IR 05000010/1997025
| ML20202D083 | |
| Person / Time | |
|---|---|
| Site: | Dresden  |
| Issue date: | 11/26/1997 |
| From: | Leach M NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION III) |
| To: | |
| Shared Package | |
| ML20202D050 | List: |
| References | |
| 50-010-97-25, 50-10-97-25, 50-237-97-25, 50-249-97-25, NUDOCS 9712040140 | |
| Download: ML20202D083 (8) | |
Text
_.
- _ _
..
.
-. _
... - _ _
__
_
._ -_
_ __
Y
.-
.
U.S. NUCLEAR REGULATORY COMMISSION REGION lll Docket Nos:
50-10;50-237; 50-249 License Nos:
'
l Report Nos:
50-10/97025(DRS); 50-237/97025(DRS);
50-249/97025(DRS)
f Licensee:
Commonwealth Edison Facility:
Dresden Nuclear Station, Units 1,2 and 3
<
Location:
6500 N. Dresden Road Morris, IL 60450
'
Dates:
October 28 to October 31,1997 Inspector:
D. Roth, Resident inspector, Dresden Approved by:
M. Leach, Chief, Operator Licensing Branch Division of Reactor Safety
>
9712040140 971126 gDR ADOCK 030000go PDR
.
-
.
_-,_,7,.m-.
-, _
_-
-,iw
- - -,
,, --
-,.
-
. e
-
.
,
EXECUTIVE SUMMARY Dresden Generating Station, Units 1,2 & 3 NRC Inspection Reports 50-10/97025; 50-237/97025; 50-249/97025 This inspection included a review of the procedures and policies for maintaining examination security during development and administration of annuallicensed operator requalification and initial license applicant examinations.
e Overall, the procedural cont.ols and physical barriers to control examina' ion security were in compliance with the Nuclear Training Administrative Policy (NTAP). The control of the combinations O the examination room door and storage cabinet was not proceduralized, but the licensee kept the combinations on a need-to-know basis. The control of computer passwords was also not proceduralized. The licensee had accidentally.ransferred all instructors' passwords to the examination development computers, but did not compromise the examinations because of how the group-access to the files had been set up. Key control w&s not a concem because keys were riot used to control examination material (Section 05.1).
Training was provided to all operations training instructors on the NTAP, including
examination security. The training provided to the clerical staff and to the simulator support staff was not formally documented. The licensee indicated that the training was given at the time that the personnel were required to sign examination security forms.
The licensee stated that prior to the use of NTAP, the clerks were reouired to be instructed in examination security, and the licensee planned to consider formal documented training (bection 05.1).
The use of the NTAP reduced the level of proceduralized examination security
compared to earlier procedures because it eliminated training requirements for clerks and periodic changes to combinations and passwords. However, the NTAP requirements were sufficient to maintain examination security (Section 05.1).
- The licensee's verification of the effectiveness of corrective actions for the 1996 examination compromise was poor because no self-assessments of examination security were performed (Sedion 07.1).
-
-
.
.
.
-.
.
-..
- -.. -. -.
.. -
- -
. _ -
-
. - - -
.
.
1. Optrations
Operator Training and Qualification s.
Insoection Scoos (71001)
The inspector reviewed the administrative controls for examination security, root cause reports and investigations for examination-security related events, and discussed
!
examination security with plant staff. Documents reviewed included:
Nuclear Tracking System (NTS) Report Number 237123-96-00900, Rev. O, "NRC Initial Licensed Examination Compromised Due to insufficient barr ers Against Theft."
i Nuclear Training Administrative Policy (NTAP) Rev. 00.
Training Program Description (TPD)- 103, Rev. 00, " Licensed Operator Continuing Training Program Description."
Training Department instruction (TDI) 32, Rev. 02, " Licensed Operator Annual Requalification Examinations."
Dresden UFSAR section 13.2, " Training."
IMP 07, Rev. 00," Simulator Examination Security Cnecklist."
]
The inspector revbwed the measures taken to pros ide simulator security. The inspector reviewed the methods by which the simulator computer could be accessed and the
,
licensee's actions used to prevent the access. The inspector also discussed security measures with operator training staff and with simulator support staff.
b.
Observations and Findings Review of Past Problems On July 1,1996, the licensee discovered an unauthorized copy of part of an NRC
,
L operator licensing examination and the examination was canceled. This was documented in a Problem Identification Form (PlF). The root cause report number 237-r 123-96-00900 documented a number of steps for long-term corrective action. First, the licensee revised the procedure then in use, Training Dupartment instruction (TDI) 412,
" Examination Construction and Ar.alysis," to require (1) that NRC examination materials
,
are maintained in a controlled room with a unique locking device while not in possession I
of an authorized person, (2) that the examination materials are maintained in a lockable storage container with a unique locking device, (3) that positive controls are maintained over NRC examination material being developed in the simulator, and (4) that the combination for ths NRC Examination Preparation room and computer passwords be changed periodically and when personnel with knowledge of the combination are changed. Second, the licensee established a room designated for NRC examination
.
. _
_
. _
.
.
__
.
.
._
_
_
_
_
,
.
material preparation and storage such that "two separate and independent barriers are required to be breached before loss of examination material can occur." Last, the licensee planned to compare the planned Nuclear Operations Division wide training policy with TDI 412.
Current Examination Security Policy The licensee started the NOD procedure Nuclear Training Administrative Policy (NTAP)
Rev. 00 on April 30,1997 and deleted TDI 412. Sections 8.7. 8.8, and 8.9 of NTAP provided the requirements for examination security. The requirements included the use
,
of at least one barrier (e.g., a lock or a password) for all examinations, and use of two independent barriers for NRC-related examinations.
Following the NTAP, the licensee maintained an NRC Examination Preparation room, and had the room equipped with standalone, password-protected computers. The NRC ixamination Preparation room was locked with a combination lock, and the storage cabinet within the room was equipped with a combination lock.
The licensee did not use keys as part of its examination security because use of combination locks instead of keyed locks eliminated any problems with key control. In particular, the use of combinations precluded passing keys from one person to the next during off-normal working hours.
The inspector nsted that the NTAP did not address periodic changes to combinations on locks and passwords. The requirement had been deleted during the change from TDI 412 to NTAP. The licensee stated that the combination for the door is changed for each examination. No formal procedural controls existed goveming the control and distribution of combinations to the room or cabinet. At the time of the inspection, the combination to the NRC Examination Preparation room was known to two people, and the combination to the locking storage container within the NRC Examination Preparation room was known to three people. After the inspector identified to the licensee that there were no formal controls over the passwords and combinations, the licensee planned to develop procedural controls.
Licensee generated weekly quizzes were subject to less-strict security than the final examination. For example, the NTAP only required one barrier instead of two. These weekly quizzes are developed on the computers in each hstructor office-space, and the quiz development program required a password to use. The inspector observed that the i
licensee posted signs saying when an instructor was working on a quiz. The inspector i
noted that anyone with a pa: sword to the examination development software could find
!-
the weekly quiz of any other instructor from any other computer on the training department network. The inspector concluded that one barrier remained, as required by the NTAP, because students did not have passwords to the examination development software. However,if an instructor failed to log out of the examination development software, the NTAP would be violated because a barrier would no longer exist.
l
--
. _ - _ - -
_,
..
t
.
The training department operations instructors were given passwords to use the network-version of the software used for examination development. Students and operators were not issued passwords. Following discussions about password control with the inspector, the licensee determined that the passwords for examination development software access were inadvertently transferred to the NRC Examination Preparation room standalone computers. Examination security was not compromised, however, becsuse the software was set up with restricted access to NRC-related examinations. The licensee deleted the other passwords immediately upon discovery.
Simulator Security Section 8.9 of the NTAP goven ed simulator examination security and mandated the use of checklists. The simulator software engineer showed how the simulator computers were physically isolated from 16<3 local area network and how the symem was protected from aial-in access. Checklists IMP 07 was compared with the stated practice and found adequate. The inspector could not assess actual execution of the checklists because an NRC-related examination was not in progress.
Staff Training The inspector reviewed the training provided to the training staff on Dresden Administrative Procedure (DAP) 08-01, NTAP, and other training procedures. All operations training instructors were trained.
T he inspector noted that the clerical staff was not included in the training. Step 8.7.7 of the NTAP required that clerkd retain control of examinations during word processing and copying activities. The licensee informed the inspector that the clerks who were assigned examination responsibility had the security duties explained to them at the time.
,
I Similarly, the simulatoi support staff was not trained on the NTAP. Section 8.9 of the NTAP govemed simulator examination security The licensee informed the inspector i
that all simulator support staff was required to sign examination security forms during
!
actual examinations because the location of the simulator support staff offices gave the l
staff access to examination material. The licensee told the !nspector that the support
'
staff was all briefed about examination security before signing the examination security forms.
l c.
Conclusions Overall, the procedural controls and physical barriers to control examination security were sufficient to maintain examination security. Although some aspects of the program l
were not proceduralized this was offset by the licensee's informal controls, which j
minimized an individual's access to examination security combinations.
Training was provided to all operations training instructors on the NTAP, including examination security. The training provided to the clerical staff and to the simulator
. -
-
.-
.
---
-
.. _ -
_. -
- - -.
.-- - _ - -
-_ -
,
.
.
.
support staff was not formally doctanented.- The licensee said that the training was given at the time that the personnel were required to sign examination security forms.
The licensee stated that before the use of the NTAP, the clerks were required by TDI 412 to be instructed in examination security, and the licensee planned to consider formal documented training.
Quality Assurance in Operations 07.1 Self Assessments and Corrective Actions Effectiveness Review a.
insoection Scooe (71001)
The inspector reviewed the results of recent self-assessments :n training for examination securiti related events. The most-recently performed self-assessment was report number 37-251-97-04200, " Plant Certification Course Examination Practices and Documentation."
b.
Observations and Findings Report number 37-251-97-04200 did not discuss specific aspects of examination security, but it did state that the examination key was prt,perly marked; marking the examination key is a security requirement of the NTAP.
The inspector identified that no effectiveness review of the corrective actions associated with t'le examination compromise documented in Root Cause Report 237-123-96-00900 was done. Senior licensee management noted that an effectiveness review for an event such as the examination compromise should have been done. This was due to procedure changes in the corrective actions program and also to a risk level assignment for the original examination compromise of moderate!y low rather than a more appropriate moderately high risk.
The licensee stated that the current classification process, which uses the corporate-wide Nuclear Station Work Procedure, tvould have required an effectiveness review.
Following discussions with the inspector regarding the absena of a review of the corrective actions for the examination compromise, the licensee scheduled a review.
c.
Conclusions The inspector concluded that the licensee's verification of the effectiveness of corrective actions was poor.
07.2 Quality and Safety Assessment (Q&SA) Monitorina a.
Insoectiori ScQae (71001)
The inspector reviewed the results of the surveillances performed by the Quality and Safety Assessment (Q&SA) department, the field monitoring reports (FMRs) recorded
..
- -
.
.
.
--.
-
_
.
<
,
by individual Q&SA inspectors from the beginning of 1996 to the present, and training department Corrective Action Records (CARS).
b.
Observations and Findings The Q&SA department did not do any specific surveillance of security used in training and testing, and the documentation of training-related surveillances comploted do not include examination-security-specific comments. The inspector concluded that Q&SA did not do any specific examination security surveillance.
Field Monitoring Report number 12-97-03-0080 drumented the following examination security problem: On Me,rch 6,1997, an auditor w.ch the licensee's Independent Safety Engineering Group (ISEG) monitored part of the 1997 NRC annual requalification examination. The auditor found that contrary to Training Department Instruction (TDI)
520, "NRC Examination Security," the lead examiner had not signed t.ie examination security agreement. The auditor concluded that the error was a minor deficiency in proceoural adherence, and that it was not an actual examination security issue. The lead examiner was aware of the examination security responsibilities, and had previously signed a security agreement for that particular examination, but was not aware that training had decided to use new examination security forms for different aspects of the examination. The licensee also documented this in PlF number 1997-1660. The PIF was screened by management and the management concluded that the issue was of low significance, and assigned no corrective actions beyond what was already proceduralized to preclude recurrence.
The inspector reviewed CARS related to training and found no findings concerning examination security.
The inspector had the licensee do a search of PIFs for examination security-related events and the licensee found none other than the above mentioned PIF and the examination compromise PlF.
c.
Conclus%g The inspector concluded that the licensee's PlFs, field monitoring reports, and corrective action records documented only one examination security event (other than the 1998 compromise), and the event was of minor significance and no consequence.
V. Management Meetings X1 Exit Meeting Summary The inspector presented the inspection results to members of licensee management at the conclusion of the inspection on October 31,1997. The licensee acknowledged the findings presented.
l The inspector asked the licensee whether any materials examined during the inspection should be considered proprietary. No proprietary information was identified.
.
- -
.
-
- - - - -
-
-
- - -.
.-.
.
..
.
-
.
- =-
.
.
.
PARTIAL LIST OF PERSONS CONTACTED Licensee G. Abrel, NRC Coordinator i
H. Anagnostopoulos, Corrective Actions Supervisor S. Barrett, Operations Manager T. Eason, Operations Training Supervisor R. Freeman, Site Engineering Manager J. Heck, Operations Instructor M. Heffley, Station Manager R. Holbrook, Training Department Manager C. Richards, OSA Audit Supervisor W. Talbott, Simulator Support
' INSPECTION PROCEDURES USED 71001 Licensed Operator Requalification Program Evaluation ITEMS OPEN, CLOSED, AND DISCUSSED
,
None LIST OF ACRONYMS USED CAR Corrective Action Records DAP Dresden Administrative Procedure ISEG Independent Safety Engineering Group NOD Nuclear Operations Division NTAP Nuclear Training Administrative Policy NTS Nuclear Tracking Syste'm PIF
. Problem identification Form Q&SA Quality and Safety Assessment TDI Training Department instruction TPD Training Program Description UFSAR Updated Final Safety Analysis System s
!
e f'