Text

'TRTR NATIONAL ORGANIZATION OF TEST, RESEARCH, AND TRAINING REACTORS Executive Committee William G. Vernetson, Chairman John A. Bernard, Massachusetts Institute of Technology Director of Nuclear Facilities David D. Clark, Cornell University University of Morida Training Reactor Arthur G. Johnson, Oregon State University University of Morida Tawfik M. Raby, National Institute of Standards and Technology G:inesville, Morida 32611 Junaid Rarvi, General Atomics (904) 392-1408 FAX (904) 392-3380 Wade J. Richards, Department of Ddeme/ Chairman-Elect T. Charles McKibbs, University of Missouri. Columbia Marcus H. Voth, Pennsylvania State University May 26,1993

)-

g G7h Mr. James M. Taylor Executive Director for Operations U.S. Nuclear Regulatory Commission Washington, DC 20555

Dear Mr. Taylor:

At the request of the University of Virginia, the enclosed report of the TRTR review of the April 28,1993 reportable occurrence and the overall administration and operation of the University of Virginia Reactor (UVAR)is being provided directly to the Nuclear Regulatory Commission at the same time it is supplied to the UVAR facility. As indicated in my letter of May 6,1993, to Dr.

Seymour H. Weiss, TRTR considers this a very important evaluation. The on-site review and evaluation was conducted by myself and Tawfik Raby of the National Institute of Standards and Technology. Wade Richards was unable to participate on-site due to a sudden illness in his family. However, he was able to review all the key documents and has provided his input to the written report as well.

The TRTR community considers this to be a serious occurrence which cannot be allowed to happen at any TRTR facility. We b*elieve this report sets out our findings and makes recommendations whose implementation will assure the effectiveness of UVAR corrective action and hence preclude recurrence of this or similar events. If you have any questions or need further information, please feel free to give me a call at (904) 392-1408/1429.

Thank you for your consideration.

Sincerely, b

William G. Vernetson Chairman i

WGV:p cc:

J. H. Sniezek, NRC B.K. G m C

040045 S.H. Weiss, NRC V S.D. Ebneter, NRC R. Mulder, U.Va.

T. Raby, NIST W. Richards, DoD I

9306070336 930526

,r PDR ADOCK 05000062 1

S PDR I

r

I A PEER REVIEW / EVALUATION j

REPORT OF THE UNIVERSITY OF VIRGINIA REACTOR FACILITY Conducted on May 17-18, 1993 1

i By i

l W.G. Vernetson l

T.M. Raby With Input From W.J. Richards a

On Behalf of the i

NATIONAL ORGANIZATION OF-

'l TEST, RESEARCH AND TRAINING REACTORS 2

(TRTR)

MAY,1993

REPORT ON THE UNIVERSITY OF VIRGINIA REACTOR FACILITY 1.0 Introduction At the request of the Director of the University of Virginia Reactor (UVAR) facility, Bill Vernetson, University of Florida and TRTR Chairman and Tawfik Raby, NIST with assistance and input from Wade Richards, McClellan Air Force Base, all representing the National Organization of Test, Research and Training Reactors (TRTR), conducted a peer review and evaluation of the UVAR reactor operations program. This review and evaluation of UVAR facility operations was conducted in response to the discovery of a reportable occurrence concerning an inadvertent modification of the UVAR reactor console which resulted in the operation of the reactor for a period of about five and one-half (5-1/2) hours with several protective scrams required by Technical Specifications (TS) not operable. Specifically, the exchange of two mixer-driver (MD) modules in the Scram Logic Drawer resulted in the inoperability of both power-level scrams, the intermediate-range period scram, the low primary coolant flow scram, the loss of power to the primary pump scram, the range switch scram and the key switch scram for the duration of the second run on April 28,1993.

i Since discovery of the occurrence during shutdown, the event and actions leading up to the modification have been thoroughly investigated by the UVAR management and staff. Based upon details in the UVAR preliminary report submitted to the Nuclear Regulatory Commission (NRC) on April 29, 1993 and the UVAR 14-day report as well as reviewing of various facility documents and extensive interviews with facility management and staff, we feel that the root cause of the occurrence is a lack of adequate management control. The troubleshooting that led to the undocumented modification and operation with various scrams disabled was itself well-designed. The lack of a focal point for controlling operations at the facility compounded by the failure to recognize that a modification had been made with no subsequent checks or tests to verify operability of the safety system functions are evaluated as the root and immediate causes respectively of the event. All actions taken following discovery of the problem during the shutdown on April 28 have been well designed. Extensive tests determined the exact safety functions that were inoperable and the system was rapidly retumed to and verified to be in to its pre-modification status but tagged out of service. Further tests have continued on the console and other spare equipment as has review of facility operations and development of new procedures and checklists.

This failure to recognize these actions as involving maintenance as well as a modification to the safety syste m, regardless of whether the mixer-driver modules were identical, is the immediate cause of the occurrence. Nevertheless, the review team feels strongly that the root cause of the '

event is a lack of proper understanding and implementation of lines of authority and responsibility along with the lack of a focal point for control of all significant facility operations.

The result was more a passive cor.currence on the restart versus a posidve documented approval to restart which led to the occurrence as described in the UVAR 14-day report.

1 t

,. ~

,e m

1 We recognize the seriousness of this occurrence and are pleased that so does the UVAR management and staff; however, we feel it is important for morale and for maintaining technical 7

- skills that the reactor be restarted as soon as possible aRer the internal causes of the event are corrected. Specifically, the facility must implement a better method for approving restarts from trips, for carrying out maintenance, for implementing modifications and for carrying out work ~

on the reactor console, especially on the reactor safety systems. More importantly, the facility must define and establish a focal point for all activities to include a system for prominently identifying the individual focal point (reactor supervisor) in the operating log.

In summary, the results of our review and evaluation of operations at the UVAR facility emphasizing the reportable occurrence indicate that this occurrence does not represent nor is it the result of a technical or design problem. Rather we find it is an administrative problem involving a lack of proper understanding and implementation of lines of authority and responsibility compounded by a failure to recognize actions as involving major maintenance or a modification. Corrective action must be implemented to assure there is a focal point for controlling day-to-day operations and to assure that authority and responsibility for activities at the facility are well-defined and that actions taken are well-documented. When these conditions are met, there is no reason not to restart.

2.0 Discussions Extensive discussions were held with the following individuals during the review and evaluation conducted at the UVAR facility on May 17-18, 1993. These individuals include all those directly involved in the occurrence as well as most other members of the UVAR operations staff as well as the Chairman of the Reactor Safety Committee:

Director, UVAR Chairman, Reactor Safety Committee Member, Reactor Safety Committee Reactor Administrator / Reactor Supervisor SRO, Services Supervisor (Alternate Reactor Supervisor)

SRO, Research Scientist SRO SRO RO Laboratory Instrumentation Supervisor Note: Names are deleted from copies supplied to the Nuclear Regulatory Commission.

2

1 i

i

3.0 Background

As indicated in the 14-Day report filed with the NRC by the UVAR facility, the UVAR reacto was operated on the afternoon of April 28, 1993 at full power for 5.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> with five major automatic trips required by Technical Specifications (TS) not operable. The inopera two power range, low flow primary pump off, and reactor period. Other automatic were:

shutdown capability associated with in-core parameters was available, partially offsettin not available as verified by the UVAR staff after the occurrence. In addition, the licensed reactor operator at the console had all the normal alarms, reactor instrumentation readings and manual shutdown capability available to him. The reactor was operated in this condition because the operators had no indication that some of the required trip functions were not available until the period trip capability happened to be tested later that evening at reactor shutdown.

This situation developed as a result of an unintentional modification of the automatic shutdown logic circuitry in the console, made by a senior reactor operator who is assigned console and other instrument responsibility following a spurious automatic reactor shutdown near m The exchange was made while troubleshooting to determine the cause of this and other s scrams that occurred earlier.

The modification involved the interchange of what appeared to be two identical mixer-driver (MD) modules already installed in the scram logic drawer p Figure 3.15 of the UVAR Safety Analysis Report. On the contrary these modules were not exactly alike in that they had been altered internally. Had the MD modules not been modified the interchange may not have compromised the trip functions.

During the operation on the afternoon of April 28 following the exchange of the MDs, the operators apparently had no way of knowing that key trip functions were unavailable. Indeed all operators on the afternoon of April 28 indicated to the review team that everything appea normal with all visual reactor information available. Only a check of the scram system with the reactor shutdown would have permitted knowledge of the lack of certain trips. As required b standard operating procedures (SOPS) a test of the trip system had been performed succe that morning. A test was not performed after the interchange of the MDs because the oper and then his direct supervisor for reactor opentions, decided that the simple exchange of mixer-driver modules as well as the earlier temporary switching of solid state relays did not requir any checks.

During the period that the reactor was operated with some scrams inoperable, no operational parameters were exceeded, no safety limits were violated and no damage was caused to the reactor or the console. The switching of the MDs did not cause damage to other electronic components in the console. Following discovery of the problem and its cause, the console was quickly and easily returned to its original functional condition with the return of the MDs to their initial configuration where they remain with the console tagged out of service.

The UVAR is currently shutdown and tagged out with all systems back in normal working order.

i While operable, the reactor remains shutdown as evaluation and implementation of correcdve action proceeds per the NRC Confirmation of Action letter of April 30,1993 which we have also reviewed along with the 14-day report.

3 m

4.0 Findings

1.

The spurious UVAR trip on the morning of April 28,1993 had seemed to be a soft trip indicating all rods had not dropped simultaneously. As a result it was felt the source of the spurious trips might be isolated to one side or the other of the Scram Logic Drawer.

t 2.

The two solid state relays (SSR) were switched in the Scram Logic Drawer as a part of troubleshooting to discover the source of the earlier spurious trip. When the intermittent but spurious trip indication remained, the SSRs were eliminated from consideration as the trip source and left in the new position. Though this is good troubleshooting methodology, this switching should itself have been tracked as a temporary modification for which some sort of test or checks would be required.

t 3.

The two mixer-driven modules were also switched as part of the troubleshooting effort to isolate the source of the intermittent spurious trip signals. When the intermittent trip signal failed to return after a period of time, the switched MD l

modules were left in place and the reactor was restarted by the cognizant SRO with the knowledge of the reactor supervisor. Since the two MDs were not identical due to previous modifications, this action constituted a modification of the safety system. This unintentionalinadvertent modification of the UVAR safety system disabled a number of trips for 5.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> of operation due to switching non-identical mixer-drawer modules on April 28,1993 and was the direct cause of the reponable occurrence.

i 4.

Because the two mixer-driver modules were considered to be identical per Figure 3.15(Scram Logic Drawer) of the UVAR Safety Analysis Report, no tests or checks were performed following the switching of the MDs.

i 5.

There is only one daily checklist performed per day. Regardless of other occurrences, there is no specific requirement to perform another complete checklist or any part of the checklist.

6.

Licensed staff member: do not all understand the same requirements for approval to start up the reactor or to nestart following a trip. It is also not clear who has authority to restart and who is responsible to approve restarts dependent on whether the cause is known or not.

7.

There is no clear delineation of who has the authority and responsibility to approve apparently minor and in some cases significant changes at the facility.

Depending en the licensed individual interviewed, different levels of authority are

[

understood to be provided to them without any clear documentation of this authority. Similarly there is no clear understanding as to who may authorize and 4

a

h approve significant items of maintenance, repair and other activities and what checks or tests are required following completion of the task.

8.

There is no clearly established focal point for control of operations-related activities at the UVAR facility. Careful evaluation indicates the restart following switching the MDs was agreed to more than approved by the reactor supervisor with no documentation of the restart approval by the reactor supervisor.

9.

Shift turnovers after the restart made no special mention of the switched MDs.

Operators, as part of good practice, did make themselves generally aware of the switching. Nevertheless, the shift turnovers themselves made no mention of the troubleshooting mode of operation. This lack of communication was considered acceptable because any further spurious trips would come through one or ~ e other of the two MD modules, either proving one of them as the cause of t1 y

or eliminating them from further consideration. It was tacitly assumed t'-

e cognizant SRO would be the person called and informed of such a trip so the requisite information would be available to that individual upon notification that there had been a trip. Nevertheless, there was no specific direction given to the operator to notify the individual should there be another spurious trip.

10.

The external organization of the reactor facility is not well suited to the UVAR.

There is no clearly defined line management responsibility for safeguarding facility personnel and the public. This responsibility is being met but in a non-optimal manner as the President of the University acts as the licensee which is not necessary since University and NRC requirements can be separated.

11.

The actions of the facility following discovery of the problem after shutdown have been commendable. Actions taken to include the extended shutdown with the reactor tagged out, the decisive actions taken to identify and isolate the immediate cause and return the system to normal, the actions taken to generate new checklists, new procedures and communcations with the staff are all duly acknowledged as exemplary. The decision to check as well as clearly and permanently label all components intended for use in the UVAR console-is another exempliary response to the occurrence. The staff is clearly committed to improving facility operations and earning permission to restart.

12.

The quality of reactor personnel appears high and impressive.

5.0 Recommendations 1.

Though the failure to perform adequate tests or checks following switching apparently identical components in the UVAR. safety system is the immediate cause of this event, the root cause of this event is evaluated to be an institutional i

5 i

problem. We find there is no clearly defined line management responsibility for operations-related activities. A focal point to clear and control all significant c

operations related actions at the facility through a documented person in charge as the reactor supervisor is essential. Prior authorization and approval of this individual should be required for all signincant activities associated with the reactor. The reactor facility organization should be structured to clearly define these lines of responsibility and authority.

2.

It should be made clear via procedures and periodic training that any time there is any kind of work on the UVAR safety system, appropriate checks must be performed commensurate with the work that has been accomplished. There must be a clear demarcation as to who makes changes as well as who authorizes then.

Specifically it is recommended that a three tier system be implemented to control UVAR facility changes in the following categories:

a.

Minor and temporary, non-safety system related changes may be approved by the SRO or the Reactor Supervisor.

b.

Minor and temporary changes affecting the safety system may be approved by the Reactor Administrator or the Director.

c.

Other than minor changes may be reviewed and approved by the Reactor Safety Committee with final approval by the Director with special considerations given to changes whenever the reactor safety system is involved.

The same system of controls and approvals should be applied not only for design changes but also for changes in SOPS, tests and experiments. A determination that all such changes do not involve an unreviewed safety question should be made and documented. The degree of documentation should be dependent upon the level of the change.

3.

The UVAR also needs an adequate restart checklist as well as controls as to who can approve restart. Here, the review team recommends that restarts following trips be categorized at two levels.

a.

Restart following a trip from a known and corrected cause for which satisfactory checks have been completed should require SRO approval.

b.

Restart following a trip from an unknown cause where conditions appear normal based on significant checks should require reactor supervisor approval as the focal point for all operations-related activities.

i 6

e Any thne checks indicate uncorrected problems, then the restart should not be app:oved; the level of responsible authority must be defined for such cases.

As a further note the review team feels the proposed safety systems checklist (a subset of the full daily checklist) may be more extensive than necessary for many trips, especially those from known causes where the cause has been corrected.

We recommend the facility consider a further reduced subset of checks though this decision on adequate checks must finally fall to UVAR management and staff based on their detailed knowledge of the facility.

7 4.

We recommend that certain procedures related to control of maintenance, repair and modifications should be developed and/or improved and better implemented.

l This process is currently in progress with the new SOPS appearing to address the -

issues of controlling maintenance and modifications in a substantive manner. - We recommend that these be implemented as soon as practicable.

5.

We recommend that a certain area be designated for storage of components intended for use in the UVAR console. These should be clearly labelled for i

storage of components inteaded for use in the UVAR console. These should be clearly labelled in storage; your decision to mark them is good.

Some consideration should also be given to sealing them in protective bags since many replacement components may be stored for years prior to usage. The key here is to reduce the possibility of using a defective or unapproved component though it is recognized that proper checks and tests will provide final protection against such defects.

6.

As discussed during the evaluation, we strongly recommend that two people be present in the facility for daily checkouts and fet recovery / restart following trips with one in the control room observing whenever possible.

7.

We recommend that the transfer of console duties and shift responsibilities be more formalized. Specifically we recommend documenting in the log when the turnover occurs and that the operator assuming shift resporaibility has been briefed on the status of the facility. Such documentation of shift tumovers will serve to alert those coming on shift of facility activities or conditions that may merit special atteation. Though interviews with those on duty during the five plus hours when some of the scrams were inoperable do not indicate any special 1

concerns on their part, many occurrences can be prevented or better analyzed if.

the operator-on-duty has been properly cautioned on what may be of interest based on the activities in progress.

8.

If it is feasible and practical, we recommend that the UVAR evaluate the

~

possibility of having two(2) independent strings in the safety system to actuate all scrams. Though not considered necessary, making such a modification would 7

provide additional redundancy to preclude a failure to scram from failure of one j

mixer-driver module, especially on the more important scrams (two overpower, low flow and loss of primary coolant pump). We emphasize that care should be taken to assure that failure of one mixer-driver module cannot cause failure of the 1

l other; that is, that there is no interconnection allowing feedback to cause a common failure. Of course this change, if proposed, would require a full safety evaluation and possibly NRC approval. We emphasize that we do not consider the current design deficient so there is no need for such a change to be implemented or even fully evaluated prior to restart; however, if implemented, it could provide important added redundancy to the safety system.

9.

It is recommended that the external organization of the facility be restructured along the lines of ANSI /ANS 15.1(The Development of Technical Specifications For Research Reactors)to provide clearly defined line management exclusively for the administration of the reactor license. The overall organization should be i

streamlined so there is clear line management responsibility for safeguarding facility personnel and the public and for dischaiging their obligations under the NRC license. The level of a department head or dean is acceptable to meet license requirements; there is no need ta Mvolve the President of the University of Virginia. This organization and associated safety committees should be separated from other university organizations, functions or requirements.

Whatever internal requirements are put on the facility by University adn.inistrators can be implemented and assured independent of the NRC license.

10.

Along these lines it is recommended that the Reactor Safety Committee should be set up exclusively for reactor and license reviews. This committee should review things and perform audits in accordance with your Technical Specifications and the ANSI /ANS 15.1 Standard. This committee does not need to be burdened with minor changes which can be addressed by the facility director nor does it need to be part of a larger university committee.

11.

Troubleshooting to determine problem-related causes and corrective action and initiative to improve performance should continue to be encouraged. However, these activities should be carried out in a programmed, well thought out, well reviewed and s eimi manner. We are concerned that the occurrence and subsequent criti:

A ; may inhibit personnel from taking prudent action when such action is waana. Such inhibition should not be allowed to occur.

6.0 Conclusions Failure to recognize the safety system changes made on the afternoon of April 28 as involving maintenance as well as a modification to the safety system, regardless of whether the mixer-driver modules were identical, and the subsequent failure to check or test the operability of the scrams is the immediate cause of the 5.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> operation at full-power with some scrarns 8

inoperable. However, the review team feels strongly that the root cause of the event is a lack of proper understanding and implementation oflines of authority and responsibility along with the lack of a desingated focal point for control of all significant operations. The lack of a focal i

point (the reactor supervisor) documented in the operating log for control of all significant operations-related activities is particularly critical. The result of not having such a focal point was more a passive concurrence on the restart without performing any checks versus a positive documented decision being made to restart which resulted in the occurrence as described in the UVAR 14-day report.

We commend the facility on actions taken to date including the extended shutdown and the decisive actions to correct the problem. However, although various changes in procedures and checklists are in progress, we feel it is essential that steps to establish the focal point and to establish clearly defined line management authority and responsibility for operations-related activities must be implemented prior to restart. However, we find it is important for morale and for maintaining techrl:al skills that the reactor be restarted as soon as possible after the internal principal cause is corrected by defining lines of authority and responsibility and estabhshing a focal point for all operations-related activities.

The responsibility and authority of such individuals should be known and clearly defined.

Finally, we consider the event to be most serious. It cannot be allowed to hapy:n again at this or any other TRTR facility. The decisive action taken by the University including seeking this review gives us every confidence that there will be no recurrence of this or similar events.

9