory actions. Recommendations should be presented by the technical support centre in written form to the decision maker, who will decide on the course of action to be taken. Records should be kept of all recommendations made.
Technical support centre	4.4.	Decisions on actions to be taken should be given to the control room staff in a form that minimizes misunderstandings. The main control room staff should confirm the actions they are being directed to take and should report back the progress of the actions taken and the impact that these actions have had on the plant. Oral communication (by telephone or other suitable means) with the main control room staff and the supplementary control room staff should preferably be carried out by a staff member of the technical support centre who is or has been a licensed operator. Before recommending or attempting to execute any action, the feasibility of the proposed action should be checked to ensure that there is sufficient time for the action to be effective.
Technical support centre	4.5.	Essential plant parameters should be displayed in the main control room and in the technical support centre in an easily accessible way (e.g. by electronic displays or on a wall board) and in a manner that ensures that long term station blackout will not lead to loss of data. Trends should be noted and recorded. Actions taken should also be recorded, as should other relevant information, such as the EOP or SAMG applicable at the time, emergency alerts for the plant and the planned releases of radioactive material. Adequate technical means should be provided for the recording of actions.
Technical support centre	4.6.	The timing and magnitude of possible future releases as a consequence of SAMG actions (e.g. planned releases) or as a consequence of ineffective SAMG actions, and the possible release paths, should be estimated at regular intervals and should be communicated in a suitable form through proper channels to external organizations responsible for off-site actions.
Technical support centre	4.7.	The work at the technical support centre should be well structured and based on a clear task description for each staff member. The technical support centre staff should convene in sessions at regular times, which should still permit sufficient time for individual staff members to perform their duties.
Technical support centre	4.8.	The staff responsible for the execution of severe accident management measures should be adequately qualified and adequate in number, in accordance with the evolving accident.
Technical support centre	4.9.	The on-site emergency director should ensure that external organizations are aware of planned actions that could impact the plant surroundings. Through consultations, it should be ensured that off-site response organizations are aware of and, as much as possible, prepared for planned releases of radioactive material.
Technical support centre	4.10.	A mechanism should be put in place to assign priorities in case of a conflict between planned radioactive releases and off-site preparedness. In principle, priority should be assigned to the actions that address imminent threats to the integrity of the final fission product barrier, such as the containment, and that avoid significant containment bypass.
Technical support centre	4.11.	The process for decision making should take into account that decisions may have to be made within a very short time frame. In principle, the decision making process should match the time frame of the evolution of the severe accident.
Technical support centre	A.1.	Figure 3 presents a summary of the phases of accident management and their relationship to the state of the fuel and the accident condition. Of particular note in Fig. 3 is that the transition from EOPs to SAMGs is not always at a fixed point and can depend on Member State practices and plant conditions.
Technical support centre	A.2.	Table 1 highlights the main features of accident management presented in this Safety Guide. INTERNATIONAL ATOMIC ENERGY AGENCY, IAEA Safety Glossary: Terminology Used in Nuclear Safety and Radiation Protection, 2018 Edition, IAEA, Vienna (in preparation). EUROPEAN ATOMIC ENERGY COMMUNITY, FOOD AND AGRICULTURE ORGANIZATION OF THE UNITED NATIONS, INTERNATIONAL ATOMIC ENERGY AGENCY, INTERNATIONAL LABOUR ORGANIZATION, INTERNATIONAL MARITIME ORGANIZATION, OECD NUCLEAR ENERGY AGENCY, PAN AMERICAN HEALTH ORGANIZATION, UNITED NATIONS ENVIRONMENT PROGRAMME, WORLD HEALTH ORGANIZATION, Fundamental Safety Principles, IAEA Safety Standards Series No. SF-1, IAEA, Vienna (2006). INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, IAEA Safety Standards Series No. SSR-2/1 (Rev. 1), IAEA, Vienna (2016). INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Defence in Depth in Nuclear Safety, INSAG-10, IAEA, Vienna (1996). INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Basic Safety Principles for Nuclear Power Plants, 75-INSAG-3 (Rev. 1), INSAG-12, IAEA, Vienna (1999). INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Commissioning and Operation, IAEA Safety Standards Series No. SSR-2/2 (Rev. 1), IAEA, Vienna (2016). FOOD AND AGRICULTURE ORGANIZATION OF THE UNITED NATIONS, INTERNATIONAL ATOMIC ENERGY AGENCY, INTERNATIONAL CIVIL AVIATION ORGANIZATION, INTERNATIONAL LABOUR ORGANIZATION, INTERNATIONAL MARITIME ORGANIZATION, INTERPOL, OECD NUCLEAR ENERGY AGENCY, PAN AMERICAN HEALTH ORGANIZATION, PREPARATORY COMMISSION FOR THE COMPREHENSIVE NUCLEAR-TEST-BAN TREATY ORGANIZATION, UNITED NATIONS ENVIRONMENT PROGRAMME, UNITED NATIONS OFFICE FOR THE COORDINATION OF HUMANITARIAN AFFAIRS, WORLD HEALTH ORGANIZATION, WORLD METEOROLOGICAL ORGANIZATION, Preparedness and Response for a Nuclear or Radiological Emergency, IAEA Safety Standards Series No. GSR Part 7, IAEA, Vienna (2015). FOOD AND AGRICULTURE ORGANIZATION OF THE UNITED NATIONS, INTERNATIONAL ATOMIC ENERGY AGENCY, INTERNATIONAL LABOUR OFFICE, PAN AMERICAN HEALTH ORGANIZATION, WORLD HEALTH ORGANIZATION, Criteria for Use in Preparedness and Response for a Nuclear or Radiological Emergency, IAEA Safety Standards Series No. GSG-2, IAEA, Vienna (2011). FOOD AND AGRICULTURE ORGANIZATION OF THE UNITED NATIONS, INTERNATIONAL ATOMIC ENERGY AGENCY, INTERNATIONAL LABOUR OFFICE, PAN AMERICAN HEALTH ORGANIZATION, UNITED NATIONS OFFICE FOR THE COORDINATION OF HUMANITARIAN AFFAIRS, WORLD HEALTH ORGANIZATION, Arrangements for Preparedness for a Nuclear or Radiological Emergency, IAEA Safety Standards Series No. GS-G-2.1, IAEA, Vienna (2007). INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Assessment for Facilities and Activities, IAEA Safety Standards Series No. GSR Part 4 (Rev. 1), IAEA, Vienna (2016). INTERNATIONAL ATOMIC ENERGY AGENCY, Periodic Safety Review for Nuclear Power Plants, IAEA Safety Standards Series No. SSG-25, IAEA, Vienna (2013). INTERNATIONAL ATOMIC ENERGY AGENCY, Deterministic Safety Analysis for Nuclear Power Plants, IAEA Safety Standards Series No. SSG-2 (Rev. 1), IAEA, Vienna (in preparation). INTERNATIONAL ATOMIC ENERGY AGENCY, Predisposal Management of Radioactive Waste, IAEA Safety Standards Series No. GSR Part 5, IAEA, Vienna (2009). INTERNATIONAL ATOMIC ENERGY AGENCY, Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities (INFCIRC/225/Revision 5), IAEA Nuclear Security Series No. 13, IAEA, Vienna (2011). INTERNATIONAL ATOMIC ENERGY AGENCY, Operational Limits and Conditions and Operating Procedures for Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-2.2, IAEA, Vienna (2000). INTERNATIONAL ATOMIC ENERGY AGENCY, Development and Review of Plant Specific Emergency Operating Procedures, Safety Reports Series No. 48, IAEA, Vienna (2006). INTERNATIONAL ATOMIC ENERGY AGENCY, Implementation of Accident Management Programmes in Nuclear Power Plants, Safety Reports Series No. 32, IAEA, Vienna (2004). INTERNATIONAL ATOMIC ENERGY AGENCY, Guidelines for the Review of Accident Management Programmes in Nuclear Power Plants, IAEA Services Series No. 9, IAEA, Vienna (2003). INTERNATIONAL ATOMIC ENERGY AGENCY, Site Evaluation for Nuclear Installations, IAEA Safety Standards Series No. SSR-1, IAEA, Vienna (in preparation). INTERNATIONAL ATOMIC ENERGY AGENCY, Experience in the Use of Systematic Approach to Training (SAT) for Nuclear Power Plant Personnel, IAEA-TECDOC-1057, IAEA, Vienna (1998). INTERNATIONAL ATOMIC ENERGY AGENCY, Recruitment, Qualification and Training of Personnel for Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-2.8, IAEA, Vienna (2002). INTERNATIONAL ATOMIC ENERGY AGENCY, Leadership and Management for Safety, IAEA Safety Standards Series No. GSR Part 2, IAEA, Vienna (2016). INTERNATIONAL ATOMIC ENERGY AGENCY, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants, IAEA Safety Standards Series No. SSG-3, IAEA, Vienna (2010). INTERNATIONAL ATOMIC ENERGY AGENCY, Development and Application of Level 2 Probabilistic Safety Assessment for Nuclear Power Plants, IAEA Safety Standards Series No. SSG-4, IAEA, Vienna (2010). EUROPEAN COMMISSION, FOOD AND AGRICULTURE ORGANIZATION OF THE UNITED NATIONS, INTERNATIONAL ATOMIC ENERGY AGENCY, INTERNATIONAL LABOUR ORGANIZATION, OECD NUCLEAR ENERGY AGENCY, PAN AMERICAN HEALTH ORGANIZATION, UNITED NATIONS ENVIRONMENT PROGRAMME, WORLD HEALTH ORGANIZATION, Radiation Protection and Safety of Radiation Sources: International Basic Safety Standards, IAEA Safety Standards Series No. GSR Part 3, IAEA, Vienna (2014). INTERNATIONAL ATOMIC ENERGY AGENCY, Application of the Management System for Facilities and Activities, IAEA Safety Standards Series No. GS-G-3.1, IAEA, Vienna (2006). INTERNATIONAL ATOMIC ENERGY AGENCY, The Management System for Nuclear Installations, IAEA Safety Standards Series No. GS-G-3.5, IAEA, Vienna (2009). INTERNATIONAL ATOMIC ENERGY AGENCY, Method for Developing Arrangements for Response to a Nuclear or Radiological Emergency, EPR-METHOD-2003, IAEA, Vienna (2003). INTERNATIONAL ATOMIC ENERGY AGENCY, Approaches and Tools for Severe Accident Analysis for Nuclear Power Plants, Safety Reports Series No. 56, IAEA, Vienna (2008).
Technical support centre	A–1.	In France, the severe accident management guidelines (SAMGs) applicable to the Électricité de France nuclear fleet are set out in a ‘guide d’intervention en situation d’accident grave’ (GIAG)¹. The GIAG has been developed in the form of both flow charts and text. Two criteria are used to determine whether the GIAG should be used: (1) a very high core exit temperature, and (2) high containment activity.
Technical support centre	A–2.	Either criterion can justify the use of the GIAG and the subsequent initiation of a whole set of immediate actions by the main control room staff.
Technical support centre	A–3.	When use of the GIAG commences, the use of the emergency operating procedures (EOPs) ceases. However, some specific actions that are called on by the EOPs and are beneficial for severe accident management (e.g. containment venting) may remain operational. The possibility of some recommended actions leading to negative consequences is addressed as follows: Immediate actions: The balance between the pros and cons of these actions has been made during the development of the programme, and it has been determined that they can be implemented without undue risk. Delayed actions: These actions are evaluated by the crisis team while the accident is developing, and decisions have to be made after balancing the pros and cons of such actions. For each action that might be considered, the pros and cons are provided in the GIAG to enable the response teams to make an informed decision.
Technical support centre	A–4.	When use of the GIAG commences, emergency response teams prioritize the actions to be implemented. The first priority is to minimize releases to the environment. If an action is not successful, the GIAG proposes alternatives to specialists in the technical support centres. In the event of an unconventional development of the situation, emergency response teams are also allowed to propose to the emergency director, for approval or rejection, actions they consider appropriate for dealing with the identified development.
Technical support centre	A–5.	The GIAG does not consider any predefined long term provisions, nor does it incorporate exit criteria for the long term measures. Long term provisions are to be decided on by emergency response teams. In relation to the long term operation of Generation II pressurized water reactors (PWRs), strategies with specific provisions for long term management after a severe accident are being developed by Électricité de France.
Technical support centre	A–6.	Obtaining reliable information on plant capabilities and performing actions that are helpful in protecting the third barrier are recognized to be important. Examples of such actions are: Using computational aids to support the diagnosis of the plant status and inform the decision making process and the prognosis for evolution of the accident. Immediately opening all safety relief valves (if not already open)² to prevent failure of the reactor pressure vessel at high pressure and limit the risk of dispersal of debris in the upper parts of the containment (and potential subsequent direct containment heating in the case of failure of the reactor pressure vessel). Limiting the risk of repressurization of the reactor coolant system above 20 bars, before vessel failure, through specific limitations on water injection into the reactor coolant system. Limiting the risk of consequential steam generator tube rupture that would lead to containment bypass through immediate actions implemented when use of the GIAG commences, as follows: Isolating radioactive steam generators; Filling non-radioactive steam generators with water; Depressurizing the reactor coolant system. Detecting failure of the reactor pressure vessel using temperature measurement in the reactor pit, with the potential for confirming the information by cross-checking other sources of information. Injecting water into the core with the objective of limiting core degradation or cooling the molten core. Activating the containment spray system to prevent overpressurization of the containment and to remove thermal energy from the containment atmosphere.³ Using passive autocatalytic recombiners to eliminate hydrogen from the containment atmosphere. Heating the pipe situated between the intake of the sand bed filter inside the containment and the containment filter to prevent steam condensation in the tube and in the filter.⁴ Isolating radioactive steam generators; Filling non-radioactive steam generators with water; Depressurizing the reactor coolant system.
Technical support centre	A–7.	In Germany, although emphasis has been put on the prevention of severe accidents, hardware modifications were put in place and EOPs were developed after the Chernobyl accident; such measures included: Installation of filtered containment venting; Installation of passive autocatalytic recombiners on PWR units; Implementation of containment inertization on boiling water reactor (BWR) units.
Technical support centre	A–8.	The development of SAMGs was started in 2010 and was fully completed at the end of 2014.
Technical support centre	A–9.	The SAMGs for PWRs are set out in a severe accident management manual (SAMM), which includes: Diagnosis of the plant damage state; Related strategies for mitigating the consequences of a severe accident; Detailed sheets of instructions for all measures within the strategies; Links to EOPs that are relevant to mitigatory strategies.
Technical support centre	A–10.	The use of the SAMM is managed using clear criteria in an accident management flow chart. There are two criteria for the use of the SAMM in at-power states. For shutdown states, an additional dedicated criterion is used.
Technical support centre	A–11.	When the use of the SAMM commences, all EOPs remain active. In other words, after the use of the SAMM commences, any EOPs in use remain active until a request for their interruption or termination has been issued.
Technical support centre	A–12.	In a severe accident, the plant state has to be diagnosed on the basis of information provided by the available instrumentation. In currently operating plants, there is no dedicated instrumentation for diagnosing, in a simple way, the status of the containment or the extent of core damage. Therefore, the data provided by the available post-accident instrumentation are used.
Technical support centre	A–13.	To prioritize measures for preventing massive core damage and failure of the reactor pressure vessel, the level of core degradation needs to be known. Three core degradation states are used for this purpose: Core state A characterizes a low degradation level (the core still has a rod-like geometry). Core state B characterizes ongoing core degradation up to failure of the reactor pressure vessel. Core state C means the reactor pressure vessel has failed.
Technical support centre	A–14.	Core states A and B are practically indistinguishable by means of measurement. Therefore, strategies are implemented that apply to both states (‘A/B strategies’). However, these strategies are robust, in the sense that no harmful consequences will arise from using A/B strategies when failure of the reactor pressure vessel is not detected immediately (i.e. when core state C has been reached).
Technical support centre	A–15.	Characterization of the confinement status or identification of the containment damage state is also made using a selection flow chart. For PWRs in Germany, six representative containment damage states have been defined: The containment is intact, and there is no obvious risk of losing containment integrity. The integrity of the containment is challenged. The containment is bypassed to the secondary side of the steam generators. The containment is bypassed to the reactor building annulus. The containment is bypassed to the nuclear auxiliary building, or the isolation of the containment has failed. The containment has been impaired (leak or rupture).
Technical support centre	A–16.	On the basis of these plant damage states, dedicated strategies are implemented to prioritize the performance of adequate mitigatory measures. Although the parallel execution of several measures is not excluded, the performance of previously initiated, more efficient measures (measures with a higher level of priority) is not to be jeopardized. In addition, it is not recommended to postpone the initiation of measures with a lower priority until the success of previously implemented measures has been determined.
Technical support centre	A–17.	When a high level action has been started, the emergency response team goes to the next high level action considered in the flow chart, without the need to evaluate whether previously implemented actions have been successful. To recognize any transition between different plant damage states (see para. A–15), the emergency response team regularly checks the parameters that define the plant damage states to determine whether the implemented actions have been successful. Conditions and criteria for determining the effectiveness of measures and for terminating certain measures are given in the detail sheets. If a change of plant damage state occurs, the implementation of the current strategy must be stopped and the execution of a new strategy starts from the beginning. However, measures currently in execution will not be terminated until termination is explicitly demanded by the new strategy.
Technical support centre	A–18.	For all candidate high level actions, dedicated information is provided. In particular, the negative effects of implementing a specific measure are listed to allow the emergency response team to make an informed decision on what needs to be done. Implementation is recommended only after balancing the pros and cons and having reasonable assurance that the pros exceed the cons. If this is not the case, the emergency response team would not advise implementation of the planned action.
Technical support centre	A–19.	The SAMM neither considers implementation of predefined long term provisions nor establishes any exit criteria for long term measures.
Technical support centre	A–20.	Obtaining reliable information on capabilities that are helpful in protecting barriers and performing actions that would protect such barriers is recognized as being important. Examples of such actions that allow the second barrier or the third barrier to be maintained include the following: Using computational aids to support the diagnosis of the plant damage state, the decision making process and the prognosis on the evolution of the accident, including the determination of the required flow for removing decay heat from the core. Rapid depressurization (i.e. opening of all pressurizer valves) of the reactor coolant system to prevent high pressure core melt that could lead to failure of the reactor pressure vessel and subsequent transfer of core debris to the upper parts of the containment with a potential risk of direct containment heating. This action, however, would not prevent temporary repressurization of the reactor coolant system under some specific plant conditions. Prevention of bypass sequences resulting from steam generator tube rupture that has occurred as a consequence of isolating, in advance, dry steam generators that would likely be impossible to feed during the accident. Mitigating the effects of steam generator tube rupture through isolation of all failed steam generators or through the injection of water into failed non-isolated steam generators. Monitoring parameters that enable confirmation that the reactor pressure vessel has not failed, determining a minimum grace period by deterministic analyses before failure of the reactor pressure vessel and identifying trending parameters that could enable characterization of the failure of the reactor pressure vessel. For cases in which the differentiation between different core states cannot be done using existing instrumentation only, alternate means (e.g. computational aids) can be used. Injecting water into the reactor cavity (via the reactor coolant system) to prevent or limit basemat attack, and scrubbing fission products in case of failure of the reactor pressure vessel. Using a flammability diagram to evaluate the risk of losing containment integrity in a situation involving flammable mixtures, and recommending tripping the containment heat removal systems when measurements indicate that the concentration of hydrogen inside the containment is nearing the flammability limit. Inerting the filtered venting system to prevent its degradation.
Technical support centre	A–21.	Operating plants in the United States of America have been developed by four vendors: Westinghouse, Babcock and Wilcox, Combustion Engineering and General Electric. The first three vendors are PWR vendors; General Electric is the sole vendor of BWR technology in the United States of America. The existence of four main vendors has led to the development of four different approaches to the development of SAMGs, and although all PWR operators are now members of a single owners’ group, the Pressurized Water Reactors Owners’ Group, there is no unique approach for PWRs at this time. However, the Pressurized Water Reactors Owners’ Group is in the process of developing a generic approach that will be used for all PWR operators as a basis document for their individual SAMGs. The generic PWR approach will be modelled after the Westinghouse SAMGs.
Technical support centre	A–22.	After entry into the mitigatory domain, Westinghouse plants rely on two logic diagrams: the first relates to immediate severe challenges to the integrity of fission product barriers and ongoing releases; the second illustrates a certain chronology of anticipated challenges to fission product barriers. The other two PWR vendors rely on logic diagrams to establish plant damage states in accordance with the technical basis report of the Electric Power Research Institute.
Technical support centre	A–23.	Once the mitigatory domain has been entered, all EOPs cease, except in the case of Combustion Engineering plants, in which EOPs and SAMGs are executed in parallel. However, in the approach retained by Westinghouse and General Electric plants, some important actions required in EOPs can be continued, but SAMGs have priority over EOPs. In the approach in Babcock and Wilcox plants, no re-entry into the use of EOPs is considered. The SAMGs of all PWR plants address the pros and cons of expected actions. Westinghouse plants have adopted tables showing the pros and cons of each expected action and possible ways of mitigating the consequences of cons; Combustion Engineering and Babcock and Wilcox have opted to include cautions in each guide.
Technical support centre	A–24.	For PWRs, priorities for implementing strategies or actions are given in a logic diagram, with an answer to a question in a logic diagram being always linked to an earlier question, but implementation of an action does not necessitate full completion of previously implemented actions. For BWRs, all SAMGs relating to core and containment behaviour are executed in parallel. When an action fails, only Westinghouse SAMGs provide alternatives.
Technical support centre	A–25.	There are no predefined long term provisions. Westinghouse SAMGs provide some exit conditions based on core exit temperature, primary pressure, containment pressure, hydrogen concentration and releases.
Technical support centre	A–26.	Obtaining reliable information on capabilities that are helpful in protecting barriers and performing actions that would also protect such barriers is recognized to be important. Examples of protecting the second barrier or the third barrier are: All PWRs use computational aids, while BWR plants use technical support guidelines. Graded depressurization is not considered, except in the most recent version of the BWR SAMGs, which mention slow depressurization as a means of allowing an injection system that uses a steam turbine (the reactor core isolation cooling system) to run as long as possible by using reactor steam. Injection of water into the steam generators (the first priority for Westinghouse plants) or into the core (other PWR plants and BWR plants). Injection of water into the reactor cavity (common to PWR and BWR plants). Monitoring parameters that allow confirmation that the reactor pressure vessel has not failed (for Combustion Engineering and Babcock and Wilcox plants), and the use of logic diagrams to characterize vessel failure (Westinghouse plants have no such diagrams). Use of a flammability diagram to evaluate the risk of losing containment integrity in situations involving flammable mixtures (used at all PWR plants, with various degrees of sophistication). For BWR plants, this issue is addressed in technical support guidelines. Hydrogen risk in venting system filters is not addressed, as filtering is not considered in these systems.
Technical support centre	A–27.	The Japan Nuclear Regulation Authority requires licensees to develop severe accident management measures and to design systems, structures and components for the prevention and mitigation of severe accidents, taking into account lessons from the accident at the Fukushima Daiichi nuclear power plant.
Technical support centre	A–28.	Paragraphs A–29 to A–31 outline chapters 1–3 of the Nuclear Regulation Authority’s new regulatory requirements for severe accident measures at light water nuclear power plants.
Technical support centre		Nuclear Regulation Authority new regulatory requirements, chapter 1: Requirements for severe accident measures (major systems used for each measure)
Technical support centre	A–29.	Chapter 1 of the new regulatory requirements covers the following: Common basic requirements for equipment to be used in severe accident management: Capacity: Equipment for use in severe accident management shall⁵ be designed to have sufficient capacity to cope with postulated beyond design basis accidents. Mobile equipment for use in severe accident management shall be designed to have sufficient capacity with suitable margins, in accordance with the necessary equipment reliability, to cope with postulated beyond design basis accidents. Environmental and load conditions: Equipment for use in severe accident management shall be designed to function as required, with sufficient reliability under environmental and load conditions, during postulated beyond design basis accidents. Operability: Equipment for use in severe accident management shall be designed such that its operation is ensured under the conditions of postulated beyond design basis accidents. Diversity: Permanent equipment for use in the preventive domain in severe accident management shall be designed such that diversity is considered as much as possible with respect to equipment for management of design basis accidents. Mobile equipment for use in the preventive domain in severe accident management shall be as diverse as possible with respect to equipment for the management of design basis accidents and permanent equipment for use in the preventive domain of severe accident management. Prevention of detrimental impacts: Equipment for use in severe accident management shall be installed so as not to cause any detrimental impact to other equipment. Ease of changeover: Equipment and procedures shall be prepared so as to allow easy and reliable changeover from normal line configurations in the event that other equipment is to be used for severe accident management, different from its original use. Reliable connections: Measures shall be taken to standardize connecting methods to ensure that mobile equipment and permanent equipment for severe accident management can be easily and reliably connected and that such equipment can be used interchangeably between systems and units. Furthermore, multiple connections shall be prepared with appropriate spatial dispersion to avoid disconnection due to common mode failure. Seismic and tsunami resistance: Appropriate measures for equipment for use in the mitigatory domain in severe accident management (including piping, valves and electrical cables within the building, in addition to connections to mobile equipment for use in the mitigatory domain in severe accident management) shall be taken so as not to damage the necessary functions for withstanding standard ground motion and a standard tsunami. Equipment for use in the preventive domain in severe accident management (including piping, valves and electrical cables within the building, in addition to connections to mobile equipment for use in the preventive domain in severe accident management) shall have equivalent seismic and tsunami resistance to the corresponding equipment for the management of design basis accidents. Storage locations: Stored mobile equipment for use in severe accident management shall be dispersed in different locations that are not easily impacted by external events (e.g. earthquakes, tsunamis). Mobile equipment for use in severe accident management shall be stored in different locations from permanent equipment for use in severe accident management. On-site working conditions: The locations of equipment for use in severe accident management shall be selected in such a way that the installation, connection, operation and recovery of mobile equipment for use in severe accident management can be done even in the event of a postulated beyond design basis accident, for example by selecting a suitable place that would not be affected severely by the accident or by reinforcing the shielding performance. Securing access routes: Access routes shall be designed and managed effectively so as to ensure the availability of access routes needed to transport mobile equipment for use in severe accident management or to inspect the damage of equipment under the postulated environmental conditions. Prohibition of shared use: In principle, permanent equipment for use in severe accident management shall not be shared by more than two units. However, this rule shall not apply if risks can be reduced and no other detrimental impact is caused by sharing the equipment. Preparation of procedures, implementation of drills and development of organizational systems: Appropriate organizational systems shall be established in advance by the formulation of procedures and the implementation of drills in order to manage beyond design basis accidents rapidly and flexibly. Preparation of equipment and procedures for the following measures: Measures for reactor shutdown. Measures for cooling the reactor at high pressure. Measures for depressurizing reactor coolant pressure boundaries. Measures for cooling the reactor at low pressure. Measures for securing the ultimate heat sink for severe accident management. Measures for cooling, depressurization and reduction of radioactive material in the atmosphere of the containment vessel. Measures for preventing failure of the containment vessel due to overpressure. Measures for cooling molten core fallen to the bottom of the reactor pressure vessel. Measures for preventing hydrogen explosions inside the containment vessel. Measures for preventing hydrogen explosions inside the reactor building and other locations. Measures for cooling, shielding and maintaining the subcriticality of spent fuel storage pools. Measures for securing make-up water and water sources. Measures for securing power sources for the following: Control room; Emergency response centre; Instrumentation devices; Radiation monitoring facilities; Communications devices. Measures for suppressing off-site releases of radioactive material. Capacity: Equipment for use in severe accident management shall⁵ be designed to have sufficient capacity to cope with postulated beyond design basis accidents. Mobile equipment for use in severe accident management shall be designed to have sufficient capacity with suitable margins, in accordance with the necessary equipment reliability, to cope with postulated beyond design basis accidents. Environmental and load conditions: Equipment for use in severe accident management shall be designed to function as required, with sufficient reliability under environmental and load conditions, during postulated beyond design basis accidents. Operability: Equipment for use in severe accident management shall be designed such that its operation is ensured under the conditions of postulated beyond design basis accidents. Diversity: Permanent equipment for use in the preventive domain in severe accident management shall be designed such that diversity is considered as much as possible with respect to equipment for management of design basis accidents. Mobile equipment for use in the preventive domain in severe accident management shall be as diverse as possible with respect to equipment for the management of design basis accidents and permanent equipment for use in the preventive domain of severe accident management. Prevention of detrimental impacts: Equipment for use in severe accident management shall be installed so as not to cause any detrimental impact to other equipment. Ease of changeover: Equipment and procedures shall be prepared so as to allow easy and reliable changeover from normal line configurations in the event that other equipment is to be used for severe accident management, different from its original use. Reliable connections: Measures shall be taken to standardize connecting methods to ensure that mobile equipment and permanent equipment for severe accident management can be easily and reliably connected and that such equipment can be used interchangeably between systems and units. Furthermore, multiple connections shall be prepared with appropriate spatial dispersion to avoid disconnection due to common mode failure. Seismic and tsunami resistance: Appropriate measures for equipment for use in the mitigatory domain in severe accident management (including piping, valves and electrical cables within the building, in addition to connections to mobile equipment for use in the mitigatory domain in severe accident management) shall be taken so as not to damage the necessary functions for withstanding standard ground motion and a standard tsunami. Equipment for use in the preventive domain in severe accident management (including piping, valves and electrical cables within the building, in addition to connections to mobile equipment for use in the preventive domain in severe accident management) shall have equivalent seismic and tsunami resistance to the corresponding equipment for the management of design basis accidents. Storage locations: Stored mobile equipment for use in severe accident management shall be dispersed in different locations that are not easily impacted by external events (e.g. earthquakes, tsunamis). Mobile equipment for use in severe accident management shall be stored in different locations from permanent equipment for use in severe accident management. On-site working conditions: The locations of equipment for use in severe accident management shall be selected in such a way that the installation, connection, operation and recovery of mobile equipment for use in severe accident management can be done even in the event of a postulated beyond design basis accident, for example by selecting a suitable place that would not be affected severely by the accident or by reinforcing the shielding performance. Securing access routes: Access routes shall be designed and managed effectively so as to ensure the availability of access routes needed to transport mobile equipment for use in severe accident management or to inspect the damage of equipment under the postulated environmental conditions. Prohibition of shared use: In principle, permanent equipment for use in severe accident management shall not be shared by more than two units. However, this rule shall not apply if risks can be reduced and no other detrimental impact is caused by sharing the equipment. Equipment for use in severe accident management shall⁵ be designed to have sufficient capacity to cope with postulated beyond design basis accidents. Mobile equipment for use in severe accident management shall be designed to have sufficient capacity with suitable margins, in accordance with the necessary equipment reliability, to cope with postulated beyond design basis accidents. Permanent equipment for use in the preventive domain in severe accident management shall be designed such that diversity is considered as much as possible with respect to equipment for management of design basis accidents. Mobile equipment for use in the preventive domain in severe accident management shall be as diverse as possible with respect to equipment for the management of design basis accidents and permanent equipment for use in the preventive domain of severe accident management. Appropriate measures for equipment for use in the mitigatory domain in severe accident management (including piping, valves and electrical cables within the building, in addition to connections to mobile equipment for use in the mitigatory domain in severe accident management) shall be taken so as not to damage the necessary functions for withstanding standard ground motion and a standard tsunami. Equipment for use in the preventive domain in severe accident management (including piping, valves and electrical cables within the building, in addition to connections to mobile equipment for use in the preventive domain in severe accident management) shall have equivalent seismic and tsunami resistance to the corresponding equipment for the management of design basis accidents. Measures for reactor shutdown. Measures for cooling the reactor at high pressure. Measures for depressurizing reactor coolant pressure boundaries. Measures for cooling the reactor at low pressure. Measures for securing the ultimate heat sink for severe accident management. Measures for cooling, depressurization and reduction of radioactive material in the atmosphere of the containment vessel. Measures for preventing failure of the containment vessel due to overpressure. Measures for cooling molten core fallen to the bottom of the reactor pressure vessel. Measures for preventing hydrogen explosions inside the containment vessel. Measures for preventing hydrogen explosions inside the reactor building and other locations. Measures for cooling, shielding and maintaining the subcriticality of spent fuel storage pools. Measures for securing make-up water and water sources. Measures for securing power sources for the following: Control room; Emergency response centre; Instrumentation devices; Radiation monitoring facilities; Communications devices. Measures for suppressing off-site releases of radioactive material. Control room; Emergency response centre; Instrumentation devices; Radiation monitoring facilities; Communications devices.
Technical support centre		Nuclear Regulation Authority new regulatory requirements, chapter 2: Accident management for external events beyond the design basis
Technical support centre	A–30.	Chapter 2 of the new regulatory requirements covers the following: Accident management with mobile equipment: Procedures shall be prepared for the following activities and measures for situations in which the plant has suffered large scale damage due to a large scale natural or human induced external event. Activities for extinguishing a large scale fire; Measures for mitigating fuel damage; Measures for mitigating failure of the containment vessel; Measures for minimizing the release of radioactive material; Measures for maintaining necessary water levels and measures to mitigate fuel damage in spent fuel storage pools. Furthermore, organizational systems and the necessary equipment enabling these activities in accordance with the procedures shall be prepared. Establishment of a specialized safety facility: The term ‘specialized safety facility’ refers to a facility with the function of suppressing a large release of radioactive material caused by failure of the containment vessel in the event of severe core damage or an almost damaged core as a result of a natural or human induced external event. The specialized safety facility shall be installed in accordance with the following: The specialized safety facility shall be equipped with adequate measures for preventing the loss of necessary functions due to the intentional crashing of a large airplane into the reactor building. The specialized safety facility shall be equipped with adequate measures for preventing the loss of necessary functions due to design basis seismic motion and tsunamis. The specialized safety facility shall be installed with the equipment required to prevent failure of the containment vessel. Equipment shall be designed so as to allow use over a certain period of time. An organization to maintain the functionality of the specialized safety facility shall be established. Procedures shall be prepared for the following activities and measures for situations in which the plant has suffered large scale damage due to a large scale natural or human induced external event. Activities for extinguishing a large scale fire; Measures for mitigating fuel damage; Measures for mitigating failure of the containment vessel; Measures for minimizing the release of radioactive material; Measures for maintaining necessary water levels and measures to mitigate fuel damage in spent fuel storage pools. Furthermore, organizational systems and the necessary equipment enabling these activities in accordance with the procedures shall be prepared. Activities for extinguishing a large scale fire; Measures for mitigating fuel damage; Measures for mitigating failure of the containment vessel; Measures for minimizing the release of radioactive material; Measures for maintaining necessary water levels and measures to mitigate fuel damage in spent fuel storage pools. The term ‘specialized safety facility’ refers to a facility with the function of suppressing a large release of radioactive material caused by failure of the containment vessel in the event of severe core damage or an almost damaged core as a result of a natural or human induced external event. The specialized safety facility shall be installed in accordance with the following: The specialized safety facility shall be equipped with adequate measures for preventing the loss of necessary functions due to the intentional crashing of a large airplane into the reactor building. The specialized safety facility shall be equipped with adequate measures for preventing the loss of necessary functions due to design basis seismic motion and tsunamis. The specialized safety facility shall be installed with the equipment required to prevent failure of the containment vessel. Equipment shall be designed so as to allow use over a certain period of time. An organization to maintain the functionality of the specialized safety facility shall be established. The specialized safety facility shall be equipped with adequate measures for preventing the loss of necessary functions due to the intentional crashing of a large airplane into the reactor building. The specialized safety facility shall be equipped with adequate measures for preventing the loss of necessary functions due to design basis seismic motion and tsunamis. The specialized safety facility shall be installed with the equipment required to prevent failure of the containment vessel. Equipment shall be designed so as to allow use over a certain period of time. An organization to maintain the functionality of the specialized safety facility shall be established.
Technical support centre		Nuclear Regulation Authority new regulatory requirements, chapter 3: Evaluation of the effectiveness of measures for severe accident management
Technical support centre	A–31.	Chapter 3 of the new regulatory requirements covers the following: Evaluation of the effectiveness of preventive measures against core damage and failure of the containment vessel: The licensee has to postulate beyond design basis accidents that could cause severe core damage and prepare appropriate measures to prevent severe core damage. The licensee has to postulate the failure modes of the containment vessel that could occur in conjunction with severe core damage and prepare appropriate measures to prevent failure of the containment vessel. Evaluation of the effectiveness of preventive measures against fuel damage in spent fuel storage pools. Evaluation of the effectiveness of preventive measures against fuel damage in a reactor during shutdown. The licensee has to postulate beyond design basis accidents that could cause severe core damage and prepare appropriate measures to prevent severe core damage. The licensee has to postulate the failure modes of the containment vessel that could occur in conjunction with severe core damage and prepare appropriate measures to prevent failure of the containment vessel.

Sekce

Odstavec

Text

Main

1.1.

This Safety Guide was prepared under the IAEA’s programme for establishing safety standards. This Safety Guide revises and supersedes the Safety Guide on Severe Accident Management Programmes for Nuclear Power Plants, which was issued in 2009 as IAEA Safety Standards Series No. NS-G-2.15¹. The current Safety Guide provides guidance on setting up a severe accident management programme, from the conceptual stage to the development of a complete set of procedures and guidelines.

Main

1.2.

The IAEA Safety Glossary [1] defines ‘accident management’ as:

To prevent escalation to a severe accident;
To mitigate the consequences of a severe accident;
To achieve a long term safe stable state².”

Main

1.3.

Accident management, including severe accident management, is therefore an essential component of the application of defence in depth [2–5]. Accident management complements the operating procedures that “shall be developed… (for the reactor and its associated facilities) for normal operation, anticipated operational occurrences and accident conditions”, as stated in Requirement 26 of IAEA Safety Standards Series No. SSR-2/2 (Rev. 1), Safety of Nuclear Power Plants: Commissioning and Operation [6].

Main

1.4.

Requirement 19 of SSR-2/2 (Rev. 1) [6] states that “The operating organization shall establish, and shall periodically review and as necessary revise, an accident management programme.” As stated in para. 5.8 of SSR-2/2 (Rev. 1) [6], the accident management programme shall “[cover] the preparatory measures, procedures and guidelines, and equipment that are necessary for preventing the progression of accidents, including accidents more severe than design basis accidents, and for mitigating their consequences if they do occur.”

Main

1.5.

An accident management programme encompasses plans and actions undertaken to ensure that the plant personnel and other operating organization personnel with responsibilities for accident management are adequately prepared to decide on and implement effective on-site actions. The accident management programme needs to be well integrated with the arrangements for emergency preparedness and response established in accordance with, for example, IAEA Safety Standards Series No. GSR Part 7, Preparedness and Response for a Nuclear or Radiological Emergency [7]; IAEA Safety Standards Series No. GSG-2, Criteria for Use in Preparedness and Response for a Nuclear or Radiological Emergency [8]; and IAEA Safety Standards Series No. GS-G-2.1, Arrangements for Preparedness for a Nuclear or Radiological Emergency [9], in terms of human resources, equipment and strategy.

Main

1.6.

If an accident occurs at a nuclear power plant, to restore safety, two types of accident management guidance document are typically used: emergency operating procedures (EOPs) for preventing fuel rod degradation, and severe accident management guidelines (SAMGs) for mitigating significant fuel rod degradation when a severe accident is imminent.³ The development of SAMGs is an essential part of the severe accident management programme.

Main

1.7.

Depending on the plant state during an accident, actions are prioritized as follows:

Preventive domain of accident management. Before the onset of fuel rod degradation, priority is given to preventing the escalation of the accident into a severe accident. In this domain, actions are implemented to stop the accident progressing to the onset of significant fuel rod degradation or to delay the time at which significant fuel rod degradation happens and preserve all the fundamental safety functions.
Mitigatory domain of accident management. When plant conditions indicate that significant fuel rod degradation is imminent or in progress, priority is given to mitigating the consequences of the severe accident through:
1. Maintaining the integrity of the remaining fission product barriers, particularly the containment, which depending on the design can also include maintaining the integrity of the reactor pressure vessel⁴;
2. Avoiding or limiting fission product releases to the environment;
3. Returning, to the extent possible, to a long term safe stable state.
Maintaining the integrity of the remaining fission product barriers, particularly the containment, which depending on the design can also include maintaining the integrity of the reactor pressure vessel⁴;
Avoiding or limiting fission product releases to the environment;
Returning, to the extent possible, to a long term safe stable state.

Main

Characteristics of the preventive and mitigatory domains of accident management are summarized in the Appendix.

Main

1.8.

This Safety Guide provides recommendations for the development and implementation of an accident management programme to meet the requirements for accident management that are established in sections 3 and 5 of SSR-2/2 (Rev. 1) [6]; sections 2 and 5 of IAEA Safety Standards Series No. SSR-2/1 (Rev. 1), Safety of Nuclear Power Plants: Design [3]; section 4 of IAEA Safety Standards Series No. GSR Part 4 (Rev. 1), Safety Assessment for Facilities and Activities [10]; and Requirement 8 of GSR Part 7 [7], to the extent that these requirements address an imminent or ongoing severe accident. The recommendations are aimed at preventing or mitigating the consequences of accidents with or without damage to the nuclear fuel, whether they are accidents within the design basis or beyond the design basis, including accidents originated by external events.

Main

1.9.

This Safety Guide is intended primarily for use by operating organizations of nuclear power plants and their support organizations. It may also be used by national regulatory bodies and technical support organizations as a reference for developing their relevant safety requirements and for conducting review and assessment.

Main

1.10.

This Safety Guide provides recommendations for the development and implementation of an accident management programme for a nuclear power plant, including all possible fuel locations, particularly the reactor and the spent fuel pool. This Safety Guide is not intended to provide information on the design of structures, systems and components to address design extension conditions, although the capabilities of some structures, systems and components are key in successfully managing a severe accident. For information on this topic, refer to section 5 of SSR-2/1 (Rev. 1) [3].

Main

1.11.

This Safety Guide provides recommendations for an accident management programme on the site. It does not include consideration of all aspects of emergency preparedness and response, which is addressed in GSR Part 7 [7].

Main

1.12.

Although the recommendations of this Safety Guide have been developed primarily for use with water cooled reactors, many of the recommendations provided are generic. The recommendations of this Safety Guide may also be applied with judgement to other types of nuclear installation, including research reactors and nuclear fuel cycle facilities (including facilities for the storage of spent nuclear fuel).

Main

1.13.

This Safety Guide consists of four sections, one appendix and one annex. Section 2 presents the general recommendations for an accident management programme and is organized by topic. More detailed, specific recommendations for the development and implementation of a severe accident management programme are provided in Section 3. Section 3 is organized to follow the development process of a severe accident management programme. Recommendations on the execution of SAMGs are provided in Section 4. The Appendix provides a summary of all aspects of an accident management programme. Examples of the implementation of SAMGs in different States are provided in the Annex.

Main

2.1.

Requirement 19 on accident management in the operation of nuclear power plants in SSR-2/2 (Rev. 1) [6] states: “The operating organization shall establish, and shall periodically review and as necessary revise, an accident management programme.” SSR-2/2 (Rev. 1) [6] also states:

Main

2.2.

Paragraph 2.8 of SSR-2/1 (Rev. 1) [3] states:

Main

2.3.

Paragraph 2.10 of SSR-2/1 (Rev. 1) [3] states:

Main

2.4.

Paragraph 2.13(4) of SSR-2/1 (Rev.1) [3] (footnote omitted) states:

Main

2.5.

Paragraph 5.6 of GSR Part 4 (Rev. 1) [10] requires that “The results of the safety assessment shall be used as an input into planning for on-site and off-site emergency response [7] and accident management”.

Main

2.6.

Paragraph 5.25 of GSR Part 7 [7] states:

To prevent escalation of an emergency;
To return the facility to a safe and stable state;
To reduce the potential for, and to mitigate the consequences of, radioactive releases or exposures.”

Main

2.7.

Paragraph 5.25 of GSR Part 7 [7] further states:

Main

2.8.

An accident management programme consists of all activities and processes developed and undertaken by an operating organization to meet the requirements set out in paras 2.1–2.7 for the prevention and mitigation of accidents. Severe accident management programmes are focused solely on the mitigation of severe accidents. More detailed recommendations on severe accident management programmes are provided in Section 3 of this Safety Guide.

Main

2.9.

An accident management programme should be developed and implemented for the prevention and mitigation of severe accidents, irrespective of the frequency of accident sequences or of the fission product releases considered in the design.

Main

2.10.

The accident management programme should be developed and maintained consistent with the plant design and its current configuration. The accident management programme should be periodically reviewed and revised, when appropriate, to reflect operating experience (including major lessons identified), changes of plant configuration and new results from relevant research. For example, the periodic review of the accident management programme may be accomplished as part of the periodic safety review of the plant [11].

Main

2.11.

The accident management programme should address all modes and states of operation and all fuel locations, including the spent fuel pool, and should take into account possible combinations of events that could lead to an accident. The accident management programme should also consider external hazards more severe than those considered for the design, derived from the site hazard evaluation, that could result in significant damage to the infrastructure on the site or off the site which would hinder actions needed to prevent imminent significant degradation of the fuel rods or to mitigate significant fuel rod degradation (see para. 5.8 of SSR-2/2 (Rev. 1) [6]).

Main

2.12.

A structured top-down approach should be used to develop the accident management guidance. This approach should begin with the objectives (including the identification of plant challenges and plant vulnerabilities) and the strategies, followed by measures to implement the strategies. In combination, these strategies and measures should include consideration of plant capabilities. Finally, procedures and guidelines should be developed to implement these strategies and measures. Accident management guidance should cover both the preventive and the mitigatory domains. Figure 1 illustrates the top-down approach to accident management.

Main

2.13.

When considering objectives on the basis of the vulnerability assessment, accident management strategies should be developed for each individual plant challenge or plant vulnerability. These strategies should take into consideration plant capabilities and an understanding of accident phenomena (see Section 3).

Main

2.14.

Multiple strategies should be identified, evaluated and, when appropriate, developed to achieve the objectives of accident management, which include:

Preventing or delaying the occurrence of fuel rod degradation;
Terminating the progress of fuel rod degradation once it has started;
Maintaining the integrity of the reactor pressure vessel to prevent melt-through, especially at high pressure;
Maintaining the integrity of the containment and preventing containment bypass (strategies for maintaining containment integrity and preventing bypass are of the highest priority once the mitigatory domain is entered);
Minimizing releases of radioactive substances from the fuel or at other locations where releases of radioactive material could occur;
Returning the plant to a long term safe stable state in which the fundamental safety functions can be preserved.

Main

2.15.

In the preventive domain, strategies⁵ should be developed to preserve the fundamental safety functions that are important to prevent fuel damage or the release of radioactive material either in the reactor or at other locations where fuel is located. In the mitigatory domain, strategies should be developed to avoid any early radioactive release or large radioactive release. Strategies should be developed to delay or minimize any early radioactive release or large radioactive release if those strategies become necessary and are reasonably practicable.

Main

2.16.

Accident management strategies should be prioritized with account taken of the plant damage state and the existing and anticipated challenges. The basis for the selection of priorities among accident management strategies should be the following:

Before significant fuel rod degradation has occurred: Preventing fuel damage is the first priority, and maintaining or restoring the integrity of the containment is the second priority.
After significant fuel rod degradation has occurred: Maintaining the integrity of the containment is the highest priority.

Main

2.17.

When prioritizing accident management strategies, special attention should be paid to the following:

The time frames and severity of challenges to the barriers against releases of radioactive material.
The availability of support functions, as well as the possibility of their restoration.
The initial operating mode of the plant, as accidents can develop in operating modes in which one or more fission product barriers have already been lost at the beginning of the accident.
The adequacy of a strategy in the given domain; some strategies can be adequate in the preventive domain but not as relevant in the mitigatory domain owing to changing priorities. For example, cooling the fuel could be the first priority when the fuel is undamaged and the containment is intact, while restoring the containment integrity or limiting fission product releases could be the first priority when the containment is open (e.g. at shutdown) or has been damaged (e.g. cracks resulting from very severe mechanical loadings).
The difficulty of implementing several accident management strategies in parallel.
The long term implications of or concerns about implementing the accident management strategies.

Main

2.18.

If accident management strategies rely on non-permanent equipment after an extended loss of all AC power, steps should be taken to ensure that personnel can install and operate such equipment within the time frame necessary to avoid loss of the fundamental safety functions, taking into account possible adverse conditions on the site. Support items, such as fuel for non-permanent equipment, should be available.

Main

2.19.

The implementation of specific accident management strategies should be triggered either when certain parameters reach their threshold values or when trends of significant parameters are observed such that their reaching threshold values is imminent. These parameters should be selected to be indicative of challenges to fission product barriers (see IAEA Safety Standards Series No. SSG-2 (Rev.1), Deterministic Safety Analysis for Nuclear Power Plants [12]).

Main

2.20.

When accident management strategies that need to be implemented within a certain time window are considered, the inherent uncertainty in determining accurately the time that has elapsed since the onset of the accident should be taken into account in identifying such a time window. However, care should be exercised not to discard potentially useful strategies.

Main

2.21.

From the accident management strategies, suitable and effective measures for accident management should be derived that correspond to available hardware provisions at the plant. Such measures may include plant modifications where these are deemed important for managing accidents. Actions initiated by personnel in the main control room or actions taken at another location are usually an important part of these measures. During an actual accident, such measures would include the use of systems and equipment still available, the recovery of failed equipment and, potentially, the use of non-permanent equipment⁶ stored on the site or off the site.

Main

2.22.

From the accident management strategies, appropriate instructions or guidance, in the form of procedures (EOPs, preferably used to prevent significant fuel rod degradation) and guidelines (SAMGs, preferably used to mitigate the effects of significant fuel rod degradation) should be developed. There are some situations in which procedures are appropriate for mitigation, such as those in which preventive measures need to be continued during mitigation and those in which the procedures are needed to operate or align specific equipment.

Main

2.23.

The accident management guidance should assist the operating organization personnel in prioritizing, monitoring and executing actions in the harsh environments that may exist during an accident, including accidents resulting from external hazards that are more severe than external events considered for design.

Main

2.24.

The interface with radioactive waste management during accidents should be considered so as to enable access to certain areas in order to perform local accident management actions (see IAEA Safety Standards Series No. GSR Part 5, Predisposal Management of Radioactive Waste [13]).

Main

2.25.

Interfaces between safety and security should be managed appropriately throughout the lifetime of the plant, and in all plant states, in such a way that safety measures and security measures do not compromise one another. In particular, nuclear security measures should be maintained as appropriate during all phases of accident management (see Ref. [14]).

Main

2.26.

Accident management guidance should be developed for all reasonably foreseeable mechanisms that could challenge fundamental safety functions or barriers to a release of radioactive material.

Main

2.27.

Accident management guidance should be an integral part of the overall emergency arrangements and should be coordinated with the on-site emergency plan, established in accordance with GSR Part 7 [7], GSG-2 [8] and GS-G-2.1 [9]. The on-site emergency plan should set out the lines of responsibility and accountability for implementing emergency response actions during the execution of accident management guidance to maintain or restore safety functions throughout the duration of the accident.

Main

2.28.

Accident management guidance should be robust:

It should promote consistent implementation by all staff during an accident.
It should emphasize the use of components and systems that are not likely to fail in their expected operating regimes, including during severe accidents.
It should implement all feasible measures that will either maintain or increase the margin to failure or that will gain time before the failure of safety functions or of barriers to a release of radioactive material.
It should address the possibility of adding components, including non-permanent equipment, in the event that existing plant systems are unable to preserve the fundamental safety functions or limit challenges to barriers to a release of radioactive material for conditions not considered in the design.
It should consider plant conditions in shutdown modes, particularly when the containment barrier is temporarily not available or when it is difficult to add water for decay heat removal.

Main

2.29.

The accident management guidance should refer to the preferred accident management equipment that is available. Possible equipment failures (e.g. instrumentation failure or equipment lockout) should be considered. Alternate methods of achieving the same purpose should be explored to take into account possible equipment failures, and the availability of alternative equipment should be determined.

Main

2.30.

In the accident management guidance, the entry conditions for use of the EOPs and the plant conditions under which the transition is to be made from EOPs to SAMGs should be specified. The entry conditions for the use of EOPs and the conditions for transition to SAMGs should be based on defined and documented criteria.

Main

2.31.

The accident management guidance should address the full spectrum of events, including credible and relevant internal and external hazards, and possible complications during their evolution that could be caused by additional hardware failures or human and organizational errors. Accident sequences involving inappropriate operator actions (errors of omission or errors of commission) leading to core damage should be considered.

Main

2.32.

Accident management guidance relating to human and organizational factors should include consideration of the following:

The performance of personnel under the contextual and adverse boundary conditions given;
The command and control structure, including information sharing and cooperation among the staff involved.

Main

2.33.

The operating organization should have full responsibility for the implementation of the accident management guidance and should take steps to ensure that the roles of the different members of the on-site emergency response organization involved in accident management have been clearly defined, allocated and coordinated.

Main

2.34.

Adequate staffing and working conditions (e.g. acceptable levels of radiation, temperature, humidity and lighting, as well as acceptable access to the plant from off the site) should be considered for accident management, including conditions resulting from external hazards more severe than those considered for the design, derived from the site hazard evaluation. Contingency plans should be prepared to ensure that alternate personnel are available to fill the corresponding positions if certain staff are unavailable.

Main

2.35.

Guidance for the assessment of damage to the plant should be part of the accident management programme and should be developed to address challenges to the fundamental safety functions or the fission product barriers before any significant fission product release. Of particular importance is the assessment of access to the site and structural damage to buildings resulting from external hazards more severe than those considered for design, derived from the site hazard evaluation.

Main

2.36.

In accordance with para. 5.8C of SSR-2/2 (Rev. 1) [6], contingency measures — such as compressed air or other gases, mobile electrical power sources and alternative supplies of water — are required to be located and maintained so as to be functional and readily accessible when they are needed.

Main

2.37.

Accident management guidance should be considered for any specific challenges posed by shutdown plant configurations and large scale maintenance. The potential for damage to fuel in the reactor core and in the spent fuel pool, and in on-site dry storage if applicable, should also be considered in the accident management guidance. As large scale maintenance is frequently carried out during planned shutdown states, the protection of workers should be a high priority of accident management.

Main

2.38.

Accident management guidance should be, as far as feasible, based on either directly measurable plant parameters or information derived from simple calculations and should consider the possible loss or unreliability of indications of essential plant parameters for equipment that has not been designed to withstand such accident conditions.

Main

2.39.

The set of accident management guidance, including procedures and guidelines, should include design limits and/or relevant plant parameters that should be monitored, and these limits and parameters should be referenced or linked to the criteria for the initiation, throttling or termination of the various systems. The time needed to obtain adequate information important for accident management should be taken into account when developing accident management guidance.

Main

2.40.

Specific attention should be paid to situations in which instrumentation is lost or incorrect owing to a loss of power or a harsh environment. Arrangements should be established for making adequately informed decisions in such cases. If measurements are not available, parameters should be estimated by means of simple computations (e.g. using steam tables) or precalculated graphs.

Main

2.41.

The accident management guidance should be efficient for actions that are subject to time constraints (e.g. the depressurization of the reactor coolant system; the isolation or venting of the containment).

Accident management guidance in the preventive domain (before significant fuel rod degradation)

2.42.

For accidents without significant fuel rod degrada tion, the accident management guidance should take the form of procedures, usually called EOPs, that are prescriptive in nature. EOPs also typically address design basis accidents.⁷ EOPs may be complemented by other guidance when necessary. The figure in the Appendix shows the relationship between the type of accident management guidance used, the fuel rod status and the plant state.

Accident management guidance in the preventive domain (before significant fuel rod degradation)

2.43.

Further details on the objective, scope, development and implementation of EOPs are given in IAEA Safety Standards Series No. NS-G-2.2, Operational Limits and Conditions and Operating Procedures for Nuclear Power Plants [15], and in Ref. [16].

Accident management guidance in the mitigatory domain (when significant fuel rod degradation is imminent or ongoing)

2.44.

When significant fuel rod degradation is imminent or ongoing, large uncertainties may exist in the plant status, in the availability of the systems and in the timing and outcome of actions. Consequently, the guidance for mitigating significant fuel rod degradation, usually called SAMGs, should distinguish between what can be prescriptive in nature (because there is no doubt as to the benefit of the prescribed actions, for example depressurization of the reactor coolant system for pressurized water reactors) and what cannot be prescriptive in nature. In the latter case, the guidance should include a range of possible mitigatory actions and should allow for additional evaluation and alternative actions.

Accident management guidance in the mitigatory domain (when significant fuel rod degradation is imminent or ongoing)

2.45.

The guidance for mitigating significant fuel rod degradation should contain a description of the positive and negative potential consequences of the proposed actions, including quantitative data when available and relevant; should be simple, clear and unambiguous; and should contain sufficient information for the plant staff and the staff of support organizations to reach a timely decision on the actions to take during the evolution of a severe accident.

Accident management guidance in the mitigatory domain (when significant fuel rod degradation is imminent or ongoing)

2.46.

The guidance for mitigating significant fuel rod degradation should be presented in an appropriate form, such as guidelines, manuals, handbooks or procedures. In this Safety Guide, the term ‘guideline’ is used to describe a set of strategies and measures that describe the tasks to be executed at the plant but which are still less strict and prescriptive than the procedures found in the EOPs. Manuals or handbooks typically contain a more general description of the tasks to be executed and the justifications for use of those tasks.

Accident management guidance in the mitigatory domain (when significant fuel rod degradation is imminent or ongoing)

2.47.

SAMGs should be developed with an appropriate level of detail and in a format that facilitates their effective use under stressful conditions. The form of the SAMGs (i.e. whether they set out step-by-step instructions or are intended to guide flexible decisions) should be considered in the development process and should be clear to the users.

Accident management guidance in the mitigatory domain (when significant fuel rod degradation is imminent or ongoing)

2.48.

The overall form of the guidelines and the selected level of detail should be evaluated during validation of the guidelines and then tested in exercises. On the basis of such exercises, it should be judged whether the form is appropriate and whether additional detail should be included in the SAMGs. Exercises should enable identification of areas for improvement.

Development of accident management guidance for both the preventive and mitigatory domains

2.49.

Accident management guidance should be written in a predefined format using simple and consistent language and specific terms in accordance with established rules; such rules should preferably be established in a writers’ guide.

Development of accident management guidance for both the preventive and mitigatory domains

2.50.

The team developing accident management guidance, such as the plant vendor or designer, should consider the potential loss of the command and control structure due to damaged infrastructure (e.g. from an external hazard more severe than those considered for the design, derived from the site hazard evaluation) and should develop associated guidance that takes account of the following:

The number of affected units (the reactor core and spent fuel pools);
The functionality and habitability of control facilities;
Damage to essential structures and buildings;
The availability of AC and DC power required for the operation of plant systems;
Access to essential buildings and equipment;
The availability of operating personnel and site staff for implementation of procedures and guidelines;
Whether actions can be taken by non-licensed personnel, typically an auxiliary operator;
The availability of other on-site control rooms and personnel in separate buildings;
The capability of communicating within the plant emergency command and control structure and with off-site organizations.

Development of accident management guidance for both the preventive and mitigatory domains

2.51.

In some situations the arrangements for directing the response might be unavailable owing to, for example, loss of the command and control structure due to loss of the main control room or impairment of the capability to set up the on-site emergency response organization. Supporting procedures or guidelines should be developed on the use of instrumentation and equipment to cope with such conditions. The accident management guidance should include conditions for the use of such supporting procedures or guidelines.

Development of accident management guidance for both the preventive and mitigatory domains

2.52.

The management system of the operating organization should ensure that accident management guidance is not adversely impacted by plant changes, including plant modifications and changes to operating procedures and training programmes.

Development of accident management guidance for both the preventive and mitigatory domains

2.53.

The procedures and guidelines developed for accident management should be supported by appropriate background documentation (this is sometimes referred to as the ‘technical basis document’). This documentation should describe and explain the rationale of the various parts of the accident management guidance and should include an explanation of each step, if necessary. The background documentation does not replace the accident management guidance itself. The background documentation should be made available to all staff involved in evaluation and decision making.

Development of accident management guidance for both the preventive and mitigatory domains

2.54.

Potential changes to the EOPs or the SAMGs should first be made to the relevant background documentation to ensure that the changes are thoroughly evaluated. Updated background documentation, EOPs and SAMGs should be issued to the operating organization simultaneously for validation and training.

Development of accident management guidance for both the preventive and mitigatory domains

2.55.

Hard copies of the EOPs and the SAMGs should always be available in all evaluation and decision making locations, such as the main control room, the supplementary control room and the technical support centre, so that they can be used as necessary, in particular during a station blackout. Hard copies should also be made available in all locations used as backups in case of accidents caused by external hazards more severe than those considered for the design, derived from the site hazard evaluation.

Development of accident management guidance for both the preventive and mitigatory domains

2.56.

Verification and validation processes should assess the technical accuracy and adequacy of the accident management guidance to the extent possible, as well as the ability of personnel to follow and implement this guidance. The verification process should confirm the compatibility of the guidance with the referenced equipment, user aids and supplies (e.g. non-permanent equipment, posted job aids, computational aids) (see Ref. [17]). The validation process should demonstrate that the necessary instructions are provided to implement the guidance.

Development of accident management guidance for both the preventive and mitigatory domains

2.57.

The staff involved in the validation of accident management guidance should be different from those who developed the guidance. Developers and writers of plant specific accident management guidance should prepare appropriate tests and scenarios for validation, and their participation as observers to the validation process may be beneficial (see Ref. [18]).

Development of accident management guidance for both the preventive and mitigatory domains

2.58.

The findings and insights from the verification and validation processes, including consideration of positive and negative consequences of actions, should be documented. This information should be used to provide feedback to the developers of procedures and guidelines for any necessary updates before the documents are brought into force by the management of the operating organization. The documentation should be stored appropriately to enable any future revalidation.

Development of accident management guidance for both the preventive and mitigatory domains

2.59.

Guidance should be prepared for testing the permanent and non-permanent equipment and for testing any assembled subsystems necessary for the equipment to meet its planned performance. The frequency and type of testing should be conducted in accordance with the manufacturer’s recommendations. Tests should address necessary local actions, contingencies, the proper connection of non-permanent equipment to plant equipment, access to the site, off-site actions, emergency lighting and the possibility of events affecting multiple units, as well as the time needed to implement these actions, if appropriate. Accident management guidance should be provided for maintenance and periodic testing to ensure the proper functioning of equipment and may include the need for plant walkdowns.

Development of accident management guidance for both the preventive and mitigatory domains

2.60.

In the accident management programme, external hazards should be considered with a level of severity exceeding the magnitude established in the site evaluation or its equivalent and with a mean annual frequency exceeding the probability of accidents established in the design for the plant⁸ (see IAEA Safety Standards Series No. SSR-1, Site Evaluation for Nuclear Installations [19]).

Development of accident management guidance for both the preventive and mitigatory domains

2.61.

The accident management guidance should also consider that, in the case of external hazards more severe than those considered for the design, derived from the site hazard evaluation, there may be extensive infrastructure damage, so that off-site resources are not readily available; examples of such off-site resources include human resources; means of communication; electrical power supplies; means of transport; and the availability of spare parts, lubricants, compressed air, water and fuel.

Development of accident management guidance for both the preventive and mitigatory domains

2.62.

Accident management guidance should consider the need to remove rubble due to external hazards more severe than those considered for the design, derived from the site hazard evaluation, and consideration should be given to its removal under bad weather conditions. For example, heavy machinery may be necessary.

Development of accident management guidance for both the preventive and mitigatory domains

2.63.

The non-permanent equipment should be located in diverse positions to the extent practicable so as to avoid common cause failures due to external hazards such as earthquakes and tsunamis.

Development of accident management guidance for both the preventive and mitigatory domains

2.64.

Consideration should be given to the provision of multiple hook-up points to facilitate the use of non-permanent equipment during an accident caused by external hazards, taking into account the benefits and the potential negative implications.

Development of accident management guidance for both the preventive and mitigatory domains

2.65.

For a multiple unit nuclear power plant site, the accident management programme is required to consider concurrent accidents affecting multiple units, in accordance with para. 5.8A of SSR-2/2 (Rev. 1) [6].

Development of accident management guidance for both the preventive and mitigatory domains

2.66.

Accident management guidance should include the equipment and supporting procedures necessary to respond to accidents that might affect multiple units on the same site and last for extended periods of time. Personnel should have adequate skills to use such equipment and implement supporting procedures, and adequate staffing plans should be developed for emergency response at sites with multiple units.

Development of accident management guidance for both the preventive and mitigatory domains

2.67.

Some events, especially natural hazards, may result in similar challenges to all units on the site. Therefore, staffing plans should take into account situations in which multiple units at the same site have been affected simultaneously and some plant personnel have been temporarily or permanently incapacitated.

Development of accident management guidance for both the preventive and mitigatory domains

2.68.

In the case of multiple unit sites with shared safety related equipment or systems, the possible continued use of a unit that has not been affected should be taken into account in the accident management guidance. Predefined criteria should be established to decide whether the operating units at the same site should be shut down in the event of a severe accident.

Development of accident management guidance for both the preventive and mitigatory domains

2.69.

Requirement 33 of SSR-2/1 (Rev. 1) [3] states that “Each unit of a multiple unit nuclear power plant shall have its own safety systems and shall have its own safety features for design extension conditions.” To further enhance safety, means of allowing interconnections between units of a multiple unit nuclear power plant are required to be considered in the design for accident management (see para. 5.63 of SSR-2/1 (Rev. 1) [3]). Additionally, the sharing of support systems does occur in old plants. Special care should be used to identify the potential impact on any equipment or systems that might be shared between units to ensure adequate capacity of the shared systems.

Development of accident management guidance for both the preventive and mitigatory domains

2.70.

The effectiveness of equipment and the emergency response facilities (e.g. the main control room, the technical support centre) that are shared by different units should be assessed for cases in which accidents, including accidents more severe than the design basis accidents, occur simultaneously at several units.

Development of accident management guidance for both the preventive and mitigatory domains

2.71.

If structures, systems and components that are used for severe accident management are shared between different units, an assessment should be performed to determine whether safe shutdown will be achievable for the other units in the event of an accident at one unit.

Development of accident management guidance for both the preventive and mitigatory domains

2.72.

When other units are located at a neighbouring site close to the site at which a severe accident has occurred, the sharing of information with the operating organizations of those neighbouring units should be considered. Such communication would help to determine whether expected dose rates and other environmental conditions due to dispersion of radioactive material from the site at which the accident has occurred might affect access to units at the neighbouring site.

Development of accident management guidance for both the preventive and mitigatory domains

2.73.

The accident management guidance should address the possibility that more than one unit, or all units, might be affected concurrently by simultaneous accidents, including the possibility that damage will propagate from one unit to another or that damage to one unit will be caused by actions taken at another unit.

Hardware provisions for severe accident management at multiple unit sites

2.74.

When installing equipment (both permanent and non-permanent equipment) for use in severe accident management, consideration should be given to the possibility of severe accidents occurring simultaneously at more than one unit.

Hardware provisions for severe accident management at multiple unit sites

2.75.

For existing plants, the use of a containment venting system that is shared between more than one unit should not have a detrimental impact on the other units on the site.

Hardware provisions for severe accident management at multiple unit sites

2.76.

Site personnel should consider sharing any available and interconnectable equipment among units during severe accidents at multiple unit sites.

Hardware provisions for severe accident management at multiple unit sites

2.77.

Items important to safety for accident management should be identified and evaluated to ensure that they will fulfil their expected roles. If necessary or beneficial for improving the plant’s safety, existing equipment or instrumentation should be upgraded or new equipment or instrumentation should be installed.

Hardware provisions for severe accident management at multiple unit sites

2.78.

Equipment upgrades should be prioritized in accordance with their safety benefits.

Hardware provisions for severe accident management at multiple unit sites

2.79.

Paragraph 5.37 of SSR-2/1 (Rev. 1) [3] states:

Hardware provisions for severe accident management at multiple unit sites

2.80.

When existing equipment or instrumentation is to be upgraded or used outside its previously considered design basis range, the accident management guidance for the use of such equipment should be updated accordingly.

Hardware provisions for severe accident management at multiple unit sites

2.81.

New equipment necessary for accident management should be designed for predicted accident conditions and for environmental conditions arising from internal and external hazards commensurate with the intended function.

Hardware provisions for severe accident management at multiple unit sites

2.82.

Equipment expected to be used for accident management, either permanent equipment or non-permanent equipment that is stored on the site or off the site, should be protected against postulated hazardous conditions including internal and external hazards. For non-permanent equipment, such as portable or mobile equipment, it should be verified that the equipment can be moved from its storage location to the location where it fulfils its accident management function and that the necessary connections can be established under the conditions existing during the accident and within the necessary time frame.

Hardware provisions for severe accident management at multiple unit sites

2.83.

Maintenance, testing and inspection procedures should be developed for equipment, including non-permanent equipment, to be used in accident management according to the equipment’s safety significance and the manufacturer’s recommendations.

Hardware provisions for severe accident management at multiple unit sites

2.84.

The impact of new or upgraded equipment on staffing needs, as well as on maintenance and testing programmes, should be addressed.

Hardware provisions for severe accident management at multiple unit sites

2.85.

For accident conditions, the decision making authority should be clearly defined and established at an appropriate level, commensurate with the complexity of the task and the potential consequences of the decisions to be made. When EOPs are implemented, the main control room supervisor or other designated official within the operating organization should fulfil this responsibility. When significant fuel rod degradation is imminent or ongoing, decision making necessitates having a perspective of all the measures for accident management and a wider understanding of the implications of the decisions. Some States require that the main control room supervisor be capable of performing actions in all aspects of accident management until the person authorized to manage the emergency starts to execute his or her duties.

Hardware provisions for severe accident management at multiple unit sites

2.86.

Major decisions that could have significant adverse effects on public safety or the environment should involve, where practicable, the person (or persons) who has been assigned legal responsibility for safety at the plant.

Hardware provisions for severe accident management at multiple unit sites

2.87.

The accident management guidance should be compatible with the assignment of responsibilities and should be consistent with the other functions considered in the operating organization’s overall emergency arrangements on the site and, if appropriate, at the corporate level.

Hardware provisions for severe accident management at multiple unit sites

2.88.

The roles assigned to the members of the emergency response organization may be different in the preventive and mitigatory domains, and, when this is the case, transitions of responsibility and authority should be clearly defined.

Hardware provisions for severe accident management at multiple unit sites

2.89.

A specialized team or group of teams (referred to in this Safety Guide as the ‘technical support centre staff’) should be available in an emergency to provide technical support to the operating personnel. The technical support centre staff should have the capability, based on their knowledge of the plant status, to recommend actions appropriate for the situation. Such recommendations should be made after an evaluation of the potential consequences of the recommended actions and the possibility and consequences of using erroneous information. If the technical support centre staff are composed of multiple teams, the role of each team should be specified.

Hardware provisions for severe accident management at multiple unit sites

2.90.

Criteria for the activation of the technical support centre should be unambiguous and clearly specified in plant procedures and the on-site emergency plan. Accident management measures should continue to be decided on and carried out by the control room staff until the technical support centre is functional (i.e. has sufficient staff present who have acquired awareness of the situation). GS-G-2.1 [9] recommends that the technical support centre be activated and functional within one hour after the declaration of an emergency. Additional details on the transfer of responsibility are provided in para. 4.2 of this Safety Guide.

Hardware provisions for severe accident management at multiple unit sites

2.91.

Depending on the situation, the technical support centre may be activated in the preventive domain. In such cases, the technical support centre should provide technical support to the main control room staff.

Hardware provisions for severe accident management at multiple unit sites

2.92.

The mechanisms for ensuring the flow of information between the technical support centre and the main control room, as well as from the technical support centre to other parts of the on-site emergency response organization, including those responsible for the execution of on-site and off-site emergency plans, should be specified. Oral communication between the technical support centre staff and the main control room staff should be undertaken by a member of the technical support centre staff who is a licensed operator or a similarly qualified person.

Hardware provisions for severe accident management at multiple unit sites

2.93.

When off-site support for accident management needs to be obtained, consideration should be given to ensuring coordination and to minimizing the possibility of negative interaction between actions performed by various teams on the site. Accident management should be implemented such that all teams have a common situational awareness.

Hardware provisions for severe accident management at multiple unit sites

2.94.

For multiple unit sites, the on-site emergency plan should include the necessary interfaces between the various parts of the overall on-site emergency response organization responsible for different units. Emergency directors for each unit may be assigned to decide on the appropriate actions at specific units. In this case, an overall emergency director should also be assigned to coordinate activities and priorities among all affected units on the site. Decision making responsibilities should be clearly defined. If there are different operating organizations at a given site, appropriate arrangements should be established for the coordination of emergency response operations, including accident management measures, among those organizations.

Staffing and qualification

2.95.

A list of persons who will be part of accident management should be established, and these persons should be designated as emergency workers. This list should take into account accidents developing over a long period so that adequate shift staffing is maintained at the plant (e.g. during holidays and overnight).

Staffing and qualification

2.96.

Adequate staffing levels and personnel qualifications should be established for the implementation of accident management measures, taking into account (a) the possibility that all units can be affected concurrently by simultaneous accidents and (b) the requirements for emergency response (see GSR Part 7 [7]). Staffing levels should be sufficient to provide an initial response for accident management before the emergency response organization is fully activated and be such that an adequate response can be sustained until additional staff arrive.

Staffing and qualification

2.97.

Appropriate training should be provided to members of the operating organization personnel responsible for accident management; the training should be commensurate with their roles and responsibilities.

Staffing and qualification

2.98.

Personnel responsible for performing accident management measures should be trained to acquire the required knowledge, skills and proficiency to execute their tasks. A comprehensive training programme for accident management should be prepared that includes the interfaces with emergency preparedness and response. Training should include a combination of techniques, such as classroom training, drills, tabletop exercises¹¹ and the use of simulation tools.

Staffing and qualification

2.99.

Decision makers should be trained to understand the consequences and uncertainties inherent in their decisions. Evaluators should ensure that they understand the technical basis on which they will base their recommendations. Implementers should ensure that they understand the actions that they may be asked to take.

Staffing and qualification

2.100.

Training should be developed using a systematic approach to training [20]. This includes identifying training needs, defining the training objectives, specifying the technical basis for training material, developing training material, specifying the appropriate venue for delivering training and measuring the effectiveness of training to provide feedback to the training process.

Staffing and qualification

2.101.

Training should be developed and implemented for each on-site group and off-site group involved in accident management. Training should be commensurate with the tasks and responsibilities of the participants, taking into account the appropriate technical level for each group. In-depth training should be considered for personnel entrusted with critical functions in the accident management programme.

Staffing and qualification

2.102.

Training material should be developed by subject matter experts and qualified trainers. Experts could:

Answer questions that are beyond the capability of professional trainers;
Provide information about the operation of field and local equipment and the operation of other equipment, including non-permanent equipment, under adverse conditions.

Staffing and qualification

2.103.

Training, including periodic exercises and drills, should be sufficiently realistic and challenging to prepare personnel responsible for accident management duties to cope with and respond to situations that may occur during an event [21]. Drills should extend over a time period long enough to realistically represent the plant response and should allow for the transmission of information during shift changes to be tested. Special exercises and drills should be developed to practice shift changeovers between operations staff and technical support centre staff and information transfer between different teams. Training should cover accidents occurring simultaneously at more than one unit, accidents occurring in different reactor operating states and accidents in the spent fuel pool. Training should consider unconventional line-ups of the plant equipment, the use of non-permanent equipment (e.g. diesel power generators, pumps) and repair of the equipment.

Staffing and qualification

2.104.

Training material should address the implementation of strategies under adverse environmental conditions, including conditions resulting from external hazards with potentially high radiation levels, and under the influence of stress on the anticipated behaviour of staff.

Staffing and qualification

2.105.

Training for new staff, as well as refresher training for existing staff, should be developed for all groups of staff involved in accident management. The frequency of refresher training should be established on the basis of the difficulty and the importance of accident management tasks. A maximum interval for refresher training should be defined, but depending on the outcome of exercises and drills held at the plant, a shorter interval may be selected. Changes in the guidance or in the use of the guidance should be reflected in the training programme. Such changes should be communicated to interested parties.

Staffing and qualification

2.106.

Criteria for evaluating the effectiveness of an exercise or a drill should be established. Such criteria should characterize the ability of the team participating in the exercise or drill to understand and follow the evolution of the plant status, to reach well founded decisions for various events (including unanticipated events), to initiate appropriate actions and to meet the objectives of the exercise or drill (see Ref. [17]).

Staffing and qualification

2.107.

Results from exercises and drills should be systematically evaluated to provide feedback for the improvement of the training programme and, if applicable, the procedures and guidelines, as well as the organizational aspects of accident management.

Staffing and qualification

2.108.

If, within the operating organization, the transfer of authority to direct the accident management actions is considered during an accident, it should be verified that the person to whom authority will be transferred has the required background to efficiently discharge such authority.

Staffing and qualification

2.109.

The transfer of authorities and responsibilities during the emergency response should take place at a point in time that minimizes any risks to safe and effective implementation of accident management measures and, thus, is optimal from the viewpoint of accident management. The transfer of responsibility and authority should not create a ‘vacuum’ in decision making or in the implementation of necessary actions. Hence, any formal transfer of responsibility and authority should not take place until the new decision maker is ready to assume his or her role. Arrangements for the transfer of responsibilities and authorities should be consistent with the arrangements addressed in the on-site emergency plan.

Working conditions

2.110.

Reasonable assurance should be provided that the on-site technical support centre (or emergency response facility) will be operable and habitable under a range of postulated hazardous conditions, including external hazards more severe than those considered for design, derived from the site hazard evaluation.

Working conditions

2.111.

Acceptable habitability should be provided for plant staff and external support staff in situations in which the site is partially or totally isolated from continuous off-site support.

Working conditions

2.112.

Shift turnover documents should be maintained to allow continuity during shift changes. During turnovers, staff on the new shifts should be provided with accident related information as well as other information deemed necessary to maintain continuity in strategies for managing the accident.

Working conditions

2.113.

Contingency plans should be developed for the following:

Situations in which staff members involved in accident management have been incapacitated;
Situations in which some staff members involved in accident management need to be evacuated;
Situations in which outside support may be delayed so that main control room staff and technical support centre staff will need to continue the accident management measures.

Working conditions

2.114.

As part of overall emergency preparedness, arrangements should be put in place to help staff cope with emotional stress affecting performance during the response, in relation to both the circumstances of the accident and any conventional emergency that is occurring simultaneously and affecting their families or property.

Working conditions

2.115.

Suitable, reliable and diverse means of communication should be available at all times for use on the site and for communication with off-site authorities, and guidance should be put in place for measures to be taken if some or all of these means fail. The effects of a station blackout and the potential for damage to the communication equipment from external hazards more severe than those considered for design, derived from the site hazard evaluation, should be considered in these arrangements.

Working conditions

2.116.

A highly reliable communication network based on the principles of redundancy, diversity and physical separation of communication channels should be provided for communication between the main control room, the technical support centre and off-site facilities.

Working conditions

3.1.

All the general recommendations from Section 2 on the development of an accident management programme are also applicable to the development of a severe accident management programme. In this regard, the recommendations in Section 3 can be considered supplementary to the recommendations in Section 2.

Working conditions

3.2.

Six main steps should be executed to set up and develop a severe accident management programme:

Identification of challenge mechanisms: Mechanisms that could challenge the fundamental safety functions or the barriers to a release of radioactive material should be identified.
Identification of plant vulnerabilities: Plant vulnerabilities should be identified, with consideration given to the challenge mechanisms, including the concurrent loss of the fundamental safety functions.
Identification of plant capabilities:
1. For challenges to the fundamental safety functions and fission product barriers, the plant capabilities, including capabilities to delay or mitigate such challenges, in terms of both available equipment and available personnel, should be considered.
2. The available or necessary hardware provisions for the execution of severe accident management strategies should be considered.
Development of severe accident management guidance:
1. Suitable severe accident management guidance should be developed and should include the use of permanent and on-site and off-site non-permanent equipment and instrumentation to cope with the vulnerabilities identified.
2. Development of severe accident management guidance should be supported by appropriate analyses. Best estimate analyses are typically used for this purpose.
3. Dependencies between external hazards should be considered.
4. The possibility and consequences of using erroneous information should be considered.
5. The means of obtaining information on the plant status, and the role of instrumentation therein, should be considered, including cases in which the information provided by instrumentation is erroneous and all normal power for instrumentation and control systems is unavailable.
6. Possible restrictions on access to certain areas in order to perform local actions should be considered.
7. Interfaces with actions performed prior to any significant fuel rod degradation should be addressed.
8. Suitable procedures and guidelines for the execution of the strategies and measures should be developed.
9. Severe accident management strategies should consider relevant very low probability events.
Establishment of a verification and validation process for the severe accident management programme.
Integration of the severe accident management programme into the management system and the emergency preparedness and response arrangements:
1. The lines of decision making, responsibility and authority in the teams that will be in charge of the execution of the accident management guidance should be specified.
2. Human and organizational factors should be considered using a systemic approach to safety [22].
3. A systematic approach to the periodic evaluation and updating of the guidance and training should be considered; such an evalution should incorporate new information and research insights into severe accident phenomena.
4. Education, training, exercises and drills should be considered.
5. Integration of the severe accident management programme with the emergency arrangements for the plant should be ensured.
For challenges to the fundamental safety functions and fission product barriers, the plant capabilities, including capabilities to delay or mitigate such challenges, in terms of both available equipment and available personnel, should be considered.
The available or necessary hardware provisions for the execution of severe accident management strategies should be considered.
Suitable severe accident management guidance should be developed and should include the use of permanent and on-site and off-site non-permanent equipment and instrumentation to cope with the vulnerabilities identified.
Development of severe accident management guidance should be supported by appropriate analyses. Best estimate analyses are typically used for this purpose.
Dependencies between external hazards should be considered.
The possibility and consequences of using erroneous information should be considered.
The means of obtaining information on the plant status, and the role of instrumentation therein, should be considered, including cases in which the information provided by instrumentation is erroneous and all normal power for instrumentation and control systems is unavailable.
Possible restrictions on access to certain areas in order to perform local actions should be considered.
Interfaces with actions performed prior to any significant fuel rod degradation should be addressed.
Suitable procedures and guidelines for the execution of the strategies and measures should be developed.
Severe accident management strategies should consider relevant very low probability events.
The lines of decision making, responsibility and authority in the teams that will be in charge of the execution of the accident management guidance should be specified.
Human and organizational factors should be considered using a systemic approach to safety [22].
A systematic approach to the periodic evaluation and updating of the guidance and training should be considered; such an evalution should incorporate new information and research insights into severe accident phenomena.
Education, training, exercises and drills should be considered.
Integration of the severe accident management programme with the emergency arrangements for the plant should be ensured.

Working conditions

3.3.

Severe accident sequences should be identified and analysed using a combination of engineering judgement, deterministic methods and probabilistic methods. Sequences for which practicable severe accident management guidance can be implemented should be identified. Acceptable severe accident management guidance should be based on best estimate assumptions, methods and analytical criteria. Activities for developing severe accident management guidance should take into account the following:

Operating experience, relevant safety analysis and results from safety research.
Accident sequences reviewed against a set of criteria aimed at determining which severe accident challenges should be addressed in the design of the severe accident management programme.
Potential design or procedural changes that could either reduce the likelihood of occurrence of these challenges or mitigate their consequences, and decisions on the implementation of such changes.
Plant design capabilities, including the possible use of:
1. Systems beyond their originally intended function and anticipated operational states when the use of such systems will not exacerbate the situation;
2. Additional non-permanent systems or components to return the plant to a long term safe stable state or to mitigate the consequences of a severe accident, provided that it can be shown with a good level of confidence that the systems will be able to function in the expected environmental conditions.
For multiple unit sites, consideration of the use of available means and/ or support from other units on the site, provided that the safe operation of those units is not compromised.
Systems beyond their originally intended function and anticipated operational states when the use of such systems will not exacerbate the situation;
Additional non-permanent systems or components to return the plant to a long term safe stable state or to mitigate the consequences of a severe accident, provided that it can be shown with a good level of confidence that the systems will be able to function in the expected environmental conditions.

Working conditions

3.4.

The development of severe accident management guidance should be supported by appropriate analyses of the physical response of the plant. Best estimate analyses are typically used for this purpose. Consideration should be given to uncertainties in knowledge about the timing and magnitude of phenomena that might occur in the progression of the accident. Hence, severe accident management actions should be initiated at the level of parameters and at a time that gives sufficient confidence that the goal intended to be achieved by carrying out the action will be reached.

Working conditions

3.5.

Severe accident management guidance may be developed first on a generic basis by the plant vendor or plant designer, or by another organization duly authorized by the operating organization, and may then be used by the operating organization for the development of a plant specific severe accident management programme. Severe accident management guidance may also be developed on a plant specific basis without the use of generic documentation. When adapting generic severe accident management guidance to plant specific conditions, care should be taken that the transition conditions from EOPs to SAMGs are handled appropriately, including searching for additional vulnerabilities and for strategies to mitigate these vulnerabilities. Any deviations from plant operating requirements and generic severe accident management guidance should be subject to rigorous review that considers the basis for and benefits of the original approach and the potential unintended consequences of deviating from this approach.

Working conditions

3.6.

To ensure the success of the development of the severe accident management programme, a development team of experts with sufficient scope and level of expertise, including all necessary technical disciplines, should be involved, with support from the senior management of the operating organization.

Working conditions

3.7.

The selection of severe accident sequences should be sufficiently comprehensive to provide a basis for the development of severe accident management guidance for plant personnel and support personnel in any identified situation. Level 1 and Level 2 probabilistic safety assessment (PSA) (see IAEA Safety Standards Series No. SSG-3, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants [23], and IAEA Safety Standards Series No. SSG-4, Development and Application of Level 2 Probabilistic Safety Assessment for Nuclear Power Plants [24]), engineering judgement or similar studies from other plants, and operating experience at the plant or at other plants, can provide the basis for the selection of severe accident sequences.

Working conditions

3.8.

The severe accident management programme should address the full spectrum of challenges to fission product barriers, including those arising from multiple hardware failures, human error and postulated hazardous conditions, including external hazards more severe than those considered for the design, derived from the site hazard evaluation. The severe accident management programme should also consider possible consequential failures and physical phenomena that may occur during the evolution of a severe accident. In the development process, even very improbable failures should be considered.

Working conditions

3.9.

For determination of the full spectrum of challenges to fission product barriers, useful input can be obtained from the Level 2 PSA for the plant (or similar studies from other plants), engineering judgement and insights from research on severe accidents. However, the identification of potential challenge mechanisms should be as comprehensive as possible to provide a basis for the development of severe accident management guidance for plant personnel in all situations, even if the evolution of the accident would constitute a very unlikely path within the Level 2 PSA.

Working conditions

3.10.

In view of the inherent uncertainties involved in determining credible events, the PSA for the plant should not be used a priori to exclude accident sequences from consideration in the development of severe accident management guidance. If such an approach is considered, extremely low cut-off levels should be specified so as not to underestimate the scope and nature of the accident sequences to be analysed.

Working conditions

3.11.

The vulnerabilities of the plant to challenging conditions should be identified. It should be investigated how specific severe accidents will challenge the fundamental safety functions and, if these are lost and not restored in due time, how the integrity of the fission product barriers will be challenged.

Working conditions

3.12.

The vulnerabilities to postulated hazardous conditions — including external hazards more severe than those considered for the design, derived from the site hazard evaluation — that can impact the use of safety features for severe accident management on both permanent and non-permanent equipment should be identified. It should be investigated how specific hazards might interfere with the use of safety features for severe accident management.

Working conditions

3.13.

When developing guidance on severe accident management, consideration should be given to the full capabilities of the plant, including permanent and non-permanent equipment, as appropriate. Particular care should be taken if the possible use of some systems beyond their originally intended function is foreseen in the severe accident management guidance.

Working conditions

3.14.

All plant capabilities available to fulfil and support the plant’s fundamental safety functions should be identified and characterized. This should include a review of the on-site consumable resources for the plant that would be required to support safety systems, as well as the use of non-dedicated systems and unconventional or alternative line-ups or hook-up connections for non-permanent equipment located on the site or brought in from off the site.

Working conditions

3.15.

Specific consideration should also be given to maintaining the conditions necessary for the continued operation of equipment that is ultimately necessary to prevent early or large radioactive releases.

Working conditions

3.16.

When unconventional or alternative line-ups or hook-up connections are necessary, consideration should be given to the availability of the equipment needed to facilitate the establishment of such connections by the appropriate staff and to possible restrictions of authorized access to such equipment.

Working conditions

3.17.

To minimize the time needed to deploy equipment in unconventional ways after a severe accident, and to ensure that this equipment can be deployed with due regard for the safety of the operators involved, the relevant instructions to take actions safely and effectively should be prepared in advance by defining a set of steps that have been appropriately reviewed and identifying the prerequisites necessary (e.g. the prestaging of any special tools or components).

Working conditions

3.18.

The ability of plant personnel to successfully take unconventional measures to mitigate accident challenges under adverse environmental conditions should be carefully considered.

Working conditions

3.19.

In determining the capabilities of the plant personnel to deploy mitigating equipment in harsh environments, the implications of the following should be considered:

Working in high temperature, high pressure or high humidity areas;
Working in poorly lit or dark areas;
Working in areas ventilated by portable ventilation systems;
Working in high radiation areas;
Using non-permanent instrumentation or non-permanent power supplies.

Severe accident management strategies

3.20.

On the basis of the vulnerability assessment and identified plant capabilities, as well as the understanding of accident phenomena, severe accident management strategies should be developed for each individual challenge or plant vulnerability.

Severe accident management strategies

3.21.

For cases in which significant fuel rod degradation is imminent or ongoing, strategies should be developed with the following objectives:

Maintaining the integrity of the containment or any other remaining confinement barrier and preventing containment bypass;
Minimizing or delaying any off-site releases of radioactive material;
Returning the plant to a long term safe stable state.
Terminating the progress of fuel rod degradation;
Maintaining the integrity of the reactor pressure vessel and other fuel retaining structures (such as the spent fuel pool).

Severe accident management strategies

3.22.

Severe accident management strategies may be derived from ‘candidate high level actions’, such as the following:

Filling the secondary side of the steam generators to prevent creep rupture of the steam generator tubes;
Depressurizing the reactor coolant system to prevent high pressure failure of the reactor pressure vessel and direct containment heating;
Flooding the reactor cavity to prevent or delay vessel failure (or facilitate corium spreading on a large area in the case of vessel rupture) and subsequent basemat failure;
Mitigating the impact of combustible gases;
Depressurizing the containment to prevent its failure by excess pressure or to prevent basemat failure under elevated containment pressure (see Ref. [17]).

Severe accident management strategies

3.23.

A systematic evaluation of the possible severe accident management strategies should be conducted to confirm their feasibility and effectiveness, to determine potential negative impacts and to prioritize the strategies using appropriate methods. Adverse conditions that may affect the execution of a strategy during the evolution of a severe accident should be considered. The evaluation should be documented in the relevant background document.

Severe accident management strategies

3.24.

Particular consideration should be given to severe accident management strategies that have both positive and negative impacts in order to provide a basis for a decision as to which strategies constitute a proper response for a given plant damage state. The background documentation supporting SAMGs should include a full description of the benefits and potential negative implications of the severe accident management strategies.

Severe accident management strategies

3.25.

To minimize the time needed to deploy equipment in unconventional ways following a severe accident, and to ensure that these actions can be taken with due regard for the safety of the operators involved, the relevant instructions should be prepared in advance, by defining a set of steps that have been appropriately reviewed including identifying the prerequisites necessary (e.g. pre-staging of any special tools or components) to take actions safely and effectively.

Severe accident management strategies

3.26.

Severe accident management strategies should also be developed for situations in which DC power is lost after a long term loss of all AC power.

Severe accident management strategies

3.27.

The plant control and logic interlocks that may need to be defeated or reset for the successful implementation of severe accident management strategies should be systematically identified. It should also be verified that the potential negative effects of such actions have been adequately characterized and documented.

Severe accident management strategies

3.28.

The definition and selection of strategies applicable to severe accidents should consider the potential usefulness of maintaining strategies initiated when significant fuel rod degradation had not yet occurred. For example, subcriticality of the core or the core debris should be maintained, and a path should be provided to transfer decay heat from the core or molten core debris to an ultimate heat sink, where possible.

Severe accident management strategies

3.29.

The need to avoid or minimize the accumulation of large amounts of potentially contaminated water, including leakage resulting from damage to the containment, should be considered in the long term strategies for storing and remediating contaminated water.