Overview of Guidelines on Technical Safety Review … · Overview of Guidelines on Technical Safety...


Citation preview

Overview of Guidelines on Technical Safety

Review Services for Accident Management

Presented by Naoki Hiranuma, Nuclear Safety Officer

Safety Assessment Section/Division of Nuclear Installation

Safety/Department of Nuclear Safety and Security (SAS/NSNI/NSS)


IAEA Workshop on the Development of Severe Accident Management Guidelines Using the IAEA’s Severe Accident Management Guideline Development Toolkit

11-15 December 2017

Vienna, Austria


• To provide overview of review guidelines for

Accident Management on Technical Safety

Review (TSR-AM) Services,

– in principle, based on the Guidelines for the review of

accident management programmes in nuclear power

plants (SVS No. 9, May 2003)






• Options of Technical Safety Review service for

Accident Management (TSR-AM)

• Purpose and Scope of the guidelines for TSR-AM

• Review of Accident Analysis for Accident

Management (RAAAM)

• Review of Accident Management Programme


• Preparation and Conduct

• Conclusion


Options of TSR-AM (1/2)

• Review of Accident Analysis for Accident

Management (RAAAM)

– To check completeness and quality of accident

analysis for DECs (original text is ‘BDBA and severe accidents’)

– Should be performed prior to use of accident analysis

for development of Accident Management Programme


– 2 experts and 1 IAEA team leader

– One week mission


Options of TSR-AM (2/2)

• Review of Accident Management Programme


– To check its quality, consistency and completeness

RAAAM is a part of the overall review

– Should be performed prior to its implementation

– 4 experts and 1 IAEA team leader

• If RAAAM was not done separately, 2 more experts will be


– One week mission


Purpose and Scope of the guidelines

• To give guidance on the preparation, execution

and reporting of IAEA missions or its components

• To be used by the review team members

• Assistance to operators and regulators in

preparing, developing and implementing AMP

and in performing their internal review or

regulatory review


Review of Accident Analysis for

Accident Management (1/14)

• Objectives of the review

– To assess the completeness and quality of accident

analysis performed for DECs (BDBA and severe


Focus on; selection of accident sequences, selection of

analytical tools, analysis of accidents w/o operator action,

analysis of various preventive and mitigative AM measures,

and quality assurance (QA) in accident analysis

Uncertainties (e.g. code models and correlations) have to be

considered in the evaluation of analysis results


Review of Accident Analysis for

Accident Management (2/14)

• Reference material (in English)

– Basic material; needed in advance of the review


Basis for the selection for accident sequences and their


Characteristic of computer codes used;

Summary report on analysis of accidents w/o operator


List of symptoms used for preventive and mitigative

actions; and

Summary reports on analysis with operator actions.


Review of Accident Analysis for

Accident Management (3/14)

• Reference material (in English) (cont’d)

– Specific material; provided during the on-site review


Summary reports on PSA level 1 and level 2, if available or other

relevant documents showing the plant vulnerabilities;

Justified list of the selected accident sequence classes;

Engineering Handbook and Database for the analysis, with

references to sources of data;

Justification of the applicability of the computer codes selected

for analysis;

Full reports on analysis w/o operator actions, preventive and

mitigative measures analysis;

Plant emergency operating procedures (EOPs); and

QA procedure for accident analysis and prove of its application. 9

Review of Accident Analysis for

Accident Management (4/14)

• Course of the review

1. Selection of accident sequences

2. Information needed for analysis

3. Selection of analytical tools

4. Analysis without operator action

5. Evaluation of capabilities and limitations of existing


6. Identification and analysis of preventive measures

7. Identification and analysis of mitigative measures

8. QA in accident analysis


Review of Accident Analysis for

Accident Management (5/14)

1. Selection of accident sequences

Key questionnaires;

Was adequate use made of results of PSA level 1?

Is there additional information used for the accident sequence

categorisation process?

o Such as; design specificaion, operational experience, accident

precursors, and severe accident research, and so on.

Have plant specific severe accident phenomena been considered

in the selection process?

Have accident sequence classes been chosen which focus on risk

significant accidents?

A complete PSA level 2 would replace a step of accident

sequence classification 11

Review of Accident Analysis for

Accident Management (6/14)

2. Information needed for analysis

Computer code(s) input data; geometry, thermal-hydraulics

parameters, control and safety systems’ characteristics, set

points, and drawings etc.

Key questionnaires;

Which methodology was applied and what simplifying

assumptions and calculations were made to convert technical

plant data to code input deck?

Are modelling assumptions adequately explained and described?

Were input data verified by review and crosschecking by

qualified individuals and groups that were not involved in the

input deck development process?

Is verification appropriately documented?


Review of Accident Analysis for

Accident Management (7/14)

3. Selection of analytical tools

Best estimate codes selected for DECs

Limitation of codes and accident phenomena understood

Key questionnaires;

Are the codes capable to adequately model the physical

phenomena in question?

Do the physical models adequately represent plant specific


Were the applicability range of models and correlations


Was detailed user guidance available and actually used?

Is the personnel qualified for use of the codes?

Has a code qualification programme performed and documented?


Review of Accident Analysis for

Accident Management (8/14)

4. Analysis without operator action

To understand plant response to DECs,

To understand which accident phenomena are important for the

plant in question,

To understand and rank challenges to fission product (FP)

boundaries, and

To provide a sound basis for the investigation of preventive and

mitigative measures.


Rise of PCV

pressure due to


inside reactor

Change of pressure due to

activation of PCV spray

Pressure drops quicker than D/W due to W/W vent






vessel p




Time after accident (min)

Dry well

Suppression chamber

Drop of pressure due to PCV vent

(approx. 18 hours)

Review of Accident Analysis for

Accident Management (9/14)

4. Analysis without operator action (cont’d)

Examples of key questionnaires;

Are trend plots of key parameters available?

Are the analysis results physically reasonable?

Have vulnerabilities of the specific design been identified and

reported, and ranked according to their importance?

Have major challenges to FP boundaries been identified and


Were accident phenomena important to the specific plant


Have the mutual dependencies of the key phenomena been

appropriately identified?


Review of Accident Analysis for

Accident Management (10/14)

5. Evaluation of capabilities and limitations of existing


Existing equipment assessed under consideration of use outside

its design range and margins; or

New equipment being considered in case of inoperability of

available equipment

Key questionnaires;

Has the operability of existing equipment under accident

environmental conditions been assessed?

Is there justification of operability of existing equipment outside

its design range?

Is additional/new equipment dedicated to accident management



Review of Accident Analysis for

Accident Management (11/14)

6. Identification and analysis of preventive measures

Possible preventive measures to prevent or delay the onset of

core damage analyzed under selecting accident sequences

Examples of key questionnaires;

Do the areas selected for studying preventive measures reflect

findings of accident sequence analyses w/o operator intervention?

Were the same input deck and version of computer code(s) used

as for analyses w/o operator intervention?

Was analysis performed to determine that symptoms selected for

activating measures in key areas of preventive accident

management can be used for the whole range of accident

sequences chosen for analysis?

Are sensitivity studies available and documented with varying

values of the symptom(s) that indicate accidents occurring

outside the design? 17

Review of Accident Analysis for

Accident Management (12/14)

7. Identification and analysis of mitigative measures

Possible measures to mitigate the consequences of core damage analyzed under selecting accident sequences

Examples of key questionnaires;

Do the areas selected for mitigative measures studies reflect findings of accident sequence analyses w/o operator intervention and with preventive measures?

Were the same input deck and version of computer codes used as for analyses w/o operator interventions?

Was analysis performed to determine that symptom(s) selected for activating measures in key areas of mitigative accident management can be used for the whole range of accident sequences chosen for analysis?

Have sensitivity studies been performed and documented with varying values of the symptom(s) that indicate accidents occurring outside the design range?


Review of Accident Analysis for

Accident Management (13/14)

8. QA in accident analysis

Key questionnaires;

Are QA procedures in agreement with established rules?

Has the production of the Database and the Engineering

Handbook been in line with the established QA procedures?

Have all contradictions been satisfactory resolved?

Was the input deck verified, and how was it validated?


Review of Accident Analysis for

Accident Management (14/14)

• Results of the review

– Should be documented to include;

The major findings under each review step

Recommendations related to;

Appropriateness of accident sequence selection;

Qualification of analysis tools;

Correctness of input data, including correct consideration of NPP


Identification and analysis of preventive and mitigative accident

management measures; and

QA in accident analysis.



Review of Accident Management

Programme (1/20)

• Objectives of the review

– To review the comprehensiveness, consistency, and quality

of the AMP



OSART Guidelines,

Safety Report Series

related to AMPs, etc.

1st phase

2nd phase

Review of Accident Management

Programme (2/20)

• Reference material (in English)

– The advance material; needed to be submitted prior to the review mission

Relevant regulatory requirements;

Description of the NPP systems configuration;

Summary report on PSA level 1 and, if available, level 2 or another documents showing plant vulnerabilities;

List of symptoms used for preventive and mitigative actions;

Tasks and tools of the technical support centre (TSC);

Overview of the EOPs and SAMGs;

Overview of computational aids (CAs);

Overall description of the AMP; and

Results of previous peer reviews relevant to the accident management; in particular, this also includes peer reviews of PSA level 1 and 2 studies, if available.


Review of Accident Management

Programme (3/20)

• Reference material (cont’d)

– Examples of the material to be available during the review


All the documents needed for review of accident analysis in support of

accident management (same to RAAAM)

EOPs and SAMGs;

List of equipment considered in accident management;

Documents on qualification of equipment (including instrumentation);

Training programmes for AMP personnel, including description od

software tools;

QA programme for operation;

On-site and off-site emergency plans including emergency organization;

Documentation on the plant physical protection related to accident

management; and

Programmes and results of emergency drills. 23

Review of Accident Management

Programme (4/20)

• Course of the stepwise review

1. Selection and definition of AMP

2. Accident analysis for AMP

3. Assessment of plant vulnerabilities

4. Development of severe accident management strategies

5. Evaluation of plant equipment and instrumentation

6. Development of procedures and guidelines

7. Verification and validation of procedures and guidelines

8. Integration of AMP and plant emergency arrangements

9. Staffing and qualification

10. Training needs and training performance

11. AMP revisions 24

Review of Accident Management

Programme (5/20) 1. Selection and definition of AMP

The basic principles to be adopted in the programme

The scope of the programme

Links to;

Other projects, any upgrade policy and compliance with associated IAEA Safety Standards (SSs)

Examples of key questionnaires;

Has the degree to which the implementation of the AMP may generate requirements for equipment upgrades been specified?

Have requirements of IAEA SSs been addressed?

Have the entry and exit conditions, and the transitions between EOP and SAMG (if applicable) been defined, and existing EOPs modified to reflect them?

Has the acceptable plant end state configuration (for example a ‘controled stable state’) been defined?

If a generic approach has been used, has it been appropriately evaluated and assessed for applicability to the plant design in question?


Review of Accident Management

Programme (6/20)

2. Accident analysis for AMP

Requirements for analytical information at all three main phase

of AMP

Preparation, development and implementation

Key questionnaires on General items;

Where analysis has been performed, have appropriate tools and

models (with sufficient range of applicability) been used to

perform the analysis?

Has due consideration been made of the uncertainties in the

predictions of the analytical models? What practical impact did

this have on the procedures and guidelines?

Has analysis been performed on a ‘best estimate’ basis?


Review of Accident Management

Programme (7/20)

2. Accident analysis for AMP (cont’d)

Key questionnaires on Preliminary analysis;

Was an initial review of available background analyses and other supporting information performed at the beginning of the development project?

Was the review able to conclude that sufficient background information already exists;

o to identify plant specific vulnerabilities, nature and importance of potential challenges to FP boundaries, timing of challenges, parameters which can be used as symptoms, potential strategies to manage the accident, and

o in general to understand well the plant specific response to accident situations?

If not, was an appropriate programme of work performed to develop such a technical basis?

Did the background information also indicate what the plant response would be to proposed strategies?


Review of Accident Management

Programme (8/20)

2. Accident analysis for AMP (cont’d)

Key questionnaire on Development phase analysis;

Are the following aspects of the AMP development backed up by


Confirmation of choice and optimisation of strategies

Setpoint calculations

Use of systems to perform specific duties

Choice of key symptoms

CA development

Any recommendations for equipment or instrumentation upgrades

Key questionnaire on Implementation phase analysis;

Was any analysis performed in support of the validation

programme appropriately defined and performed?


Review of Accident Management

Programme (9/20)

3. Assessment of plant vulnerabilities

The first step to developing accident management strategies

Key questionnaires;

Has a systematic plant specific identification of the plant’s

vulnerabilities been performed?

Was a suitable and appropriate technical basis (including

background documentation and analyses) used to perform the

identification of vulnerabilities?


Review of Accident Management

Programme (10/20)

4. Development of severe accident management strategies

Examples of key questionnaires;

Has an appropriate process for the identification and evaluation

of potential strategies been followed (for examples as defined in


Have the strategies been systematically identified, evaluated for

potential effectiveness, and evaluated for potential negative


If the programme is based on a generic approach, has an

assessment of differences between the actual and generic

reference plant designs been made, and applied to an assessment

of the applicability of generic strategies?

Has due consideration been taken of the possibility and effects of

interactions between different strategies? 30

Review of Accident Management

Programme (11/20)

5. Evaluation of plant equipment and instrumentation View points; the needs, the potential availability and the


Examples of key questionnaires; Has a systematic review of plant specific systems capabilities

been performed, and have the results been specifically reflected in the procedures/guidelines?

Have any limitations associated with operating the equipment been identified and addressed? E.g. can interlocks be removed in a user friendly way?

Have possible alternative ways to implement a given strategy been identified?

Have temporary measures also been considered?

Have the necessary arrangements been made to ensure that the instrument data is available to the SAMG users?

For multi-unit sites, has the use of systems or other capabilities from the unaffected units been addressed?


Review of Accident Management

Programme (12/20)

6. Development of procedures and guidelines

Examples of key questionnaires;

Has a consistent approach to procedure and guideline writing been adopted (language, use of specific terms, etc.)? Has a ‘writers guide’ been followed?

Has guidance been prepared for all involved parts of the organisation (e.g. operators, safety engineer(s), TSC)?

Have the long-term implications or concerns of implementing the strategies been considered?

Is not only point-value information from instrumentation asked for, but also trend information?

Have requirements and means to override or block automatic protection system signals or interlocks been identified?

Has the need to produce revisions of the guidelines and background information been considered within the structure of the material?


Review of Accident Management

Programme (13/20)

7. Verification and validation of procedures and guidelines Required to ensure the overall quality and usability of the final

guidance material

Examples of key questionnaires; Were the plant specific procedures and guidelines fully and

independently reviewed, in accordance with the applicable QA programme, during their development?

Do the setpoints and the guidance as defined reflect the present state-of-the-art and are they in line with the technical boundaries of the plant?

Has it been verified that the procedures/guidelines represent technically correct interpretations of the high level strategies and are capable of achieving their objectives?

Did the scenarios chosen for use in the validation cover a wide range of the procedures/guidelines?

Did the validation test the organizational aspects of severe accident management, especially the roles of the evaluators and decision makers?


Review of Accident Management

Programme (14/20)

8. Integration of AMP and plant emergency arrangements Organizational aspects, especially definition of lines of

responsibility covered by a review and potential additions to the plant’s emergency arrangements

Examples of key questionnaires; Has the onsite emergency response organization (ERO) been

reviewed and perhaps modified to incorporate the new severe accident management functions?

Has the AMP been integrated into the emergency response arrangements?

Are criteria and procedures used by the operational staff for classification and activation of the response organization adequate for timely implementation of the accident management functions?

Have the lines of responsibility been clearly defined for evaluators, decision makers and implementers, for all severe accident management functions?


Review of Accident Management

Programme (15/20)

9. Staffing and qualification The SAMG user team need to be appropriately constituted and


Examples of key questionnaires; Has it been shown that the staff can perform their assigned

accident management functions under the conditions anticipate during an emergency?

Have possible conflicts with other response functions (e.g., search and rescue, security, fire fighting) been considered and resolved?

Have provisions been made to effectively utilize the emergency services (e.g., fire fighting) available from off-site to include providing them: prompt access to the site, appropriated training and radiation protection?

Has the decision maker and other people involved in the decision process adequate technical knowledge of severe accident phenomena and accident management?


Review of Accident Management

Programme (16/20)

10. Training needs and training performance

Examples of key questionnaires; Was a training plan developed, in a timely fashion, which

identified which staff (individuals and groups) need training, and at what level? Is a training programme available for each function described in the emergency plans?

Does the training provided focus on correct execution of the emergency plan tasks and, hence, involve knowledge based, skill based and efficiency oriented training as described in IAEA Safety Guide on Operational Limits and Conditions and Operating Procedures for Nuclear Power Plants (NS-G-2.2)?

Does the training programme contain topics, which vary depending on the function of the staff being trained?

Are drills and exercises conducted under conditions that realistically simulate the conditions present during an emergency to include: simulations performance of other response actions, hazardous work conditions, time constraints and stress?


Review of Accident Management

Programme (17/20)

11. AMP revisions

Key questionnaire;

Has a mechanism been put in place, which allows for the update

of the programme when new or revised information becomes



Review of Accident Management

Programme (18/20)

• Review in relation to the basic safety principles

– Usage of ‘objective trees’, in order to identify a set of

challenges for given objectives of the accident management;

Provisions for development of strategies

General provisions for performance of equipment in accident


Provisions for performance of personnel in accident management

Specific provisions (technical means) for emergency heat

removal, protection of containment structure And limitation of

radioactive releases

Provisions for integration with emergency arrangements and NPP

physical protection


Review of Accident Management

Programme (19/20)

• Review in relation to the basic safety principles (cont’d)

– Example of ‘objective trees’


Objectives; Control of severe accident conditions,

including prevention of accident progression and

mitigation of consequences of severe accidents

Challenges; Inadequate accident management


Mechanisms; Incomplete review of NPP full design

capabilities, etc.

Provisions; Identify equipment expected to work

outside its design range, etc.

Review of Accident Management

Programme (20/20) • Results of the review

– Uncertainties; Due to insufficiency of analysis tools;

Due to bifurcation in the behaviour of the plant;

Due to equipment capability and availability;

The available information during the accident; and

Human behaviour.

‒ Conclusions and recommendations in terms of; Compliance of the overall AMP approach with IAEA SSs requirements;

Quality and extent of the accident analysis to support the AMP in all levels;

Technical correctness of accident management actions, in accordance with up-to date knowledge, proper management of uncertainties at all levels;

Consistency of the accident management procedures and guidelines with other operating procedures;

Level of verification and validation of the procedures and guidelines;

Compliance of the responsibilities of the accident management staff with the plant emergency arrangements;

Consistency of the interface between preventive and mitigative actions and procedures, including the entry and exit criteria; and

Performance of the equipment and instrumentation during the severe accident conditions. 40

Preparation and Conduct of the

review (1/3)

• Preparing the review

– Scope specified in the Member State’s request

– Consideration in selecting the experts;

The experts should not be selected from the organizations

involved in development of AMP to avoid potential conflict of


Team members should overlap in expertise, to have as broad

experience in the team as possible; and

Variety of vies (different approaches) and experience should be

represented in the team.


Preparation and Conduct of the

review (2/3)

• Conducting the review

– Based on the documentation, discussion, observations and plant walk-downs

– Divided into; for example 0.5 day – General presentations incl. NPP sys. Configuration

2.5 days – Technical discussions and plant walk-downs

1.0 day – Report writing

0.5 day – The exit meeting

‒ Plant walk-downs may include; Overall NPP walk-down, including localization of equipment

important for accident management;

Operational Support Centre; and



Preparation and Conduct of the

review (3/3)

• Reporting of the review

– Final review report

Draft mission report prepared on the site and handed over on the

last day of the mission

Draft final review report should be submitted to the host

organization within one month of the end of the review meeting

Final review report incorporates comments received on the draft

– Exit meeting (held before leaving the host organization)

• Provides its observations, preliminary recommendations and

suggestions to representatives of the organization

• Should be conducted on a free, open and positive atmosphere



• TSR-AM will be implemented by use of the

Guidelines for the review of accident management

programmes in nuclear power plants (IAEA Services

Series No. 9)

• The guidelines provides guidance on the preparation,

execution and reporting of IAEA missions devoted to

review of the AMP or its components

• In particular, key questionnaires are shown at each

review step on RAAAM and RAMP missions


Thank you for your attention!
