LESSONS FROM SAMG EXERCISES FOR EXISTING AND NEW REACTORS

George Vayssier,

NSC-Netherlands

Hansweert, The Netherlands

Bob Lutz (retired Westinghouse, USA)

Lutz Consultants,

Asheville, NC, USA

Abstract

Many NPPs have procedures/guidelines to mitigate severe accidents, so-called Severe Accident Management Guidelines (SAMG). These, however, are a tool that can only help operators to mitigate such accidents, as the plants have not been designed to cope with severe accidents. Advanced reactors have features specifically designed to mitigate the consequences of severe accidents. In addition, passive systems are used, decreasing the dependency on AC power. In this way, large releases should be 'practically eliminated'. However, hardware features and SAMG are only one side of accident mitigation; equally important is the associated organisation. Severe accidents may create havoc and chaos on the site, yet in the exercises observed such situations were hardly trained. Often, people were not really exposed to far-reaching scenarios, or they had no pre-defined functions, or worked in rooms without protection against radioactive releases. Staff used laptops to follow plant data, without the capability to recharge the batteries. Generic SAMG appeared to be badly understood, despite training by the vendor. Instruments were read at face value, and staff did not consider possible deviations caused by the hostile environment of the instruments. Some SAMG required recognition of vessel failure, without proper tools for the staff to do that. The paper describes such experiences, the role of mitigative features, and how they affect SAMG. 'Anti-severe-accident features' seem to have only marginal value without proper organisation and training.

1. INTRODUCTION

The design basis of nuclear power plants (NPPs) includes a number of accidents which must be controlled within specified design criteria. Operators use a set of Emergency Operating Procedures (EOPs) in order to control the accident. Usually, these EOPs go beyond the plant design basis, i.e. they also support the operator in these – unlikely – accidents. For example, a main steam line rupture (PWR) is covered by appropriate EOPs, but should also a tube suffer a rupture in the affected steam generator – which is an accident usually beyond the design basis – then still appropriate EOPs are available to the operator to support him/her.

Should the accident progress to core damage, then EOPs usually are not valid any longer, and many plants have specific guidelines in place, so-called 'Severe Accident Management Guidelines', SAMG. The prime objective of these guidelines is to protect the remaining intact fission product barriers and mitigate any releases, should these occur. As such accidents are (far) beyond the design basis, success cannot be guaranteed, and much then depends on the possibility to repair failed components and to hook up portable equipment. This uncertain outcome is also the reason why these countermeasures are shaped as guidelines rather than as procedures, as it may occur that the operator must deviate from the written guidance, due to the accident evolution.

The IAEA has developed guidelines for Member States to assist in building a package of SAMG, [1]. An essential part is the training on the application of SAMG, which is done in exercises/drills, where an accident is 'played' and the NPP applies the SAMG. Severe accidents can be extremely complex events, with much damage to the plant, possibly including fires and explosions, loss of control room, loss of staff, loss of control of the site. Hence, the Emergency Response Organisation (ERO) may face extreme difficulties in mitigating the accident. In subsequent sections, examples are given of exercises/drills at various plants and the lessons learned.

Advanced NPPs (Generation III) have a number of features that mitigate the consequences of core damage / core melt. A typical example is a core catcher, which is designed to prevent the corium material from interacting with the cavity (PWR) or drywell (BWR) concrete, which otherwise could generate large masses of CO2, which may ultimately fail the containment. Examples of core catchers are the melt trap in some larger VVERs, the BiMAC in some BWRs and the melt spreading room in the EPR. The APWR possesses a passive containment cooling device, which removes the decay heat from the core debris. Vessel meltthrough is prevented by external cooling of the reactor pressure vessel (RPV), a technique also in use in a number of Generation II NPPs.

Yet, although such features are extremely helpful, they do not replace the SAMG: appropriate guidance still is needed to mitigate the accident, and exercises/drills to train the accident mitigation using the guidelines.

2. EXPERIENCES IN EXERCISES / DRILLS

A number of exercises/drills have been attended and assessed by the authors. Some were so-called RAMP-missions by the IAEA (RAMP = Review of Accident Management Programme, for which guidelines have been developed in [2]. Note: RAMP is now a part of the IAEA DSARS programme, where DSARS = Design and Safety Assessment Review Service). Other missions were bilateral, i.e. on invitation from a regulator or an NPP to NSC Netherlands.

Some of the reports are in the public domain, notably a RAMP mission to Krsko NPP, Slovenia [3], a RAMP mission to Ignalina NPP, Lithuania [4], and an NSC Netherlands mission to Point Lepreau, New Brunswick, Canada [5]. The lessons learned as reported here, however, also include other NPPs, for which the reports are not in the public domain.

The assessments were based on IAEA documentation, such as [1] and [2], but included also experience the second author has obtained in watching exercises/drills in various plants. This experience has been included in a draft revision of [2], for which no published document existed during the reviews. It must be noted that the NPPs and regulators gave full cooperation, even where they exposed themselves to a critical review.

The assessments included the underlying documentation, such as the national regulation, the SAMG, their background documentation, underlying analysis such as PSA (Probabilistic Safety Analysis), documentation on verification and validation of the SAMG. In principle, the tasks as delineated in [2], were performed:

  • Definition of overall AMP and its compliance with the national requirements;
  • Quality and extent of accident analysis to support the AMP;
  • Assessment of plant vulnerabilities;
  • Development of severe accident management strategies;
  • Evaluation of plant equipment and instrumentation;
  • Development of AM procedures and guidelines;
  • Verification and validation of the procedures and guidelines;
  • Integration of AMP and NPP emergency plan;
  • Staffing and qualification;
  • Training needs and performance; and
  • AMP revisions.

The following are the major findings of the various reviews:

1. Improper use of the generic SAMG product

It appeared that one plant had used a generic set of SAMG as the basis for their plant-specific SAMG, yet appeared not to have understood the basic principles of the generic methodology. SAMG appeared to be mixed up with EOPs, where these two have a different focus (notably protection of fission product boundaries versus restoring core cooling), different characteristics (verbatim procedures for EOPs, guidance nature of SAMG) and different basis (largely intact core versus degraded/molten core). Some approaches indeed do not close their EOP upon entrance into SAMG, but then have a clear resolution in case of conflict. It also appeared that what was labelled to be a severe accident guideline, in fact was an EOP.

The particular plant had undergone training by the vendor, but apparently did not fully comprehend the SAMG approach.

Another plant had used elements of a generic product, but was unable to demonstrate a technology transfer from the vendor of that product to the NPP. Such a transition is extremely important, as the fundamentals of the generic approach must be transferred appropriately to the specific plant. For example, in a number of plants (PWRs), a creep rupture of SG tubes is risk relevant and placed high on the priority list, whereas in other plants other FPB challenges are more relevant.

Some plants had not really transformed the generic SAMG to the plant-specific SAMG, which is, however, an absolute 'must' for the development of proper SAMG. Some even used plain generic data for the transition from EOP to SAMG, where this always is a plant-unique / plant-specific value, to be obtained from proper analysis.

2. Improper or incomplete Technical Basis

The technical basis includes the vulnerabilities of the fission product boundaries (FPBs), the strategies that mitigate the challenges to the FPBs, and the effect of the different strategies during the various plant damage states. An excellent (generic) Technical Basis for PWRs and BWRs is in the EPRI Technical Basis Report, Vol. I, [6]. Various plants had no proper Technical Basis, e.g. it was unknown what the strategies would do during the various phases of the accident, notably whether they would be beneficial or detrimental under particular plant conditions. Some plants had used only one or two accident scenarios to develop their SAMG, far fewer than the number of severe accident initiators from both internal and external causes. The IAEA Safety Guide on Severe Accident Management, [1], has an Appendix with examples of scenarios to be considered, which is already ~30 for internal causes. The best approach is, of course, to use the plant PSA, although care must be exercised, as PSAs have been designed to estimate risk, not to define the best possible actions under SAMG.

3. Improper transition EOP – SAMG

A key element is the transition from EOP to SAMG. First, it must be defined on which parameters such a transition should be based (i.e. which threshold must be exceeded so that the EOPs are terminated and the application of the SAMG starts). Second, the transition must be made known to all involved, so that organisational issues can also be initiated, e.g., the transfer of decision making from the shift supervisor to the assigned decision maker (usually the plant manager, or operations manager). It appeared various times that the transition was unclear and, when it happened, it was not announced (so still many did not know).

In one case, it was established that the transition EOP-SAMG was placed at vessel failure. This is, of course, a fully inadequate transition point and is so for two reasons: 1. A massive release of fission products occurs already long before vessel failure, so that protection of fission product boundaries becomes the prime objective. 2. The meltthrough may not be monitored by the TSC, as it is difficult if not even impossible in a number of cases.

4. List of auxiliary equipment incomplete or absent

A major advantage is to have an overview of all available water sources and the way the water can be brought to its destination: the RPV, the cavity, the drywell floor. This should include temporary connections, such as via hoses, fire trucks, etc. A similar overview should be available for the power sources. In the exercises observed, such knowledge was not available in a structured way and had to be improvised on the spot.

5. Use of equipment that has been damaged by the accident or is not qualified for the prevailing environmental conditions

SAMG includes the equipment which is to be used during the mitigation efforts. During the development of the plant specific SAMG, the development team should investigate whether the equipment foreseen can be anticipated to remain functional under the prevailing conditions. This should include the instrumentation. For example, if a containment is to be flooded, instrumentation may get lost, or a connection to the containment vent may be flooded. In a number of cases, such analysis was not made.

6. Not considering the impact of the severe accident environmental conditions for the instruments which are read to initiate SAGs

A very serious error which was often observed is neglecting the impact of the severe accident environment on the plant instrumentation. Instruments were read at face value and actions initiated on the basis of these values. For example, the SG water level measurement depends on the containment pressure; ignoring this gives false information on the SG water content. This was also the trigger of the TMI-2 accident, as the operator believed the RPV was full, because the pressuriser was full. Similarly, in one of the Fukushima units, it was erroneously believed the RPV level was still appropriate.

7. Not considering the potential negative consequences of planned mitigative actions

Unlike in the EOP-domain, planned actions can also have negative consequences. An example is using the containment spray, which is always beneficial in the EOP-domain, but can in the SAMG-domain de-inert an initially inert containment atmosphere and so cause a hydrogen explosion. The various SAMG approaches also warn of such negative consequences. In the exercises observed, however, the question of potential negative consequences of proposed actions was seldom, or not at all, asked. Apparently, the mindset of TSCs was still in the EOP-domain, where such questions are not relevant, as the outcome of planned actions is well-known beforehand.

8. Lack of understanding the available time windows for mitigative actions

A severe accident has a certain evolution: various phenomena occur in a time sequence. For example, an early threat to the FPBs is an SG tube creep rupture, a later threat is the RPV meltthrough, and an even later threat is the failure of the containment by overpressure (assuming no earlier failure due to hydrogen explosion). This gives a certain sequence of the needed countermeasures, where these are also bound to a certain time limit. In a number of cases, however, it was observed that the TSC had no feeling for the available time for mitigative actions. For example, it took them 1.5 hours to re-establish the feeding of the steam generator, time which is not available under the threat of an SG tube creep rupture. It must be said that here the generic SAMG mostly does not give guidance either; this insight is really to be developed on a plant-specific basis.

9. Lack of integration between the various procedures

NPPs usually have procedures/guidelines of various types for accidents: the EOPs for the operator; the SAMG (mostly) for the TSC, including the use of portable equipment (sometimes called FLEX, for 'flexible response', with the guidelines called FLEX Support Guidelines); the Technical Support Guidelines (TSG) for the functioning of the TSC; and, for the ERO, the emergency preparedness (EP), including the response to extreme external events (mostly called Extensive Damage Mitigation Guidelines, EDMG). The complete set is then: EOPs, SAMG, TSG, FSG, EP, EDMG. Proper integration of these procedures/guidelines is essential, yet in the observed exercises this integration was often not complete. A notable weak point is often the transition between EOPs and SAMG. It was also often assumed that the TSC was already available at the beginning of the severe accident, whereas in most cases the TSC staff is on call and must come to the site. Often, no guidance was available on what to do between the exit of the EOPs and the beginning of execution of the SAMG under advice from the TSC. Note that this even happened in the generic approaches: in only one approach was such guidance generically available, then called 'Severe Accident Control Room Guidance' (SACRG).

10. Lack of proper verification and validation

Once the SAMG have been written, they should be verified and validated. Verification should confirm that the latest insights have been incorporated, and that analyses are adequate and state-of-the-art. Validation means that the SAMG can be executed by trained staff. In a number of cases, verification and validation (V&V) were not adequate or not done at all. Absence of V&V is equivalent to absence of SAMG at all. A good practice is to involve sister plants in the V&V process, as well as in exercises/drills. In a number of cases, the V&V was very limited or practically absent. It also happened that the V&V included only a number of the severe accident guidelines. In one exercise, it was observed that only one SAG had been addressed.

11. No SAMG on the system level

A number of plants do not have SAMG on the system level: they use 'handbooks' or other documents that treat the phenomena of severe accidents, but without guidance on the system level. Although insights into such phenomena are helpful to select the proper strategy, it ultimately must be decided to take actions on the system level, and this requires threshold data, beyond which the system must be put into action. Where NPPs select this approach, it must be made clear by many exercises that it functions. This functioning must be demonstrated by all involved plant staff, as the accident management should not be dependent on individual taste.

12. Lack of proper training and exercises/drills

A serious error which was observed in a number of cases is that exercises/drills were executed on a light accident scenario. Plant staff were not really exposed to the complex conditions of a fully developed severe accident, i.e. with large-scale core melting, large failure of supporting systems, loss of staff, loss of containment, etc., including the shift of personnel and overnight duration. Apparently, the objective was to be ready before lunch time or before normal working hours were over. Such exercises cannot be seen as realistic training of the aspects of a severe accident.