ML19308C082
| ML19308C082 | |
| Person / Time | |
|---|---|
| Site: | Crane  |
| Issue date: | 07/30/1979 |
| From: | Frampton G NRC - NRC THREE MILE ISLAND TASK FORCE |
| To: | NRC - NRC THREE MILE ISLAND TASK FORCE |
| Shared Package | |
| ML19308C081 | List: |
| References | |
| TASK-TF, TASK-TMR NUDOCS 8001210373 | |
| Download: ML19308C082 (41) | |
Text
,
y-
['
UNITED STATES y'
' 'n NUCLEAR REGULATORY COMMISSION
,i W ASHINGTON, D. C. 20555
%,.... p#
July 30, 1979 T0:
All SIG Members FROM:
George T. Frampton, Jr.
Attached is a new draft of the Outline of the Final Report. A few specific lists (such as alternative sequences and plant deficiencies) need to be included in the next draft.
George T. Frampton, Jr.
Attachment:
As stated l
l 8003 g y 9 378
DRAFT:
7/29/79 NRC Three Mile Island Special Inquiry Outline of Report / List of Possible Issues To Be Addressed I.
INTRODUCTION The Introductior, will include a brief discussion of NRC's decision to institute a Special Inquiry under outside, independent supervision; a description of the group's mandate, its staff, and the methods employed in its study will follow.
II. WHAT HAPPENED?
1.
Narrative This section will be a substantial part (at least one-quarter to one-third) of the report and will contain a detailed integrated, narrative account of the accident from 4 a.m. on March 28 until at least ten days later. The narrative will integrate and combine the following into a single account:
1.1 The physical sequence in the plant, including operator actions causing these physical events to occur.
(This will have to include an interwoven account of how a reactor works!)
I 1.2 The utility's response 1.2.1 Operator actions (overlap with 1.1 above).
1.2.2 Decisions and actions by the utility's management, including the composition and actions of various ad hoc groups formed by management.
This will also include the utility's communications with NRC, B&W, and the industry, and assistance rendered by industry groups.
1.3 NRC's response This will be a description of what-NRC personnel actually did.
1.3.1 Region I (IE) Regional Incident Response Action Coordination Team (RIRACT). Boyce Grier, Director of Region I, and his staff formed this team.
1.3.2 Onsite inspection team (s). This team grew dramatically with time until it included the bulk of Region I and many assisting inspectors and managers from the other IE Regions.
The first OIT included:
Charles 0. Gallina, Leader James C. Higgins Donald R. Neely Ronald L. Nimitz Karl E. Plumlee i
A second group arrived in a second vehicle only 55 minutes later;
'it consisted of:
Walter F. Baunack Raymond H. Smith Of the first seven in the OIT, only Higgins and Baunack are reactor inspectors.
The first NRR team, under the direction of R. Vollmer, which arrived 1.3.3 on March 29, and which originally had been designated by NRC Headquarters and sent to the site as a " recovery" team on the assumption that the accident was already over by the afternoon of March 28.
The team under Harold Denton which arrived on the afternoon of 1.3.4 March 30 (Friday), after Denton had been designated as the President's man on the site, and establishment of an on-site command center.
NOTE: With respect to each of the above components, we want to examine how they perceived their role and authority; how they interacted with the operators and utility management; what expertise they brought to the site; and what t'ey actually did there.
1.3.5 NRC Headquarters' Emergency Management Team and Incident Response The emergency management procedures in Bethesda were Center.
implemented at the NRC-HQ Incident Response Center (IRC), which is sometimes also referred to as the Operations Center (OC). The groups that responded from NRC Headquarters through the IRC included:
4
- 1. 3. 5.1 The Executive Management Team (EMT). The EMT was formed pursuant to NRC Appendix 0502, which stipulates that the i
EMT will be the principal entity exercising the NRC's authority in the case of an accident.
In this case, the I
team consisted initially of:
L. V. Gossick, EDO E. G. Case, Deputy Director, NRR J. G. Davis, Acting Director, IE Harold Denton, Director of NRR, was planning to. leave town on March 28 so he originally sent Ed Case to the EMT.
Denton came to the EMT later in the day.
J i
e i
. 1.3.5.2 Incident Response Action Coordination Team (IRACT).
The IRACT was forned under the direction of Nornen C.
Moseley, Director, Division of Reactor Operations Inspection, IE. The principal member of the IRACT on hand at the outset was Victor Stello, Director, Division of Operating Reactors, NRR. The IRACT drew substantially on NRC Headquarters staff, principally from IE and NRR.
The purpose of this group was to marshall NRC support for actions determined by the EMT to be necessary.
1.3.5.3 Office of State Programs (SP).
State Programs immediately set up in a small anteroom of the IRC, communicating with the Pennsylvania authorities and passing information to other states.
1.3.5.4 Office of Public Affairs (PA).
Public Affairs became deeply involved with the EMT at the outset.
1.3.5.5 Office of Nuclear Regulatory Research (RES). The Office of Research did not respond in a significant way until it was called upon on Friday, March 30, to assess the hydrogen problem, core melt possibilities and other com-plex matters. RES worked under the direction of its Director, Saul Levine, in a series of ad hoc groups using RES staff, some other NRC staff, RES contractors, and other outside groups.
1.3.5.6 Office of Congressional Affairs.
1.3.6 The Commissioners.
On March 28, Chairman Hendrie was not initially available and Commissioner Gilinsky acted in his stead. The Commission did not react as a body on March 28, but individual Commissioners tracked events closely and visited the IRC in Bethesda.
NOTE:
For the next draft of this Report Outline, we should include an outline of the significant meetings and decisions of the Commission as a body over the first five days, insofar as that is possible.
1.3.7 This section should also set forth the liaison between the various components or individuals at NRC with Congress.
1.3.8 NRC's liaison and communication with other federal agencies, especially with respect to monitoring of releases and receipt of information concerning the results of this monitoring.
l
. 1.4 Response of other federal agencies.
1.4.1 DOE.
Played majc. role in monitoring.
NEED DETAILED OUTLINE.
1.4.2 EPA.
Its principal role appears to have been the sampling of effluents for the State.
1.4.3 HEW. HEW groups involved in TMI included (a) Bureau of Radiological Health in the areas of radiological monitoring, protective action guides, and obtainment and use of potassium iodide as a thyroid blocking agent, (b) the National Institute for Occupational Safety and Health in the area of recording radiation exposures, (c) the Center for Disease Control in the area of epidemiological studies, (d) the National Institute of Health in the area of qualit control for whole body counting performed on residents near TMI, (y) the e
National Cancer Institute with respect to use of potassium iodide by TMI workers, and (f) the National Mental Health Institute with respect to psychological stresses attributable to TMI.
1.4.4 Dept. of Comerce (NBS and NOAA).
1.4.5 Dept. of Agriculture (USFS).
1.5 Response of State Agencies.
1.5.1 Pennsylvania Emergency Management Agency (PEMA).
(Oren Henderson, Director.)
NEED DETAILED OUTLINE.
1.5.2 Bureau of Radiation Protection (BRP) of the Pa. Dept. of Environ-mental Resources.
(Thomas Gerusky, Director; Margaret Reilly; William Dornsife.) The Pennsylvania plan for Nuclear Power Generat-ing Station Incidents assigned BRP responsibilities for (1) contacting the facility for a description of the incident, prognosis, and recommendations, (2) maintaining contact with the facility, (3) supplementary environmental sampling and analysis, (4) advising state, county, and local agencies, through PEMA, on the need to take protection actions, actions to be taken, areas at risk and recomending withdrawal of protection actions, and (5) notifying and requesting assistance from Federal agencies.
During the incident at TMI, BRP was the state agency with primary responsibility for radiological monitoring and analysis of monitoring results and plant status for the purpose of making recommendations for protective actions.
BRP utilized a State Police Helicopter for air sampling, the Pa. Bureau of Forestry comunications system for comunication between field samplers and headquarters, and requested assistance from DOE's Brookhaven National Lab especially for iodine sampling since the State did not have that capability.
BRP has a laboratory for sample analysis in Harrisburg.. BRP maintained an open line of comunication with the site for several weeks after the
. I.
accident.
NOTE:
BRP disagreed with NRC's recommendation on Friday (3/30) to evacuate out to 10 miles and advised Henderson (PEMA) not to initiate evacuation.
1.5.3 Governor's Office, including the Governor, his chief aides (Executive Assistants, press assistants, etc.).
1.5.4 County civil defense organizations.
1.5.5 Mayors of towns in vicinity.
1.5.6 State police (PSP).
1.6 Radiological releases.
What kinds of radioactivity does a reactor produce and release in l
1.6.1 normal and in failure conditions? How are these types of radio-activity dangerous, and in what doses and circumstances?
What kinds of radioactivity were probably produced and released in 1.6.2 this accident?
1.6.3 Through what pathways did the radioactivity probably escape, when and in approximately what concentrations?
1.6.4 What is the best estimate of the doses and exposures received (a) in the plant, (b) on site, and (c) off site as a result?
1.6.5 How were these doses and exposures measured and calculated? What are the bounds on the estimates?
1.6.6 Estimates of danger to health and safety from these doses and exposures. Bounds on the estimates.
A number of specific matters need to be covered in this narrative section, NOTE:
either interwoven in the narrative or possibly set forth separately in con-While in some cases these matters are part and parcel of 1.1 clusory sections.
through 1.6 (indeed, in some cases they overlap each other), they.are separately listed below so that we can identify which matters will be covered by which Task Groups and individuals within Task Groups. These are 1.7 through 1.13, following:
. 1.7 What were the major strategy decisions (or non-decisions) affecting the status of the plant or releases, how were they made, by whom, and on what basis?
E.g.:
0404 Basic operator decision to reduce HPI flow and letdown, bypassing automatic ECCS as necessary, in order to lower pressurizer level at the expense of pressure. This basic mode lasts most of the day and later includes deliberate venting of the pressurizer.
0415-Lack of an operator decision to isolate the PORV despite looking 0618 at indications of leakage there.
0500-Station Supt. called back to check status.
Realized things were 0515 not normal with low pressure and high pressurizer level.
Decided to direct additional people to site but apparently did not irrer-vene in operational decisions.
0514-Operator decision to stop RCP's.
Due to:
Vibration alarms?
0540 Low flow, low current? NPSH curves? Pin compression curves?
0600-Conference call:
V.P. Generation, Station Supt., B&W Rep. in 0640 control room and Duty Officer in control room.
Decided to start RCP's and report to site.
During conference call it was decided to isolate the PORV. Likely a result of the conference call questions about status.
0719 After 19 minutes of running one RCP (as was directed by the conference call) operators decide to trip pump due to vibration and low current.
0713 Operators decide to begin venting pressurizer through PORV and continue intermittent venting (in conjunction with throttling HPI and with letdown flow) for two hours.
In the beginning of this period pressure and level are both high. However, they rapidly l
bring pressure down to about 1300 psi and continue with the program apparently to try to reduce pressurizer level.
0800 Station Supt, and caucus decide to run one RCP again. Operators start one at 0818 and secure it in 37 seconds due to low current and no flow.
0915 Station Supt. and caucus decide to increase pressure with HPI pumps, venting pressurizer through PORV only as necessary to main-tain pressure % 2000 psi (below safety valve setpoint). This mode continues more than 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.
1130 Station Supt. and caucus decide to blowdown primary system while maintaining some injection flow. This course continues nearly 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />.
. 1100-V.P. Generation arrived at Observation Center and discussed 1315 situation by phone with Plant Supt. Apparently did not intervene in plant operation decisions except to:
(1) direct Supt. at 1315 to stop dumping steam to atmosphere which left reactor without regular heat sink for about 5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />, and (2) direct Supt. and duty officer at 1315 to go to Harrisburg with VP to brief Lt.
Governor (actually left at 1430 and returned at 1600) which took some key people out of control room.
1350 Operators missed the significance of the hydrogen burn indications.
Considered to be an instrument malfunction.
1430 From here until 1611 it is not apparent what the plan was.
Secured venting pressurizer for 18 minutes beginning at 1510.
Biasing HPI flow to the c leg.
1611 It was decided to blowdown again, with NRC prompting.
(Since pressure had never gotten up above 600 psi, it is not clear the previous blowdown mode had ever truly ended.)
%1630 V.P. Generation discussed situation with VP GPU Services, who had talked with B&W engineers in Lynchburg, Va.
They agreed to repressurize. This began at 1645, followed by starting RCP's at 1845.
Operator decision to vent non-condensibles in makeup tank on March 29.
Operator decision to secure ventilation systems.in Unit 2 Auxiliary Building; 1104 on the 28th, 0055 on the 29th. This increased control room radioactivity levels and thus required use of respira-tors in control room.
NRC dictum to stop industrial waste treatment system releases at 1755 on the 29th and later on the 31st. This resulted in spillage of radioactive fluids onto the ground.
Operator decision to bypass orifice in letdown line at 0100 (approx.) on the 29th. This contributed to liquid releases.
Decisions resulting in venting and 1200 mr/hr reading on early morning of March 30.
Decisions relating to perceived hydrogen bubble problem, March 30 and after.
Decision by NRC/ utility to change filters in mid-April, decreasing iodine release rate.
Decision to install supplementary filters, end of April, decreasing iodine and particulate release rate.
l l
O
. 1.8 What decisions were recommended and made (or not made) concerning evacuation, or partial evacuation (including protections such as staying indoors; advisory for children and pregnant women to leave the area which was issued on March 30, etc.). When were they made, by whom, on the basis of what recommendations and inf ormation? What were the apparent bases for these decisions (e.g., actusi or feared future releases; danger of possible core melt; danger of possible hydrogen explosion)? Specifically, we want to examine at least the decision for a partial evacuation advisory made on March 30; and the decision by some Commissioners of the NRC to recommend a wider evacuation on Sunday, April 1, which was not adopted by the site team.
1.9 How bad was the accident and how much worse could it have been?
1.9.1 What could or should have been done to stop or ameliorate the accident? What was the " anticipated" procedure and why didn't it work?
A number of opportunities existed throughout the course of the accident to ameliorate the circumstances and begin cooldown of the fuel. Actions which should have been successful in beginning of cooldown include:
1.9.1.1.
Continuous HPI flow.
Leaving the HPI on in the high flow rate ECCS mode after actuation at about 2 minutes (or after the numerous subsequent actuations).
1.9.1.2.
PORV block valve closure.
Closure of the PORV block valve at about-25 minutes, when the PORV discharge lire temperatures were first obtained from the plant computer; At several later times (prior to 2.3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />),
the discharge line temperature was again checked.
Because of the additional coolant loss by these times, it is not clear that block valve closure would in itself have been sufficient to " turn around" the accident.
Increased HPI flow would also have been required after some time into the accident.
- 1. 9.1. 3 Reactor coolant pump operation.
Restart of a reactor coolant pump earlier in the accident (before 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br />) may have been effective in " turning around" the accident. Other actions would likely have been required to support RCP operation, such as repressurization of the RCS and the addition l
1.9.1.3 of more water.
It should be noted that an RCP (con td) was restarted by the operators at 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, 55 minutes. The RCP ran for 19 minutes before low running currents and no flow indication required that the pump be tripped.
In addition, pump restart was attempted at about 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.
The RCP ran for a very short time (about 1 minute) before low pump running currents and no flow indication required that the pump again be tripped. Apparently, low water inventories (and les pressure in the second attempt) in the RCS prevented longer running times of the RCP.
The " anticipated" procedure during a small loss-of-coolant accident would be to allow the automatically-actuated ECCS to run until RCS pressure and pressuri-zer level rose to specific values, at which time the flow rate would be decreased by valve manipulation.
Apparently this course of events did not occur because of:
1.
Operator failure to recognize that a loss-of-coolant accident was occurring;
~.
- 2.--Misleading pressurher-levei--indication; and 3.
Operator lack of understanding on how to recover from a small loss-of-coolant accident, once it was recognized.
1.9.2 What could or should have been done to stop or ameliorate the releases? On-site exposures? Why wasn't this done?
1.9.3 How severe was core damage, when did it occur and how? When was this known and by whom? When should it have been known?
1.9.4 Was there a hydrogen bubble and when? What danger did it in fact pose? If the bubble was incorrectly perceived as a significant danger, why did this occur? Were there other scenarios incorrectly perceived to be poter.tially dangerous?
1.9.5 Alternative sequences:
What might have happened g:
- 1. 9. 5.1 EFW discharge line block valves were not closed?
1.9.5.2 EFW discharge line block valves were not opened until approximately 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />?
1.9.5.3 ECCS was allowed by the operators to operate at full capacity?
- 9a -
1.9.5.4 EFW discharge line block valves were not opened until approximately 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, but ECCS was allowed to operate at full capacity?
1.9.5.5 PORV block valve had been closed at 25 minutes?
1.9.5.6 Closure of the PORV block valve had been delayed until approximately 3.3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />?
1.9.5.7 Only 1 reactor coolant pump had been tripped per loop at 90 to 100 minutes?
1.9.5.8 Reactor coolant pumps were tripped concurrent with the reactor trip? See also IE Bulletin (Preliminary Notification of July 27, 1979) requiring RCP trip on small LOCA's.
1.9.5.9 Reactor coolant pumps were not successfully restarted?
1.9.5.10 Offsite power had been lost?
Two time periods appear to be of the greatest significance in terms of plant vulnerability to loss of offsite power:
1.9.5.10.1 March 28, 04:30 to 09:30 1.9.5.10.2 March 30 - April 1 1.9.5.11 Reactor had failed to SCRAM?
(Failure of the reactor protection system (the " SCRAM" system) would have substantially altered the course of the accident and could have resulted in melting of a significant fraction of the fuel.
However, other alternative sequences are being analyzed which have significantly higher likelihoods of occurrence (e.g.,
1.8.5.6) and would likely result in comparable conse-quences (gross fuel melting).
Since more likely paths to a core meltdown accident are being analyzed, it is believed that consideration of reactor protection system failure is not necessary.)
1.9.6 How close did TMI-2 come to a more serious coca meltdown and greater releases of radioactivity?
1.10 What information was communicated to the press, the public and Congress (in the form of official statements, press releases, press conferences) by the various parties, and how did this information jibe with the facts and with the information known to those communicating it?
p.
y.,
-9b-1.11 What was the "socio-economic" effect on the population living in the area of TMI-2? What do we know about the actual response to the evacuation advisory (how many people actually left, what types or groups of people left)?
1.12 Is there any evidence of sabotage? Of bribery?
(i.e., somebody being paid off to overlook or approve faulty or dangerous equipment).
1.13 Was there a coverup during the accident by NRC or Met Ed?
i i
If Did TMI-2 have any design deficiencies that contributed to the accident?
2.
so, were they (a) unique to this plant, (b) characteristic of all similar plants, or (c) characteristic of all or most nuclear power plants?
Possible types of design deficiencies are roughly grouped in five categories below; in each group are listed possible deficiencies which are worthy of examination:
2.1 (Possible) Plant System Deficiencies 2.1.1 Pressurizer Size It has been suggested that the volune of the TMI-2 pressurizer is relatively small, compared to other PWRs of similar power.
If correct, the sneller volune would cause more rapid filling or draining of the pressurizer and thus:
(1) demand more rapid operator response, and (2) cause more frequent demands on the PORV.
2.1.2 OTSG secondary side water inventory The mass of water held in the secondary side of the B&W OTSGs is relatively small conpared to other PWRs, causing these OTSGs to boil dry more quickly. This can result in:
(1) more rapid heatup of the RCS, and (2) the need for more rapid operator intervention in some situations.
This " deficiency," in concert with (possibly) the concern in 2.1.1, nay make the B&W design fundamentally less manageable (less " forgiving") in abnormal situations.
2.1.3 Core barrel vent valves In order to overcome the potential problens of steam binding during a large LOCA, B&W installed vent valves in the core barrel.
When the RCS pressure above the core is greater than that in the downcomer, these valves open and allow steam flow into the downcomer.
In the 3-16 hour period in the TMI-2 accident, these valves nay have been opening, allowing steam flow to go directly to the down-Thus the heat comers, bypassing the steam generators.
removal capability afforded by the steam generators nay have been compromised by the presence of these valves.
2.1.4 Inhibitions to natural circulation Certain design features of the B&W NS35 nay be detrimental to the establishment of natural circulation, most notably the relative heights of the vessel and the OTSGs and the
" candy cane" arrangement.
Thus it nay be more difficult to achieve natural circulation cooling in the B&W design.
. 2.1.5 PORV design and use 2.1.5.1 Design The power operated relief valve at the top of the pressurizer is designed to assist in normal plant operations, and has not been considered in licensing proceedings to be a " safety-related" component.
As such it is not environmentally qualified to safety-grade In transient-initiated accidents standards.
such as that at TMI-2, the PORY may be required to operate in conditions outside its design envelope, and thus may be less likely to perform satis;factorily when needed.
It has also been suggested that a cause for the PORY sticking open ney have been because of the discharge line arrangement.
As it was arranged, it was suggested that backpressure in the line could have caused the valve to re-main open.
2.1.5.2 Use Because of the possible " deficiencies" dis-cussed in 2.1.1 and 2.1.2 above, the frequency of demands on the PORY in B&W plants is signi-ficantly greater than that in other PWRs.
Since the likelihood of such a valve failing to close af ter opening has been known to be relatively high, the likelihood of causing a small LOCA in B &W plants is greater than that in other PWR designs.
2.1. 6 RHR system not designed for operating pressures.
The RHR systems in all PWRs are designed for low pressure operation, i.e., af ter the RCS has been cooled and Since attenpts to depressurized by other systems.
reach RHR pressures during the accident were unsuccessful, it has been suggested that the RHR system be modified to be operable at operating pressures.
1
. 2.1. 7 Pressurizer surge line loop seal The surge line connecting the pressurizer to the RCS hot leg contains a " loop seal" which may have inhibited flow into and out of the pressurf er during the course of the This loop seal may thus have contributed accident.
tc the high pressurizer level readings indicated and used by the operators throughout the accident.
2.1. 8 Lack of remote vent capability at RCS high points During the TMI-2 accident a capability to remotely open the vents at the RCS high points could have been useful to discharge steam and/or noncondensible gases trapped at the high points which were inhibiting natural circulation cooling.
2.1. 9 Reactor Building emergency sump design The emergency sunp in the reactor building contains screens to prevent materials which could clog the sump from actually entering it.
Apparently, these screens were installed to a specific height based
?
on the expected water levels in a large LOCA.
In the actual accident water levels rose to heights above the top of the screens, so that the operators could not be sure that blockage had not or would not occur if the sump were used. Because of this concern, the nunt)er of available options for core cooling appears to have been reduced.
l
2.1.10 Inadequate Radwaste Systems Design.
2.1.10.1 Inadequate liquid radwaste storage capacity.
2.1.10.2 Poor radwaste system design, including relief valve problems, leakage tolerances, seals, etc.
2.1.10.3 Inadequate filter / ventilation systems.
2.1.10.4 Inadequate shielding.
2.1.10.5 Inadequate auxiliary building sump capacity.
2.1.10.6 Sharing of hot sample labs, independence of Unit 1 and 2 sample lines, lack of shielding.
2.1.11 Safety classification of the EFW system The EFW system in TMI-2 was not designed to the safety qualification of systens such as ECC3. Because of this, actuation signals were only given to particular components in the system, and not delivered to valves such as the discharge line block valves. Had such actuation signal requirenents been placed on the EFW system, the delay in EFW delivery to the OTSGs nay not have occurred.
2.1.12 Lack of hot leg ECCS injection capability The TMI-2 plant does not have the capability of injection of ECCS water into the RCS hot legs which exists on some other PWRs.
Since such a capability might have been useful in collapsing steam voids in the upper core and providing better cooling of the damaged portions of the core, the long term cooldown
~
of the core nay have been enhanced.
l t
14 -
2.1.13 Qualification of pressurizer heaters As is the case for the PORY design discussed in 2.1.5 above, the pressurizer heaters are considered opera-tionally-related equipment rather than safety-related.
As such they are not qualified for steam environments and did experience problers in operating during the acci dent. This lack of qualification nay have con-tributed to the prolonged tine period during which the core rensined at high temperatures and radioactive material was forced out of the fuel.
i 2.1.14 Lack of automatic bypass on the demineralizer/
polisher units.
The initiating event in this accident was apparently the closure of the discharge valves from the demineralizer/
polisher units in the main feedwater system.
In other PWRs the bypass valves to these units are designed to automatically open upon closure of the discharge valves. Thus the specific initiating event of this accident nay not have occurred in other PWRs.
2.1.15 Condenser hotwell control Two problens appear to have existed which related to the availability of the hotwell for OTSG heat removal.
2.1.15.1 Hotwell volune and level control Problems were experienced during the accident of overfilling of the hotwell, which made it unavailable for use in steam condensation.
Apparently, the hotwell volune and faulty level controllers were the cause of this problem.
2.1.15.2 Availability of the auxiliary boilers Auxiliary steam boilers are used to supply steam to the air ejectors which maintain condenser vacuum. During the accident, problers apparently were encountered in operating the boilers, which seems to have added to the delays in restoring the hotwell to operability.
(
l l
. l 2.1.16 Inadequate decontamination facilities.
2.1.17 Control room habitability planning.
2.1.18 Plant layout for access and egress control.
2.1.19 Hydrogen recombiner availability.
2.1.20 Capability to thoroughly mix the large volume of coolant water lying on Reactor Building floor after LOCA to assure, for recircu-lation cooling, that no unborated water goes to reactor core.
. 2.2 (Possible) Command and Control Caficiencies 2.2.1 No anticipatory reactor trip (on turbine trip or other secondary conditions)
The control logic of the TMI-2 reactor protection system (the trip system) was such that a delay occurred between the feedwater stoppage to the OTSGs and the tripping of the reactor.
This mismatch between heat generation and heat removal contributed to the initial RCS heatup and the rapid dryout of the OTSGs.
2.2.2 Containment isciation The containment isolation system is designed to actuate at pressures determined by the events in a large LOCA. Thus in the TMI-2 small LOCA the isolation setpoints were not reached for approximately four hours. This allowed radioactive material to escape through various paths such as the reactor building sump, vent headers, etc.
An additional possible deficiency in the isolation system is the isolation of support systems for the reactor coolant pumps, so that operator bypass of the isolation is required to maintain operation of these pumps.
2.2.3 No ECCS actuation bypass prevention The TMI-2 ECCS actuation signals can be (and were) bypassed quickly by the operators.
In other PWR designs, such a bypass is prevented by electrical interlock controls for certain periods of time.
Thus the lack of such interlocks allowed the operators to interfere with the designed response of the ECCS, contributing substantially to the core heatup and damage.
2.2.4 RCS sampling capabilities Samples of the reactor coolant are taken and analyzed as part of both routine shutdowns and emergency situations. A number of problems in these processes occurred during the accident, including the following:
2.2.4.1 Apparent dilution of samples l
Samples of boron concentrations taken early in the accident were apparently incorrect because of the method of sampling. This may have contributed to confusion and misunderstanding by the operators.
I
' l 2.2.4.2 High levels of radioactive material in the sampling lines and area coupled with inadegaate shielding (see 2.1.10) caused additional problems in analysis of samples.
2.2.5 Reactor Building hydrogen concentration control In the early course of the accident ( % first 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />) hydrogen was being generated and transported into the Reactor Building, causing an increase in the concentration sufficient to cause at least a localized burning at about 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />. No method apparently existed which could have been rapidly actuated and used to control this hydrogen concentration buildup.
2.2.6 Interactions between ECCS control systems and fire control system Throughout the accident, problems in maintaining the operation of the makeup pumps were experienced.
Apparently this problem was in some part due to high temperatures in the areas where the makeup pump circuit breakers were located, which caused the breakers to trip. The high temperatures in these areas were apparently com-pounded by the tripping of cooling fans by the fire control system.
This systemseems to have been actuated by heat sensors in the area.
2.2.7 Integrated Control System The Integrated Control System (ICS) controls much of the initial plant response to a transient such as was the initiating event in this accident. As such, the ICS may have contribu+.ed to the initial variations in plant paiameters.
2.3 (Possible) Instrumentation Deficiencies 2.3.1 Instrumentation Ranges to Follow the Course of An Accident Various important instruments in the control room had ranges of indication which were quickly exceeded, so that inadequate or mis-leading information was presented to the operator. RCS hot leg temperature sensors, core exit thermocouples, and many radiation monitors experienced this problem.
2.3.2 Instrumentation environmental qualification Some instrumentation which was significant in controlling and understanding this accident experienced environmental conditions beyond their design basis.
Pressurizer level sensors were sporad-ically failing throup. Jut the accident; apparently some Reactor Building radiation monitors also failed. Submerged equipment, also.
I 4
1,
2 I
2.3.3 Accuracy of pressurizer level instrumentation 4
}
Because of the nature of the TMI-2 accident, the pressurizer level did not accurately represer.t the water levels in the RCS.
The indications of high pressurizer level apparently misled the operators into believing that the ICS was full of water throughout i
the accident; thus, actions to refill and cool the core were not believed to have been needed.
t 2.3.4 Computer storage and printout capabilities c
The alarm computer printout located in the control room began-experiencing significant backups early in the accident, and was l
actually out of service for some time period. No permanent storage in the computer occurs, so that when the printer is out of service, information is lost completely. As a result of these problems, the computer apparently was of little value to i
the operators.
l 2.3.5 PORY status instrumentation In the TMI-2 control room, the position of the PORY is indicated i
by a light. Since this light actually indicates that the electric i
l power to the valve has been removed, it does not indicate the physical position of the valve. Thus the operators were led to believe by the PORV indicator that the valve had reclosed when in fact it remained open, causing the loss of RCS coolant.
2.3.6 No reactor vessel water level indication In all PWRs, water level in the RCS is measured in the pressurizer.
l Thus in an accident such as that at TMI-2, when phenomena such as that discussed in 2.3.3 occur, an accurate measure of water level l
in the vessel and core is not available.
i 2.3.7 No remote visual observation equipment No remote visual equipment such as television cameras are installed in the Reactor Building of any PWR; so no visual indication of the status of equipment, etc. was available to the operators in the r
TMI-2 control room.
2.3.8 Lack of adequate arer radiation monitors.
2.3.9 No regulatory requirement for in-vessel. thermocouple to measure core performance, and no requirement for display or printout.over an adequate range for the existing thermocouples.
2.3.10 Lack of application.of Regulatory Guide 1.47, " Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety. Systems," to-certain valves and equipment.
_ 19 -
2.3.11 Lack of reactor building sump level monitor with display in readily accessible position.
2.3.12 Lack of flow measurement downstream of relief and safety valves.
2.3.13 Lack of hydrogen concentration monitor at input to recombiner.
2.3.14 Lack of online boron monitor.
2.3.15 Lack of instrumentation to display margin to saturation.
2.3.16 Poor control room design.
(See 2.5 below.)
2.4 Off-site sampling and monitoring deciciencies.
I 2.5 Human factors deficiencies and control room design and display. This category overlaps wM both 2.2 and 2.3 above and with 2.8.4 and 2.8.5 below, insofar as it includes failure to " design" command and control systems or instrumentation or instrumentation displays with human limitations and the possibility of human error in mind.
Furthermore, to answer the question whether any human factors deficiencies contributed to the accident, reference will have to be made as well to the analysis of the contribution of inade-quate procedures (section 4.2,below) and of operator action (section 6, below), which are discussed below. SEE OUTLINE OF HUMAN FACTORS ISSUES ATTACHED AS APPENDIX A TO THIS OUTLINE.
WITH RESPECT TO ANY " DESIGN DEFICIENCIES" IDENTIFIED IN THE AB0VE CATEGORIES, WE WILL HAVE TO ANSWER THE FOLLOWING QUESTIONS:
)
2.6 Was the deficiency, problem or issue raised in any forum, and should it have been? Specifically, with respect to each system or component identi-fied as having a design deficiency: who took the lead role in designing it, what kind of analysis was done, what was NRC's role, did the matter come up in any licensing review process or appear on an " Unresolved Safety Issue" list, how was it resolved, was the resolutica proven incorrect?
2.6A Somewhere here -- possibly either before or afLcr the above section 2.6 --
we will need a description of NRC's licensing p,ocess as it is supposed to work and as it actually does work (or not work); and a description of the NRC's philosophy of safety.
In short, a description of what the NRC does and does not do.
2.7 To what extent are any identified design deficiencies attributed to defects in NRC's basic philosophy of safety, the design basis accident approach and fault tree risk assessment?
2.8 To what extent are any deficiencies attributable to defects in NRC's licensing and review process? Some of the questions that might be covered here are:
. 2.8.1 Did the staff concentrate too much on large LOCA's and not enough on small breaks and transients in its accident analysis?
If so, did it make a difference in this accident?
2.8.2 In general, was inadequate attention paid to conditions that might arise that are beyond the normal criteria, specifically with respect to the following two matters:
2.8.2.1 Is the B&W design approach of allowing a feedwater trip to cause a high pressure condition, challenging the relief valves and causing a SCRAM, a good idea, in spite of the fact that the event is in theory terminated by redundant safety grade equipment?
2.8.2.2 Was there adequate planning for an event involving substan-tial core damage and hydrogen generation. Also, does the accident tell us anything about the adequacy of existing ECCS configurations?
2.8.3 Why was the presence of noncondensible gas in the primary system such a surprise to NRC and to the licensee?
2.8.4 Was control room design and instrumentation adequate? To what extent was human factors technology used in the development and design of the control room? How does the TMI-2 CR compare with human factors standards? With design concepts used in comparable control rooms (NASA; D0D; chemical industry)? SEE Al.S0 APPENDIX A.
2.8.5 Was adequate attention focused on the probability of human error and the control thereof? Specifically., on any kinds of human error that may have played a role in this m:ident? SEE ALSO APPENDIX A.
2.8.6 Did the NRC adequately examine the licensee's technical qualifications?
2.8.7 Does the license review process inhibit innovation in safety?
2.9 To what extent are any identified design deficiencies attributable to failings by the vendor (e.g., faulty or fraudulent analysis)?
To what extent are any design deficiencies attributable to failings by the 2.10 l
utility?
2.11 By the architect-engineer?
l l
2.12. Can we draw any conclusions about the adequacy of NRC's " safety margin" from any such deficiencies? Why was this accident "not a credible event"?
. l Precursor events: Were there specific events or experiences at TMI-2 or at 3.
other plants that should have alerted NRC or the utility to the potential for such an accident? If so, how was information about these events handled, who knew about it, and why wasn't appropriate action taken?
3.1
[ Reserved]
3.2 Davis-Besse, September 24, 1977.
3.3 Pebble Springs ACRS Question 6, November 21, 1977.
3.4 Michelson Report, January 1978.
3.5 No'ak/ Israel memorandum, January 10, 1978.
3.6 Rancho Seco, March 20, 1978.
3.7 Sternberg memo, March 31, 1978.
3.8 Creswell memorandum, January 8, 1979.
3.9 Creswell matter, February 14, 1979 meeting I&E with B&W at Lynchburg.
3.10 Babcock & Wilcox employees Statements of J. J. Kelly, B. Dunn, and re 9/24/77 Davis-Besse event.
others before President's Comission on 7/18/79.
3.11 Control Room Design General Advisory Comission, WASH-1260, Inadequacies.
and others.
3.12 Failure rate of PORV's.
3.13 Were there any precursor events or hints of problems in the operating history to TMI-2? What was experience with prior turbine trips? Loss of feedwater?
E.g., TMI-2 reactor trip of April 23, 1978.
3.14 Were there recomendations arising out of previous accident experiences that were not carried out, and that might have helped prevent or ameliorate this accident?
(E.g., any lessons from the Browns Ferry fire, such as identified lack of lead responsibility for coping with the accident)?
3.15 If precursor events went unheeded, what conclusions can be drawn concern-ing NRC's and the industry's failure to evaluate prior operating experi-ence (for example, possible NRC failure to analyze and act upon LER's) l in a manner sufficient to identify safety problems and cure them?
l l
l
. If the NRC's performance in this brea has been deficient, can we identify reasons why is has been?
4.
Were any specific regulatory requirements, technical specifications, equipment standards, or safety procedures that could or should have been applied to TMI-2 but were not, which might have prevented or ameliorated the accident?
NOTE: This section ney overlap to sone extent with Section 2 on design deficiencies, since presumably identification of a design deficiency might have led to instituting a new regulatory requirement or specific safety procedure, to deal with it. However, the main intent of this section is
~
to focus on relatively concrete, detailed specific items:
if equipment failed, does that show that it should have been required to be safety grade? Would better shift turn-over procedures have prevented the accident? Would inclusion in the tech specs requirements for actuation (alarm) upon certain specific evt nts have helped? The section also looks at a set of possible reasons why such requirements weren't in place:
grandf athering; granting of any exemptions to TMI-2; etc.
4.1 Were NRC 's ec uipment standards adequate? NRC's standards for vendor or utility QA Programs?
4.1.1 Did the failure of equipment contribute to the accident?
4.1.2 What were NRC's requirements for such equipment?
Should the requirement have been higher?
If so, what
' conclusions can be drawn about why the regulatory process did not work to impose stricter requirements.
4 NOTE:
In section 4.1.2 we will need a discussion of the concept of " safety" as opposed to "non-safety" equipment, and how valid the distinction is.
4.1.3 To what extent can equipment failure be traced to defects in the quality assurance program of the vendor? How doe: the NRC oversee or regulate quality assurance? Can we drew any conclusions from equipment failure in this accident as to whether such regulations are adequate?
4.1.4 Did equipment perform above specifications and expectations that turned out to be essential to the mitigation of the accident?
O
. procedures that were not requirsd by the Were there any 4.2 NRC that might have prevented or aneliorated the accident?
What follows is an illustrative list only; for the next draf t of this outline, we will need a more accurate, r0spre-hensive list of any and all procedures we can n9w 'oentify that might have been deficient and that might warrant attention and/or discussion in our Report:
4.2.1 Shif t turn-over procedures.
4.2.2 Checklists and sign-off procedures for surveillance of routine naintenance.
4.2.3 Better procedures for responding to certain acci-dent situations.
4.2.4 Health physics procedures or requirements. SEE ALSO 5.2 BELOW.
4.2.5 Etc.?
4.3 Were newer plants subject to requirenents (e.g., under the standard safety review plan, adopted after TMI-2 was re-viewed) that udght have had an impact on this accident?
If so, what conclusions can be drawn about NRC s " grand-f athering" approach to safety and about the " ratchet" mechanism NRC uses to implement that approach.
NOTE:
In section 4.3 we will need a factual description of how the ratchet process works and how decisiont whether to retro; fit are usually made.
Were there any specific exemptions or amendments granted to 4.4 TMI-2 by NRC that had an impact on the accident ? Tech spec exemptions from certain clean-up and air-handling systems requirements.
4.5 Were there any new research projects or projected standards not yet implemented that might have made a difference?
Were any specific issues raised and contested in the licensing 4.6 process that might have made an impact?
1
.m m
. 4.6.1 Adequacy of radiological monitoring, Contention 6 in the OL 1
proceedings.
4.6.2 Adequacy of the evacuation plan and communications. Contention 8 in the OL proceedings.
4.6.3 We are looking for possible issues in the following areas:
1.
Small break analyses.
2.
Feedwater failures.
I 3.
Auxiliary feedwater safety standards, control by ICS.
4.
Natural circula'. ion - confirmatory testing.
5.
ECCS analyses mod'fications.
6.
Environme.tal qualification of electrical equipment and instrumcntation.
7.
Management organiza tion of applicant.
8.
Cause and likely course of accidents - need for additional ccpability to evaluate in order to provide bases for decisions on offsite emergency measures. (Generic ACRS concern.)
9.
Steam generator instrumentation.
- 10. Design and procedures to prefeet inadvertent disabling of certain engineered safety system compo ents.
4.7 Should the need for these additional standards o procedures have been foreseen? If so, why weren't they implemented before? Is this attributable to failings in the NRC licensing and review process? To utility management?
To the vendor?
5.
Did any deficiencies in the status or condition of the plant -- whether or not they constituted " violations" of the license or NRC regulatior.s -- contribute to the accident and/or releases of radiation and exposures o'/ on-site personnel?
NOTE: To some extent this section will overlap with both ? and 4.
- However, it is the intent of this section to ask whether, even asstming the design was adequate and regulations were adequate, there were condit.ons in the plant that did not meet the regulatory requirements, or leaks or other conditions that simply were never intended to be covered by NRC regulations (or were within regs) that in hindsight contributed to the accident.
Of course, the existence of any such conditions might support a conclusion that stricter requirements should have been in place to prevent the conditions, thus putting such conditions into Section 4, rather than this section.
i
.e
. Physical deficiencies. The list that follows is not meant to suggest 5.1 any conclusions, but is illustrative; for the next draft of this 4
Outline, we.need a more accurate list of the items that might fall
'under this category:
5.1.1 Clogged condensate polisher.
5.1.2 Block valves for auxiliary feedwater closed at start of accident.
5.1.3 Leaks in make-up and let-down system.
5.1.4 Clogged filters on make-up systems pumps.
5.2 Inadequacies in the health physics program.
5.2.1 Management
- Apparent conflict between operations and health physics.
- Personnel dosimetry control (incl. issue and reading).
- Maintenance of logs and survey data during emergency.
- Repair and maintenance of instrumentation (over 50% of portable instrumentation was unavailable of 28 March 1979).
5.2.2 Training
- No formal radiological protection training.
- No formal training for some in emergency, monitoring equipment (SAM-IIs).
- Training records (records indicate training received, individuals indicate training not received).
- No follow-up critique of drills with technicians participating.
- Qualifications.
5.2.3 Instrumentation
- Portable instruments out-of-service (more than 50%).
- ARMS not in service.
- Emergency kits not maintained properly (2 out of 4 kits inoperable on 3/28).
- Only small number of high range pocket dosimeter s.
- Isotopic analysis capability was lost early in accident.
l
- No extremity dosimeters available.
- No lapel air samplers available.
. 5.2.4 Procedures (certain procedures were not followed during' emergency).
- RWPs not utilized during first three-four days of emergency.
- Access control to high radiation areas inadequate.
- Limited and inadequate preplanning of work in high radiation areas.
- Inadequate documentation of personnel contamination.
- Incomplete or improper personnel decontamination.
- Untrained personnel performing frisking and decontamination.
- No surveys made or air samples taken before entry to do work in high radiation areas.
- Incomplete records of surveys, entries, etc.
- Bioassays not completed in timely manner.
- Improper frisking technique (no thyroid or chest measurements).
5.2.5 Personnel Dosimetry.
- Control poor.
- Training in use of TLD reader not formal.
- Dosimetry records incomplete.
- Overall quality assurance.
- Operator on duty 40 hours4.62963e-4 days <br />0.0111 hours <br />6.613757e-5 weeks <br />1.522e-5 months <br />.
i 5.2.6 Equipment.
- No iodine cannisters for respirators.
l
- Insufficient number of Scott-Air packs.
- Breathing air compressor incapacitated due to high in-plant radiation.
- Inadequate personnel decontamination facilities.
- Suitability of H.P. equipment for actual or intended purpose.
- Insufficient quantities of certain anti-C. apparel.
- Inadequate and improper decontamination of respiratory equipment.
. 5.3 Insofar as any deficiencies are identified in the above sections, do these deficiencies indicate:
5.3.1 Violations of regulations?
5.3.2 Inadequate NRC inspection or enforcement?
5.3.3 Inadequate NRC standards and requirements? (If so, then this would be an overlap with section 4, above.)
5.3.4 Inadequate maintenance by the utility?
5.3.5 Inadequate procedures by the utility?
5.3.6 Poor manufacture or quality control by the manu-facturer? (If so, this would raisequestions set forth in 4.1 above).
5.3.7 To what extent do any deficiencies result from the utility being permitted to cut safety corners in order to rush the plant into " commercial operation" by the end of 1978.
Specifically, what tax, rate or other ad-vantages accrued to the utility from going commercial on the last day of 1978, if any, and what efforts were made to meet this dead-line?
6.
What role did operator involvement (and supervisory management of the operators) play in the accident? SEE ALSO APPENDIX A.
- - - -NOTE:In this section, the operators and their involvement in the accident will be discussed. This will include operator training, crew selection, operator qualifi-cation, etc, as well as the effects of crew shif t, fatique and so on. The following is a list of questions that rey have to be addressed at one or another points during this inquiry.
NOTE: There is potential for overlap between this section and the portion of section 2 that deals with inadequate design for human error and inadequate instrumentation.
There is also potential for overlap between this section and section 4, insofar as 4 deals with inadequate require-ments (which arguably could include inadequate requirements for training, operator qualification, etc.) and inadequate procedures (which arguably include procedures to guard against operator error).
I
. It is our tentative intention to try to use this section 6 to deal as nuch as possible with all of the questions relating to the operators' role: 1.e., to identify and discuss deficiencies relating to operator qualification, operator education, operator training, operator licensing, requirements for control room nanning, crew conplements, how shift crews are selected and rotated, role of engineers in the control room, the need for nore specific operating procedures or manuals in the event of various accidents or transients.
We will try to use the design deficiency section (section 2) to talk about inadequate instru-mentation, inadequate control room design, and lack of human factors engineering.
We will see how this division of attention works as we go along.
6.1 Did operator error contribute to the accident?
If so, at what points, and why were those errors made as best we can determine?
6.2 Did the operators have insufficient instrumentation to make the correct decisions?
6.3 bid the operators have sufficient information but fail to obtain it, or fail to rely on or believe it if they obtained it? Why?
6.4 Are qualifications for operators sufficient?
6.4.1 Describe educational qualifications, licensing procedure and requirementsfor reactor operators.
Describe type of person who usually serves in an operator position.
6.4.2 Are these requirements sufficient to reasonably assure that an operator will have the ability to run a plant safely? If not, why not?
6.5 Was operator training sufficient?
- 6. 5.1 Describe training requirements and actual training, generally and in the case of these operators.
6.5.2 Was the training adequate to permit response to this emergency situation? Did the operators in fact follow their training?
If so, with what results?
If training was inadequate, what inprovements or changes might have been nede that would have pre-vented or ameliorated the accident?
6.6 Were there adequateprocedures in the control room for this l
kind of accident? What procedures, if any, were followed?
l
6.7 Should additional technical expertise be regularly in control rooms?
Among questions to be addressed here might be: What is the existing philosophy of operator responsibility in controlling the plant? Does it place an undue burden on the operators? What role do supervisors play? Should there have been a highly qualified engineer available on this shift -- i.e., would that have made a difference? Should reach shift have a " reactor captain," or highly qualified engineer such as suggested by the Lessons Learned Task Force of NRR? Should such expertise be provided by the utility? The NRC? Is one such person at each reactor, or on each shift, enough? What is the relation-ship between this suggestion and the suggestion that an NRC inspector should be permanently assigned to every plant?
6.8 Did the operators rely insufficiently on automatic systems?
6.9 Is there evidence that lack of understanding of the control room or features of the control room played a role in the accident?
(This overlaps with portions of section 2, above.)
6.10 Did the physical and mental conditions of the operators play a role in any identified human error?
(Questions to be asked may include how long the shift had been together, how many days they had worked previously, whether there were enough men on shift, the time of the accident, whether the shift worked together well, whether individuals were physically or mentally fatigued, whether outside influences (family financial, company problems) may have contributed adversely to their conditions, whether any were under unusual stress situations or reacted poorly to stress.
6.11 How good was this shift?
6.12 What was the response of other shifts to various transients?
l i
i
. 7.
Was the planning and response of the NRC for such an accident adequate?
7.1 NRC 's response plan and planning.
What equip-ment, etc. was actually in place.
What is the NRC 's anticipated role in an accident?
7.2 Summarize briefly the actual response of the NRC which will have been set forth in detail ir, the narrative in Section 1.
7.3 Was the NRC 's plan followed?
7.4 How effective and helpful was the responsel Evaluate the usefulness of each NRC conponent listed in Section 1.
7.5 How effective was NRC in coordinating with other federal agencies? The state? The utility?
7.6 Identify reasons, if any, for lack of more effec-tive NRC role.
Suggested possibilities are listed below for feedback:
7.6.1 Inadequate legislature authority?
7.6.2 Lack of manpower?
7.6.3 Poor convend and control, poor nanagement?
7.6.4 Poor communications?
7.6.5 Inadequate technical resources?
i 7.6.6 Poor planning?
7.6.7 Poor coordination with utility? With the state? Other federal agencies?
7.6.8 Poor coordination with State or other federal agencies?
O
. 7.7 In light of the above, how adequate was WRC's planning?
7.8 What should NRC 's role be in an accident and how can it plan correctly to fulfill that role?
E.g., can NRC "take over" a plant? Does a SWAT team make sense? What are the lessons from prior accidents, as well as from TMI-27 8.
Was the utility's response to the accident adequate?
8.1 Describe the utility's plan. Equipment in place, training, etc. Did it meet NRC requirements, if any?
8.2 Summarize actual response from narrative above.
8.3 Was the plan followed?
8.4 How effective was the response?
What factors prevented the response from being 8.5 more effective?
8.6 Evaluate the planning in light of 8.4, above.
NOTE: Aspects of the utility s response that might be considered include:
(a)
Initial operating crew.
I (b) Alerting State, NRC, plant.
i (c) Contacting superiors.
~
(d) Management hy Upper-level Co. personnel.
(e) Use of technical back-up.
(f) Role in informing NRC, State, other agencies.
1 (g) Role in informing public.
8.7 Are any new NRC requirements for utility emergency planning indicated?
. 9.
What was the response of other federal agencies and the state?
9.1 Describe state authority.
9.2 Describe the roles anticipated for other federal agencies.
9.3 Describe analytically and evaluate the roles the state and other federal agencies actually played.
(Some overlap on evacuation with Section 1 and Section 10.)
9.4 Describe the White House role.
9.5 Analyze the question of whether NRC made the best use of these other resources.
9.6 What ought the role of the state and other federal agencies be in an accident situation, and how should the NRC utilize them and coor-dinate with them?
9.7 Since effective emergency planning and response will continue to require the participation of many organizations at the local, state and federal levels, is there any weakness in the present authority and responsibility for funding, organizing, testing and performing the response function?
l 9.8 Did the TMI accident reveal any generic weaknesses in coordination, monitoring, radiation protection, or providing public services that could be effectively improved by better planning, better communica-tions, or expanded resources?
9.9 What role did the existing Preventive Protective Action Guides (PAGs) play in the TMI accident, and what, if any, problems existed in this area?
9.10 To what degree were the perceptions of risk altered during TMI?
Would extensive education on the basis of each PAG likely minimize I
this change?
- 10. Was the public adequately informed as to (1) the dangers and potential l
dangers involved in the accident, (2) releases, and (3) the likelihood of l
evacuation, and actual implementation of evacuation? The state? Congress?
Other agencies?
NOTE: There will be some overlap between this section and Sections 1 and 9.
10.1 Was this due to conscious decisions or rather to negligence, poor coordination, or lack of reliable information on the part of those communicating with the public?
10.2 With respect to the monitoring of releases, whose responsibility was this, was there adequate planning, who did the monitoring, who was supposed to collate the information, how was this actually done, who comunicated release information to the public, and how accurate was it?
. 10.3 What improvements are necessary to improve monitoring of releases, analysis of data and coninunication of that data in future accidents (planning, roles of various agencies; equipment; coordination, and command and control; backup resources for analysis)?
10.4 Should there have been a complete evacuation? Was the evacuation advisory an unnecessary decision? Was the action that was taken decided in a rational way? Was it implemented effectively? Was planning for it adequate? How should such decisions be made and implemented? How should they be planned for?
10.5 In general, were intergovernmental communications adequate and as planned?
10.6 Was there a significant problem with regard to multiple sources of information regarding the accident?
10.7 Was the information provided reasonably representative of the plant status?
10.8 Were there any other problems identified with the adequate dissemina-tion of information to the media (and thus to the public)?
10.9 Were any of the above problems improved or made worse after March 30?
10.10 What is the proper role for local officials? The state? The utility?
11.
Do the events surrounding the Three Mile Island accident raise any questions or suggest any generalizations as to whether our present institutional approach to the safe delivery of consnercial nuclear power, in which the public has apparently put its faith to date, is indeed adequate?
NOTE:
Possible generalizations or questions that might be drawn from the facts as they emerge are listed below. This list is illustrative only; it is intended to stimulate thinking about the types of questions we may want to discuss in our Report, even if we cannot resolve them but can only highlight them as issues:
11.1 Does the system of placing primary responsibility for safety on the utility, which typically has the least expertise (compared to the j
vendor and the NRC), make sense?
l l
What conclusions can be drawn about the NRC's basic philosophy of 11.2 setting design goals and letting the vendor develop a design to meet those goals? This raises the question of standardization and of i
greater regulatory involvement in design.
9 1 11.3 Are there institutional aspects of the NRC itself that tend to inhibit its fulfillment of its statutory responsibilities? For example, do any of the factors listed below play a significant role? Are there other factors we should consider?
11.3.1 The history of NRC's creation from the AEC, and the AEC's traditional promotional role, 11.3.2 The Commission form of regulation. Compare the NRC to other agencies in which regulation of economic behavior is done by Commission (ICC, FTC, CAB, SEC) but the protection of the public health and safety is committed to single-Administration groups (FDA, EPA, FAA, MHSA, OSHA).
11.3.3 Does the autonomy of the various offices within the NRC, including possible lack of coordination, competition, mistrust, etc., hamper the Commission's work?
11.3.4 Is the Commission plagued by poor central management?
11.3.5 Does the Commission have inadequate staff?
11.3.6 Does physical separation of the offices hinder the work?
11.3.7 Is the inspection and enforcement philosophy adequate?
Is the application of this philosophy adequate?
11.4 Does the Commission have its priorities wrong? Does it spend too little time and attention on safety? Too much on trivia? Does it fail to emphasize safety enough?
11.5 Can any conclusions be drawn concerning the effectiveness of the two-stage licensing procedure?
III. RECOMMENDATIONS
- 12. Conclusions. Can we hope to identify or assign a relatively few " primary" or " root" causes of the accident?
13.
Issues that warrant further study.
- 14. Recommendations.
l l
HUMAN FACTORS EVALUATION OF C0'NTROL ROOM DESIGN AND OPERATOR PERFORMANCE AT TMI-2 I.
Background
Following the accident at Three Mile Island Unit No. 2, the Commission established a Special Inquiry to assure that the NRC will have the fullest possible understanding of the events at Three Mile Island. The purpose of that evaluation is to take whatever further steps may be necessary to prevent any similar accident in the future. A major area of investigation by the Special Inquiry is the response of the operating personnel to the events.
Specifically, the Inquiry must determine to what extent the control room design, operator training and selection, operator performance, and other factors, significantly influenced the sequence of events.
The work scope described below is essential to the completion of this objective.
II.
Special Inquiry Group Tasks A.
Operatorsl/
o Examine background and experience prior to Met Ed employment o Determine educational background o Identify NRC requirements for selection o Identify Met Ed requirements for selection o Identify application of selection requirements to operators o
Identify NRC training requirements o
Identify Met Ed training program / requirements o Determine formal training of TMI-2 operators Curriculum l
Lecture training
(
Simulator training i
Instructor background Performance of trainee Recurring training 1[0perators include:
CR operators, CR supervisors, plant auxiliary operators (Maint. Personnel) and appropriate management personnel.
APPENDIX A, PAGE 1
. o Determine on job training for operators Duration Formality of program Capabilityofinstructor(s)
Performance of trainee o Evaluate training program
~
Other utilities' programs Comparison with Met Ed o NRC Licensing Requirements Performance of operators in meeting requirements (test results, etc.)
o Actions / Inactions before the accident Identify critical system malfunctions / misalignments Identify human factors involvement in system malfunctions Determine when and how recognition of malfunction was achieved Determine when and how correction of the malfunctions was achieved o Actions / Inactions during accident Determine detailed sequence of events Identify significant operator actions / inactions B.
Precursors related to Human Factors o Identify significant precursors that could have impacted TMI-2 Determine the response to each of these significant precursors o
For each precursor, determine what information was gained /should o
have been gained o Determine what information feedback was utilized To update training l
To update procedures i
To update plant To update control room Other l
, APPENDIX A, PAGE 2 l
. I Compare emphasis on precursor events by Met Ed and other o
utilities C.
Control Room Design Identify NRC regulations and regulatory guides o
Identify published standards and recommended practices of o
other organizations Identify the criteria utilized in TMI-2 CR design o
Identify the CR design philosophy o
NRC philosophy Met Ed philosophy Vendor philosophy
-- Architect / Engineer philosophy
- o Determine the dominant influence on TMI-2 CR design
- o Evaluate the conformance of CR design to human engineering principles Compare design process to that utilized in other CR's of
- o the same vintage
- o Evaluate the humar. factors considerations utilized in design of critical systems, controls and procedures Compare CR design (from a human factors viewpoint) with designs
- o of other complex man / machine systems NASA D0D Chemical Industry Nuclear Navy D.
Plant Design a Control (outside CR) i Identify NRC requirements for plant design and control o
related to human factors l
Reactor and secondary system 1
Identify Met Ed influence on design o
- These evaluations are to be performed in conjunction with the contractor.
APPENDIX A, PAGE 3
i e For plant control other than CR, determine o
Human factors application Communication Signals in CR E.
Procedures Determine process for development of emergency procedures o
By whom Review and/or approval Update in light of precursors Evaluate effectiveness in time of emergency o
'o Evaluate effectiveness in TMI-2 accident Evaluate operators' use of procedures o
Excmine need for simplification of procedures o
F.
- Evaluate,in conjunction with contractor, the adequacy of the following, particularly as they related to the accident:
o NRC requirements Met Ed & their contractors and vendors in applying human o
factors principles Operator selection and training o
o Control room design o Feedback of information from precursors o Plant design o Emergency procedures
- These evaluations are to be performed in conjunction with the contractor.
APPENDIX A, PAGE 4