EOPs and SAMGs

Introduction
Accidents that progress to severe accidents will mostly have progressed from the EOP domain, where operators try to prevent core damage using all available means. Hence, it is essential for the readers to also understand the purpose and background of Emergency Operating Procedures as well as how these procedures are formatted. Therefore, this section describes the elements of EOPs in some more detail.
Accidents can be caused by failure(s) in the equipment, human performance errors or extreme external events. In the event that the progression of an accident cannot be halted by the EOPs, the accident may progress to the point where severe core damage occurs and is then mitigated by the SAMG, following a transition from EOPs to SAMG. The transition criteria are discussed below, sec. 2.8, and in some more detail in Module 3, chapter 5.
In the following section EOPs are described in further detail. For the EOPs, the text in this Module is partly based on IAEA Safety Report Series (SRS) 48, 'Development and Review of Plant Specific Emergency Operating Procedures' (2006). Note that this early report focuses on EOPs at power operation; nowadays EOPs generally also cover shutdown and refuelling states, as well as multi-unit considerations, where applicable.
Emergency Operating Procedures (EOPs)
Basis for EOPs
The IAEA Specific Safety Requirements document SSR-2/2 (Rev. 1) requires in Requirement 26: "Operating procedures shall be developed that apply comprehensively (for the reactor and its associated facilities) for normal operation, anticipated operational occurrences and accident conditions, in accordance with the policy of the operating organization and the requirements of the regulatory body."
SSR-2/2 (Rev. 1) requires further in sec. 7.3: "Procedures shall be developed and validated for use in the event of anticipated operational occurrences and design basis accidents. Guidelines or procedures shall be developed for the management of accidents more severe than the design basis accidents. Both event based approaches and symptom based approaches shall be used, as appropriate. The related analysis and justifications shall be documented."
Procedures for normal operation provide instructions for normal start-up and shutdown of the reactor, control of reactor power level, compensation for fuel burn-up, and control of the spent fuel pool coolant level. If anticipated operational occurrences occur, an alarm will be generated and, apart from automated actions, Alarm Response Procedures (ARPs) or Abnormal Operating Procedures (AOPs) are used to control the event and to bring the plant back to the normal operational state, i.e. within the Limits and Conditions for Normal Operation (often called 'Technical Specifications'). ARPs/AOPs are not further treated here; some general information is available in SRS-48, sec. 2.1.1.
Should the event require fast shutdown (´scram`) and/or initiation of the ECCS, the plant operators follow instructions in the Emergency Operating Procedures (EOPs) to bring the plant to a safe shutdown state. This process is followed for all Design Basis Accidents (DBA) and Design Basis External Events (DBEE). Examples of DBAs for PWRs and PHWRs are small break or large break LOCA (SBLOCA, LBLOCA), steam generator tube rupture (SGTR) and main steam line breaks. Examples of DBEEs are external events such as earthquakes, flooding, and extreme meteorological conditions. These typical events are derived from the accidents examined in the plant safety analyses.
EOPs can extend to events beyond the design basis (BDBA and Design Extension Conditions without significant fuel degradation, as defined in SSR-2/1 (Rev. 1)), such as Anticipated Transient Without Scram (ATWS), also called 'Anticipated Transient Without Trip' (ATWT), and Station Black-Out (SBO). EOPs, hence, cover all events with no or limited fuel damage; severe fuel damage events are mitigated by SAMG.
The various types of procedure (or guideline) can be linked to the various levels of Defence-in-Depth (DiD) as described in Module 1, section 2.2, and presented in Safety Report Series (SRS) 46, Table 1-1:
Normal Operating Procedures (NOPs) apply to DiD Level 1;
ARPs or AOPs apply to DiD Level 2;
EOPs apply to DiD Level 3 as well as, usually, to DiD Level 4 for events without significant fuel damage;
SAMGs apply to DiD Level 4 with significant fuel damage;
Emergency Preparedness (EP) is designed for mitigation of the consequences from significant radiological releases and hence applies to DiD level 5.
A clear picture of where the various procedures stand in a large number of NPPs is presented in Figure 1-8:

Figure 1-8: The various AM procedures in correspondence with the event severity (endnote 1)
Note that Figure 1-8 also specifies the decision making authority for the various stages. More details on the decision making authority during severe accident management will be provided in Module 4.
Scenario dependent / scenario independent EOPs
Initially, EOPs had been derived for specific events, such as a Large Break Loss of Coolant Accident (LBLOCA) or an SGTR. The underlying thought was that the operator would be able to recognize the event by identifying specific accident sequences. In other words, the event is expected to evolve in a certain predetermined way and follow a well-known and well defined sequence. Hence, apart from the various procedures for the events, a diagnosis schema was developed, for the operators to recognise what type of event had occurred and was going on.
Such procedures were shown to be highly effective, as they presented an optimal response to the event, which, of course, varied for different events. Usually, such procedures are called 'event-based procedures'. However, after the Three Mile Island (TMI) accident (1979), it was concluded that some events might not easily or not at all be recognised by the operator, because of failing instrumentation, human error or because a more complex event occurred than had been analysed in the design basis. This created the need for EOPs to handle events for which such recognition was not needed or not possible. Such procedures are called event-independent or scenario-independent procedures, or – erroneously – symptom-based procedures. The latter name derives from the fact that scenarios were not used as the basis for the procedures, just certain symptoms, which themselves were derived from observed parameters. However, as the event-based procedures are also based on observation of parameters, they can also be called symptom-based. A better name here is 'state-based procedures', as they depend on a certain observed plant state. Here the name 'symptom-based procedures' will be used.
The main difference between event-based procedures and symptom-based procedures is that symptom-based procedures are not focussed on the recovery from a certain assumed / observed event, but instead are focussed on the preservation of a certain set of primary safety functions, such as shutting down the reactor, making sure the reactor pressure vessel is filled with water and the decay heat removed, and the containment function intact. Such functions are often called 'Critical Safety Functions' (CSFs), a name we retain here to stay close to practice (endnote 2). They derive from the Fundamental Safety Functions as specified in Req. 4 of SSR-2/1 (Rev. 1): (i) control of reactivity, (ii) removal of heat from the reactor and from the fuel store and (iii) confinement of radioactive material, shielding against radiation and control of planned radioactive releases, as well as limitation of accidental radioactive releases.
Many PWRs and PHWRs use a combination of event-based and symptom/state-based procedures. BWRs often use only symptom/state-based procedures, which are linked to the three main parameters: RPV level, RCS pressure and plant power. But some of these plants have strengthened their procedures with an anticipatory-event procedure: if a strong seismic event is measured, plants located at the sea shore already initiate certain EOP actions for a tsunami that may follow, i.e. before any change of plant parameters has occurred (otherwise, without such change, no action would be taken before the tsunami hit, as only then would parameters in the EOPs change value).
As the development of EOPs is a highly complex task, many plants opt for a generic type of procedures, which then only need to be adapted to the specific plant at hand. Others have developed EOPs from 'scratch', i.e. developed their own technical basis for the EOPs, defined the counter actions and developed the related procedures.
Event-based procedures
Three major prerequisites exist for such procedures (largely from SRS-48):
a) The event that occurs is one among a well-defined set of anticipated events.
b) The operator recognizes (identifies) which particular event has occurred and is ongoing.
c) The event will evolve in a certain predetermined way and follow a well-known and well-defined sequence (typically obtained from a thermal-hydraulic analysis of that presupposed event).
In addition, it is assumed that:
d) The instruments are within their operability limits, i.e. they provide reliable indications under the prevailing accident conditions.
e) The required safety systems are available to perform their required safety functions; this requires the safety system to be environmentally qualified to function in the environment resultant from the initiating event. Other systems not designated as safety systems are included in the EOPs, but are not credited in the safety analysis for design basis events.
f) The event is a single event, i.e. there is no concurrent internal event requiring mitigation. However, external design basis events should be included, as they can occur during all plant states, i.e. also during the postulated accident (endnote 3).
Note that a single failure is assumed to occur along with the event for all events within the design basis up to and including DBA/DBEE, so that sufficient redundancy/diversity must be implemented in the design of the equipment used to mitigate the event. Note also that, depending on each Member State's practice, the application of the single failure criterion may not be requested for DECs. Finally, note that some EOP vendors place a probability target on the EOPs which they develop. For example, they develop EOPs for all events and combinations of events/multiple events for which the probability is above 10^-6 to 10^-8 per year (endnote 4). Thereby, such EOPs cover a wide range of events, far beyond the plants' design basis.
In CANDU PHWRs event-specific EOPs are provided for all single events which directly threaten reactor power control and fuel cooling / heat removal functions. The basis is that all foreseeable events with the potential for serious consequences or with a significant frequency of occurrence are anticipated and considered (endnote 5). Examples of abnormal incidents covered include the following:
• Loss of Heat Transport (HT) coolant with HT pressurized.
• Loss of HT forced flow with HT pressurized.
• Loss of high power heat sink.
The procedure will end when the plant is in a stable state (Critical Safety Parameters stable and acceptable).
At the end of the successful implementation of the EOPs, the plant will be in a safe shutdown state. Note that this is not necessarily a cold shutdown, which, if needed, is achieved under long-term accident management. Plant management may decide to repair failed equipment and restart the plant.
The main elements of event-based EOPs are, therefore:
• A diagnosis diagram, from which the operator selects which event is occurring.
• A set of procedures which cover all events that can be diagnosed from the diagnosis diagram.
• Safety analysis of the initiating event and the mitigating measures.
• Background documentation, which describes each step in the procedures and its justification.
The use of continuous or repetitive diagnosis helps to correct any initial misdiagnosis and ensures that the operators respond to changing plant conditions that could be more threatening to the core integrity than the initial event (cf. SRS-48 sec. 2.2.3).
Symptom / state based procedures
Note: also in this section the term 'symptom-based procedures' or 'state-based procedures' is used to indicate scenario-independent procedures.
As described, symptom-based procedures are not designed to mitigate specific events that have been previously identified using safety analysis and can be recognized from a diagnosis diagram. Instead, symptom-based procedures are used to ensure the preservation of the 'Critical Safety Functions', CSFs – and do so independent from any event recognition. They define an envelope beyond which the safety of the plant can no longer be assured and, hence, provide operators with guidance on how to stay within this envelope.
In practice, operators will first try to diagnose the event and follow the event-based procedures (endnote 6), as they provide an optimum response. However, the plant operators will need to monitor the plant state in parallel to ensure their actions do not cause the plant to operate outside its safety envelope, i.e. beyond the safety limits or constraints for the CSFs. Operation outside the safety envelope can occur if the operators have misdiagnosed the event, have made errors in the applicable event-based procedure, or subsequent instrument or equipment failures have occurred. Should any of the criteria for the CSFs be exceeded, operators should leave the event-based procedure and initiate execution of the state-based/symptom-based procedures, designed to maintain the CSFs. If the operators are then able to ensure the plant is within its safety envelope, they may return to the applicable event-based procedure and continue the actions of that procedure.
The CSFs can be challenged to various degrees. Some approaches just consider whether the CSFs are fulfilled or not fulfilled (endnote 7), others define a gradual approach and consider the CSFs fulfilled, slightly challenged, moderately challenged or severely challenged (endnote 8). The more severe the challenge, the more drastic actions are allowed, up to actions that may violate limits or conditions for component operation, such as, for example, an allowable cooldown rate of a mechanical component, or a low pressure that may damage an RCP seal (in a procedure that calls for an RCP restart at low pressure).
The CSFs are monitored by comparing a set of Critical Safety Parameters (CSPs) with pre-determined limits, to ensure that the CSFs and, therefore, also the Fundamental Safety Functions, are being preserved. Examples of CSFs are (endnote 9):
1. Subcriticality;
2. Core cooling;
3. Heat sink;
4. RCS integrity;
5. Containment integrity;
6. RCS inventory.
The CSFs are listed in order of priority.
Some vendors add other functions, e.g. steam generator (SG) integrity, or preserving vital auxiliaries (such as AC, DC, water) (endnote 10). CANDU PHWRs do not consider the CSFs directly, but instead identify a set of CSPs which can direct operating staff to ensure adequate fuel cooling and containment of fission products (endnote 11). These CSP-EOPs provide guidance to the Operations Staff for process disturbances which threaten the fuel integrity and for which one or more of the following is true:
a) Cause cannot be diagnosed.
b) Cause is incorrectly diagnosed.
c) Plant or Operator response to the diagnosed disturbance is inadequate.
d) Plant response or corrective actions cannot or have not been provided.
For CANDU PHWRs the CSPs are parameters whose values indicate whether reactor power is controlled, fuel is cooled and radioactive material is contained, ensuring integrity of the safety barriers. Typical CSPs shown in order of priority include the following:
1. Reactor power.
2. Heat transport system margin to saturation.
3. Containment activity.
4. Feedwater, Service Water and Condenser Cooling Water activity.
5. Containment pressure.
6. Containment water level.
The main advantages of symptom/state-based procedures (endnote 12) are:
• They work for a large range of events.
• There is no need to know the initiating condition to take corrective actions.
• Actions are appropriate, irrespective of the initiating event.
• Entry conditions are symptomatic of events which degrade into emergencies.
• Operators are assured actions are appropriate and are given more of an opportunity to determine the status of the overall plant.
• They give clear transition criteria to the SAMG, should one or more of the CSFs not be fulfilled.
• Use of existing plant event based procedures is still possible, and encouraged, to mitigate the event in an optimal way, once the event has been clearly identified.
The main disadvantages are:
• They may not be the optimum response to the actual event.
• They require generally more systems to operate and, hence, use more of the available resources of power and water than the applicable event-based procedure would have used (for example, depending on the plant design and specific assumptions on the PIE, an SGTR may not require operation of the ECCS, but these may be started to protect the CSF on core cooling).
Hierarchy of event-based versus symptom/state-based procedures (endnote 13):
• When symptom/state-based procedures are entered, they become the principal guidance to be followed.
• If operators diagnose the event and an applicable event-based procedure exists, concurrent execution may occur, provided:
o The specified actions do not conflict with direction given in symptom/state-based procedure;
o Time and resources permit;
o The specified actions do not result in loss or unavailability of equipment whose operation is specified in the symptom/state-based procedures.
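The CSF monitoring and hierarchy logic described above (graded challenge levels, CSFs checked in priority order, symptom/state-based procedure becoming principal once a CSF is challenged) can be made concrete as a small status evaluator. This is an added example, not taken from any vendor's EOP set or from this Module: the CSP names, limits and challenge bands are constructed placeholders, not real plant setpoints, and the treatment of a failed instrument as a severe challenge is a conservative choice made for the example.

```python
"""Critical Safety Function (CSF) status monitor (illustrative example).

Not from any vendor's EOP set: CSP names, limits and challenge bands are
constructed placeholders, not real plant setpoints.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Challenge(IntEnum):
    """Graded approach: fulfilled, slightly/moderately/severely challenged."""
    FULFILLED = 0
    SLIGHT = 1
    MODERATE = 2
    SEVERE = 3


# CSFs in the priority order given in the text (subcriticality first).
CSF_PRIORITY: List[str] = ["subcriticality", "core cooling", "heat sink",
                           "RCS integrity", "containment integrity",
                           "RCS inventory"]


@dataclass(frozen=True)
class Band:
    csp: str                            # critical safety parameter monitored
    low_is_bad: bool                    # True: challenged when value drops
    limits: Tuple[float, float, float]  # slight, moderate, severe thresholds


# Constructed CSP-to-CSF mapping; all numbers are hypothetical.
CSF_BANDS: Dict[str, Band] = {
    "subcriticality": Band("neutron_flux_pct", False, (1.0, 5.0, 20.0)),
    "core cooling": Band("core_exit_temp_C", False, (370.0, 650.0, 1200.0)),
    "heat sink": Band("sg_level_pct", True, (25.0, 10.0, 0.0)),
    "RCS integrity": Band("cooldown_rate_C_per_h", False, (55.0, 100.0, 150.0)),
    "containment integrity": Band("containment_kPa", False, (120.0, 250.0, 400.0)),
    "RCS inventory": Band("pzr_level_pct", True, (15.0, 5.0, 0.0)),
}


def challenge_level(band: Band, value: Optional[float]) -> Challenge:
    """Grade one CSF. A missing reading (None) is graded SEVERE: with the
    instrument outside its operability limits the CSF cannot be shown to be
    fulfilled (conservative assumption made for this example)."""
    if value is None:
        return Challenge.SEVERE
    level = Challenge.FULFILLED
    for lvl, limit in zip((Challenge.SLIGHT, Challenge.MODERATE, Challenge.SEVERE),
                          band.limits):
        breached = value <= limit if band.low_is_bad else value >= limit
        if breached:
            level = lvl          # bands are ordered, so keep the worst one
    return level


def evaluate_csfs(csps: Dict[str, Optional[float]]) -> Dict[str, Challenge]:
    """Grade every CSF from the current CSP readings."""
    return {csf: challenge_level(band, csps.get(band.csp))
            for csf, band in CSF_BANDS.items()}


def governing_csf(status: Dict[str, Challenge]) -> Optional[Tuple[str, Challenge]]:
    """Highest-priority challenged CSF; its restoration procedure is entered
    first, whatever the grading of lower-priority CSFs."""
    for csf in CSF_PRIORITY:
        if status[csf] > Challenge.FULFILLED:
            return csf, status[csf]
    return None


def procedure_direction(status: Dict[str, Challenge], event_diagnosed: bool,
                        actions_conflict: bool, resources_permit: bool) -> str:
    """Hierarchy rules: a challenged CSF makes the symptom/state-based procedure
    principal; an event-based procedure may run concurrently only if the event
    is diagnosed, its actions do not conflict, and time/resources permit.
    At SEVERE challenge, actions may exceed component operating limits."""
    gov = governing_csf(status)
    if gov is None:
        return "event-based" if event_diagnosed else "monitor CSFs, diagnose event"
    csf, level = gov
    direction = f"symptom-based: restore {csf} ({level.name})"
    if level == Challenge.SEVERE:
        direction += ", component limits may be exceeded"
    if event_diagnosed and not actions_conflict and resources_permit:
        direction += "; event-based procedure concurrently"
    return direction


# Constructed readings: a diagnosed SGTR with degraded feedwater, SG level 8 %.
SAMPLE_CSPS: Dict[str, Optional[float]] = {
    "neutron_flux_pct": 0.1, "core_exit_temp_C": 310.0, "sg_level_pct": 8.0,
    "cooldown_rate_C_per_h": 30.0, "containment_kPa": 105.0, "pzr_level_pct": 12.0,
}

if __name__ == "__main__":
    status = evaluate_csfs(SAMPLE_CSPS)
    print({k: v.name for k, v in status.items()})
    print(procedure_direction(status, event_diagnosed=True,
                              actions_conflict=False, resources_permit=True))
```

With the sample readings the heat sink CSF (moderately challenged) governs over the slightly challenged RCS inventory because it sits higher in the priority list, so the symptom-based restoration of the heat sink is principal while the diagnosed event-based procedure may continue alongside it.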
Format of procedures
The EOPs need to provide clear, concise and detailed instructions since the events for which they are written are infrequent in nature; an operator may have used them during simulator exercises, but probably never in actuality. Such detail reduces the risk of misdiagnosis, overlooking important information, an incorrect series of actions, incorrect priorities, human performance errors while acting under stress, not observing limitations on functions and capabilities, and divergent opinions between staff handling the event.
Various formats are in use, notably text style and flow chart style. Text style EOPs can be single column or dual column, where the left column represents the nominal actions and the right column contingencies for what to do if the nominal action fails. The flow-chart type links the various elements of an EOP (questions, actions, cautions - all contained in boxes) in a graphical form, from one element to the other, until an exit condition is reached. Boxes may also contain just the number of the step, where the steps are documented in separate texts or procedures. Flowcharts provide in this way a visual representation of the execution of the procedure. A flowchart provides, hence, a map of the procedure flow in addition to the required instructions and information.
Some, usually quite drastic, EOP actions may have negative consequences. For example, if the reactor (PWR) is made subcritical in an ATWS by shutting down the RCPs, the cold leg loop seal may collect non-borated water, which then may cause a reactivity transient if the RCPs are restarted. Or the envisaged cooling rate by dumping an SG may exceed the cooldown limits of the RPV. Such negative consequences should be investigated and included in the procedures.
In general, system safety is prioritised over system integrity. For example (PWR), an RCP-restart at low pressure may damage the RCP-seal and prohibit re-use of it. Yet, RCP-trip is mentioned in a number of EOPs.
As not all EOPs can or should be executed at the same time, priorities between them should be established. These can be chosen based on the priorities of the CSFs, e.g. subcriticality has the highest priority. Cautions should be defined and included, as should limitations in equipment and functions. These may lead to throttling or even termination of the operation of water injecting components. Of course, releases should be mitigated.
EOPs are to be executed verbatim, as the various steps have been pre-analysed in scenarios that are well understood. A good practice is to mention alternative possibilities, should the primary action not be available or not lead to the desired result.
Equipment to execute EOPs
Plants have equipment that is designed to execute EOPs, which is subject to design requirements as specified in SSR-2/1 (Rev. 1), Req. 19. This includes high-quality design as well as specific criteria, such as the single failure criterion.
For events that are still in the EOP domain but are beyond DBA/DBEE, i.e. DECs without significant fuel degradation, usually less stringent design requirements are specified (e.g. high quality commercial equipment rather than nuclear safety grade equipment), and generally the application of the single failure criterion is not requested.
Apart from fixed plant equipment, strategies may involve mobile / portable equipment, for which connection points must then be provided. The underlying thought is that the permanent equipment has been damaged (e.g. by a fire or a seismic event), so that the safety-related tasks can then be accomplished using the mobile / portable equipment. As an example, mobile equipment is provided in the US for Extended Loss of AC Power (ELAP) and Loss of Ultimate Heat Sink (LUHS) as the bounding scenarios. These strategies are referred to as the Diverse and Flexible Coping Strategies (FLEX). In Canada such equipment is called Emergency Mitigating Equipment (EME) and it is developed to mitigate extended loss of Class IV and III electric power. In France, the assembly of such equipment is called the 'hardened safety core' and mitigation is also brought forward by the Rapid Deployment Force (French acronym: FARN).
Plant specific guidelines provide instructions on how to deploy and connect the equipment to the plant.
The FLEX strategy usually consists of three levels: first, use whatever there is installed at the plant; second, use portable equipment stored on-site (in specially protected buildings); third, request off-site stored portable equipment. Although the FLEX equipment has primarily been developed to provide additional means of preventing beyond design basis accidents from progressing to severe accidents, it can also be used in the mitigative domain (i.e. for SAMG). The Canadian EME strategies have also been incorporated into SAMGs strategies. EME equipment is hooked on at the declaration of a severe accident, so it is ready for use should needed plant equipment fail.
Authorities and responsibilities
The ultimate decision making authority during the execution of EOPs should be clearly identified. Usually, this is the shift supervisor. He/she will consult the plant operators before making key decisions and may consult the Technical Support Centre (TSC), which consists of people with knowledge about complex events. Note: the principal role of the TSC is to provide recommendations to a pre-defined Decision Maker during the execution of SAMG; however, they are also available to provide technical advice to the shift supervisor while still in EOP domain. More is available in Module 4.
Verification and validation (V&V)
All EOPs should be verified and validated. Verification ensures that the EOPs are written correctly, are technically accurate, usable under accident conditions, and are operationally correct. Verification must be done prior to validation. Validation is the evaluation which determines that the actions specified in the procedures and guidelines can be followed by trained staff to manage emergency events, in other words usability. A more complete description of V&V is given in SRS-48 (sec. 3.5) and, revised, in SSG-54, paras 2.56-2.59 and 3.61-3.68.
V&V should be executed by a team that is different from the team which developed the EOPs. Peer review by other plants/ different experts is recommended.
Education and training
The EOPs are owned by and principally used by the licensed control room operators. Therefore, the licensed staff should be educated and trained in using EOPs, preferably using a full scope simulator. Training should encompass initial training and refresher training, with the latter being at appropriate regular intervals (for example, two years).
Maintenance programme
An EOP maintenance program should be implemented to provide a systematic way of maintaining the EOPs so that they are always as current, efficient and effective as possible. The plant engineering change control process should identify any changes in the plant hardware that might require the EOPs to be updated accounting for the new configuration. This includes any changes in the generic EOPs, if they were the basis for the plant-specific procedures.
Transition to SAMG
Although many EOPs specify alternative actions in case the intended actions fail, all assume that the actions, if executed properly, will be successful, i.e. they result in a final safe and stable state. Various severe accidents in the past have shown that this may not occur (i.e. the accident results in severe fuel damage); measures must then be taken to mitigate the consequences. These measures include protecting the plant staff and the public and fall within the area of severe accident management with the appropriate guidelines, the severe accident management guidelines (SAMG), which is the focus of the SAMG-D Toolkit. The Emergency Response Team, hence, changes its priority from efforts to achieve core cooling to protection of the remaining fission product barriers.
Hence, if an accident progresses to DEC with core melt, clear and concise criteria should be provided for transitioning from the EOPs to the SAMGs.
A detailed treatment of the transition from EOP to SAMG is given in Module 3, sec. 5.
Concluding remarks
The focus of the SAMG-D Toolkit is on the development and implementation of severe accident management guidelines (SAMG). However, SAMG is only a part of the whole family of procedures and guidelines which support the plant staff in handling complex events. This section provides only the main EOP-concepts on a high level and does not eliminate the need for thorough education and training for those working with EOPs or otherwise interested in the topic. Various IAEA and industry documents provide deeper insights. For EOP-development and implementation the IAEA SRS-48 is recommended, which provides detail on plant specific application.
Endnotes
1 From Westinghouse severe accident management [1].
2 Often, CSF-terminology has been used by EOP-vendors, such that there is one EOP for each CSF that is not fulfilled [2].
3 Many countries therefore consider the Safe Shutdown Earthquake (SSE) together with e.g. a LBLOCA, but other countries do not assume this on the basis of the low probability of the simultaneous occurrence of these two - in principle independent - events.
4 See SRS-48 sec. 3.1.3. Also observed in the Westinghouse Owners Group EOPs [2].
5 Canadian Regulatory Guide REG DOC 2.5.2, [3].
6 Where these exist – some plants use only symptom/state-based procedures (e.g., many BWRs).
7 Method of Siemens/Areva/Framatome, [4].
8 Method of the Westinghouse Owners Group, [5].
9 Method of the Westinghouse Owners Group [5], [6].
10 Approach by Combustion Engineering Owners Group [7].
11 Notably the CANDU Owners Group.
12 Most compiled from an article by R. Bastien et al., Westinghouse [2] and personal communication with the authors.
13 Source as footnotes 9, 10.
References
[1] 'Severe Accident Management Guidance; Overview of the Westinghouse Owners Group SAMG', presentation at the IAEA Regional Workshop on Accident Management, Kiev, Ukraine, 2001.
[2] J.P. Dekens, R. Bastien, S.R. Prokopovich, The Emergency Response Guidelines for the Westinghouse Pressurized Water Reactor, Proceedings of a Seminar on the Diagnosis of and Response to Abnormal Occurrences at Nuclear Power Plants, Dresden, Germany, 12- 15 June 1984, IAEA TECDOC 334, p. 291-304, 1985, https://inis.iaea.org/collection/NCLCollectionStore/_Public/16/075/16075175.pdf .
[3] Canadian Nuclear Safety Commission (CNSC), Regulatory Document REGDOC-2.5.2, 'Design of Reactor Facilities: Nuclear Power Plants', 2014-2020.
[4] G. Vayssier, 'EOPs – Approaches - Examples', slides 41-42 (provided by Areva), IAEA Expert Mission on Safety Analysis and Accident Management, Nucleoelectrica Argentina, 20-24 October 2009.
[5] Radim Hončarenko, 'Temelín Specific Emergency Operating Procedures - Severe Accident Prevention', Operational Safety Group, NPP Temelín, Workshop at SUJB, Prague, Czech Republic, 2003.
[6] Augustin Osusky, 'Experience gained in SB EOP development projects of Bohunice NPP', IAEA National Workshop on Symptom-based EOPs for PWRs, Moscow, Russian Federation, 15-19 May 2006.
[7] 'Severe Accident Guidelines Fort Calhoun', provided by Ray Schneider, Combustion Engineering Owners Group, to the EU project Severe Accident Management Implementation and Expertise (SAMIME), contract FI4S-CT98-0052, December 2000.