GUIDE NO.

AERB/NPP-WCR/SG/D-26

GOVERNMENT OF INDIA

AERB SAFETY GUIDE

ACCIDENT MANAGEMENT PROGRAMME

FOR
WATER COOLED REACTOR BASED
NUCLEAR POWER PLANTS

ATOMIC ENERGY REGULATORY BOARD

 AERB SAFETY GUIDE: AERB/NPP-WCR/SG/D-26

ACCIDENT MANAGEMENT PROGRAMME

FOR WATER COOLED REACTOR BASED NUCLEAR
POWER PLANTS

Atomic Energy Regulatory Board

Mumbai-400094
India

July 2020
 Price:

Order for this Guide should be addressed to:

The Chief Administrative Officer

Atomic Energy Regulatory Board
Niyamak Bhavan
Anushaktinagar
Mumbai-400 094
India
 .. ,
•

FOREWORD

Activities concerning establishment and utilisation of nuclear facilities and use of radioactive
sources are to be carried out in India in accordance with the provisions of the Atomic Energy
Act, 1962. In pursuance of ensuring safety of members of the pub I ic and occupational workers
as well as protection of the environment, the Atomic Energy Regulatory Board (AERB) has
been entrusted with the responsibility of laying down safety standards and enforcing rules and
regulations for such activities. The Board has, therefore, undertaken a programme of
developing safety standards, safety codes and related guides and manuals. While some of these
documents cover aspects such as siting, design, construction, operation, quality assurance and
decommissioning of nuclear and radiation facilities, other documents cover regulatory aspects
of these facilities.
AERB Safety codes and safety standards are formulated on the basis of nationally and
internationally accepted safety criteria for design, construction and operation of specific
equipment, structures, systems and components of nuclear and radiation facilities. Safety codes
establish the objectives and set requirements that shall be fulfilled to provide adequate
assurance for safety. Safety guides and guidelines elaborate various requirements and furnish
approaches for their implementation. Safety manuals deal with specific topics and contain
detailed scientific and technical information on the subject. These documents are prepared by
experts in the relevant fields and are extensively reviewed by advisory committees of the Board
before they are published. The documents are revised when necessary, in the light of experience
and feedback from users as well as new developments in the field.
Accident management is an element of the defence in depth and is part of the design of new
reactors and operation of the existing reactors. AERB safety codes on operation and design
require the accident management guidelines to be developed by the utilities. This safety guide
provides guidance to the utilities in the development of accident management programme
including severe accident management guidelines. This safety guide specifies the goals and
guidance which would help the utilities in developing and implementation of the accident
management guidelines. In drafting this document, the relevant AERB Safety Codes on Design
and Operation and International Atomic Energy Agency (IAEA) documents on development
and implementation of Severe Accident Management Progran1r11es for Nuclear Power Plants
have been used. Canadian regulatory document on accident management and other regulatory
uut;uu1e11L� l1ave Gt:t:11 rt:ferretl. Irt atltlilion, IAEA repon on accident managetnem Insights after
Fukushima Daiichi NPP accident and Nuclear Energy Agency (NEA) report of t<1sk p;ro11p on
accident management have also been referred.
A working group consisting of AERB staff and other professionals experienced in this field
has prepared this guide. Experts have reviewed the guide <1nct the relev<1nt AF.RR ;:icivisory
committees have further reviewed it before issue.
AERB wishes to thank all individuals and organisations who have prepared and reviewed the
document and helped in its finalisation. The list of persons, who have participated in this task,
along with their affiliations, is included for information.

���
(G�geswara Rao)
Chairman, AERB
 SPECIAL DEFINITIONS

Additional Safety Systems/Features

Items designed to perform a safety function or which has a safety function in design extension
conditions without core melt.

Accident Conditions
Deviations from normal operation which are less frequent and more severe than anticipated
operational occurrences, and which include design basis accidents and design extension
conditions.

Accident Management
Actions carried out during the evolution of design extension conditions:
(a) to prevent the escalation of the event into a severe accident;
(b) to mitigate the consequences of a severe accident;
(c) to achieve a long term safe stable state.
The second aspect of accident management (to mitigate the consequences of a severe accident)
is also termed severe accident management.

Accident Management Programme

An accident management programme consists of all activities and processes developed and
undertaken by an operating organization for the prevention and mitigation of accidents. Severe
accident management programmes are focused solely on the mitigation of severe accidents.

Complementary Safety Features

A design feature outside of the design basis envelope that is introduced to cope with design
extension conditions with core melt/severe accidents.

Computational Aid
Pre-calculated analyses, nomographs or easily usable computer software available for use by
plant staff during accident management (i) to guide and support plant staff (ii) to predict
accident phenomena and timing and (iii) to evaluate the effectiveness of specific candidate
strategies.

Controlled State
This is a state of the plant, following an anticipated operational occurrence or accident
condition, in which the fundamental safety functions can be ensured and can be maintained for
a time sufficient to implement provisions to reach a safe state/safe shutdown state.

Core Damage
Significant core degradation or severe core damage or core damage for PHWRs:
Loss of structural integrity of more than one coolant channel.

Core melt/core damage for LWRs:

Loss of coolable geometry resulted due to loss of coolant and simultaneous loss of SSCs
provided for the core cooling.

ii
 Design Basis Accident
Accident conditions against which a nuclear power plant is designed according to established
design criteria (including single failure criteria), and for which the damage to the fuel and the
release of radioactive material are kept within authorised limits.

Design Extension Conditions

Accident conditions that are not considered for design basis accidents, but that are considered
in the design process of the facility in accordance with best estimate methodology, and for
which releases of radioactive material are kept within acceptable limits. Design extension
conditions could include severe accident conditions.

Long-term Safe Stable State

A state in which fuel in the core1 or the spent fuel pool is submerged in water, the associated
reactivity is controlled to remain subcritical, and a long-term decay heat removal from the fuel
is achieved and maintained.

Mitigatory Action
Actions (i) to reduce the potential for conditions to develop that would result in exposure or a
release of radioactive material requiring emergency actions on or off the site; or (ii) to mitigate
source conditions that may result in exposure or a release of radioactive material requiring
emergency actions on or off the site.

Onsite Emergency Response Organization (or any equivalent organization)

An organization consisting of group of dedicated personnel who evaluate, decide and execute
actions of accident management and emergency response.

Plant States
Operational States Accident Conditions

Normal Anticipated Design Design extension conditions Practically

operations operational basis eliminated
occurrences accidents conditions
Accidents without Accidents with Early or large
significant core release of
core/fuel* melt/significant radioactivity
degradation core from
degradation@ containment
Considered in design
Severe accidents
*‘Fuel’ word is used here to address the spent fuel pool events
@ ‘Fuel’ word is not used here as accidents with fuel melt are practically eliminated in spent fuel pool. ‘Core
melt’ terminology is applicable for LWRs whereas ‘significant core degradation’ is applicable for PHWRs

Safe Shutdown State

Safe shutdown state is the state of the plant, following an anticipated operational occurrence or
accident conditions, in which the fundamental safety functions can be ensured and maintained

1
Refer the definitions of safe state and severe accident safe state as applicable for the reactor core/corium.

iii
continuously (Section 5.20.2 of AERB Safety Code on Design of Light Water Reactor based
Nuclear Power Plants, AERB/NPP-LWR/SC/D may be referred for further details).

Safe State
State of plant, following design extension condition without core melt, in which the reactor is
subcritical and the fundamental safety functions can be ensured and maintained stable for a
long time (Section 5.20.3 of AERB Safety Code on Design of Light Water Reactor based
Nuclear Power Plants, AERB/NPP-LWR/SC/D may be referred for further details).

Severe Accident
An accident more severe than a design-basis accident and involving severe core degradation in
the reactor core or fuel degradation in the spent fuel pool.

Severe Accident Management Guidelines

A set of guidelines for actions for severe accident management.

Severe Accident Preventive Guidelines

A set of guidelines for actions to fulfill the accident management objective of ‘preventing core
damage’ are termed as Severe Accident Prevention Guidelines.

Severe Accident Safe State

Severe accident safe state is a state, which shall be achieved subsequent to a design extension
condition with significant core damage or core melt phenomena. Severe accident safe state
shall be reached at the earliest after an accident initiation. It should be possible to maintain this
state indefinitely. During this state there is (Section 5.20.4of AERB Safety Code on Design of
Light Water Reactor based Nuclear Power Plants, AERB/NPP-LWR/SC/D may be referred for
further details):
a) no possibility of re-criticality
b) fuel or debris is continuously cooled
c) uncontrolled release of radioactivity to environment is arrested
d) means to maintain above conditions are available for long term, including critical
parameter monitoring
e) monitoring of radiological releases and containment conditions

Symptom based procedure/guideline

A procedure or guideline for actions to be taken depending on the values of directly measurable
plant parameters.

Verification (for procedures and guidelines)

Verification is a process to confirm the correctness of a written procedure or guideline and to
ensure that organisational, technical and human factors have been properly incorporated.

Validation (for procedures and guidelines)

Validation is a process to confirm that the actions specified in the procedures and guidelines
can be followed by trained staff to manage emergency events.

iv
 CONTENTS

SPECIAL DEFINITIONS ................................................................................................................... II

1 INTRODUCTION ........................................................................................................................ 1
1.1 GENERAL ................................................................................................................................................. 1
1.2 OBJECTIVE .............................................................................................................................................. 1
1.3 SCOPE ...................................................................................................................................................... 1
2 GENERAL ASPECTS OF ACCIDENT MANAGEMENT PROGRAMME ......................... 4
2.1 RELEVANT AERB REQUIREMENTS FOR ACCIDENT MANAGEMENT PROGRAMME ...................... 4
2.2 OBJECTIVES FOR ACCIDENT MANAGEMENT...................................................................................... 5
2.3 CONCEPT OF ACCIDENT MANAGEMENT PROGRAMME .................................................................... 5
2.4 GENERAL REQUIREMENTS FOR DEVELOPING ACCIDENT MANAGEMENT PROGRAMME ............ 6
3 DEVELOPMENT AND IMPLEMENTATION OF AN ACCIDENT MANAGEMENT
PROGRAMME ................................................................................................................................... 12
3.1 GENERAL ASPECTS .............................................................................................................................. 12
3.2 IDENTIFICATION OF PLANT VULNERABILITIES ................................................................................ 13
3.3 IDENTIFICATION OF PLANT C APABILITIES ....................................................................................... 14
3.4 DEVELOPMENT OF ACCIDENT MANAGEMENT STRATEGIES .......................................................... 14
3.5 ANALYSIS FOR DEVELOPMENT OF ACCIDENT MANAGEMENT PROGRAMMES ........................... 16
3.6 DEVELOPMENT OF PROCEDURES AND G UIDELINES ....................................................................... 18
3.7 HARDWARE PROVISIONS/INSTRUMENTATION FOR ACCIDENT MANAGEMENT .......................... 22
3.8 PERSONNEL STAFFING AND NEEDS ................................................................................................... 25
3.9 ORGANIZATIONAL ASPECTS, RESPONSIBILITIES AND INTERFACES WITH EMERGENCY
PREPAREDNESS AND RESPONSE......................................................................................................... 26
3.10 VERIFICATION AND VALIDATION ...................................................................................................... 30
3.11 ACCIDENT MANAGEMENT TRAINING AND EXERCISES .................................................................. 33
3.12 UPDATING ACCIDENT MANAGEMENT PROGRAMME ...................................................................... 34
4 EXECUTION OF PROCEDURES AND GUIDELINES ....................................................... 36
5 DOCUMENTATION OF ACCIDENT MANAGEMENT PROGRAMME......................... 38
APPENDIX-A: ACCIDENT MANAGEMENT ACTIONS ............................................................ 39
APPENDIX-B: TYPICAL PLANT PARAMETERSUSED IN ACCIDENT MANAGEMENT
PROGRAMME ................................................................................................................................... 42
APPENDIX-C: TYPICAL EXAMPLES OF PLANT DAMAGE CONDITIONS ....................... 44
APPENDIX-D: TYPICAL LIST OFPARAMETERS FOR ENTRY/EXIT CRITERIA ............. 46
APPENDIX-E: COMPUTATIONAL AIDS ..................................................................................... 47
REFERENCES .................................................................................................................................... 49
LIST OF PARTICIPANTS OF WORKING GROUP ........................................................................ 51
ACNRS MEMBERS.............................................................................................................................52
 1 INTRODUCTION
1.1 General

In nuclear power plant design, defence in depth is achieved through five levels. Level-1:
prevention of deviations from normal operation and the failure of items important to
safety, Level-2: detecting and control of deviations from normal operational states in
order to prevent anticipated operational occurrences at the plant from escalating to
accident conditions, Level-3: prevention of damage to the reactor core/irradiated fuel or
significant off-site releases and returning the plant to a safe shutdown state in case of a
design basis accident by means of inherent and/or design provisions, safety systems and
procedures. Level-4: prevention of extensive fuel damage or core melt (design extension
conditions without core melt) through additional safety systems/features and limit the
consequences of accident conditions with core melt (design extension conditions with
core melt) by means of complementary safety features,Level-5: mitigating the
radiological consequences of radioactive releases that could potentially result from
accident conditions through emergency response measures such as emergency plans and
facilities for on-site and off-site emergency response. The mapping between plant states,
defence in depth and other characteristics are shown in Figure 1.
Accident management is one of the key components of effective defence in depth,
especially for the fourth level of defence in depth. A set of actions taken during the
evolution of accident progression during design extension conditions (DEC) viz. i) to
prevent the escalation of the event into a severe accident ii) to mitigate the consequences
of a severe accident iii) maintaining the integrity of the containment iv) minimising the
releases of radioactive material v) to achieve a safe state/severe accident safe state is
termed as ‘Accident Management’. A comprehensive accident management programme
(AMP) with plant specific information is necessary for performing these functions.

1.2 Objective

This safety guide provides primarily guidance to licensee/applicant for development,

implementation, evaluation and updation of the accident management program for
nuclear power plants.

1.3 Scope

This safety guide is primarily for the use in the development of accident management
programme for water cooled reactors (light water and heavy water cooled reactors). The
guidelines are not only applicable for accident management during at-power states, but
are intended to be valid also for other modes of operation, including shutdown state.
Guidance on accident management for spent fuel pools (SFP) is also covered. Preventive
and mitigatory domains of accident management are covered in this guide.
The recommendations of this Safety Guide may also be applied with judgement to other
types of nuclear installations, including research reactors and nuclear fuel cycle facilities
(including facilities for the storage of spent nuclear fuel). The principles elaborated in
this safety guide are also applicable to other types of NPPs.

1
This document deals with the accident management aspects and interface between
accident management programme and emergency response. However, it does not include
guidance on emergency preparedness and response.

2
 Plant States Normal AOOs DBAs DECs Practically eliminated
Operation conditions
without significant with core (Early or large releases)
core/fuel degradation melt/significant
core degradation

Defence in Level-1 Level-2 Level-3 Level-4

Depth
Level-5
Objective Prevention of Control of Control of Management to avoid Mitigation to Mitigating the radiological
deviations from abnormal accidents severe core confine consequences of
normal operation within design damage/Significant radioactive radioactive releases
operation limits core/fuel degradation releases
Procedures/ Operating Emergency Operating Emergency Operating Severe Accident Use of SAMGs, if
Procedures Procedures Procedures/Severe Management applicable
Guidelines Accident Preventive Guidelines
Guidelines
Accident Management

Emergency Response Plans and Procedures

Systems Process Systems Control Safety Additional Safety Complementary Contingency Measures
Systems Systems Systems/Features Safety Features
Response from Main or Supplementary Control Room
Onsite Emergency Support Center
Off-site Emergency Response Control Center
Figure 1: Plant states, defence in depth and their characteristics

3
 2 GENERAL ASPECTS OF ACCIDENT MANAGEMENT
PROGRAMME

2.1 Relevant AERB Requirements for Accident Management Programme

2.1.1 AERB Safety Code ‘Design of Pressurised Heavy Water Reactor Based Nuclear Power
Plants Section 5.2.11 of AERB/NPP-PHWR/SC/D (Rev.1), 2009’ specifies that accident
management procedures shall be established, taking into account representative and
dominant severe accident scenarios.
2.1.2 AERB Safety Code ‘Nuclear Power Plant Operation [Section 7.2.3 of AERB/NPP/SC/O
(Rev. 1), 2008)]’brings out the requirements on the development of emergency operating
procedures or guidance for managing severe accidents.
2.1.3 AERB safety Code ‘Design of Light Water Reactor Based Nuclear Power Plants
(Section 7 of AERB/NPP-LWR/SC-D, 2015)’ establishes requirements for additional
support provisions for accident management infrastructure needed to handle extreme
events along with unexpected failure of existing safety systems/features.
2.1.4 AERB safety Code ‘Design of Light Water Reactor Based Nuclear Power Plants
(Section 5.18.5 of AERB/NPP-LWR/SC-D, 2015) requires that severe accident
management guidelines (SAMG) shall be prepared, taking into account the plant design
features and the understanding of accident progression and associated phenomena.
2.1.5 Accident response capability should be diverse and flexible that would provide a backup
to permanently installed plant equipment, that might be unavailable following certain
extreme conditions (e.g. extreme natural phenomena such as earthquakes, flooding and
high winds), and would supplement the equipment already available for responding to
severe accidents. The approach shall include design measures to provide multiple means
of obtaining power and water needed to fulfil the key safety functions of maintaining
core cooling, containment integrity and spent fuel pool cooling (Section7.2.1 of
AERB/NPP-LWR/SC-D, 2015).
2.1.6 Accident management techniques that improve the capability of a plant to survive an
extended loss of all AC power, loss of normal heat sinks and loss of normal access to
plant site, etc., as a result of extreme events should be developed. It shall include
equipment to respond to such challenges; procedures and guidance; equipment
readiness, storage, and transportation; and training. The increased equipment capability
will consist of installed equipment, portable equipment stored onsite and portable
equipment in nearby establishments and other national facilities (Section7.3 of
AERB/NPP-LWR/SC-D).
2.1.7 The licensee of the facility or activity shall have arrangements to promptly decide and
take on-site actions that are necessary to mitigate the consequences of a nuclear or
radiological emergency. These arrangements shall include emergency operating
procedures and technical guidance for operating personnel on mitigatory actions. This
shall also include, on-site teams at the facility for mitigating the consequences of an
emergency (e.g. damage control, firefighting) (Clause 5.3.1 of the R0 draft of AERB
code on management of nuclear and radiological emergency, AERB/SC-NRE).

4
2.2 Objectives for Accident Management

2.2.1 In operating a nuclear power plant, safety of plant personnel, the public and the
environment should be ensured. This is achieved by fulfilling the following safety
functions:
a) control of reactivity
b) removal of heat from the fuel and/or fuel debris
c) confinement of radioactive material
d) shielding against radiation
e) control of radioactive discharges and hazardous substances, as well as limitation of
accidental releases
f) monitoring of safety-critical parameters to guide operator actions
2.2.2 Accident management program is developed to support the fulfillment of the safety
functions mentioned above with the following objectives:
a) Preventing or delaying the occurrence of severe fuel/core damage2.
b) Terminating the progress of severe fuel/core damage once it has started
c) Maintaining the integrity of reactor vessel/calandria to prevent melt through
d) Maintaining the integrity of the containment and preventing containment by-pass
e) Minimizing releases of radioactive material from the core or at other locations of
fuel
f) Achieving a long term safe state/severe accident safe state of the reactor
core/corium and long term safe stable state of the spent fuel storage
2.3 Concept of Accident Management Programme

2.3.1 A structured top down approach should be used to develop the accident management
programme. This approach should begin with the objectives and strategies followed by
measures to implement the strategies and finally result in procedures and guidelines.
Figure 2 illustrates the top down approach to accident management.
2.3.2 Multiple strategies should be developed to achieve the objectives of accident
management (Refer 2.2.2).
2.3.3 From the strategies, suitable and effective measures for accident management should be
derived, corresponding to available plant hardware provisions. Such measures may
include plant modifications/additional provisions. Personnel actions initiated either in the
control room or other locations could be an important part of these measures. Measures
could also include use of systems and equipment still available, recovery of failed
equipment and use of non-permanent equipment, stored on-site or off-site.
2.3.4 The accident management should cover both preventive and mitigatory domains. In the
preventive domain, the guidance should generally consist of descriptive steps, as the plant
status is known from the available instrumentation and the consequences of actions can
be predetermined by appropriate analysis. The guidance for the preventive domain,
therefore should generally be in the form of procedures, usually called emergency

2
Maintaining the integrity of coolant channels for PHWRs

5
 operating procedures (EOP) which are prescriptive in nature or severe accident
preventive guidelines.
2.3.5 In the mitigatory domain, large uncertainties may exist in the plant status, availability of
the systems, timing and outcome of actions. Consequently, the guidance for the
mitigatory domain should not be prescriptive in nature but rather should include a range
of potential mitigatory actions and should allow for additional evaluation and alternative
actions. Such guidance is usually called Severe Accident management Guidelines
(SAMG).
2.3.6 The guidance for the mitigatory domain should be presented in the appropriate form,
including guidelines, procedures, manuals or handbooks. The guidelines/procedures
include a set of strategies and measures that describe the tasks to be executed at the plant.
Manuals or handbooks typically contain a more general description of the tasks to be
executed and their justification.
2.4 General Requirements for Developing Accident Management Programme

Identification of Plant Vulnerabilities and Capabilities

2.4.1 The accident management programme should address internal and external events
relevant for the site considered under all modes of operation (including shutdown state)
and also events that could cause fuel damage in spent fuel pool, taking into account
possible dependencies between events. It should also consider external events that could
result in significant damage to the infrastructure on-site or off-site.
2.4.2 Selection of events/accident sequences should be sufficiently comprehensive. This
should consider events and accident sequences that could arise from multiple hardware
failures, human errors, internal and external hazards, and their combinations. Useful
guidance can be obtained from Level-1 PSA, from expert judgement or similar studies
from other plants and operating experience from the affected plants.
2.4.3 Full spectrum of challenges (accident sequences, associated phenomena etc.) that can
threaten the integrity of the containment and the release of radioactive material to the
environment should be identified. Useful guidance can be obtained from the Level-2
PSA, or similar studies from other plants, expert judgment and insights from research
on severe accidents.
2.4.4 Low numerical risk estimates (e.g. event/event sequence frequency contributing to core
damage frequency or large release frequency) should not be used as the sole basis for
excluding events/accident sequences from consideration for SAMG development. This
is especially important if the consequences are very high.
Capabilities of the plant/site to cope with the challenges should be identified in
performing accident management actions. Accident management provisions need to be
comprehensive, well designed and up to date. They need to be derived on the basis of a
comprehensive set of initiating events and plant conditions and also need to provide for
accidents that affect several units at a multi-unit site.
Development of Accident Management Programme and Guidelines
2.4.5 Plant specific accident management programme should be developed, implemented and
maintained consistent with the plant design and its current configuration.

6
 Design extension conditions (DEC)
with core melt /
without significant core/fuel
significant core
degradation
degradation

Level-4 Defence In Depth

Terminating the
progression of core
Safety objective melt. Maintain the
Prevent significant fuel
integrity of the
degradation and keep releases
containment as long
within acceptable limits
as possible. Minimise

TOP DOWN APPROACH

on-site and off-site
releases.
Accident management
Preventive Mitigative
domain

Systems Additional safety Complementary

by design systems/features safety features
Measures
Plant modifications, additional provisions, recovery of
Additional
failed equipment, use of non-permanent systems,
means
personnel actions etc., as applicable.
Emergency Operating Severe Accident
Procedures/Guidelines Procedures/Severe Accident Management
Preventive Guidelines Guidelines

Deterministic
safety
Plant specific analysis Plant specific analysis
Analysis analysis
in (DSA)
support Probabilistic
of AMG safety
Level-1 PSA Level-1 and 2 PSA
assessment
(PSA)

Equipment and Qualification/

instrumentation Survivability as applicable
Figure 2: Top down approach and other characteristics for accident management

2.4.6 When developing guidance on accident management, consideration may be given to the
full capabilities of the plant. Care should be taken if the possible use of some systems
beyond their originally intended function is foreseen in the guidance on accident
management.

7
2.4.7 Development of accident management guidance should be based on best estimate
analysis of the physical response of the plant (Refer AERB/SG/D-19 for further details
on methodology). While developing the accident management guidance, consideration
should be given to uncertainties in knowledge about the timing and magnitude of
phenomena that might occur in the progression of the accident.
2.4.8 The approach in accident management should be, as far as feasible, based on either
directly measurable plant parameters3 or information derived from simple calculations
and should consider the loss or unreliability of indication of key plant parameters.
2.4.9 The personnel who will be working in the control room or onsite emergency support
center (OESC) or any other organizational unit responsible for evaluation, decision-
making and implementation in the course of an accident should be involved at an early
stage of development of an accident management programme as this provides valuable
training for future tasks and feedback. A team of experts with sufficient range and level
of expertise should be formed for the development of accident management programme.
The team should contain staff responsible for the development and implementation of
the accident management programme in the plant, including, analysts, personnel from
the training department, operation, maintenance, radiation protection, instrumentation
and controls staff, engineering staff, persons responsible for emergency preparedness
and response (EPR) planning and external experts, as appropriate.
2.4.10 Multi-unit damage, uncovered fuel in spent fuel pools, releases of radioactive materials
and hydrogen into buildings adjacent to the containment should be considered in the
development of accident management programme.
2.4.11 Care should be taken when adapting a generic accident management programme to a
plant specific one. This should include evaluation for additional vulnerabilities and
respective strategies for mitigation. On the other hand, any deviations from generic
accident management guidance or plant operating requirements/conditions should
receive a rigorous review that considers the basis and benefits of the original approach
and the potential unintended consequences of deviating from this approach.
Procedures and Guidelines
2.4.12 Guidance in the form of EOPs or severe accident preventive guidelines should be used
in the preventive domain (design extension conditions without core melt) of accident
management. Guidelines in the form of SAMGs should be used in the mitigatory domain
(design extension conditions with core melt) of accident management.
2.4.13 EOPs/severe accident preventive guidelines should be accomplished by plant operation
staff generally from the main control room (MCR) and SAMGs should be accomplished
by onsite emergency response organization by identified emergency response team from
identified locations.
2.4.14 The plant parameters and their thresholds that define the transition from EOP to
preventive guidelines/SAMG should be identified.

3
In case of unavailability of direct measurement, it can be derived alternatively from indirect sources.
An example of such an indirect measurement is the use of pressure measurement in a connected residual
heat removal loop or safety injection system to infer RCS pressure when the direct RCS pressure
measurement is not available.

8
2.4.15 The procedures and guidelines developed for accident management should be supported
by appropriate background documentation (e.g. technical basis document) and should
be used as the basis for developing accident management programme. This
documentation should describe and explain the rationale of the various parts of the
guidelines. The background documentation does not replace the guidelines themselves.
It should be available to all staff involved in evaluation and decision making.
2.4.16 For situations that result in normal (designated) accident management capabilities being
unavailable, support procedures may be developed to provide guidance on using
instrumentation and equipment to cope with these conditions (use of portable non-
permanent equipment). The guidance should include conditions for use of these support
procedures.
2.4.17 The guidance should contain a description of both the potential positive and negative
consequences of proposed actions, including quantitative data, and should contain
sufficient information for the plant staff to make appropriate decisions on the actions to
be taken during the evolution of the accident.
2.4.18 In developing the procedures and guidelines, it should be considered that the information
available for the operating staff or the emergency response team may be incomplete and
characterized by significant uncertainties.
2.4.19 Development of accident management guidance and associated procedures should take
account of the potential unavailability of instruments, lighting, power and abnormal
conditions including plant state, high radiation fields, accessibility, fire etc.
2.4.20 Guidelines or procedures should be developed with the appropriate level of detail for the
staff participating in accident management such as control room operators and staff
involved in evaluation, decision making and implementation in accordance with their
respective roles. The usability of the guidelines under stressful conditions should also
be considered.
Equipment and Instrumentation
2.4.21 Availability of information on vital plant parameters in all plant states, including severe
accidents should be ensured for diagnosis of the accident, monitoring the state of
essential safety functions and to confirm the effectiveness of the accident management
measures.
2.4.22 The equipment and instrument performance under harsh environmental conditions with
reasonable assurance should be demonstrated either by equipment qualification or by
assessment of the survivability.
2.4.23 For situations, such as total loss of off-site and on-site power or loss of all heat sinks or
the engineering safety systems, simple alternative sources including any necessary
equipment (such as mobile power, compressed air and water supplies) should be
provided for accident management. Such provisions should be located at a safe place
and the plant operators should be trained to use them. Refer AERB/SC/D for LWRs and
PHWRs for further details.
2.4.24 Ageing and maintenance of equipment and instrumentation should be taken into account.
2.4.25 The accident management guidance should refer to the preferred accident management
equipment that is available. Possible equipment failures (e.g. instrumentation failure or
equipment lockout) should be considered. Alternate methods of achieving the same

9
 purpose should be explored to take into account possible equipment failures, and the
availability of alternative equipment should be determined.

Organizational Aspects, Roles and Responsibilities

2.4.26 The applicant/licensee should have the full responsibility for development,
implementation, evaluation and updating the accident management programme.
2.4.27 Onsite Emergency Response Organisation consisting a team of evaluators, implementers
and decision makers should be available for implementing accident management
strategies.
2.4.28 The roles and responsibilities of Onsite Emergency Response Organisation should be
clearly defined to help ensure effective communications and decision-making for
accident management. These include identification of a specialized team for performing
evaluations and necessary recommendations (evaluation group), decision makers and
implementers for accident management actions.
2.4.29 The decision making authority should be clearly defined and established at an
appropriate level, commensurate with the complexity of the task and the potential
consequences of decisions made. Major decisions which could have significant adverse
effects on public safety or the environment should be made with the full knowledge of
the person entrusted with legal responsibility for the plant.
2.4.30 The communication protocol that is to be followed during the implementation of
accident management should be clearly defined.
2.4.31 Accident management guidance should complement, support and interact with the
overall emergency arrangements defined in the plant’s emergency plans and should not
contradict each other. This should include lines of responsibility and accountability for
implementing response actions during execution of accident management guidance
throughout the duration of the accident.
2.4.32 Nuclear security measures should be maintained during all phases of accident
management.

Verification and Validation

2.4.33 The developed accident management procedures and guidelines should be verified and
validated.(Please see the section 3.10 for details)

Staffing and Resource

2.4.34 Adequate staff and habitability should be ensured along with clear definition of roles of
the different members of the Onsite Emergency Response Organisation involved in
accident management.
2.4.35 Availability of human and material resources should be ensured for carrying out accident
management actions.

10
Training and Exercise
2.4.36 Appropriate levels of training should be provided to relevant plant personnel and
members of the Onsite Emergency Response Organisation; the training should be
commensurate with their responsibilities in the preventive and mitigatory domains as
well as deciding on the transition between domains.
2.4.37 Robust training should be imparted to every organization involved in the management
of a severe accident, including decision makers, evaluators, implementers and external
emergency responders. These training programmes need to take a practical, learning by-
doing approach, using realistic training aids, and to allow for an evaluation of their
effectiveness.
2.4.38 The overall form of the guidelines and the selected level of detail should be tested in
exercises. Based on the outcome of such exercises, it should be judged whether the form
is appropriate and whether additional details should be included in the guidance.
Exercises should provide for identification of areas for improvement.
2.4.39 Training and exercises need to include postulated severe accident conditions to ensure
that operators are well prepared. The exercises should include the simulated use of actual
equipment that would be deployed in the management of a severe accident.
2.4.40 The training programmes should be updated based on new operating experience and to
take into account developments in science and engineering.
2.4.41 Training programmes should address the roles of the different groups and include
exercises to enable assessments of the interactions between the various groups involved
in accident management.
Review and Update of AMP
2.4.42 The accident management programme should be reviewed periodically (typically once
in five years) in response to major lessons learned, to reflect operating experience, new
results from relevant research and changes in plant configuration.

11
 3 DEVELOPMENT AND IMPLEMENTATION OF AN ACCIDENT
MANAGEMENT PROGRAMME
3.1 General Aspects

3.1.1 The following steps should be executed to set up an accident management programme:
a) Challenges (including events/event sequences) to safety functions and/or
boundaries to fission product release should be identified
b) Plant vulnerabilities should be identified, considering the challenges
c) Plant capabilities under challenges to safety functions and fission product barriers
should be identified, including capabilities to mitigate such challenges, both in
terms of available equipment and personnel
d) Suitable accident management strategies and measures should be developed,
including the use of permanent (fixed) and onsite/offsite non-permanent (portable
and/or mobile) equipment and instrumentation to cope with the
vulnerabilities/challenges identified
e) Accident management should implement all feasible measures that will either
maintain or increase the margin to failure or that will gain time before the failure
of safety functions or of barriers to a release of radioactive material
f) Supporting analyses should be performed to evaluate and confirm the adequacy of
the strategies and measures developed, and
g) Procedures and guidelines to execute the strategies and measures should be
developed

3.1.2 The following aspects should be considered while developing the accident management
programme:
a) Supporting analysis and experiments for the development of the accident
management programme
b) Necessary hardware provisions for execution of accident management strategies
c) The means of obtaining information on the plant status, and the role of
instrumentation therein, including cases in which information provided by
instrumentation is erroneous or normal instrumentation and control power is
unavailable
d) Specification of lines of decision making, responsibility and authority in the teams
that will be in charge of the execution of the accident management measures
e) Availability of personnel to execute the programme with consideration of human
performance aspects
f) Integration of the accident management programme within the emergency
arrangements for the plant
g) Verification and validation of procedures and guidelines (please see the section
3.10)
h) Education, training, exercises and evaluation of personnel skills
i) Possible restrictions on the accessibility of certain areas for performing local
actions
j) A systematic approach to periodic evaluation and updating of the guidance and
training with incorporation of new information and research insights on severe
accident phenomena

12
3.2 Identification of Plant Vulnerabilities

3.2.1 Safety assessment should be performed to identify and consider all credible
challenges resulting from individual events/combinations of events/event
sequences that could cause failure of barriers against release of fission products.
For external events, the safety assessment should consider identified margins to
events in which the consequences can significantly worsen for small changes in the
event magnitude (cliff-edge effect)4.
3.2.2 Guidance for plant damage assessment should be part of an accident management
programme. Of particular importance is the assessment of site and building
structural damage resulting from external hazards.
3.2.3 Guidance should also be provided to address challenges to physical barriers and
safety functions before any significant fission product release.
3.2.4 The vulnerabilities of the plant to challenging conditions should be identified. It
should be investigated how specific accidents will challenge safety functions, and,
if these are lost and not restored in due time, how the integrity of fission product
barriers including fuel will be challenged. The possibility of being left with non-
permanent (portable and/or mobile) equipment only for mitigating some challenges
should be contemplated. Vulnerabilities resulting from the failure of command and
control due to loss of control room or impairment of the capability to operationalise
the on-site emergency response organization [Refer section 3.11] should also be
addressed.5
3.2.5 The vulnerabilities to external hazards that can impact the use of accident
management features, both permanently installed as well as non-permanent, should
be identified. It should be investigated how specific external hazards can interfere
with the use of accident management features.6 The non-permanent (mobile)
equipment should be located in diverse positions to the extent practicable so as to
avoid common cause failures due to external hazards such as earthquakes and
tsunami.
3.2.6 The behaviour of the plant during design extension conditions (including those
caused by external hazards) should be well understood with identification of the
phenomena that may occur together with their expected timing. The severity of
these phenomena should be assessed and the analysis results should be collected
and set out in a report that could serve as the technical basis for accident
management.
3.2.7 The information regarding the plant behaviour in accident conditions should be
obtained using appropriate analysis. Other inputs should also be used, such as the
results of current research on severe accidents, operational experience including
insights from other plants and engineering judgment. Consideration should be
given to uncertainties in the severe accident knowledge base and the assumptions

4
In a nuclear power plant, an instance of severely abnormal plant behaviour caused by an abrupt transition from
one plant status to another following a small deviation in a plant parameter, and thus a sudden large variation in
plant conditions in response to a small variation in input.
5
Vulnerabilities could be created by loss of communication with the control room, physical damage to the control
room (e.g. fire) harsh environmental conditions in the control room (radiological conditions, toxic gases, smoke)
or staff injuries or even death.
6
E.g. removing of rubble for accident management

13
 made in models and analysis.
3.2.8 Effectiveness and adequacy of equipment and response centres (e.g. control room
and/or OESC) that are shared by different units should be assessed for cases where
accidents occur simultaneously in multiple units. Based on the result of such
assessment, potential alternate solutions could be developed.
3.2.9 If structures, systems and components (SSCs) whose use is contemplated for
accident management are shared between two or more units, an assessment should
be performed whether safe shutdown state is achievable on the other unit(s).
3.3 Identification of Plant Capabilities

3.3.1 All plant capabilities available to fulfill and support safety functions and for
mitigation of challenges to fission product barriers should be identified and
characterized. This should include safety systems, complementary design features,
additional safety systems as well as use of non-dedicated systems, unconventional
line-ups and hook-up connections for non-permanent equipment located on-site or
brought in from off-site. When unconventional line-ups or hookup connections are
contemplated, consideration should be given to the availability of equipment
(hoses, mobile or portable equipment) necessary for easy use of these capabilities
and restoration of failed equipment. Availability of spare parts, lubricants,
compressed air, water and fuel should be ensured.
3.3.2 Relevant information including lessons learned from past nuclear accidents as well
as data from experimental activities should be considered during the identification
of plant capabilities.
3.3.3 Specific consideration should be given to accidents developing when the facility is
in a shutdown state.7
3.3.4 The capabilities of plant personnel to contribute to unconventional measures to
mitigate accident challenges, including the behaviour and reliability of personnel
under adverse environmental conditions (high temperature, poorly lit, high
radiation) should be considered8. Where necessary, protective means should be
provided and training should be imparted for the execution of such tasks.

3.4 Development of Accident Management Strategies

3.4.1 On the basis of the vulnerability assessment, identified plant capabilities,

knowledge of accident phenomena and reactor specific accidents, accident
management strategies should be developed for each individual challenge or plant
vulnerability, in both the preventive and mitigatory domains.
3.4.2 In the preventive domain, strategies should be developed to preserve the safety
functions viz. achieving and maintaining sub-criticality, core cooling, spent-fuel
cooling and containment integrity.
3.4.3 In the mitigatory domain, strategies should be developed with the objective of:

7
Due to maintenance activities some of the safety features may not be available.
8
Including performance when using protective clothing and breathing devices.

14
 a) terminating the progress of fuel degradation
b) maintaining the integrity of the reactor vessel/calandria
c) maintaining the integrity of the core catcher and confinement in the event of
RPV failure
d) maintaining cooling of corium (in-vessel or ex-vessel)
e) preventing criticality in the core debris/corium
f) maintaining the integrity of the containment or any other confinement of
fuel and preventing containment bypass
g) minimizing, delaying off-site releases of radioactive material
h) achieving a long term safe stable state (Severe accident safe state).

Strategies may be derived from ‘accident management actions’, examples of which are
given in Appendix-A.

3.4.4 A systematic evaluation of the possible strategies should be conducted to confirm

feasibility and effectiveness, to determine potential negative impacts and to develop
prioritisation, using appropriate methods. Adverse conditions that may affect the
execution of the strategy during evolution of the accident should be considered.

3.4.5 Particular consideration should be given to strategies that have both positive and
negative impacts in order to provide the basis for a decision as to which strategies
constitute a proper response under a given plant damage condition. 9
3.4.6 Strategies should be prioritized taking into account plant damage status and the
existing as well as anticipated challenges. The basis for the selection of priorities
in accident management strategies should be documented. When prioritizing,
special attention should be paid to the following:
a) timeframes and severity of challenges to the barriers against releases of
radioactive material
b) availability of support functions as well as possibility of their restoration
c) plant initial operating mode, as accidents can develop in operating modes
where one or more fission product barriers could already be lost at the
beginning of the accident
d) adequacy of a strategy in the given domain; while some strategies can be
adequate in the preventive domain, but may not be suitable in the mitigatory
domain due to changing priorities.10
3.4.7 For strategies that rely on non-permanent equipment following an extended loss of
all AC power (due to external events), steps should be taken to ensure that
personnel can install and operate such equipment within the time frame necessary
to avoid loss of safety functions taking into account possible adverse conditions on-
site. Support items such as fuel for nonpermanent equipment should be available.
3.4.8 Accident management strategies should be developed for situations when DC
power is also lost during a long-term loss of all AC power.
3.4.9 The implementation of specific mitigatory strategies should be triggered when

9
An example is flooding the cavity, with the negative impact of possible occurrence of an ex-vessel steam
explosion.
10
For example, cooling the fuel could be first priority when the fuel is undamaged (in the preventive domain),
while retaining containment integrity or limiting fission product releases could be the priority (in the mitigatory
domain)

15
 certain parameters reach their threshold values. These parameters should be
selected to be indicative of plant damage conditions and challenges to fission
product barriers.
3.4.10 If strategies are to be implemented within a certain time window, the possibly large
uncertainties should be taken into account in identifying such a window. However,
care should be exercised in order not to discard potentially useful strategies.
3.4.11 A systematic identification of the plant control and logic interlocks that need to be
defeated or reset for the successful implementation of accident management
strategies should be performed. The potential negative effects of such actions
should be adequately characterized and documented.
3.4.12 The definition and selection of strategies applicable in the mitigatory domain
should consider the potential usefulness of maintaining strategies initiated in the
preventive domain. Limitations that could arise from harsh environmental and
radiological conditions expected in the mitigatory domain should be taken into
account.
3.4.13 Strategies which avoid or minimise the accumulation of large amounts of
potentially contaminated water, including leakage from a failed containment should
be preferred. Strategies for storing and handling of accumulated contaminated
water should be considered in an appropriate manner.
3.5 Analysis for Development of Accident Management Programmes

3.5.1 Safety analysis should be performed:

a) for the accident scenarios expected in all significant sources of radioactive material
(e.g. reactor core and spent fuel pools) in the plant
b) for the accident scenarios expected in all relevant normal operational and shutdown
states including shutdown states with open reactor or open containment barriers
c) for identification of challenges to integrity of barriers and capabilities and to
demonstrate the acceptability of the identified solutions to support the accident
management strategies and measures. This also calls for the analysis without
crediting the mitigatory measures
d) for formulation of the technical basis for development of strategies, procedures and
guidelines
e) for verification and validation of procedures and guidelines (with other safety
analysis tools, if available)
f) for source term and dose assessment
g) to support the decision making regarding plant upgrades
h) for arriving at the conditions required for environmental qualification and
survivability of equipment/instrumentation
i) to arrive at working conditions/habitability of working places for personnel
involved in the execution of the accident management actions
j) for identifying the accident scenarios for personnel training and exercise purposes
k) for multi-unit accidents, where applicable

3.5.2 Safety analysis should provide sufficient inputs for development of procedures and
guidelines, in particular:

16
 a) choice of symptoms (i.e., parameters and their values) for diagnosis and monitoring
the course of the accidents (i.e. to determine the reactor core condition, state of
protective barriers etc.)
b) identification of the key challenges and vulnerable plant systems and barriers
c) specification of set-points to initiate and to exit individual strategies
d) positive and negative impacts of accident management actions
e) time windows available for performing the actions
f) prioritisation and optimisation of strategies w.r.to achieving safety functions
g) evaluation of capability of systems to perform intended functions
h) expected trends in the accident progression
i) conditions for entering and exiting accident management including severe accident
management domain as applicable
j) computational aids development

3.5.3 Suitable analysis methods with appropriate safety or risk metrics should be used to aid
in decision making regarding plant upgrades. Consideration should be given to the fact
that analysis in the field of severe accident management is usually not conservative but
of best estimate analysis and does not in itself provide margins.
3.5.4 Plant specific data including plant operational parameters, plant systems configuration
and performance characteristics and set-points should preferably be used for the
analyses.
3.5.5 Address a sufficiently broad set of accident scenarios adequately covering potential
evolutions of initiating events into design extension conditions and a comprehensive
set of plant damage states. PSA Level 1 and 2 in combination with engineering
judgement should be used for selection of the scenarios.
3.5.6 Selection of accident sequences should be performed in the following steps:
a) A suitable categorization approach and a set of plant damage states should be
developed. A categorization scheme should result in a list of groups of accident
sequences including fuel degradation and melting, calandria/reactor vessel failure
and containment boundary failure and the associated severe accident phenomena11.
The full list of plant damage states obtained from PSA should be screened for the
less important plant damage states in order to identify a limited set, considering
contribution to core damage frequency and ensuring that all initiators are
represented;
b) One or more accident sequences for each plant damage state should be chosen
considering the total contribution to core damage frequency and the ability of the
chosen sequence to represent other sequences in the same plant damage state.

3.5.7 Following aspects of accident scenarios that would lead to core damage and subsequent
potential challenge to fission product barriers should be taken into account12
a) Sequences with no operator action or inappropriate operator actions (errors of
omission or errors of commission) leading to core damage
b) Availability and functionality of equipment, including instrumentation and the

11
Many categorisation schemes are possible. Level 2 PSAs contain such categorisation schemes.
12
Note that selection of sequences that would, without intervention, lead to core damage, is an appropriate way
of accident scenarios for subsequent investigation of both preventive actions (taken before core damage) and
mitigatory actions (taken after core damage)

17
 habitability of working places under anticipated environmental conditions and
c) Potential cliff-edge effects.
3.5.8 Best estimate approach should be used for the safety analysis to support the accident
management with appropriate recognition of uncertainty existing in the timing and
severity of the phenomena. The computer codes that are used for accident management
should be validated to the extent as far as reasonably practicable. Sensitivity analysis
should be performed when computer code results are relied upon for making critical
decisions and to identify cliff-edge effects.
3.6 Development of Procedures and Guidelines

General
3.6.1 Procedures (equivalent guidelines) or guidelines should be developed for preventive
and mitigatory domains respectively to implement the strategies and measures for
accident management. Procedures and guidelines should contain the necessary
information and instructions for the responsible personnel to successfully implement
the strategies, including the use of equipment, equipment limitations and cautions and
benefits.
3.6.2 Procedures and guidelines should be written in a user friendly way so that they can be
readily executed under high stress conditions, and should contain sufficient details to
ensure the focus is on the necessary actions13.
3.6.3 The guidelines should contain as a minimum the following elements:
a) Objectives and strategies
b) Positive effects and potential negative consequences of the actions
c) Initiation criteria
d) The time window within which the actions are to be applied (if relevant)
e) Monitoring of strategies
f) The equipment and resources (e.g. AC and DC power, water and instrument air)
required
g) Identification of local actions with relevant guidance
h) Consideration of habitability for local action
i) Consideration of required personnel resources
j) Cautions and limitations
k) Transition criteria (EOP to SAMG) and exit/termination conditions
l) Assessment and monitoring of plant response
3.6.4 Procedures and guidelines that are implemented should be integrated with each other
to establish a comprehensive strategy for accident management.

13
For example, where water injection to primary heat transport system is recommended, it should be identified
whether this should be initiated from dedicated source or alternate sources. Also the available line-ups to achieve
the injection should be identified and guidance should be put in place to configure unconventional line-ups, where
these are needed. It should be known how long water sources will be available, and what needs to be done to
either replace or to restore them once they are depleted.

18
3.6.5 The guidance should directly identify the recommended action14, when accident
conditions require immediate attention and short term actions.The development of
accident management guidance should take into account the habitability, operability
and accessibility of the control room and OESC. Accessibility of other relevant areas,
such as areas for local actions should also be assessed and taken into account in the
development of accident management guidance.
3.6.6 Pre-calculated graphs, tables or simple formulae should be developed, where
appropriate, to avoid or limit the need for complex calculations during the accident.
These ‘computational aids’ should be included in the documentation of the guidelines.
Typical list of computational aids is given in Appendix-E. Computer based aids should
consider the limited battery life of self-contained computers (laptops) and the potential
for loss of AC power.
3.6.7 Conditions during and following a natural disaster or an internal plant event may
significantly impede and delay the ability of plant operators and others to respond and
take needed actions. The potential for such delays should be considered when
procedures and plans for time-sensitive operator actions are being established.

Diagnosis, Parameters and Instrumentation

3.6.8 In the preventive domain, it may be possible to diagnose the accident on the basis of an
appropriate procedure and plant alarms and the guidance should be aimed at monitoring
and preserving or restoring safety functions on the basis of the selected strategies. In
the mitigatory domain it should not be necessary to identify the accident sequence or to
follow a pre-analysed accident scenario in order to use the SAMGs correctly. The
control room and OESC personnel should be able to identify the challenges to fission
product barriers and different plant damage conditions based on the monitoring of plant
parameters (A typical list of plant parameters is given in Appendix-B), if available.
3.6.9 While developing the accident management programme, a list of symptoms/parameters
as feasible should be identified, for the defined plant damage conditions to help in
deciding the suitable accident management strategies. A typical list of plant damage
conditions for different reactor types is given in Appendix-C. However, in the event of
difficulties in identification of defined plant damage conditions, suitable strategies
should be selected based on the information available in MCR/OESC.
3.6.10 The set of procedures and guidelines should include relevant plant parameters that
should be monitored and they should be referenced or linked to the criteria for initiation,
throttling or termination of the various systems. Specific and measurable parameter
values should be defined for the transition from the preventive domain to the mitigatory
domain.
3.6.11 Procedures and guidelines should be based on directly measurable plant parameters.
Where measurements are not available, parameters should be estimated by means of
simple computations and/or pre-calculated graphs and/or using other available relevant
parameters.
3.6.12 The guidelines should be developed in such a way that the potential for an erroneous

14
For example, an immediate challenge to a fission product barrier, where 'immediate' means that there is no time
or limited time for evaluation prior to decision making. Other example, 'immediate actions' to obtain a stable plant
condition and work from there. Also such actions may be relevant before the OESC is available and operators
must take action.

19
 diagnosis of plant status is minimized. Redundant and diverse instrumentation and
signals should be used preferably.

Transition and Termination of Guidelines

3.6.13 A transition point (entry criteria) from the preventive to the mitigatory domain should
be set with careful consideration of timing and magnitude of subsequent challenges to
fission product barriers. Typical entry criteria parameters for PHWRs, PWRs and
BWRs are given in Appendix-D.
3.6.14 The possibility of transition from EOPs/severe accident preventive guidelines to
SAMGs before OESC is operable should be considered in the development of
procedures and guidelines.15 Any mitigatory guidance provided to control room
operators in this case should be presented in a way that makes prompt and easy
execution possible and, therefore should be presented in a format operators are able to
work with and already trained for.
3.6.15 In addition to entry conditions to the SAMGs, exit conditions and criteria for
terminating long term provisions should be specified. Typical exit conditions are also
specified in Appendix-D. Safe state or severe accident safe state as applicable should
be clearly defined and provisions to maintain these states should be specified.
3.6.16 Where EOPs are not exited but are executed in parallel with the SAMGs, their
applicability and validity in the mitigatory domain should be demonstrated. In such
cases, a hierarchy between EOP and SAMG actions should be established, in order to
address conflict, if any.
3.6.17 Guidance should include the rules of usage for parallel execution of EOPs and
guidelines and parallel execution of two different guidelines. Priorities should also be
defined among the various procedures and guidelines, in accordance with the priority
of the underlying strategies.
Equipment
3.6.18 It should be noted that various equipment may start automatically or change
configuration upon certain parameters reaching pre-defined values (‘set points’). Such
automatic starts have usually been designed for events in the preventive domain. These
automatic actions may be counterproductive in the mitigatory domain. Hence, all
automatic actions should be reviewed for their impact in the mitigatory domain and,
where appropriate, equipment should be inhibited from automatic start. These aspects
should be included in the guidelines along with a caution note indicating their positive
and negative effects. Manual start of the equipment concerned should then be
considered in the guidance.
3.6.19 Guidance should be developed to diagnose equipment failure and to identify methods
to restore failed equipment to service. The guidance should include recommendations
on the priorities for restoration actions.
3.6.20 The time to recover unavailable equipment or to implement/connect non-permanent
equipment should be factored into accident management guidance.

15
This situation can occur in cases where an event rapidly develops into a severe accident, or where the OESC
cannot be activated within the time assumed in the guidance.

20
Multi-unit Damage
3.6.21 The guidelines should address the possibility that more than one, or all units, may be
affected, including the possibility that damage propagates from one unit to other(s), or
is caused by actions taken at one unit.
3.6.22 Guidelines should also cover events with multi-unit damage, potential damage to the
fuel in spent fuel pools, release of radioactivity and hydrogen into buildings adjacent to
the containment, if applicable, and run off of contaminated water to the environment.
3.6.23 Multi-unit damage or large-scale external disturbances may impact the time required in
restoring the power and the human and organizational performance. Hence long time
periods should be considered in the guidelines for initiation and completion of the
required actions.
3.6.24 Guidance for the assessment of damage to the plant should be part of the accident
management programme and should be developed to address challenges to the
fundamental safety functions or the fission product barriers before any significant
fission product release. Of particular importance is the assessment of access to the site
and structural damage to buildings resulting from external hazards more severe than
those considered for design, derived from the site hazard evaluation
Documentation
3.6.25 Adequate background material should be prepared to support development of accident
management guidelines. The background material should fulfill the following roles:
a) It should be a self-contained source of reference for:
(i) The technical basis for strategies and deviations from generic strategies, if
any
(ii) A detailed description of instrumentation needs
(iii) Results of supporting analysis
(iv) The basis and detailed description of steps in procedures and guidelines
(v) The basis for specification of set-points used in the guidelines
b) It should provide basic material for training courses for accident management staff.

Additional Guidance for Spent Fuel Accident Management

3.6.26 Failures of the cooling system, make-up water system, loss of pool water caused
by pipe breaks and the siphon phenomenon, where water level cannot be
maintained as applicable should be assumed. Loss of systems concurrently with
fires and explosions should be assumed while developing the guidelines.
3.6.27 Countermeasures and documented procedures should be established to prevent fuel
damage (maintaining a sufficient water level for cooling and shielding and also
adequate boron levels for sub-criticality if envisaged).
3.6.28 The possibility of damage to the SFP structure leading to leakage larger than
compensatory provisions (make-up system) should be considered. Leakage could
be mitigated by the provision of sealing systems designed to provide temporary
repair to breaches, or to minimise the leakage rate to levels within the capability of
the make-up system.
3.6.29 For enhancing reliability of cooling of SFPs, water source requirements should
21
 consider conservative decay heat loads.
3.6.30 Addition of water from mobile sources (such as fire tender or fire engine) or fire
protection systems should be considered as a back-up for water injection with
consideration for possible boron dilution if any. To minimize the addition of boric
acid, fuel storage racks maybe designed with neutron absorbing materials in the
structure.
3.6.31 Reliable means of monitoring water level, temperature and radiation/activity levels
of the SFP should be established. It is also desirable to monitor states of SFPs
through video cameras. The instrumentation should be provided with alternative
power sources to ensure its availability in all accident conditions.

3.7 Hardware Provisions/Instrumentation for Accident Management

Hardware Provisions for Accident Management

3.7.1 Reactors should be equipped with hardware provisions (which may include
supplementary onsite and offsite equipment) to fulfill safety functions viz. to maintain
sub-critical, decay heat removal and containing the release of fission products for all
accident conditions including severe accidents.
3.7.2 Appropriate provisions should be available to remove the decay heat from the
core/corium debris/spent fuel pool to an ultimate heat sink.
3.7.3 Equipment Upgrades16/Changes in Design
a) Changes in design should be evaluated where challenges to fission product
barriers cannot be reduced to an acceptable level.
b) Equipment upgrades aimed at enhancing preventive features of the plant and
preserving the containment function should be considered as tasks with high
priority.
c) Equipment upgrades which increase capability or margin to failure for the
following functions should be taken into account:
(i) Monitoring key parameters such as temperature, pressure, radiation level,
hydrogen concentration and water level (containment/calandria
vault/calandria etc.)
(ii) Containment isolation in a severe accident, including prevention of
containment bypass
(iii) Ensuring the leak-tightness of the containment, including preservation of
the functionality of isolation devices, penetrations, personnel locks etc.,
for a reasonable time after a severe accident
(iv) Establishing or restoring the containment heat sink to manage pressure
and temperature in the containment
(v) Control of combustible gases, fission products and other materials
released during severe accidents
(vi) Monitoring and control of containment leakages and of fission product

16
Refer clause 3.5.3 for analysis methods and corresponding risk metrics in decision making w.r.to plant upgrades

22
 releases
(vii) Prevention and mitigation of dominant challenges, such as for
containment over-pressure and under-pressure, high-pressure core-melt
scenarios, reactor vessel/calandria vessel melt-through and basemat melt-
through by molten corium.
3.7.4 There should be multiple diverse accident management strategies and measures for
mitigating challenges to containment integrity.
3.7.5 For non-permanent equipment, multiple hook-up points to facilitate their use during
external hazards should be considered, taking into account benefits versus potential
negative implications.
3.7.6 When additional equipment is supplemented to mitigate severe accidents, it should
preferably be independent with equipment and systems used to cope with design basis
accidents.
3.7.7 Containment Venting
a) the accident management programme should provide guidance on containment
venting, if envisaged as a last resort, to prevent loss of containment integrity and
to mitigate releases of radionuclides causing long-term off-site contamination.
b) When containment venting is contemplated or directed in the accident
management strategies, it is recommended to consider the following in the
guidance:
(i) situations when all AC and DC power is lost and the instrument air system
is not available
(ii) situations involving high radiation areas and high temperatures in areas
where vent valves are located (if local access is required)
(iii) the potential negative consequences of containment venting should be
assessed during the decision making process
3.7.8 Guidance should consider additional hardware provisions, including non-permanent on
and off-site equipment as a back-up measure where the existing equipment is not
anticipated to remain functional in the long-term or could be disabled in case of station
black-out. In estimating the long-term availability of components, the feasibility of
performing maintenance or repairs should be evaluated and taken into account.
3.7.9 Steps should be taken to ensure that personnel can install and operate the non-
permanent equipment within the timeframes necessary taking into account possible
adverse conditions (radiological conditions, lighting, ventilation, temperature etc.).
3.7.10 Maintenance, testing and inspection procedures should be developed for equipment to
be used in accident management taking into account the safety significance of such
equipment.
Instrumentation for Accident Management

3.7.11 Adequate instrumentation for the monitoring and diagnosis of reactor conditions and
for assisting in accident evaluation, accident management decision-making and
execution of actions at each stage of the accident progression should be available.
Instrumentation should provide data to support the operator actions and to monitor the
effectiveness of accident management actions. Adequate instrumentation should also

23
 be provided for entry and exit criteria used in accident management. Typical parameters
that are used in accident management programme are given in Appendix-B.
3.7.12 Essential instrumentation needed for monitoring core, containment and spent fuel
conditions should be identified. These monitoring functions should be maintained
throughout an extended SBO. A list of instrumentation for each stage of the accident
progression for obtaining the necessary information on key parameters such as neutron
flux, temperature, pressure, flow, water level, combustible gas concentration and
radiation level should be established. In case of unavailability of direct parameter
monitoring, indirect parameters can be co-related and may be made use of. Use of
portable instrumentation may be considered in the accident management programme.

3.7.13 Guidance should be provided to validate important instrumentation outputs (i.e., those
used for symptom based diagnosis of potential challenges to fission product barriers or
for confirmation of the effectiveness of implemented strategies). All important
instrumentation readings should be verified with other independent information17,18
where possible. This should also be emphasized in exercises.
3.7.14 The time needed for obtaining adequate information from plant parameters important
for accident management should be taken into account when developing guidelines.
3.7.15 It should be confirmed that information needed for decision making during execution
of accident management strategies can be obtained from the instrumentation in the
plant. Such information should be available in multiple places viz. main and
supplementary (if available) control rooms and OESC where the evaluation and
decision making are to be made.
3.7.16 The uncertainty of readings of instruments essential for accident management should
be assessed and appropriately considered.

Survivability of Equipment and Instrumentation

3.7.17 When adding or upgrading equipment/ instrumentation for design extension conditions
with out and with core melt, the equipment or instrumentation is expected to operate
under harsh environmental conditions (high temperature, high pressure, high radiation
level, high concentration of combustible gases, seismic acceleration, moisture and
corrosive environments, debris in the environment, wind-blown missiles and
submergence). The equipment and instrument performance under harsh environmental
conditions with reasonable assurance should be demonstrated either by equipment
qualification or by assessment of the survivability. The instrument readings may have
some inaccuracies in the harsh environment but it should be within acceptable range to
monitor the parameter with reasonable assurance.
3.7.18 Environmental conditions expected during accident conditions should be determined
using appropriate accident simulations which models the accident progression. These
simulations should also help to determine the necessary instrument ranges (including
margins), instrument mission times and anticipated environmental conditions including
uncertainties.

17
Instruments may continue to provide information, such as trends, even if the readings are not accurate.
18
For examples, sometimes, a degree of malfunction of thermocouples depends on temperature, humidity, salt
deposition and other environmental factors.

24
3.7.19 Survivability of the equipment/instrumentation that could be used in SAM should be
evaluated through a systematic review and assessment of equipment/instrumentation
functions and conditions based on the available knowledge and data, such as from
equipment environmental qualification for DBA, severe accident testing and analysis,
and engineering judgment. The following steps should be considered for assessment of
survivability:
a) identification of accident management actions for mitigating severe accidents
b) definition of fuel and core damage stage (plant damage conditions) and time period
for each accident management action
c) identification of equipment and instrumentation designated to perform each of the
actions
d) determination of the bounding environmental conditions expected for this
equipment and instrumentation within each time period.
e) cumulative environmental effects should be considered including passive and
active phases.
f) Capability demonstration that the equipment will survive to perform its function

3.8 Personnel Staffing and Needs

3.8.1 Persons with designated roles and responsibilities who will be part of the accident
management should be identified. This should take into account of accidents
developing over a long period so that adequate shift manning is always maintained.
3.8.2 Adequate staffing levels and personnel qualifications should be established for
implementation of accident management measures taking into account the possibility
that multiple units can be affected simultaneously and taking into account the
requirements for emergency response. Staffing should be capable of sustaining an
adequate response until relief arrives when the plant is isolated for some time.
3.8.3 Acceptable working conditions (habitability) should be provided to plant and external
support personnel in situations where the site is partially or totally isolated from
continuous off-site support.
3.8.4 The shift change over document should contain at least severe accident related
information such as the severe accident sequence development, the procedures and
guidelines in use at the time of the transition from the preventive to the mitigatory
domain, the emergency teams involved in the mitigation, possible instrumentation
inaccuracies and the recovery actions undertaken for unavailable systems. During
turnovers, the new shifts should be provided with the accident-related information as
well as other information deemed appropriate to maintain continuity in strategies for
managing the accident.
3.8.5 Contingency plans should be developed for situations where accident management staff
have been incapacitated or when outside support may be delayed.
3.8.6 Contingency plans, training and guidance should be developed to help personnel cope
with the emotional stress affecting personnel performance during a natural disaster or
nuclear accident.

25
3.9 Organizational Aspects, Responsibilities and Interfaces with Emergency
Preparedness and Response

Roles and Responsibilities

3.9.1 The Onsite Emergency Response Organisation typically carries out the functions as
depicted in Figure 3.

On-site Emergency Response Organisation

Accident management:
Performing functions to manage the accident at the plant. This includes
evaluations, recommendations, implementation and necessary decision
making.

Emergency Response:
i. Assessment of the emergency arising from the plant conditions and
declaration of appropriate emergency classification.

ii. Onsite response: fire, medical, communication, survey, rescue,

security, transport etc.

iii. Provides recommendations/guidance to the ‘Responders’, having

mandated responsibility for implementation of the emergency plans
in the public domain

Dose assessment and determination/recommendation of response actions

(on-site and off-site) based on plant conditions.

Figure 3: Typical functions of on-site emergency response organization

3.9.2 Roles of personnel involved in accident management should be clearly defined and
documented, including:
a) Evaluators: The role of evaluators is to assess the plant conditions,
identification of potential actions, evaluation of the potential impacts of these
actions and recommendation of actions to be taken, assessing the outcome of
actions after implementation and dose assessment in support of accident
management actions.
b) Decision Makers: The role of decision makers is to approve the recommended
action or deciding other appropriate actions for implementation.
c) Implementers: The role of implementers is to operate the equipment as
necessary including verification of operation. This includes remote operations
from the control room and also local actions by appropriate personnel to
recover or connect equipment.

26
The elements, roles and responsibilities of personnel involved in accident management are
depicted in Figure 4.

Accident Management

Evaluation and Decision Making Implementation

Recommendation

Plant Assessment: MCR/Field

a) Evaluate plant a) Authorize strategy Actions/Damage Control:
symptoms implementation a) Perform immediate
b) Determine plant b) Make informed decisions actions
conditions on on-site actions (e.g. b) Implement new
c) Review status of containment venting) that strategies and actions
equipment recovery may impact off-site c) Ensure ongoing
d) Identify and prioritise emergency activities strategies can be
strategies for accident c) Determination/recommenda continued
management tion of off-site actions (if d) Implement actions to
e) Assess positive and any) recover failed
negative aspects of d) Evaluate offsite equipment
strategies consequences of
f) Recommend recommended actions (if Emergency Response:
implementation of applicable) Rapid response team (fire,
strategies and actions medical, rescue), Survey
g) Monitor safety function teams, Communications
status, plant response to team, Security, etc.
actions and for exit
conditions
Radiological Assessment:
a) Dose monitoring and
assessment
Figure 4: Elements, roles and responsibilities of the personnel involved in accident
management

3.9.3 The decision making authority should lie with the emergency director/advisory group
in both preventive and mitigatory domains. Until the emergency director/advisory
group takes charge, the control room staff should continue to make necessary decisions.
3.9.4 The emergency director should be granted the authority to decide on the
implementation of accident management measures proposed by the plant evaluation
group or, when necessary, based on his own judgment. The emergency director should
maintain a broad understanding of the actual status of the plant, plant capabilities and
vulnerabilities and key accident management actions, including their off-site effects.
The emergency director should have the authority to take any necessary actions to
mitigate the event including venting containment or injecting low quality water into the
reactor without the need for external authorization.

27
3.9.5 Responsibilities and authorities for implementation of certain accident management
actions with a potentially significant impact19 should be established in the on-site
emergency response organization.
3.9.6 Contingency, where a certain authority level is incapacitated should be addressed in the
accident management programme20. This should identify an alternative authority and
decision maker.
3.9.7 When external support to accident management is contemplated, responsibilities,
priorities and contingencies should be addressed in a way that minimizes the possibility
of negative interaction between activities performed by site personnel and external
support teams. Accident management should be implemented to ensure that all teams
have a common situational awareness.
Transfer of Responsibility and Authority

3.9.8 The points at which authority for decision-making and implementation of accident
management actions is transferred should be clearly established.
3.9.9 When transferring responsibilities and decision making authority, impact of external
hazards should be considered, in particular, when placing the decision making authority
for accident management at both on-site and off-site locations. Guidance should be also
provided for the case of failure of the communication network.
3.9.10 In transferring the overall authority for accident management from the control room to
the emergency director, the functions that remain in the control room and actions that
can be decided upon by the control room staff independently of the emergency director
should be specified.21 As the control room staff is also responsible for the execution of
the measures decided upon by the emergency director, consistency, and a hierarchy,
between the two groups of actions should be established.
3.9.11 The transfer of responsibility and authority should not create a ‘vacuum’ in decision
making and necessary actions. Hence, formal transfer should not take place until the
new decision maker is ready to assume his/her role. Transfer of responsibilities and
authorities should be consistent with the emergency plan.
Onsite Emergency Support Centre

3.9.12 Personnel working in OESC should have a detailed knowledge of the procedures and
guidelines. They should have prompt access to the information on the plant status and
understanding of the underlying accident phenomena.
3.9.13 Criteria for activation of the OESC should be unambiguous, clearly specified in plant
procedures and/or on-site emergency plan. Accident management measures should
continue to be decided and carried out from control room until OESC is operational.
When there are multiple support teams, their responsibilities and interfaces should be
defined.
3.9.14 Depending on the situation, the OESC may be activated in the preventive domain and

19
For example, containment venting or use of un-borated water for injection to a PWR core and/or spent fuel pool
(SFP)
20
Incapacitation could be the result of site isolation.
21
These include activities that control room staff can carry out independently, such as maintaining support
conditions (e.g. room cooling, service water) and responding to some alarms; activities that the control room staff
should not do on their own (e.g. starting up major equipment) should also be specified.

28
 the Onsite Emergency Response Organisation should provide technical support to the
control room staff as necessary.
3.9.15 Support from qualified organizations, including the plant vendor or designer, should be
sought, if required, for evaluation and recommendation of appropriate accident
management measures. The mechanisms for calling on early support should be
established.
3.9.16 The mechanisms for ensuring the flow of information between the OESC and the
control room as well as from the OESC to other parts of the emergency response
organization, including those responsible for the execution of on-site and off-site
emergency plans, should be specified. As the occurrence of a severe accident will
generate extensive communication between on-site and off-site teams, care should be
taken that this communication does not disrupt the management of the accident at the
plant.
3.9.17 Information about the performance of the instrumentation and equipment required for
accident management should be made available to the OESC. Preferably the OESC
should have direct access to plant information required for accident management. The
availability and use of such information should be considered in the development of
guidelines. The plant information in the OESC should be recorded and monitored
appropriately.
3.9.18 Extended loss of AC power should be considered in providing for communication
between the control room, the OESC and off-site facilities.
Interfaces with Emergency Preparedness and Response

3.9.19 Appropriate interfaces between the accident management programme and the
emergency plan should be established for an effective response to emergencies
(including nuclear or radiological emergencies, both on-site and off-site).
3.9.20 A review of the emergency plan and accident management programme should be
performed with respect to the actions that should be taken according to the emergency
response plan and accident management strategy, to ensure that conflicts do not exist.
3.9.21 Use of the AMGs must interface with the organizational structure and actions defined
in the emergency plan to ensure a consistent and coordinated response to accident
conditions.
3.9.22 For multi-unit sites, the site emergency plan should include the necessary interfaces
between the various parts of the overall emergency response organization. Plant
emergency director should decide on the appropriate actions at that unit. An overall
emergency director (site emergency director) should also be assigned to coordinate
activities and priorities amongst all affected units on the site. Decision making
responsibilities should be clearly defined. In case of different operating organizations
at a given site, appropriate mechanism should be established on coordination of
emergency response activities including accident management guidance.

Communication Interfaces

3.9.23 Reliable communication network between the different locations of the emergency
response organization should be used. Guidance should be put in place for measures to
be taken if off-site communication fails and only the on-site emergency response

29
 organization remains functional. The effects of a station black out on the
communication equipment should be considered.
Management System

3.9.24 The operating organization should integrate all the elements of the accident
management programme within the existing management system so that processes and
activities that may affect safety are established and conducted coherently for the
protection of site personnel, the public, and the environment.
Quality Assurance Aspects of the AMP

3.9.25 The background documentation should provide a demonstration of compliance with the
relevant quality assurance requirements.
3.9.26 Operators should develop a programme for update and administrative control of
procedures and guidelines to take into account of changes that would be required
because of enhancements arising due to operating experience or due to any other reason.
3.9.27 Where modifications to procedures and guidelines are needed, it should be necessary
to determine the process for their implementation. Changes to documents should be
reviewed and recorded and should be subjected to the same level of approval as the
documents themselves.
3.9.28 The general process for administrative control of procedures should be well established
in NPPs. In general, the following should be considered when modifications to
procedures and guidelines are needed:
(i) changes should be verified
(ii) changes should be validated in agreement with their significance. Some very
small changes may not need validation, but the cumulative effect of many small
changes included in one revision or in different revisions should be taken into
account
(iii) old documents (e.g. procedures, guidelines, background documentation) should
be replaced with the revised documents in all the appropriate locations (control
room, onsite emergency support centre, etc.)
(iv) personnel should be trained on the new procedures and guidelines

3.10 Verification and Validation

3.10.1 The verification process should confirm the compatibility of instructions given in the
procedures and guidelines with referenced equipment, user-aids and supplies (e.g., non-
permanent equipment, job aids, strategy evaluation materials, etc.). It should also
confirm the correctness of a written procedure or guideline and ensure that technical
and human factors have been properly incorporated. The review of plant specific
procedures and guidelines in the development phase, in accordance with the quality
assurance regulations, forms part of this verification process.

3.10.2 The consistency of procedures and guidelines should be checked for the written
correctness with the documents such as plant-specific writer’s guide. For example, text
is readable with no typographical errors and that information is consistently organised
and presented.

30
3.10.3 The technical accuracy of verification involves checking of consistency of procedures
and guidelines with the background documents. Typically, the following should be
performed for the assessment of technical accuracy:

a) check the entry conditions, symptoms or states for correctness

b) identify and confirm sequences, steps, warnings and notes from source documents
c) ensure that specified values (quantitative information) are correct, plant specific,
margins are included and computed accurately. Also ensure that this information
is adequate for the operator
d) checking plant hardware information to ensure that the instrumentation exists at
the plant, and that the instrument is available during accident conditions’
delineations

3.10.4 The goal of validation is to ensure that the procedures and guidelines are usable and
correct. The level of detail in the procedures and guidelines should be checked for its
sufficiency and ease of understanding.

3.10.5 It should be checked that the procedures and guidelines are compatible with plant
responses, systems/instrumentation, shift manpower and control room/OESC
information to ensure that the operator is able to complete the required action with the
hardware and systems that are in place.

3.10.6 It should be checked whether shift manpower is adequate to comply with the actions
specified within the procedures and guidelines and whether policies for operator duties
and responsibilities conflict with actions specified in the procedures and guidelines. It
should also be evaluated whether time critical actions can be performed with the current
shift and in the allotted time and whether the operating crews can follow the sequence
of actions.

3.10.7 Validation of the procedures and guidelines should be performed by the most
appropriate or a combination of the following methods:

a) control room personnel performing the actions according to scenarios using the full
scope simulator
b) an engineering simulator or other plant analyser tool
c) the walk-through method, whereby personnel should conduct a step-by-step
enactment of their actions without carrying out the actual control functions
d) the table-top validation method, whereby personnel explain and/or discuss steps of
the procedure in response to a scenario. The table-top method may be used where
access to plant equipment is not practical
e) exercises

3.10.8 The evaluation process and acceptance criteria for SAMGs validation should address
issues related to the following topics during observation or participation in the
validation exercises:

a) interfaces between EOPs, SAMGs and other guidelines: clarity of transfer points,
appropriateness of timing, clarity of responsibilities during transitions;
b) control room guidelines: availability of necessary plant parameters, logical order
of decision steps, missing or extraneous steps, ability to accomplish steps, clear and
understandable instructions, communication considerations;

31
 c) OESC diagnostics: availability of necessary plant parameters, usability of
computational aids, appropriateness of parameters for plant conditions and threats,
logical order of diagnostic priorities, missing or extraneous steps, ability to
accomplish steps, timeliness of diagnostics cycle;
d) OESC guidelines: availability of necessary plant parameters from the control room,
logical order of decision steps, missing or extraneous steps, ability to accomplish
steps, applicability of SAMG strategies, clear and understandable instructions,
adequate consideration of negative impacts, clarity of SAMG decision-making
process, usability and scope of computational aids;
e) SAMG - emergency plan interface: conflicts of actions and priorities between the
emergency plan and SAMGs for particular plant conditions, clarity of
responsibilities for each SAMG step/action, coverage of guidance after exiting
SAMGs.

3.10.9 Validation tests should address the organizational aspects of accident management,
especially the roles of the evaluators and decision makers, including the staff in the
control room and OESC.

3.10.10Changes made to guidelines and procedures should be re-evaluated and re-validated, to

maintain the adequacy of the accident management programme.

3.10.11Validation should be performed in a way that realistically simulate the conditions

present during an emergency and include simulation of other response actions,
hazardous work conditions, time constraints and stress. Special attention should be paid
to the use of portable and mobile equipment, when such use is contemplated. This
should also include needed local actions, contingencies, and its proper connection to
plant equipment, multi-unit events, emergency lighting, etc., and the time needed for
these actions.

3.10.12All equipment identified in the accident management programme, including

nonpermanent equipment, should be tested to verify that performance conforms to the
requirements22. Testing should include the equipment and the assembled sub-system
needed to meet the planned performance.

3.10.13A cross-functional safety review of the plant should be performed with the objective of
fully understanding all accident management implications. This review should
incorporate a plant walk-down for assessing which kind of difficulties could exist for
practical implementation of accident management measures, in particular in case of an
external hazard.

3.10.14Staff involved in the validation of the procedures and guidelines should be different
from those who developed the procedures and guidelines. Developers/Writers of plant
specific procedures and guidelines should prepare appropriate validation scenarios and
should participate as observers to the validation process.

3.10.15The findings and insights from the verification and validation processes should be
documented and used for providing feedback to the developers of procedures and

22
Environmental conditions including temperature, pressure, humidity, radiation and chemicals will vary greatly
with the time and location so that the equipment important to safety must be established for the most severe
design basis accident.

32
 guidelines for any necessary updates before the documents are brought into force by
the management of the operating organization. The documentation should be stored
safely in order to provide for any future revalidation.

3.11 Accident Management Training and Exercises

3.11.1 Personnel responsible for performing accident management duties should be trained to
acquire the required knowledge, skills, and proficiency to execute their roles. A
comprehensive training programme for accident management should be prepared.
Training should include a combination of education (classroom training) and exercises,
supported by appropriate means, such as desktop training or adequate simulation tools.

3.11.2 The decision makers should be trained for understanding the consequences and
uncertainties inherent in their decisions; the implementers should ensure that they
understand the actions that they may be asked to take; and the evaluators should ensure
that they understand the technical basis upon which they will base their
recommendations.

3.11.3 Training should be developed using a systematic approach to training. This includes
identifying training needs, defining the training objectives, identifying the technical
basis for training material, developing training material and measuring the effectiveness
of training to provide feedback to the training process.

3.11.4 Training should be established and implemented for each on-site group and external
support group involved in accident management. Training should be commensurate
with the tasks and responsibilities of the participants, taking into account appropriate
technical level needed for each group. In-depth training should be contemplated for
people entrusted with critical functions in the accident management program.

3.11.5 Training material should be developed by subject matter experts and qualified trainers.
Further, experts could assist in answering questions that are beyond the capability of
professional trainers.

3.11.6 Training, including periodic exercises should be sufficiently realistic23 and challenging
to prepare personnel responsible for accident management duties to cope with and
respond to situations expected to occur during an event24, including accidents occurring
simultaneously on more than one unit, from different reactor operating states and in the
spent fuel pool. Training should consider unconventional line-ups of the plant
equipment, use of non-permanent equipment (such as diesels or pumps) as well as
repair of the equipment. Training material should address implementation of strategies
under adverse environmental conditions, including those resulting from external
hazards, under potentially high radiation situations and under influence of stress on the
anticipated human behavior.

3.11.7 Initial training as well as refresher training should be developed for all groups involved
in accident management. The frequency of refresher training should be established

23
Exercises should extend over a time period long enough not to unacceptably distort plant response, and allow to
test transmission of information during shift changes.
24
Special exercises should be developed to practice operating shifts and OESC personnel changeover and
information transfer between different teams

33
 based on the difficulty and importance of accident management tasks. The interval for
refresher training should be defined based on the outcome of exercises held at the plant.
Changes in the guidance and/or use of the guidance should be reflected in the training
programme.

3.11.8 Exercises should be based on scenarios that require application of a substantial portion
of the overall accident management programme along with emergency response. Large
scale exercises providing an opportunity to observe and evaluate all aspects of accident
management should be undertaken.

3.11.9 Accident management exercises should be performed periodically by considering the

unavailability of information sources, equipment and facilities that potentially could be
damaged in the accident.

3.11.10Criteria for evaluating the effectiveness of an exercise should be established. Such

criteria should characterize the ability of the team participating in the exercise to
understand and follow the evolution of plant status, to reach sound decisions (including
unanticipated events) and initiate well-founded actions, meet job performance criteria
and exercise objectives.

3.11.11Some of the scenarios used for exercises should consider core damage state, failure of
the reactor pressure vessel/calandria and containment.

3.11.12Attention should be paid to exercises that enhance the awareness of control room
personnel, OESC personnel on the need of overriding controls and interlocks along with
their possible consequences for implementing some successful strategies.

3.11.13Results from exercises should be systematically evaluated to provide feedback for

training programme, procedures, guidelines and organizational aspects of accident
management.

3.12 Updating Accident Management Programme

3.12.1 The accident management programme (background documentation, accident

management strategies, provisions, procedures and guidelines) should be updated as
and when new information becomes available. This may include the potential for new
accident scenarios, state-of-the art knowledge, experimental data obtained from severe
accident research programmes and lessons learned from the accidents, phenomena or
challenges to physical barriers, or any other significant effect on accident management
that had not been fully considered previously. PSA revisions which identify the new
accident sequences or changes in weightage of existing sequences, that were not part of
the basis of the existing accident management guidance should also considered in
updating the accident management programme.
3.12.2 The effect of any changes in the plant design including the available non-permanent
equipment or the operating organization on the accident management programme
should be evaluated. A formal process should be developed for updating the accident
management program when such changes are implemented.
3.12.3 The accident management procedures and guidelines that are based on a reference
design or some other generic source of information, should be updated when the
originator of the procedures and guidelines on the reference design issues a revision of

34
 the accident management programme.
3.12.4 When the new information challenges the basis of current external event design
assumptions, the capability of installed equipment and accident management
procedures and guidelines should be evaluated to determine if safety functions could
be compromised. Based on this evaluation, measures for updating the accident
management programme commensurate with the impact should be identified.
3.12.5 Strategies should be documented and maintained, including those for using non-
permanent equipment and including the technical background. Changes to the
documentation should contain a record of previous strategies along with the basis.
3.12.6 Any update of the accident management programme should include revision of
background documents including supporting analysis, as applicable used for their
implementation and training documentation.

35
 4 EXECUTION OF PROCEDURES AND GUIDELINES
4.1 In case of an emergency, in particular, one taking place in combination with an external
hazard, plant staff should assess the global situation on-site and ensure that their
emergency command and control structures (roles, responsibilities and authorities) are
capable of directing responses in accordance with established procedure and guideline
sets. If required, contingencies developed to re-establish command and control should
be implemented.
4.2 The assessment of the situation should include:
a) number of affected units
b) control facilities functionality and habitability
c) damage to essential structures and buildings
d) availability of access to essential buildings and equipment and
e) capability to communicate with off-site organisations.
4.3 Once the control room staff, while executing the EOPs, has reached the point of entry
to the SAMG domain, the transition from the EOP domain to the SAMG domain should
be made.
4.4 The control room staff should initiate actions under the SAMGs that apply until
responsibility for recommending actions is transferred to OESC and till emergency
response team takes over. This occurs when the OESC is operable, is informed about
the overall situation, has evaluated the plant status and is ready to give its first
recommendation or decision on execution of a SAMG. The control room staff should
continue to work with actions already initiated in the EOP domain provided they are
consistent with the rules of usage of the SAMG. The conflicts between EOP and SAMG
should be taken into account during execution.
4.5 The OESC should reassess plant conditions at regular intervals as the accident
progresses, to confirm or adjust the priorities for mitigatory actions.
4.6 Recommendations should be presented by the OESC evaluation personnel preferably
in written form to the decision maker, who will decide on the course of actions to be
taken.
4.7 Decisions on actions to be taken should be given to the control room staff in an
unambiguous manner that minimises misunderstandings. The main control room staff
should confirm the actions that were directed and should promptly report back the
progress and impact of these actions. Oral (telephone) communication to the control
room staff should preferably be carried out by OESC personnel who is a licensed
operator.
4.8 The key plant parameters should be displayed in an easily accessible way, e.g. by
optical means (displays) or by wall boards. Long term station blackout should not lead
to loss of data. Trends should be noted and recorded. Actions taken should also be
recorded. Other relevant information, such as the EOP or SAMG applicable at the time,
emergency alerts for the plant and planned releases of radioactive material should also
be recorded. Adequate technical means should be available for this.

36
4.9 The timing and magnitude of possible future releases as a consequence of accident
management guideline actions or their failure should be estimated at regular intervals,
and should be communicated in a suitable form through proper channels to the
organization responsible for further actions.
4.10 The work at the OESC should be well structured and based on a clear task description
for each staff member. The OESC personnel should convene in sessions at regular times
and should leave sufficient time for individual staff members to do their analysis
between these regular sessions.
4.11 The OESC personnel should ensure that external organisations are aware of planned
actions with potential impact on the plant surroundings. Through consultations it should
be ensured that off-site response organizations are aware of and prepared for planned
releases. Alternatively, the releases should be delayed to a later time, if such a shift is
compatible with the accident management actions foreseen. Final decision making rests
with the person at the highest level in the Emergency Response Organisation.
4.12 A mechanism should be put in place to assign priorities in case of a conflict between
planned releases and the off-site readiness. In principle, priority should be assigned to
the actions that prevent major damage to the fission product barrier still intact.
4.13 The process for decision making should take into account the fact that decisions may
have to be made in a very short time frame. A basic principle is that the decision making
process should always be commensurate with the time frame of the evolution of the
accident.

37
 5 DOCUMENTATION OF ACCIDENT MANAGEMENT
PROGRAMME
5.1 Aspects of accident management should be described by a set of accident management
documents consisting of procedures, guidelines together with their technical basis and
supporting safety analysis reports for justifications, explanations, verification and
validation. There are also other related documents such as description of the reactor
physical protection, PSA studies, equipment and instrumentation survivability assessments
and reactor evaluation reports (e.g. stress test)that should be available as appropriate.

As a minimum, the licensee should have the following documented information:

 goals and principles used for development and implementation of the accident
management
 technical basis and results of probabilistic and deterministic analyses conducted in
support of accident management
 EOPs/equivalent procedures or guidelines and SAMGs performance capabilities for the
systems and equipment that are used in support of accident management procedures
and actions
 list of plant parameters that are used in accident management programme
 responsibilities of persons and organizations involved in accident management,
including requirements and plans for personnel training
 results of the accident management validation and reviews
 equipment and instrumentation survivability assessments

The technical basis documents provide technical information important to the identified
accident management measures. They can build-on or provide a cross-reference to the
existing technical descriptions. They should include, but not be limited to:

 justification for selection of accident scenarios and coverage, including a general

description of reactor response to accidents
 distinct stages of an accident progression if no accident management actions are
credited
 understanding of phenomena and the associated physical processes, including
challenges to fission product barriers and the associated mechanisms and conditions
 state of the current knowledge of the phenomena, including current predictive
capabilities for modelling the phenomena and physical processes and analytical and
experimental supports
 any other special topics or important aspects for the development and verification of
EOP and SAMG

Reviews and revisions of the accident management documents should be tracked and
controlled.

38
 APPENDIX-A: ACCIDENT MANAGEMENT ACTIONS

The following is a typical list of accident management actions in response to the plant damage
conditions as applicable:
a) Inject water into the primary system/RCP seal/calandria vessel/calandria vault/End
Shield
b) Inject water into the containment
c) Containment sump/core catcher cooling
d) External cooling of RPV
e) Injection of water into the SGs/Boilers/Decay Heat Removal System
f) Spray within the RPV (BWR)
g) Spray into the containment
h) Injection of water to spent fuel pool
i) Restart RCPs
j) Depressurize the RPV (reliable depressurisation of the RCS in order to prevent high-
pressure core melt)
k) Depressurize the SGs
l) Isolate the Containment
m) Operate containment coolers
n) Control of the concentration of hydrogen and other flammable gases
o) Operation of igniters
p) Inert the containment with non-condensables (BWRs)
q) Steam inerting of the containment
r) Vent the containment
s) Establishment and maintenance of reactivity control in the reactor and in the spent fuel
pool.
t) Minimise the unfiltered releases of radioactive products

The actual list should depend on the plant’s characteristics and actual application will vary
from plant to plant. Both the positive and negative consequences of these actions should be
considered. This should be done for each plant damage condition to which these actions are
applied or for each of the guidelines that have been derived from these actions.

The following are the examples of positive and negative effects of some of the accident
management actions mentioned above:
a) Inject water into the RCS
Positive effects:
(i) A medium is provided to transfer heat away from the core.
(ii) It may help collapse the upper head steam void which enables RCS pressure
reduction.

Negative effects:
(i) A possible high pressure spike is generated when water is added to an overheated
core.
(ii) Hydrogen may be generated as a result of the zirconium–water reaction.
(iii) Injection of un-borated water may lead to re-criticality.
(iv) A steam explosion is possible if the injection rate is too fast.

39
b) Inject water into SGs
Positive effects:
(i) Heat removal from the secondary side is provided, which could lower the primary
pressure and promote primary side water injection.
(ii) The tubes are protected from over temperature conditions and the possibility of
tube creep rupture is reduced.
(iii)Fission products are scrubbed if SG tube leakage has occurred.

Negative effects:
(i) Thermal shock from feeding a dry SG could cause the tubes to fracture.
(ii) Creep rupture of tubes could occur when a hot, dry SG is fed by lowering the
pressure on the secondary side of the tubes.

c) Depressurization of the SGs

Positive effects:
(i) Lower pressure water pumps can be used to feed the SG.
(ii) Heat is removed from the primary side of the SG.
Negative effects:
(i) Creep rupture of the SG tube may be possible due to depressurization of the
secondary side of the SG and promotion of circulation on the primary side of the
tubes.
(ii) If developed head of low pressure water pumps are sufficiently low, SG dryout
may be necessary to reduce the pressure enough to allow feed.

d) Restart of RCPs
Positive effects:
(i) Any water volume in the cross under pipe will be sent to the core, which removes
heat and offers some temporary retardation of core melt.
(ii) A recirculation path with the SG for reflux cooling could be established.

Negative effects:
(i) A recirculation pathway to the SG can be started and, if any SGs are dry, tube
creep potential is increased.

e) Flooding of the reactor cavity

Positive effects:
(i) Vessel failure can be prevented or delayed (to avoid creep rupture of the vessel) if
the water level inundates the vessel sufficiently.
(ii) A heat sink for the RPV is provided and reactor coolant boil-off is reduced,
provided the RPV insulation does not prevent the submerged vessel from
steaming.
(iii)The corium–concrete interaction is reduced if the RPV fails, even if the cavity is
covered by only a small amount of water.

40
 Negative effects:
(i) If flooding is accomplished by containment spray, condensation of steam in the
containment can result in to ‘de-inerting’, which can increase the possibility of a
hydrogen combustion.
(ii) Extended water injection into the containment could submerge safety related
equipment.
(iii)Extended injection of external water sources into the containment could cause long
term corrosion cracking concerns.
(iv) A steam explosion is possible.

f) Depressurization of the RCS

Positive effects:
(i) A low pressure water make-up system is allowed to supply water to the RCS.
(ii) Stress in the primary system is reduced, thereby decreasing the probability of creep
rupture of SG tubes or reactor coolant system piping.
(iii)The effect of high pressure RPV failure is reduced, i.e. DCH concerns and corium
relocation outside the RPV.

g) Spraying water into the containment

Positive effects:
(i) The pressure and temperature in the containment is reduced, thereby reducing the
challenge of containment failure and leakage.
(ii) The airborne fission products are washed out, thereby reducing their release
through any containment leakage.
(iii) Cavity flooding is promoted.
Negative effects:
(i) Condensation of steam in the containment can result in to ‘de-inerting’, which can
increase the possibility of a hydrogen combustion.

h) Operation of containment fan coolers

Positive effects:
(i) The pressure and temperature in the containment is reduced, thereby reducing the
challenge of containment failure and any leakage.
Negative effects:
(i) Condensation of steam in the containment can result in to ‘de-inerting’, which can
increase the possibility of a hydrogen combustion.
i) Venting of the containment
Positive effects:
(i) The pressure in the containment is reduced, thereby reducing the challenge of
containment failure
(ii) Reduction of ground level releases
(iii)Reduction of mass of hydrogen in the containment
(iv) Trapping of fission products in scrubbers and filters
Negative effects:
(i) Release of FPs if filtering and scrubbing are not efficient
(ii) De-inerting of the containment
(iii)Hydrogen combustion in the vent line.

41
 APPENDIX-B: TYPICAL PLANT PARAMETERSUSED IN
ACCIDENT MANAGEMENT PROGRAMME
B.1 Following is the typical plant parameters used in accident management
programme of water cooled reactors:
(i) SG water level
(ii) SG pressure
(iii) Primary heat transport system/reactor coolant system pressure (pressuirser
pressure, accumulator pressure, safety injection header pressure)
(iv) Emergency core cooling system (ECCS) flow rates
(v) Position of pressurizer relief valves
(vi) Position of isolation valves on the main steamline
(vii) Water level in spent fuel pool
(viii) Dose rate at the plant site
(ix) Containment pressure and temperature
(x) Hydrogen, oxygen and steam concentration in the containment
(xi) Location of core debris: temperature (e.g., in different containment
compartments and/or embedded in structures where the corium is expected to
relocate)
(xii) Success of water injection and cooling functions: reactor vessel/primary heat
transport system pressure and temperature, calandria and calandira vault water
level, pressure and temperature, containment pressure and temperature, water
levels at relevant locations, temperatures in the cooling chain and flow rates of
cooling systems
(xiii) Radiation levels in the containment, site releases, radiation activity
measurements in release routes (e.g. use of online decision support system)
(xiv) Post-accident sampling of containment environment
(xv) Monitoring the position of isolation valves and other important valves
(xvi) Integrity of the steam generator tubes: reactor coolant system temperature,
activity in secondary side

B.2 Symptoms generic to LWRs:

(i) RPV level

(ii) Emergency condenser level, pressure, temperature
(iii) Core temperature (RCS temperature, RPV metal temperature, core exit
temperature, hot/cold leg temperature difference, sub-cooling margin)
(iv) Pressure vessel melt through: temperature or other suitable parameters (e.g.,
outer wall of the RPV)
(v) Water level in the containment (containment recirculation sump level, Re-
fuelling Water Storage Tank level)
(vi) Containment pressure
(vii) Water level in the reactor cavity
(viii) Re-criticality: neutron flux measurements or relatable parameters25

25
Survivable instrumentation can be used as long as the core is within the pressure vessel; sharp increase
(unexpected behaviour) in containment pressure and temperature measurements may be an indication of re-
criticality

42
 (ix) Temperature of the corium for RPV breach
(x) Temperature in the core catcher
(xi) Water level in the core catcher
(xii) Temperature of reactor cavity concrete

B.3 Symptoms generic to PHWRs

(i) Water level in decay heat removal condenser

(ii) The PHT temperature (PHT temperature, RIH/ROH temperature difference,
sub-cooling margin)
(iii) The water level in the containment (sump/suppression pool level)
(iv) The calandria level
(v) The calandria vault level
(vi) The temperature of the calandria vault water

43
 APPENDIX-C: TYPICAL EXAMPLES OF PLANT DAMAGE
CONDITIONS
The term ‘plant damage condition’ is used to describe the degree of damage to the reactor core
including fuel, the reactor pressure vessel/coolant channel/calandria/calandria vault and the
containment. Typical categorisation of the damage conditions in increasing severity of the
postulated accident are described below for water cooled reactors and may adopt a different
categorisation based on present state-of-art:

C.1 The plant damage conditions may be classified as follows for PWRs and BWRs:

The following are the typical damage conditions for the core:

a) Oxidised fuel: This damage condition represents degraded fuel conditions in which the
fuel cladding has undergone oxidation but fuel degradation is not sufficient to lead to
appreciable relocation of fuel debris. In this state, the coolable geometry of the fuel
does not differ significantly from that before the initiation of fuel damage. This damage
condition is applicable to fuel both in the reactor core and in the spent fuel pool.

b) Badly damaged core: This damage condition represents a degraded fuel condition in
which significant fuel relocation has occurred so that the coolability of the fuel
geometry has degraded. One consequence of such fuel relocation is to introduce flow
blockages in the fuel matrix. These blockages serve to limit the access of cooling water
to the fuel material. This damage condition is applicable to fuel both in the reactor core
and in the spent fuel pool. This damage condition for fuel in the reactor core will include
potential challenges to the integrity of the RPV lower head. Similarly, this damage
condition for fuel in the spent fuel pool will include potential challenges to the spent
fuel pool structure.

c) Core ex-vessel: This damage condition represents a degraded fuel condition in which
core debris has relocated into containment. This is the damage state in which direct
attack of the concrete containment can occur. This damage state is of relevance to
degraded reactor core fuel.

The following are the typical damage conditions for the containment:

a) Containment closed and cooled26: This damage state represents a condition in which
the containment is intact and no appreciable build-up of energy is occurring within the
volume. This damage state applies to both the primary and secondary containments.

b) Containment challenged: This damage state represents a situation in which either

appreciable quantities of energy have built up within the containment volume or
flammable gases are present in a mixture that could ignite given the presence of an
ignition source. Such a damage state applies to both the primary and secondary
containments.

c) Containment impaired: This damage state represents an impaired containment state

26
This is not really a containment damage condition, but is a relevant plant damage condition if associated with
one of the mentioned core damage conditions.

44
 in which either containment isolation is not complete or a breach of containment has
occurred by some other means. This damage state applies to the primary containment.
d) Containment bypassed: This damage state represents conditions in which there is a
breach in the reactor coolant system that could bypass the containment boundary.

C.2 The plant damage conditions may be classified as follows for PHWRs:

a) Damage condition 1: The fuel channels have lost water inventory, dried out and heated
up. The fuel sheath is oxidized and the pressure tubes have ballooned/sagged into
contact with the calandria tubes. The moderator removes most of the decay heat.

b) Damage condition 2: The moderator level has dropped exposing several upper
channels (due to moderator rupture disk bursting due to boiling or in-core LOCA). The
exposed channels have heated up, sagged, oxidized and broken apart collapsing onto
lower submerged channels or dropping to the bottom of the calandria vessel. Most of
the decay heat is removed from submerged channels as well as some of the decay heat
of the collapsed fuel channels that are now submerged.

c) Damage condition 3: The moderator inventory is exhausted (boiled off slowly or

drained quickly due to type and location of break). All channels have heated up, sagged,
oxidized and broken apart leaving a rubble pile of ‘corium’ (mix of fuel and core
structural materials) at the bottom of the calandria vessel. The steel calandria vessel and
surrounding biological shielding materials (water, or concrete) remove some of the
decay heat. The structure is not capable of removing all decay heat and the corium will
eventually melt through; however, adding water to the calandria vault can prolong this
state.

d) Damage condition 4: Corium has penetrated through the calandria vessel and is on the
concrete floor. Accumulated water may quench the molten corium.

e) Damage condition 5: Due to lack of water or insufficient contact area for boiling, or
due to formation of an upper crust, the corium attacks the concrete referred to as molten
core concrete interaction. Ablation of concrete produces steam, H2, CO and CO2. The
degree to which the molten core concrete interaction can be terminated depends on the
decay heat (which diminishes with time), the surface area of the melt (affects rate of
cooling by a water layer, limited by the critical heat flux) and the availability of water.

The damage states with respect to containment for LWRs discussed above are also
applicable to PHWRs.

45
 APPENDIX-D: TYPICAL LIST OFPARAMETERS FOR
ENTRY/EXIT CRITERIA
Transition from the EOP domain to the SAMG domain should take place if preventive accident
management is unsuccessful. The SAMG should specify the parametric values for the transition
along with its justification. The transition is based on symptoms indicating the onset of fuel
damage or the fact that fuel damage is imminent. This is done by recognising certain
representative and measurable plant parameters, e.g. the core exit temperature (typically for
PWRs) or the failure to maintain a minimum level in the RPV (typically for BWRs) or by
defining thresholds, or using recognised and predefined degraded states based upon the analysis
of a set of related parameters.

Termination and exit from SAMGs should be specified in addition to entry criteria. The exit
conditions should be based on measurable data indicating that safe and stable conditions have
been successfully achieved.

Typical entry criteria parameters for SAMG in PHWRs, PWRs and BWRs are given in D.1,
D.2 and D.3 respectively. Shutdown states may have additional/separate criteria parameters.
Typical exit criteria parameters is given in D.4.

D.1 Entry criteria parameters for PHWRs

(i) Sub-cooling margin in inlet/outlet headers
(ii) Moderator low level
(iii) Radiation level in the containment
(iv) Steam generator low level

D.2 Entry criteria parameters for PWRs

(i) RPV flooding not successful
(ii) Core exit temperature and/or ECCS is not available
(iii) Superheat on the core exit temperature thermocouple
(iv) Radiation level in the containment

D.3 Entry criteria for BWRs

(i) Minimum cooling level in RPV
(ii) Radiation level in the containment

D.4 Entry criteria for SFPs

(i) Spent fuel pool level going below alarm level
(ii) Spent fuel pool water temperature
(iii) Dose rate

D.5 Exit criteria

(i) Reactor core temperature < X* AND stable or decreasing
(ii) Dose rate< Site emergency levels AND stable or decreasing
(iii) Pressure inside containment < X* AND stable or decreasing
(iv) Hydrogen concentration inside containment < 4% in dry air AND stable or
decreasing
(v) Availability of ultimate heat sink

*X = Certain value of a given parameter

46
 APPENDIX-E: COMPUTATIONAL AIDS
The stress level of all personnel will be high during the accident progression. Therefore, by
reducing the potential for human error, ease of application will increase the overall success of
the response organization. One of the possible ways of accomplishing this is to develop
calculation methods that may be used by the evaluators/implementers in mitigating plant
damage. Some of these could be developed prior to an actual event. Such computational aids
are presented in the form of parameter graphs, diagrams, tables, etc. The following is the typical
list of computational aids:

(i) RCS injection timing/rate to recover core

(ii) Coolant injection rate need for the removal of decay heat from the core, heat from
metal oxidation and accumulated heat of the RPV structural material
(iii) Coolant injection rates to calandria and/or calandria vault required
(iv) Injection rate for long term decay heat removal
(v) Amount of water that will prevent vessel melt through or calandria failure
(vi) Minimum water injection rate for retention of debris in RPV (BWRs)
(vii) Amount of water needed of effectively spray cool the containment
(viii) Hydrogen production
(ix) Containment atmospheric flammability
(x) Volumetric release rate from vent
(xi) Effect of containment venting on the flammability of hydrogen in the containment
(xii) Containment challenge – to determine whether depressurising the containment may
induce a (future) hydrogen challenge or burn
(xiii) Containment water level and volume (correlation between injected water and
containment water level to determine the flooding level)
(xiv) RWST gravity drain initiation and level (to estimate the flow rate into the containment
by gravity drain from the RWST)
(xv) Potential for re-criticality
(xvi) Time available for reaching different criteria
(xvii) Measuring the containment pressure and reading the hydrogen concentration may give
an immediate insight whether or not the containment is challenged

47
ABBREVIATIONS

AC Alternating Current
AERB Atomic Energy Regulatory Board
AMG Accident Management Guidelines
AMP Ageing Management Programme
AOO Anticipated Operational Occurrences
BWR Boiling Water Reactor
CA Computational Aid
DBA Design Basis Accident
DC Direct Current
DCH Direct Containment Heating
DEC Design Extension Conditions
DID Defence in Depth
DSA Deterministic Safety Analysis
ECCS Emergency Core Cooling System
EOP Emergency Operating Procedure
EPR Emergency Preparedness and Response
IAEA International Atomic Energy Agency
LOCA Loss of Coolant Accident
LWR Light Water Reactor
MCR Main Control Room
NEA Nuclear Energy Agency
NPP Nuclear Power Plant
NRE Nuclear and Radiological Emergency
OESC On-site Emergency Support Centre
PHT Primary Heat Transport System
PHWR Pressurised Heavy Water Reactor
PWR Pressurised Water Reactor
PSA Probabilistic Safety Assessment
RCP Reactor Coolant Pump
RCS Reactor Coolant System
RIH Reactor Inlet Header
ROH Reactor Outlet Header
RPV Reactor Pressure Vessel
RWST Refueling Water Storage Tank
SAM Severe Accident Management
SAMG Severe Accident Management Guidelines
SBO Station Black Out
SFP Spent Fuel Pool
SG Steam Generator
SSC Systems, Structures and Components

48
REFERENCES

[1] ATOMIC ENERGY REGULATORY BOARD, “Design of Pressurised Heavy Water

Reactor Based Nuclear Power Plants” Safety Code No. AERB/NPP-PHWR/SC/D
(Rev-1), Mumbai, (2009).
[2] ATOMIC ENERGY REGULATORY BOARD, “Design of Light Water Reactor
based Nuclear Power Plants” Safety Code No. AERB/NPP-LWR/SC/D, Mumbai,
(2015).
[3] CANADIAN NUCLEAR SAFETY COMMISSION, REGDOC-2.3.2, Version
2“Accident Management”, 2015.
[4] Cantemir, C., and Madalina, T., “Regulation of Emergency Operating Procedures and
Severe Accident Management Guidelines – Past Experience and Further Work”,
International Nuclear Safety Journal, vol. 4, issue 3, pp 1-12, 2015.
[5] NATIONAL COMMISION FOR NUCLEAR ACTIVITIES CONTROL (CNCAN),
“Guidelines for Regulatory Review of EOPs and SAMGs”, 2016.
[6] ELECTRIC POWER RESEARCH INSTITUTE, “Severe Accident Management
Guidance Technical Basis Report”, Volume 1: Candidate High Level Actions and
Their Affects, EPRI-Technical Report, 2012.
[7] George Vayssier, “From strategies to guidelines – creation of SAMG”, IAEA SAMG-
D course, IAEA, Vienna, October 2015.
[8] INTERNATIONAL ATOMIC ENERGY AGENCY, “IAEA Safety Glossary,
Terminology Used in Nuclear Safety and Radiation Protection”, 2016 Edition, IAEA,
Vienna (2016)
[9] INTERNATIONAL ATOMIC ENERGY AGENCY Safety Reports Series No. 32,
“Implementation of Accident Management Programmes in Nuclear Power Plants”,
Vienna, Austria, 2004.
[10] INTERNATIONAL ATOMIC ENERGY AGENCY Report on “Severe Accident
Management in the Light of the Accident at the Fukushima Daiichi Nuclear Power
Plant”, International Experts Meeting, Vienna, Austria, 2015.
[11] INTERNATIONAL ATOMIC ENERGY AGENCYTECDOC, “Analysis of Severe
Accidents in Pressurised Heavy Water Reactors”, IAEA TECDOC-1594, 2008.
[12] INTERNATIONAL ATOMIC ENERGY AGENCY Safety Guide No. NS-G-2.15,
Severe Accident Management Programmes for Nuclear Power Plants, Vienna,
Austria, 2009
[13] INTERNATIONAL ATOMIC ENERGY AGENCY Safety Standards Series, “Severe
Accident Management Programmes for Nuclear Power Plants ” Draft Specific Safety
Guide-DS483
[14] JOINT RESEARCH CENTER Science and Policy Reports, "Review of Current
Severe Accident Management (SAM) approaches for Nuclear Power Plants in
Europe", Report EUR 26967, Luxembourg, 2014.
[15] NUCLEAR ENERGY AGENCY, Committee on Nuclear Regulatory Activities,
“Accident Management Insights after the Fukushima Daiichi NPP Accident”, Report
of the CNRA task group on accident management, NEA/CNRA/R (2014)2, 2014.

49
[16] OKB Gidropress, “Participation in development of severe accident strategy for NPP-
2006 (AES-2006)”, 5th MDEP meeting, 2016.
[17] STUK Guide YVL A.6, “Conduct of Operations at a Nuclear Power Plant”, Helsinki,
Finland, 2013.

50
 LIST OF PARTICIPANTS

WORKING GROUP FOR DEVELOPMENT OF SAFETY GUIDE FOR ACCIDENT

MANAGEMENT PROGRAMME FOR WATER COOLED REACTOR BASED
NUCLEAR POWER PLANTS
Dates of meeting:
February 16, 2015 June 09, 2015
July 09 , 2015 May 17, 2016
May 23, 2016 June 02, 2016
June 15, 2016 June 23, 2016
June 28, 2016 July 04, 2016
July 19, 2016 March 16, 2017
April 04, 2017 May 15-19, 2017
May 30, 2017 June 01& 02, 2017
July 04&05, 2017 July20, 2017
August 02, 2017 March 08, 2019
March 18, 2019 April 02, 2019
April 10, 2019
Members of Working Group:
Shri Avinash J. Gaikwad (Convenor) : AERB
Shri K. Srivasista : AERB
Shri J. Arunan : AERB
Shri S. Hajela : NPCIL
Shri S. M. Saxena : NPCIL
Shri Prasanna Majumdar : BARC
Shri Utkarsh S. C. : AERB
Dr. R. S. Rao (Member Secretary) : AERB
Dr. S. P. Lakshmanan (Permanent Invitee) : AERB
Shri P. Krishna Kumar (Invitee) : NPCIL
Shri V. B. L. Jagannad (Invitee) : NPCIL
Shri Anuj Kumar Deo (Invitee) : AERB
Shri Aniket Gupta (Invitee) : AERB
Shri K. Mahesh (Invitee) : AERB
Shri Harpal Singh (Invitee) : AERB

Technical Editing by: Shri D. Gawande, Former, NPCIL

Copy Editing by: Shri R. Venkatraman, Former, AERB
51
 ADVISORY COMMITTEE ON NUCLEAR AND RADIATION SAFETY (ACNRS)

Dates of meeting:
October 07, 2017
July 06, 2019

Members of ACNRS:
1. Shri S. S. Bajaj, - Chairman
Former Chairman, AERB
2. Shri D. K. Shukla - Member
Chairman, SARCOP, AERB
3. Dr. N. Ramamoorthy - Member
Chairman, SARCAR, AERB
4. Dr. M. R. Iyer - Member
Former Head, RSSD, BARC
5. Shri U. C. Muktibodh - Member
Director (T), NPCIL
6. Shri V. Rajan Babu - Member
Director (T), BHAVINI
7. Prof. C. V. R. Murthy - Member
Director, IIT, Jodhpur
8. Shri H. S. Kushwaha - Member
Former Director, HS&E Group, BARC
9. Shri K. K. Vaze - Member
Former Director, RD&D Group, BARC
10. Shri S.K. Ghosh - Member
Former Director, CE Group, BARC
11. Dr. S. C. Chetal - Member
Former Director, IGCAR
12. Shri A. R. Sundararajan - Member
Former Director, RSD, AERB
13. Dr. A. N. Nandakumar - Member
Former Head, RSD, AERB
14. Shri S. T. Swamy - Member Secretary
Head, RDS, R&DD, AERB

52
AERB SAFETY GUIDE NO. AERB/NPP-WCR/SG/D-26

Published by: Publication Cell,

Atomic Energy Regulatory Board,
Niyamak Bhavan, Anushaktinagar.
Mumbai – 400 094