ML20207F986

Forwards AEOD/E603, Delayed Access to Safety-Related Areas During Plant Operation, Engineering Evaluation Rept. Suggests Issuance of IE Info Notice to Remind Licensees of Key Control Provisions in Remote Shutdown Procedures
Person / Time
Issue date: 02/20/1986
From: Hebdon F
NRC OFFICE FOR ANALYSIS & EVALUATION OF OPERATIONAL DATA (AEOD)
To: Vollmer R
NRC OFFICE OF INSPECTION & ENFORCEMENT (IE)
References
AEOD-E603, NUDOCS 8607220654


Text

FEB 20 1986

AEOD/E603

MEMORANDUM FOR: Richard H. Vollmer, Deputy Director, Office of Inspection and Enforcement

FROM: Frederick J. Hebdon, Deputy Director, Office for Analysis and Evaluation of Operational Data

SUBJECT: DELAYED ACCESS TO SAFETY-RELATED AREAS DURING PLANT OPERATION

Enclosed is an AEOD Engineering Evaluation Report concerning several recent events of delayed access to safety-related areas because of security, radiological protection or administrative provisions. Although the events described in the report were of no immediate safety consequence and would not alter previous safety analyses, one event at Limerick Unit 1 involved the failure to transfer a set of equipment or compartment keys to the remote shutdown panel during a preplanned test. This event, which was not security-related, could have been prevented by improved procedures for remote reactor shutdown operations. To remind licensees of the need for adequate key control provisions in their remote shutdown procedures, we suggest that the Office of Inspection and Enforcement consider issuing an information notice to describe the Limerick event and the lessons which were learned from the experience.

If you or your staff have any questions concerning the enclosed Engineering Evaluation Report, please contact Ted Cintula of my staff on extension 24434.

Frederick J. Hebdon, Deputy Director Office for Analysis and Evaluation of Operational Data

Enclosure: As Stated

cc: w/enclosure
E. Jordan, IE
J. Sniezek, D/ROGR
E. Rossi, IE
J. Davis, NMSS
R. Baer, IE
R. Burnett, NMSS
G. Holahan, NRR

DISTRIBUTION: PDR, AEOD SF, ROAB SF, ROAB CF, TCintula, SRubin, KVSeyfrit, KBlack, WLanning, CHeltemes, Jr.

NUDOCS 8607220654 860220

Concurrence block (offices ROAB, BC:ROAB, SC:ROAB, D:AEOD, DD:AEOD; names TCintula:as, SRubin, KVSeyfrit, FHebdon, CHeltemes; dates in February 1986, individual days not legible in the scan). OFFICIAL RECORD COPY

AEOD ENGINEERING EVALUATION REPORT 1/

UNIT: VARIOUS LWRs
EE REPORT NO.: AEOD/E603
DOCKET NO.: VARIOUS LWRs
DATE: February 19, 1986
LICENSEE: VARIOUS LWRs
EVALUATOR/CONTACT: T. Cintula
NSSS/AE: VARIOUS

SUBJECT: DELAYED ACCESS TO SAFETY-RELATED AREAS DURING PLANT OPERATION

EVENT DATES: VARIOUS EVENT DATES IN 1985

SUMMARY

Several recent events of delayed access to vital areas because of security, radiological protection or administrative provisions were reviewed to determine the impact on plant operational safety. The events did not occur during a plant emergency; therefore, they were of no immediate safety consequence and would not alter previous safety analyses. The recent delayed access events were of sufficiently short duration that had they occurred during an actual emergency, operator actions very likely could have been taken inside the affected compartment in time to prevent a significant degradation of plant safety margins. However, one event at the Limerick plant, described in this report, involved delayed local operator actions because plant procedures did not include provisions for having a set of equipment or compartment keys available at the remote shutdown panel during a remote shutdown demonstration.

This procedural deficiency will be prevented from recurring as a result of improvements implemented in the planning and procedures for remote shutdown operations. To remind licensees of the need for adequate key availability during remote shutdown operations, it is suggested that IE issue an information notice describing the lessons learned from the Limerick experience.

INTRODUCTION

The requirements for physical protection and access control systems for high radiation and safety-related areas and protected equipment in the nuclear power plants are defined in 10 CFR Parts 20 and 73 respectively. All operating reactors are subject to these regulatory requirements, and their respective radiological protection and security plans have been approved by the NRC.

Generally, the control systems installed at the nuclear power plants involve site-specific designs. This variation necessitates that licensees develop and implement plant-specific procedures related to these systems. The lack of standardization in plant security systems and related procedures has led to a regulatory concern that security arrangements may in some instances be too inclusive and restrictive, which potentially could adversely affect plant safety. That is, plant security arrangements may not have been adequately considered in emergency procedures at all facilities. In addition, administrative or radiological protection provisions may potentially adversely affect the ability of the plant operators to take timely corrective action during a plant emergency.

1/ This document supports ongoing AEOD and NRC activities and does not represent the position or requirements of the responsible NRC program office.

The NRC staff's concern of the possible adverse impact of security on safety led to publication of NUREG-0992, "Report of the Committee to Review Safeguards Requirements at Power Reactors," in May 1983 (Ref. 1). In this report, the committee could not identify any significant safety problems associated with security requirements. However, the committee found that the potential for plant security arrangements adversely affecting plant safety did exist to varying degrees among licensees and was caused by site-specific procedures rather than NRC requirements. As a result of NUREG-0992, IE Information Notice No. 83-36, "Impact of Security Practices on Safe Operations," was issued to all nuclear plant licensees on June 9, 1983. The information notice informed licensees of the potential problem areas and the possible alternatives to the possibly overly restrictive site-specific practices discussed in NUREG-0992.

On October 19, 1984, Generic Issue No. 81, "Impact of Locked Doors and Barriers on Plant and Personnel Safety" (Ref. 2), received a priority rating of "Drop." The task review group for this issue concluded that the mechanical failure of the locks used for doors and barriers, together with a personnel error, were low probability events. In any case, the review group concluded that the locks and barriers could easily be defeated or bypassed in an emergency provided enough time was available to take the necessary steps.

More recently, the NRC staff report (Ref. 3) on the loss of main and auxiliary feedwater event, which occurred at the Davis-Besse plant on June 9, 1985, documented a concern expressed by an equipment operator, who had been dispatched to the AFW pump room during the emergency, to manually reopen two auxiliary feedwater (AFW) valves. The operator knew that there were several locked doors, which would have to be opened to reach the valves. The plastic key card, which he brought from the control room, also had been known to break and fail. The operator had not obtained a set of 'hard' (metal) keys to open the locked doors. The operator knew that he would not be able to gain immediate access to the AFW room if his key card or any of the card readers malfunctioned. As it turned out, the key card and computerized card reader system functioned properly and the operator experienced no delay in entering the AFW pump room.

Nevertheless, the potential existed for delayed or denied access caused by the plant security systems. Accordingly, the event at Davis-Besse renewed concerns regarding the validity of the previous NRC findings and conclusions related to the potential for the plant security features to cause unacceptable delays in operator actions during a plant emergency. As a result, the Office of Nuclear Reactor Regulation initiated a limited scope study to re-evaluate the effect of security features (locked doors, locked equipment, etc.) on the operator's ability to gain timely access to vital equipment outside the control room in accordance with emergency procedures.

During the time period immediately prior to and following the Davis-Besse event, through the routine screening of operational data and Licensee Event Reports (LERs), the Office for Analysis and Evaluation of Operational Data also became aware of a number of incidents in which access to safety-related areas was denied to authorized plant personnel during normal operations. In each of these incidents, access was denied as a result of a problem with the access control system or procedures. Although none of the events affected the operational safety of the plant (since an emergency situation did not exist), it may have been possible that operational safety could have been affected under other circumstances. To assess the safety implications of the recent incidents, an investigation and review for each of the events was conducted.

The following paragraphs provide the results of this study.

DISCUSSION

Operating Experience

On April 15, 1985, with Limerick Unit 1 in cold shutdown, the hourly fire watch of a switchgear room could not be performed within the one-hour time period allotted by the technical specifications. The area could not be inspected until 39 minutes after the one-hour technical specification limit had expired.

The delay was caused by an unplanned security computer outage that prevented access to the switchgear room. Plant security personnel responded to the computer outage by established procedures to assure proper security at other predetermined locations and in doing so did not respond in a timely fashion to the fire watch request. The delay was likely prolonged because of inadequate communications between the fire watch and security personnel.

On June 23, 1985, a fire watch patrol at the same unit could not make an inspection of the 'B' diesel generator bay within the one-hour time limit required by the plant technical specifications. The patrol was delayed by a failed card reader at the entrance to the diesel generator bay. The plant's security force was aware that the card reader had failed and had posted personnel to ensure adequate security for the vital area. However, contrary to established procedures, the individual involved did not sign out and bring the hard key needed to unlock the door to the bay. Accordingly, the fire watch could not gain access to the area within the allotted time.

On June 22, 1985, an hourly fire watch patrol at the Sequoyah Nuclear Power Station was unable to enter five safety-related areas and one of the equipment buildings at the two unit site. The fire watch patrol could not gain access because a new security computer system was being programmed and the program for card reader access had not been properly modified in time for the hourly fire watch. Reprogramming was subsequently completed and the next hourly fire watch was successfully performed.

On July 3, 1985, with Palo Verde Unit 1 in Mode 3, the hourly fire watch patrol could not gain timely access to an area because the card reader would not accept the plastic card of the fire watch patrol. At Palo Verde, the security system computer had malfunctioned earlier and had been re-initialized prior to the event. In the past, the security system computer had occasionally reinitiated with a few expired program access codes on a random basis after an outage. As a consequence, in this case, the computer did not recognize the imprinted code on the fire watch's plastic key card. The individual on the fire watch contacted security to inform them of the need to enter the area.

The security officer arrived 11 minutes after the fire watch patrol was scheduled to be in this area. The security officer did not respond earlier because he was responding to other calls of a similar nature. To prevent delays of this type from recurring, the security staff was informed of the need to make fire watch patrol access to vital areas a high priority. Security was also counseled on the requirement that they respond to calls within a prescribed time frame.

On July 18, 1985, because the fire detection system and various fire rated doors were inoperable at the Shoreham Nuclear Power Station, hourly fire watch patrols were initiated. During their rounds, the hourly fire watch patrol could not gain entry to either the heating, ventilation, and air conditioning (HVAC) or chiller equipment rooms, because of a problem with a latch mechanism which prevented opening of the door leading into the HVAC equipment room. The defective latch mechanism prevented the firewatch's key card and hard key from opening the door. Because the latch mechanism would have to be replaced under any circumstance, a decision was made to force the door open. By the time a crowbar was obtained and the door was pried open, the fire watch patrol was 30 minutes late in performing the inspection. Most of the time delay in gaining entry into the room was consumed waiting for arrival of the watch engineer and discussing the door opening methods that would result in minimal damage to the door.

On September 24, 1985, with Unit 1 of the Byron Generating Station at 91% power, an outage of the station's security computer necessitated issuing vital area keys to the fire watches to allow them to continue their rounds. After being issued a hard key, the fire watch became delayed when his key became stuck in the lock of a vital area door. The station's security program requires that vital area doors be continuously attended when they are not capable of being locked or when the key is in the lock. This required the fire watch to remain at the door until he could be relieved. The lack of station communications equipment (i.e., a phone or a pager) in the vicinity of the door prevented the firewatch from summoning assistance until other station personnel entered the area. When another security person entered the area, the fire watch patrolman explained the situation. The fire watch resumed his rounds when he was subsequently relieved at the door by another security force member, but he was now 25 minutes late. It was determined that the lock would be replaced by a more reliable model and hand held radios would be issued to all fire watch patrols to improve communications.

Two other recent events (Ref. 4) have raised some concern regarding the potential for delayed access to safety-related areas during an emergency condition. One event occurred at San Onofre 1 on November 21, 1985, and the other occurred at Rancho Seco on December 26, 1985. Evaluation of both of these events is the responsibility of separate incident investigation teams. Although no operator delays actually occurred in either event, the potential for delayed operator response due to security interfaces that might occur under different circumstances has been identified. The results of these evaluations will be described in reports documenting the findings of the investigating teams and are not addressed further in this study.

Finally, on September 11, 1985, control operators at Limerick Unit 1 (Ref. 5) were in the process of conducting a "Remote Reactor Cooldown Demonstration" from the remote shutdown panel as part of a scheduled test in their startup test program. A plant shutdown and subsequent cooldown to cold shutdown conditions from the remote shutdown panel would be required in the event that the control room becomes uninhabitable and must be evacuated. The shutdown and cooldown evolutions were being conducted from the remote shutdown panel while the control room and its nearby offices were assumed to be uninhabitable.

During the cooldown evolution, the reactor core isolation cooling (RCIC) system was manually initiated to control reactor pressure and to make up inventory to the reactor vessel. Although the RCIC system successfully initiated, its injection valve did not open automatically because of a high differential pressure across the valve disc. The injection valve also would not manually open remotely from the panel. Accordingly, the operating crew performing the test decided to dispatch an operator to the equipment compartment to manually open the valve locally.

The RCIC injection valve is located in the steam tunnel room immediately outside primary containment. This room is designated as a high radiation area, and the key needed to enter the room is controlled by the Health Physics (HP) Department. A separate key to this compartment was not provided in the remote shutdown panel area for the test. The operators were also aware that they had not transferred a set of compartment or equipment keys from the control room to the remote shutdown panel for the remote shutdown test.

To gain entry into the steam tunnel room, the operating crew contacted the Health Physics Department. The operators requested that a health physics technician obtain a key to the steam tunnel room door and that he meet the equipment operator with the key at the locked door. Approximately 15 minutes elapsed before the HP arrived at the steam tunnel room. The key which the HP brought did not open the door lock, however. The HP technician had brought the wrong key and he returned to the HP offices to obtain the proper key.

During the time that the operating staff was waiting for the RCIC injection valve to be opened, adequate makeup to the vessel was being supplied by a control rod drive pump. The reactor core was generating very little decay heat and the boiloff rate was very low.

The HP technician returned after a few minutes with the correct key and the steam tunnel room door was opened. The operator quickly located the RCIC injection valve in the room, but found that the manual handwheel on the valve motor operator was chained and locked in position. To manually open the valve would require opening the lock and removing the chain. The operator did not have a key to open the lock, however. The operating crew back at the remote shutdown panel also did not have a set of keys for the equipment locks. Bolt cutters were located in the reactor building and were brought into the equipment room. The chain securing the motor operator handwheel was cut open and removed and the RCIC injection valve was manually cracked open. This action equalized pressures across the valve seat, allowing the valve to be opened remotely from the remote shutdown panel. With the RCIC system injecting into the vessel, the test sequence was continued and the reactor was successfully brought to a cold shutdown condition.

Following completion of the test, the procedures for shutting the plant down from the remote shutdown panel were to be revised to include steps which would ensure that all required room and equipment keys are brought from the control room to the remote shutdown panel should the plant have to be shutdown from the remote shutdown panel.

Analysis of Operating Experience

The task review group for Generic Issue No. 81 (mentioned in the introduction to this report) considered the likelihood of mechanical failure of the locks used for doors and barriers in nuclear plants to be of the order of 10E-6 2/ (or 10E-4 to be conservative) per demand (Ref. 3). Personnel error (e.g., a lost key or a wrong key) was estimated to be of the order of 10E-3 per demand.

Both kinds of failures were judged to be recoverable within no more than 15 minutes. Failures of locked doors or barriers that led to delays of 15 minutes or less were considered by the task review group to be of limited safety significance because irreversible sequences leading to core uncovery would require considerably more time than a 15-minute time delay. In any case, the review group concluded that even in the event that a lock failed or a key was inaccessible, steps could be taken to quickly defeat the lock by physically destroying it with readily available tools, such as drills, crowbars, hammers, etc. With this perspective as a backdrop, each of the events discussed in the previous section was assessed to determine whether it involved time delays and operator responses which were consistent with the data and conclusions presented by the task review group. The events were also reviewed to determine if any of the events revealed significant circumstances which had not been fully considered by the review group.

Fire Watch Patrol Delays Caused by Faulty Key Card Systems

Among the events reviewed, the most frequent cause for delay in accessing safety-related areas involved the fire watch patrols and a problem with the central security computer or its remote card readers. A problem in either of these components leads to a loss of automated entry capability with the key card carried by fire watch personnel. In such an event, the fire watch involved must contact the security unit to gain entry into the vital area since fire watch personnel are not generally issued hard keys for routine firewatch tours. In most of the events, the firewatch was delayed in entering a vital area by more than 15 minutes, which the task review group used as the basis for concluding that denied access events were of minor safety consequence.

However, from a review of the limited actions actually taken by each firewatch patrol (subsequent to discovering that the card reader would not permit access), it is apparent that the most expeditious and forceful actions were not used to gain entry to the vital area. It would appear, therefore, that the events of delayed access experienced by firewatch patrols are not directly comparable to the kinds of events used or envisioned to establish the 15-minute time frame of the task review group.

In the case of a computer or card reader failure, discussions with licensee representatives for the plants involved in the events reviewed indicate that to avoid delays encountered by the firewatch, the control room operators are immediately notified (by procedure) of security system problems so that compensatory measures to gain access to vital areas can be taken by the operating personnel if the need arises. Emergency classification procedures are also used to determine required actions by plant personnel. In the event of a security computer malfunction, security personnel would typically be dispatched to stand watch at key locked vital area doors to control and permit access with hard keys. Hard keys would also be available to operating personnel to open all vital area doors, if needed, when a card reader or the security computer is not operational. Typically, a complete set of hard keys for all vital area door locks and equipment locks is readily accessible to control room personnel. Access to those keys is often under the control of the shift supervisor. Generally, several sets of keys are kept in a locked cabinet in the control building. The security unit also has a complete set of hard keys to open every locked door in the plant.

2/ 10E-6 denotes 10^-6, etc.

The issuance of hard keys is strictly controlled, accountable and permitted to be in an individual's possession for only a short period of time. The fire watch patrols have only a routine inspection function which does not justify the potential compromise of security by providing the fire watch patrol with hard keys. Therefore, the fire watch patrol is usually dependent on security personnel to gain access to areas denied by the computerized security system.

On the other hand, operations personnel have priority access and can successfully enter any vital area with one key card or one master hard key.

Hard keys are also issued to operating personnel under emergency conditions and when security malfunctions are known. Therefore, the relatively lengthy delays (i.e., greater than 15 minutes) experienced by the firewatch patrols in events involving faulty key card systems would not be representative of the (considerably shorter) time delays which plant operating personnel would be expected to experience in the event of an actual plant emergency.

Firewatch Patrol Delays Caused by Door Latch or Lock Problems

Of a potentially more serious nature were events in which the security computer card reader system would not permit personnel access and the compartment door would not function properly due to mechanical failures (i.e., the defective latch or lock mechanism of the vital area door). One event (i.e., at Shoreham) exceeded the 15-minute time period that the task review group judged to be an acceptable time frame for significant impact on safety. In the Shoreham event, the defective door latch was quickly pried open once the decision was made to forcibly gain access to the vital area. The effective time delay associated with this event would, therefore, appear to be consistent with and support the view that mechanical failures of locked doors or barriers do not result in time delays of greater than 15 minutes.

The event at Byron Unit 1, where firewatch schedules were not met because the firewatch could not leave a vital area with a key stuck in the door, also does not appear to conflict with the task review group's findings in either the time frame needed for rapid entry or the estimated probability for the failure of a locking device of a vital area door. In this event, the vital area door was capable of being opened at all times with the key lock. However, the door was not capable of being locked closed with the key removed from the door lock.

The time delay caused by the key not being removable from the lock resulted in a security problem rather than an operational safety problem.


Safety-Related Delays Caused by Inaccessibility of Hard Keys

Finally, the most serious event involving a time delay was the event at Limerick 1. In this event, the licensee failed to ensure that all necessary room and equipment keys were immediately available to the plant operating personnel. The event also brings into some question the validity of the conclusion reached by the task review group that local operator actions outside the control room can be completed in 15 minutes if required. In this event, the local actions of the operating staff (to open the RCIC injection valve) were dependent upon the availability and efficiency of another (i.e., a non-operations) department for entry into a vital area. The event involved a significant time expenditure to gain access to a locked compartment. First, since the operating staff did not have radiation protection keys available at the remote shutdown panel, and the control room was assumed to be uninhabitable, the operating crew arranged to have another (i.e., the HP) department obtain and bring the proper key to the compartment. Additional time was expended waiting for the HP to arrive at the locked room. The event description notes that it took 15 minutes just for the HP to arrive. Since the incorrect key was brought, additional time was required for the HP to retrace his steps to the key storage cabinet and to return with the proper key. Even after this additional time had elapsed, the needed system was still not operational because of an additional unforeseen delay caused by a chained and locked RCIC injection valve motor operator handwheel. A key for this lock was effectively unavailable (i.e., the key to the lock was not available at the remote shutdown panel and the equipment keys in the control room were considered inaccessible).

Therefore, except for the use of bolt cutters or possibly a hack saw, the potential existed for an indefinite further delay in taking the desired operator actions to make the RCIC injection valve operational. Furthermore, this sequence does not take into account the additional time delay which would be associated with evacuating the control room and setting up control operations at the remote shutdown panel. It would appear clear, therefore, that the 15-minute maximum time delay assumption can be ensured during remote shutdown operations only by making all required compartment and equipment keys available at the remote shutdown panel when necessary.

FINDINGS AND CONCLUSIONS

The recent events of delayed access to safety-related areas have not raised any new immediate safety concerns because the events did not occur during emergency conditions. In an emergency, with known security malfunctions, hard keys are generally available to all equipment operators to open any door leading to a controlled area and to unlock equipment within the compartment. The limited number of events found in the time span covered by this review appears to support the earlier conclusion that failures of the hard key together with unanticipated personnel errors are low probability events.

Although these recent events were not of immediate safety significance, it is apparent from the events collected that not all licensees may have developed adequate emergency procedures to resolve the concern of timely compartment or equipment access caused by plant security or radiological protection arrangements. One delayed access event involved the failure to provide a set of compartment and equipment keys at the remote shutdown panel during a shutdown test from the remote shutdown panel. This oversight resulted from inadequate pretest planning and administrative procedures. This particular procedural deficiency has, however, been addressed through revisions to the applicable plant-specific emergency procedures.

The fact that only one significant concern involving delayed access interfaces was identified during this limited review does not imply that other delayed access concerns might not exist. In this regard, it should be expected that the more comprehensive staff review which was recently initiated as a result of the Davis-Besse event of June 9, 1985 will provide further insights and conclusions on this subject.

SUGGESTION

Because all licensees may not recognize the importance of having a set of hard keys readily available to access safety-related equipment and areas during an emergency plant shutdown from the remote shutdown panel, it is suggested that the Office of Inspection and Enforcement consider issuing an information notice on the Limerick event and the lessons learned from their experience. The information notice should suggest that licensees review their procedures for key control provisions during emergency plant shutdown from the remote shutdown panel to ensure that all compartment and equipment keys will be readily accessible if needed.

REFERENCES

1. "Report of the Committee to Review Safeguards Requirements at Power Reactors," NUREG-0992, May 1983.
2. Memorandum, H. Thompson (DHFS) to H. Denton (NRR) dated October 19, 1984, "Schedule for Resolving and Completing Generic Issue No. 81 - Impact of Locked Doors and Barriers on Plant and Personnel Safety."
3. "Loss of Main and Auxiliary Feedwater Event at the Davis-Besse Plant on June 9, 1985," NUREG-1154, July 1985.
4. Private communications between T. Cintula (AEOD) and W. Lanning and F. Hebdon (AEOD).
5. Private communication between T. Cintula (AEOD) and D. Florek (Region I).
