Lecture 3 Basic Principles of Accident Management Module 1b · PDF fileIAEA Summary of Module 1b • Introduction to Accident Management 1. Principles of AM 2. Basic Structure of the
26
IAEA International Atomic Energy Agency Lecture 3 Basic Principles of Accident Management Module 1b IAEA Training Workshop on Severe Accident Management Guideline Development using the IAEA SAMG-D Toolkit Jeff Gabor
IAEA Training Workshop on Severe Accident Management Guideline Development using the IAEA SAMG-D Toolkit
Jeff Gabor
IAEA
Summary of Module 1b
• Introduction to Accident Management 1. Principles of AM 2. Basic Structure of the
Development of AM 3. Main Characteristics of
AM, EOPs and SAMGs 4. Preventative and
Mitigative measures
Presenter
Presentation Notes
Module 1b provides a summary of the basic principles of accident management. The topics covered in this presentation include a summary of the governing principles, a discussion of the general structure of accident management procedures/guidance, the main characteristics of both the Emergency Operating Procedures and the Severe Accident Management Guidelines, and finally, a discussion of both prevention and mitigation strategies. There are 3 very helpful references provided on this slide; the IAEA SAMG-D toolkit, No. 32 of the Safety Reports Series on Implementation of AM programs, and Safety Guide NS-G-2.15, severe accident management programs for NPP.
IAEA
Principles of Accident Management
• Operating procedures exist for • Normal operation • Anticipated occurrences
• Alarm Response procedures • Accident conditions
• Emergency Operating Procedures (EOPs) • Design Basis Accident • Limited or no fuel damage
• Severe Accident Management Guidelines (SAMGs) • Fuel damage
Presenter
Presentation Notes
Procedures exist for several severity levels of accident conditions. First are the normal operating procedures. As we all now, this represents the majority of time spent in the control room. Anticipated occurrences, sometimes called alarm response procedures, define well understood conditions that can likely occur during operation of the plant. Operators respond promptly to these conditions in order to avoid undesired conditions or emergencies. For accident conditions, there are 2 primary levels of procedures and guidance. Prior to fuel damage, most plant operators will use the emergency operating procedures or EOPs to prevent an accident event from progressing to core damage. The well analyzed design basis accidents would be mitigated by the EOPs. Should the accident progress to core uncovery and possible fuel damage, that is the time when severe accident management guidelines would be activated.
IAEA
Definitions (SAMG-D)
• Accident Management is the taking of a set of actions during the evolution of an accident beyond the design basis: • To prevent the escalation of the event into a
severe accident • To mitigate the consequences of a severe
accident; and • To achieve a long term safe stable state
Presenter
Presentation Notes
There some simple definitions provided in the IAEA SAMG-D toolkit. Here the term accident management refers to taking a set of actions during the evolution of an accident that is beyond the design basis of the plant. Accident management actions are performed to prevent the escalation of the event to a severe accident, to mitigate the consequences of the accident, and to ultimately achieve a long term stable condition for the plant.
IAEA
Definitions (cont’d)
• Mitigation can also be called Severe Accident Management • To terminate the progression of core damage
once started, • To maintain the integrity of the containment as
long as possible, and • To minimize releases of radioactive material.
Presenter
Presentation Notes
In the SAMG-D toolkit, the term mitigation can also be what we mean by severe accident management and the actions are performed in order to terminate the progression of core damage, to maintain the integrity of the fission product barriers, and to minimize any potential offsite release of radioactive material.
Severe Accident Management Programmes for Nuclear Power Plants, Safety Guide, No. NS-G-2.15
Presenter
Presentation Notes
The SAMGs should be developed using a top-down approach. The first thing is to establish the objectives for the program. To meet the objectives, strategies for core damage prevention and accident mitigation will need to be developed. The strategies rely on methods and measures to implement them and finally, all of this is combined into a set of procedures and guidelines.
IAEA
Defense in Depth
Objective
Essential means
2 1 3 4 5 Level
Defence in Depth in Nuclear Safety INSAG-10, IAEA
Presenter
Presentation Notes
This figure identifies 5 levels of defense in depth. The first level, shown in the center of this figure, represents the objective to prevent any abnormal operation or failures. The essential means or measures taken to accomplish this objective is through the conservative design of the plant and systems and the use of high quality construction and operation methods. Moving out to Level 4, the objective is to provide for the control of severe plant conditions either by the prevention of core damage or by the mitigation of the severe accident consequences. Severe accident management is essential to ensuring effective defense in depth at the fourth level.
IAEA
Prevention and Mitigation
• As stated in the 4th level of Defense-in-Depth, both prevention and mitigation need to be addressed. • Prevention measures are directed to prevent
core melt and bring the plant to a stable state. • Mitigation measures are directed to protect
remaining fission product barriers and reduce any possible radioactive release.
IAEA
Components of AM Program
Implementation of Accident Management Programmes in Nuclear Power Plants Safety Reports Series, No. 32
Presenter
Presentation Notes
This figure shows the major components of an effective accident management program. On the left side are the components for prevention of core damage. EOPs are the primary vehicle for managing this time period of the accident. The events of interest come from the design basis analysis of the plant as well as insights from the Level 1 PSA. There tend to be significant system evaluations for addressing how to prevent core damage and there are procedures to implement actions for this period of time. Moving to the right side, we now have progressed to the point of fuel damage and the primary objective is to mitigate the accident as best as possible. Inputs to these guidelines come from years of severe accident research, input from a Level 2 PSA and a number of other technical studies.
IAEA
Prevention and Mitigation
• Prevention • Usually in the form of procedures • Emergency Operating Procedures • Supported by Level 1 PSA
• Mitigation • Usually in the form of guidelines • Other names (e.g. Operating Strategies for
Severe Accident – OSSAs) • Supported by Level 2 PSA
Presenter
Presentation Notes
As you may have picked up on, we have distinguished in all cases between prevention of core damage and mitigation of core damage. The first, prevention, is usually accomplished using structured flow charts and procedures. As mentioned, a Level 1 PSA is extremely helpful in identifying the systems that can be used and the time available for operator response to prevent core damage. Mitigation actions usually come in the form of guidelines. An example might be the AREVA Operating Strategies for Severe Accidents. Mitigation actions are not always as clear cut and rely on a more in-depth evaluation of the positive and potential negative outcomes for a particular strategy. A Level 2 PSA provides considerable input to the development of mitigation strategies as it looks at dominant accident scenarios and how severe accident phenomenology impacts the consequences of an event.
IAEA
Preventive Measures
• Use engineered safety systems and other systems as feasible
• System function has priority over system protection, but try and stay within design basis
• Priority is with the core • Actions not limited to design basis • Actions may use other systems (e.g. fire water)
Presenter
Presentation Notes
In the prevention of core damage, any and all systems should be considered. This would include systems not credited for this function as part of the plant design basis, but could have the potential to prevent core damage. Prevention measures should keep the focus on the system function and less on the design basis of the system. A great example of this is the operation of the RCIC system and Daiichi Unit 2. This pump appeared to operate well beyond its design basis and was able the extend the time of core damage for several days. For prevention, the priority is on the core and the actions are not limited by the design basis. Actions should make use of all systems, such as CRD and fire water.
IAEA
Preventive Measures (cont’d)
• Actions are clear-cut, have been pre-analyzed, and their outcome is known before hand
• Therefore, procedures are prescriptive • Decisions usually made by Control Room staff,
with support from Technical Support Center • Instruments are mostly reliable • Procedures can be event-based or symptom-
based
Presenter
Presentation Notes
As we have said, preventive measures are usually well analyzed and a clear path to success is known. Given this, prescriptive procedures are appropriate. The actions are usually taken by the control room operators with some help provided by the technical support center. Most of the EOPs are symptom based procedures.
IAEA
Procedures
• Event-based • Event diagnosis required
• Symptom-based • Event diagnosis not needed • Actions taken to satisfy critical safety functions
Event Based procedures initially utilized, but industry has evolved to more
symptom based
Presenter
Presentation Notes
The difference between an event based procedure and a symptom based procedure involves the level of diagnosis that is needed in order to implement the actions. Example of when an event procedure might be used is for a station blackout event. This type of event is fairly straight forward to diagnose and can quickly allow the operators and plant staff to focus in on the actions to restore power to the plant. Most other procedures are symptom based and the actions taken are only in response to the plant conditions, not what initiated the event or what type of event it is. Symptom based procedures focus in on addressing the critical safety functions of the plant.
IAEA
Procedures (cont’d)
• Example of Critical safety Functions 1. Subcriticality 2. Core cooling 3. Heat sink 4. Primary boundary integrity 5. Containment integrity 6. Reactor coolant system inventory
Presenter
Presentation Notes
For example, procedures are used to maintain these critical safety functions. The actions taken are to control core criticality, provide core cooling, and to maintain a heat sink for the decay energy. In addition, actions are taken to preserve the fuel, primary system and containment fission product barriers along with providing reactor coolant makeup.
IAEA
Advantages of Symptom Based Procedures
• Work for wide range of events • No need to know initiating conditions • Actions are appropriate, irrespective of
initiating events • Event procedures may provide support,
assuming a clear indication of the event (e.g. SBO)
Presenter
Presentation Notes
There are several advantages to symptom based procedures. First, they work over a wide range of events. There is no real need to know the initiating event. The actions taken are appropriate independent of what type of event you are in. As stated previously, event based procedures may be useful in some instances where it is relatively easy to diagnose the event. A very interesting personal observation occurred during the first several weeks and even months of the accidents at Fukushima. As the world followed the events at Daiichi, many of us looked towards our own SAMG guidelines as a basis for recommendations to TEPCO. It became clear to me that the symptom based guidance provided by the BWROG SAMGs was not only appropriate but was still appropriate far into the events.
IAEA
Mitigative Measures
• Mitigative measures use all systems available
• System function has priority over system protection
• Priority shifts to fission product barriers, not just the core
• Actions not as clear cut as the outcome is not as well known before hand
Presenter
Presentation Notes
When we discuss SAMG actions, we are now probably looking at strategies to not necessarily prevent core damage, but those actions to mitigate the consequences of a core damage event. During these periods, we would use any and all systems available and would focus our attention to maintaining all fission product barriers, not just the core. As we move from prevention to mitigation, the precise outcome of our actions are less clear. Uncertainties surrounding severe accident phenomenology become more important and can make it more difficult to predict the future response of the plant.
IAEA
Mitigative Measures (cont’d)
• Employs thought process to consider both positive and negative consequences of actions taken
• Benefit from insights in physics of severe accidents
• Decision making usually outside Control Room with Emergency Response Organization (ERO)
Presenter
Presentation Notes
Because of the nature of severe accident phenomena, mitigation strategies require a thought process where both the positive and negative outcomes need to be well understood. Having a strong background in severe accident physics is important to the prioritization of actions. During this phase of an event, control may shift away from the control room and rely much more on the input from the technical support center or the emergency response organization. In a later lecture, we will discuss technical support guidelines which are tools used by the technical support center to better inform their decisions.
IAEA
Procedures
• Step-by-step instructions • Followed word-for-word • Required actions known before hand • Fuel intact, safety systems intact,
instruments functional • Consequences of actions well understood
EOPs
Presenter
Presentation Notes
So, to summarize the discussions we have had during this lecture, procedures are step-by-step instructions which are meant to be followed word-for-word. The actions and their consequences have been calculated ahead of time and are clearly understood by the plant staff. While using these procedures, the fuel is most likely intact with safety systems operating as normal and with adequate instrumentation available. The consequences are well understood for this portion of the event and the actions contained in the emergency operating procedures.
IAEA
Guidelines
• May be structured (step-by-step) • Deviation allowed; not word-for-word • On-the-spot evaluation to select best actions
from several alternatives • Fuel damage likely, safety systems lost, limited
instrumentation • Severe accident analysis involves considerable
uncertainty
SAMGs
Presenter
Presentation Notes
Guidelines are typically described as a less structured process, however, flow charts can be very useful in providing a logical path for accident mitigation. Guidelines are not always to be followed word-for-word and are meant to support a changing on-the-spot assessment of the best actions from a variety of alternatives. Fuel damage is likely as a result of failed systems and perhaps limited instrumentation. The flexibility of these guidelines reflect the uncertainties surrounding severe accident physics in general. These guidelines are what we refer to in the Severe Accident Management Guidelines or SAMGs.
IAEA
Symptom Based
• Examples of acceptable symptoms include: • Core exit temperature • Primary system pressure • Steam generator level • Containment pressure
• Examples of unacceptable symptoms: • Fuel clad temperature • Break size
Tools may exist for complex calculations, but maybe more risky to rely on
Presenter
Presentation Notes
To support symptom based procedures or guidelines, some examples of acceptable symptoms would include core exit temperature, primary system pressure, steam generator water level, and containment pressure. If these plant parameters can be known, they can provide meaningful input to both prevent and mitigation of core damage. Some parameters that would be less useful would include fuel clad temperature and primary system break size. These would be very difficult to ascertain. Some of the SAMG developments have include calculational aids to further support implementation of the guidelines. An example might be the logic diagram for a BWR to support the determination of vessel breach. As we all know, that has continued to be a challenging determination to make at the 3 Fukushima reactors.
IAEA
Event Based
• EOPs and SAMGs typically symptom based • Some events are easily diagnosed;
• Steam generator tube rupture • Station blackout (SBO) • Extended loss of AC power (ELAP)
Presenter
Presentation Notes
As we have continued to discuss, EOPs and SAMGs are well suited as symptom based procedures and guidelines. There are situations where the accident conditions are more easily identified as would be the case in an event based procedure. Examples of these event based procedures might be station blackout, steam generator tube rupture, and extended loss of AC power.
IAEA
SAMG Principles
• SAMG contain mitigative actions and apply after core damage
• SAMG are guidelines, not procedures • SAMG are symptom based • Challenges to fission product barriers
addressed in SAMG • Actions may have both positive and negative
consequences
Presenter
Presentation Notes
The main principles for severe accident management are that SAMGs contain mitigative actions that apply after the core has been damaged. SAMGs are typically in the form of guidelines, not strict procedures and they are symptom based. Challenges to the fission product barriers will be discussed in a future lecture and are addressed in the SAMGs. And, due to the nature of severe accident physics, actions taken can have both positive and negative impacts, so prioritization of actions is important.
IAEA
SAMG Principles (cont’d)
• Multiple strategies to be prioritized based on positive/negative weighting
• All means used to mitigate accident, including operating systems beyond their design basis
Presenter
Presentation Notes
As stated, there may be multiple strategies available and the challenge is to prioritize those alternatives based on a sound understanding of severe accident response. All means are used to mitigate an event, including the use of systems well beyond their design basis.
IAEA
Preventive Domain
• Goal is to prevent core damage • Maintain critical safety functions • Responsibility with control room • Procedures used in the form of EOPs
Presenter
Presentation Notes
In the preventive domain, the primary goal is to prevent core damage. We do that by maintaining the critical safety functions. Implementation of the actions is usually controlled by the control room operators through the use of procedures such as the emergency operating procedures or EOPs.
IAEA
Mitigation Domain
• Goal is to protect fission product barriers • Establish priorities between measures • Responsibility with ERO • Guidelines used in the form of SAMGs
Presenter
Presentation Notes
The mitigative domain has the goal to protect and preserve the fission product barriers. Multiple strategies are possible and the challenge is to prioritize these actions to obtain the best outcome possible. The responsibility for accident management will typically lie outside of the control room with the emergency response organization. And finally, severe accident management actions are usually communicated in the form of guidelines as apposed to step-by-step procedures.
