ML20040A317
| ML20040A317 | |
| Person / Time | |
|---|---|
| Site: | Summer |
| Issue date: | 12/22/1981 |
| From: | Medeiros M NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| To: | Disalvo R, Norberg J NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| Shared Package | |
| ML20040A310 | List: |
| References | |
| NUDOCS 8201200754 | |
Text
December 22, 1981
Report of Trip
Date:
December 17 and 18, 1981
Place:
Virgil C. Summer Site, Jenkinsville, South Carolina
Subject:
Review of Operating Procedures
Person Traveling:
M. S. Medeiros, Jr., Office of Nuclear Regulatory Research
Persons Visited:
K. W. Woodward, Supervisor of Operations, South Carolina Electric and Gas Company, Jenkinsville, South Carolina
J. Skolds, NRC Resident Inspector, Summer Site, Jenkinsville, South Carolina
Purpose:
The purpose of this trip was to gain first-hand knowledge of operating procedure preparation and use so as to better scope and direct Agency research in support of NRR's human factors research program for upgrading operating procedures.
Background:
After the Three Mile Island accident, the Nuclear Regulatory Commission published NUREG-0660, "NRC Action Plan Developed as a Result of the TMI-2 Accident," to provide a comprehensive and integrated plan for all actions judged by the NRC to be necessary to correct or improve regulation and operation of nuclear facilities.
In particular, NUREG-0660 action plan item I.C.1 requires a short-term accident analysis and procedures revision program for emergency operating procedures, and action plan item I.C.9 requires a long-term program for upgrading all operating procedures stating that "significant industry efforts will be required in the area of plant procedures upgrading."
Activity reflecting action plan item I.C.1 is underway.
For example, NUREG-0799, "Draft Criteria for Preparation of Emergency Operating Procedures", published for public comment in June, 1981, provides style and format guidance for preparing emergency operating procedures.
In parallel with NUREG-0799 activity, the Institute for Nuclear Power Operations (INPO) is writing more detailed style and format guidance, and the nuclear steam supply system (NSSS) vendors are writing technical guidelines to be used in conjunction with style and format guidance for preparing emergency operating procedures.
However, at the present time, little activity is underway in connection with action plan item I.C.9 which addresses the large majority of a plant's operating procedures, the non-emergency operating procedures governing normal operation, maintenance, testing, etc.
It was this area of non-emergency operating procedures that was of primary interest during the trip.
Summary
The main observation made during the trip was that operating procedures are very crude from both a style-format-editorial standpoint and a technical standpoint.
Procedure preparation and presentation are so inept that vagueness, ambiguity, unintelligibility, and error are common.
As a result, these procedures appear to invite operator error.
Furthermore, the procedures are so poorly written that, without first performing a major upgrading, it appears the procedures would be as much a hindrance as a help in related work areas such as control room design review and operator training.
Although published management policies for procedure preparation, review, approval, and use appear adequate, the actual products do not exhibit the results of management followup and attention to quality that must form a basis for operating excellence.
The observations made during this trip are particularly disturbing because, even without a detailed knowledge of the plant's design and even without consulting system diagrams and descriptive text for thorough technical review, a significant number of deficiencies were evident to the reviewer.
This suggests that an enormous amount of detailed technical and editorial direction, and upgrading must be accomplished before currently planned studies aimed toward procedure refinements and optimization have any practical meaning.
Discussion
Unless one can show that operating procedures are complied with to a high degree, one has little basis to claim that a plant is being operated safely.
A policy of compliance with procedures is an essential element of management which assures that a utility has the needed control of operations and is able to demonstrate it.
Furthermore, operator attitude toward adherence to procedures reflects a utility management perspective for safety of operations.
Current research activity in support of upgrading operating procedures is focused toward gathering sufficient information to draft a proposed regulation and supporting regulatory guides having two aims.
These aims are to assure that well-thought-out, step-by-step, approved and validated operating procedures exist in each operating plant, and that operating procedures are prepared so that specified evolutions can be performed in strict compliance with the procedures so as to prevent incidents that can lead to accidents.
In addition, cost-benefit data based on quantifying reductions in operator error rate from use of the upgraded procedures, and based on risk assessment methods, will be developed to confirm the adequacy of these new regulatory requirements. However, to the extent that procedures reviewed during this trip are representative of procedures in use generally at operating plants, a considerable amount of ordinary technical writing must be accomplished before operating procedure improvement programs can profit from research.
In view of the Agency emphasis on emergency operating procedures, Enclosures (1) and (2) have been prepared to delineate examples of specific deficiencies found during in-plant review of two emergency operating procedures.
Similar examples could be prepared from the in-plant review of non-emergency operating procedures, which appeared to be even more in need of upgrading than the emergency operating procedures.
Enclosure (3), prepared from earlier work, provides a list of commonly observed deficiencies, many of which were evident during this review.
The following general observations were made during this trip:
The operating procedures are artless from both an editorial and a technical standpoint.
Sentence construction and punctuation shows little skill; sentence fragments compound the problem.
Abbreviations are used excessively and inconsistently; capitalization is inconsistent.
Directions provided are often vague and ambiguous and sometimes unintelligible.
Procedure format is difficult to follow and does not permit rapid location of information.
Typical of the skill-less preparation is a glossary which attempts to guide the reader through the inordinate number of abbreviations but does this in a random order rather than in an alphabetical order.
There is little, if any, consistency in the meaning and use of "must", "may not", "should", "must not", "shall" and "will".
Confusion abounds.
Seemingly stringent elapsed time specifications have no corresponding time measuring requirements or specification tolerances.
A parameter was specified for observation in the control room that was not observable in the control room.
(Deficiency was being corrected.)
The operator is required to make calculations for which the input data is not available.
(Deficiency was being corrected at time of this review.)
Meaningless generalities such as "care should be exercised", "if desired", and "any significant change" are sprinkled throughout the procedures.
Within the same steps, different terms (e.g. card vs. tag and bumped vs. started) are confusingly used to mean identical actions.
Precautions involving reactor coolant temperature have been listed in random sequence (e.g. 350°F, 145°F, 200°F, 160°F) instead of in the natural sequence of temperature change.
The word "will", meaning the result of an automatic system feature, is used interchangeably, and therefore confusingly, with "will", meaning the operator shall take action.
The same deficiency exists with use of the word "should" and a similar inadequacy is evident in several instances where "should not exceed" is really meant to be "shall not be allowed to exceed", and "the maximum" is really meant to be "the maximum allowable".
The emergency operating procedures exhibit the same clumsy form and deficient content as the normal operating procedures.
Enclosures (1) and (2) contain specific examples of the foregoing and other deficiencies observed during this trip.
Other:
The senior person contacted was J. W. Woodward, Supervisor of Operations, who was apprised of the purpose and background of the trip and who was provided a detailed trip agenda prior to the start of procedure review.
M. S. Medeiros, Jr.
Enclosures:
1. Examples of Editorial and Technical Deficiencies (EOP-2)
2. Examples of Editorial and Technical Deficiencies (EOP-5)
3. Commonly Observed Deficiencies in Operating Procedures
cc:
J. Skolds, IE
W. Kane, NRR
V. Brownlee, IE Reg. II
K. Woodward, SCE&GC
Enclosure (1):
Examples of Editorial and Technical Deficiencies
Emergency Operating Procedure EOP-2, Main Steam Line or Feedwater Line Break, (Revision 1, Dated November 4, 1980)
Editorial Deficiencies
1. The first two pages of this emergency procedure have been devoted to the non-emergency matters of references, a glossary and a table of abbreviations.
2. Section 2.1.8 makes little sense listing the feedwater system as a reference.
3. Section 2.2.1, which consists of a five-line phrase, is vague. Furthermore, the words "...line rupture --- lower bounded by those signs..." make little sense.
4. The procedure contains an inordinate number of abbreviations especially in view of the ample blank space generally existing at the end of steps. Furthermore, some abbreviations that are used in the text are not listed in the more-than-one-page list of abbreviations. In related procedures, some abbreviations are listed in a manner different from that used in the text (e.g. SG vs. S/G).
5. There is little consistency in the use of abbreviations and punctuations. For example, step 3.6 starts with "RB" while step 3.7 starts with "Reactor Building"; step 4.7 uses both "S.I." and "Safety Injection".
6. Writing is so cryptic and so artless that many readings of an emergency step are necessary to even guess at the step's meaning. For example, "... low / low-low level alarm"; "... signal low block heaters isolate letdown alarm"; "...from 2/3 steam headers..."; "...from 2/3 RCS loops..."; ".. 25% S/G level in the narrow range."; ".. 25% narrow range span.";
7. There is little consistency in using phrases in lieu of using sentences to specify symptoms and actions.
8. The caution note accompanying step 5.6 should precede the step, not follow it.
9. The confusing "and/or" connective is used where "or" is meant, where "and" is meant, and where "or both" is meant.
10. Unexplained blank lines appear throughout the procedure, apparently for signatures. No statement is made in the procedure as to what such signatures might mean in terms of actual performance, observation, or hearsay.
11. A note between steps 6.4 and 6.4.1 concludes "...this step may be omitted" but the note is ambiguous as to which step it applies to.
12. Step 6.4.1.B starts with the unintelligible phrase: "Place all EF isolation..." and ends with a cryptic table of letters and numbers. A clear, easy-to-understand command could be given with the same amount of text or less.
13. Step 6.4.3 mixes two separate actions into one step. Furthermore, because "controller" should be "controllers," it is not clear that the cryptic table following step 6.4.3 is related to step 6.4.3.
14. A typical, poorly written, clumsy step that should be rewritten in plain English is step 6.5.2 which states: "Place all EF isolation from the turbine driven pump to S/G's and EF isolation from motor driven pump to S/G's valves (6 valves), to the respective S/G, in the MANUAL position."
15. The incorrectly-punctuated, two-line, sentence fragment (with undefined abbreviation), which comprises step 6.7.3, is unintelligible, technically.
16. Many steps have multi-line redundant headings which generate confusion and add an unnecessary layer of numbering to an already cumbersome presentation.
17. Extraneous punctuation and missing punctuation make many steps ambiguous or change their meanings entirely. Steps 6.8.2A and 6.9 are examples of this deficiency.
Technical Deficiencies
1. The emergency procedure contains a cumbersome list of 18 symptoms which appear to be ranked in no particular order. For example, symptom 2 mentions changes in feed pump speed and condensate pump flow which may or may not be observable if the operator happened to be looking at these instruments. Furthermore, one parameter is specified in gallons per minute but the panel meter is calibrated in pounds per hour. The list should be pared down to a more meaningful and manageable number.
2. The first immediate action step, step 5.1, starts: "Evaluate plant parameters..." which appears to be of little value since the parameters of interest are not mentioned.
3. Similarly, the third immediate action step, step 5.3, starts: "If time and conditions permit it..." but gives no clue as to what other duties, defined by procedure, training, management, etc., may be so important as to preclude compliance with this step.
4. Step 5.4 requires the operator to proceed to EOP-5, the Reactor Trip procedure, but does not state whether or not the remainder of EOP-2 is to be ignored or whether EOP-2 and EOP-5 should be performed in parallel.
5. Action required by step 6.4.2 was already required by immediate action step 5.5.
6. Alarm tile engravings unjustifiably suffer from the same ambiguities and excessive abbreviations that afflict the procedures (e.g. low / low-low level alarm).
7. In step 6.6, if feed flow is unavailable, it appears that the referenced procedure should be implemented by itself, not concurrently with EOP-2 as stated.
8. Step 6.7.1 appears to identify a design deficiency; automatic control should precede and prevent an alarm, not be triggered at the alarm point.
9. In step 6.8.10, two of the three valves have an incorrect component designation.
Enclosure (2):
Examples of Editorial and Technical Deficiencies
Emergency Operating Procedure EOP-5, Reactor Trip, (Revision 3, Dated October 22, 1981)
Editorial Deficiencies
1. The first page of this emergency procedure has been almost completely devoted to the non-emergency matters of references and a glossary of abbreviations.
2. The first listing under automatic actions, "Reactor trip", makes little sense since the emergency procedure is entitled "Reactor Trip". A more meaningful statement, such as "all rods drop into the core", should be made.
3. Action specified by step 5.1 is redundant to action specified by steps 5.1.1 and 5.1.4 and therefore only adds confusion and an unnecessary layer of numbering. Furthermore, the meaning of the "/" mark is undefined and unclear in this step.
4. Step 5.1.1.A is vague since it is not clear how the operator is to determine that the reactor is not tripped. It appears the writer means, "If the rods have not inserted:". A similar deficiency exists in step 5.1.1.A2).
5. Step 5.2 is awkwardly written to make ambiguous the intent of "IF NOT" (i.e. if not verify? or if not running?).
6. In step 6.7.1, "IF NOT RESET..." is really meant to be "IF NOT, RESET...".
7. Step 6.8 should identify the motor of interest and step 6.11 should specify what information should be given to the load dispatcher.
8. The note with step 6.19, "Test performed by I & C Technicians", contains no verb and therefore it is unclear whether the test "may be", "should be", "shall be" or "must be" performed by the I & C technicians.
9. The setpoint column of Attachment I contains numerous ambiguities (e.g. +_ Penalties; programmed; 4/4; +5%/2 Sec; etc) which detract from the usefulness of the table.
Technical Deficiencies
1. The "symptoms" section refers the operator to an attachment I for "any one of the 23 reactor trip first out annunciators". Attachment I lists 24 reactor trips, not 23. Furthermore, the attachment contains a distracting column of setpoints which are of little use in an emergency and which, in many cases, have been written unintelligibly.
2. The symptoms section fails to mention a rapid decrease in reactor power, or rod bottom lights being energized, as plant-specific parameters and events that are key symptoms of a reactor trip.
3. The command "Emergency borate 17 minutes (approximately 100 PPM)..." makes little sense technically since a differential rather than an absolute value is meant.
4. The recorder specified in step 5.1.3 is the same one specified in step 6.7, yet the component designations are different in the two steps; step 6.7 is in error.
5. Step 5.1.4 should specify what indication the operator should use to verify that the turbine has tripped.
6. Immediate action step 5.3 makes little technical sense when it requires the operator to: "Verify RCS temperature.....by operation of steam dumps."
7. Similarly, the apparent run-on-sentence of immediate action step 5.4: "Verify pressurizer level and pressure commence recovery from transient." makes little sense technically. Any pressurizer level and any pressurizer pressure would satisfy this command, and almost any action would meet the recovery statement, when, in fact, what is meant is that the operator should verify that pressurizer level and pressurizer pressure are returning to normal.
8. Step 5.4.A is of little additional help with its generalities: "If not recovering, evaluate conditions for safety injection symptoms. If necessary, safety inject...". Step 6.3.2 is similarly deficient.
9. Section 5.5 contains no contingency step similar to the contingency steps in sections 5.1.1 and 5.1.4 in spite of the fact that the likelihood of need is similar in all three sections.
10. Step 6.2, "Verify feedwater isolation at Tavg 564°F." is too cryptic to be understood consistently and is too restrictive to be performed reliably. The step should state clearly what automatic operations are to be observed, what manual action is to be taken, and with what degree of precision, (i.e. not at exactly 564°F) recognizing that a busy operator must tend multiple duties.
11. Similarly, step 6.3, "Verify Tavg at or approaching no-load value of 557°F.", is technically unintelligible. What does the command mean? What is the operator supposed to do? Why does it need to be done precisely at 557°F?
12. Step 6.3.1 starts: "If cooldown rate is uncontrolled..." but gives the operator no criteria or guidance to recognize this condition. If the intention is to prevent a restart accident in the event automatic steam dumping takes reactor temperature below a certain value, this fact should be stated rather than rely on the operator to guess.
13. Step 6.4.2.A cannot be performed with the information given since the panel meter is not calibrated in psig. Either a meter value, an equation or a calibration chart reference should be provided if the panel meter design cannot be improved to obviate the need for these crutches.
14. Step 6.14 action should be based on direction by the senior reactor operator rather than on the desires of the operator.
Enclosure (3):
Commonly Observed Deficiencies in Operating Procedures
Commonly observed deficiencies in operating procedures are the following:
1. too general; insufficient "what" and "how" information is provided to provide meaningful aid.
2. too verbose and cumbersome; narrative style is used in lieu of simple step-by-step format.
3. too detailed; the procedure ties the operator in knots and generates excessive number of changes.
4. incomplete technically.
5. incorrect technically.
6. steps are sequenced improperly.
7. known, uncorrected errors exist---a reflection of poor management.
8. informal, handwritten changes exist in the text.
9. poor format; difficult to follow.
10. all likely symptoms not identified.
11. does not state what to do if equipment is initially operating outside of the range specified in the procedure.
12. does not warn of likely conditions that could occur and should be avoided during procedure performance.
13. control actions seldom indicate the correct system response.
14. insufficient provision of contingency steps.
15. explanation embedded in instructional steps.
16. instructions embedded in explanatory notes.
17. cautions not placed ahead of action steps and in bold type.
18. specific control positions and indicator values not specified.
19. procedure nomenclature does not agree with equipment labels.
20. acceptance criteria and tolerances ambiguous.
21. no verification checks and signatures required.
22. too many abbreviations.
23. text not written at low enough grade level; should be approximately grade 5.
24. immediate action steps are primarily for economics rather than safety.
25. too many immediate action steps.
26. immediate action steps are too verbose.
27. too many actions specified per step.
28. too much referencing to other procedures.
29. poor readability of charts, graphs and figures.
30. work sheets are not provided or are inadequate.
31. apply to more than one unit at a site.
32. used for guidance only; no strict compliance.
33. the procedures have not been validated by actual performance or walk through before being adopted.
34. the procedures contain editorial deficiencies concerning items such as titling, page identification and typing.
OPERATING PROCEDURES THINKING PAPER
PURPOSE:
This paper discusses the operating procedure portion of nuclear plant operating excellence; lists some attributes of a properly designed operating procedures program, and identifies areas where action should be taken to expeditiously bring utility practice into line with a properly designed program.
BACKGROUND:
Since the Three Mile Island accident, several laboratory prepared/contractor prepared reports have been published advising the agency of action that should be taken to upgrade operating quality.
The value of this advice spans a broad range particularly in the operating procedures area.
Perhaps the most useful of the operating procedure-related reports---useful because it shows a working familiarity with the relationships among operators, procedures, equipment, training, operational data gathering and management---is NUREG/CR-1970, "Development of a Checklist for Evaluating Emergency Procedures Used in Nuclear Power Plants," published in May 1981.
This report is based on procedures from and visits to four operating plants and a simulator and summarizes operator performance with regard to the use of operating procedures. Other useful background information is contained in TEC Report R-81-004 "Analysis of the Operator's Role During the Onset of an Emergency"; NUREG/CR-1999 "Human Engineering Guidelines for use in Preparing Emergency Operating Procedures for Nuclear Power Plants"; and NUREG/CR-1977 "Guidelines for Preparing Emergency Procedures for Nuclear Power Plants."
DISCUSSION
Operating Procedure Types
Non-administrative-type operating procedures generally fall into one of the following four categories:
1. emergency operating procedures
2. alarm response procedures
3. routine operating procedures
4. maintenance and test procedures
To date, upgrading efforts have been applied almost exclusively to the first category, emergency operating procedures.
Little effective work is being done in the other three areas, seemingly because the emergency operating procedures are considered the most seriously deficient; the belief that the most important procedures from a regulatory view are those that aid the operator in responding to a plant casualty (akin to the agency's degraded-cooling/new-design-basis focus on risk reduction by mitigation of accident consequences rather than by accident prevention); and the judgement that upgrading routine operating procedures and maintenance procedures is an enormous task beyond the agency's current resource capability.
Without debating which procedures are the most important and therefore which should receive first attention, it is clear that the work being done for emergency operating procedures, as described in the various NUREG's, has applicability to the other types of operating procedures, including maintenance procedures.
For example, NUREG/CR-1970 provides a checklist for evaluating emergency procedures used in nuclear power plants.
Persons experienced in preparation, review, approval, use and revision of nuclear power plant procedures will recognize many features of the NUREG/CR-1970 checklist as applicable to normal operating procedures and maintenance procedures as well.
Using this common basis, we should be able to outline a model program of operating procedures; compare current NRC requirements and current utility practice to this model operating procedure program; and identify action necessary to upgrade the entire operating procedure program to the necessary level.
Current Industry Practice
Current industry practice varies from a policy of operating in strict literal compliance with procedures to a policy of operating with emergency procedures having known and uncorrected errors.
In some places, emergency procedures are viewed as not particularly relevant to coping with an emergency; the contents are regarded as unlikely to reflect the actual emergencies that are experienced and the procedures are used as guidelines only.
In other places, the policy of strict literal compliance is reported to be enforced for maintenance procedures as well as for operating procedures, even to the point of stopping maintenance to process a procedure change when an error is found.
Until procedures and actual practices at each operating plant are examined in detail, the full extent of operating procedure deficiencies can not be determined. However, sufficient information exists to support the need for a general upgrading of industry practice and NRC requirements in this area. In this connection, the Scinto Task Force, which was established to determine whether there was a sufficient regulatory base for the TMI Action Plan, recommended rulemaking for items related to procedures since these items have only a tenuous connection to existing regulations.
Table 1 contains examples of deficiencies in currently used operating procedures.
Current NRC Activity
As mentioned previously, current NRC activity in the operating procedure area is focused on emergency operating procedures.
Little effective upgrading activity is underway for alarm response procedures, routine operating procedures, or maintenance and test procedures even though TMI-2 Action Plan item I.C.9, Long Term Program for Upgrading of Procedures, is applicable to all these areas.
The emergency operating procedures work is attempting, in six steps, to replace as many as 50 event-oriented procedures now existing in some plants with approximately 10 symptom-oriented emergency operating procedures.
The six steps are as follows:
Step 1: NUREG-0799, Criteria for Preparing Emergency Operating Procedures (termed "guidelines"), has been prepared by NRR and contains primarily administrative and editorial guidelines to identify "...the elements necessary to prepare and implement a program of emergency operating procedures." Some parallel writing guide-type (format) work is being performed by INPO.
Step 2: In parallel with NUREG-0799 preparation, the four nuclear steam system suppliers (NSSS), General Electric, Westinghouse, Combustion Engineering and Babcock and Wilcox, are preparing four more detailed technical guidelines, one for each reactor plant design. These guidelines will receive a NRR technical review in the areas of systems, safety analysis and human factors.
Step 3: Using the applicable NSSS guidelines, some utilities may prepare plant-specific guidelines tailored to the parameters and equipment of specific plants. Any such guidelines will be reviewed by NRR human factors personnel.
Step 4: Using NSSS guidelines or plant-specific guidelines, or both, and NUREG-0799, individual emergency operating procedures will be prepared for each plant. Although NRR approval of the individual procedures is neither specified nor planned, some NRR review will take place in the course of review of an applicant's program.
Step 5: Utilities will verify the adequacy of individual procedures by performance, by walk-through, or by both, as appropriate. IE may assist the utility, informally, as part of IE's normal observance of plant activities, and NRR may observe selected verifications for feedback to the procedure upgrading program and to the control room review program.
Step 6: The procedures will be issued for use and will then become subject to formal IE scrutiny, on an audit basis, using detailed checklists being developed by IE.
From the foregoing, several observations can be made.
For example, there is no specific requirement for NRC approval of the final product, the emergency operating procedures.
Instead, the NRC will employ the weaker historic approach of reviewing generic guidelines and auditing the final product. Similarly, there is no stated intention to strengthen the regulations to avoid the weak position of trying to enforce "guidelines." Also, until the final product can be viewed, it is not clear that an adequate set of symptom-oriented procedures will be or can be much different from an adequate set of event-oriented procedures.
i.
Attributes cf a Procerly Designed Ocerating Procedures Program j
In addition to the detailed checklist of NUREG/CR-1970 and the more general i
)
guidance contained in various reference documents concerning what is meant by i
j a good procedure (e.g. see page 4 of NUREG/CR-1995 " Applications of Functional i
j Analysis to Nuclear Reactor Operations"), a properly designed operating procedure 4
j program must be based on several other practical considerations which, for various l
reasons, do not appear in the NUREGs that discuss operating procedures.
Some I
of these other prsctical and rundamental considerations are the followflg:
l 1.
Plants must be operated and maintained in accordance with written, approved l
procedures which have been formally issued and distributed for use.
i
~
?
7 2.
Strict compliance with approved procedures is absolutely essential for the safe operation of the plant.
3.
Personnel should not be allowed to give direction, guidance, recommenda-tions or clarifications which conflict with approved procedures.
4.
The responsibility for following approved procedures as they are written rests with the supervisor directing the work or evolution and with the individual performing the work or evolution.
5.
Any deviation from approved procedures must receive prior approval from the cognizant technical authority.
This policy is vital to the continued safe operation of the plant.
It forces proper technical engineering evaluation to be applied toward the solution of all problems.
It also ensures that decisions to deviate from existing standards are made by proper authority.
6.
The foregoing policy of compliance with procedures is an essential element of management which assures that the utility has the needed control of operations and is able to demonstrate it.
7.
Unless one can show that oparating procedures are complied with to a high degree, one has little basis to claim that plants are being operated safely.
8. If any lengthy routine task is performed without step-by-step reference to written procedures, errors of omission are very likely.
9. If properly prepared maintenance procedures and normal operating procedures are followed strictly, many incidents are prevented before they can lead to accidents.
10. For strict compliance with procedures to be practical, there must exist a stringent, formal and speedy correction mechanism to rectify errors, omissions, ambiguities and vagueness promptly when these problems are uncovered in procedure use.
11. Operator attitude toward procedure adherence reflects a utility management perspective for safety of operations.
12. Although no amount of instruction can compensate for deficient design, some procedures must be written to recognize design deficiencies that may be impractical to correct (e.g. a pressurizer that lacks sufficient volume to compensate for system shrinkage after a scram thus requiring use of a protection system for normal operation).
13. Just as no amount of instruction can compensate for deficient design, a procedures upgrading program is meaningless if we do not concurrently raise the level of operator understanding of his plant, since procedures can not be written for every eventuality. For safe operations, we must depend upon the operator to use his education and training to recognize when a procedure is not applicable, or is wrong for the evolution at hand. See the short article "Operational Excellence: One Facet", Attachment (1), for more detailed discussion of this point as it relates to emergency operating procedures.
14. There are no quick solutions or shortcuts to operating excellence, only painstaking, thorough, often mundane attention to detail. Interesting and seemingly pertinent scientific studies by contractors not familiar with nuclear power plants should not be allowed to become distractions that waste resources needed to upgrade today's primitive operating procedures. The lure of producing scientific cost-benefit models for refined choices has little place in correcting a basically management/engineering deficiency where there are no choices to be made between upgrading procedures, upgrading operator training, and upgrading maintenance information -- they all must be developed under tight formal control to improve quality.
15. Similarly, a one-time upgrading will have no lasting results. There must follow continual management reinforcement of operating excellence and continual NRC auditing of utility management commitment to operating excellence. Technical management in terms of generic "solutions" viewed complete when such "solutions" have been promulgated will not work.
16. Based on review of the work to date of outside organizations, the agency can not depend upon outside organizations to set a standard of operating procedure excellence for the utilities; we must do it ourselves.
17. In applying the foregoing considerations, one must recognize that operating excellence is the responsibility of the utilities, not the Government, but that there is little reason to believe the utilities will accept the costs associated with operating excellence without tough regulatory requirements or without a demonstration that the benefits will outweigh the costs.
Proposed Action Plan for Timely High-Quality Operating Procedures
1. As a necessary prerequisite to a meaningful procedure upgrading program, obtain general agreement in the NRC on the following essential features:
(a) Well-thought-out, step-by-step, approved and validated operating procedures (i.e., procedures for emergencies, abnormalities, normal operation, and maintenance) shall exist in each operating plant.
(b) Operating procedures shall be prepared so that specified evolutions can be performed in strict compliance with the procedures.
(c) Since adherence to normal operating and maintenance procedures prevents incidents that can lead to accidents, upgrading of normal operating and maintenance procedures should proceed in timely fashion in parallel with ongoing emergency operating procedure upgrading.
(d) The NRC must advance from the traditional guideline and audit type of regulatory approach to more active, direct involvement with operating procedures including publication of stringent regulations requiring high quality procedures and NRC review and approval of such procedures.
2. Agree upon reasonable limits for a detailed NRC review and approval program. There is need for considerable imagination and flexibility in setting up and conducting a procedures review and approval program in view of the enormity of the task, resulting from the lack of standardization that has been allowed in power plant design and operation and the dearth of agency personnel experienced in conducting detailed procedure reviews. Furthermore, some plants have thousands of operating procedures. Therefore, detailed and complete review and approval will be practical only for a small portion of the total number of plant procedures -- perhaps the emergency operating procedures (and the abnormal operating procedures where these are separate), the major normal operating procedures, and selected important maintenance procedures and alarm response procedures. Regulatory activity with regard to the remainder of the operating procedures would continue to center around the traditional guideline and audit approach.
3. From the numerous NUREGs that have been issued in the past year concerning operating procedures, assemble in the form of a Regulatory Guide, a composite list of necessary procedure attributes considered acceptable to the staff and base preliminary upgrading on this list.
4. With NRC management committed to the foregoing realistic and practical path to operating procedure excellence, conduct a scoping study to identify the resources that will be needed to upgrade operating procedures at all plants. Resource estimates for this very costly program will be needed not to choose whether to conduct the program or not, because there is no choice if operating excellence is the goal, but rather to more properly and completely package and defend an adequate program. Also, the scoping study should address features of a follow-on pilot project to review and approve a representative number of plants' procedures; how a pilot program should be structured; and how pilot plants should be picked to demonstrate the necessity and practicality of more stringent control of procedures.
5. Initiate proposed rulemaking with the following objectives:
(a) Define our concern
(b) Explain the problem to the public
(c) Lay out a proposed solution
(d) Provide the public and the regulated industry an opportunity to advise the NRC
(e) Use the response to the proposed rule to shape a final regulation
6. Initiate a pilot program to demonstrate the necessity and practicality of a rigorous operating procedure program. The pilot program should:
(a) Be managed by a group that is experienced in reviewing and approving procedures and can demonstrate a practical understanding of operating excellence.
(b) Establish the composition of the minimum size technical group that can adequately review and approve operating procedures.
(c) Establish the time and cost to complete the review and approval of one plant's worth of procedures, as defined in foregoing item 2.
7. Based on the pilot study and a new regulation, commence a long term (about five year) program of upgrading procedures, as defined in item 2, at all operating plants. Some considerations, in no particular order, might be:
(a) Attempt to understand the basis for each utility's historic management policies with regard to operating procedures and use this information, in conjunction with management needs to tailor the program to individual sites.
(b) The final review and approval program may fit in well with the IE resident inspector program as a tool to do two jobs with little more work than that needed to do one. For example, at a site with a resident inspector greatly knowledgeable of plant systems, and familiar with design documents, a one procedure-a-week type of detailed review over a period of about five years could mostly cover a plant's worth of important procedures as defined in item 2.
(c) The program will probably evidence the need for more and better drawings, schematic diagrams, and technical manuals, especially for understanding the systems and for maintenance.
(d) Research may be needed to optimize procedure improvements once correction of known major deficiencies is underway. See Attachment (2) for a brief status of current user requests for operating procedure research.
(e) A new office, AEOD, was born from eventually recognizing a similar, but no more urgent, element of operating excellence, operational data gathering and analysis. Surely the element of stringent procedural control warrants a similarly independent organizational entity---an entity with independence of perspective as well as with independence from conflicting priorities.
Table 1
OPERATING PROCEDURES
Specific Deficiencies Needing Correction
Commonly observed deficiencies in operating procedures are the following:
1. too general; insufficient "what" and "how" information is provided to provide meaningful aid.
2. too verbose and cumbersome; narrative style is used in lieu of simple step-by-step format.
3. too detailed; the procedure ties the operator in knots and generates excessive number of changes.
4. incomplete technically.
5. incorrect technically.
6. steps are sequenced improperly.
7. known, uncorrected errors exist---a reflection of poor management.
8. informal, handwritten changes exist in the text.
9. poor format; difficult to follow.
10. all likely symptoms not identified.
11. does not state what to do if equipment is initially operating outside of the range specified in the procedure.
12. does not warn of likely conditions that could occur and should be avoided during procedure performance.
13. control actions seldom indicate the correct system response.
14. insufficient provision of contingency steps.
15. explanation embedded in instructional steps.
16. instructions embedded in explanatory notes.
17. cautions not placed ahead of action steps and in bold type.
18. specific control positions and indicator values not specified.
19. procedure nomenclature does not agree with equipment labels.
20. acceptance criteria and tolerances ambiguous.
21. no verification checks and signatures required.
22. too many abbreviations.
23. text not written at low enough grade level; should be approximately grade 5.
24. immediate action steps are primarily for economics rather than safety.
25. too many immediate action steps.
26. immediate action steps are too verbose.
27. too many actions specified per step.
28. too much referencing to other procedures.
29. poor readability of charts, graphs and figures.
30. work sheets are not provided or are inadequate.
31. apply to more than one unit at a site.
32. used for guidance only; no strict compliance.
33. the procedures have not been validated by actual performance or walk through before being adopted.
34. the procedures contain editorial deficiencies concerning items such as titling, page identification and typing.
Attachment (1)
OPERATING EXCELLENCE: ONE FACET
Various documents concerning operating excellence refer to a practice of strict literal compliance with operating procedures. Critics almost always misunderstand the practice and therefore misrepresent it; clearly there is need for better understanding of the practice. Accordingly, the following thoughts are offered as a basis for requiring strict literal compliance with procedures.
Safe reactor plant operation must be built on a foundation of preventing accidents from happening. This foundation has several cornerstones including conservative design, independent design verification, high quality construction, thorough acceptance testing and competent operation. Lack of one or more of these cornerstones results in a low quality program. For example, unless independent engineering design review by technically competent personnel is the core of a technical agency's business, the agency will not have the base needed to make the myriad of technical judgments necessary to assure that plants are being operated safely.
Competent operation has several facets including availability of detailed technical information, extensive and intensive operator training based on such detailed technical information and aimed toward thorough understanding of plant operation, and rigorous adherence to carefully prepared, reviewed, and verified detailed operating procedures. Lack of one or more of these facets will result in poor operator performance and therefore a low quality program. For example, unless one can show that operating procedures are complied with to a high degree, one has little basis to claim that plants are being operated safely.
Strict literal compliance with procedures is part of an old-fashioned, common sense policy, fed by experience, that when well-thought-out-and-prepared procedures are followed rigorously during plant testing, plant maintenance, and other routine plant operations, then the probabilities of abnormalities and potential plant casualties are substantially reduced. Implicit in such a program is the need to stop an operation, for formal correction of text, anytime that testing, maintenance, or other routine operating procedures are found vague, ambiguous, in error, or otherwise deficient. The operation is allowed to proceed only after appropriate changes are proposed, reviewed, and approved for performance. At first, this can be a very laborious, time-consuming process as verboseness, sloppiness, vagueness, ambiguity, errors, or omissions are replaced by step-by-step, clear, technically justified, properly sequenced instruction. Furthermore, the process exacts a price for attention to technical detail, for monotonous and unglamorous engineering reviews, for midnight telephone calls, and the need for a cadre of first class nuclear power plant engineers. However, as mentioned earlier, this price must be paid anyhow if sound technical judgements are to be made in other matters affecting safety of operating plants. In addition, overall cost will diminish as a standard of operating excellence develops that is based on detailed understanding of plant operation with attendant reduction in operator errors and operating incidents.
The program proposed must be based on a high level of operator training since it is impossible to prepare detailed procedures for every accident sequence -- no one can predict the course of accidents ahead of time. This is precisely why automatic computer control can be an impediment to safety -- one cannot program a computer for all casualty and accident sequences in advance. Instead, one must depend on highly knowledgeable operators to recognize when a casualty procedure no longer provides the detailed guidance for the situation at hand, and to use their training, their ingenuity and intuition based on such training, and sound technical judgment to handle the unthinkable, the unexpected, the accidental event that will inevitably occur in any complex system no matter how ingenious its design might be. The operator and his excellence when compared to hardware is the final safety assurance within the system, and the operator's adherence to detailed high quality procedures is one of his fundamental tools.
Note: The foregoing is an editorial update of a January 8, 1981 paper entitled "Strict Literal Compliance with Procedures," prepared as an enclosure to a February 2, 1981 degraded cooling rulemaking memorandum.
Attachment (2)
Status of Current User Requests for Operating Procedure Research
Proposed Research Task 1: In coordination with DHFS, conduct a survey to identify those aspects related to plant procedures (other than emergency response procedures) which are frequently deficient from a safety related standpoint and outline corrective actions needed.
Proposed Response: Recently published documents report the results of the work of several contractors related to development of Emergency Operating Procedures. These reports include NUREG/CR-1999, "Human Engineering Guidelines for Use in Preparing Emergency Operating Procedures for Nuclear Power Plants;" NUREG/CR-1977, "Guidelines for Preparing Emergency Procedures for Nuclear Power Plants;" NUREG/CR-1875, "Evaluation of Emergency Operating Procedures for Nuclear Power Plants;" NUREG/CR-2005, "Checklist for Evaluating Emergency Procedures Used in Nuclear Power Plants;" and NUREG/CR-1970, "Development of a Checklist for Evaluating Emergency Procedures Used in Nuclear Power Plants." These reports are directly applicable to all plant procedures and thus provide the survey of deficiencies and corrective action needed as proposed in Task 1.
Proposed Research Task 2: As indicated from Task 1, conduct supportive research, with involvement of human factors specialists, leading to the development of guidelines for upgrading of non-emergency plant procedures.
Proposed Response: Response for Task 1 above is applicable here also. Guidelines can be prepared from information already available.
Proposed Research Task 3: With initial emphasis on emergency response procedures, but with applications to procedures in general, explore and test alternate ways of presenting procedures to operators and other plant personnel to optimize comprehension and response. In particular, this should include studies related to computer based CRT displays.
Proposed Response: In parallel with correcting the major fundamental operating procedure deficiencies with practical straightforward solutions, ongoing research, both domestic and foreign, will be monitored for information that might be used to optimize procedures once a fundamentally sound procedures program has been put in place.
Proposed Research Task 4: An effort is underway to provide guidelines for improving procedures. At this point little data is available to validate the effects of the required changes on crew performance or to judge the potential effects of various ways of presenting procedures. Such data are needed to evaluate future changes. Research is needed to develop methodologies for determining the effectiveness of changes that have been or may be made to plant procedures. A series of simulator tests to ascertain the effects on crew performance of various changes in procedures format should be conducted.
Proposed Response: Similar to response 3, major fundamental operating procedure deficiencies must be corrected before a research program for "fine tuning" has meaning. Therefore, action on this item should commence once a fundamentally sound procedures program has been put in place.