ML033030498

LER 03-S01-00 for Fort Calhoun Station Regarding Safeguard System Vulnerability Due to Inadequate Securing of a Security Door
Site: Fort Calhoun Omaha Public Power District
Issue date: 10/23/2003
From: Clemens R
Omaha Public Power District
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
LIC-03-137 LER 03-S01-00

Omaha Public Power District
444 South 16th Street Mall
Omaha NE 68102-2247

October 23, 2003
LIC-03-0137

U. S. Nuclear Regulatory Commission
Attn: Document Control Desk
Washington, DC 20555-0001

Reference: Docket No. 50-285

Subject: Licensee Event Report 2003-S01 Revision 0 for the Fort Calhoun Station

Please find attached Licensee Event Report 2003-S01, Revision 0, dated October 23, 2003. This report is being submitted pursuant to 10 CFR 73.71(b)(1). If you should have any questions, please contact me.

Sincerely,

Division Manager
Nuclear Assessments

RTR/EPM/epm

Attachment

c: B. S. Mallett, NRC Regional Administrator, Region IV
A. B. Wang, NRC Project Manager
J. G. Kramer, NRC Senior Resident Inspector
INPO Records Center

NRC FORM 366 (7-2001) U.S. NUCLEAR REGULATORY COMMISSION
APPROVED BY OMB NO. 3150-0104 EXPIRES 7-31-2004

LICENSEE EVENT REPORT (LER)
(See reverse for required number of digits/characters for each block)

Estimated burden per response to comply with this mandatory information collection request: 50 hours. Reported lessons learned are incorporated into the licensing process and fed back to industry. Send comments regarding burden estimate to the Records Management Branch go E6), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by internet e-mail to b slnrc. ov, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-1002 (3150-0104), Office of Management and Budget, Washington, DC 20503. If a means used to impose information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.

1. FACILITY NAME: Fort Calhoun Nuclear Station Unit Number 1
2. DOCKET NUMBER: 05000285
3. PAGE: 1 OF 4
4. TITLE: Safeguard System Vulnerability due to Inadequate Securing of a Security Door
5. EVENT DATE (MO DAY YEAR): 09 23 2003
6. LER NUMBER (YEAR - SEQUENTIAL NUMBER - REV NO): 2003 - S01 - 00
7. REPORT DATE (MO DAY YEAR): 10 23 2003
8. OTHER FACILITIES INVOLVED (FACILITY NAME, DOCKET NUMBER): 05000
9. OPERATING MODE: 5
10. POWER LEVEL: 0
11. THIS REPORT IS SUBMITTED PURSUANT TO THE REQUIREMENTS OF 10 CFR §: (Check all that apply)

20.2201(b) 20.2203(a)(3)(ii) 50.73(a)(2)(ii)(B) 50.73(a)(2)(ix)(A)
20.2201(d) 20.2203(a)(4) 50.73(a)(2)(iii) 50.73(a)(2)(x)
20.2203(a)(1) 50.36(c)(1)(i)(A) 50.73(a)(2)(iv)(A) 73.71(a)(4)
20.2203(a)(2)(i) 50.36(c)(1)(ii)(A) 50.73(a)(2)(v)(A) 73.71(a)(5)
20.2203(a)(2)(ii) 50.36(c)(2) 50.73(a)(2)(v)(B) X OTHER (Specify in Abstract below or in NRC Form 366A)
20.2203(a)(2)(iii) 50.46(a)(3)(ii) 50.73(a)(2)(v)(C)
20.2203(a)(2)(iv) 50.73(a)(2)(i)(A) 50.73(a)(2)(v)(D)
20.2203(a)(2)(v) 50.73(a)(2)(i)(B) X 50.73(a)(2)(vi)
20.2203(a)(2)(vi) 50.73(a)(2)(i)(C) 50.73(a)(2)(viii)(A)
20.2203(a)(3)(i) 50.73(a)(2)(ii)(A) 50.73(a)(2)(viii)(B)

12. LICENSEE CONTACT FOR THIS LER NAME TELEPHONE NUMBER (Include Area Code)

Alan Clark, Supervisor Nuclear Security Operations 402-533-6666

13. COMPLETE ONE LINE FOR EACH COMPONENT FAILURE DESCRIBED IN THIS REPORT
CAUSE | SYSTEM | COMPONENT | MANUFACTURER | REPORTABLE TO EPIX

14. SUPPLEMENTAL REPORT EXPECTED: YES (If yes, complete EXPECTED SUBMISSION DATE) / X NO
15. EXPECTED SUBMISSION DATE (MONTH DAY YEAR):

16. ABSTRACT (Limit to 1400 spaces, i.e., approximately 15 single-spaced typewritten lines)

On September 23, 2003, the doors 1009-1A and 1009-1B, which allow access to the containment equipment hatch room (a vital area), were placed in an unsecured mode to allow hoses to be run through them for ongoing outage maintenance work. During this time, a security officer was posted at the doors to control personnel, vehicle and material access. When maintenance was complete, the hoses installed did not allow door 1009-1A to be secured. As further access was not required, the decision was made to lock and secure door 1009-1B and place it on an hourly patrol. Later on September 23, 2003, maintenance requested that the doors be opened again. At this time it was discovered that both doors were still in the unsecured mode. The alarm station operator immediately secured door 1009-1B and notified the Shift Security Supervisor. The determination was made that this event was reportable in accordance with 10 CFR 73.71(b)(1).

The root cause for this event was a failure to follow procedural guidance by the Security personnel involved.

The security staff involved in the incident were interviewed in order to determine the cause of the event. Appropriate individuals were counseled. The security staff was briefed on the event and the procedural violations that caused it.

17. NARRATIVE (If more space is required, use additional copies of NRC Form 366A)

BACKGROUND

The Fort Calhoun Station (FCS) uses a proprietary security force. FCS started a refueling outage on September 12, 2003, at 2055. At the time of the event (September 23, 2003) the plant was in mode 5 (refueling).

The event described below concerned the containment roll-up doors 1009-1A and 1009-1B. These doors are the entrance points for the containment equipment hatch room (66) inside of the protected area.

The unsecured mode means that the security computer generated door alarm has been disabled. All tamper indicating and line supervision capabilities are still in force. The secure mode includes intrusion alarm annunciation in addition to tamper indication and line supervision.

As required by the code of federal regulations, there are two alarm stations. They are the Central Alarm Station (CAS) and the Secondary Alarm Station (SAS).

EVENT DESCRIPTION

On September 23, 2003, security personnel were responding to a request to open doors 1009-1A and 1009-1B to support ongoing outage maintenance activities in the area of room 66. During the evolution, hoses would be passed through these doors in a manner that would require door 1009-1A to remain in an unsecured mode. Door 1009-1B was to remain in a padlocked and secure mode with compensatory actions to place 1009-1B on an hourly patrol.

Following the placement of the hoses, officers at the door location verified that 1009-1B was padlocked and verified closed. Standard practice at this point would require the CAS Operator to place door 1009-1B into the secure mode using the plant security computer system. However, at approximately 1225, security personnel discovered that the door had not been placed back into its secure mode as had been planned. The alarm station operator immediately secured door 1009-1B and notified the Shift Security Supervisor. The determination was made that this event was reportable per 10 CFR 73.71(b)(1). A one-hour report describing the event was made to the NRC Operations Center at 1415 as required. This event is being reported pursuant to 10 CFR 73.71(d).

SAFETY SIGNIFICANCE

Nuclear safety was not impacted by this event. The plant was in a safe and shutdown condition. The doors were padlocked and dead bolted. Opening this door requires two individuals, one stationed inside the Equipment Hatch Room and another stationed on the exterior portion of the door. In addition, door 1009-1B was being checked on an hourly basis.

Doors 1009-1A and 1009-1B are the entrance points for the equipment hatch room. SECOP-22, Security Compensatory Logs, delineates the actions taken when security barriers are placed in an unsecured mode and opened. The procedure establishes strict criteria and specific actions to be taken by the Shift Security Supervisor, Alarm Station Operator, and the Security Officer posted at the barrier. During the closing of 1009-1A and B, each individual working in the capacity of the above failed in some aspect to follow the procedure; however, nuclear safety was not impacted by this event. There are three criteria involved when evaluating or mitigating the consequences of a security equipment or procedural failure. Those are:

  • Was the condition predictable?

  • Was the condition identifiable?

  • Was the condition exploitable?

In this incident, because several barriers had to fail for the event to occur, it was certainly not predictable. Looking at the door, one could tell that the door was locked but one would not be able to tell that the door was in unsecured mode. Therefore, it was not identifiable. And last, because of the negative responses to the first two questions, the situation was not exploitable. Therefore, the event falls into the category of failure to follow procedures, without resulting in the loss or degradation of safeguards effectiveness.

No plant systems (safety systems or others) were threatened by this oversight. Therefore, this event had no impact on the health and safety of the public.


CONCLUSION

Security Operational Procedure (SECOP)-20, "Response to Security Alarms and Unlocked Access Alarm Zones," controls the process of changing the status of door alarms. Section 2.2, "Alarm Zone Status Changes," describes the process that should be used to place and or remove doors in or out of an unsecured mode. Step 2.2.5 of the procedure controls returning the door to a secure status as follows:

2.2.5 Return to Secure Status

A. After the need for an Officer to monitor a zone is completed, the monitoring Officer will request CAS/SAS to secure the zone, if accessed and rearm all alarms on the zone. After CAS/SAS has completed this function, CAS/SAS will display the zone to ensure the data base indicates the zone is secured and advise monitoring Officer of same.

B. The Officer monitoring the zone will not leave the zone until the Shift Security Supervisor grants permission to do so. The Shift Security Supervisor will personally verify the zone is secure by checking the status at one of the alarm stations. If the Shift Security Supervisor's duties will not allow a personal verification, he/she may request the alarm station that initiated the action, to verify the status of the Alarm Zone.

C. If the zone is being monitored due to maintenance reasons, the Shift Security Supervisor must ensure a performance test is completed prior to relieving the Officer in accordance with SETP-1 B.

The Shift Security Supervisor gave permission to the monitoring officer to secure door 1009-1B after he had finished placing the padlock and deadbolt in place. Communications between the monitoring officer and the alarm station operator about securing the station on the door were unclear. The monitoring officer stated that he believed he had heard that the door had been secured, and the alarm station operator stated he did not hear a request to secure the door. The monitoring officer did not leave the post until permission was received from the Shift Security Supervisor.

However, the Shift Security Supervisor did not verify the status of the door by contacting the alarm station as required. The monitoring officer did not contact the alarm station to receive the time that the post was closed out (obtained from the security computer).

The root cause for this event was a failure by the Security personnel involved to follow procedural guidance. When discussing the status of the door with the officer posted at the door, it was assumed by the supervisor that the door alarm had already been placed in the secure mode by CAS/SAS. The analysis also revealed two contributing causes to the event:

1. Wrong assumptions made by junior ranking security personnel due to perceived thoroughness and competence of the more experienced members. This led to a failure to question the communications and procedural steps.
2. Inadequate use of site human performance communication standards for giving directions which involve a change in plant or equipment status.

CORRECTIVE ACTIONS

Upon discovery of the problem, the security door was immediately placed in the secure mode, as required. The security staff involved in the incident were interviewed in order to determine the cause of the event. Appropriate individuals were counseled. The security staff was briefed on the event and the procedural violations that caused it.

The correct procedure was reinforced in the briefing information. Additional corrective actions will be implemented using the station's corrective action system.


SAFETY SYSTEM FUNCTIONAL FAILURE

This event did or did not result in a safety system functional failure in accordance with NEI 99-02.

PREVIOUS SIMILAR EVENTS

The last 10 CFR 73.71 report made at the station was in 1997. This report was for the Uncompensated Loss of a Single Security Intrusion Detection Alarm Zone due to lack of attention to detail on behalf of both the CAS and SAS Operators.
