ML20154H317
| ML20154H317 | |
| Person / Time | |
|---|---|
| Site: | San Onofre  |
| Issue date: | 10/07/1998 |
| From: | NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION IV) |
| To: | |
| Shared Package | |
| ML20154H296 | List: |
| References | |
| 50-361-98-12, 50-362-98-12, NUDOCS 9810140143 | |
| Download: ML20154H317 (35) | |
See also: IR 05000361/1998012
Text
_ _ _ _ _ .. _ _ .-_ _ _ _ _ _ . . . _ _ _ _ . . _ _ . _ _ _ _ _ . . _ . _ _ _ _ . _ . . . . . _ . -
, , ,
i
ENCLOSURE 2 '
U.S. NUCLEAR REGULATORY COMMISSION
' REGION IV
Docket Nos.: 50-361;50-362
Report No.: 50-361/98-12; 50-362/98-12
Licensee: Southem California Edison Co.
Facility: San Onofre Nuclear Generating Station, Units 2 and 3
Location: 5000 S. Pacific Coast Hwy.
San Clemente, Califomia
Dates: . July 13-17,1998
Inspector (s): A. Bruce Earnest, Physical Security Specialist i
Plant Support Branch i
Approved By: Blaine Murray, Chief .
' Plant Support Branch
ATTACHMENTS:
Attachment 1 SupplementalInformation
Attachment 2 Facsimile from Licensee, dated September 24,1998
l
1
!
l
l
..
l
'
9810140143 981007 *
l gDR ADOCK 05000361
PDR .
.
- , . . - . . - - , . , , - - . -- -, - ,
. . . . - _- - --_- _- -_ - . - .
_ -- . - . - - ..~ - - -
. .
2-
l
EXECUTIVE SUMMARY j
l San Onofre Nuclear Generating Station, Units 2 and 3
NRC Inspection Report 50-361/98-12; 50-362/98-12
This routine, announced inspection focused on the licensee's physical cecurity program. The
areas inspected included access authorization / fitness-for-duty, personnel access control,
compensatory measures, assessment aids, onsite review of event reports, and followup of
previously identified items.
Plant Sucoort
. A noncited violation of 10 CFR Part 26 and security procedures was identified for failing
to complete a fitness-for-duty drug screen prior to granting access to an individual who ;
was not fit-for-duty (Section S1.1). l
l . A noncited violation of the physical security plan and security procedures was identified
l
for failure to control personnel access control to a vital area (Section S1.2).
l . A violation of the physical security plan and security procedures was identified for failing
l to adequately compensate for three separate failures of the security computer system
l (Section S2.1).
. A noncited violation of the physical security plan was identified for two instances of
l
inattentive security officers manning the guard towers (Section S2.2).
. A violation of 10 CFR 50.9 was identified involving the submittal of inaccurate
information to the NRC (Section S8.1).
l
I
l
!
i
'
.
$
1
.! .
a
"
. , , . . . . , - .
_ . - -
. . _ . .
. ,
,
I
l
!
-3-
Report Details
IV. Plant Support ,
1
i S1 Conduct of Security and Safeguards Activities
l
S1.1 Access Authorization / Fitness-for-Duty
a. Insoection Scope
1
Portions of the access authorization program were reviewed in order to determine I
compliance with 10 CFR 73.56 and the physical security plan. Portions of the
fitness-for-duty program were reviewed in order to determine compliance with
b. Observations and Findinas
10 CFR 26.24(a)(1) requires that personnel will be initially tested within 60 days prior to
granting unescorted access.10 CFR 26.10(a) requires fitness-for-duty programs to
provide reasonable assurance that personnel are not under the influence of any
substance which in any way affects their ability to safely and competently perform their
duties.
The requirements of 10 CFR 73.56 are implemented, in part, by the licensee's General
Procedure SO123-XV-7, Revision 8. Paragraph 6.3.1 of the procedure requires that a
badge granting unescorted access into the primary access is not to be issued until a
satisfactory drug and alcohol screen has been completed within 60 days prior to
granting access.
During a review of a licensee reported event (LER 98-003), the inspector noted the
following:
. On March 10,1998, while reviewing a report of pending security badges, the
access authorization supervisor determined that a protected area unescorted
access badge had been inappropriately issued to a contract worker on March 9,
1998, before drug screening test results were received. The test was
administered to the contract worker on March 9,1998, the same date that
unescorted access was granted. The contract employee entered the protected
area on March 10,1998, at 6:44 a.m. After discovering the mistake, the
supervisor caused the unescorted access of the individual to be canceled. The
contractor was escorted out of the protected area at 9:37 a.m. The contractor
employee was inside the protected area for approximately 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />. There was
no vital area access during the 3-hour time period. Subsequently, on March 16,
1998, the medical review officer declared that the worker's sample collected on
l March 9,1998, was positive for methamphetamine.
l
l The failure to submit appropriate fitness-for-duty test information to access authorization
personnel, in order for an appropriate evaluation or consideration of that information
i
_ _ __ _ _ . _ _ _ . _ _ _ _ . _ . _ _ . . _ _ _ _ . _ ._ _. _
, .
-4-
prior to granting unescorted access, resulted in the granting of access to an individual
that if the drug screen results had been considered, the individual would not have been
granted access. The failure to provide accurate drug screen results and present the
results for consideration before granting access is a violation of 10 CFR 26.24(a)(1) and
, Paragraph 6.3.1 of the licensee's General Procedure SO123 XV-7, Revision 8,
j (50-361/9812-01;-362/9812-01). This nonrepetitive, licensee-identified and corrected
'
violation is being treated as a noncited violation consistent with Section Vll.B.1 of the
The above noncited violation is similar to the violation documented in NRC Inspection
Report 50-361/95-05; 50-362/95-05. Information provided by the licensee by facsimile
- (Attachment 2) on September 24,1998, was considered in dispositioning this recent
i violation as a noncited violation. This recent violation was not considered a repetitive !
violation in accordance with the NRC Enforcement Policy.
. The root cause of this noncited violation was an erroneous computer data entry that
l inaccurately stated that the contract emp'oyee had been drug and alcohol tested and
l that there was a negative finding. When drug screening was completed, the initial test
i at the plant revealed a positive test for methamphetamine, and the confirmatory test
I
results received on March 16,1998, confirmed the contract worker was unfit for duty.
The corrective actions included the briefing and training of appropriate fitness-for-duty
personnel. In addition, the access authorization computer database was modified to not
permit the entry of a drug screening result if a drug screening submittal has not first
been entered. The access authorization section changed their process by requiring a
- hard copy of the test results before granting unescorted access.
!
l L Conclusion
l
A noncited violation of 10 CFR Part 26 and security procedures was identified for failing
to complete a fitness-for-duty drug screen prior to granting access to an individual who
was unfit for duty.
.
S1.2 Access Control - Personnel
!
a. Insoection Scoce
l
!
The personnel access control program was inspected to determine compliance with the
requirements of 10 CFR 73.55(d)(1), and (7), and the physical security plan.
b. Observations and Findinas
!
10 CFR 73.55(d)(7)(i)(B) requires that the licensee positively control all points of
!
'
personnel access to vital areas and limit such access to vital areas under
nonemergency conditions to individuals who require access in order to perform their
duties.
,
l
? - . - .
i
j
1
, ,
,
1
1
! -5- )
l Paragraph 5.1.4 of the physical security plan, Revision 58, states, in part, "The SONGS
I
VA access authorization system, which is described in written station procedures, has
been designed to limit access to individuals who require entry to particular areas in order
to perform their job duties." Further, it states that, " Positive identification of VA access
authorization is accomplished by means of card-key badges."
Paragraph 6.7.1.2 of Security Procedure SO123-IV-5.1, Revision 7, requires that all
family tour escorts have their vital area access removed prior to the tour starting.
Paragraph 6.4.2.3 of licensee Security Procedure SO123-XXill-4, Revision 2, states that
all vital areas will be off limits to visitors and employees (escorts) participating in the
Family Tour Program.
The licensee identified in the safeguards event tog that on May 10,1998, three
personnel (escort and two family members) were incorrectly granted access to a vital
area (diesel generator building) during a family tour. None of the three persons was
authorized access to the vital area. The access control system was bypassed by a
second employee (not an escort) when the second employee allowed the visitors and ,
i their escort to tailgate in and out of the vital area. l
The licensee determined the root cause of the violation was personnel error. Both the
escort, who did not have vital area access, and the second employee who did, forgot l
rule and procedural requirements in their attempt to provide an informative tour to family l
! members. Corrective actions included retraining of the two employees involved, l
l re-emphasis of the procedural requirements to the plant population at large, and a .
l change to the General Employee Training emphasizing escorting and vital area access. l
l
The failure to control vital area access constitutes a violation of the requirements of
10 CFR 73.55(d)(7)(i)(B), paragraph 5.1.4, of the physical security plan, and paragraph
6.7.1.2 of Security Procedure SO123-IV-5.1 (50-361/9812-02; -362/9812-02). This
nonrepetitive, licensee-identified and corrected violation is being treated as a noncited
violation consistent with Section Vll.B.1 of the NRC Enforcement Policy.
c. Conclusion
!
l A noncited violation of the physical security plan and security procedures was identified
'
for failure to control personnel access to a vital area.
S2 Status of Security Facilities and Equipment
S2.1 Comoensatorv Measures
l a. Inspection Scoce
The compensatory measures program was inspected to determine compliance with the
i
requirements of 10 CFR 73.55(a), (g)(1), and the physical security plan. The areas
inspected included the deployment of compensatory measures and the effectiveness of
those measures.
l
l
__
l
l
. .
1
-6-
b. Observations and Findinas
l
10 CFR 73.55 (g)(1) states, in part, "All alarms, communications equipment, physical l
barriers, and other security related devices or equipment shall be maintained in operable I
condition. The licensee shall develop and employ compensatory measures including
equipment, additional security personnel, and specific procedures to assure that the
effectiveness of the security system is not reduced by failure or other contingencies i
affecting the operation of the security related equipment and structures." l
i
Paragraph 3.2.3 of the physical security plan states, in part, "Upon identification of a
failure to comply with this plan or its implementing procedures, security management will
implement prompt corrective action to mitigate the consequences of system failure, to ;
'
achieve equivalent protection, and to prevent recurrence." Further, paragraph 3.2.4
states, in part, "SCE has established a management system that provides for the
development, revision, implementation, and enforcement of security procedures. New '
procedures and revisions to current procedures are subject to the approval of the
Manager, Site Security. All procedures are reviewed and updated annually in
accordance with standard station policy."
Paragraph 6.6.3 of the physical security plan states, in part, "An armed security
officer / unarmed security personnel equipped with a radio observes the affected segment
pending restoration of intrusion detection capability." Further, paragraph 6.6.4 (VA
Alarm Failure) states, in part, "In the event of a VA alarm system outage, the following
compensatory measures will be taken: All VA card-key access portals are designed to
fait locked and are inspected by an armed security officer or unarmed security
personnel. Any portals found unlocked are secured with either a security padlock or a
manned logging station is established. Armed security officers / unarmed security
personnel equipped with access lists control access to such portals until the system is
repaired and tested." At the bottom of the page, which contained the above
! requirements, the physical security plan states, in part, "These measures will provide an
equivalent level of intrusion detection protection pending prompt repair of the failed
system."
l Threat Event TS M4-D contained in the safeguards contingency plan requires the
security organization to deploy the security force to compensate for failed computer
channels. Further, under the data required section,it references preplanned scenarios
for predesignated security post assignments and patrol routes contained in the shift
commanders post order binder to compensate for the range of security computer
failures.
l
l During NRC Inspection 50-361/97-24; 50-362/97-24, the inspector determined that the
licensee had not established a specific procedure for the employment of compensatory
measures resulting from a security computer failure. Pending further review by the
NRC, the issue was characterized as an unresolved item in NRC Inspection
Report 50-361/97-24; 50-362/97-24. The subsequent review determined that during
-- . _ _ . - - . - _ - - - - - - - . - . - - - _ . - _ _ _
,
. .
L
I
-7- l
three events that occurred on May 20, July 29, and October 30,1997, both security
computers feled; adequate compensatory measures were not instituted in that security ,
officers were not posted to control most of the vital area portals; and the measures
instituted did not ensure an equivalent level of protection. The failure to provide .
adequate compensatory measures is a violation of the requirements of paragraphs 3.2.3
and 6.6.3 of the physical security plan (5'J-361/9812-03; -362/9812-03).
Corrective actions by the licensee included changes to the compensatory measures
procedure to include security computer failures. The inspector reviewed changes to
Security Procedure SO123-IV-6.8, Revision 2, which describes the addition of ;
compensatory measures for a degraded security computer. The procedure was greatly l
enhanced by the changes. Information directing compensatory measures was more J
l detailed, comprehensive, and user frien6y. On July 15,1998, the inspector observed a
l drill in which the security shift on duty sin.t'Lted the loss of the security computers. All
i of the compensatory measures posts were manned within 5 minutes. The inspector
l walked down the posts with shift security supervision. The officers at each post were
i questioned about the area that they were compensating, and the responses indicated a
very well trained shift. The compensatory measures plan for posting was well thought
out and adequately ensured that all detection system losses were compensated. The
inspector concluded that the corrective actions implemented should prevent recurrence
of a similar violation.
c. Conclusion
I A violation of the physical security plan and security procedures was identified for failing
to adequately compensate for three separate failures of the security computer system.
S2.2 Assessment Aids / Inattentive Security Officers
a. Insoection Scope
L
l The assessment aids program was inspected to oetermine compliance with
j 10 CFR 73.55 (h)(4) ano (6) and the physical security plan.
l
i b. Observations and Findinas
10 CFR 73.55(h)(6) requires a capability of observing the protected area isolation
zones. Paragraph 6.2.1 of the physical security plan requires the guard tower officers to
assess all alarms and activities in the isolation zones.
During a review of the safeguards event logs, the inspector determined that the licensee
had identified that guard tower security officers were discovered asleep in the guard
!
towers on March 14 and April 12,1998, and unable to assess the alarms and activities
! in ti.e isolation zones. The inspector reviewed documentation of corrective action that
'
included notifying all security officers of the necessity of staying awake on post and
J
.
l
._. --
. .
-8-
disciplinary action for the officers involved. The corrective action was apparently
effective. Even with a higher awareness among supervisors, there has not been an
identified recurrence since the last incident in April 1998. The inability of security
officers to assess alarms and activities in the isolation zones is a violation of
paragraph 6.2.1 of the physical security plan (50-361/9812-05;-362/9812-05). This
nonrepetitive, licensee-identified and corrected violation is being treated as a noncited ,
violation consistent with Section Vll.B.? of the NRC Enforcement Policy. I
c. Conclusion
A noncited violation of the physical security plan was identified for two instances of
inattentive security oMicers manning the guard towers.
S8 Miscellaneous Security and Safeguards issues (81700-02.08)
S8.1 Inaccurate Information Submitted to the NRC
a. Insoection Scope l
Through inspection activities and interviews, the accuracy of information provided by the
licensee during an enforcement conference and in a letter from the licensee to the NRC
dated February 3,1998, was reviewed to confirm compliance with the requirements of
b. Observations and Findinas.
10 CFR 50.9(a) states, ir, part, "Information provided to the Commission by an applicant
for a license or by a licensee or information required by statute or by the Commission's
regulations, orders, or license conditions to be maintained by the applicant or the
licensee shall be complete and accurate in all material respects."
During a predecisional enforcement conference in Region IV on January 20,1998, and
in a letter dated February 3,1998, the licensee submitted information that indicated
compensatory measures utilized during security computer failures on May 20, July 29,
and October 30,1998, were adequate in that responding security officers had all
received patrol cards and that they had been trained on the use of the cards. Inspection
activities by NRC staff during an initialinspection provided information that was different
from that provided by the licensee. Subsequent review by NRC confirmed that the
above submittals were inaccurate. The licensee reached the same conclusion
subsequent to being notified by the inspection staff. A licensee letter to the NRC dated
February 24,1998, concluded that the information submitted was inaccurate and
corrected the information. The failure to submit complete and accurate information to
the NRC constitutes a violation of 10 CFR 50.9 (50-361/9812-04; -36?/9812-04).
,
c. Conclusion
A violation of 10 CFR 50.9 was identified by NRC in which the licensee submitted
inaccurate information to NRC.
(
. .
.g.
S8.2 Onsite Review of Event Reports (92700) ,
S8.2.1 (Closed) LER 50-361/98-02:-362/98-02: Diesel Fuel Oil Filtration
The LER described events when a diesel fuel oil filtration trailer was brought into the j
protected area. There was some doubt on the part of the licensee as to whether correct i
escort and compensatory measures requirements were appropriately implemented. A
review of the incident by NRC did not reveal any noncompliance. However, the licensee
did clarify procedural requirements to prevent further confusion regarding escort and
compensatory requirements during diesel fuel oil filtration operations.
S8.2.2 (Closed) LER 50-361/95-02:-362/95-02: Loss of Safeauards Information in the
U.S. Mail
The licensee did not mishandle or improperly mail the safeguards information lost. NRC
guidance allows the use of the U.S. mail to transmit safeguards information. The
licensee attempted to trace the mailed information numerous times with post office
officials to no avail.
S8.2.3 (Closed) LER 50-361/96-02:-362/96-02: Missed Surveillance
The licensce failed to perform a testing surveillance on an infrared detection zone as per
the plan requirements. It was licensee-identified, of minor nature and, except for the
requirements of license condition 2.G which has since been changed, would have been
logged in the safeguards event log. The missed surveillance was of minor significance
and did not affect the health and safety of the plant personnel or the public.
S8.2.4 (Closed) LER 50-361/96-03:-362/96-03: Security Alarm Not Posted
Duririg a 1996 review of security records, the licensee discovered that on December 20,
1992, a segment of the protected area detection aids was not posted upon discovery
that the zone had exceeded the false and nuisance alarm rate. It was imensee
identified, of minor nature and, except for the requirements of license Condition 2.G,
which has since been changed, would have been logged in the safeguards event log.
S8.2.5 (Closed) LER 50-361/97-02:-362/97-02 and LER 50-361/97-02-01:-362/97-02-01:
Failure to Protect Safeauards Information
This issue was previously dispositioned as a Severity Level ill violation (EA 97-585).
S8.2.6 (Closed) LER 50-361/97-03:-362/97-03: Security Computer System Out of Service
The licensee was previously issued a violatiori in inspection Report 50-361/97-24;
l 50-362/97-24 for failing to report these computer failures. This LER documented the
corrective actions for the ee. lier noncomplianc;e, as well as reported two additional
'
failures. The inspector confirmed during the current inspection that interim corrective
actions were in place, and that they were effective in preventing computer failures.
Software corrections were ongoing.
i
I
. .
l
-10-
S8.2.7 (Closed) LER 50-361/97-04:-362/97-04: Unlocked Weapons Containers
The licensee was previously issued a violation for failing to report instances of unlocked
weapons containers. The violation was cited in Inspection Report 50-361/97-24; )
50-362/97-24. )
S8.2.8 (Closed) LER 50-361/98-01:-362/98-01: Security Computer Failure
The licensee was in the process of making significant changes to the reportability
procedure when the computer failed. They did not take into account that adequate
compensatory measures were in place before the attempted reboot of the computer.
With adequate compensatory measures in place prior to the reboot, this event becomes ;
of minor significance and would not have required an LER to be submitted. l
l
S8.2.9 (Closed) LER 50-361/98-03:-362/98-03: Inadeauate Access
Authorization / Fitness-for-duty.
This item is identified as a noncited violation in this report. Refer to Section S1.1 for
details.
S8.2.10 (Closed) LER 50-361/98-04:-362/98-04: Safeauards information
The licensee identified several safeguards information documents that were not
adequately protected. The discovery of these documents was part of the corrective
actions for a previously identified Severity Level lil violation (EA 97-585).
S8.3 Followuo-Plant Supoort (92904)
S8.3.1 (Closed) VIO 50-361/9724-01:-362/9724-01: Inadeauate Emeraency Power Supply
The licensee failed to install a detection zone battery resultirig in noncompliance when a
power failure occurred. The licensee installed a battery and tested the zone. The
j inspector reviewed records to confirm that the corrective action was completed.
1
I
S8.3.2 (Closed) URI 50-361/9724-02:-362/9724-02: Inadeauate Compensatory Measures
The unresolved item is closed and a new item opened as a violation in this report. Refer
to Section S2.1 for details.
l
I S8.3.3 LClosed) VIO 50-361/9724-03:-362/9724-03: Failure to Report
I
l The licensee failed to report an incident in which a safeguards contingency cabinet
containing weapons and ammunition was left unsecured inside a vital area. The root
cause of the violation appeared to be unclear guidance in the reportability procedure.
During this inspection, the inspector reviewed changes to the procedure. The change to
the procedure appears to be an effective corrective action.
,
J
. .
-11-
S8.3.4 (Closed) VIO 50-361/9724-05:-362/9724-05: Failure to Secure Continaency Weapons
On two separate occasions, security contingency weapons cabinets were left
unsecured. The licensee changed the locks in order to prevent the keys from being
removed until the locks are secured. There has been no recurrence of the violation. l
The corrective action appears to be effective.
S8.3.5 (Closed) URI 50-361/9724-04:-362/9724-04: Failure to Protect Safeauards Informatior.
1
This Item was previously dispositioned as a Severity Level ill violation (EA 97-585). l
S8.3.6 (Open) VIO 50-361/E 97-585: -362/E 97-585: Failure to Protect Safeauards
Information
1
The violation was issued as a Severity Level lli violation. The violation will be left open I
because the corrective action is not complete. Some minor documents are still being
discovered as part of the corrective action (See Section S8.2.10). This item will be
reviewed further in a future inspection.
l
'
S8.3.7 (Closed) URI 50-361/9803-07:-362/9803-07: Diesel Fuel Oil Filtration
Refer to Section S8.2.1 for details.
V. Manaaement Meetinas
X1 Exit Meeting Summary
The inspector presented the preliminary inspection results to members of licensee
management at the conclusion of the inspection on July 17,1998. Final exit briefings
were conducted telephonically on August 21 and October 7,1998. The licensee
acknowledged the findings presented during the August 21 phone call; however, they
disagreed that the characterization of the access authorization issue constituted a
potential Severity Level lll violation. Upon further review, it was communicated to the
licensee during the October 7,1998, phone call that the access authorization issue was
a noncited violation,
l
l
l
l
i~ i
l
.
ATTACHMENT 1
PARTIAL LIST OF PERSONS CONTACTED
Licensee
<
,
R. Krieger, Vice President, Nuclear Generation
'
F. Barvara, Instrumentation and Calibration Engineer
S. Blue, Supervisor, Fitness-for-Duty l
G. Broussard, Security Operations Supervisor l
L. Camacho, Administrative Supervisor l
S. Chun, Security System Engineer I
- G. Cook, Supervisor Compliance
!
T. Cook, Security Shift Commander
l M. Flannery, Supervisor, Central Processing Facility
T. Frey, Compliance Coordinator !
- G. Gibson, Manager, Compliance l
K. Gross, Central Document Management Supervisor
D. Herbst, Manager, Quality ,
R. Jones, Supervisor, Security Systems 1
J. Matthews, Supervisor, Security Business and Personnel
H. Newton, Manager, Support Services
G. Plumlee, Supervisor, Security Compliance i
M. Ramsey, Root Cause Engineer i
R. Reiss, Supervisor, Security Self Assessment
D. Rolph, Administration Supervisor
A. Scherer, Manager, Nuclear Regulatory Affairs
K. Slagle, Manager, Nuclear Oversight
R. Todd, Supervisor, Security Equipment and Training ,
l J. Wallace, Security Manager !
L. Youde, industrial Engineering {
M. Zar, Quality Assurance Engineer '
NRC l
J. Sloan, Senior Resident inspector
INSPECTION PROCEDURES USED
IP 81700 Physical Security Program for Power Reactors
IP 92904 Followup
IP 92700 Onsite Review of Event Reports
!-
I
! 1
1
,
I
. .
l
1
l
!
-2- .
l
ITEMS OPENED AND CLOSED
Opened
50-361;-362/9812-01 NCV inadequate Access Authorization / Fitness-for-Duty
50-361;-362/9812-02 NCV Inadequate Access Control- Personnel I
50-361;-362/9812-03 VIO Inadequate Compensatory Measures
50-361;-362/9812-04 VIO Inaccurate Information Submitted to the NRC
50-361;-362/9812-05 NCV Inadequate Assessment Aids /Incttentive Security Officers
l
Closed I
50-361;-362/9812-01 NCV Inadequate Access Authorization / Fitness-for-Duty
50-361;-362/9812-02 NCV Inadequate Access Control- Personnel l
50-361;-362/9812-03 VIO Inadequate Compensatory Measures l
50-361;-362/9812-05 NCV inadequate Assessment Aids / Inattentive Security Officers
50-361;-362/9724-01 VIO Inadequate Emergency Power Supply ;
50-361;-362/9724-02 URI inadequate Compensatory Measures 1
50-361;-362/9724-03 V!O Failure to Report
50-361;-362/9724-04 URI Failure to Protect Safeguards information I
50-361;-362/9724-05 VIO Failure to Secure Contingency Weapons I
50-361;-362/9803-07 URI Diesel Fuel Oil Filtration
50-361;-362/98-02 LER Diesel Fuel Oil Filtration
50-361;-362/95-02 LER Loss of Safeguards Information in US Mail
50-361;-362/96-02 LER Missed Surveillance
50-361;-362/96-03 LER Security Alarm Not Posted i
50-361;-362/97-02 LER Failure to Protect Safeguards Information 1
50-361;-362/97-02-01 LER Failure to Protect Safeguards Information
50-361;-362/97-03 LER Security Computer System Out of Service l
50-361;-362/97-04 LER Unlocked Weapons Containers l
50-361;-362/98-01 LER Security Computer Failure i
50-361;-362/98-03 LER Inadequate Access Authorization / Fitness-for-Duty
50-361;-362/98-04 LER Safeguards Information
LIST OF DOCUMENTS REVIEWED i
l
Security Procedure SO123-IV-6.8, Revision 2, " Protected Area and Vital Area Barrier Patrols" l
l
Security Procedure SO123-IV-11.2, Revision 4, " Reporting Safeguards Events"
Security Procedure SO123-XV-7, Revision 8," Drug and Alcohol Testing Program for
Protected Area Access and Assignment to Emergency Operations Facility Duties"
Security Procedure SO123-IV-5.1, Revision 7, " Protected and Vital Area Access"
i
Security Procedure SO123-IV-4.4, Revision 5, " Security Lock and Key Control" l
Security Procedure SO123-XV-2.4, Revision 3, " Security Responsibilities of Site Employees"
'
l
l
_ _ . - . . - - _ - . .
__
,
. . !
!
! ,
<
l
Security Procedure SO 123-XXill-4, Revision 2, " Site Access"
Security Procedure SO123-XXill-4.1, Revision 1, " Authorization and issuance of Security Photo
identification Badges"-
l Security Procedure SO123-XV-6, Revision 5, " Fitness-for-Duty (Behavior Observation)"
Nuclear Organization Directive D-006, Revision 1, " Fitness-for-Duty"
Security Event Logs, First, Second, and Third Quarters,1998
! Licensee Action Request Nos. 980301717-01; 980401023-01
Surveillance Reports SOS-036-97 and SOS-037-97
.
\
I
!
l
l
'l
l
l
.
!
l
l
f
1
-
J
l
I
. .
l
l
ATTACHMENT 2
ATTACH FACSIMILE AS ATTACHMENT 2.
l
I
l
l
l
'
t
i
I
,
.
FAX COVER SHEET
w
dA .
Southern California Edison Company '
5000 Pacific Coast Highway
San Clemente, CA 92672
Date:
TO: /7/fQ h//l/b Voice: , Fax:
hf) [W
FROM: de 50 Voiced 949 %f45?/e x: <7443 sea-7575
.
Number of Pages (including cover sheet):
10 *d SO:11 86. P2 dos S252-892-6P6:xed S810330 933 8031TN
o
. .
PROTECTED AREA ACCESS AUTHORIZATION
INCIDENT OF MARCH 9-10,1998 l
I. Back2rnund
l
l
On March 9,1998, Collection Site Personnel (CSP), while processing pre-access dmg screening
information, made a data entry error in the T2000 computer program. The error resulted in a
contract worker being granted unescorted access to the Protected Area (PA) prior to passing a
required pre-access drug screening test. l
l
l On March 10,1998, the individual entered the PA for approximately three hours, when it was
l
discovered that the individual had a presumptive positive result on their pre-access drug screening I
test. Upon discovery of the error, steps were taken to have the individual escorted out of the PA.
On March 16,1998, SCE's Medical Review Officer (MRO) declared a " positive" dmg test result
for the contract worker.
It is noted that, since implementing corrective actions for an access authorization violation in
1995, SCE has processed at least 7193 security badges, with this being the only example where an
inappropriate individual we.s, granted a security badge. This constitutes a program success rate of
99.9%.
l
II. SCE Fitriess For Duty (FFD) Testine Procram (Pre-access)
In order to receive unescorted access to the Protected Area (PA), all individuals are required to
pass FFD requirements in accordance with 10CFR26. The FFD testing program for initial site
access consists, in part, of a drug screening test and an alcohol breath analysis test. The individual
must provide an acceptable urine sample, as determined by measuring quantity, temperature,
specific gravity and PH of the sample, and the sample is then analyzed for the presence of specific
drugs. The results of the alcohol test are indicated by the alcohol measuring device, and are
immediately known to the CSP conducting the test. The crug screening analysis is perrormed by
the onsite prescreen Specialist, normally within a few hours of collecting the sample. The CSP
,
'
collecting the urine sample does not usuallyperform the drug screening analysis, and did not
perform the drug screening analysis on March 9,1998.
Behavioral observation is also part of the FFD program. In order to receive a security badge, all
'
personnel must complete a FFD training course, which includes superviscry level training for
identifying aberrant behavior associated with the use of drugs or alcohol. Additionally, if any
unusual or aberrant behavior is observed during the pre-access testing process, CSPs are
instructed to document the behavior in the Permanent Record Log Book maintained at the Drug
Screening Facility.
1
!
l
CO 'd 15:01 86. pg das $252-892-6P6:x23 SdIU339 938 B03 DON
_ _ _ _ _ ._ _._ _ . _ _ _ _ _ __._._ _ _ ._ _ _
. .
I
.
'
i
III. Chronolo2v of Events (See Attached Timeline) '
March 9,1998, Morning
l
The contract worker entered the Central Processing Facility (CPF) on the morning ofMarch 9,
1998, and began the process for obtaining an unesconed access badge. Between the time the !
l
individual entered the CPF until approximately 1030 hours0.0119 days <br />0.286 hours <br />0.0017 weeks <br />3.91915e-4 months <br />, the individual completed the required
I
I Site Access and Fitness For Duty courses, with passing test scores. At 1153 hours0.0133 days <br />0.32 hours <br />0.00191 weeks <br />4.387165e-4 months <br />, the individual
!
was logged in at the Drug Screening Facility. The CSP obtained a valid urine specimen (i.e., the !
specimen's quantity, temperature, specisc gravity, and PH level were within acceptable limits),
and the individual passed an alcohol breath analysis test. The individual exited the Drug '
Screening Facility at approximately 1300 hours0.015 days <br />0.361 hours <br />0.00215 weeks <br />4.9465e-4 months <br /> on March 9,1998
March 9,1998,1300 - 1530 Hours
!
I
Sometime between 1300 and approximately 1500 hours0.0174 days <br />0.417 hours <br />0.00248 weeks <br />5.7075e-4 months <br />, a CSP entered the individual's drug and
alcohol screening information in the T2000 computer program, which is the software program
l used at SONGS for processing security badges for unescorted access. The T2000 FFD program
i contains two parts; a "Submitta!" screen and a "Results" screen. The " Submittal" screen is
completed after the individual has provided an acceptable urine sample (i.e., quantity,
temperature, specific gravity and PH are within limits) and passed the alcohol test, and the
i
"Results" screen is completed after the individual has passed the pre-access urine drug test. Both
screens must be completed for a badge to be issued by CPF.
1
The attached Figure I shows a printout of the FFD program computer screen. The " Submittal"
l )
and "Results" screens are visuallyidendcal In order to enter information on the " Submittal"
i screen, the CSP uses the mouse to click on the " Submittal" button. In order to enter information
l on the "Results" screen, the CSP uses the mouse to click on the "Results" button. Both screens
require the CSP to enter the following information fields for the individual being tested: social
l
'
security number, date, test type, and results. The test type identifies ifit is a random or initial
(pre-access) drug test, or other type. On the " Submittal" screen, a "P"is entered in the results
i
field when an acceptable urine sample is attained. On the "Results" screen, a "P" is entered in the
results Held when passing results are obtained for the drug / alcohol test (i.e., test results are
negative for drug usage). Unacceptable urine samples andpresumptive positive drug test
results are NOTenteredin T2000.
(Note: The process described here for processing individuals in T2000 was the process in
i
place on March 9,1998. As part of the corrective actions for LER 98-003, the process I
was enhanced to prevent recurrence of the type ofincident that occurred on March 9; e.g.,
'
the codes used for the " Submittal" screen result 6 eld are now different than the codes used
for the " Result" screen result 6 eld.)
While entering the individual's drug screening information, the CSP inadvertently and i
- unknowingly used the mouse to click on the "Results" screen when she intended to click on the
<
2
l
3.; .y ec es c > c ' 00^-* : yp a e,uTW4JH MW MTW
,
" Submittal" screen. The computer screen " buttons" for the two screens are located right next to
each other, and the two computer screens are visually identical. The CSP then unknowingly
completed the "Results" screen for the individual. rather than the " Submittal" screen.
Consequently, by entering a "P"in the results 6 eld of the "Results" screen, the CSP
unintentionally and unknowingly entered a " passing" drug test result for the individual
At 1509:03 hours on the same day (after the initial data entry error had been made), a second CSP
verified the " Submittal" screen information. The purpose of this verification was to verify that all
individuals, who had been entered in the Permanent Record Log Book as having provided valid
chemical test samples (i.e., urine quantity, temperature, specific gravity and PH were within
acceptance limits, and negative alcohol breath test), were also entered on the T2000 " Submittal"
screen. On March 9,1998, there were 3o individuals tested at the Mesa Site Collection Facility.
To complete the verification, the CSP accessed a review data screen for submittal entries only.
Starting with the first entry in the Permanent Record Log Book, the CSP found the corresponding
social security number on the group " Submittal" screen, and then verified the individual's social
security number, date and test type. During this veriscation, the second CSP identified a
Permanent Record Log Book entry, with a valid chemical test specimen, that was not entered on
the T2000 " Submittal" screen. This enny was for the individual who earlier had been
inadvertently entered on the " Result" screen rather than the " Submittal" screen. Since the log
book indicated that a valid chemical test sample had been attained, the second CSP created a
" Submittal" screen entry for this individual. Consequently, the individual completed " Submittal"
and "Resuh" screens, taken together, now satissed the FFD requirements for receiving
unesconed access to the PA.
The drug screening analysis is performed by an onsite prescreen Specialist some time after the
sample has been collected. The Specialist separates the " Presumptive Positive" tests (i.e.,
presence of drugs has been detected) from the " Negative" tests (i.e., no drugs detected) The
paperwork for each " Negative" test result has a yellow top sheet that is stamped to indicate the
test was passed. The paperwork for each " Presumptive Positive" test result has a white top sheet
with no stamp. The Specialist enters the " Presumptive Positive" test results on a " Send Out List"
which is provided to the CSPs to ensure that the samples are sent to the offsite laboratory for
confirmatory analysis, and also notines the FFD Supervisor that a presumptive positive result was
obtained. As the screening tests are completed, the Specialist provides the paperwork to the
CSPs. The CSPs maintain the " Presumptive Positive" test results in a single folder, and all
" Negative" test results are entered on the T2000 "Results" screen. " Prest enprive Positive" rest
resula are NOT entered in T2000, and not specifically reviewed by the CSPs.
On March 9,1998, two aliquots from the suspect individual were analyzed by the prescreen
Specialist and determined to contain methamphetamine. The Specialist concluded that the
individual was " Presumptive Positive," and subsequently entered the test result on the " Send Out
j List," and also notified the FFD Supervisor. The paperwork for the individual was processed as a
" Presumptive Positive," and provided to the CSPs. One of the CSPs placed the paperwork for
3
l
l
!
l .n y ~$:N %. to dag $252-99E-6t'6: XPd SdIdddd 93d D3
.- .. .- . - , - - - -- - . - _ _ . - - - - - - . - - ~ - - . - . . .
. .
l
l
the " Presumptive Positive" test in the appropriate folder. The " Presumptive Positive" rest result
was not entered in T2000.
I The CSPs also perform a vedfication of the entries on the T2000 "Results" screen In this cas
the CSP performing the verification accessed a group "Results" screen that included all
individuals tested on March 9,1998, that had " Negative" test results. Using the completed
( paperwork for the " Negative" test results, the CSP verified that there was a corresponding entry
on the T2000 "Resuhs" screen. The purpose of this verification was to ensure that there was a
T2000 "Resuhs" screen entry for all individuals with paperwork showing a passing drug test. .
Using the complete:tpaperworkfor the " Negative" test results, this venfication would idennfy
if there was a missing T2000 "Results" entry, but would not be expected to identify of there
was an additional "Results" entry, as was the case on March 9,1998.
March 9,1998,2018 Hours
Since T2000 now had completed " Submittal" and " Result" screens for this individual, CPF
personnel concluded that FFD requirements had been satisfied, as displayed in T2000, which
i
allowed for the issuance of a security badge. The security badge was activated in the computer * in
the Central Alarm Station at 2018 for Protected Area access only. (NOTE: T2000 will not allow i
the issuance of a security badge without a " Submittal" and " Result" completed within the
previous 60 days. Since both were completed on March 9,1998, this requirement was met.)
March 10,1998, Morning
Security logs show that the individual picked up his badge and entered the PA at 0644:33. There
is no evidence that the individual was accompanied when he entered the PA. He apparently
proceeded directly to his assigned assembly area for an 0700 pre-job briefing. Several SCE and
contract worken accompanied the individual at the pre-job brief and while he was working in the
,
PA. Although it appears that the individual was accompanied the majority of the time, theref
insufficient evidence to indicate that the individual was accompanied 100% of the time-
~
,.
At approximately 0930, the CPF Supervisor was reviewing a pending security badge report.
During the review, he identified critical path workers that had drug screen submittals pending, but
did not have results. Based on this information, he met with the CSPs and identif.ed that there
was a discrepancy in the number of pending badges (badges awaiting drug test results due to
presumptive positive results). The Supervisor identified the improperly issued badge, and
immeiirtely directed the Screening Supervisor to contact Secunty to have the badge deactivated.
The Screening Supervisor then called the SCE supervisor of the individual who had received the
badge, and instructed him to have the individual escorted out of the PA and have him return to
CPF.
j
The individual was escotted to the exit turnstile, and exited the PA at 093':02. The individual's
i badge was deactivated at 0942. The individual was in the PAfor approximately 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> and
53 minutes with a se'curity badge. The individual subsequently reentered the PA with an escort
4
1
4
l
t
l
l
l
- q a q
- q] M, P dO9 W - @ D Ud
.
. _ __ __ . . . _ _ _ _ .__. . . -
-
__
_ ._. . _ __ _ -_._.._. __ _ __ _. -
_ .
. .
. .
k
badge and escort.
March 10 - 13,1998
The individual completpd his work under an escprt badge while accompanied by an escort and
~
departed the site. '
3 , i
March 16,1998
The MRO declared a " Positive" test result after reviewing the report from the Health and Human
Services certified laboratory that performed the confirmatcry drug test analysis. SCE made the '
i required one hour notification to the NRC Operations Center, in accordance with
,
'
April 8,1998
SCE submitted the required Licensee Event Report in accordance with 10CFR73.71(d).
l
l
l
!
!
! l
! !
!
1
.
l
!
l
l
f
5
,
1
l
l
.
90'd ES:01 86. pg das 52S2-892-6P6:xP3 S'IU336
d 938 8031]nN
. . 1
1
.
l
. !
l
l
"
Submittal" Button
"
Result" Button
.
. .-.. - - . - . -
m
..
p a a. a
.
- -
i .
'
. '
. .._ . .
Vi ~~' ~
ssN '
khieved Date h Pass Fail Comments
!!
- aam
l1
!I
n
- ) Le!(H(
t
!I x !e i
4b 1, . . . .
a
a s a m
M M N9.U$fM'6Xa?2eW D'.*T= wpe=w
v.
-
WTvTEM=7
- =u
- s .
- 2+wz = : m a s u m m .=D7A a= WRML l'I[N
-
tiio. -
>1m
- m -.c_t% casw a.s.n w a x e u w e re-' ~----:-- __ riweersa
!BIMitGcism tiDFM1 ssWWaEFMaff2"?tiewesLC-~
-,w__
_,,,,Trry'<h'e'
"'T'v' -m74 -- ' ' " '
72W5"!
l
)
Figure 1 - T2000 FFD Computer Screen
1
20 'd ES:01 86. pg das $252-89E-576:xed $d10d30 933 dd3 U t1 l
l
._ . . - _ _ _ _ _ _ -- _-- - - _ - - - _ _ _ _ - - - -- - - -
.
.
Timeline for Access Authorization incident
8 -
n-.
3/9/98
3
5
1300 1530
&
- NIkkk! vbbNhbhNkIkh
a - Preecreening Toula Performed
as
I
- 26 Negatives- Resums Pro *Jedle CSP for T2000
- 4 Presumpuvo Poenbee-Noencedon Made to FFD
supensoor
ono 1030 tiss 1;rn -Erdered on" Set Our Use 2018
. Reportslo CPF - VaM Urine Sarapie
ceaected Badge
JO _
in - Coenpletes Requted Activated
1300
7 TrWning - AkdelTest Pasned 1530
b -
I
y . _ ink !kk h....w..
,
.
h h!kk!kNI .'. ..
~
. ,
E . . cse verinse s
ne we - ,
M T2000Desel T20tD l Ensuredin T200 &
ErtyEner i Suserveele
g : - Meekg
i
i
Vessed -
8
BienaltdAdded 8 - Presuurppve"Peeltve
l - FFD l Resuas
m Requiremerts Prepared for Osete
g * SaNeted** s Lab
d
it
S
cc -
'
. .
, _ _ - - _ - . _ . _ _ . - - - - - - _ - _ _ _ . _ . _ _ _ _ _ _ _ _ - - -
_ - _
. . - _ _ . - - _ _ _ _ - _ _ _ . . - _ --- _ _- -__ ._- - _ - _ _
.
Timeline for Access Authorization incident i
8
a
$
5 ,.
E
Q 3/10/98 3/13/98 3/16/98
m
0644.33 0700 CB37D2 OM2
_
individual Attends Pre-Job Brief Badge Indwidual Completes Work. MRO Declares Positive Drug
Enters PA
and Commences Work
-
Deactivated db While Escorted and Departs SRs db Test
tn
In
't
'
,
$ CSS
a
,
'
8 CPF Supervisor Individual
% -
Identifies -
Escorted Out of
2 BadginD Error PA
E
-
&
'
S
x
a -
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ _
-_ _. .. . _ _ _ _ _ _ _ _ . . _ _ . _ , _ _ _ . - _ . . - _ _ _ . . .
.,
l
. .
!
L
- NRA ASSESSMENT OF PROTECTED AREA ACCESS AUTHORIZATION
INCIDENT OF MARCH 9-10,1998
, 1I. Assessment of Applicable Regulatory Requirements / Guidance
Requirement - 10CFR26 Fitness For Duty Programs -
, l
10CFR26.10 General Performance Objectives
~
i
Fitness-for-duty programs must: I
(a) Provide reasonable #SSNTONCe that nuclear power plant personnel.... ,
'
will perform their tasks in a reliable and trustworthy manner and are not under the
influence of any substance, legal or illegal, or mentally or physically impaired from
any cause, which in any way adversely affects their ability to safely and !
competently perform their duties;
- . .j
i :
(b) Provide reasonable measures for the cariy detection of persons who
are not fit to perform activities within the scope of this part;
.
j' 10CFR26.24 Chemical and alcohol testing i
(a) To provide a means to deter and detect substance abuse, the licensee shall
implement the following chemical testing programs for persons subject to this part:
!
(1) Testing within 60 days prior to the initial granting ofunescorted J
access to protected areas or assignment to activities within the wupe of
this part. ,
'
l
l
Note: Although this requirement is germane to the issue, there is no apparent
'
-
disagreement that SCE has a chemical testing program in place that meets this
requirement.
t
l 10CFR26.27 Management actions and sanctions to be imposed
i
! (b) Each licensee subject to this part shall, as a minimum, take the following
actions. Nothing herein shall prohibit the licensee from taking more stringent
action.
,
'
(1) Impaired workers, or those whose fitness may be questionable, shall
,. be removedfrom activities within the scope of this part, and may be
1
i
01 'd SS:01 86. pg das $454-892-6P6:xej S81633d 933 ?fJ3'lJN
. . . - - ., _ , . . .
. .-- -. . - _ ~ . - . - . . - _ . . . . . - ~. .. - . - . ~ . . _ . - - _ .- _ -
. ..
returned only after determined to be fit to safely and competently perform
activities within the scope of this part.
Applicable NRC Guidance on 10CFR26
Enforcement Policy, Supplement VII - Miscellaneous Matters
C. Severity Level III - Violations involving for example:
,
6. A failure to complete a suitable inquiry on the basis of 10 CFR Part 26,
keep records concerning the denial of access, or respond to inquiries
concerning denials of access so that, as a result of the failure, a person
previously denied access for fitness-for-duty reasons was improperly
granted access;
7. A failure to take the required action for a person confirmed to have been
tested positive for illegal drug use or take action for onsite alcohol use; not ,
amounting to a Severity Level Il violation;
9. A breakdown in the fitness-for-duty program involving a number of ,
violations of the basic elements of the fitness-for-duty program,that 1
collectively reflect a significant lack of attention or carelessness towards !
meeting the objectives of 10 CFR 26.10;
D. Severity Level IV - Violations invoMng for example:
!
4. Violations of the requirements of Part 26 of more than minor i
significance
Enforcement Manual, Section 7.4, " Enforcement Actions Involving FFD"
7,4.1 Action against the facility licensee
In citing the facility licensee, it is important to note that it is not the unff
l person that establishes the violation but rather the licensee's failures to
j implement the program, including those ofits contractors and vendors, that creates
the violation..
Supplement VII of the Enforcement Policy provides examples ofviolations where
the facility licensee failed to meet the requirements of 10 CFR Part 26..
,
l
The examples for Severity Level 111 are significant because they represent
, 2
11 'd SS:01 -86. pc das $251-892-@6:x03 S810i+J 933 B9FDfN
.. , . . .. .. - - . . - . - .- - -.- - - ..- _. - - - - ._
,
'
,
... ,
l
I
l
1
significant individual violations or significant breakdowns in basic elements of a i
FFD program.... A breakdown in the program categorized at a Severity Level III
will normny involve more than one signipcantfailure of a single ,
element or singlefailures of a number ofelements.
'NUREG/CR-5227, " Fitness for Duty in the Nuclear Power Industry: A Review of
TechnicalIssues"
Page vii
'
?.
l "..,Fusthermore, drug levels in the urine are not directly correlated to
l intpairment"
Page 5-1
" Finally, the correlation between impairment and the level ofdrug or drug
...
l
l metabolite in the urine varies, and it is diffcult to determine the -
l
appropriate cut-oflevels that will idennfy the impairedpersons." '
Page 5-2
l
l
{ "The greatestproblem with urinalysis is interpretation of the results
l (Sutheimer, Yarborough, Hepler, and Sunshine,1985). The concentration of a
j drug or drug metabolite in the urine does not provide information about drugs
l pharmacologically affecting the person's system nor does it provide information
i. about impairment (Hawks and Chaing,1986)"
!
"...Hence, a positive confirm *21t est result indicates only that an individual has
ingested the dsug recent!y. A positive result does notprovide information
l about the frequency of use, pattern of use, addicdon, legitimacy of use, or
'
whether theperson was under the influence of the drug when the
-
urine we collected (Manno,1986a)."
"Because of the numerous factors that influence the concen ration of a drug or
drug metabolite in the urine, it is impossible to set cut-offlevels that relate
directiv to performance impairment."
" ..Thas it is difpcult or impor;ible to make definitive statements
linking drug levels in the sysum to impairment (Ambre, personal
communication, January 26,1988)."
i
L
l
1
.
EI 'd 01:11 86,.pg das SdS2-89MP6:xed S3I0330 933 BUTDnN
!
. ._. - ._ -
- -
_.
- .
l
l
I
,
1
1
Assessment of 10CFR26 Implementation
Example C.6 from the Enforcement Policy, Supplement VH, applies to personal
background checks and is not relevant to the incident at SONGS.
Example C.7 from the Enforcement Policy, Supplement VII, is not relevant to the incident l
at SONGS since it involves confirmedposidve test results, the incident at SONGS
involved a pre-access presumptive (not confirmed) positive test. The individual's
unescorted access privilege had already been removed when the confirmed positive drug
test result was declared by the MRO.
The incident at SONGS does not meet example C.9 of the Enforcement Policy,
Supplement VH, since it describes a programmatic breakdown involving a number of
violations. The incident at SONGS resulted from a random isolatedpersonnel
error (cognitive).
Example D.4 (LevelIV) appears to be the most relevant example in this
section ofthe EnforcementPolicy since the incident at SONGS might be
considered to be ofmore than minor significance. In addition, under the
terms ofEGM 98-006, this would appear to be recategorized as a noncited
violation.
Enforcement Manual, Section 7.4, specifically references the Severity Level III examples
described in Supplement VII of the Enforcement Policy. The incident at SONGS
involved a random isolatedpersonnel error. not a programmatic breakdown, and
does not appear to fit the above, Severity Level III description. There was not more than
one significant failure of a single element, nor single failures of a number of elements.
Since March 1,1995, when corrective actions were implemented for a FFD/ Access
Authorization violation, through August 31,1998, SCE processed 7193 security badges,
with this being the only example where an inappropriate individual was granted a security
badge. This supports the conclusion that the incident at SONGS involved an isolated
random personnel error.
NUREGICR-5227 emphasizes that a positive result on a urine drug last does not
indicate that the individual was impaired or under the influence ofdrugs.
-
i
l
4
,
g1 d 10:11 86. pc das $252-89E-576:xe3 sdIdifJ 933 BU3 M
. .. . . . - - .- --~ _ .-. . - -.- - -- . . . - . -
,
l
l
l . .,
l
!
(
!
,
(
I
l
Requirement - 10CFR73 Physical Protection of Plants and Materials ,
i
73.56 Personnel access authorization requirements for nuclear power plants. I
(a) General 1
!
(1) ...By April 27,1992, the required access authorization program must be
- incorporated into the site Physical Security Plan as provided for by 10 CFR ,
l 50.54(p)(2) and implemented. -
!
[ The following is from the applicable section of the Physical Secunty Plan j
(PS*), and a plant procedure: !
Section 4.4 of the PSP states that badge issuance and control are
described in site procedures.
Site Procedure SO123-XV-7, "Dmg and Alcohol Testing Program
L For Protected Area Access and Assignment to Emergency
l Operations Facility Duties"
Ste9 63 Processing Criteria for Unescorted Access and/or ;
EOF Duties
6.3.1 A badge granting unescorted access into the PA shall l
not be issued or EOF duties assigned until the Central ;
1
Processing Facility (CPF) has recordea aii
requirements aS Sat /Sfedincluding the fulfillment of a
drug and alcohol test within 60 days prior to the initial
granting of access and initiation of suitable inquiry.]
73.56(b) General performance objective and requirements.
- (1) The licensee shall establish and maintain an access authorization
i program granting individuals unescorted access to protected and vital areas
with the objective ofproviding high assurance that individuals
l granted unescorted access are trustworthy and reliable, and do not
l constitute an unreasonable risk to the health and safety of the public
!
including a potentid to commit radiological sabotage.
(2) Except as provided for in paragraphs (c) and (d) of this section, the
unescorted access authorization program must include the following:
4
-
5
?! "d 10:11 86. pg das $252-892-606:xPJ SdIUJJU 938 803 DfN
. .
. . . - _ . - _ . _ - - . . - - - . - -.. . - -- -.
- ,
l
,
I
(i) A background investigation designed to identify past .
actions which are indicative of an individual's future reliability j
within a protected or vital area of a nuclear power reactor. As a
mmimum, the background investigation must verify an individual's
employment history, education history, credit history, criminal
history, military service, and verify an individual's character and
reputation.
. (ii) Apsychological assessment designed to evaluate the . !
I
l possible impact of any noted psychological characteristics which
may have a bearing on trustworthiness and reliability.
4
(iii) Behaviorat o6servation, conducted by supervisors and
management personnel, designed to detect individual behavioral
changes which, ifleft unattended, could lead to acts detrimental to
the public health and safety.
(3) The licensee shall base its decision to grant, deny, revoke, or continue
an unescorted access authorization on review and evaluation of all I
pertinentinformation developed.
Applicable NRC Guidance on 10CFR73/ Access Authorization
.
Enforcement Policy, Supplement m - Safeguards
C. Severity Level m - Violations involving for example:
7. A failure to perform an appropriate evaluation or background
investigation so that information relevant to the access determination was
not obtained or considered and as a result a person, who would likely
-
not have been granted access by the licensee, if the required investigation
or evaluation had been performed, was gramed access;...
Enforcement Manual, Section 8.3.2, " Access Control"
The severity level of an access control violation is determined by: (1) the case of
exploitation of the vulnerability including its predictability and the ease of passage
created by that violation, (2) the intent of the intruder, and (3) the combined
integrity of both protected area and vital area / material access area barriers..
i
! 6
l
CI ' A 70:II P6. pg das C;><u-Ro?-6P6: xe - g31e1+j egy ag3ml
.
.,
I
i
.
l
\
l
l
The intent of the intruder must also be considered. Unauthorized intrusions
by licensee employees without malicious intent are not by themselves
ofsignificant concern...
Assessment of 10CFR73 Implementation
Although the example in the Enforcement Policy, Supplement III, may appear relevant,
the incident at SONGS was caused by a random human error (data entry keystroke
error mnde by CSP), and therefore, unescorted access was not granted based on
informadon "not obtained or considered" by SCE.
Section 8.3.2 of the Enforcement Manual provides guidance on activities addressed in
Supplement III of the Enforcement Policy. The individual granted unescorted access did
not display any malicious intent as evidenced by the fact that the individual I
completed his assigned work assignment in an acceptable manner. The individual did not j
have access to vital areas, and the integrity of both protected area and sital area / material l
access area barriers was not compromised. The root cause ofthe violation was a
random isolatedpersonnel error (cognitive). The error was not
predictable and could not likely be exploited.
Neither the regulations nor any of the applicable regulatory guidance documents appear to
provide any performance criteria for assessing whether the program implementation meets
the applicable acceptance standard of ensuring "high assurance. " The FFD and
Access Authorization programs in place on March 9,1998 (and today), appear to provide
"high assurance." This conclusion is supported by the fact that, since implementing
corrective actions for an Access Authorization /FFD violation in 1995,7193 security
badges have been processed at SONGS. The incidem a March 9,1998, that was caused
by a random human error, is the only example where an inappropriate individual was
\ granted a security badge. This represents a success rate of 99.9%, which
meets or exceeds the regulatory requirementforproviding "high"
assurance.
i As a comparison,10CFR73.55(a) requires that the onsite physical protection system
I provide high assurance that activities invoiving speciaa nuciear materiai are not inimical
to the common defense and security and do not constitute an unreasonable risk to the
public health and safety. Regulatory Guide (RG) 5.44," Perimeter Intrusion Alarm
Systems," provides performance testing criteria for determining the acceptability of the
Protected Area intrusion Detection System (IDS), a part of the physical protection
system. The RG specifies that the IDS must be able to detect intruders with at least a
90% probability with 95% confidence. Although no similar type of performance criteria
was found for measuring the acceptability of the FFD or Access Authorization programs,
l
,
,
7
9I 'd 20:II 86. pg das $252-89E-6P6:xed S'd Idddd 933 303 U N
. . . .. .- - .- - - - - - . --
)
)
- -
1
9
4
1
the aforementionedprogram success rate of 99.9% meets or exceeds the
regulatory guidancefor satisfying a "high assurance" performance
,
standartl
1
Mitigating Factors to be Considered:
There is substantial evidence that the individual who was inappropriately granted
unescorted access was not under the influence of drugs, or impaired, on March 9 or .
March 10;
,
4
NUREG/CR-5227, " Fitness for Duty in the Nuclear Power Industry: A Review of
Technical Issues," pages, vii, 5-1 and 5-2, note that dmg levels in the urine do not
provide information about impairment.
The CSP who interacted with the individual on March 9,1998, are instructed to
look for, and document, any unusual behavior. These CSP did not identify any
behavior to indicate that the suspect individual was impaired.
The suspect individual completed and received passing test scores for the required
Site Access and Fitness For Duty trabing courses, within hours prior to taking the
drug test.
While working in the PA on March 10, the individual was apparently accompanied
the majority of the time by other unescorted contract workers and/or SCE
employees who had received supervisory level training in recogmzmg aberrant
behavior. All individuals who have been identified as being with the individual
whil; h the PA have stated that they did not observe any anusual or aberrant ,
behavior. !
The physician in charge of the laboratory that performed the confirmatory testing i
I
indicated (during a telephone call with SCE) that, based on the confirmatory drug
test results, and the fact that the individual demonstrated no unusual or aberrant
behavior, it was his medical opinion that the individual was not likely impaired on
March 9,1998.
The individual did not have access to any vital areas,
The root cause of the violation was a random isolatedpersonnet error (cognitive);
it was not willful, repetitive, or indicative of a programmatic breakdown. Since
implementing corrective actions for a FFD/ Access Authorization violation in 1995, SCE
processed 7193 security badges, with this being the only badge that was issued to an
inappropriate person. This constitutes a program success rate of 99.9%.
8
J I 'd EO:IT 86, tg das SdSd-892-6tr6: xP3 S810330 93d 803 U N
.
.- - - . - - .. --. . _- . _ _ . - - - . _ - _ . _ _ - - . - _
.. ,.
II. Regulatory Assessment
A review and assessment of the applicable regulations and regulatory guidance associated with the
FFD and Access Authorization programs, and of SCE's procedures for these programs that were
in place on March 9,1998, would lead to the conclusion that the incident did not involve a
violation ofthe regulations. The inappropriate granting of a security badge to a contract
worket involved an unintentionalrandom human error (data entry keystroke error), .
which in itself is not a violation of federal regulations. The basis for this conclusion is
summarized below.
10CFR26 and 10CFR73.56 provide the regulatory requirements for FFD and Access
Authorization programs respectively. 10CFR26.10 requires that the FFD program provide
reasonabze assurance that nuciear power giant personnei are not under the ineuence of
illegal substances.10CFR73.56 requires that the Access Authorization program provide high
assitrance that individuals granted unescorted access are tmstworthy and reliable, and do not
constitute an tinreasonable risk to the health and safety of the public. These regulations also
describe the speciSc elements that must be included in each program. For example,10CFR26.24
specifies that the FFD program must include chemical testing within 60 days prior to granting any
individual unescorted access to the PA, and 10CFR73.56(b)(2) requires that the Access
Authorization program include a background investigation, psychological assessment, and
behavioral observation.
Neither the regulations nor any of the applicable regulatory guidance documents appear to
provide any performance criteria for assessing whether the program implementation meets the
applicable acceptance standards of ensuring " reasonable assurance" and "high
assurance. " Nevertheless, both citations clearly eliminate " perfection" as the
regulatory standard
The FFD and Access Authorization programs in place on March 9,1998 (and today). appear to
p'rovide both " reasonable assurance" and "high assurance." This conclusion is supported by the
fact that, since implementing corrective actions for an Access Authorizatio VFFD siolation in
1995,7193 security badges have been processed at SONGS. The incident on March 9,1998, that
was caused by a random human error, is the only example where an inappropriate individual was
granted a security badge. This represents a success rate of 99.9% A 99.9% program
success rate meets or exceeds the regulatory requirementfor providing
" reasonable"and "high" assurance.
- As a comparison,10CFR73.55(a) requires that the onsite physical protection system provide
high assurance that activities involving special nuclear material are not inimical to the common
defense and security and do not constitute an unreasonable risk to the public health and saferv.
l
9
!
_ - -__ - _ - _-__ _ _-_ _ __ _ __ - __
_ - _ _ _ _ _ - _ - _ _ _ ,
- .
Regulatory Guide (RG) 5.44, " Perimeter Intrusion Alarm Systems," provides performance testing
criteria for determining the acceptability of the Protected Area Intrusion Detection System (IDS),
a part of the physical protection system. The RG specifies that the IDS must be able to detect
intruders with at least a 90% probability with 95% confidence. Although no similar type of
performance was found for measuring the acceptability of FFD or Access Authorization
programs, the aforementionedprogram success rate of 99.9% meets or exceeds the
regulatory guidancefor satisfying a "high assurance" performance standard
In addition to the discussion above, the following information is provided to further demonstrate
that the incident that occurred on March 9,1998, did not involve a violation of the regulations:
With regard to FFD program violations, the Enforcement Manual, Section 7.4.1, notes
that it is not the unfitperson that establishes the violation, but rather it is the
licensee's failure to implement the program. On March 9 and 10,1998, all aspects of the
FFD and Access Authorization programs were reasonably implemented. The error that
resulted in issuing the security badge to an inappropriate individual was an unintentional
random human error, and a program was in place that met or exceeded (99.9%) the
regulatory standards of " reasonable assurance"and/or "high assurance. ".
Further, there is substantial evidence to suggest that the individual inappropriately granted
unescorted access was not impaired during pre-access dmg testing or while in the PA on
March 10,1998. This evidence includes the following: (1) within hours prior to taking the
drug test, the person passed examinations for 2 courses required as part of satisfying
badging requirements; (2) personnel who interacted with and accompanied the individual
on both days indicated that the individual displayed no unusual or aberrant behavior; and
(3) the physician in charge of the HHS certified laboratory that processed the confirmatory
urine analysis provided a medical opinion that the individual was not likely impaired on
March 9.
Notwithstanding the above discussion, thefollowing is an assessment to
demonstrate that, even ifit is concluded that a violation occurred, the incident on
March 9,1998, appears to satis.[v the criteria in the Enforcement Policy, Section
VH.B.1, andin Enforcement Guidance Memorandum 98-006for a Noncited
Violction.
Factors Supperting Noncited Violation (Enforcement Policy and EGM 98-006):
The violation was self-idenn)7ed.
The CPF Supenisor, while reviewing a repon of pending security badges with the
CSP, identified that a security badge had been issued that had pending dn2g test
results.
10
. . . ,.. ~, _,e c.cu w o c.vo; eum a x n-'a wNI
.. . ._ _ _ . _. _ __. . . ... _ . . - . _ _ _ . - _ _ _ _ _ _ _ _ _ _ _ . _ - .
.
Da er
.
The v'oladon could not reasonably be expected to have been prevented by the
licensee's correctin actionfor aprevious violation or a proious licenseefinding that
occurred within thepast 2 years or thepast 2 inspections.
SCE received a Level IV violation in 1995 when three individ als were granted
unescorted access before the results of the pre-access dmg tea were processed.
This violation had a different root cause, and the corrective actiors could not
reasonably have been expected to prevent the current violation.
.
It was or will be corrected within a reasonable time. including immediate currective
aedon and comprekansin correcdu action to pment recurnace.
The individual's badge was terminated, and the individual was esconed out of the
PA.
The T2000 computer program has been modified such that the " Submittal" and
"Results" screens now utilize different codes for the result field.
The T2000 computer program has been modified such that information can not be
entered on a " Result" screen until a " Submittal" screen has been congleted.
In addition to de T2000 modifications, a hardcopy form is now provided to badge
issuing personnel nulicating the results of the FFD pre-access requirements have
been verified, prior to badge issuance.
The violation was not willful
The root cause of this violation was a random isolatedpersonnel error
(cognitive).
!
.
,
3
i
11
!
1
1 .. . .. .. ._ ;__ _ . _ . . ~ . . . _ . . . . . . . . . . _ , . . . - , , ~ .
i
-