
Level 2 – Abnormal Operation

Anticipated Operational Occurrences

Anticipated operational occurrences, AOOs, are conditions of normal operation that are expected to occur one or more times during the life of the nuclear power unit. They include, but are not limited to, loss of power to all recirculation pumps, tripping of the turbine generator set, isolation of the main condenser, and loss of all offsite power. AOOs are also known as Condition II and III events; they are not accidents.

Postulated accidents are unanticipated conditions of operation (i.e., not expected to occur during the life of the nuclear power unit). Postulated accidents are also known as Condition III or IV events.

Nuclear safety of anticipated operational occurrences constitutes the second level of defense. It incorporates inherent plant features, such as core stability and thermal inertia, and systems to control abnormal operation (anticipated operational occurrences), with an account of phenomena capable of causing further deterioration in the plant status. This includes automatic functions and control systems that can return the facility to its normal operating mode as soon as possible. The systems to mitigate the consequences of such operating occurrences are designed according to specific criteria (such as redundancy, layout, and qualification).

Level 2 - Control of abnormal operation

To demonstrate that the fundamental safety objective is achieved in the design of a nuclear power plant, a comprehensive safety assessment of the design must be carried out. In the case of anticipated operational occurrences, the objective of that assessment is to demonstrate that automatic functions and control systems can return the facility to its normal operating mode as soon as possible and that all barriers remain intact.

Current developments for ensuring the stable, safe and competitive operation of nuclear reactors are closely related to the advances being made in safety analysis. Deterministic safety analyses for anticipated operational occurrences, design basis accidents (DBAs), and beyond design basis accidents (BDBAs) are essential instruments for confirming the adequacy of safety provisions.

Plant States

[Figure: nuclear power plant states and accident conditions]



The term redundancy is the provision of alternative (identical or diverse) systems, structures, and components so that any redundant systems can perform the required function regardless of the state of operation or failure of the other. Redundant systems are of special importance in systems such as I&C, electric power supply, and emergency cooling.

The single failure criterion (see below), combined with the need to take one train out of service for maintenance or testing, leads to an n + 2 degree of redundancy, for example, 4 x 50% or 3 x 100% redundancy concepts, where n trains are sufficient to perform the function.

For example, the onsite electric power supplies, including the batteries, and the onsite electric distribution system, shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure. This is an illustration of redundancy and independence being required together with the single failure assumption.

Redundancy and Single Failure Criterion

A single failure means an occurrence that results in the loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered a single failure. Fluid and electric systems are considered to be designed against an assumed single failure if neither a single failure of any active component (assuming passive components function properly) nor a single failure of a passive component (assuming active components function properly) results in a loss of the capability of the system to perform its safety functions.


Diversity and Common-cause Failure

Functional diversity or diversity in component design is closely related to common-cause failure. Common cause failures (CCF) seriously threaten redundant system reliability. Design diversity has long been used to protect redundant systems against common-cause failures. That means using two or more independent and different methods for achieving the same result.

The design of equipment shall take due account of the potential for common cause failures of items important to safety, to determine how the concepts of diversity, redundancy, physical separation, and functional independence must be applied to achieve the necessary reliability.

For example, two independent reactivity control systems of different design principles shall be provided. One of the systems shall use control rods, preferably including a positive means for inserting the rods, and shall be capable of reliably controlling reactivity changes to assure that under conditions of normal operation, including anticipated operational occurrences, and with an appropriate margin for malfunctions such as stuck rods, specified acceptable fuel design limits are not exceeded. The second reactivity control system shall be capable of reliably controlling the rate of reactivity changes resulting from planned, normal power changes (including xenon burnout) to assure acceptable fuel design limits are not exceeded. One of the systems shall be capable of holding the reactor core subcritical under cold conditions.
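As an added worked example (not from the original page, and not plant data), the following Python models the two ideas above: the single failure criterion with one train out for maintenance, which yields the n + 2 configurations such as 4 x 50% and 3 x 100%, and a beta-factor common-cause model showing why adding identical trains stops improving reliability while a diverse pair does not share the CCF term. The train counts, the per-train unavailability q, and the beta factor are illustrative assumptions.

```python
"""Redundancy vs. common-cause failure: added illustrative example.

Not from the original page. Train counts, per-train unavailability (q)
and the beta factor are assumed values chosen for illustration only.
"""
from math import ceil, comb


def meets_single_failure(trains: int, capacity_pct: float,
                         required_pct: float = 100.0,
                         out_for_maintenance: int = 0) -> bool:
    """Single failure criterion: after removing the trains that are out for
    maintenance/testing and one further train for the postulated single
    failure, the remaining trains must still deliver the required capacity."""
    remaining = trains - out_for_maintenance - 1
    return remaining >= 0 and remaining * capacity_pct >= required_pct


def trains_required(capacity_pct: float, required_pct: float = 100.0,
                    out_for_maintenance: int = 1) -> int:
    """n trains deliver the function; +1 for the single failure, +1 per train
    allowed out for maintenance. With one train in maintenance this is n + 2."""
    n = ceil(required_pct / capacity_pct)
    return n + 1 + out_for_maintenance


def identical_trains_unavailability(n: int, k: int, q: float, beta: float) -> float:
    """Beta-factor CCF model for a k-out-of-n system of identical trains.

    A fraction beta of each train's unavailability q is a common-cause
    failure that takes out all n trains at once; the rest, (1 - beta) * q,
    is independent per train. The system is unavailable if the CCF occurs
    or if more than n - k trains fail independently.
    """
    q_ccf = beta * q
    q_ind = (1.0 - beta) * q
    p_too_many_independent = sum(
        comb(n, j) * q_ind ** j * (1.0 - q_ind) ** (n - j)
        for j in range(n - k + 1, n + 1)
    )
    return q_ccf + (1.0 - q_ccf) * p_too_many_independent


def diverse_pair_unavailability(q_a: float, q_b: float) -> float:
    """Two subsystems of different design, either of which suffices (1-of-2).
    Design diversity is modelled as removing the shared CCF term, so the
    two unavailabilities simply multiply."""
    return q_a * q_b


if __name__ == "__main__":
    # n + 2 configurations named on the page, plus a 2 x 100% case that fails
    for trains, cap in ((4, 50.0), (3, 100.0), (2, 100.0)):
        ok = meets_single_failure(trains, cap, out_for_maintenance=1)
        print(f"{trains} x {cap:.0f}%: single failure + 1 in maintenance -> {ok}")

    q, beta = 1e-2, 0.05  # assumed per-train unavailability and CCF fraction
    for n in (3, 4, 8):
        u = identical_trains_unavailability(n, 2, q, beta)
        print(f"2-of-{n} identical trains, beta={beta}: unavailability {u:.2e}")
    print(f"floor set by the CCF term alone: {beta * q:.2e}")
    print(f"1-of-2 identical, beta={beta}: "
          f"{identical_trains_unavailability(2, 1, q, beta):.2e}")
    print(f"1-of-2 diverse (no shared CCF): {diverse_pair_unavailability(q, q):.2e}")
```

With these assumed values every identical configuration, whether 2-of-3, 2-of-4 or 2-of-8, sits just above the CCF floor beta * q, while the diverse 1-of-2 pair is several times better than the identical 1-of-2 pair. The diverse-pair model ignores any residual common cause between different designs (shared support systems, shared location), which is why the requirements quoted on this page demand physical separation and functional independence in addition to diversity.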

Physical Separation

Separation, also referred to as physical separation, concerns separation by geometry (e.g., distance or orientation), barriers, or a combination of these. Separation is also used in the context of electrical isolation, functional independence, and independence of communication. Functional separation is commonly used in I&C, where the protection system shall be separated from control systems to the extent that failure of any single control system component leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited to assure that safety is not significantly impaired.

Separation, redundancy, physical barriers, and electrical isolation are design measures applied to address potential vulnerabilities related to a single failure of equipment and the propagation of failure effects.

Specific Safety Requirements; SSR-2/1 (Rev. 1) Requirement 21: Physical separation and independence of safety systems

“Interference between safety systems or redundant elements of a system shall be prevented by means such as physical separation, electrical isolation, functional independence and independence of communication (data transfer), as appropriate.”

Postulated Initiating Event

A postulated initiating event, or PIE, is defined as an “identified event that leads to anticipated operational occurrences or accident conditions and its consequential failure effect.”

For a given plant design, the postulated initiating events shall be identified on the basis of engineering judgment and a combination of deterministic and probabilistic assessments.

Postulated initiating events shall be identified and grouped based on their frequency of occurrence at the nuclear power plant. Therefore, there are two groups of PIEs:

  • Anticipated operational occurrences. Anticipated operational occurrences, AOOs, refer to the events that are categorized in Regulatory Guide 1.70 and in Regulatory Guide 1.206 as incidents of moderate frequency (i.e., events that are expected to occur several times during the plant’s lifetime) and infrequent events (i.e., events that may occur during the lifetime of the plant). In case of anticipated operational occurrences, the objective is to demonstrate that automatic functions and control systems can return the facility to its normal operating mode as soon as possible and that all barriers remain intact after the event. AOOs are also known as Condition II and III events, respectively, in the commonly used, oft-cited but unofficial American Nuclear Society (ANS) standards.
  • Postulated accidents (or design basis accidents). Postulated accidents are unanticipated conditions of operation (i.e., not expected to occur during the life of the nuclear power unit), but they cannot be excluded. Postulated accidents are also known as Condition III and IV events. A design basis accident is a postulated accident that a nuclear facility must be designed and built to withstand without losing the systems, structures, and components necessary to ensure public health and safety.

An analysis of the postulated initiating events for the plant shall be made to establish the preventive and protective measures necessary to ensure that the required safety functions will be performed.

Categorization of Postulated Initiating Events

AOOs and postulated accidents are also categorized according to type. The type of AOO or postulated accident is defined by its effect on the plant. For example, one type of AOO or postulated accident will cause the RCS to pressurize and possibly jeopardize RCS integrity. Another type will cause the RCS to depressurize and possibly jeopardize fuel cladding integrity. It is useful to categorize and organize analyses of AOOs and postulated accidents according to type so that analysts can compare them on common bases, effects, and safety limits. Such comparisons can help to identify limiting events and cases for detailed examination and eliminate nonlimiting cases from further consideration.

AOOs and design basis accidents can be grouped into the following seven types:

  • Increase in heat removal by the secondary system
    • e.g., inadvertent moderator cooldown (PWR and BWR – AOO)
    • e.g., steam line break event (PWR – DBA)
  • Decrease in heat removal by the secondary system
    • e.g., loss of normal feedwater (PWR – AOO)
    • e.g., reactor-turbine load mismatch, including loss of load and turbine trip (PWR and BWR – AOO)
  • Decrease in RCS flow rate
    • e.g., loss or interruption of core coolant flow, excluding reactor coolant pump locked rotor (PWR – AOO)
    • e.g., single reactor coolant pump locked rotor (PWR – DBA)
    • e.g., seizure of one recirculation pump (BWR – DBA)
  • Reactivity and power distribution anomalies (i.e., RIA)
    • e.g., control rod drop (PWR – AOO)
    • e.g., inadvertent chemical shim dilution (PWR – AOO)
    • e.g., ejection of a control rod assembly (PWR – DBA)
    • e.g., control rod drop accident (BWR – DBA)
  • Increase in reactor coolant inventory
    • e.g., inadvertent operation of emergency core cooling
  • Decrease in reactor coolant inventory
    • e.g., minor reactor coolant system (RCS) leak or loss of reactor coolant such as from a small ruptured pipe or a crack in a large pipe (PWR and BWR)
    • e.g., loss-of-coolant accident (LOCA – DBA)
  • Radioactive release from a subsystem or component

Safety analyses of these AOOs and postulated accidents can (and should) encompass a variety of cases, each designed to produce effects or results that challenge designated safety limits. For example, one case study of the turbine trip event is usually designed (by initial and boundary conditions) to yield a high peak RCS pressure, and another case study of the same AOO can be designed to yield a minimum thermal margin (low DNBR).

See NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition.

Acceptance Criteria for AOOs

A specific set of rules and acceptance criteria are applied to evaluate deterministic safety analyses. Acceptance criteria are used in deterministic safety analysis to assist in judging the acceptability of the results of the analysis as a demonstration of the safety of the nuclear power plant. Typically, these should focus on neutronic, thermohydraulic, radiological, thermomechanical, and structural aspects, which are often analyzed with different computational tools.

The following are the specific criteria necessary to meet the requirements of GDC for AOOs:

  • Pressure in the reactor coolant and main steam systems should be maintained below a specific value (usually below 110% of the design pressure).
  • Fuel cladding integrity shall be maintained by ensuring that the minimum departure from nucleate boiling ratio (DNBR) remains above the 95/95 DNBR limit for PWRs (a 95% probability at a 95% confidence level) and that the critical power ratio (CPR) remains above the minimum critical power ratio (MCPR) safety limit for BWRs. If the minimum DNBR or MCPR does not meet these limits, then the fuel is assumed to have failed.
  • According to the NUREG-0800 (Chapter 15) acceptance criteria, an AOO should not generate a postulated accident without other faults occurring independently, and should not result in a consequential loss of function of the RCS or reactor containment barriers.

By meeting these criteria, it can be demonstrated that automatic functions and control systems can return the facility to its normal operating mode as soon as possible, and it can be demonstrated that all barriers remained intact after the event.

Example: Partial Loss of Coolant Flow – PWR

A partial loss of coolant flow may be caused by a mechanical or electrical failure in a pump motor, a fault in the power supply to the pump motor, or a pump motor trip caused by such anomalies as over-current or phase imbalance. This postulated initiating event is also known as the “single main coolant pump trip.” Typically, the trip of 1 of 4 or 2 of 4 main coolant pumps (MCPs) is analyzed in the Safety Analysis Report. A sequential loss of forced flow and a complete loss of forced coolant flow are design basis accidents.

In case of partial loss of flow, the reduction of the primary flow leads to an imbalance between the heat produced by the fuel and the heat removed from the core, potentially exceeding core thermal limits. The thermal imbalance also leads to an overall pressure–temperature transient, typically resulting in short-term pressurization of both the primary and the secondary circuit. For all loss of forced coolant flow transients, the reactor must be tripped before the departure from nucleate boiling ratio falls under the safety analysis limit, and before the pressures (primary and secondary side) exceed their limits. Both must be demonstrated in the SAR.
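To make the acceptance criteria above and the trip-timing requirement concrete, here is an added Python example (not from the original page) that screens a transient trace against the two quantitative AOO criteria: peak RCS pressure below 110% of design pressure and minimum DNBR above the safety analysis limit. The two traces are constructed by hand to resemble a partial loss of forced flow with and without a reactor trip; they are not plant data, and the design pressure and DNBR limit are illustrative assumptions.

```python
"""Screening a transient trace against AOO acceptance criteria.

Added illustrative example, not from the original page. The traces below are
constructed by hand to resemble a partial loss of forced flow in a PWR; they
are not plant data, and the limits are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

Sample = Tuple[float, float, float]  # (time_s, rcs_pressure_mpa, min_dnbr)


@dataclass(frozen=True)
class Limits:
    design_pressure_mpa: float         # RCS design pressure (assumed value)
    dnbr_limit: float                  # 95/95 DNBR safety analysis limit (assumed)
    overpressure_factor: float = 1.10  # "below 110% of design pressure"

    @property
    def pressure_limit_mpa(self) -> float:
        return self.overpressure_factor * self.design_pressure_mpa


@dataclass(frozen=True)
class Result:
    peak_pressure_mpa: float
    t_peak_pressure: float
    min_dnbr: float
    t_min_dnbr: float
    pressure_ok: bool
    dnbr_ok: bool
    first_dnbr_violation_t: Optional[float]  # earliest time with DNBR < limit

    @property
    def accepted(self) -> bool:
        return self.pressure_ok and self.dnbr_ok


def check_aoo(trace: Sequence[Sample], limits: Limits) -> Result:
    """Apply the pressure and DNBR acceptance criteria to a whole transient.

    The limits must hold at every sample, so the check is on the peak
    pressure and the minimum DNBR over the trace. If DNBR crosses its
    limit, the first crossing time is reported: the reactor trip must
    have acted before that point for the analysis to be acceptable.
    """
    if not trace:
        raise ValueError("empty trace")
    t_peak, peak_p, _ = max(trace, key=lambda s: s[1])
    t_min, _, min_dnbr = min(trace, key=lambda s: s[2])
    violation = next((t for t, _, d in trace if d < limits.dnbr_limit), None)
    return Result(
        peak_pressure_mpa=peak_p,
        t_peak_pressure=t_peak,
        min_dnbr=min_dnbr,
        t_min_dnbr=t_min,
        pressure_ok=peak_p < limits.pressure_limit_mpa,
        dnbr_ok=violation is None,
        first_dnbr_violation_t=violation,
    )


PWR_LIMITS = Limits(design_pressure_mpa=17.2, dnbr_limit=1.30)  # assumed

# Constructed traces (not measured data). In the first the reactor trips at
# about 3.5 s and DNBR recovers; in the second the trip is assumed not to
# act, so the flow coastdown continues and DNBR keeps falling.
TRIP_TRACE: Sequence[Sample] = [
    (0.0, 15.5, 2.10), (1.0, 15.6, 1.95), (2.0, 15.9, 1.70),
    (3.0, 16.3, 1.48), (3.5, 16.5, 1.40), (4.0, 16.4, 1.45),
    (5.0, 16.0, 1.80), (6.0, 15.7, 2.20),
]
NO_TRIP_TRACE: Sequence[Sample] = [
    (0.0, 15.5, 2.10), (1.0, 15.6, 1.95), (2.0, 15.9, 1.70),
    (3.0, 16.3, 1.48), (4.0, 16.8, 1.28), (5.0, 17.3, 1.15),
    (6.0, 17.9, 1.05),
]

if __name__ == "__main__":
    for name, trace in (("trip", TRIP_TRACE), ("no trip", NO_TRIP_TRACE)):
        r = check_aoo(trace, PWR_LIMITS)
        print(f"{name}: peak P {r.peak_pressure_mpa} MPa "
              f"(limit {PWR_LIMITS.pressure_limit_mpa:.2f}) -> {r.pressure_ok}; "
              f"min DNBR {r.min_dnbr} at {r.t_min_dnbr} s -> {r.dnbr_ok}; "
              f"first DNBR violation at {r.first_dnbr_violation_t}; "
              f"accepted={r.accepted}")
```

The no-trip trace passes the pressure criterion but fails DNBR from 4.0 s onward, which is exactly the situation the text describes: the fuel is then assumed to have failed, so the reactor protection system must act before that time. The third, qualitative criterion (no consequential loss of an RCS or containment barrier) is not a numerical check on a trace and is left to the analyst.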

Key Safety Systems

Reactor Protection System

As noted above, the reactor must be tripped before the departure from nucleate boiling ratio falls under the safety analysis limit. The Reactor Protection System, RPS, provides this safety function. The RPS automatically initiates a rapid reactor shutdown (scram) by inserting control rods to preserve the integrity of the fuel cladding and the reactor coolant pressure boundary.

Over-pressure relief system and safety valves system

In a PWR, automatic spray valves regulate the pressurizer spray to provide overpressure control. If this is not sufficient, there is an overpressure relief system for the event that pressurizer pressure exceeds a certain maximum. A relief valve called the pilot-operated relief valve (PORV) on top of the pressurizer opens to allow steam from the steam bubble to leave the pressurizer, reducing the pressure in the pressurizer and thus in the whole system.

The pressurizer is also equipped with a safety valve system (“safety system”), which is also routed to the relief tank. The pressurizer safety valves are spring-loaded and self-actuating, with back pressure compensation. The safety valve system is used for emergency pressure reduction during emergency conditions.

Example: Control Rod Drop

A control rod drop event is one of the possible control rod malfunction events, and it belongs to the reactivity-initiated events usually described in Section 15.4 of the Safety Analysis Report (according to NUREG-0800).

As a consequence of any of these events, there is a distortion in the core power distribution with a potential reduction of DNBR. For a CR withdrawal, there is also a global reactor power increase, which is reduced later by the reactor power control. A potentially relevant safety aspect comes from the case when a rod drops into the core, and the control system is in automatic mode. If the dropped control rod does not actuate the reactor trip, then the reactor power may be reestablished by the control system. In this case, the rods will be moved out to compensate for the sudden power decrease. Before achieving a new equilibrium power, a transient overshoot on nuclear power can be expected, coincident with a significant distortion in radial power distribution caused by the dropped rod. High local peaking factors and an overshoot in power may violate the limits on fuel power density.

The magnitude of power deviation is primarily a function of the control rod worth, reactivity coefficients, and core characteristics. In this event, it must be shown that the fuel and the fuel-clad integrity are not challenged.

Nuclear and Reactor Physics:
  1. J. R. Lamarsh, Introduction to Nuclear Reactor Theory, 2nd ed., Addison-Wesley, Reading, MA (1983).
  2. J. R. Lamarsh, A. J. Baratta, Introduction to Nuclear Engineering, 3d ed., Prentice-Hall, 2001, ISBN: 0-201-82498-1.
  3. W. M. Stacey, Nuclear Reactor Physics, John Wiley & Sons, 2001, ISBN: 0-471-39127-1.
  4. Glasstone, Sesonske. Nuclear Reactor Engineering: Reactor Systems Engineering, Springer; 4th edition, 1994, ISBN: 978-0412985317
  5. W.S.C. Williams. Nuclear and Particle Physics. Clarendon Press; 1 edition, 1991, ISBN: 978-0198520467
  6. G. R. Keepin, Physics of Nuclear Kinetics. Addison-Wesley Pub. Co; 1st edition, 1965
  7. Robert Reed Burn, Introduction to Nuclear Reactor Operation, 1988.
  8. U.S. Department of Energy, Nuclear Physics and Reactor Theory. DOE Fundamentals Handbook, Volume 1 and 2. January 1993.

Nuclear Safety:

  1. IAEA Safety Standards, Safety of Nuclear Power Plants: Design, SSR-2/1 (Rev. 1). VIENNA, 2016.
  2. IAEA Safety Standards, Safety of Nuclear Power Plants: Commissioning and Operation, SSR-2/2 (Rev. 1). VIENNA, 2016.
  3. IAEA Safety Standards, Deterministic Safety Analysis for Nuclear Power Plants, SSG-2 (Rev. 1). VIENNA, 2019.
  4. IAEA TECDOC SERIES, Considerations on the Application of the IAEA Safety Requirements for the Design of Nuclear Power Plants, IAEA-TECDOC-1791. VIENNA, 2016.
  5. Safety Reports Series, Accident Analysis for Nuclear Power Plants with Pressurized Water Reactors. ISBN 92–0–110603–3. VIENNA, 2003.
  6. Appendix A to 10 CFR Part 50, “General Design Criteria for Nuclear Plants.”
  7. NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition.
  8. Nuclear Power Reactor Core Melt Accidents, Science and Technology Series. IRSN – Institute for Radiological Protection and Nuclear Safety. ISBN: 978-2-7598-1835-8
  9. ANSI ANS 51.1: Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants, 1983.
