ML20137Y540
| ML20137Y540 | |
| Person / Time | |
|---|---|
| Site: | Saint Lucie  |
| Issue date: | 11/05/1996 |
| From: | Boland A NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION II) |
| To: | Mark Miller NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION II) |
| Shared Package | |
| ML20137Y003 | List: |
| References | |
| FOIA-96-485 NUDOCS 9704230115 | |
| Download: ML20137Y540 (25) | |
Text
.
4 From:
Anne Boland i G To:
intemet:mmiller207@aol.com EL Date:
11/5/96 9:15am
Subject:
Info for Panel Hll We now have two issues on tommorrow's panel for St. Lucie - the one from Last week and a nep one from Lori Stratton. The issues for St. Lucie are scheduled to begin at 2:00 p.
e ' ht behind the other. The bridge number is 301-415-7605 t Opasscode IAlso, to avoid a long distance charge or use of your fede,ral
{
telephone ca ere is a 1-800 number you can call into HQ (1-800-368-5642)~. When the operator answers just tell them that you need to be transferred to the teleconference bridge. They will transfer you/it will answer /you'll get a tone /then input the passcode.
Be aware that we do have two issues in front of St. Lucie so we could run behind (THAT NEVER HAPPENS!!!).
The info on both issues is attached. Please send me a positive response that you got this and were able to access the attachments. (atb@nrc. gov). I've had trouble with the internet and attachment previously.
Didn't anyone ever tell you that this is a bad way to spend your vacationll!
i s
h!Wat:n in 12 rmrd clas dele'ed
[
in acco.de,0c vdh the Freedom of information-1 A;t, sempticcs96 W F01 A. _
9704230115 970417 PDR FOIA BINDER 96-485 PDR
.o t
ENFORCEMENT ACTION WORKSHEET i
INADEQUATE DESIGN CONTROL PREPARED BY: John W. York DATE: October 28, 1996 NOTE: The section Chief of the responsible Division is respor.sible for preparation of this EAW and its distribution to attendees prior to an Enforcement Panel. The section Chief shall also be responsible for providing the meeting location and telephone bridge number to attendees via e-1 mail [ENF.GRP. CFE OEMAIL. JXL JRG, sHL. LFD: appropriate R!l DRP. DRs; appropriate NRR NMss).
A Notice of Violation (without "boilerplate") which includes the recommended severity level for the violation is required. Copies of applicable Technical specifications or license conditions cited in.the Notice or other reference material needed to evaluate the proposed enforcement action are required to be enclosed.
This Notice has been reviewed by the Branch Chief or Division Director and each violation includes the appropriate level of specificity as to how and when the requirement was violated.
Signature j
Facility: St. Lucie Unit (s): 1 and 2 Docket Nos: 50-335, 389 License Nos: DPR 67. NPF 16 Inspection Report No: 96 17 Inspection Dates: 10/7 11, and 10/15 18, 1996 i
Lead Inspector: John York i
1.
Brief Summary of Inspection Findings:
[Always include a short statement of the regulatory concern / violation. Reference and attach draft NOV. Then either summarize the inspection findings in this section or reference and attach sections of the inspection report. Inspectors are encouraged to unlize the Noncompliance Information Checklist provided in Enclosure 4 to ensure that the information gathered to support the violation is complete.]
The licensee replaced some safety related nuclear instrumentation drawers during the Unit 1 Outage. The drawers were wired backwards because of incorrect drawings.
Part of the root cause identified the lack of a proper independent verification as a potential cause.
This is a violation of 10 CFR 50 Appendix B Criterion III In examining the safety aspects of this event, one additional example of inadequate design verification was identified for BEACON on line core performance monitoring system.
In addition to the wiring problem for the drawers, the maintenance group connectea the field cables for an NI backwards because the markings on the connectors were different than on the previous detectors.
An NOV was written for failure to write a Condition Report (discrepancy report) and resolve this problem prior to installation of the detector.
See attached IR feeder and proposed NOV for details.
i PROPOSED ENFORCEMENT ACTION - NOT FOR PUBLIC DISCLOSURE WITHOUT THE APPROVAL OF THE DIRECTOR, OE
ENFORCEMENT ACTION WORKSHEET 2.
Analysis of Root Cause:
Lack of control and procedural adherence in the licensee's program for preparing and implementing Plant Change / Modifications (PC/Ms).
3.
Basis for Se;.:rity Level (Safety Significance):
[ Include example from the supplements, aggregation, repetitiveness, willfulness, etc.]
Aggregation of examples and application of Supplement I. C.7. a breakdown in the control of licensed activities involving two violations that are related that collectively represent a potentially significant lack of attention toward licensed activities.
L The safety significance of reversing the detector inputs to the NIS l
drawers substantially reduced the safety margin between the TM/LP trip setpoint and the analysis limit even considering the increased TM/LP margin to the trip setpoint due to actual core operating conditions.
)
4.
Identify Previous Escalated Action Within 2 Years or 2 Inspections?
[by EA#. supplement, and Identification date.]
l EA 96-249 - Inadequate 50.59 did not identify USQ. 7/12/96 EA 96-040 - Boron Overdilution Event. Supplement 1. 1/22/96 EA 95-180 - Inoperable PORVs due to Inadequate PMT, Supplement 1. 8/4/95 l
l.
5.
Identification Credit? No The miswired NI drawers were identified through an event (the failure to have the system respond properly), i. e. the analysis of the data by Reactor Enginecring discovered the miswi 'ing of the NI drawers but the the drawing should have been discciered in the design control error proces.
The desigr, error associated with BEACON was identified through routine comparisons of actual plant data with predicted data. This error could have been discovered in the design control process.
(
Enter date Licensee was aware of issues requiring corrective action:
l 7/30/96 u.
Corrective Action Credit? Yes Brief summary of corrective actions:
l In response to the issue, the licensee adopted corrective actions which included:
l For immediate action the licensee prepared a change request for e
the modification package and channels A.C. ~and D were reconnected and testing was performed to verify proper NI response.
e A root cause/self assessment and training meeting for the
[
Engineering Department emphasizing importance of proper design PROPOSED ENFORCEMENT ACTION - NOT FOR PUBLIC DISCLOSURE WITHOUT THE APPROVAL OF THE DIRECTOR, OE
ENFORCEMENT ACTZCN -
I WORKSHEET verification and importance of questioning attitude.
Tape was produced of this meeting for future engineering training, Procedures (Engineering Quality Instructions) were revised to (1) e require all critical aspects be verified during the PC/M. (2) emphasize that the same level of verification is required for l
PC/Ms duplicated for the second unit, and (3) reinforce the verification requirements for safety related drawings.
Walkdowns will be conducted (linear NIs) to revise any design e
1 documentation and tagging.
ASI targets will be established for future trending of ASI during power ascension.
i Require cross-disciplinary reviews of design inputs e
Better documentation of assumptions in core design inputs and e
codes Explain application of corrective action credit:
y Corrective action appears to be of appropriate scope.
7.
Candidate For Discretion? NO j.
Explain basis for discretion consideration:
Since actual power conditions did not exceed trip setpoints, no escalation is warranted.
Several examples of licensee's declining performance in enginecring does not warrant mitigation.
8.
Is A Predecisional Enforcement Conference Necessary? Yes 4
i i
Why:
To determine adequacy of licensee's proposed long-term corrective actions regarding backward looks at modifications performed prior to the Unit 1 outage. This included discussions of other modifications that l
may not have been independently verified.
If yes, should OE or OGC attend?
[ Enter Yes or No]:
Should conference be closed?
[ Enter Yes or No]:
9.
Non Routine Issues / Additional Information:
b i
~
l PROPOSED ENFORCEMENT ACTION - NOT FOR PUBLIC CISCLOSURE c
WITHOUT THE APPROVAL OF THE DIRECTOR, OE
t ENFORCEMENT ACTION
-4 WORKSHEET 1
10.
This Action is Consistent With the Following Action (or Enforcement Guidance) Previously Issued:
[EICS to provide] [If inconsistent, include:)
Basis for Inconsistency With Previously Issued Actions (Guidance)
+
11.
Regulatory Message:
4 Positive control must be established and maintained over the design a
i process, with particular emphasis on properly performing independent design verification.
12.
Recommended Enforcement Action:
SL III 13.
,This Case Meets the Criteria for a Delegated Case. [EICS - Enter Yes or No) 14.
Should This Action Be Sent to OE For Full Review? [EICS - Enter Yes or No)
If yes why:
2 15.
Regional Counsel Review [EICS to obtain)
No Legal Objection Dated:
16.
Exempt from Timeliness: [EICS)
Basis for Exemption:
Enforcement Coordinator:
DATE:
PROPOSED ENFORCEMENT ACTION - NOT FOR PUBLIC DISCLOSURE WITHOUT THE APPROVAL OF THE "lRECTOR, OE
l.-
ENFORCEMENT ACTION WORKSHEET -ISSUES TO CONSIDER FOR 01SCRET10N o
Problems categorized at Severity Level I or II.
l o
Case involves overexposure or release of radiological material in excess of NRC requirements.
o Case involves particularly poor licensee performance.
o Case (may) involve willfulness.
Information should be included to address whether or not the region has had, discussions with 01 regarding the case, whether or not the matter has been formally referred to 01, and whether or not 01 intends to initiate an investigation.
A i
description, as applicable, of the facts and circumstances that address the aspects of negligence, careless disregard, willfulness, and/or management involvement should also be included.
a Current violation is directly repetitive of an earlier violation.
a Excessive duration of a problem resulted in a substantial increase in risk.
a Licensee made a conscious decision to be in noncompliance in order to obtain an economic benefit.
o Cases involves the loss of a source.
(Note whether the licensee self-identified and reported the loss to the NRC.)
o Licensee's sustained performance has been particularly good.
o Discretion should be exercised by escalating or mitigating to ensure that the proposed civil senalty reflects the NRC's concern regarding the violation at issue and tlat it conveys the appropriate message to the l
licensee.
Explain.
i l
PROPOSED ENFORCEMENT ACTION - NOT FOR PUBUC DISCLOSURE WITHOUT THE APPROVAL OF THE DIRECTOR, OE l'
' ~
REFERENCE DOCUMENT CHECKLIST l
l
[-]
NRC Inspection Report or other documentation of the case:
NRC Inspection Report Nos.:
[]
Licensee reports:
[]. Applicable Tech Specs along with bases:
L
[]
' Applicable license conditions
[]
Applicable licensee procedures or extracts 1
[]
Copy of discrepant licensee documentation referred to in citations such as NRC. inspection record, or test results i
[]
Extracts of pertinent FSAR or Updated FSAR sections for citations involving 10 CFR 50.59 or systems operability
[]
Referenced ORDERS or Confirmation of Action Letters
[]
Current SALP report summary and applicable report sections
[]
Other miscellaneous documents (List):
l PROPOSED ENFORCEMENT ACTION NOT FOR PUBLIC DISCLOSURE WITHOUT THE APPROVAL OF THE DIRECTOR, OE
~
NI INSPECTION ST. LUCIE-October 7-18, 1996 l
On July 30, 1996. St. Lucie Unit 1 was operating at approximately 100 %
power when reactor engineering was analyzing the data taken during power ascension and noted an anomaly in the results.
The data indicated three of the four exccre linear detectors measured core power moving to the top of the core during power ascension. This was an unexpected 3henomena and (iid not agree with the trend of the power moving to the Jottom of the core indicated by RPS Channel B Linear Range Detector.
Control Channel #9 Linear Range Detector, and the BEACON Core Power Distribution Monitoring System.
Evaluation of the data collected indicated that RPS Channels A.C and D could have reversed (rolled) leads of the top and bottom chambers input to the RPS drawers.
The modification performed during the outage associated with this problem was No. PC/M 009-195.
During the outage, the licensee replaced the power range NI drawers for the Reactor Protection System (RPS) with new Gamma Metrics drawers.
This modification combined the linear power range input to the RPS and the logarithmic wide range channel into a single drawer i.e. reduced the number of drawers on Unit 1 from eight to four.
This modification increased the limits of the instruments range and replaced aging equipment.
Engineering Verification-Root Cause A design error was responsible for the reverse connection (rolled leads) on four NI safety related drawers on Unit 1.
The Controlled Wiring Diagram (CWD). no. JPN-009-195-001/002 depicted the upper Uncompensated Ion Chamber (VIC) connected to the lower VIC input at the NI drawer.
The root cause noted that the designer and the iead engineer interpreted conflicting information on the existing CWDs and made an assumption.
The independent verification may have caught this error had the process been properly performed.
The drawings were prepared by the lead designer with input from the lead engineer.
The drawings were then checked by a second designer who had no special knowledge of the NI design. This check was essentially a drafting check. The drawings were then reviewed by the lead designer and then by the engineering supervisor.
Engineering Quality Instructions (01)'1.7. Design Input / Verification.
l dated July 5.1995, states in part that " Design verification is the
)
. process whereby a competent individual, who has remained independent of the design process, reviews the design inputs...
and design output to 1
verify design adequacy.
This independent review is provided to minimize the likelihood of design errors in items that are.important to nuclear safety." Contrary to this requirement the first reviewer could not be considered as competent because he was not an engineer as required by J
i PROPOSED ENFORCEMENT ACTION - NOT FOR PUBLIC DISCLOSURE l
WITHOUT THE APPROVAL OF THE DIRECTOR, OE
2 01 1.7 and the lead engineer as the third reviewer could not be considered to have remained independent of this design project.
One of the action items to prevent recurrence was to check all the I&C and electrical PC/M to see if all the drawing approval signatures could
. qualify as independent verifiers.
The licensee found three out of.eight open modifications where this was a potential problem, two of these modifications were electrical and one was I&C.
This therefore is not an isolated case.
This failure to perform independent verification according to procedure is identified as example one of violation 50-335/96-17-XX. Failure to Control the Design Process According to the Requirements of 10 CFR 50. Appendix B. Criterion III.
BEACON Core Power Distribution Monitoring System.
The licensee had installed BEACON during this refueling outage to replace the older IMPAX code used for in-core flux monitoring. BEACON provided several significant improvements over IMPAX one being real-time flux profile monitoring. This improvement permitted reactor engineering to identify the NIS problem quickly and initiate prompt corrective actions.
During power operations, reactor engineering used BEACON to obtain the actual in-core flux profile.
The actual in-core flux profile was then used to verify compliance with Technical Specifications and provide calibration information for the excore NIS drawers. As part of. these routine surveillances, reactor engineering compares actual in-core fiux arofile to the in-core flux profile. predicted by the core design code.
Reactor engineering noted larger than normal errors between actual and predicted in-core flux profile.
Because BEACON used the same neutronics engine as used in the core design code, reactor engineering could not explain the error and notified the corporate core design engineers. As part of the process to resolve these errors. it was discovered that a simplifying assumption, used to overcome limitations of the IPPAX. was not accounted for in the original design of BEACON.
Ihis simplifying assumption was used because the licensee had changed the fuel design to incorporate a longer end cap to prevent debris induced fuel failures.
This longer end cap raised the overall core height by 2.64" causing an offset between detector midplane and actual core midplane. The IMPAX -
code assumed detector midplane was along core midplane and could not accommodate the 2.64" offset. Therefore, the licensee, after discussion with the fuel vendor (Siemans), used this simplifying assumption to essentially lower the core midplane by 2.64" so that final design output would be referenced to detector midplane: not core midplane.
- However, the engineer preparirq the design in)ut for BEACON was not aware of this simplifying assumption consequently 3EACON was referenced to core midolane resulting in an increased error between~the core design predicted in-core flux profile and actual in-core flux profile.
PROPOSED ENFORCEMENT ACTION NOT FOR PUBLIC DISCLOSURE WITHOUT THE APPROVAL OF THE DIRECTOR, OE
3 The licensee's root cause evaluation identified lack of cross-discipline review as the significant contributor to this design error.
The inspector concurred with the licensee's evaluation.
Engineering Quality Instructions (QI) 1.7. Design Input / Verification, dated. July 5.1995.
states in part that " Design verification is the process whereby a competent individual, who has remained independent of the design process, reviews the design inputs.... and design output to verify design adequacy. This independent review is provided to minimize the likelihood of design errors in items that are important to nuclear safety." Contrary to this requirement, the design inputs were not adequately reviewed by a competent individual in that the core midplane 4~
offset was not identified as a design input for BEACON. This failure to i
i perform an adequate independent design review for the BEACON system is identified as example two of violation 50-335/96-17-XX. Failure to Control the Design Process According to the Requirements of 10 CFR 50.
Appendix B. Criterion III.
The safety significance of reversing the detector inputs to-the NIS drawers substantially reduced the safety margin between the TM/LP trip setpoint and the analysis limit even considering the increased TM/LP margin to the trip set)oint due to actual core operating conditions.
The safety impact of t1e failure to identify the core and detector midplane offset on TM/LP or LPD safety limits was milimal.
j CONNECTOR SWAPS AT DETECTOR 6-CHANNEL B All four of the RPS Linear Range Detectors had the connectors reversed as previously discussed but the B channel unlike the other three channels was giving the correct data.
At the same time that the drawers were being replaced on Unit 1. the detector for channel B (detector no.
- 6) was being replaced as a maintenance activity.
During connection of 1
the field cables, the connections were reversed for the upper and lower i
detection chambers, thereby causing the B channel to record properly.
i The root cause for the swap of the cables was that the new detector had different labeling than_ the existing cables.
The existing cables were labeled TOP SIG and B0T SIG. and the new detector had A and B.
The inspectors discussed this maintenance job with the I&C supervision who had supervised the latter part of this maintenance project.
Several opportunities were ) resented to the maintenance personnel, one when the detectors were checced out in the warehouse and a second time when this condition was noted in the field.
Maintenance personnel should have resolved the labeling problem by writing a Condition Report (CR) and having a formal resolution.
Administrative Procedure No. 0006130. Condition Reports, rev. 4. dated March 22. 1996. Par. 8.1.1.A states in part that "Any individual who becomes aware of a problem or discrepant condition
.. should initiate a PROPOSED ENFORCEMENT ACTION - NOT FOR PUBLIC DISCLOSURE WITHOUT THE APPROVAL OF THE DIRECTOR, OE
4 CR.
If doubt exists, a CR form should be initiated".
This failure to comply with the requirements of the administrative procedure is identified as violation 50-335/96-17-YY Failure to Initiate a Condition Report for Labeling on Safety Related Detectors.
s i
1 PROPOSED ENFORCEMENT ACTION - NOT FOR PUBLIC DISCLOSURE WITHOUT THE APPROVAL OF THE DIRECTOR, OE
Violation 1 with two examples.
10 CFR 50 A)pendix B. " Quality Assurance Criteria for Nuclear Power i
Plants and uel Reprocessing Plants." Criterion III requires, in ] art.
I that... design control measures shall provide for verifying or clecking the adequacy of design, such as the 3erformance of design reviews..The verifying or checking process shall
)e Jerformed by individuals or groups other than those who performed tie original design, but who may be from the same organization.
FPL Topical Quality Assurance Report. TOR 3.0. revision 11. " Design Control." Section 3.2.4. " Design Verification." stated, in part. " Design control measures shall be established to independently verify design input... Design verification shall be performed by technically qualified individuals or groups other than those who performed the design.
Engineering Quality Instructions 1.7 " Design Input / Verification." rev.1.
dated July 5,1995, states in part. " Design verification is the process whereby a competent individual, who has remained independent of the design process, reviews the design inputs..
and design output to verify design adequacy.
Contrary to the above:
1.
Contrary to the above, on July 30, 1996, it was discovered that a design change (PC/M 009-195) was completed without an independent design verification by a competent individual.
Design change PC/M 009-195 to install new Gamma Metrics Nuclear Instrumentation drawers was completed by a lead designer and a lead engineer.
This design change was independently verified by a second designer who had no'special knowledge of the design.
A engineering supervisor approved the design.
Neither the second designer or 1
engineering supervisor had remained independent of the design process.
2.
Contrary to the above. on July 30, 1996. it was discovered that an independent design review was not conducted for the installation of a new core flux monitoring computer code BEACON.
During initial operation of BEACON it was found that the code did not i
compensate for a core mid-plane offset created by a previous core modification. The engineer who prepared the design was not aware of the core mid-plane offset and the independent review of the new BEACON code did not identify this omission.
Violation 2
. Technical Specification 6.8. Procedures and Programs, paragraph 6.8.1 requires in part that written procedures recommended in Appendix A of Regulatory Guide 1.33 revision 2. February 1978. shall be established, implemented..
PROPOSED ENFORCEMENT ACTION - NOT FOR PUBLIC DISCLOSURE WITHOUT THE APPROVAL OF THE DIRECTOR, OE
2 Administrative Procedure No. 0006130. Condition Reports, revision 4.
dated March 22, 1996. Paragraph 8.1.1.A states in part that "Any individual who becomes aware of a problem or discre] ant condition...
should. initiate a CR.
If doubt exists, a CR form s1ould be initiated" Contrary to the above on July 30, 1996. Instrument and Control _
technicians installing a plant design change (PC/M 009-15) did not initiate a condition report when they became aware of a discrepant condition concerning incorrectly marked cables.
They continued to install the modification and an error was made that resulted in cross-wiring of the nuclear instrumentati.on system.
l 1
l i
PROPOSED ENFORCEMENT ACTION - NOT FOR PUBLIC DISCLOSURE WITHOUT THE APPROVAL OF THE DIRECTOR, OE
T i
CHRONOLOGY 1.
}
UNAUTHORIZED INDIVIDUAL ENTERING THE PA AFTER TERMINATION
.7/28/96 Employee terminated.
l
-8/19/96 CR 96-2041 identifies an individual having access to the site,12 days after termination.
4 9/19/96 PSL Access Coordinator identifies employee terminated and removes i
the individual's access (along with 2 others). but fails to notify Security.
10/7/96 TPN contact's PSL Access Coordinator to process this individual for l
TPN access.
2 10/9/96 During the processing of this individual. the PSL Access Coordinator notices that the employee's last badge use date is.
2 after his t'ermination date.
Further review reveals the individual had entered the PA.on 5 occasions (3 different days).
Upon interview of the individual, the licensee learns he returned for an interview on one occasion. However. on the other occasions,
{
came back to talk to other people in general. 'The Access Coordinator notifies the security supervisor, who determines the event as non-reportable.
10/11/96 The Security Manager learns of the situation and logs the event in the licensee's SEL.
CR is generated.
10/16/96 The licensee determines the event to be one hour reportable.
Call made to Region II (Stratton) and OPS Center.
PROBLEMS:
1.
, Procedure does not provide a form / checklist for termination.
2.
Procedure denotes responsibility to the individual, their supervisor, and human resources to notify security upon termination.
All three H
individuals failed to do so.
q 3.
- No training on the procedure.
Limited distribution of the procedure, however, the procedure is available to anyone.
3 Access Coordinator's failure to notify security and recognize the
. seriousness of the situation and failure to log the event in the licensee's SEL.
4.
Security's failure to one hour report the event after learning the individual had entered the protected area.
IR 96-16 (tampering event report) also identified a violation for failure to report.
4 5.
The licensee's missed opportunity to investigate / correct the problem when CR-2041 was identified.
This was a precursor to the event.
6.
If the individual had not processed in at PSL. the problem may not have been identified, and the licensee would still not know an unauthorized individual had entered the PA.
7.
Corporate QA had responsibility to ensure compliance with this procedure.
No evidence that was ever initiated.
j 8.
This problem is FPL wide.
PTN also has identified individuals who had access after they were terminated.
No other individuals who had access i
after termination entered either site.
Responsible organizations who failed to notify Security included Engineering. MIS. Human Resources.
.~
9.
Numerous severance packages are being offered in conjunction with many j
i terminations at FPL 10.
Security's inadequate investigation of the event in that, the two people identified by the individual as being visited on the days when the individual accessed the site were interviewed.
That's all that was done as far as Security's investigation. Upon independent inspection, this
)
i ins)ector learned that the two individuals spent approximately 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> I
wit 1 the individual. 1.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> on 8/15 and 15 minutes on 8/7.
According to access records, the employee was in the protected area as follows:
8/7/96 12:02 - 12:45 (43 minutes) 4 8/7/96 12:59 - 14:28 (30 minutes) 8/7/96 14:37 - 17:15 (2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> 38 minutes) 8/9/96 10:07 - 13:37 (3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> 30 minutes) 8/15/96 12:47 - 17:37 (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> 50 minutes)
Approximately 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> inside the protected area are unaccounted for.
11.
Individual had PA and VA access.
Did not enter any VAs during the times noted above.
The licensee also identified that BEACON was placed into service on Unit I without any l
benchmarking against IMPAX, the on-line core performai:ce monitoring code BEACON was replacing. Instead, BEACON was installed on Unit 2 and benchmarked against CECORE, which did not require any modifications to accommoda'.e the core midplane offset.
Engineering Quality Instruction (QI) 3.7, Computer Scftware Control, revision 1, Section 5.4.
requires that SQAl software shall be validated and verified (V&V'ed) in accordance with Section 5.6. Section 5.6 states that new software shall be V&V'ed prior to use. V&V l
includes the use of test cases to ensure the new software produces correct results. Item 4 of Section 5.6 states that technical adequacy shall be determined by comparing the test case to results from alternative methods such as functionally equivalent and previously validated software. In the case of BEACON, IMPAX would have been functionally equivalent software. Benclunarking BEACON against IMPAX may have identifed the design error 1
concerning core midplane offset because the two codes would not have yielded the same results. Contrary to this requirement, BEACON was placed into service on Unit I without benchmarking against IMPAX. This is a Severity Level VI violatien.
NOTE TO PANEL: This could be considered another example of inadequte PMT as identified in EA 95-182. V&V is the post-mod acceptance test for software.
J d
4 r
i i
1
)
- ~ _
.. _ ~. - -
_ _ ~. - - - - -
. - ~.
ENFORCEMENT ACTION WORKSHEET INFORMATION REOUIRED TO BE AVAILABLE FOR ENFORCEMENT PANEL ST. LUCIE UNAUTil0RIZED ACCESS PREPARED BY: Lori Stratton DATE: 10/30/96 NOTE: The Section Chief of the responsible Division is responsible for preparation of this questionnaire and its distribution to attendees prior to an Enforcement Panel. The Section Chief shall also be responsible for providing the meeting location and telephone bridge number to attendees via e-mail [ENF.GRP. CFE. OEMAIL.
JXL JRG SHL. LFD; appropriate RII DRP DRS: appropriate NRR. NMSS). A Notice of Violation (without "boilerplate") which includes the recommended severity level for the violation is required. Copies of applicable Technical Specifications or license conditions cited in the Notice or other reference material needed to evaluate the proposed enforcement action are required to be enclosed.
i This Notice has been reviewed by the Branch Chief or Division Director and each violation includes the appropriate level of specificity as to how and when the requirement was violated.
Signature 1.
Facility: St. Lucie l
Unit (s): 1 and 2 Docket Nos: 50-335, 50-389 License Nos: DPR-67. NPF-16 Inspection Report No: 96-19 Inspection Dates: 10/21 - 10/25/98 Lead Inspector:
L. Stratton 1.
Brief Sumary of, Inspection Findings:
A.
10.CFR 73.55(7) requires that licensee's shall establish an access authorization system to limit unescorted access to vital areas during non-emergency. conditions to individuals who require access in. order to perform their duties.
The licensee's Physical Security Plan (PSP). Revision 48. dated 2/23/96 states. "Only those individuals with identified need for access and having appropriate authorization, shall be granted unescorted Vital Area j
access."
Contrary to the above, from July 28. 1996 to September 19. 1996 an
I individual whose employment terminated on July 28, 1996, had unescorted access to protected and vital areas without appropriate authorization. In addition, on August 7: August 9: and August 15, 1996, that individual entered the protected area and had access to vital
{
areas.
w..
=
.,. -. _ -.. - - - _ - -.. _. ~ - - -. -.-
Also, three other individuals had unescorted access to the protected and vital areas after they were terminated from the period of July 27 to September 19, 1996, without appropriate authorization. However, those individuals did not access the protected or vital areas.
-l B.
10 CFR 73. Appendix G. states that an actual entry of an unauthorized
_ person into a protected area or vital area be reported within one hour i
of discovery.
10 CFR 73. Appendix G states that any failure, degradation, or discovered vulnerability in a safeguards system that could have allowed unauthorized or undetected access to-a protected area'or a vital area' had compensatory measures not been established. be recorded within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of discovery in the safeguards event log.
Contrary.to the above, on October 9. 1996. the licensee discovered that an individual had been terminated on July 28, 1996, and had entered the protected area on five different occasions.-yet failed to make a report within the one hour timeframe. In addition, on September 19. 1996, the l
licensee discovered three individuals who had previously been terminated on July'27, July 28.'and August 24. 1996 that had access to the protected area and failed to report that discovery in the safeguards event 109
~ 2.
Analysis of Root Cause:
Violation A:
i l
Responsible organizations failure to adhere to Administrative Procedure (AP) 0010509, " Personnel and Material Control." Revision 18. dated 9/30/96 and notify security when individuals were terminated. Also those organizations' l
inadequate review of the 31 day vital area access lists.
!L l_
Violation B:
Security's failure to implement Security Procedure (SP) 0006125. " Report of L
Safeguards Events." Revision 10. dated 10/9/96.-
l.
[ Include example from the l'
3.
Basis for Severity Level (Safety Significance):
supplements, aggregation, repeti tiveness, willfulness, etc.]
j Violation A: Supplement III. SL III l
('
The NRC Enforcement Policy states as example, "A failure or inability to i
j
' control access through established systems or procedures. such that an unauthorized individual (i.e., r,,,. authorized unescorted access.to the protected area) could easily gain undetected access into a vital-area from l
outside the protected area."
l-f
-y
,av.-
r-r-
,m w
- - - - -, - - - - = < > - - =
Violation B: Supplement III. SL III The NRC Enforcement Po' icy states in Section 7.10. "The severity level assigned to the licensee's failure to submit a required, acceptable. and
- timely report on a violation that occurred at the licensee's facility is normally.the same as would be assigned to the violation that should have been reported. However, the severity level for submitting a late report may be reduced. depending on the individual circumstances.
NOTE: This is a first repeat of this violation with respect to failure to make a one hour report.
' 4.
Identify Previous Escalated Action Within 2 Years or 2 Inspections?
[by EA#, Supplement, and Identification date.] _
95-180; PORVs Inoperable Oue To Personnel Error. SL III 96-040: Dilution Event: SL III 96-249: Multiple Examples of Inadequate 50.59 Reviews: 3L III 5.
Identification Credit?
[ Enter Yes or No]: No Consider following and discuss if applicable below:
Licensee-identified Revealed through event NRC-identified Mixed identification Missed opportunities Violation A:
Security immediately removed the individuals' access when discovered.
However. The licensee missed an opportunity to evaluate their access program on 8/19/96. when Condition Report'(CR) 96-2041 was issued. This CR identified that an individual was presented a FPL severance package and his access was still valid 12 days later.
In addition, although Security did remove the individuals' access authorization, they missed an opportunity to validate that those individuals did not use their unauthorized access from the date of their respective terminations.
Violation B:
Several missed opportunities with respect to reportability occurred at St.
Lucie. (a) The security access coordinator on September 19 failed to notify any other personnel when he discovered three individuals had unauthorized access. Therefore, the event was not logged in the safeguards event log. (b)
When the security access coordinator learned on October 9 that one of the individuals he had earlier identified as having unatthorized access actually entered the protected area, he did notify his supervisor. However, the event was neither one hour reported nor logged in the safeguard event log. (3)
When the_ Security Manager learned of the event of October 11. a determination
= - -.., =...
J was made to put the event in the safeguards event log rather than make a one hour report. The event was eventually reported on October 16.
I,
)
i l
t t
s i
i T
i l
1 1
l l
.\\
i l
i 1
1
i i
A possibility exists that if the individual did not apply for a position at Turkey, Point and had his processing for that position conducted by the St.
. Lucie staff for convenience purposes, the problem would not have been l
identified. (See attached chronology for more specific details).
Enter date Licensee was aware of issues requiring corrective action:
I Violations A and B: September 19, 1996
)
l 6.-
Corrective Action Credit?
[ Enter Yes or No]: No.
Brief summary of corrective actions:
l Violation A:
Security immediately removed the individuals' unescorted access to the protected and vital areas.
FP&L inter-office correspondence dated October 25 to all responsible organizations that by COB 10/30/96. an access review and certification that all' individuals listed on the attached access lists are valid.
A comparison of a listing of 594 terminated individuals to the security j
computer to verify that unescorted access was correct, which was started October 17 and completed October 31. Out of those 594..three more 1
individuals were identified. Two individuals were identified for Turkey e
Point and one individual was identified with unauthorized access to both facilities.
i However, an inadequate assessment of CR 96 2041 which resulted in no L
specific corrective action could have identified to the licensee a j
problem existed'as early as 8/19/96. ' Also, again on 9/19/96, when the access coordinator discovered the three individuals who had unauthorized L
access. Finally on October 9 when the licensee discovered an individual l
had entered the protected area after termination, the licensee once again should have identified a problem existed with respect to terminations and unescorted access. Not until the period of October 16.
when the event'was called to the NRC to October 25, when CR 96-2496 was-i generated, did the 1.icensee recognize a significant problem existed.
Violation B:
The licensee did eventually determine a one hour report was warranted.
No other corrective action had been initiated. The corrective i
action generated by the violation cited in IR 96_16 was partially complete when the events occurred and fully completed prior to the i
L t
m
finish of the inspection. However, the corrective action for IR 96-16 was to change the procedure to include tampering events, whereas the cause of these violations was adherence to the procedure itself.
7.
Candidate For Discretion? [See attached list]
[ Enter Yes or No]:
Indeterminate.
The licensee's failure to report the event within one hour is a repeat i
violation.
8.
Is'A Predecisional Enforcement Conference Necessary?
[ Enter Yes or No]:
Yes.
Why:
To facilitate a better understanding of root cause and missed opportunities.
If yes should OE or OGC attend? [ Enter Yes or No]: Yes should conference be closed? [ Enter Yes or No]: No 9.
Non Routine Issues / Additional Information:
See attached chronology.
10.
This Action is Consistent With the Following Action (or Enforcemert Guidance)
Previously Issued:
[EICS to provide] [If inconsistent. include:]
Basis for Inconsistency With Previously Issued Actions (Guidance) 11.
Re'gulatory Message:
Encouragement of prompt identification and prompt comprehensive corrective action.
12.
Recommended Enforcement Action:
l.
Severity Level III and Severity Level ~ IV violation.
13.
This Case Meets the Criteria for a Delegated Case. [EICS - Enter Yes or No]
No 14.
Should This Action Be Sent to OE For Full Review? [EICS - Enter Yes or No]
No If yes why:
I
15.
Regional rAunsel Review [EICS] At the panel.
No Legal Objection Dated:
16.
Exempt from Timeliness: [EICS] No.
Basis for Exemption:
Enforcement Coordinator:
DATE:
i s
6
P ISSUES TO CONSIDER FOR DISCRETION Problems categorized at Severity Level I or II.
Case involves overexposure or release of radiological material in excess of NRC requirements.
Cat e involves particularly poor licensee performance.
Case (may) involve willfulness. Information should be included to address whether or not the region has had discussions with 01 regarding the case, whether or not the matter has been formally referred to 01, and whether or not OI intends to initiate an investigation. A description, as applicable, of the facts and circumstances that address the aspects of negligence.' careless disregard, willfulness, and/or management involvement should also be included.
Current violation is directly repetitive of an earlier violation.
Excess 4ve duration of a problem resulted in a substantial increase in risk.
Licensee made a conscious decision to be in noncompliance in order to obtain an economic benefit.
Cases involves the loss of a source. (Note whether the licensee self-identified and reported the loss to the NRC.)
Licensee's sustained performance has been particularly good.
Discretion should be exercised by escalating or mitigating to enstre that the proposed civil penalty reflects the NRC's concern regarding the vution at issue and that it conveys the appropriate message to the licensee. Gplain.
.