ML20097H316

Trip Rept:Onsite Analysis of Human Factors of Event at LaSalle 2 920420 (Reactor Water Cleanup Sys Isolation Bypass)
ML20097H316
Person / Time
Site: LaSalle
Issue date: 06/30/1992
From:
EG&G IDAHO, INC., IDAHO NATIONAL ENGINEERING & ENVIRONMENTAL LABORATORY
To:
NRC OFFICE FOR ANALYSIS & EVALUATION OF OPERATIONAL DATA (AEOD)
Shared Package
ML20097H312 List:
References
EGG-HFRU-10309, NUDOCS 9206250411


Text

EGG-HFRU-10309

Trip Report:

Onsite Analysis of the Human Factors of an Event at LaSalle 2 April 20, 1992 (Reactor Water Cleanup System Isolation Bypass)

Susan G. Hill

William Steinko

Onsite Analysis Team:

John Kauffman

Robert Spence

Susan G. Hill

Published June 1992

Idaho National Engineering Laboratory

EG&G Idaho, Inc.

P.O. Box 1625

Idaho Falls, ID 83415

Prepared for the Office for Analysis and Evaluation of Operational Data

U.S. Nuclear Regulatory Commission

Washington, D.C. 20555

Under DOE Contract No. DE-AC07 70lD01570

9206250411 920616 PDR ADOCK 0$000373 P PDR

EXECUTIVE SUMMARY

As part of the Office for Analysis and Evaluation of Operational Data (AEOD) of the U.S. Nuclear Regulatory Commission (NRC) program to study human performance during operating events, a team conducted an onsite investigation of an event that occurred at the LaSalle 2 nuclear generating station on April 20, 1992. The team focused on the factors that influenced the performance of operations staff and performed an analysis based on interviews with operations and technical staff personnel, plant logs and recordings, operations procedures and training material.

On April 20, 1992, the Unit 2 reactor was at 20% power, following a month-long outage. The reactor water cleanup system (RWCU) was shut down to verify the motor operator limit switch settings on the RWCU inboard and outboard containment isolation valves. The nuclear station operator (NSO) closed the RWCU system return valve prior to stopping the two RWCU pumps, in reverse order from that stated in the procedure.

About a minute later, an RWCU high differential flow alarm was received in the control room, indicating the start of a 45 second delay timer, which precedes an RWCU automatic isolation. Several weeks earlier, an RWCU isolation had occurred due to a spurious RWCU high differential flow signal and both motors had failed due to faulty limit switch settings resulting from thermal expansion. The NSO, wanting to preserve the valve test, asked the shift foreman (SF) for permission to bypass the automatic high differential flow isolation of these valves, an Engineered Safety Feature (ESF). The NSO removed the keys from other front control board switches and gave them to a second NSO, who inserted them in the RWCU bypass switches on the back panel to prevent the isolation within 35 seconds after the initial alarm. The second NSO reported a continuing RWCU differential flow of 95 gpm.

About three minutes later, the operators verified that the alarm was not spurious: an equipment attendant identified flow from a RWCU regenerative heat exchanger relief valve, a third NSO found increasing Reactor Building Equipment Drain Tank (RBEDT) level, and the 95 gpm RWCU differential flow continued. The NSO asked the shift control room engineer (SCRE) and the SF how they wanted to isolate the RWCU. Both agreed that the keys should be removed to allow the automatic RWCU isolation. The operators returned the RWCU bypass key switch to normal, allowing the RWCU to automatically isolate, which terminated the loss of inventory from the RWCU through the open relief valve.

The following is a summary of the results of the human factors analysis of this event:

Teamwork / Command and Control

Control room teamwork and coordination with personnel in the plant were major factors in determining the validity of the RWCU high differential flow alarm. However, the control room hierarchy structure has two paths for the chain of command, which has the potential to lead to an unclear direction.

The coordination of the special test engineer with the control room operations personnel was conducted on an individual basis, whereas a crew briefing on what to do if there was an isolation signal would have been helpful.

The keys used to bypass the ESF were readily available in the other switches in the control panel. The use of such keys for multiple purposes suggests a lack of key control.

Procedures

The control room operators performed all recovery actions without consulting applicable procedures. A decision was made to allow automatic isolation of the system when the special test procedure directed having thermal overload protection available for the motor-operated valves.

The operators lacked understanding of the required order of performance of procedural directions. Operators lacked confidence in the usefulness of the procedures because of their frequent revision and level of detail. It would have been helpful if the special test procedure addressed operator response to or recovery from an isolation signal and differential flow alarm conditions.

The alarm response procedures for the RWCU high differential flow alarm do not mention the use of the rear panel RWCU differential flow meter, RBEDT level indication, local area radiation monitors, area temperature, dispatching personnel to the area for determining alarm validity, or criteria for using ESF bypass keys.

After the event, the shift engineer verbally instructed his crew that ESF signals shall not be bypassed in the future. But, it is not clear if other crews have been similarly informed. It would be helpful to operators to have this policy statement included in operating and administrative procedures.

Decisionmaking

The decision made to bypass the RWCU high differential flow alarm isolation signal was based on knowledge-based reasoning from existing knowledge about systems, processes and plant conditions rather than specific procedural steps. Several factors contributed to this decision, including previous operator experience with spurious RWCU isolation signals, management's criticism for not bypassing a RWCU isolation signal several weeks earlier when the valve motors were damaged and the operators' opinion of the usefulness of procedures during an emergency.

The decision to remove the bypass and have the system isolate automatically was made about three minutes after the initial RWCU alarm. The operators had time to consider the most appropriate method of isolating the RWCU; they could have decided to shut the isolation valves manually to keep motor thermal overload protection available, but the senior reactor operators, without thinking of this concern, opted instead to remove the keys from the RWCU bypass switches and allow the automatic ESF actuation.

Knowledge-based Behavior

The control room actions were primarily knowledge based and knowledge-based behavior led them both into and out of the event. If knowledge-based reasoning had been used that included concerns for the MOVs, the operators would have bypassed the ESF signal to ensure that thermal overload protection was available to the motors, relied upon their RWCU differential flow meter, and immediately closed the RWCU containment isolation valves manually.

Each operator's knowledge base is different and if their knowledge base was the only support available, other operators may not have had the same response. When actions are dependent on knowledge-based reasoning, operators are more prone to make decisions and take actions without considering their consequences or alternatives, as occurred in this case.

Human-Machine Interface

The primary RWCU differential flow indication is located on the rear panel, the RBEDT level indicator is located on another control room front panel, and area radiation monitors on another panel. The operator has only knowledge-based reasoning to properly connect the various control room indications needed to determine the validity of an RWCU differential flow alarm. If the indicator were on the front panel, the operator could monitor RWCU differential flow for determining system operation and alarm validity.

There is no RWCU relief valve discharge line indication in the control room; control room personnel must rely on equipment attendants in the plant to locate and identify discharge line flow.

ACKNOWLEDGMENTS

We express appreciation to the LaSalle staff for their cooperation for freely providing information necessary to analyze the human factors of the operating event. We particularly thank the Unit 2 operators and technical staff who were on duty during the day shift of April 20 for their cooperation during the interviews.

CONTENTS

EXECUTIVE SUMMARY

ACKNOWLEDGMENTS

ACRONYMS

1. INTRODUCTION

1.1 Purpose

1.2 Scope

1.3 Onsite Analysis

2. DESCRIPTION OF THE EVENT ANALYSIS

2.1 Background

2.2 Time Line of the Event

2.3 Analysis

2.3.1 Teamwork / Command and Control

2.3.2 Procedures

2.3.3 Decisionmaking

2.3.4 Knowledge-Based Behavior

2.3.5 Human-Machine Interface

3. REFERENCES

FIGURES

Figure 1. LaSalle Operations Shift Staffing

Figure 2. Reactor Water Cleanup System

ACRONYMS

AEOD Office for Analysis and Evaluation of Operational Data

DSP Division of Safety Programs

ESF engineered safety feature

HMI human-machine interface

MOV motor operated valve

NSO nuclear station operator

RBEDT reactor building equipment drain tank

RCS reactor coolant system

RO reactor operator

ROAB Reactor Operations Analysis Branch

RWCU reactor water cleanup system

SCRE shift control room engineer

SE shift engineer

SF shift foreman

SRO senior reactor operator

Trip Report:

Onsite Analysis of the Human Factors of an Event at LaSalle 2 April 20, 1992 (Reactor Water Cleanup System Isolation Bypass)

1. INTRODUCTION

1.1 Purpose

The Office for Analysis and Evaluation of Operational Data (AEOD) of the U.S. Nuclear Regulatory Commission (NRC) has a program to study human performance during operating events. As part of this program, AEOD formed a team to conduct an onsite analysis of an event that occurred at the LaSalle nuclear generating station during the day shift on April 20, 1992. The Reactor Water Cleanup system (RWCU) was being shutdown to conduct a special test on the inboard and outboard, motor operated, primary containment isolation valves. An RWCU high differential flow alarm was received in the control room. A decision was made by the operating crew to bypass the automatic high flow isolation of the RWCU, an Engineered Safety Feature (ESF), with a keyed switch. Approximately three minutes later, the operators determined that the alarm was not spurious by identifying flow from a regenerative heat exchanger relief valve, an increasing level in the Reactor Building Equipment Drain Tank (RBEDT), and a high flow indication on an indicator located near the keyed bypass switch in the control room. Subsequently, the bypass key switch was returned to normal allowing the RWCU to automatically isolate and terminate the loss of inventory from the RWCU through the open relief valve.

1.2 Scope

The human factors analysis focused on the factors that influenced the performance of operations staff and technical support personnel throughout this event. The analysis was based on data derived from interviews with operations and technical staff personnel, plant logs and recordings, and review of operations procedures and training material. The Idaho National Engineering Laboratory (INEL) provided assistance as part of the AEOD program to study human performance during operating events.

1.3 Onsite Analysis

The onsite analysis team was at the site April 22-23, 1992 and was composed of the following members:

John Kauffman, NRC/AEOD/DSP/ROAB (team leader)

Robert Spence, NRC/AEOD/DSP/ROAB

Susan G. Hill, INEL/EG&G Idaho, Inc.

2. DESCRIPTION OF THE EVENT ANALYSIS

2.1 Background

The LaSalle County Nuclear Station, located in LaSalle County, Illinois, is owned and operated by Commonwealth Edison Company. The two, nearly identical, boiling water reactors are rated at 3293 megawatts-thermal. The units are operated from a common control room and have been in commercial operation since January and October, 1984, respectively.

On April 20, 1992, the Unit 2 reactor was at 20% power, following a month-long outage. The Unit 2 control room on-duty operating crew consisted of a shift engineer (SE), a shift control room engineer (SCRE), a shift foreman (SF), and several nuclear station operators (NSO) (see Figure 1). The regular crew was augmented by several extra NSOs to assist during startup activities. A special test procedure, LTP-100-2, "U-2 Reactor Water Cleanup MOV Cycle Test During Plant Startup," was scheduled to be performed. The purpose of the test was to stroke the inboard and outboard motor operated primary containment isolation valves #2G33-F001 and F004 of the Reactor Water Cleanup system (RWCU) in order to verify proper operation under normal operating conditions. The special test was approved by the Shift Engineer during the day shift, and, at approximately 8:40 a.m., preparation for the shutdown of the RWCU from the control room was started. RWCU shutdown was necessary prior to stroking the F001 and F004 valves closed for the test.

About two weeks prior to the event (on April 2, 1992), an RWCU isolation was received due to a high differential flow alarm. The F001 and F004 valves automatically isolated 45 seconds after receiving the alarm, as designed. However, subsequent investigation showed that the motor operators had failed on both valves due to a faulty limit switch setting. Thermal binding caused by heatup of the system had disabled the limit switch close position contact and had prevented the torque switch from deenergizing the motors. Consequently the motors were destroyed. The MOV assemblies were replaced and management startup directions were written stating "These isolations are expected during startup and it is not a red phone notification. We should try to prevent these isolations from occurring".

SHIFT ENGINEER: SRO - 4 yrs.

SHIFT FOREMAN: SRO - 1.5 yrs

SHIFT CONTROL ROOM ENGINEER: SRO - 6 yrs

NUCLEAR STATION OPERATOR: RO - 8 yrs

EQUIPMENT ATTENDANT: NON-LICENSED

NOTES:

1. SRO - Senior Operator license.

2. RO - Reactor Operator license.

3. All licensed personnel had more than 10 years with the company.

4. Shift crews are changed at first of the year if transfers are desired.

5. First day on dayshift following training week.

Figure 1. LaSalle operations shift staffing.

The RWCU has a history of spurious alarms from high differential flow during plant heatups and cooldowns when in the 200 - 300 degree F range. Flashing of water to steam results in pressure transients, flow oscillations and erratic indications during these transitions. Few problems have been experienced at normal operating temperatures. In the April 2nd failure of the RWCU motor operated isolation valves, it was reported in the Licensee Event Report that there was no actual high differential flow, although the alarm was received and the isolation occurred.

On the morning of April 20, the test engineer in charge of the special test procedure asked the SF if the test could be run that morning; he agreed. Next, the test engineer spoke to the SE, explained what would be done, and received the SE's permission and signature to proceed with the test. The test engineer then spoke with the SCRE, and then the NSO who would be shutting down the RWCU. The NSO asked for, and received, a copy of the special test procedure that would be used in this test.

When the test engineer and his personnel were at the test location in the plant and all the test equipment had been readied for use, the test engineer contacted the NSO by telephone and notified him that the test personnel were ready whenever the NSO was ready to proceed. An equipment attendant was with the test team to assist them as needed.

The NSO proceeded to shutdown the RWCU, using the procedure LOP-RT-03, "Reactor Water Clean-Up System (RWCU) - Shutdown". When he reached step le., he turned the switch to close valve MO-2G333040 (RWCU system return) and position switches to stop RWCU pumps A and B (see Figure 2). The switches for the F040 valve and the two pumps are on the same panel and in close proximity to each other. These actions were performed in the reverse order from that stated in the procedure. The sequence as performed left the pumps running momentarily applying full discharge pressure on the isolated section of the system. In addition, the regenerative heat exchanger tubes containing relatively hot reactor coolant were transferring energy to the isolated section increasing pressure due to thermal expansion. Shortly after these control actions, the high differential flow condition alarm was activated. The set point of the high differential flow is 70 gpm. The alarm initiated a 45 second clock timer after which the RWCU would automatically isolate, if the high flow condition was still present.

The NSO looked at the RWCU indications on the front panel to determine the validity of the alarm. All indications such as pressure, temperature, radiation monitors, and flow appeared normal. The NSO, wanting to preserve their testing, asked the SF for permission to use the key switches to bypass the automatic isolation system (the SCRE was on the telephone at this time.) The SF looked at the control board indications, determined there was nothing abnormal, and then directed the NSO to use the keys to bypass the RWCU automatic isolation.

Keys were removed from locations on the front control board panel and were handed to a second NSO who then went around to the back panel where the RWCU bypass key switches were located. The key switches were actuated about 30-35 seconds after receiving the flow alarms and before the 45 seconds expired, blocking the automatic isolation. The second NSO, while behind the panel, observed a RWCU differential flow meter which was located on the back panel near the key switches. He reported the differential flow was approximately 95 gpm.

The NSO who was conducting the RWCU shutdown called on the telephone to the local equipment attendant and asked him to check if there were any indications of relief valves lifting on the RWCU heat exchangers. The equipment attendant went up the stairs and checked first one area, and then moved to a second area. He smelled hot paint, and observed water flowing through a relief valve discharge line sightglass (22MB). He called the NSO in the control room and reported the water flowing in the sightglass near one of the regenerative heat exchangers and reported the tag number.

NOTE 1: Shell side of heat exchanger relief to RBEDT.

Figure 2. Reactor water cleanup system.

A third NSO in the control room checked the display for the Reactor Building Equipment Drain Tank (RBEDT). He observed an increase in volume in the RBEDT, as indicated by a "right hand turn" on the chart recording and reported it to the NSO at the RWCU control panel.

The NSO asked the SCRE and SF how they wanted to isolate the RWCU. The SCRE and SF both agreed that the keys should be removed and to allow the isolation. The keys were removed and the automatic isolation occurred closing F001 and F004 valves. The NSO called the test engineer and told him that the valves were closing and to take electrical current readings.

Investigation of the tag number on the sightglass identified a relief valve on the B regenerative heat exchanger as having lifted when the RWCU system was shutdown and then reseated, after the RWCU isolation. The SCRE and SE determined that this event was not classified in the emergency plan, and the NRC was notified within four hours as per 10 CFR 50.72 (b)(2)(ii).

2.2 Time Line of the Event

The following event time line sequence was developed from interviews with the on-duty shift personnel, technical staff, copies of control room logs, and plant computer printouts.

Note: all times are Central Daylight Time

04/20/92

7:30 - 8:00 a.m.  Test engineer obtained permission from SE to perform the special test to cycle closed the F001 and F004 valves. Held individual discussions with SE, SCRE, and NSO regarding the special test.

8:40 a.m.  RWCU filters removed from service in preparation for special test.

8:46:34 a.m.  NSO at the RWCU control panel initiates closing valve F040.

8:46:48 a.m.  Valve F040 closed.

8:46:52 a.m.  NSO switched off RWCU pump B.

8:46:53 a.m.  NSO switched off RWCU pump A.

8:47:47 a.m.  High differential flow alarm sounded.

NSO checked front panel instrumentation; it appeared normal.

NSO asked SF (SRO) for permission to bypass RWCU isolation.

SF (SRO) decided to bypass isolation by using key switches.

8:48 a.m.  Keys handed to second NSO and he went to back panel where key switches are located.

8:48:30 a.m. (approx.)  Keys were inserted into the isolation bypass key switch and were turned to the bypass position.

NSO at the control panel requested equipment attendant to check if a relief valve had lifted on the RWCU regenerative heat exchangers.

Second NSO at the rear panel observed RWCU differential flow meter at ~95 gpm and communicated this to first NSO at the RWCU control board.

Third NSO saw RBEDT level increasing at the 131 panel and communicated this to first NSO.

Equipment attendant saw flow through a regenerative heat exchanger relief valve discharge line sightglass and reported this to the control room.

NSO at the RWCU control panel realized there were three indications that the RWCU high differential flow alarm was not spurious and there was a leak from the system.

NSO asked SCRE and SF for direction on which way to isolate RWCU.

SCRE and SF directed taking the keys back to the normal position and allowing the system to automatically isolate.

8:51:01 a.m.  Removed keys to isolation bypass.

NSO called special test staff to take ammeter readings.

8:51:24 a.m.  RWCU isolated.

9:00 a.m. (approx.)  SF checked B regenerative heat exchanger relief valve and piping was still hot but cooling; verified the relief valve lifted and then reseated.

10:37 a.m.  SCRE notified NRC.

2.3 Analysis

There were a number of factors which contributed to human performance during the event. These are discussed in the following sections.

2.3.1 Teamwork / Command and Control. The teamwork in the control room and coordination were major factors in the ability to obtain needed information and determine the validity of the RWCU high differential flow alarm. The NSO performing the RWCU shutdown quickly directed other NSOs to obtain needed information in the control room. The NSO directed the local equipment attendant to check if there were any lifted RWCU relief valves in the plant. The NSO also coordinated with the technical staff who were in the plant to conduct the special test, suggesting they take ammeter readings to test status of valves as they were closing and verify the motor operators shut off.

The command and control within the control room were carried out in accordance with expected practices. The NSO asked for direction from a supervisor (SRO) related to bypassing the isolation. The SF (SRO) made the decision to bypass the isolation. The operating crew continued investigation of the alarm. When additional information was obtained that suggested there was a leak from the RWCU and the high flow alarm was not spurious, the NSO asked for direction regarding isolating the RWCU. He received direction from the SCRE (SRO) and the SF (SRO) to remove the bypass and allow the automatic isolation.

However, the control room hierarchy structure is perceived by the operators to have two paths for the chain of command (see Figure 1). The operators perceive the SCRE and the SF to be equivalent supervisors. This perception has the potential to lead to unclear roles and chain of command.

The coordination of the special test engineer with the control room operations personnel was conducted on an individual basis, with the test engineer speaking individually to the SE, SCRE, SF, and the NSO responsible for RWCU shutdown. Shutdown of the RWCU had been accomplished many times before and was not considered a special or difficult task. However, automatic isolations of the RWCU due to spurious signals were not unexpected - the daily orders (04/18 to 04/20, 1992) and RWCU operating procedure suggested that there may be spurious alarms. This is a case where prior planning of what to do if there was an isolation signal would have been helpful. There was a precaution in the special test procedure that indicated that the isolation valves should not close without thermal overload protection, implying that the valves should not be shut automatically, but should instead be shut manually by the control room operators. Prior planning, discussed with all relevant crew personnel as a group, would have taken into account the special test procedure precaution and determined what would be the most appropriate plan of action if an isolation signal was received.

Another aspect of command and control was the availability and control of the keys used to bypass the ESF. Keys were readily available in the control room as they were left in key switches on the front panel. Keys could also be used in multiple key switches; a single key was not dedicated to a single use. The availability and multiple use capability suggests a lack of control of the keys that can be used to bypass ESF actuations.

2.3.2 Procedures. This event occurred over a relatively short amount of time, spanning three to four minutes. The control room operators performed all recovery actions without consulting applicable procedures. This did not pose a problem during the initial bypassing of the isolation or the diagnostics leading to the discovery that inventory was being lost. However, a decision was made to allow automatic isolation of the system when procedures would have directed manual isolation providing additional protection in the circuitry for the motor-operated valves.

There were a number of issues that related to procedures during the event. The execution of the RWCU shutdown procedure, LOP-RT-03, included a step with two sub-steps which directed the operator to stop the pumps and close the valve. The operators understood that procedures were to be performed in the step sequence given unless specifically exempted in the procedure. However, they did not have a common understanding whether or not sub-steps were to be performed in order. There was ambiguity as to when the sub-steps could be performed in any order versus when sub-steps must be performed in the given sequence. In this case, the switch was turned to close the valve before the switches were turned to stop the pumps, the reverse order from what was stated in the procedure. This resulted in the pumps running with no flow and maximum discharge pressure. The higher pressure may have contributed to lifting the relief valve though no pressure spike was observed by the NSO because the pressure reading in the control room came from instrumentation which was downstream of the closed valve.

Operators reported that the procedures were constantly changing and were revised frequently. It was also reported that there was great detail in the procedures which upon occasion affected the operators' ability to identify and locate the needed procedural step. These reports suggest that operators question the usability of the procedures.

The special test procedure, LTP 1042, "U-2 Rerctor Water Cleanup MOV Cycle Test During P! ant Startup," contained an ermneous precaution that a valvc opemtion without thermal -

overloed protection could damage the motor or the valve. This indicated that an auteniatic isoiation L

may have created an un-isolable reactor coolant system (RCS) leak prior to torque and limit switch -

setpoint verification. Later, the test engineer stated in the interview that the valve would not have I

been damaged if automatic isolation occurred. However, the operators were not aware of thht at the time of the event.

m It would have been helpful if the special test pmcedure addressed operator response to or recovery from an isolation signal and differential flow alarm condition. There is no requirement

..for test procedures to have a " Recovery" section.

The alarm resp use procedures for both "LD RWCU FLOW HI" Div i and 2 do not 1

mention the use of reat papel RWCU differential now meter, the RBEDT indications, local area-radiation monitors area temperatures, or dispatching personnel to the area for determining alarm validity. The", art some of the indications that might be used to assist in determining alarm l --

13 i

l

- - __ _ _ _., _,. -. _ _ _ _ _ _ _ _. _ _.. _. ~. _. ~,

validity. He alarm response procedures do not provide criteria for use of the bypass keys, nor do they reference other procedums where criteria might be present.

The " Conduct of Operations" pnxed tre, IAP-1600-2, addresses temporarily withdrawing systems from operation when it is apparent that continued operation would aggravate the plant condition. There is ambiguity in whether or not this statement includer engineered safety feature (ESP) equipment or actuation or under what conditions the statement applies.

After the event, the SE verbally instructed his crew that ESF signals shall not be bypassed in the future. Therefore, this one crew has been instructed not to bypass ESF, but it is unclear that other crews have been similarly informed. It would be helpful to operators for this statement of policy and its associated actions to be included in appropriate operating and administrative procedures, rather than as only a verbal instruction that may be forgotten or confused. It would also ensure that all operating personnel were informed.

2.3.3 Decisionmaking. The decision made to bypass the RWCU high differential flow alarm isolation signal was not based on specific procedural steps but was based on existing knowledge about systems, processes and plant conditions. The decision to bypass the isolation signal, then, was a knowledge-based decision (Rasmussen, 1983). Various factors were influential in making this decision. A major factor was the previous experience of the operators with spurious signals and alarms regarding the RWCU differential flow. Operators reported that the high differential flow alarm had activated before, and in many cases it cleared before the 45-second isolation timer had timed out. This previous experience with spurious alarms was written into the daily orders (04/18 to 04/20, 1992) where it was stated that differential flow alarms were expected during startup and "we should however try to prevent these isolations from occurring (it is a lot less hassle)." It was reported that operators were criticized for not preventing a RWCU isolation when the valves' limit and torque switches malfunctioned and motor damage resulted (on April 7).

The factors that contribute to making decisions, such as the decision to bypass the automatic RWCU isolation, can be complex. Some researchers have suggested that decisions are made by generating alternatives and weighing the advantages and disadvantages of each before deciding which alternative to carry out. Recent studies, however, indicate that experienced operators (such as firefighters and military commanders) rely more upon their recognition of similar situations than on a linear progression of decision making through a search for, and evaluation of, options (Klein, 1989). The decision to bypass RWCU isolation, given the previous spurious high differential flow alarms, may be an example of such a "recognition primed decision." The operators appeared to rely on the ability to recognize and classify a situation as "that" kind of situation, and then determined a way of reacting to the classified situation. In general, the response may be based on what the typical response is, what the most recent response was, what responses are available, or other factors. In this event, the high differential flow alarm, with normal indications, appeared to "fit" the situation of spurious alarm. The response may have been based on recent experience, that is, the knowledge that the isolation valve motors burned up when the system isolated two weeks previously, influencing the control room personnel to bypass the isolation rather than experience potentially burned valve motors or valve damage. The pattern looked familiar and the response was based on that identification and classification of the situation.

The decisionmaking process can be aided by determining appropriate responses to possible (or even likely) events, such as holding a prebriefing with crew members to discuss what should be done under certain circumstances. If decisionmaking is actually based on recognizing patterns, then the decisionmaking process may also be aided by exposing operators to a number of different situations, via training and simulation, to enhance their abilities in identifying unusual situations and the most appropriate responses to them. It is also possible to require operators to look at different combinations of instruments that may allow them to assess the current pattern.


There was a second decision based on additional information, approximately three minutes later, to remove the bypass and have the system isolate automatically. The additional information of readings from the differential flow meter, from the RBEDT chart, and the equipment attendant report resulted in the knowledge-based decision to remove the bypass. The operators might have decided to shut the isolation valves manually, thereby ensuring thermal overload protection. However, having determined that the RWCU should be isolated, the control room operating personnel acted to recover from (i.e., "undo") the initial bypass decision by removing the bypass via the key switch.

2.3.4 Knowledge-based Behavior. The actions performed by the control room personnel were primarily knowledge-based actions. The knowledge-based actions included using the key to bypass the RWCU isolation signal; gathering additional information from control room instrumentation and outside the control room to determine the validity of the high differential flow alarm; directing the equipment attendant in the plant to check locally for relief valve lifting indications; directing the technical staff on hand locally for the special test to check the isolation valve motor controller to ensure the motor had stopped.

Knowledge-based behavior is characterized by cognitive processing of existing knowledge of systems and processes. The knowledge is a result of experience and training. An operator's knowledge base will support the use of procedures (i.e., rule-based behavior). It is acknowledged that error probabilities are higher for knowledge-based behavior than for rule-based behavior.

Good procedures will identify what the appropriate situation is and what should be the response to that situation. If there is no procedure, a situational match is not specifically identified and will be left to the individual operator's ability to identify it as "that" kind of situation. In this event, knowledge-based behavior contributed to the decision to bypass the isolation. Knowledge-based behavior also contributed to gathering and processing of additional information to determine alarm validity. The NSO's knowledge base regarding the system, processes and plant conditions included knowledge that indications of a relief valve lifting might be present in the plant, and led to directing the equipment attendant to look for signs of a lifted or open relief valve. The knowledge base also led to suggesting to the test personnel that they take ammeter readings to assess the status of the MOVs.

In this event, knowledge-based behavior led to positive, quick-thinking actions to determine alarm validity and appropriate response. However, each operator's knowledge base is different and, if their knowledge base was the only support available, other operators may not have had the same quick-thinking response. When actions are dependent on knowledge-based reasoning, operators are more prone to making decisions and taking actions without considering all possible alternatives and their consequences.

2.3.5 Human-Machine Interface. There were several human-machine interface (HMI) issues which contributed to the event. The primary instrument for displaying RWCU differential flow is located on the rear panel. In order to see that indicator, an operator must walk behind the rear panel. It would have been helpful to have that indicator on the front panel to check during the high differential flow alarm response and might also be helpful for the operator to be able to monitor the RWCU differential flow during system operation.

The RWCU flow and pressure instrumentation that was used to initially determine if the high differential flow alarm was valid did not contain sufficient information to make a correct judgment. The instrumentation that was subsequently used in the control room to determine if the high differential flow alarm was valid included the differential flow indicator, which is located on the rear panel, and the reactor building equipment drain tank (RBEDT) indicator, which is located approximately 15 feet from the RWCU controls area. Therefore, the available instrumentation needed to determine the validity of a RWCU differential flow alarm is located in various areas of the control room. In addition, as has been discussed, the operator needed to use knowledge-based reasoning in order to identify the instrumentation that would provide the indications needed.

Currently, those indications are not discussed in the procedures. There is no direct relief valve discharge line temperature indication in the control room. Such an indication would assist the operators in identifying a lifted relief valve flow in the line while remaining in the control room rather than relying on coordinating with equipment attendants in the plant to locate and identify discharge line flow.


3. REFERENCES

Klein, G. (1989). Recognition-primed decisions. In W. Rouse (Ed.), Advances in man-machine systems research (Vol. 5) (pp. 47-92). Greenwich, CT: JAI Press.

Rasmussen, J. (1983). Skills, rules, and knowledge: Signals, signs and symbols, and other distinctions in performance models. IEEE Transactions on Systems, Man, and Cybernetics, Vol. SMC-13(3), 257-266.
