Crediting of Operator Actions in Place of Automatic Actions & Modifications of Operator Actions, Including Response Times

ML031050065
Person / Time
Site:	Beaver Valley, Millstone, Hatch, Monticello, Calvert Cliffs, Dresden, Davis Besse, Peach Bottom, Browns Ferry, Salem, Oconee, Mcguire, Nine Mile Point, Palisades, Palo Verde, Perry, Indian Point, Fermi, Kewaunee, Catawba, Harris, Wolf Creek, Saint Lucie, Point Beach, Oyster Creek, Watts Bar, Hope Creek, Grand Gulf, Cooper, Sequoyah, Byron, Pilgrim, Arkansas Nuclear, Three Mile Island, Braidwood, Susquehanna, Summer, Prairie Island, Columbia, Seabrook, Brunswick, Surry, Limerick, North Anna, Turkey Point, River Bend, Vermont Yankee, Crystal River, Haddam Neck, Ginna, Diablo Canyon, Callaway, Vogtle, Waterford, Duane Arnold, Farley, Robinson, Clinton, South Texas, San Onofre, Cook, Comanche Peak, Yankee Rowe, Maine Yankee, Quad Cities, Humboldt Bay, La Crosse, Big Rock Point, Rancho Seco, Zion, Midland, Bellefonte, Fort Calhoun, FitzPatrick, McGuire, LaSalle, Fort Saint Vrain, Shoreham, Satsop, Trojan, Atlantic Nuclear Power Plant
Issue date:	10/23/1997
From:	Roe J Office of Nuclear Reactor Regulation
To:
References
IN-97-078, NUDOCS 9710230271
Download: ML031050065 (11)
v • d • e

text

Addressees

All holders of operating licenses for nuclear power reactors except those who have permanently ceased operations and have certified that fuel has been permanently removed from the reactor vessel.

Purpose

The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice to alert addressees to a recent increase in the number of licensees that have implemented changes to their facilities or operations that may inappropriately credit operator actions in place of automated system or component actuations. Licensees have also altered operator actions, including response times, previously described in their licensing bases. Often these changes are implemented without adequate consideration of human performance issues that might affect the acceptability of such changes. In certain cases, the NRC has pursued enforcement actions against licensees that failed to adequately justify the changes. It is expected that recipients will review the information for applicability to their facilities and consider actions, as appropriate, to avoid similar problems. However, suggestions contained in this information notice are not NRC requirements; therefore, no specific action or written response is required.

Description of Circumstances

The following are recent examples of licensees' changes to facilities or operations that credit operator actions in place of automated system or component actuation. The examples also include instances of licensees altering operator actions, including response times, that were previously evaluated.

Prairie Island

In June 1995, the licensee performed a service water system operational performance self-assessment . The assessment raised an issue concerning the capability of the seismically qualified emergency intake line to provide sufficient water following an earthquake for the safety-related cooling water pumps. Specifically, the preoperational test did not verify adequate flow through the line at low river design levels, and no calculations were performed to correlate test results to design conditions.

In November 1995, the licensee performed a special test of the emergency intake line and determined that, at normal river levels, it did not meet the final safety analysis report (FSAR) design flow requirements. Engineering analysis determined that design flow was not achievable at low river levels. The licensee entered the appropriate technical specification (TS) limiting condition for operation (LCO) and applied compensatory measures. The licensee then prepared an operability determination and a safety analysis to resolve the issue and exit the LCO.

On the basis of the safety analysis, the licensee specified operator actions to isolate certain nonessential cooling water loads. Additionally, in order to provide sufficient time for the operators to take the required actions, the licensee altered the design basis by assuming that the nonseismic intake canal would be available for at least an hour following the earthquake and that the river low level would not occur during that hour.

In December 1995, the NRC reviewed the licensee's safety analysis and determined that the licensee's actions constituted a change to the design basis for coping with an earthquake.

The NRC concluded that an unreviewed safety question (USQ) existed because the licensee took credit for (1) the availability and use of the nonseismic canal, which was not previously evaluated in the FSAR, and (2) operator actions to isolate nonessential cooling water loads, which could have introduced unanalyzed failure modes through operator acts of omission or commission. The NRC staff determined that these operator errors could have created an accident or a malfunction not previously evaluated in the FSAR or could have increased the probability of a malfunction of equipment important to safety. As a result, the NRC took escalated enforcement action against the licensee and a civil penalty was issued.

Salem Unit 2

The NRC conducted a special inspection between March 24 and April 17, 1997, at the Salem Unit 2 facility to examine the emergency core cooling system (ECCS) semiautomatic switchover and related residual heat removal (RHR) system flow issues. During the inspection, the NRC identified issues associated with drain down of the refueling water storage tank (RWST) and the switchover of the ECCS from the injection mode to long-term recirculation cooling.

A semiautomatic switchover of the ECCS was proposed for Unit 2 between 1983 and 1986 in response to questions that arose during the original licensing process. Discrepancies in the

conceptual design were resolved between 1986 and 1989, and the NRC approved the conversion from fully manual operation to semiautomatic operation as part of an amendment to the Unit 2 TS. The Unit 2 ECCS switchover scheme was required to ensure continued suction to the high-head (charging) and the intermediate-head safety injection (SI) pumps and to provide uninterrupted flow of ECCS water to the core. The semiautomatic evolution involves automatic valve positioning and more than 10 manual operator actions, beginning when the RWST low-level alarm is reached. The RWST low-level alarm setpoints were established such that a certain amount of time was available (after receiving the low-level alarm) for operators to complete the switchover. Assuming that all of the actions are successfully performed, the Unit 2 switchover would be completed before the charging and the Si pump suctions are aligned to the RHR pump discharge.

In a March 1996 change to the Emergency Operating Procedures (EOPs), the licensee implemented an essentially new switchover design. The change resulted in shorter required response times by operators and, in certain cases, interruption of flow to the core. This modification changed the licensing basis previously approved by the NRC.

The licensee's new switchover design, which assumed a total of 11.3 minutes available for operator action to switch over following a small-break loss-of-coolant accident, constituted a change to the operation of the facility as described in the FSAR.

In April 1997, the NRC reviewed the modified switchover design and determined that the changes constituted a USQ. The issues associated with the USQ were described in Information Notice 97-60, "Incorrect Unreviewed Safety Question Determination Related to Emergency Core Cooling System Swapover From the Injection Mode to the Recirculation Mode," dated August 1, 1997. The NRC also found that the licensee had not adequately justified the proposed changes. Specifically, the licensee did not have adequate empirical evidence to support the reduced time available to the operators in the most limiting case, that is, when the RWST to the RHR pump suction valve failed to close automatically.

Although the licensee's EOPs provide contingency actions to deal with the failure of the RWST-to-RHR-pump-suction valve to close, the licensee's simulator was not capable of modeling such a failure, and the crew evaluations to support the modified timeframe for switchover did not model or account for these additional contingency actions. Also, the licensee's analysis failed to consider credible operator errors of omission or commission that could affect overall operator response time in carrying out the switchover evolution.

The NRC determined that the change in required operator response time constituted a USQ because it (1) could have created a situation in which the operators did not have sufficient time to complete required actions or could introduce the possibility of credible performance errors that have the potential for increasing the consequences of an accident or a malfunction of equipment important to safety previously evaluated in the FSAR, (2) could have created a different type of accident or malfunction than that previously evaluated in the FSAR, or (3) could have reduced the margin of safety.

Discussion

The original design of nuclear power plant safety systems and their ability to respond to design-basis accidents were described in licensees' FSARs and were reviewed and approved by the NRC. Most safety systems were designed to rely on automatic system actuation to ensure that the safety systems were capable of carrying out their intended functions. In a few cases, limited operator actions, when appropriately justified, were approved. Proposed changes that substitute manual action for automatic system actuation or modify existing operator actions, including operator response times, previously reviewed and approved during the original licensing review of the plant will, in all likelihood, raise the possibility of a USQ.

Such changes must be evaluated under the criteria of 10 CFR 50.59 to determine whether a USQ is involved and whether NRC review and approval is required before implementation. A licensee may not make such changes before it receives approval from the NRC when the change, test, or experiment may (1) increase the probability of occurrence or the consequences of an accident or a malfunction of equipment important to safety previously analyzed in the FSAR, (2) create the possibility of an accident or a malfunction of a different type than any previously evaluated in the FSAR, or (3) reduce the margin of safety as defined in the basis for any TS. In the NRC staffs experience, many of the changes of the type described above proposed by licensees do involve a USQ.

In those instances where licensees consider temporary or permanent changes to the facility which credit operator actions, the NRC has relied on the guidance provided in Generic Letter (GL) 91-18, Revision 1, "Resolution of Degraded and Nonconforming Conditions and on Operability," and ANSIJANS 58.8, 'Time Response Design Criteria for Safety Related Operator Actions," 1984 (ANSI-58.8), for evaluating such changes. GL 91-18, Rev. 1 discusses the appropriateness of temporary use of operator action in place of automatic action and states, in part, that:

.it is not appropriate to take credit for manual action in place of automatic action for protection of safety limits to consider equipment operable. This does not preclude operator action to put the plant in a safe condition, but operator action cannot be a substitute for automatic safety limit protection....Although it is possible, it is not expected that many determinations of operability will be successful for manual action in place of automatic action. ...[Such changes]

are expected to be a temporary condition until the automatic action can be

promptly corrected in accordance with 10 CFR Part 50 Appendix B, Criterion XVI, "Corrective Action."

ANSI-58.8 provides estimates of reasonable response times for operator actions; however licensees may use time intervals derived from independent sources provided they are based on analyses with consideration given to human performance. ANSI-58.8 also states that, Nuclear safety-related operator actions or sequences of actions may be performed by an operator only where a single operator error of one manipulation does not result in exceeding the design requirements for design basis events.

Based on these guidelines, the NRC's reviews of licensees' analyses typically include, but are not limited to, (1) the specific operator actions required; (2) the potentially harsh or inhospitable environmental conditions expected; (3) a general discussion of the ingress/egress paths taken by the operators to accomplish functions; (4) the procedural guidance for required actions; (5) the specific operator training necessary to carry out actions, including any operator qualifications required to carry out actions; (6) any additional support personnel and/or equipment required by the operator to carry out actions; (7) a description of information required by the control room staff to determine whether such operator action is required, including qualified instrumentation' used to diagnose the situation and to verify that the required action has successfully been taken; (8) the ability to In accordance with Regulatory Guide (RG) 1.97, 'Instrumentation for Ught-Water-Cooled Nuclear Power Plants To Assess Plant and Environs Conditions

During and Following an Accident,' Revision 3, qualification of the instrumentation relied upon by the operators may be an Important review issue. RG 1.97 defines Type A variables as 'those variables to be monitored that provide the primary information required to permit the control room operator to take specific manually controlled actions for which no automatic control Is provided and that are required for safety systems to accomplish their functions for design basis accident events."