EA-01-174 - Westinghouse Electric Company, LLC
August 31, 2001
Westinghouse Electric Company, LLC
Commercial Nuclear Fuel Division
ATTN: Mr. R. Monley, Columbia Plant Manager
P.O. Drawer R
Columbia, SC 29250
|SUBJECT:||WESTINGHOUSE PREDECISIONAL ENFORCEMENT CONFERENCE SUMMARY AND NOTICE OF VIOLATION (NRC SPECIAL TEAM INSPECTION REPORT 70-1151/2001-202)|
Dear Mr. Monley:
This refers to the Special Team Inspection conducted on May 24 - 30 at the Westinghouse Electric Company, LLC, facility in Columbia, SC. The purpose of the inspection was to review your actions in response to an event involving the failure of criticality safety controls on your Ammonium Diuranate (ADU) process lines. On May 21, 2001, Westinghouse safety staff determined that criticality safety controls on ADU process line 4 failed to function in accordance with license requirements following a controller fault. Westinghouse reported this event in accordance with NRC Bulletin 91-01 on May 22, 2001. The Special Team inspection report was forwarded to Westinghouse Electric Company, LLC, on July 16, 2001 and identified six apparent violations of NRC requirements. These apparent violations were clarified in a subsequent letter to Mr. R. Monley dated July 31, 2001.
On August 3, 2001, a predecisional enforcement conference was conducted at NRC Headquarters in Rockville, MD, with members of your staff to discuss the apparent violations, their significance, their root causes, and your corrective actions. A copy of the predecisional enforcement conference summary is enclosed.
Based on the information developed during the inspection and the information that you provided during the conference, the NRC has determined that violations of NRC requirements occurred. These violations are cited in the enclosed Notice of Violation (Notice) and the circumstances surrounding them are described in detail in the subject inspection report and NRC letter of July 31, 2001. The violations occurred when a Programmable Logic Controller controlling risk significant valves and interlocks on ADU Conversion Line 4 faulted and the valves and interlocks did not fail safe as required by the facility safety basis. The overall root cause of the event was determined to be weaknesses in design, verification, testing, and maintenance requirements in the existing design process for items relied on for safety.
The NRC considers these apparent violations significant because the simultaneous failure of numerous criticality safety controls by a common mode greatly increases the likelihood that a process upset could lead to an unacceptable accumulation of Special Nuclear Material. Also, reporting failures are significant because of the impact on the NRC emergency operations process. Since these violations resulted from the same root cause, the NRC is treating these as a single "problem" for the purpose of assigning a severity level and considering a civil penalty. In accordance with the "General Statement of Policy and Procedure for NRC Enforcement Actions" (Enforcement Policy), NUREG-1600, February 16, 2001, these violations may be considered as a Severity Level II problem. However, the NRC considered the following factors in assigning the severity level for this problem: plant conditions, activities, and controls (although not identified as items relied on for safety) functioned to prevent nuclear criticality; the potential consequences were considered to be moderate since the risk of criticality was mitigated by the non-credited process controls; and while you failed to notify the NRC operations center in a timely fashion, you did inform on-site NRC inspectors, which resulted in a minimal impact on the NRC's ability to carry out its statutory mission. Therefore, these violations are categorized collectively in accordance with the Enforcement Policy as a Severity Level III problem.
In accordance with the Enforcement Policy, a base civil penalty in the amount of $15,000 is considered for a Severity Level III problem at a category III fuel facility. Because your facility has not been the subject of escalated enforcement actions within the last 2 years, the NRC considered whether credit was warranted for Corrective Action in accordance with the civil penalty assessment process in Section VI.C.2 of the Enforcement Policy. Based on the inspection report and information you provided at the predecisional enforcement conference, the NRC has determined that your operations, engineering, and safety staff took immediate and effective action to halt operations and ensure that equipment was placed in a safe configuration when the problem was recognized. In addition, your comprehensive corrective actions included equipment modification and testing, improvement to your design verification process, improvements in the identification and control of items relied on for safety, incident response training, and sharing lessons learned information of generic potential safety and safeguards risk significance with other NRC fuel cycle facility licensees for their consideration to preclude similar safety and safeguards events/root causes at other facilities. The NRC concludes, therefore, that your corrective actions were prompt and credit is warranted for corrective action.
Therefore, to encourage prompt and comprehensive correction of violations, and in recognition of the absence of previous escalated enforcement action, I have been authorized, after consultation with the Director, Office of Enforcement, not to propose a civil penalty in this case. However, significant violations in the future could result in a civil penalty. In addition, issuance of this Severity Level III violation constitutes escalated enforcement action, that may subject you to increased inspection effort.
The NRC has concluded that information regarding the reason for the violations, the corrective actions taken and planned to correct the violation and prevent recurrence are adequately addressed on the docket in Inspection Report No. 70-1151/2001-202, dated July 16, 2001, and your presentation during the predecisional enforcement conference. Therefore, you are not required to respond to this letter unless the description therein does not accurately reflect your corrective actions or your position. In that case, or if you choose to provide additional information, you should follow the instructions specified in the enclosed Notice.
In accordance with 10 CFR 2.790 of the NRC's "Rules of Practice," a copy of this letter, its enclosure(s), and your response will be made available electronically for public inspection in the NRC Public Document Room or from the Publicly Available Records (PARS) component of NRC's document system (ADAMS). ADAMS is accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html (the Public NRC Library).
|Martin J. Virgilio, Director
Office of Nuclear Material Safety
Docket No. 70-1151
License No. SNM-1107
Enclosure: Notice of Violation
NOTICE OF VIOLATION
|Westinghouse Electric Company, L.L.C.
Columbia, South Carolina
|Docket No. 70-1151
License No. SNM-1107
During an NRC inspection conducted on May 24 - 30, 2001, violations of NRC requirements were identified. In accordance with the "General Statement of Policy and Procedure for NRC Enforcement Actions," NUREG-1600, February 16, 2001, the violations are listed below:
Safety Condition S-1 of the license states, in part, that the authorized use must be "...in accordance with statements, representations, and conditions in the license application dated April 30, 1995, and supplements dated August 4 and 25, September 25, 1995; August 30, 1996; July 14, 1997; name change amendment December 22, 1997; June 30, July 23, 1998; name change amendment September 28, 1998; August 16, 1999; and January 28, 2000."
|1.||Section 6.2.4 of the application, states,
in part, that "The Criticality Safety Evaluation process will be used
to identify the significant parameters affected within a particular
system. All assumptions relating to process/equipment/material theory,
function, and operation, including credible upset conditions, will
be justified, documented, and independently reviewed."
Contrary to the above, as of May 21, 2001, the licensee failed to justify, document and independently review its bounding assumptions for maintaining the minimum subcritical margin on Ammonium Diuranate (ADU) Conversion Line 4. Specifically, the licensee failed to justify, document, and independently review the performance characteristics of the Programmable Logic Controller (PLC) which controlled the valves on the process lines. The licensee incorrectly assumed that the PLC would fault to fail safe and, therefore, the valves would close.
|2.||Section 6.2.1 of the application, states, in part, that
"Nuclear criticality safety controls will be incorporated into the
process design criteria documentation. Prior to use in any process,
these controls will undergo a functional verification process. A program
for routine maintenance and testing will assure continued compliance."
In addition, Section 6.2.1(a) of the application also states, in part,
that "All equipment will be examined in the "as-built" condition to
validate the design and to verify the quality of the installation.
In addition, a functional test will be performed to verify that the
controls function as tested."
|a.|| Contrary to the above, as of May 21, 2001, the licensee
incorporated nuclear criticality safety controls into a process control
and the controls did not undergo a functional verification process
nor a functional test to verify that the controls function as tested.
Specifically, the licensee operated five ADU process lines until May
21, 2001, without performing adequate functional verification to assure
that multiple active engineered criticality safety controls matched
design criteria requiring valve closure upon PLC fault.
|b.||Contrary to the above, as of May 21, 2001, the licensee failed to
have a program for routine maintenance and testing to assure continued
compliance of nuclear criticality safety controls. Specifically, the
licensee failed to have a program of routine maintenance and testing
to assure that multiple active engineered criticality safety controls
matched design criteria requiring valve closure upon PLC fault.
|3.||Section 6.2.1 of the application, states, in part, that
"The Double Contingency Principle (ANSI/ANS-8.1-1983 (Rev. 1988))
will be the basis for design and operation of processes..."
Section 6.2.4(c.2) of the application, states, in part, that "The minimum protection will be that two independent barriers preventing moderator from entering the system must fail before the system can be compromised."
|a.||Contrary to the above, on May 21, 2001, the licensee failed to have
two independent barriers preventing moderator from entering the system.
Specifically, four valves on ADU Conversion Line 4 were credited as
providing at least two independent barriers preventing moderator from
entering the system. The four valves were controlled by a single PLC.
The PLC was not programmed to fault to a fail safe condition and,
on May 21, 2001, the PLC failed to cause the four credited valves
on ADU Conversion Line 4 to close as required following a process
upset on ADU Conversion Line 4.
|b.||Contrary to the above, on May 21, 2001, the licensee failed to have
two independent barriers preventing moderator from entering the system
when ADU Conversion Line 4 was restarted. Specifically, ADU Conversion
Line 4 was shut down following a process upset in which a PLC failed
to shut four valves, as required to provide two independent barriers
preventing moderator from entering the system. The PLC was reset and
ADU Conversion Line 4 was restarted, but the PLC failure had not been
|4.||Section 3.4.1 of the application, states, in part, that
"Operations to assure safe, compliant activities involving nuclear
material will be conducted in accordance with approved procedures."
Section 2.0 of Licensee procedure RA-107, Revision 10 (dated March 29, 2001), titled "Internal Reporting, and NRC Notification of Unusual Occurrences", states, in part, "All Columbia plant operations and activities shall be performed in compliance with written, approved operating procedures and in conformance with all regulatory and safety requirements. Any deviation from these procedures and/or requirements shall be reported immediately to team managers and, for safety-significant deviations, to Regulatory Affairs. Further, safety-significant events involving an inability to follow a procedure, or a process upset, shall be reported immediately to team managers and to Regulatory Affairs." On November 4, 1999, the licensee renamed the Regulatory Affairs section the Environment, Health and Safety section.
Contrary to the above, on May 21, 2001, a process upset was not immediately reported by employees to the licensee Environment, Health and Safety section. The PLC on ADU Conversion Line 4 faulted at approximately 8:00 am, causing an upset of the ADU conversion process. At approximately 8:30 am, Conversion Line 4 was restarted and the Environment, Health and Safety section had not been notified of the process upset. At approximately 10:30 am, the process upset was reported to the Environment, Health and Safety section.
|5.||Pages 3.18 and 3.19 of Section 3.7.3 of the application
states, in part, that "...the NRC Operations Center will be notified
of the following types of incidents, within the time limits prescribed...(b)
4-Hour Notifications...(b.4) any unanticipated/unanalyzed nuclear
criticality safety incident for which the severity and remedy are
not readily determined."
Contrary to the above, on of May 21, 2001, an unanticipated nuclear criticality safety incident for which the severity and remedy were not readily determined was not reported to the NRC Operations Center within 4 hours. Specifically, the faulting of the PLC resulted in an unanticipated nuclear criticality safety incident (i.e., an incident involving the failure to maintain double contingency) that was reported to the licensee safety personnel at 1030. A report of the PLC failure and resulting nuclear criticality safety incident was made to the NRC Operations Center at 2004, greater than 4 hours (i.e., approximately 9.5 hours) after it was identified to licensee safety personnel.
This is a Severity Level III problem (Supplement IV).
The NRC has concluded that information regarding the reason for the violations, the corrective actions taken and planned to correct the violation and prevent recurrence and the date when full compliance was achieved is already adequately addressed on the docket in Inspection Report No.70-1151/2001-202, dated July 16, 2001 and your presentation during the predecisional enforcement conference. However, you are required to submit a written statement or explanation pursuant to 10 CFR 2.201 if the description therein does not accurately reflect your corrective actions or your position. In that case, or if you choose to respond, clearly mark your response as a "Reply to a Notice of Violation," and send it to the U.S. Nuclear Regulatory Commission, ATTN: Document Control Desk, Washington, DC 20555 with a copy to the Regional Administrator, Region II, within 30 days of the date of the letter transmitting this Notice of Violation (Notice).
If you contest this enforcement action, you should also provide a copy of your response, with the basis for your denial, to the Director, Office of Enforcement, United States Nuclear Regulatory Commission, Washington, DC 20555-0001.
If you choose to respond, your response will be made available electronically for public inspection in the NRC Public Document Room or from the Publicly Available Records (PARS) component of NRC's document system (ADAMS). ADAMS is accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html (the Public NRC Library). Therefore, to the extent possible, the response should not include any personal privacy, proprietary, or safeguards information so that it can be made available to the Public without redaction.
In accordance with 10 CFR 19.11, you may be required to post this Notice within two working days.
Dated this 31st day of August 2001