IR 05000528/1989008

Insp Repts 50-528/89-08, 50-529/89-08 & 50-530/89-08 on 890313-17. No Violations or Deviations Noted. Major Areas Inspected: Licensee Emergency Operating Procedures, Per Temporary Instruction TI 2515/92
ML17304B157
Person / Time
Site: Palo Verde, Arizona Public Service
Issue date: 04/19/1989
From: Johnston G, Meadows T, Richards S
NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION V)
To:
Shared Package
ML17304B156 List:
References
50-528-89-08, 50-528-89-8, 50-529-89-08, 50-529-89-8, 50-530-89-08, 50-530-89-8, NUDOCS 8905150352


Text

U. S. NUCLEAR REGULATORY COMMISSION REGION V

Docket Numbers: 50-528, 50-529, 50-530

Inspection Report Number: 50-528/89-08, 50-529/89-08, 50-530/89-08

License Numbers: NPF-41, NPF-51, NPF-74

Licensee: Arizona Nuclear Power Project, P. O. Box 52034, Phoenix, Arizona 85072-2034

Facility Name: Palo Verde Nuclear Generating Station Units 1, 2, and

Inspection Conducted: March 13 - 17, 1989

Inspectors: G. Johnston, Operator Licensing Examiner; T. Meadows, Operator Licensing Examiner

Other Accompanying Personnel: L. Defferding, Battelle PNL; A. Sutthoff, SAIC; M. McWilliams, SAIC; S. Sun, Inspector, NRR; G. Lapinsky, Inspector, NRR

Approved By: S. Richards, Chief, Engineering Section

Summary:

Inspection on March 13, 1989 - March 17, 1989 (Report Nos. 50-528, 50-529, 50-530/89-08)

Areas Inspected:

A special team inspection of the Licensee Emergency Operating Procedures in accordance with Temporary Instruction TI 2515/92.

Results:

General Conclusions and Specific Findings:

The NRC inspection team concluded that the Palo Verde Emergency Operating Procedures (EOPs)

can be utilized by the facility operating staff to effectively manage and mitigate serious operational occurrences.

This conclusion stems from the observed use of the EOPs by operations personnel in simulator exercises and procedure walkthroughs in the plant.

However, the EOPs do present significant usage problems for the operating staff.

Principally those problems are human factors related and include:

inconsistencies in structure and format; an overly complex structure; ill defined, excessive, and buried transitions within the optimum and functional recovery procedures, after exiting the diagnostics; heavy reliance on operator judgement and discretion; and the lack of a defined philosophy of use.

These problems were recognized by the operators, who voiced their dissatisfaction with the quality and usability of the EOPs.

The licensee's procedure development program appears to be the chief cause of the procedural problems.

The problems with procedural development appear to be equally applicable to the Abnormal and Normal Operating Procedures.

The licensee must address the programmatic weaknesses of procedure development in order to preclude the repetition of similar problems.

The plant simulator did not fully replicate actual plant response in some scenarios, providing negative operator training.

Additionally, a poor professional relationship appears to prevail between the operations and training organizations.

These problems provide evidence that the programs for procedure generation, operator feedback, and operator training have not been well managed in the past.

Significant Safety Matters:

The team concluded that the licensee has not implemented a program to provide an approach that will generate revised EOP procedures that are an improvement over the present EOPs.

Summary of Violations:

There were no violations identified within the scope of this inspection.

Deviations:

There were no deviations identified within the scope of this inspection.

DETAILS

Persons Contacted

ANPP Personnel

" J. Haynes, Vice President Nuclear Production - ANPP
J. Kirby, Director, NPS
L. Papworth, Director, Quality Assurance/Quality Control
W. Fernow, Manager, Training
D. Gouge, Operations Manager, Unit 3
W. Marsh, Plant Director, Nuclear Production
L. Souza, Quality Assurance, Manager
J. Allen, Relief Plant Manager
• J. Tench, Acting Director, Plant Services
D. Willsey, Emergency Planning Supervisor
D. Craig, Supervisor, Licensed Training
" R. Badsgard, Supervisor, Engineering and Construction
" R. Younger, Manager, Standards and Control
R. Butler, Director, Standards and Technical Support
T. Shriver, Manager, Compliance
B. Quinn, Director, Nuclear Safety and Licensing
~ D. Stover, Manager, Nuclear Safety Department
~ R. Myers, Senior Advisor, Operations Standards
Gonsowski, Senior Nuclear Instructor, Training
• D. Heini ke, Plant Manager, Unit 2
" F. Buckingham, Operations Manager, Unit 2
" K. McCandless-Clark, Lead Compliance Engineer
J. Bailey, Assistant Plant Manager, Unit 3
F. Riedel, Supervisor, Operations, Unit 3
" W. Ide, Plant Manager, Unit 1
" D. Marks, Engineer, Nuclear Safety

NRC

G. Johnston, Team Leader, Operator Licensing Examiner, RV
T. Meadows, Operator Licensing Examiner, RV
T. Polich, Senior Resident Inspector, Palo Verde
D. Kirsch, Chief, Reactor Safety Branch, RV
L. Defferding, Battelle PNL
A. Sutthoff, SAIC
M. McWilliams, SAIC
G. Lapinsky, Inspector, NRR

" Attended exit meeting on March 17, 1989.

¹ Attended entrance meeting on March 13, 1989.

In addition, other members of the licensee staff were contacted during the course of the inspection.

Emergency Operating Procedure Desktop Review

The inspection team reviewed selected procedures prior to the site visit.

This review was conducted according to the guidance provided in Temporary Instruction 2515/92,

"Emergency Operating Procedures Team Inspections."

The procedures selected represented a majority of the Emergency Operating Procedures.

The EOPs were reviewed to ensure that the procedures were technically accurate and incorporated the guidelines of CEN-152, Revision 2.

The selection included portions of the following:

Site Proc.    TITLE
41EP-1ZZ01    Emergency Operations
41RO-1ZZ01    Reactor Trip
41RO-1ZZ02    Excessive Steam Demand
41RO-1ZZ03    Loss of Secondary Coolant
41RO-1ZZ04    Loss of Forced Circulation
41RO-1ZZ05    Loss of Feedwater
41RO-1ZZ06    S/G Tube Rupture
41RO-1ZZ07    Loss of Coolant Accident
41RO-1ZZ08    Small Loss of Coolant Accident
41RO-1ZZ09    Blackout
41RO-1ZZ10    Functional Recovery

The methodology of the review consisted of a comparison between the procedures and the Generic Technical Guideline (CEN-152) for the Combustion Engineering Owners Group (CEOG).

The comparison also used other references including, but not limited to the following:

The facility Procedure Generation Package.

The facility Writers Guide.

Generic Letter 82-33, NUREG-0737.

Information Notice IEN 86-64.

The procedures were also reviewed by NRC Contractors for specific Human Factors concerns associated with usability of the procedures.

The review checked that the entry/exit points were correct, that the transfer between the diagnostic procedures (41EP-1ZZ01) and the appropriate optimum and functional recovery procedures was well defined, and that minimum staffing was met.

Comparisons were made among selected procedures and the licensee's technical guideline document to ensure that safety significant deviations were reported to the NRC as required, that safety evaluations were performed per CFR 50.59, that deviations warranted by the specific plant design were incorporated, and that prioritization of accident mitigation strategies was correct.

The team determined that in general, the EOPs adequately incorporated the procedure guidelines of CEN-152, Revision 2.

To summarize:

+ The CEN-152 prioritization of accident safety function investigation hierarchy was maintained in the EOPs.

+ The values of the referenced safety features setpoints (e.g., SIAS, CSAS, CIAS) were consistent with the plant design values.

+ Entry/exit points to the Palo Verde EOPs from the diagnostic procedures (41EP-1ZZ01) were clearly stated and could be followed by trained reactor operators. However, as discussed later, once the diagnostics are exited, transitions within the EOPs were ill defined.

The team identified a number of technical concerns in the EOPs associated with deviations from CEN-152 without justification or supportive analysis:

a. Logic differences in the Notes of steps 1.2.2 and 1.4 of 41EP-1ZZ01, "Emergency Operations," call the operator's attention to implementing two optimal recovery operating procedures, while CEN-152 requires the implementation of functional recovery procedures when multiple events are diagnosed.

b. Two optimal recovery procedures (41RO-1ZZ03 and 41RO-1ZZ08) for the loss of secondary coolant and small loss of coolant accidents were added to the Palo Verde EOPs without supportive analysis to show the adequacy of step sequences and actuation setpoints for safety systems to mitigate the transients.

c. The success criteria on page 67 of 161 of 43RO-3ZZ10 are different from those in CEN-152 in that RCS pressure must be maintained within the acceptable operating range (subcooled between 200 and 28 °F) while the procedure only requires pressure to be less than 2350 psia and the RCS to be at least F subcooled.

d. Procedure 41EP-1ZZ01, "Emergency Operations," uses a cooldown rate of 100 °F per hour to avoid the problem of pressurized thermal shock (page 40 of 179). However, this is not consistent with the requirement of CEN-152, which requires the use of a 200 °F subcooled pressure and temperature curve. The procedure (page 48 of 179) also specifies 28 °F subcooled for the acceptance criteria of adequate core cooling for natural circulation and 60 °F subcooled (page 160 of 179) for harsh containment conditions. However, no documentation is available for the supporting analysis.

e. Inconsistent acceptance criteria exist between 41EP-1ZZ01, "Emergency Operations," and 43RO-1ZZ10, "Functional Recovery." Page 38 of 179 of procedure 41EP-1ZZ01 specifies 28 °F subcooling to support NPSH criteria for Reactor Coolant Pump operation. Page 53 of 161 of procedure 43RO-1ZZ10 provides various NPSH curves for various combinations of RCP operation. The team compared the required NPSH curve with the 28 °F subcooled margin curve and determined that use of the 28 °F subcooled margin curve to operate the two RCPs is only adequate for RCS temperatures greater than 550 °F. In that range, the RCS pressure is greater than the subcooled margin pressure-temperature curve for RCP operation.

Concerns, specific to individual procedures, are detailed in Appendix A.

3. Generic Procedure Problems

During the table top review, the team identified two general concerns.

The first has to do with significant inconsistencies in the Emergency Operating Procedures.

The inconsistencies were pervasive, in that every procedure reviewed exhibited, to some degree, the same types of inconsistencies.

These included the following:

+ Transitions between procedures are sometimes ill defined, including the lack of transitions to return to another procedure, which occurs frequently in the Appendices.

+ Action statements vary significantly in format, even on the same page.

+ Flowcharts vary with different formats, different type styles, and a lack of consistency with accepted standards (i.e. NUREG/CR-5228).

+ Structure and format of Appendices, both in the Functional Recovery Procedure, 41RO-1ZZ01, and the Standard Appendices in the Emergency Operations Procedure, 41EP-1ZZ01, vary considerably.

+ Information and guidance vary or were lacking for action steps requiring decision making.

+ The format of Abnormal Operating and Normal Operating procedures performed concurrently in support of the EOPs varies in structure from the EOPs.

Additionally, the procedures exhibited considerable complexity in format and structure.

These variances in format and structure complicate the process the operators have in implementing the steps in the procedures.

The factors that add to the complexity of the procedures include the following:

+ There are a large number of transitions to appendices that may be better suited to inclusion in the procedures.

+ The procedures have action steps that describe objectives but do not specify how to achieve them.

+ Variances occur frequently in acronym usage. One example is the usage of three different acronyms for Steam Generator on one page (i.e. S/G, SG, and S.G.).

+ The mixing of flowchart and text within procedures adds significant complexity.

+ Transitions exist within Caution statements and Notes. This presents the problem that a key transition could be missed.

+ Actions are embedded within Caution statements and Notes. This presents the problem that a key action may be missed because it was not clearly made an action step.

+ There are Caution statements and Notes within action steps in the procedures. This format minimizes the importance of the caution or note and could impact the performance of the procedure.

+ There is little guidance or information about place keeping in the procedures. The procedures have a structure that requires that, after a transitional step or procedure is complete, the operator return to the step following the transition. Placekeeping aids that are clearly defined are not provided.

The concerns associated with these items stem mostly from the problems they would present in the stressful environment that would exist if an actual event had occurred.

4. Procedure Walkdowns

Task 3 of Temporary Instruction 2515/92 involves a walkthrough of selected EOPs to determine that the EOPs can be successfully accomplished.

Primarily, the walkthroughs were to ensure that all of the referenced plant equipment were available to the operators.

The process also included verifications that the designators for instrumentation, controls, indicators, and annunciators were consistent between the procedures and the equipment tags.

The results of the walkthroughs confirmed that the issues associated with the tabletop reviews had merit.

The walkthroughs did not reveal any pressing technical weaknesses with the procedures; however, comments from the operators did indicate that some procedures were hard to accomplish due to transition steps and guidance that were not clear as to intent.

The discretionary nature of those steps also led to some confusion on the part of the operators as to what procedures to transition to.

Specific concerns identified during the procedure walkthroughs are detailed in Appendix A.

5. Simulator Exercise of EOPs

The inspectors assessed the adequacy of the EOP training by reviewing two areas.

The first dealt with observing an unrehearsed operating crew performing selected EOPs in the plant-specific simulator.

The second was to review the simulator scenario exercises that were used during training of operators to determine if they were adequate to exercise the procedures, required transitions between procedures, and included multiple equipment failures.

a. Simulator Scenarios

Two of the team's licensed operator examiners developed scenarios similar to those used during EOP training.

During the performance of these scenarios with unrehearsed operating crews, the entire NRC EOP inspection team had the opportunity to: observe the operators' performance to validate or dismiss any concerns that may have been raised during the table-top reviews of the EOPs; assess the licensee's operating philosophy (whether it differs from the CEOG guidance in CEN-152); assess the human factors elements (place keeping, assignment of duties, physical interference, etc.) associated with performance in a "real time" atmosphere; and observe how the operators diagnosed accident conditions and transitioned between procedures.

Two operating crews were observed; each crew included the auxiliary operators.

During the scenarios, when the procedure required an observation or operation in the plant, the auxiliary operator went to that location and simulated the operation in order to give a real time response.

Each scenario was allowed to run long enough to reach well into the procedure.

The following scenarios were run as exercises:

+ Steam Generator Tube Rupture

+ Small Break LOCA with a loss of HPSI

+ Blackout

+ Total Loss of Feedwater

The team made the following observations:

+ Even though the procedures contained numerous human factors problems and provide minimum guidance in some areas, the operators exhibited very good knowledge of the plant and were able to use the procedures to mitigate the events.

+ The lack of simulator fidelity in some areas (such as lack of QSPDS and subcooled margin monitor indication) forces the operators to obtain needed information by methods that may not be used in the plant. Also, the modeling for the steam generator during the total loss of feedwater scenario seems suspect. The pressure decreased too rapidly and the increase in water level with feed rates of 400-500 gpm seemed too slow. This lack of fidelity can develop negative training which could cause an operator to misjudge the plant response in an emergency.

+ During plant recovery in the blackout scenario, an operator was required to use five normal operating procedures and an equipment list while re-energizing a train of electrical busses. These normal procedures assumed startup from cold shutdown and included a number of additional steps that were not needed for re-energizing a bus that was recently lost and, therefore, took longer to complete (comment from an SRO). After the scenario, the reactor operator informed the examiners that the operators really needed one procedure to recover from the blackout.

+ There is no instrument that indicates the differential temperature between the hot leg and cold leg. The operators have to read two fairly coarse instruments and make a subtraction. This increases the error opportunity during an event where this information may be needed for acceptance criteria. The method of determining the delta T was not standardized across the spectrum of operators. The two most prevalent methods were to (1) take the highest delta T in one train of instruments, or (2) take the highest T-hot and subtract the lowest T-cold. Obviously this presents problems of continuity during an event and deserves attention by the training and operations organizations.

+ One operator made an error in reading the downcomer flowrate during the initial portion of establishing feed to the steam generator with the condensate pumps (this was during the total loss of feedwater scenario). He was corrected by the Control Room Supervisor.

+ Procedure 41RO-1ZZ08, "Small Break LOCA," step 5.2 instructs the operator to cycle pressurizer heaters as necessary. The operator stated that he could use more guidance in this step as to when to cycle the heaters.

+ Procedure 41RO-1ZZ08, "Small Break LOCA," step 10.1 of Appendix A indicates that a CRS directed action will occur. However, the CRS portion of the procedure does not provide for a directed action at that point in the procedures.

b. Review of Facility Training Scenarios and Lesson Plans

The simulator scenarios and lesson plans for those exercises were examined.

The lesson plans included objectives needed to evaluate the operators.

The scenario events were adequate to exercise the procedures, including the functional recovery.

Human Factors Evaluation

As a result of the evaluation of PVNGS EOPs, a list of specific human factors concerns was generated.

These concerns were identified during an initial desktop review of the EOPs prior to the on-site inspection and were corroborated through observation of simulator exercises, interviews with Palo Verde staff, and plant walkdowns.

Additional human factors concerns related specifically to plant walkdowns and simulator exercises are discussed in the sections of this report addressing those elements of the inspection.

The primary human factors deficiency identified in the Palo Verde EOPs is the overall complexity of the procedures.

This high level of complexity is caused by the interaction of a number of human factors concerns.

This results in procedures that can be difficult to use and understand, especially under highly stressful conditions, and that place an additional burden on the operator rather than support operator performance.

The major contributing factors to the complexity of the PVNGS EOPs are (a) the basic principles and philosophy of design and use; (b) problems with transitions; and (c) inconsistent and incorrect application of structural principles.

Additional factors contributing to the EOP deficiencies were identified in the overall EOP development program, training, and the physical aspects of EOP usability.

a. Philosophy of Procedure Design and Use

Emergency operating procedures are intended to direct operator actions necessary to mitigate the consequences of transients and accidents that have caused plant parameters to exceed reactor protection system setpoints, engineered safety feature setpoints, or other established limits.

Before development of high quality EOPs can begin, an EOP system design and philosophy of use must be defined by the licensee.

There are many acceptable ways to approach the design of EOP systems, and the special characteristics and preferences of any plant must be carefully considered.

However, the resultant EOPs must reflect the strategies of the plant's technical guidelines and must provide clear directions for operators to use.

The design and philosophy of use for EOPs at PVNGS have a number of inherent weaknesses that contribute to the many deficiencies identified.

These weaknesses are categorized as follows.

i. Heavy reliance on operator judgment/discretion

Because the emergency conditions under which EOPs are used can be highly stressful, it is important to design procedures that will serve to support operator performance at a time when decision making and memory may be degraded.

The PVNGS EOPs rely heavily on operator judgment and discretion.

Throughout the procedures, steps are qualified as "at the CRS discretion."

PVNGS staff reported that every attempt was made to avoid restricting the options open to operators in EOPs.

While the need for allowing experienced operators a number of options is realistic, the manner in which this approach has been taken at PVNGS has resulted in procedures that, in many cases, do not provide the operators with precise directions on what actions should be taken.

In many places throughout the EOPs steps merely indicate that the operator should judge what action to take.

Not only does this type of procedural step conflict with guidance on the purpose of EOPs, but it places a greater burden on the operator.

Reading steps that do not direct actions takes time and does not provide support to the operator in bringing the plant to a safe condition.

In addition, as a result of the dependence of operator judgment on which the procedures are based, simulator exercises became more a review of operator discretion rather than a review of the strengths and weaknesses of the procedures themselves.

ii. Heavy reliance based on a system of transitions to other procedures or parts of procedures

Operators should be provided with the information necessary to bring the plant to a safe condition within the EOPs.

In order to minimize the potential for error caused by movement within and between different EOPs, transitions should be avoided.

The EOP system design used by PVNGS relies heavily on frequent transitions to other procedures and other parts of the procedure in use.

This system increases, rather than decreases, the potential for error.

It reduces the usefulness of the procedures in supporting operator performance, and causes the procedures to be more difficult to use than necessary.

In many cases, transitions were required for only a limited amount of information.

PVNGS staff indicate that transitions were used when more than five steps from another source were required.

This transition threshold is far less than that used effectively at other plants, and leads to many more transitions than are useful to the operators.

Every effort should be made to provide the operator with the necessary instructions within the sequence of the procedure in effect, and to transition to other sources only when inclusion of the material would greatly increase the bulk of the procedure.

Other weaknesses in the use of transitions within PVNGS EOPs are detailed later in this section.

iii. Lack of a clearly defined and implemented philosophy of use

Although the EOPs depend heavily on operator judgment, no clear philosophy of use has been defined.

Therefore, great variation in the use of the procedures exists between individuals, between crews, and between units.

Operators reported different approaches to step sequencing requirements in the procedures, different methods of obtaining plant safety parameters, and different understanding of the content of some steps.

For example, during debriefing following simulator exercises, operators expressed such justification for their actions as "my limit is 35K" and "that was out of what I considered the normal operating band."

Operators have been forced to make their own determination about how to view plant conditions because of the lack of available guidance.


In a situation, such as at PVNGS, where EOPs do not specifically direct operator actions, the need for clearly defined methods of using the procedures is extremely high.

Without a clearly defined philosophy of use, training is less effective because operators will develop their own solutions to problems in using the procedures.

b. Transitions

Transitions are directives to the operator to move within and between procedures.

These steps may instruct the operator to concurrently use more than one procedure, or to completely exit the procedure being used and move into a different procedure.

An operator may also be required to reference tables, charts, appendices, or non-EOP procedures.

Movement within and between EOPs can be disruptive, confusing, and cause unnecessary delays and error.

Therefore, it is particularly important that transitions be minimized.

When transitions cannot be avoided, it is important that the transition directions to the operator be clearly and consistently presented.

NUREG-0899 states that when transitions are necessary, a method should be used that is quick and creates the least amount of disruption.

As mentioned in the previous section, the PVNGS EOPs are designed to rely on numerous transitions to other procedures and sections of procedures.

The transition directions were found to include the following types of problems.

i. Excessive number of transitions

All procedures reviewed contained numerous transitions.

Because of the need for operators to constantly refer back and forth between multiple procedures, the resulting potential for confusion and delay is high.

For example, 41RO-1ZZ01, Reactor Trip procedure, includes up to 26 explicit transitions AFTER verification that the operator is in the correct procedure.

Because many transitions observed in the simulator were based on operator knowledge, it is impossible to judge how many transitions are actually possible from the Reactor Trip procedure.

During the PVNGS Unit 3 trip on 3/3/89, 51 procedures and 20 binders of alarm response procedures were used or consulted.

The exact number of alarm response procedures used was not available, but the total number of procedures would have been 71 or greater.

Incident Investigation Report No. 2-1-89-001 states that the Operations Crew debriefing and self critique yielded the conclusion that a general operating procedure is needed to incorporate the actions of the numerous operating procedures that are entered following an unplanned reactor trip.

ICR No. 00511 was submitted to the PVNGS Plant Standards group addressing this issue.

During the inspection simulator exercises, an operator was required to use five different procedures to restore electrical busses during recovery from a blackout condition.

The operator called inspector attention to his difficulty in the use of multiple procedures.

During a recent trip in Unit 1, an operator skipped Step 5.2 of 41RO-1ZZ04, Loss of Forced Circulation, which required a transition into a general operating procedure.

The operator believed that this was an optional transition.

The numerous instances of references within the PVNGS EOPs may contribute to operator belief that some transitions are less critical than others, and may lead to additional errors of this type.

ii. Implied transitions

Throughout the procedures, transitions were implied or understood by the operators with no direct instructions.

In most cases, this was observed during execution of verification steps.

During simulator exercises, upon reading steps that required the operator to verify the status of a system, operators often referred to another procedure for supporting instructions.

Example:

43RO-3ZZ09, Blackout, page 5 of 68

Caution

Shutdown Margin must be met prior to allowing RCS temperature to drop below 510 degrees F. Boron cannot be added to the RCS during a blackout.

This caution includes an implied transition to Shutdown Margin (72ST-9RX01).

In this simulator, an operator was observed executing the transition by memory.

(Note: Not only does this caution contain an implied transition, but the caution incorrectly includes an action--the transition--and also fails to identify the potential hazard.)

Example:

43RO-3ZZ10, Functional Recovery Procedure, page 50 of 161

2.1.3.1 E. P. Standard Appendix J provides for a list of equipment and values for verifying proper SI activation, as time permits.

This step includes an implied transition to Standard Appendix J.

It is also worded in a passive, rather than directive manner, and includes a qualifier, or condition phrase, at the end of the step rather than before the affected action.

iii. Inconsistent structure of transition steps

Explicit transitions within the PVNGS EOPs were indicated through a wide variety of methods.

The PVNGS writer's handbook defines only the use of the term "Go to" for branching completely out of one procedure and into another, and does not define a term to be used for indicating concurrent references to other documents.

Example:

43RO-3ZZ02, Excessive Steam Demand, page 17 of

8.0 Direct secondary operator to perform secondary equipment shutdown checklist, per Standard Appendix G.

This step uses unnecessary detail and includes an embedded transition to Appendix G.

Correct structure would use a transition method approved by the writer's guide, and the primary action would be the transition itself, rather than the requirement to "direct" the action.

In addition, the transition would include the title, page, page number, and step number, to which the operator should move.

Example:

43RO-3ZZ09, Blackout, page 5 of 68

2.1 Direct STA to monitor RCS response to recovery actions referring to Standard Appendix BB.

This step is similar to the previous example and used yet another transition term that was not defined in the writer's guide.

iv.

Incomplete transitions Transition directions generally included only the relevant procedure number, with no name, page number or step number included.

In some cases, transition directions referred to a procedure or appendix by a descriptive name, rather than the exact titl v.

Placekeeping deficiencies When operators must execute transitions within and between procedures, it is particularly important that they be provided methods for keeping track of their place and for finding the procedures or sections of procedures to which they must transition.

The PVNGS EOPs provided placekeeping spaces only at high level steps within procedures.

In most cases, there are many substeps following high level steps and covering a number of pages.

After completing all substeps related to a high level step, the operator must turn back to the high level step to mark the placekeeping space.

This method not only lacks a system for keeping track of the operator's place within the substeps, but also adds another transition by requiring the operator to turn back several places to the high level step.

In addition, the procedure requires the operator to transition to many appendices attached to the EOPs and, yet, does not include the use of tabs or any other aid to help the operator quickly find the referenced section.

Examples:

43R0-3ZZ01, Reactor Trip, Step 3.0, is a high level step with related substeps beginning on page 5 of 30 and ending on page 9 of 30.

Step 5.0 of the same procedure includes substeps beginning on page 10 of 30 and ending on page

of 30.

43RO-3ZZ10, Functional Recovery Procedure, Step 5.0, includes substeps beginning on page 8 of 161 and ending on page 10 of 161.

Structure

Many performance variables can increase the potential for error during execution of emergency operating procedures.

To minimize the potential for error, it is important that information be presented to the operator in a straightforward, clear, and consistent manner.

EOP structure and format should, therefore, be clearly defined and consistently applied throughout the procedures.

In addition to making the procedures easier to understand, a consistent structure and format will increase the effectiveness of training.

When operators are trained to have common expectations about how the procedures look and are to be used, variations in operator performance will be minimized.

Therefore, consistency of structure and content in the EOPs is essential to both individual operator understanding of the actions required and conformity of performance across operating personnel.

The PVNGS EOPs contain numerous weaknesses in the area of procedure structure.

These weaknesses are categorized as follows.

i. Inconsistent and incorrect use of logic statements

When individuals are subjected to emotional or environmental stresses, such as those which may be present during the use of EOPs, difficulties may be experienced in a number of cognitive areas.

For example, information drawn from long term memory may be incomplete or inaccurate, short term memory capacity may be reduced, and the ability to accurately assess the importance of details may be degraded.

Any or all of these problems can lead to difficulty in decision making.

Logic statements are used in procedures to describe a set of conditions or a sequence of actions.

By their structure, logic statements indicate to operators that they must make a decision and, depending on the outcome of that decision, they must perform an action or sequence of actions.

Because decisions can be difficult to make during emergencies and yet are extremely important, it is critical that logic statements be clearly, consistently, and appropriately used.

In the PVNGS EOPs, a number of difficulties with the use of logic statements and logic terms were identified.

For example, logic statements were often embedded or layered in other logic statements, in transitions, or in cautions and notes.

Example:

43R0-3ZZ10, Functional Recovery Procedure, Page 63 of 161

4.1 In Manual Individual drive in CEA's which do not indicate fully inserted.

This step includes an embedded logic statement.

The qualifier phrase (which do not indicate fully inserted) should be presented as the conditional part of a logic statement beginning with "IF."

For example, "IF any CEAs do not indicate fully inserted, THEN..."

Example:

43R0-3ZZ10, Functional Recovery Procedure, page 10 of 161

5.2.3 ALARA concerns must be addressed if introduction of primary coolant with high activity level into the Auxiliary Building (shutdown cooling) is necessary.

This step contains an embedded logic statement.

In addition, it is passively worded and does not contain the criteria for determining whether shutdown is necessary.

43RO-3ZZ05, Loss of Feedwater, Page 20 of 48

9.1.3.3 If void size is greater than pressurizer level can compensate for, THEN SI flow should be established if RCP restart is to be attempted.

This step includes layered logic sequences.

It fails to quantify the void size mentioned in the first conditional sequence.

In addition, the criteria for attempting RCP restart is not included.

ii. Inconsistent and incorrect use of high level/substep structure

As described above, the consistent use of defined structure will add to the ease with which the operator is able to understand and use the procedure.

PVNGS EOPs use a system of high level steps and substeps.

High level steps should define a task.

The related substeps then describe the actions necessary to complete the task.

In the PVNGS EOPs, the high level/substep structure often does not convey this relationship.

High level steps are inconsistently structured.

In many cases they do not define a specific task.

Substeps often have no relation to the completion of the high level step task.

Example:

43R0-3ZZ05, Loss of Feedwater, page 5 of 48

2.0 INITIATE EMERGENCY CLASSIFICATION, EPIP-02 TO BEGIN CLASSIFICATION AND NOTIFICATION ACTIVITIES.

2.1 Direct STA to monitor RCS response to recovery action referring to Standard Appendix BB.

This substep has no direct relationship to accomplishment of the high level task.

Example:

43RO-3ZZ10, Functional Recovery Procedure, Page 39 of 161

3.9 Verify adequate emergency boration flow rate (GREATER THAN 40GPM) by evaluating the following:

3.9.1 CHN-FIC-210Y

3.9.2 CHB-FI-212

3.9.3 SI HPSI injection flow transmitters for injection path aligned

3.9.4 When using SI path and unable to verify > 40 gpm on installed instrumentation, direct RCS chemistry samples to ensure increasing boron concentrations.

Substeps 3.9.1, 3.9.2, and 3.9.3 are a list of items, rather than action steps necessary to accomplish the task described in 3.9.

Substep 3.9.4 is appropriately a substep to 3.9, however, it is a logic statement that is improperly formatted.

iii. Inconsistent and incorrect use of cautions and notes

Cautions are used to describe hazardous conditions that can cause injury or equipment damage and should describe the consequence of the hazard.

Notes are intended to provide supplemental information to the operator.

Neither cautions nor notes should contain directions to the operator.

Because of the critical nature of the information contained in cautions, it is particularly important that cautions be emphasized in a way that distinguishes them from notes.

Both cautions and notes should be located prior to the step or steps to which they apply.

In the PVNGS EOPs, cautions and notes are often found embedded in action steps.

Likewise, action steps are often included within cautions and notes, and the potential hazards related to cautions are seldom stated.

In addition, the location of cautions and notes is sometimes incorrect, following the step or steps to which they apply.

Example:

43R0-3ZZ02, Excessive Steam Demand, page 17 of

Caution If subcooling is lost or NPSH criteria is lost, stop all running RCP's.

This caution is actually an improperly structured conditional action statement or logic statement.

It should read:

IF subcooling is lost OR NPSH criteria is lost, THEN stop all running RCPs.

If potential damage to equipment or injury to personnel exists, then that hazard should be expressed in a caution preceding this conditional action step.

Example:

43R0-3ZZ02, Excessive Steam Demand, page 17 of 41

Note If RCP restart quenches the RVUH void such that the pressurizer empties, RCP operations may continue provided subcooling and NPSH criteria are met.

Otherwise stop RCP's and restore plant status per safety function criteria on the operator flow charts.

This note contains numerous problems.

First, both sentences are actually logic statements.

The first sentence contains two conditional sequences:

If RCP restart quenches the RVUH void such that the pressurizer empties, and, PROVIDED subcooling and NPSH criteria are met.

The second sentence is the contingency step to the first sentence.

It would correctly be "IF NOT."

Second, the note contains actions, including a nonspecific reference to "operator flow charts."

Third, the steps are not stated simply and directly.

Fourth, subcooling and NPSH criteria are not expressed quantitatively.

Fifth, the plural to RCP is punctuated incorrectly as a possessive.

Every one of these problems is in conflict with published guidance on the appropriate structure of EOPs.

iv. Inconsistent and incorrect flowchart structure

Flowchart format is extremely difficult to develop and implement properly.

Because of its heavy reliance on symbology, context, and structure to communicate information, the conversion of technical guidelines into EOPs with a flowchart format requires greater visual and editorial changes to the source material than does development of text format for EOPs.

Because each element of the structure and content is a flowchart interaction, every decision made about how to present the information impacts the rest of the flowchart, and this results in trade-offs of some type.

Because of this, the end product is far more sensitive to specific problems and oversights than might be anticipated by those experienced with developing EOPs in the text format.

Despite these problems, the need for consistent, clear presentation of information is just as critical in flowchart format EOPs as in text format EOPs.

The flowcharts used as part of the EOP system at PVNGS vary greatly in the style of presentation used, as well as the quality.

For example, direction of movement through the charts is inconsistent, type style and size varies, length of flowlines differs both within and between flowcharts, and orientation of the flowchart on the page varies from flowchart to flowchart.

These inconsistencies, as well as the low quality of the format of individual flowcharts, lead to flowcharts that can be difficult to use and understand--flowcharts that impede rather than support operator performance.

v. Vague and ambiguous vocabulary

In order to assure consistency of understanding and performance across operating personnel, the terminology used within the EOPs must hold the same meaning for all individuals using the procedures.

Use of clearly defined vocabulary and training on those terms are important for establishing this consistency.

NUREG-0899 states that vocabulary should be concrete and specific, and describe exactly what the operator is to do. It also indicates that licensees should avoid using words that are difficult to define precisely.

It is recommended that information should be expressed quantitatively, when possible.

Throughout the PVNGS EOPs, vocabulary is used that is vague, imprecise, and ambiguous.

Terms such as "slowly," "adequate," and "low" all hold the potential for different interpretations by different individuals.

Example:

43R0-3ZZ10, FRP, page 9 of 161

5.2.1 Ensure adequate water inventory available to support the change in plant conditions.

5.2.2 Ensure adequate electrical power available to support the change in plant conditions.

Example:

43R0-3ZZ06, Steam Generator Tube Rupture, page

of 75

1.1 The following conditions should exist.

SIAS

Pressurizer pressure LOW

Pressurizer level LOW

vi. Vague and ambiguous step structure

As with the need for clear and precise vocabulary, EOP steps must be clearly and consistently structured so that the actions required of the operator are easy to understand.

Both the PVNGS writer's handbook for EOPs and NUREG-0899 indicate that sentences should be short, simple, and include one idea per sentence.

In addition, it is important that directives to the operator be presented in imperative, or active mode, rather than in a passive manner.

Steps throughout the PVNGS EOPs were written in a complex manner, using multiple action verbs, unnecessary supplemental information, and inconsistent structure.

Example:

43R0-3ZZ10, Functional Recovery Procedure, Page 9 of 161

5.1.3.2 The short term stage places the plant into the required mode of operation.

This stage may include, implementation of 2 recovery procedures in a dual capacity situation; or make use of an abnormal operating procedure to effect a cooldown, or a special combination of procedures relative to plant conditions may be implemented.

The objective of this stage is a safe, controlled progression to cold shutdown.

This step is not worded as a direct action step.

It is long and complex, and is in the passive mode.

The step describes an objective to be achieved, rather than providing the operator with directions for accomplishing an action.

Example:

43R0-3ZZ10, Functional Recovery Procedure, page 36 of 161

3.0 Charging Pump emergency boration lineup from RWT or Spent Fuel Pool with BAMP's operable.

This step lacks an action verb.

It is numbered as if it were a high level step, however, it is not formatted as a high level step.

Example:

43R0-3ZZ10, Functional Recovery Procedure, page 36 of 161

3.1.1.2 Close/Check Closed PCV V036

This step includes two verbs in a format that is not described in the writer's guide.

Example:

43R0-3ZZ10, Functional Recovery Procedure, page 6 of 161

3.1.2 IF the selected supporting appendix does not adequately restore the safety function, THEN reassess the safety function and implement another support appendix as directed by the flowchart.

Flowcharts may be used concurrently with each other.

The CRS should not become detained or blocked within a flowchart.

This step is overly complex, containing obvious direction on the use of the flowcharts.

It also contains supplemental information more appropriately included in a related note.

Example:

43R0-3ZZ10, Functional Recovery Procedure, page 36 of 161

1.2.6 The Charging Pump discharge is not aligned to the RCS via SI.

This is not an action step.

vii. Level of detail concerns

NUREG-0899 indicates that EOPs should include the amount of detail necessary for a newly trained operator to be able to complete the required actions to mitigate a plant event.

Because procedures are intended to support operator performance in an emergency situation where cognitive processes may be degraded, it is important that the appropriate level of detail be included to help minimize overdependence on operator memory.

Conversely, the amount of detail included in the procedures should not be so extensive as to include the obvious, or actions that are extremely familiar to the operators.

Inclusion of excess detail will result in procedures that are overly bulky and difficult to use.

PVNGS EOPs reflect problems with both unnecessary detail and insufficient detail.

The great number of implied references are a reflection on the lack of detail in the procedures.

Operators should be able to find the information they need to execute actions within the EOP in use.

Likewise, obvious statements directing the CRS to "direct" other personnel to perform an action are unnecessary in action steps.

The examples provided in the previous section on vague step structure also include evidence of problems with the level of detail included in PVNGS EOPs.

Example:

41EP-1ZZ01, Emergency Operations, page 9 of 179

2.3.1.1 Correct as necessary.

Example:

41EP-1ZZ01, Emergency Operations, page 11 of 179

2.6.1 Take Steps to correct abnormality.

These examples provided insufficient detail.

They do not precisely direct the operator to perform actions.

Example:

43R0-3ZZ01, Reactor Trip, page 5 of 30

1.4 Provide the operators with their copies of the Recovery Operations Procedures, Primary Operator Appendix A, Secondary Operator Appendix B and instruct them to complete steps 1.0 through 3.0.

This example includes obvious and unnecessary information.

It increases the bulk of the procedure, rather than aiding operator performance.

Procedure Program Weaknesses

To ensure high quality EOPs, all elements of EOP programs must be adequately implemented.

Without solid basis documents, thorough verification and validation, and the ongoing support of management, even the best procedures will degrade over time.

Programs supporting the PVNGS EOPs include a number of weaknesses that have contributed to current deficiencies in the EOPs and have the potential for increasing deficiencies in the future if they are not corrected.

These problems are categorized as follows.

Writer's handbook inadequate to ensure consistent procedures over time

In order to prepare clear, consistent EOPs that will aid the operator and help minimize errors that can occur when operators execute procedures during emergency situations, a complete and clear writer's guide is necessary.

Lack of restrictive guidance in a writer's guide will lead to dependence on the procedure writer's preference and increasing variation in the procedures over time and personnel changes.

The resulting inconsistencies will reduce the quality and usability of the procedures and will reduce the effectiveness of training on the EOPs.

A number of inadequacies were identified in the PVNGS writer's handbook.

These deficiencies result in a writer's handbook that does not provide sufficient, nor adequately restrictive, guidance to ensure on-going production and revision of high quality procedures.

To illustrate, the EOP writer's handbook fails to address the detail of flowchart construction and format.

It states, on page 4 of 26, "The flowchart should be as simple as possible using standard logic symbols and a common direction for like answers."

However, "standard" logic symbols are not defined or illustrated.

The remainder of the guidance on flowchart construction is equally vague.

Resulting inconsistencies and inadequacies in the PVNGS flowcharts can be attributed to this lack of guidance.

Likewise, the guidance on transition methods addresses only the term "go to."

The section does not restrict use of this term, nor does it define other approved terms or describe instances in which other terms may be used.

Additional deficiencies in the PVNGS EOPs described in the section of this report addressing structure are in many cases at least partially attributed to inadequacies in the writer's handbook.

Due to the extensive use of other procedures in conjunction with the EOPs, guidance for their preparation and revision should also be included in the EOP program documents.

Because they are part of the EOP system, it is critical that format be consistent throughout these procedures and that the quality of the documents be controlled as strictly as that of the EOPs.

Lack of multi-disciplinary team approach

Appropriate staffing is extremely important to the development of good EOPs.

Because of the need for correct technical information within procedures, senior reactor operators often are given the task of writing procedures.

However, individuals so focused on the technical information and so familiar with the operation of the plant are not always able to objectively consider the human performance aspects of the procedures.

Technical writers can contribute expertise in a clear and concise writing style, but they lack expertise in the way human beings perform in a man-machine system.

Human factors personnel sometimes lack expertise in plant performance, but are able to integrate knowledge about human performance and information processing into procedures in ways that optimize usability and minimize human error.

Through the participation of staff with skills drawn from various disciplines, procedures can be developed that maximize reliability and safety through the consideration of capabilities and limitations of both the mechanical and human components of the system.

PVNGS EOPs reflected a lack of human factors and technical writing influence.

The resulting deficiencies as described in this report cause the procedures to be more difficult to use than necessary.

Thus, the procedures place an additional burden on the operator, rather than supporting his performance.

Appropriate staffing of the EOP revision program now in progress will greatly enhance the quality of PVNGS procedures.

No mechanism for tracking impact of design changes, technical specification changes, referenced procedure changes, etc., to EOPs.

Once emergency procedures have been implemented, it is essential that a mechanism be provided to ensure incorporation of any changes in system design, technical specifications, and referenced procedures.

Without such a system, even procedures that have been through a rigorous verification and validation program can quickly become outdated and incorrect.

The procedure development program at PVNGS currently lacks such a system, relying instead on the procedure developers' personal knowledge of operational changes and memory as to which procedures are impacted.

Although PVNGS has instituted the Instructional Change Request (ICR) system, which provides a means of identifying necessary revisions to procedures as problems are encountered in day to day use, this system does not provide for simultaneous incorporation of changes into all affected procedures and cannot be relied upon for this purpose.

An example of the type of problem incurred by not having a configuration control system is the discrepancy between Appendix J and Appendix L of 43R0-3ZZ10, Functional Recovery Procedure, in providing guidance for restoring steam generator levels.

Although the copy of Appendix J in the Unit 2 control room was altered to indicate a feed rate of 250 gallons per minute, Appendix I still reflected previous guidance of 150 gallons per minute.

PCN/ongoing revision process concerns

Once necessary changes to procedures have been identified, it is essential that revisions be made in a timely manner to ensure that operators are provided with technically accurate, up to date procedures.

Procedure changes should be easy to understand and read, and should enhance the correctness and usability of procedures.

Although PVNGS has a mechanism in place for notifying procedure users of interim changes--the Procedure Change Notice (PCN) system, there are no requirements specifying a maximum number of PCNs that may be accumulated before the procedures must be revised to incorporate these changes.

The problem of excessive transitions at PVNGS is increased by requiring operators to refer back to PCN forms at the beginning of each procedure for clarification of changes.

It should also be emphasized that making handwritten changes to the procedures is unacceptable, due to potential illegibility and lack of revision control.

Adequacy of current staffing to meet revision schedule

In conjunction with the finding that PVNGS procedure development program does not utilize an integrated team approach, the overall staffing level also appears inadequate to meet the revision schedule provided at the time of the inspection.

It was reported to the inspection team that currently the full time equivalent of 3 contracted procedure developers are dedicated to the revision project.

Given the extensive level of effort required for this project (potentially including many Abnormal and General Operating procedures), this staffing level appears inadequate to meet the schedule provided at the time of the inspection.

Training

Breach between training and operations

The training department plays a critical role in the development and implementation of emergency operating procedures.

Training staff are a useful source of information about procedure usability for development and ongoing revision processes.

In addition, it is the training on procedure use that ensures consistent performance in the mitigation of plant events.

Operator faith in the quality of their training increases the likelihood that they will have faith in and use the procedures.

A breach between the operations department and training department at PVNGS was commonly reported by PVNGS staff.

This breach appears to result from a number of issues, including those discussed in sections ii and iii.

A strong relationship between training and operations is particularly important in situations where the procedures have numerous deficiencies.

The PVNGS EOP program weaknesses are increased by this problem between training and operations.

Problems with simulator fidelity

Proper training in the use of emergency procedures is an integral factor in the effectiveness of operator response under emergency conditions.

However, at PVNGS, the value of operator training in use of the emergency procedures is significantly reduced by the lack of PVNGS simulator fidelity to the actual plant functions.

During interviews with operations and training staff, the problems associated with differentiating the observed response of systems in the simulator and the anticipated response of the actual systems in the plant were consistently reported.

This lack of simulator fidelity results in negative training effects that reduce the effectiveness of training and increase the potential for operator error.

One Shift Supervisor reported that it takes approximately 6 months of control room experience for new operators to become familiar with actual (vs. simulator) plant behavior.

The licensee is currently reviewing the problems with simulator fidelity and has an ongoing program to upgrade the facility.

Minimal site specific operations experience on training staff

In light of the problems with simulator fidelity at PVNGS, it is especially important that licensed operator instructors be sensitive to the differences between actual plant operations and the simulator.

This not only ensures that training is relevant but also enhances the credibility of the instructors.

In interviews with operators and instructors, it was reported that of the entire licensed training organization staff, only a few instructors have hot operational experience on the PVNGS units.

The operators expressed less confidence in the training staff because of their lack of direct knowledge of plant operations, and less faith in the overall quality of PVNGS training.

This situation increases the breach between training and operations.

In addition, it increases the likelihood that operators will depend on their own judgment and interpretation of procedural use rather than that defined in their training, thus reducing consistency of operator performance across crews and units.

The facility training staff indicated that there is consideration of a plan to rotate operations and training staff on a periodic basis.

Implementation of such a plan would be expected to result in instructors with enhanced plant specific operational knowledge, however, PVNGS should be sensitive to trade-offs associated with using operators with little training background as instructors.

Lack of AO training on EOPs

All operations staff who have responsibility for implementing emergency procedures should be provided with training appropriate to their duties and responsibilities.

Currently, no formal training is provided to Auxiliary Operators (AOs) in the use of emergency procedures or in carrying out duties under emergency conditions.

Based on an analysis of training needs conducted during the last revision to the AO training program, it was determined that AO duties did not differ between normal and emergency operating conditions, and, therefore, no additional knowledge or skills were necessary.

However, on procedure walkthroughs for reference in performing tasks directed by the control room, it was reported that AO hands-on use of EOPs is increasing.

In order to assure that AOs have a clear and consistent understanding of EOP structure and content, AOs should be provided training in EOP procedure use.

Also, PVNGS should reconsider the need for training AOs in performing duties within the context of the overall emergency condition.

Although tasks may not differ between normal and emergency situations, the conditions under which tasks are performed could differ greatly, with significant potential impact on AO performance.

f. Deficiencies in physical aspects of EOP usability

In addition to the need for EOPs to be technically accurate and structured in a manner that ensures ease of understanding and use, procedures must be physically easily accessible, usable, and readable.

At PVNGS, several deficiencies were identified relative to the physical condition of the EOPs.

They are categorized as follows.

Problems with physical organization of procedures and appendices

Operators must be afforded quick and easy access to the procedures and supporting appendices required to perform their specific functions.

Organization of procedure packages should reflect functional use and be presented in such a way that operators will have easy access to all parts of the procedures.

In addition, procedures should be bound in some manner to assure that pages will not inadvertently be disordered or misplaced.

In the Unit 2 control room, the inspectors observed that procedures and supporting appendices intended for distribution to the primary and secondary operators were all stapled together.

Distribution of appendices to the ROs then requires that the CRS tear the appendices from the main body of the procedure.

Each appendix as distributed is then a collection of loose sheets of paper, increasing the possibility of misordering or misplacing pages.

Separating the documents in such a manner also poses a risk that pages may be torn, obscuring information such as page numbers.

Extremely poor quality of reproduction, especially tables and graphs

Poor legibility can lead to delays in operator actions due to the need to consult additional information sources, or to operator error when marginally legible information is misread.

At PVNGS, the inspection team observed a number of procedures for which the reproduction quality of the control room procedure working copy was unsatisfactory.

Some procedure copies appeared to be of multiple generation and evidenced significant degradation.

Operators also reported that some of the figures that were duplicated from the procedures and placed on the control board for reference were unreadable.

The inspection team met with the facility representatives denoted in paragraph 1 on March 17, 1989.

The team leader summarized the findings of the inspection placing particular emphasis on the future efforts of the licensee to produce new Emergency Operating Procedures.

The team leader stated that the performance of the operating crews during the simulator exercises, and of individual operators during procedure walkthroughs, provided confidence that the operators could effectively use the procedures.

The team leader went on to emphasize that the procedures, as they are now constituted, do present significant problems for the operators.

The problems include: an overly complex structure; inconsistencies that present subtle and obvious points of confusion; plus procedural transitions that can lead to a proliferation of procedures in use during an emergency.

The team leader stated that the procedures did not present any serious technical issues that conflict with CEN-152 Rev. 2.

The technical issues that were identified were passed on to the licensee's staff, and are detailed in this report.

The team leader emphasized that the future effort of revising the EOPs must avoid producing procedures that contain the same inadequacies as the current EOPs.

The need to use a multi-disciplinary approach is paramount to the authorship of good procedures.

Further, the lack of effort on the part of the licensee to address previously identified concerns in the EOPs does not give the NRC confidence that the revision process in place now will produce a better product.

The current effort on the revision of EOPs must address this concern.


Appendix A

Findings of Specific Concerns Associated With Palo Verde EOPs Table-Top Review:

The concerns identified during the table-top review are technical or specific in nature and could not be categorized as generic problems.

The concerns include the following:

+

Appendices for 41EP-1ZZ01 and 41RO-1ZZ01 both lack titles and the enumeration of the Appendices is similar, thereby leading to possible confusion.

+

The terms "Subcooled" and "Subcooling" are used without a definition or acceptance criteria that indicates just what is required.

There is only a single Note informing the operators of the effect harsh containment environment has on instrumentation accuracy.

This is particularly critical with instrumentation associated with the QSPDS display such as Subcooling Margin.

The Shift Technical Advisor would have to cue the operators that the conditions in the containment (if the temperature is high) require using a different value for RCS Subcooling.

The Recovery Operations procedures do not specify acceptable ranges of measured values for verifications.

This leaves an interpretational problem for the operators in determining whether plant conditions are truly acceptable.

Verification steps will ask for information with no specific value specified.

An example is "Pressurizer level LOW". The lack of definition of what the term LOW means leaves considerable discretion to the operators.

Curves and tables don't show ranges of acceptable operation.

Again, this leaves considerable interpretation to the operators.

Appendix E, page 48 of 179 of 41EP-1ZZ01 "Emergency Operations", the table has no title, and is wrongly referenced in the body of the procedure.

The Safety Function Status Check done in 41RO-1ZZ10 "Functional Recovery" Appendix A has a prioritization different than that in CEN-152 Rev. 2.

Reactivity Control is after Vital Auxiliaries.

This item needs clarification by the licensee.

Procedure 41EP-1ZZ01 "Emergency Operations" has no entry conditions, scope, or objective, in accordance with NUREG-089

+

Step 1.3 of 41RO-1ZZ06 uses an IF - THEN logic step with embedded multiple transitions.

This implies multiple meanings when an AND - OR logic is then used in a following related statement.

This presents four possible logic paths which could lead to confusion.

+

Appendix D in 41RO-1ZZ10 step 1.1.2 has the Operators place the Charging Pumps in Pull-to-Lock to facilitate aligning the Charging Pumps discharge to a Safety Injection flowpath.

It, subsequently, does not indicate that they should then place the pumps in Run.

Standard Appendix E of 41EP-1ZZ01 is used for Natural Circulation Verification but the balance of the procedure is principally used for void reduction.

The title should reflect this.

"LOCA" procedure 43RO-3ZZ07:

- Step 1.1 has no notation of Quench Tank indication as is in CEN-152 Rev.

- Step 6.2.3 has no criteria for stabilized RCS temperature, pressure, or Pressurizer level.

- Step 7.1, for confirmation of adequate core cooling if Natural Circulation is not verifiable, has no notation for Pressurizer level or Steam Generator availability as is described in CEN-152 Rev. 2.

- Step 23.2 indicates that CESSAR 6.3.3.4 provides that a RCS pressure of 538 psia corresponds to a level in the outlet plenum of 73%.

Discussion with plant personnel revealed that the two numbers are the minimum conditions that would have to be met prior to aligning the RCS for Shutdown Cooling, but are not necessarily mutually comparable and therefore RCS pressure should not be used to verify level in the outlet plenum.

+

43RD-3ZZ02 "Excessive Steam Demand"

- The note before Step 4.1.3.1 is a reference and should be formatted as a reference.

- Step 4.2.3.3 The NOTE here is an action step.

The Stop Valves referred to in the note are the same valves referred to as Feed Valves in the Caution below the note.

Equipment or controls should be referred to consistently by the same name.

The step tells the operator to "slowly restore S/G level and stabilize RCS temperature."

The procedure should give the operator a clue about flow rate which can be expected to raise the S/G level.

This is especially true if the level is below 0 on the Wide Range level instrument, since if the operator chooses a flowrate that is less than the boil off rate, the level could be decreasing and the operator may not be able to measure this.

The procedure can suggest a feedrate and then direct the operator to observe the cooldown rate and rate of increase in the steam generator and adjust the rate as required to prevent overcooling but still see an increase in steam generator level.

Standard Appendix J "Verification of SIAS":

- Step 4.3.1 has three items of concern.

First the NOTE refers to the reset criteria listed in Step 7.

The reset criteria is actually listed in Step 6.

Second, the NOTE implies that the operator should check the reset criteria in Step 6 before he verifies the actions, but there is no real action step to do this.

Thirdly, there are some very minor portions of the SIAS system that show up on the check sheet before the very important pumps, such as check the bathroom exhaust fan before you check the Essential Water, HPSI, and LPSI pumps.

The licensee should review their check lists for safety system acquisition to identify the most important items and move them to the top of the lists.

Then order the remainder of the items to a smooth flow around the control boards.

+

43RO-3ZZ02 "Loss of Secondary Coolant":

- Step 3.3.2 of the CRS actions states that if both S/G's are faulted declare the S/G with the worst parameters the faulty S/G per Step 3.3 and proceed to Step 4.0.

There is no further guidance on cooling down the reactor using a faulted S/G.

There probably should be special guidance on feed rates because normal feed rates to a faulted S/G that is being used for cooldown may cause an excessive cooldown rate, depending on the extent of the fault.

- Step 10.3 has no reference on where NPSH criteria is located.

Is it a procedure or a chart?

Clearly, this must be addressed by the licensee.

- Step 5.3.2.1 of the primary operator actions has the caution for this step on page 4 of 10 in Appendix A, while the step is on page 5.

Cautions should be on the same page as the step.

The caution is, however, not a caution, but is the HPSI throttle criteria.

+

Standard Appendix E "Emergency Operations" (referred from Pressure Inventory Control PIC):

- Step 1.0 refers to Figure 1, a flowchart.

The flowchart does not have the figure number or title.

The flowchart should have the figure number and the title.

Some parts of Figure 1 are only marginally readable.

The quality of the chart should be improved.

- Step 1.1 refers to a data sheet on page 7 of 7 in the Appendix E.

The data sheet is actually on page

of 8.

- Step 2.1.2 refers to the flow delivery graph.

The graph is not labeled, and there are two graphs.

The HPSI graph and the LPSI graph.

The HPSI graph is for two trains required and the addition of the flow indications from two flow meters is required.

This should be indicated on the graph.

- Step 2.3.3 has a note that states that for enhanced reflux boiling the S/G should be over 65% on the Wide Range level instrumentation.

The step has the operator maintain Wide Range level at 35 to 80%.

This should be reworded to clarify.

- Step 3.1 tells the operator to cooldown/depressurize the RCS per the MPT curve.

The examiner assumes that the MPT curve is one of the two curves on page 9 of 18, but neither curve has a title or figure number.

Both curves are also small and difficult to interpret.

- Step 3.8.2.1 directs the operator to open the SIT vent valves.

Since this operation is done infrequently, Palo Verde should consider including the valve numbers.

Procedure Walkthroughs:

Appendix D 41RO-1ZZ10 "Functional Recovery":

Step 3.1 has no indication of which valves on the list are local operation in the plant versus operation from the control room.

Some indication, such as (local), could help remind the operator in a crucial time and reduce the need to memorize all the valve locations.

Appendix G 41RO-1ZZ10 "Functional Recovery" Step 1.0 the third item, the pressurizer selection channel X/Y handswitch is mislabeled on the control panel in Unit 1.

The handswitch is labeled RCH-HS-110 instead of RCH-HS-100.

The fifth item has an error in the prefix for the designation of two power supplies.

NGN-L32 should be PGB-L32 and NGN-L33 should be PGA-L33.

Appendix H 41RO-1ZZ10 "Functional Recovery":

The sixth instruction states that "If charging and letdown are to be used for pressure control, then perform step 5."

Step 5 is chiefly about restoring pressurizer level, then using the pressurizer heaters for pressure control.

Only one step, number 5.2, mentions coordinating letdown, charging flow, and SI flow, with no guidance on what the operator is expected to do.

Additional guidance should be given to the operators for this little used operation.

Step 3.1 has the instrument air containment isolation valve as IA-UV-2 when it should be listed as IAA-UV-2.

Appendix I 41RO-1ZZ10 "Functional Recovery":

The procedure has a caution added before step 5.

The caution refers to the use of reactor vents and identifies TS 3.4.10.

The connection between the caution and the Technical Specification referred to was not apparent even to a licensed operator.

This disparity needs clarification.

Appendix O 41RO-1ZZ10 "Functional Recovery":

Step 1.3 has two problems, the first is minor.

The step uses a different acronym for Nuclear Cooling Water than the following step, NC versus NCW for step 2.0.

Step 1.3 directs the operator to step 3.0 if chillers are unavailable due to loss of NC or PW.

When the operator completes step 3.0 it appears he should be directed to return to complete steps 1.4 and 2.0.

The component and power supply table (page 4 of 5) for Reactor Cavity Cooling Fans has the LPSI control power, CS control power, and Chemical Addition Pump breaker instead of the three discharge dampers HCN AC03B, A03C, and A03D.

(The table in 43RO-3ZZ10, Appendix O is correct.)

+

Appendix P 41RO-1ZZ10 "Functional Recovery":

- The Safety Injection, Shutdown Cooling Table on page 9 of 12 has a wrong component number (typo) for SIC-UV-653.

+

Appendices L and J 41RO-1ZZ10 "Functional Recovery":

- Appendix L defines a slow feed rate for a Steam Generator as 5,000 lbm per hour (approx. 150 gpm).

This is contrary to Appendix J which says 250 gpm.

+

Other items identified during walkthroughs:

ODGs (Operation Department Guidelines) for local operation of Emergency Boration flow path was not posted at the gravity feed valves CH-HV-536 and 532.

A working copy of 41AO-1ZZ01 was not in the Control Room, however a controlled copy was available.

Local operation of the ADVs (41SG-1ZZ01) was also not available in the Control Room.

The core exit subcooling meter (preferred method of obtaining subcooling information) is difficult to read.

The increments are non-conventional and the most needed portion of the scale is on the bottom tenth of the meter.

During the walkthroughs an RO misread the meter by 50 deg. F.

The auctioneered subcooling margin meter (close by the core exit meter described above) is also a preferred source of subcooling information.

It is also difficult to read, uses a different scale from the core exit subcooling meter, and sometimes is erratic in its response.

The current revision of the EOPs has a note that this meter should not be used independently of other readings because of previous problems in using this meter when executing the procedures.

The Qualified Safety Parameter Display System (QSPDS) is the third preferred method of determining subcooling.

However the operators are not trained in the use of the QSPDS and the QSPDS is not available for use in the simulator (not installed).

The Control Room labels for B train equipment and instruments are hard to read because of the white on green, low contrast lettering, and the buildup of surface dirt on the labels.