IR 05000461/2009404
| ML11129A284 | |
| Person / Time | |
|---|---|
| Site: | Clinton  |
| Issue date: | 04/10/2009 |
| From: | Eric Duncan Plant Support Branch II |
| To: | Pardee C Exelon Generation Co, Exelon Nuclear |
| References | |
| FOIA/PA-2011-0187, EA-08-284 IR-09-404 | |
| Download: ML11129A284 (17) | |
Text
xl\ -
April 10, 2009 EA 08-284 Mr. Charles Senior Vice President, Exelon Generation Company, LLC President and Chief Nuclear Officer (CNO), Exelon Nuclear 4300 Winfield Road Warrenville IL 60555 SUBJECT: CLINTON POWER STATION NRC SUPPLEMENTAL INSPECTION REPORT 05000461/2009404(DRS)
Dear Mr. Pardee:
On February 26, 2009, the U.S. Nuclear Regulatory Commission (NRC) completed a supplemental inspection at your Clinton Power Station. The inspection examined activities conducted under your license as they relate to safety and compliance with the Commission's rules and regulations, and with the conditions of your license. The enclosed inspection report documents the inspection results, which were discussed at the exit meeting on February 26, 2009, with Mr. F. Kearney and other members of your staff. The NRC was informed of your readiness for the inspection on January 20, 2009.
As required by the NRC Reactor Oversight Process Action Matrix, this supplemental inspection was conducted to provide assurance that the root causes and contributing causes of the events resulting in a Greater than Green finding were understood, to independently assess the extent of condition and extent of cause, and to provide assurance that the corrective actions for significant performance issues were sufficient to address the root causes and contributing causes, and to prevent recurrence. The inspection consisted of plant walkdowns, a selected examination of representative records, and interviews with personnel.
Based on the results of this supplemental inspection, no findings of significance were identified.
In accordance with 10 CFR 2.390 of the NRC's "Rules of Practice," a copy of this letter will be
- made available electronically for public inspection in the NRC Public Document Room or from the NRC's document system (ADAMS), accessible from the NRC Web site at http://www.nrc.qov/readinq-rm/adams.html.
I Eocioslw contains Sensitive Unclassified 4o~p-,feVardnor an.tiVhenep.ated
/f~rol1/enclo ij e, this transhittdl document is
/dec~ntrolled. However, because of the security-related information contained in the enclosure, and in accordance with 10 CFR 2.390, a copy of this letter's enclosure will not be available for public inspection.
Sincerely, IRA/
Eric Duncan, Chief Plant Support Branch Division of Reactor Safety Docket No. 50-461 License No. NPF-62 Nonpublic
Enclosure:
Inspection Report 05000461/2009404(DRS)
w/Attachment: Supplement Information
REGION III==
Docket No. 50-461 License No. NPF-62 Report No: 05000461/2009404 Licensee:' Exelon Generation Company, LLC Facility: Clinton Power Station Location: Clinton, IL Dates: February 23 through February 26, 2009 Inspector: M. Martin, Physical Security Inspector Approved by: E. Duncan, Chief Plant Support Branch Division of Reactor Safety Enclosure N
j
SUMMARY OF FINDINGS
IR 05000461/20094P4(DRS); 02/23/2009 - 02/26/2009, Clinton Power Station; Supplemental
Inspection IPF,95001. * .
This report covered a 4-day period of supplemental inspection conducted by one Region III physical security inspector. No findings of significance were identified. The NRC's program for overseeing the safe operation of commercial nuclear power reactors is described in NUREG-1649, "Reactor Oversight Process."
A. Inspector-Identified and Self-Revealed Findings
Cornerstone: Security
The NRC staff performed this supplemental inspection in accordance with IP 95001,
"Inspection for One or Two White Inputs in a Strategic Performance Area," to assess the licensee's evaluation associated with the failure to control Safeguards Information (SGI)while unattended in July 2008. The NRC staffpreviously characterized this issue as having-!'ow to moderate security significance(White.)Js documented in NRC Inspection Report 05000461/2008403. During this supplemental inspection, the inspector determined that the licensee performed a comprehensive evaluation of the licensee-identified SGI issue. The licensee identified the primary root cause of the issue as Clinton Security failed to institutionalize site and fleet good practices concerning SGI controls, which resulted in a failure to control SGI while unattended. The licensee also identified that there was a failure to incorporate effective good practices into their procedure as well as failures to conduct self-assessments and refresher training. The licensee has conducted audits, training, and process improvements as correction.
Given the licensee's acceptable performance in addressing the SGI issue, the White finding associated with this issue will only be considered in assessing plant performance for a total of four quarters in accordance with the guidance in IMC 0305, "Operating Reactor Assessment Program." Inspectors will review the licensee's implementation of corrective actions during a future inspection.
No findings of significance were identified.
Licensee-Identified Violations
None.
REPORT DETAILS
INSPECTION SCOPE
The NRC staff performed this supplemental inspection in accordance with Inspection Procedure (IP) 95001 to assess the licensee's evaluation of a White finding, which affected the security cornerstone in the reactor safety strategic performance area. The inspection objectives were to:
- Provide assurance that the root causes and contributing causes of risk significant performance issues are understood;
- Provide assurance that the extent of condition and extent of cause of risk significant issues are identified; and
- Provide assurance that licensee corrective actions to risk-significant issues were or will be sufficient to address the root and contributing causes and to preclude repetition.
The Clinton Power Station (CPS) th entered theRegulatory---- Response
, s o se CColumn l m R oof NRC's Security Action Matrix in the 4 quarter of 2008 as a resuit of one inspection finding of low to moderate security significance (White). ýThe finding was in the Security Cornerstone for the failure to protect Safegua-ds Information (SGI) in accordance with 10 CFR 73.21 and 73.2 requirements. Inspection Report 05000461/2008403 documented one instance where the licensee failed to properly handle and store SGI material. Safeguards information had unknowingly been mixed with non-SGI and inadvertently removed from the Secondary Alarm Station (SAS), and taken out of the Protected Area (PA) to an office within the Owner-Controlled Area (OCA) where it remained unattended and unprotected for 5 days.
The licensee's staff informed the NRC by telephone on January 20, 2009, that they were ready for the supplemental inspection. In preparation for the inspection, the licensee performed a root cause evaluation (RCE), 796575-18, to identify weaknesses that existed in their organization, which allowed for a.risk-significant finding and, to determine' the organizational attributes that resulted in the White finding. The licensee also compiled a safety culture self-assessment report(SA, incorporated in their RCE.
The inspector reviewed the licensee's RCE in addition to other evaluations conducted in support of and as a result of the RCE. The inspector reviewed corrective actions that were taken or planned to address the identified causes. The inspector also held discussions with licensee personnel to ensure that the root and contributing causes and the contribution of safety culture components were understood and corrective actions taken or planned were appropriate to address the causes and preclude repetition.
_N\ý UýGRIYRLTDCO ý0
O IAL EQ Y- EC -RE A D F A ON EVALUATION OF INSPECTION REQUIREMENTS Problem Identification a. Determine whether the evaluation identified who (i.e., licensee, self-revealing, or NRC),and under what conditions the issue was identified.
For the instance where the licensee failed to protect SGI in accordance with 10 CFR 73.21 and 73.2 requirements, the licensee prepared a RCE.
The RCE concluded that on July 15, 2008, licensee personnel, specifically the Security Shift Supervisor (SSS), during a conversation with the Security Operations Supervisor (SOS) discovered the SGI document they were discussing (CPS Site Defensive Strategy) was not current, but was a previous revision. At this time the SSS realized the possibility that the current revision could have been inadvertently "mixed in" with the non-SGI "Read and Sign" paperwork submitted to the SOS for review on July 10, 2008.
Acting on this possibility, the SSS and the SOS immediately went to the SOS's office in the OCA portion of the gate house where they located the SGI documents on the SOS's desk, "mixed in" with the non-SGI "Read and Sign" paperwork. The SSS immediately took control of the SGI documents and determined all pages of the document were present.
The inspector concluded that that the licensee accurately identified who and under what circumstances the issue was identified.
b. Determine whether the evaluation documented how long the issue existed, and whether there were any prioropportunities for identification.
The ROE concluded that the condition existed for approximately 116.50 hours5.787037e-4 days <br />0.0139 hours <br />8.267196e-5 weeks <br />1.9025e-5 months <br /> (approximately 5 days). At approximately 1105 hours0.0128 days <br />0.307 hours <br />0.00183 weeks <br />4.204525e-4 months <br />, July 10, 2008, the SOS removed a set of five (5) "Read and Sign" documents (the bottom one being SGI) from the SAS and transported them out of the PA to the SOS's office within the OCA. At approximately 0745 hours0.00862 days <br />0.207 hours <br />0.00123 weeks <br />2.834725e-4 months <br />, July 15, 2008, the SOS and the SSS discovered the SGI material in the SOS's office within the OCA and took immediate control of the document.
This investigation revealed numerous missed opportunities that could have either prevented this event from occurring or would have minimized the significance of the event. Specifically, the RCE identified eight
- (8) missed opportunities:
- On June 5, 2009, the Security Force Training Lead generated and assembled the "Read and Sign" and failed to insure the SGI coversheet was the top sheet. The signature sheet was placed on top of the SGI cover sheet.
- The site specific coversheet within the Electronic Database Management System (EDMS) is not colored red (as per site expectation). Additionally, the expectation to print the coversheets in red is also not included in EDMS.
There were no unique markings for a SGI "Read and Sign" package to differentiate it from a non-SGI "Read and Sign" package.
Several security officers noted the SGI material in the "Read and Sign" package did not have a red cover sheet. No action was taken on these observations because: 1) the SGI was within a controlled area; and 2) red cover sheets were normally used for "loose" SGI.
Resulting from interviews it was determined that several members of the security force were not aware of the site expectation to utilize red cover sheets on SGI material.
- The site expectation to utilize red cover sheets on SGI is not documented in any site policy or security training.
- The SGI information remained in the "Read and Sign" configuration for approximately 10 days after the last signature was recorded on the signature sheet.
The inspector concluded that the licensee adequately documented the length of time each of the issues existed and all of the prior opportunities for identification.
c. Determine whether the licensee's RCE documented the plant specific risk consequences (as applicable)and compliance concerns associatedwith the issue.
The Root Cause Investigation concluded that the licensee failed to properly handle and store SGI in accordance with 10 CFR 73.21 and 73.2 requirements or with their Exelon fleet procedure which could have resulted in SGI being exploited.
The inspector concluded that the RCEs adequately documented the plant specific risk consequences and compliance concerns associated with the issue.
d. Findinqs No findings of significance were identified.
.2 Root Cause, Extent of Condition, and Extent of Cause Evaluation
a. Determine whether the licensee's RCE applied systematic methods in evaluating the issue in order to identify root causes and contributing causes.
In the RCEs, the licensee used the TapRoot process including Root Cause Tree for analysis as well as Event and Causal Factors charts and Barrier Analysis to arrive at its conclusions.
The licensee identified the root cause as Clinton Security failed to institutionalize site and fleet good practices concerning SGI controls.
The inspector concluded that the licensee's methods used to evaluate the root and contributing causes were adequate.
b. Determine whether the licensee's RCE was conducted to a level of detail commensurate with the significance of the problem.
In the RCE, the licensee identified one root cause and three contributing causes.
Based upon the work performed for the above root cause and contributing causes, the inspectors concluded that evaluations were conducted to a level of detail commensurate with the significance of the issues.
c. Determine whether the licensee's RCE included considerationof prioroccurrencesof the problem and knowledge of prior operatingexperience.
In the RCE, the licensee reviewed the results from searches of four sources: 1) Clinton Station Issue Condition Reporting System was checked and six related Incident Reports (IR) were located since 2001. Of the six, three were enhancement IRs and three were of low safety significance and dissimilar to the event in question; 2) The Exelon Fleet Hyperion System was queried with no time constraints and several issues were found related to aspects of SGI control. However, only one event NCS-301997-02/16/05, which occurred at Exelon Headquarters on February 16, 2005, was similar; 3) The Nuclear Event Reports (NER) were reviewed using keywords "NER" and "Safeguards" for all Exelon sites with no time period restraints and no additional SGI issues were identified; and 4) A keyword search was conducted in the INPO and Homeland Security operating experience web pages using the keywords, "Safeguards and event,"
"Safeguards and control," "Safeguards Information Event," "Safeguards and uncontrolled," "Safeguards and unsecured," and five SGI events were found. None of the SGI events had relevance to the root cause of this incident.
Based upon the considerations described in the analyses, the inspector concluded that the RCEs adequately included consideration of prior occurrences of the issues and knowledge of prior operating experience.
d. Determine whether the licensee's RCE addressed extent of condition and extent of cause of the problem.
In the RCE, the licensee determined the extent of condition for this event included control of all loose SGI at any location. The corrective action to prevent recurrence addressed the control of SGI in a security location such as a Security Alarm Station.
The remaining extent of condition would be the use of SGI outside of a security location.
Two conditions exist: 1) The largest threat in unsecured locations deals with Force-on-Force SGI drill scenarios. The SGI is carried by a drill controller during a potentially dynamic drill scenario. Typically, this SGI material is loose pages, stapled together; and 2) The second extent of condition is issuing SGI to any authorized individual with a "need to know" in order to accomplish a task.
The extent of cause for this event was the potential for declining process rigor in other security processes.
PE~El~0R~f~I
The inspector concluded that the licensee's analysis of each issue appropriately addressed the extent of condition and extent of cause of the problems.
e. Determine whether the licensee's RCE, extent of condition, and extent of cause appropriatelyconsideredthe safety culture components as described in IMC 0305.
The licensee addressed safety culture components as described in Inspection Manual Chapter 0305. The licensee concluded that: 1) The licensee failed to systematically collect, evaluate and communicate to affected internal stakeholders in a timely manner relevant internal and external OE. This was evident as discussions with other Exelon stations after the event identified several good practices that could have reduced the risk of the Clinton event; 2) The licensee failed to conduct self-assessments at appropriate frequency, depth, comprehensiveness and are objective and self-critical. This was evident as no self-assessment of the SGI process could be located within the past 7-years; 3) The licensee failed to ensure that a learning environment exists. This was evident that even though the licensee was in compliance with the SGI procedure and implemented fleet mandated good practices, the site failed to seek additional learnings of SGI process improvements that would have been indentified during fleet and industry benchmarking and self-assessments.
The licensee addressed safety culture components. The inspector reviewed the assessments and verified that the performance issues, the methodologies, and the results obtained, indicated a weakness in a portion of the safety culture component.
These weaknesses were identified by the licensee and adequate corrective actions had been enacted.
f. Findings
No findings of significance were identified.
.3 Corrective Actions
a. Determine whether the licensee specified appropriatecorrective actions for each root/contributingcause or that the licensee evaluated why no actions were necessary.
In the RCE, the licensee concluded that the root cause was that Clinton Security failed to institutionalize site and fleet good practices concerning SGI controls. This was aided by a false sense of confidence (complacency) from a lack of recent significant safeguards information events at Clinton Power Station. Additionally, three contributing causes were identified: 1) failure to query Exelon sites and to incorporate effective good practices into the governing Safeguards procedure (SY-AA-101-106); 2) failure of Clinton Security to conduct self-assessments and benchmarking on safeguards controls; and 3) failure to conduct periodic refresher training on SGI controls. The licensee established numerous corrective actions to address the root and contributing causes:
- SGI material must be in an approved binder/container;
" SGI "Read and Sign" information/training packets will be kept separate from non-SGI "read and sign" packets; O A XE-IAI)TION
" Require the use of a uniquely colored or marked SGI coversheet;
- Require the cover sheet (front and back) be the outer most page of a document containing SGI;
- Require use of a visual barrier stop sign on the interior door of areas containing SGI;
- Require peer check when departing areas containing SGI;
- Require single point of contact (accountable person) for any SGI that is not in an approved SGI container;
" Establish a chain of custody to indicate when the designated accountable persons responsibility has changed;
" Management Oversight on SGI Controls was added to the Department Human Performance Improvement Plan;
- Require periodic refresher training on SGI;
- Utilized additional barrier on SGI containers (safe dial covers);
- Developed a specific long range (4-year) focused area self-assessment schedule for SGI;
" Conduct a Management Model Review of Clinton Security; and
- Conduct management over sight (post checks) for all security personnel.
The inspector concluded that the corrective actions were appropriate to prevent recurrence of the problems based upon the established procedures and training programs. However, the inspector noted two observations. These are potential missed opportunities and although they are not required, these observations would increase the defense in depth at Clinton Station.
Observations
1. The Central Alarm Station and the SAS maintain SGI information for emergency and
routine daily use and no inventory is required. It was noted that both alarm stations conduct daily inventories of nearly every item in their work areas with the exception of the available SGI. In this particular incident, if the SGI had been inventoried on a daily basis, this event could have been detected within hours rather than days.
Or ,r " ,ý R "E E44~MTO
2. New or updated information is disseminated throughout the security organization routinely. It was noted there was no consistent tracking method in place at the time of this inspection to insure 100 percent of all personnel were receiving the information. A variety of means were being used, e.g., "Read and Sign" sheets, pre-shift briefings and individual post briefings.
b. Determine whether the licensee prioritizedthe corrective actions with considerationof the risk significance and regulatorycompliance.
In the RCE, the licensee prioritized corrective actions to insure short term and long term corrective actions were enacted appropriately. For example, cover sheets, binders, peer checks and initial awareness training were immediately established/conducted. With longer term corrective actions such as self assessments, Management Model Reviews, incorporation of best practices.into Exelon procedures.
The inspector concluded that corrective actions had been prioritized with consideration of the risk significance and regulatory compliance,.
c. Determine whether the licensee established a schedule for implementing and completing the corrective actions.
In the RCE, the licensee included the Corrective Actions to Prevent Recurrence timeline which outlined the corrective actions taken and the corrective actions that would be taken to avoid further violations to include specific completion dates.
The inspector concluded that the licensee has completed or firmly planned all corrective actions associated with the root causes and contributing causes.
d. Determine whether the licensee developed quantitative or qualitative measures of success for determining effectiveness of the corrective actions to prevent recurrence.
As part of the corrective actions associated with this issue, the licensee established an effectiveness review to be performed to monitor the site's progress in controlling SGI.
Specifically, the effectiveness review is an on-going review of the Condition Reporting System and the security log events to ensure that the procedures and process were working. The licensee planned to monitor periodically by means of surveying SGI qualified personnel, as well as station personnel, on the sensitivity knowledge of how to identify SGI and how to control it.
The inspector concluded that the licensee had established qualitative measures to validate the effectiveness of the corrective actions to prevent recurrence of the issues.
e. Determine whether the licensee planned or has taken corrective actions to adequately address the Notice of Violation (NOV) that was the basis of this supplemental inspection.
The NRC issued an NOV to the licensee on 20 January 2009. The licensee has taken adequate corrective actions to address the Notice of Violation.
FFI US LY- URIT -R AT F T N*
K F I L S Y- EC Y-R AT INF R*
OTHER ACTIVITIES
03.01 (Closed) Violation 05000461/2008403-01: Failure to Control Safeguards Information while Unattended V
'1 '1 A violation of~low to moderate security significance (White) of 10 CFR 73.21 and 73.2 requirements was identified during a review of the liense6's security event logs when the licensee failed to properly store SGI on two separate occasions.
Based on the RCEs and corrective actions discussed above, the inspectors concluded that the events resulting in the White'finding were understood, the extent of condition and extent of cause were identified,-end the corrective actions were sufficient to address the root causes and contributing causes, and to prevent recurrence. This violation is closed.
40A6 Exit Meeting
.1 Exit Meeting Summary
On February 26, 2009, the inspector presented the inspection results to Mr. F. A. Kearney and other members of his staff, who acknowledged the findings.
The inspector asked licensee if any of the material examined during the inspection should be considered proprietary. The licensee did not identify any proprietary information.
ATTACHMENT:
SUPPLEMENTAL INFORMATION
KEY POINTS OF CONTACT
Licensee
- F. Kearney, Site Vice President
- M. Kanavos, Plant Manager
- C. Williamson, Site Security Manager
- M. Hiter, Security Analyst
- S. Gackstetter, Regulatory Assurance Manager
- J. Waddell, Security Supervisor
Nuclear Requlatory Commission
- B. Kemker, Senior Resident Inspector
- D. Lords, Resident Inspector
LIST OF ITEMS OPENED, CLOSED, AND DISCUSSED
Opened
None
Closed
- 05000461/2008403-01 VIO Failure to Control Safeguards Information while Unattended
Discussed
None
6FFI ENCN-ý,fCfLE\LATEdi ION
1OFFICl 0 Y S URI - EL IN OR 0