This regulatory document is part of the CNSC's operating performance series of regulatory documents, which also covers the conduct of licensed activities. The full list of regulatory document series is included in the back of this document and can be found on the CNSC's Web site at nuclearsafety.gc.ca/regulatory-documents.
REGDOC-2.3.2, Accident Management, sets out the requirements and guidance of the Canadian Nuclear Safety Commission (CNSC) for the development, implementation and validation of accident management programs for reactor facilities.
Accident management is a commitment to the defence-in-depth approach and is an important component in the licensee's overall capabilities to ensure the risks from nuclear reactors remain low. Defence in depth is applied to all organizational, behavioural, and design-related safety and security activities to ensure they are subject to overlapping provisions. It is important for licensees to implement and maintain operational procedures, guidelines and adequate capabilities to deal with abnormal situations and accidents, including severe accidents. This regulatory document specifies safety principles, high-level requirements and supporting guidelines that allow licensees to develop, implement, and evaluate an integrated accident management program, which includes components that address severe accident management.
Key principles and elements used in developing this document are consistent with International Atomic Energy Agency (IAEA) safety principles, guides and reports, such as the following:
This document reflects lessons learned from the Fukushima nuclear event of March 2011, and addresses findings from the CNSC Fukushima Task Force Report. This document supersedes Regulatory Guide G-306, Severe Accident Management Programs for Nuclear Reactors, published in 2006.
Important note: Where referenced in a licence either directly or indirectly (such as through licensee-referenced documents), this document is part of the licensing basis for a regulated facility or activity. The licensing basis sets the boundary conditions for acceptable performance at a regulated facility or activity and establishes the basis for the CNSC's compliance program for that regulated facility or activity. Where this document is part of the licensing basis, the word "shall" is used to express a requirement, to be satisfied by the licensee or licence applicant. "Should" is used to express guidance or that which is advised. "May" is used to express an option or that which is advised or permissible within the limits of this regulatory document. "Can" is used to express possibility or capability. Nothing contained in this document is to be construed as relieving any licensee from any other pertinent requirements. It is the licensee's responsibility to identify and comply with all applicable regulations and licence conditions.
1.0 Introduction
1.1 Purpose
1.2 Scope
1.3 Relevant legislation
1.4 National and international documents
2.0 Accident Management and its Links with Emergency Preparedness and the Principle of Defence-In-Depth
3.0 Requirements for an Integrated Accident Management Program
3.1 Goals of accident management
3.2 General requirements
3.3 Equipment and instrumentation requirements
3.4 Requirements for procedures and guidelines
3.5 Requirements for human and organizational performance
4.0 Guidance for Developing an Integrated Accident Management Program
4.1 General considerations
4.2 Establishment of an integrated accident management program
4.2.1 Identification of challenges to reactor safety functions
4.2.2 Identification of reactor capabilities
4.2.3 Development of strategies and measures
4.2.4 Supporting analyses
4.2.5 Development of procedures and guidelines
4.3 Other considerations
4.3.1 Equipment provisions
4.3.2 Role of instrumentation
4.3.3 Organizational responsibilities
4.3.4 Communication interfaces
5.0 Guidance for Implementing an Integrated Accident Management Program
5.1 Integration of procedures, guidelines and arrangements
5.2 Verification of procedures and guidelines
5.3 Human and organizational performance
5.4 Training
6.0 Guidance for Validating an Integrated Accident Management Program
6.1 Review of integrated accident management program
6.2 Evaluation of systems and equipment
6.3 Assessment of resources
7.0 Guidance for Documentation of an Integrated Accident Management Program
List of Acronyms
Glossary
References
Appendix A
REGDOC-2.3.2, Accident Management, sets out the requirements and guidance of the Canadian Nuclear Safety Commission (CNSC) for the development, implementation and validation of integrated accident management programs (IAMPs) for reactor facilities.
IAMP refers to all arrangements needed to manage any accident affecting a reactor facility. It addresses accidents resulting from all kinds of initiators, originating from technical or human induced failures or natural or man-made hazards. Initiators affecting any part of the facility, in particular the reactors and spent fuel pools, including possible combinations of affected installations are considered. IAMPs also address all operating states, both in operation and shutdown. IAMPs make use of all available infrastructures, equipment, procedures and guidelines, and human and organizational resources.
This regulatory document stipulates regulatory requirements and supporting guidance for licensees to develop, implement and evaluate IAMPs for existing and new nuclear power plants, small reactors and their associated reactor facilities.
The IAMP shall be commensurate with the relative risk posed by the licensed activities of a reactor facility, which may be influenced by the reactor thermal power and available protective systems. For some reactors, it may be possible to show that certain elements of an IAMP are unnecessary or do not apply. It is the responsibility of an applicant or a licensee to demonstrate that accident management provisions are adequate to limit the risk posed by accidents, including severe accidents.
The document specifies IAMP requirements and guidance that are to be used to develop and validate necessary items such as emergency operating procedures (EOPs), severe accident management guidelines (SAMGs), and to demonstrate the licensees' capabilities to manage the anticipated operational occurrences (AOOs), design basis accidents (DBAs) and beyond-design-basis accidents (BDBAs), including severe accidents.
This document focuses on the accident management aspects and thus does not include requirements and guidance for emergency preparedness and response, as those are given in REGDOC-2.10.1, Nuclear Emergency Preparedness and Response [1].
Sections of the Nuclear Safety and Control Act (NSCA) and its regulations relevant to this document include:
REGDOC-2.3.2, Accident Management, represents the CNSC's adaptation of the principles and guidelines set forth in national and international documents, including the following:
A list of relevant Canadian reference documents is provided at the end of this document.
The fundamental premise underlying accident management is that the organization operating a nuclear reactor must be able to respond to any credible accident in order to:
To achieve the above goals, an integrated accident management program (IAMP) is put in place. An IAMP is a structured framework that comprises a cohesive set of plans and arrangements undertaken to ensure that, if an accident occurs:
Thus, accident management provides capability to respond to an accident within the reactor facility. It is important to recognize that accident management interfaces closely but is distinct from emergency preparedness, which provides emergency responses to mitigate the onsite and offsite impacts of an accident to workers and the public.
Both accident management and emergency preparedness form part of the defence-in-depth provisions. In particular, accident management contributes to the levels 3 and 4 of defence-in-depth, while emergency preparedness corresponds to level 5 of defence-in-depth. Defense-in-depth level 3 is associated with the control of an accident and rule based procedures are, in general, used. Level 4 of defense-in-depth refers to BDBAs including severe accidents where efforts are focused on managing the accident and operators may need to move beyond the use of rules based procedures to symptoms based guidelines/procedures with considerable judgment required.
Figure 1 illustrates links between the accident management, emergency preparedness and defence-in-depth. IAMP focuses on preventing an event that has already occurred from escalating and minimizing its radiological releases through use of various physical and procedural provisions. The specific provisions may vary depending on the accident (which may be a design basis accident or beyond design basis accident, including a severe accident). The emergency preparedness program (which is described in REGDOC-2.10.1 [1]) specifies how the nuclear facilities and organizations concerned are prepared for and plan to respond to an emergency including a nuclear or radiological emergency, both onsite and offsite, in order to protect workers and the public.
It is recognized that response to accidents of different severity would require different actions. Careful consideration of transition criteria is essential in ensuring a seamless activation of appropriate response.
Appendix A further illustrates various essential elements of an IAMP used to respond to AOO, DBA and BDBA.
Figure 1: An IAMP (REGDOC-2.3.2) and a nuclear emergency preparedness program (REGDOC-2.10.1) and how they relate to one another
Click on image to enlarge | Figure 1: Text Equivalent
This section specifies the requirements for an IAMP. The first subsection sets the goals of accident management. The second subsection gives the general or high-level requirements. Then, specific requirements covering various elements for an IAMP are grouped under the requirements for equipment, procedures, and organizational and human aspects.
In accordance with the NSCA and associated regulations, the overarching nuclear safety objective is to protect individuals, society, and the environment from harm by establishing and maintaining effective defences against radiological hazards and hazardous substances. When an accident occurs in a nuclear reactor facility, the above objective is achieved by fulfilling the following fundamental safety functions:
The specific goals of a comprehensive and effective IAMP are to:
To fulfill these high-level requirements, the licensee shall meet all the requirements specified in this section and consider the guidance given in sections 4, 5, 6, and 7.
In support of the development, implementation, and validation of an IAMP, licensees shall:
Licensees shall:
To satisfy the requirements specified in section 3 pertinent to development of an IAMP, the licensee should consider the following guidance.
A structured top-down approach (as illustrated in Appendix A) should be used for developing an IAMP. At the top level, the objectives of accident management should be defined according to the level of defence and associated goals that are given in section 3. Challenges to safety functions and physical barriers, together with the associated damage mechanisms and conditions, should be identified, which is referred to as identification of challenges. For each of the identified challenges, suitable and effective measures or provisions should be derived, described, and referenced or documented in procedures or guidelines, and used for training the personnel responsible for executing the measures for managing such an accident, should it occur.
The staff responsible for developing the IAMP should have a sufficient level of training and experience regarding accident management in a nuclear facility.
For setting out an IAMP, the following steps should be taken:
While following the above major steps for establishing an IAMP, the licensee should also consider the following important elements as described in section 4.3:
The development of an IAMP should consider postulated initiating events and accident sequences that could be caused by credible failures or malfunctions of SSCs, human errors, common-cause internal and external hazards, and combinations thereof.
Challenges that are not considered in the reactor design envelope, but could potentially threaten the integrity of the containment should be practically eliminated; that is, the existing process systems, safety and control systems, complementary design features, available SSCs, and procedural provisions should make the occurrence of these challenges practically impossible. For example, the installed rupture disks or relief valves that provide reliable and sufficient depressurization capability for a reactor core or vessel can eliminate the high-pressure corium ejection phenomenon and thus the possibility of direct containment heating by corium.
Among credible events, a selected set of accident sequences that can be used to represent the consequences of each group of accident sequences should be used to obtain insights into the behaviour of the accident and to identify challenges to reactor safety functions. This requires investigating how specific accidents will challenge safety functions and – if safety functions are lost and not restored in due time – how the accident progresses, how the fission product barriers are breached, how long it will take to reach each stage of the accident, and how severe each accident stage will be.
In the domain of beyond-design-basis accidents (BDBAs), insights into the response of the reactor to BDBAs, including severe accidents, should be obtained. A technical basis for SAM should document the understanding of severe accident phenomena and reactor-specific physical processes, such as core degradation, in-vessel core debris retention, ex-vessel corium spreading and coolability, molten fuel coolant interaction, molten core concrete interaction, and all known containment challenge mechanisms. The technical basis should also include severe accident phenomena in spent fuel bays and multi-unit distress. The technical basis should be updated as necessary to reflect the state-of-the-art knowledge and experimental data obtained from applicable severe accident research programs and lessons learned from the reactors that have experienced severe core damage. The updated knowledge and data should be used to evaluate the reactor ability to cope with accidents and to deduce suitable accident management strategies, provisions, procedures, and guidelines.
Reactor-specific beyond-design-basis initiating events, such as events triggered by extreme external hazards (e.g., earthquakes, flooding, and extreme weather conditions), should also be considered to increase the reactor coping capability. The aim is to ensure that a set of sufficient, supplementary onsite equipment and consumables (e.g., fuel and water inventories) are identified, obtained, protected and stored onsite or offsite. These can be used to maintain or restore the cooling of the core, the containment, and the spent fuel pool following a beyond-design-basis initiating event. After the consumables are used up, offsite resources should be obtained to sustain those cooling functions indefinitely.
Accident management should consider that some beyond-design-basis initiating events may result in similar challenges to all units on the site.
Challenges for severe accidents and beyond-design-basis initiating events may be identified using a targeted assessment of safety margins against a set of postulated extreme conditions that cause a consequential loss of safety functions leading to severe core damage. Such a reactor-specific "stress test" can be used to determine the time of autonomy of reactor-critical safety functions, any potential weak points, and any cliff-edge effects for a given set of the considered extreme situations. This type of exercise may be used to identify the potential for safety improvements and to provide input to the development of an IAMP.
Similar to identification of challenges, all reactor capabilities to fulfill the safety functions and to preserve fission product barriers during DBAs or BDBAs should be investigated in terms of capabilities of both SSCs and personnel. Reactor capabilities to cope with BDBAs by the available SSCs including the complementary design features should be identified, including the use of non-dedicated systems, external water sources, temporary connections (hoses, mobile or portable equipment), and offsite hardware and personnel resources. Considerations should also be given to whether failed systems can be restored to service. In addition, an assessment should be made of how operator actions are carried out to mitigate accident consequences.
Multiple diverse SAM measures should be provided for significant challenges to containment integrity. Consideration should be given to both the benefit and potential negative impact of using portable or supplementary equipment to cope with beyond–design-basis initiating events.
Relevant information including lessons learned from past nuclear accidents as well as data from experimental activities should be considered during the identification of reactor capabilities.
To ensure that the accident management objectives are achieved, a set of strategies for severe accident prevention and accident mitigation should be developed on the basis of the understanding of accident phenomena and reactor-specific accidents, as well as the considerations of the identified reactor challenges and capabilities.
Preventive strategies are needed to preserve safety functions that are important to prevent core damage such as maintaining core cooling and containment integrity. Mitigative strategies are needed to terminate the progression of core damage once it has started, minimize the radiological consequences, and achieve a long-term safe stable state.
Reactor damage states, such as damaged fuel, core uncovered and damaged, core debris uncovered leading to failure of the reactor vessel, and movement of the core debris outside the reactor vessel, should be identified based on the reactor parameters monitored and considered in the development of accident management strategies.
Suitable strategies that cover each reactor damage state should be developed and prioritized, taking into consideration the evolution of the accident (i.e., the time window for each reactor-specific damage state) and both positive and negative effects. The possibly large uncertainties in identifying such a time window should be taken into account.
For each of the strategies developed, all suitable measures or actions should be identified and evaluated, taking into account the effects of accident conditions on equipment, instrumentation, and the personnel who perform the actions. Effectiveness of the most suitable or preferable measures for each reactor damage state should be assessed and documented in detail.
The licensee should identify practical preventive and mitigation actions to achieve the accident management objectives. Generally, accident management actions should include:
To increase the reactor coping capability against beyond-design-basis initiating events, suitable strategies should be established; for example, use of the installed SSCs for the initial accident management phase, dedicated systems or supplementary equipment stored onsite or offsite for the transition phase during which the installed SSCs are incapacitated, and offsite equipment and resources to maintain or restore fuel and containment cooling functions indefinitely.
Safety analysis to support an IAMP can be largely based on the existing analysis (e.g., documented in safety reports or probabilistic safety assessment [PSA] documents). Additional analysis, if required, should be performed specifically to address accident management issues.
Safety analysis should be used to assist in developing an IAMP by:
Safety analysis performed to support SAM should use the best-estimate approach. Uncertainties in the analytical prediction of challenges to fission product barriers should be taken into account if the level of knowledge of important severe accident phenomena and physical processes is low and if the associated supporting experimental data are insufficient.
Necessary computational aids should be identified and developed to assist in the overall success of accident management activities performed by the response organization prior to an actual event. These computational aids are typically obtained using simplified assumptions and are often presented graphically.
The results of deterministic severe accident analysis should assist the licensee to:
For severe accidents, the results of PSA should assist the licensee to:
The credited human actions in preparation of the IAMP should be supported with adequate analyses. Considerations should be given to:
Procedures and guidelines to implement the strategies and measures for accident management should be developed and described in documents such as EOPs and SAMGs, or equivalent documents (see the requirements specified in section 3.4). If EOPs and SAMGs already exist, the IAMP can be built using these existing elements. Any new information on reactor site configuration, changes in hazards, and knowledge gained should be considered, and if appropriate procedures and guidelines should be updated accordingly.
The EOPs should contain a set of information, instructions and actions designed to prevent the escalation of an accident, mitigate its consequences and bring the reactor to a safe and stable state.
The SAMGs should contain a set of information, instructions and actions designed to mitigate the consequences of a severe accident according to the chosen strategies. Uncertainties may exist both in the reactor status and in the outcome of a selected action. Therefore, SAMGs should propose a range of possible actions and allow for additional evaluation and alternative actions. SAMGs should also address various positive and negative consequences of proposed actions, including the use of equipment, limitations of the equipment, cautions and benefits.
The procedures and guidelines should be verified and validated. This should include the usability of the procedures and guidelines (see section 5.2). Clear criteria for EOP to SAMG transition should be defined.
Adequate guidance should be provided in the design of the IAMP to ensure that its event and symptom-based EOP components, or equivalent, are appropriately coordinated among the responsible personnel and that the symptom-based approach is invoked when it is required.
Measures, including providing guidelines and training, should be defined to support staff decision-making for situations where an event has progressed to a stage for which procedures have not been defined.
EOPs and SAMGs should cover events with multi-unit damage, potential damage to the fuel in spent fuel pools, releases of radioactive materials and hydrogen into buildings adjacent to the containment, and run-off of contaminated water to the environment.
The time period that EOPs or SAMGs assume to initiate and complete required actions should reflect potential damage to the reactor. For example, a SAMG may specify a time period required to hook up alternative power and water sources. For external events, the extent of reactor damage and disturbances from outside or at the grid should be taken into account to prolong this time period. Having a diesel back on line may take a whole day or even longer, much more than the time that is assumed sufficient for an intact site area without large disturbances from outside.
For beyond-design-basis initiating events, the reactor may require supplementary equipment stored onsite or offsite and external support to mitigate the accident consequences. These necessary measures should be specified in guidelines for coping with these events.
Additional important elements that should be considered in the development of an IAMP include equipment and instrumentation, organizational responsibilities, and communication interfaces.
Reactors should be equipped with hardware provisions (which may include supplementary onsite and offsite equipment) to fulfill the fundamental safety functions (i.e., control of reactivity, removal of heat from the fuel, confinement of radioactive material) as far as reasonable for all accidents considered in the IAMP, including severe accidents. Dedicated systems and design features should be provided to practically eliminate some severe accident phenomena such as core melt at high pressures and hydrogen detonation. All complementary design features and available water sources for removal of decay heat from damaged reactor fuel should be identified in advance and put in place for managing severe accidents, particularly for maintaining the cooling of the core debris and the integrity of the containment.
Suitable analysis tools and methods should be used, in conjunction with the existing risk (e.g., based on the identified reactor challenges and capabilities), to aid in decision-making regarding equipment and instrumentation provisions or upgrades for accident management.
For the most serious BDBA challenges, such as an extended loss of heat sinks, buildup of a diverse and flexible mitigation capability should be considered. For example, portable or supplementary equipment can provide multiple means of obtaining power and water to support key safety functions for all reactors at a site.
BDBAs and severe accidents potentially create harsh environments with high temperature, high pressure, high radiation level, and high concentration of combustible gases. These environmental conditions, which could well exceed those of DBAs used for equipment qualification, present additional challenges to the equipment. The licensee should perform equipment survivability assessments to provide reasonable assurance that equipment used in SAM is available at the time it is called upon to perform.
Survivability of the equipment that could be used in SAM should be evaluated through a systematic review and assessment of equipment functions and conditions based on the available knowledge and data, such as from equipment environmental qualification for DBA, severe accident testing and analysis, and engineering judgment. The following steps should be taken:
The habitability of the facilities used in accident management (such as the main control room, the secondary control room, and the emergency support facilities, including an onsite technical support centre and on onsite emergency support centre) should be assessed and assured, taking into account the environmental conditions (e.g., radiological conditions and other conditions related to lighting, ventilation, temperature and communication) within and surrounding the facilities during an accident.
Adequate instrumentation should be available at each stage of an accident for the monitoring and diagnosis of reactor conditions and for assisting in accident evaluation, accident management decision-making, and action execution.
The reactor parameters used in each stage of accident management should be checked and evaluated for their reliability. The preferred method to obtain the necessary information is to use the instrumentation that is qualified for the expected environmental conditions. The effect of environmental conditions on the instrument reading should be estimated and taken into account to produce the procedures and guidelines. Any key instrumentation reading from a non-qualified instrument that is used to diagnose reactor conditions for SAM should have an alternate method, (possibly including computational aids) to verify the reading. Where the risks associated with faulty readings are high under local environmental conditions, consideration should be given to upgrading or replacing the instruments. For scenarios where the required parameters are missing or their measurements are unreliable, the need for development of computational aids to obtain information should be identified, and appropriate computational aids developed in advance.
The guidelines for equipment survivability specified in section 4.3.1 for severe accident conditions also apply to reactor instrumentation. A list of instrumentation for each stage of the severe accident should be established. Reasonable assurance should be provided that the instrumentation used to monitor severe accident progression and facilitate accident management actions is available. Harsh environmental conditions, including the effects of hydrogen burn within the containment on cables and electrical containment penetrations, should be also taken into account.
Given that during a severe accident the total information flow may be overwhelming and that some of the indications may be contradictory due to failed equipment and instrumentation, the licensee should consider using diagnostic and support tools to help with decision-making for accident management (e.g., computational aids as discussed in section 4.2.4).
An IAMP should clearly define and document the roles and responsibilities at each stage of an accident, including:
The duties of the "evaluators" are to assess the reactor conditions, identify potential actions, evaluate the potential impacts of these actions, and recommend actions to be taken. During the execution of EOPs, both the evaluators and implementers who carry out the approved actions may come from the main control room and field personnel.
For SAM, the technical advisory team at the technical support centre should perform evaluations and recommend recovery actions to the decision-making authority. The control room staff should provide input to the evaluations of the technical support centre on the basis of their knowledge of reactor equipment and instrumentation, and their other special skills from their training.
The technical support centre personnel should have a good understanding of the underlying severe accident phenomena and reactor-specific accident progression stages. They should have a detailed knowledge of the EOPs and the SAMGs. The team of the technical support centre should communicate extensively with the control room staff.
Lines of authority should be clearly defined at each stage of the accident. Where evaluation responsibilities and decision-making authority are transferred from the control room staff to the technical support centre and a higher level of authority, the transition should be made at some specific point in time that poses no additional risk to accident management.
Specifically, the licensee should establish clear roles and responsibilities of the following participants for each stage of an accident. The list includes, but is not limited to:
In consideration of beyond-design-basis initiating events, the minimum number of qualified personnel needed for managing the situation should be identified. The effects of extreme weather conditions, seismic events or events that are disruptive to society on the availability of skilled personnel should be considered. Contingency plans should be developed to identify substitutes that could perform the same tasks in case these skilled workers are unavailable. Suitable backups should be pre-defined for key roles in the accident management organization, including potentially the possibility to transfer authority in whole or in part.
During a severe accident, no single group is likely to have the complete information, knowledge, and skills required to manage the accident. It is therefore important to establish effective onsite communication interfaces among groups including the emergency response teams as specified in REGDOC-2.10.1, Nuclear Emergency Preparedness and Response. These interfaces will enable efficient integration of the information and expertise available within the operating and supporting organizations or from other involved authorities.
An effective communication interface between the operating organization and the provincial and other appropriate emergency organizations should clearly delineate responsibilities, and specify the scope and timing of the information and the support that the provincial emergency organization and other involved organizations will receive.
The possible loss of power should be considered in providing for communication, e.g., between the control room and the technical support centre (also see REGDOC-2.10.1).
The impact of beyond-design-basis initiating events on communication should be considered. Provisions should be made for reliable communication among different accident management and emergency response organizations, including extreme situations such as widespread onsite and offsite damage caused by severe weather conditions, flooding, earthquake, etc. Measures should be taken to ensure the effectiveness of the emergency communication systems, including regular practice in their use.
To satisfy the requirements specified in section 3 pertinent to the implementation of an IAMP, the licensee should consider the guidance given in this section.
Implementation of an IAMP should consider, but not be limited to:
Licensees should integrate the established procedures, guidelines, and arrangements including equipment and personnel resources to implement the reactor-specific IAMP.
EOP to SAMG transition and the associated issues including roles and responsibilities, equipment performance, and potential instrument errors under accident conditions should be identified and addressed. The implementation stage may identify necessary changes in certain aspects of the IAMP.
The onsite and offsite emergency response plans and procedures should be reviewed with respect to the accident management actions, to ensure that conflicts do not exist. Hardware arrangements, including temporary and supplementary equipment, should be checked for their operability and usability under accident conditions.
The purpose of verification of procedures and guidelines before they are used in an IAMP is to confirm their usability, technical accuracy, and completeness of scope. An assessment should be undertaken to confirm that operator actions that are specified in EOPs and SAMGs are possible, accounting for ease of access, possible radiation fields, presence of debris, fires or flooding, low light levels, use of personal protective equipment, and staffing levels.
Safe and reliable human and organizational performance is an essential part of IAMP. Such performance under emergency situations should be taken into account during the implementation of the IAMP to meet the expectations specified in regulatory guides G-276, Human Factors Engineering Program Plans [3], and G-323, Ensuring the Presence of Sufficient Qualified Staff at Class I Nuclear Facilities – Minimum Staff Complement [4]. Field operator performance and human-machine interface issues under hazardous environments and conditions should be identified and considered during the execution of SAMG actions. SAM may require sufficient qualified personnel that are not part of the normal minimum staff complement.
Sufficient verification and validation of all aspects of human and organizational performance, including EOPs and SAMGs, to execute all the identified accident management actions should be conducted to clearly demonstrate that they can be carried out by reactor personnel under all types of conditions covered by the IAMP.
The IAMP should incorporate measures to ensure that the personnel are ready to carry out the appropriate roles and responsibilities. For example, certain accident events may cause damage to the facilities (e.g., the technical support centre) and provisions should be made to ensure the habitability of the facilities or an alternative is available.
Improvement of the IAMP should be achieved through the consideration and incorporation of relevant results from well-supported research in human performance, including decision-making.
EOP implementation primarily involves the operations organization, with support from other organizations as needed. SAMG implementation has wider organizational implications, which require careful considerations in terms of roles and responsibilities, personnel qualification, and interfaces with the technical support centre and the emergency support centre (see section 4.3.3).
Appropriate arrangements should be identified for shift turnover and provision of food and other amenities for prolonged duty caused by beyond-design-basis initiating events.
Consideration should be given to the fact that reactor staff may be concerned about family and friends following a beyond-design-basis initiating event and may be under extremely high stress while executing accident management actions. For certain situations, it may be impossible to increase or replace staff for a given time. Measures should be taken to address all of these situations.
Appropriate levels of training should be provided to the operating personnel and responsible organizations to ensure their competency in using all instructions and actions specified in EOPs, and their knowledge of the information required to identify events and accidents that are beyond the design basis and of the guidelines specified in SAMGs.
The training programs should be commensurate with personnel's respective roles in accident management in accordance with REGDOC-2.2.2, Personnel Training [2], enabling them to:
The licensee should establish qualification, training, deployment, and staffing numbers for the various organizational groups involved in accident management.
Training programs should address the roles to be performed by the different groups, and include drills and exercises to enable assessment of the interactions between the various groups involved in IAMP. A set of drills should be developed to cover multi-unit events and external events.
The purpose of conducting regular drills and integrated exercises is to confirm and maintain that each of the essential elements related to procedures, equipment and personnel of the IAMP has a high degree of assurance of effectiveness, should an accident occur.
To the extent practicable, the licensee should use simulator training, because it provides a realistic and interactive environment and is an efficient method for enhancing human response in complex situations.
To satisfy the requirements specified in section 3 pertinent to validation of an IAMP, the licensee should consider the guidance given in this section.
The first step of validating an IAMP is to review the program to assess its completeness and adequacy. The review also gives an opportunity to identify specific areas in the IAMP that need improvement to enhance reactor capabilities to cope with an accident. The adequacy of the SSCs and human/materiel resources that are required to complete IAMP actions should be assessed.
To ensure the continued effectiveness of the IAMP, the licensee should have a procedural mechanism (see requirement 6 in section 3.2) by which its components are continuously reviewed to ensure that the technical basis remains sound and current, and that station staff can carry them out effectively. Where the review indicates that improvements are required, the IAMP should be revised promptly to incorporate those improvements.
Review of an IAMP before its implementation is intended to check its quality, consistency and completeness. Review of IAMP after its implementation is to evaluate its adequacy, effectiveness, and any needs for updating and strengthening. The review includes self-assessments and independent reviews.
It is necessary to review and evaluate the effectiveness of the IAMP periodically to ensure it reflects modern requirements, reflects lessons from drills and exercises, incorporates knowledge gained from any new information and experimental data, and includes any changes in personnel, reactor equipment and instrumentation conditions, and training needs. The review should cover all the aspects of the preparation, development, implementation, and documentation of the IAMP, including:
In addition, completeness of the provisions important for implementing an IAMP should be reviewed in relation to the basic safety principles and IAMP requirements specified in section 3. All the identified provisions should be reviewed to evaluate whether they exist and can be successfully implemented. The review should also identify if additional provisions are required to strengthen the ability of the reactor staff to manage an accident, including a severe accident, or evaluate if an absence of a provision leads to the weakness in defence in depth.
Reactor design capabilities for accident management, such as containment venting, hydrogen mitigation, and coolant make-up provisions should be identified and their effectiveness should be evaluated.
For all systems and equipment that are expected to perform in a way or under conditions that were not considered in their original design, the licensee should conduct an assessment of their potential availability, effectiveness, and limitations for use in support of an IAMP. Existing systems may warrant design enhancement if the assessment reveals that the potential consequences of severe accidents are such that the existing systems may not provide the desired preventive and mitigating capabilities.
Essential reactor monitoring features and instrumentation for diagnosing reactor state should be identified and verified for severe accident conditions, so that they function reliably and provide meaningful data.
The validation of an IAMP should also include an assessment of the adequacy and sufficiency of supplementary equipment and consumables (fuel and water inventories) used to maintain or restore nuclear fuel and containment cooling for coping with beyond-design-basis initiating events.
The licensee should perform an assessment to determine the availability of coolant, energy, and other materiel resources that may be required for the effective completion of accident management actions.
For procurement of external resources (e.g., equipment, power, water and personnel), the licensee should assess the adequacy of arrangements with other organizations to ensure availability, timing and access to these resources during accidents, with consideration of potential challenges posed by common cause and/or external events. These arrangements should be formalized and documented.
To satisfy the requirements specified in section 3 pertinent to documentation of an IAMP, the licensee should consider the following guidance.
All aspects of an IAMP should be described, typically by a suite of IAMP documents consisting of manuals, procedures, guidelines together with their technical basis and supporting safety analysis reports for justifications, explanations, verification and validation. There are also many other related documents such as description of the reactor physical protection, PSA studies, equipment and instrumentation survivability assessments, and reactor "stress test" reports as appropriate.
At a minimum, the licensee should provide the following documented information about an IAMP:
The technical basis documents provide technical information important to an IAMP. They can build on or provide a cross-reference to the existing technical descriptions. They should include, but not be limited to:
The illustration presented in this Appendix is not a mandatory part of this regulatory document and is provided for information only.
Figure 2: Key components and overlapping provisions of an integrated accident management program and emergency preparedness program
Click on image to enlarge | Figure 2: Text Equivalent
Facilities and activities within the nuclear sector in Canada are regulated by the Canadian Nuclear Safety Commission (CNSC). In addition to the Nuclear Safety and Control Act and associated regulations, there may also be requirements to comply with other regulatory instruments such as regulatory documents or standards.
Effective April 2013, the CNSC's catalogue of existing and planned regulatory documents has been organized under three key categories and twenty-five series, as set out below. Regulatory documents produced by the CNSC fall under one of the following series:
Note: The regulatory document series may be adjusted periodically by the CNSC. Each regulatory document series listed above may contain multiple regulatory documents. For the latest list of regulatory documents, visit the CNSC's Web site at nuclearsafety.gc.ca/regulatory-documents.
Table of Contents