United States Nuclear Regulatory Commission - Protecting People and the Environment

Information Notice No. 97-78: Crediting of Operator Actions in Place of Automatic Actions and Modifications of Operator Actions, Including Response Times

                                 UNITED STATES
                         NUCLEAR REGULATORY COMMISSION
                     OFFICE OF NUCLEAR REACTOR REGULATION
                         WASHINGTON, D.C.  20555-0001

                               October 23, 1997


NRC INFORMATION NOTICE 97-78:  CREDITING OF OPERATOR ACTIONS IN PLACE OF
                               AUTOMATIC ACTIONS AND MODIFICATIONS OF
                               OPERATOR ACTIONS, INCLUDING RESPONSE TIMES


Addressees

All holders of operating licenses for nuclear power reactors except those who
have permanently ceased operations and have certified that fuel has been
permanently removed from the reactor vessel.

Purpose

The U.S. Nuclear Regulatory Commission (NRC) is issuing this information
notice to alert addressees to a recent increase in the number of licensees
that have implemented changes to their facilities or operations that may
inappropriately credit operator actions in place of automated system or
component actuations.  Licensees have also altered operator actions, including
response times, previously described in their licensing bases.  Often these
changes are implemented without adequate consideration of human performance
issues that might affect the acceptability of such changes.  In certain cases,
the NRC has pursued enforcement actions against licensees that failed to
adequately justify the changes.  It is expected that recipients will review
the information for applicability to their facilities and consider actions, 
as appropriate, to avoid similar problems.  However, suggestions contained in
this information notice are not NRC requirements; therefore, no specific
action or written response is required.  

Description of Circumstances

The following are recent examples of licensees' changes to facilities or
operations that credit operator actions in place of automated system or
component actuation.  The examples also include instances of licensees
altering operator actions, including response times, that were previously
evaluated.

    Prairie Island 

In June 1995, the licensee performed a service water system operational
performance self-assessment .  The assessment raised an issue concerning the
capability of the seismically qualified emergency intake line to provide
sufficient water following an earthquake for the safety-related cooling water
pumps.  Specifically, the preoperational test did not verify adequate flow
through the line at low river design levels, and no calculations were
performed to correlate test results to design conditions.

9710230271.                                                            IN 97-78
                                                            October 23, 1997
                                                            Page 2 of 5


In November 1995, the licensee performed a special test of the emergency
intake line and determined that, at normal river levels, it did not meet the
final safety analysis report  (FSAR) design flow requirements.  Engineering
analysis determined that design flow was not achievable at low river levels. 
The licensee entered the appropriate technical specification (TS) limiting
condition for operation (LCO) and applied compensatory measures.  The licensee
then prepared an operability determination and a safety analysis to resolve
the issue and exit the LCO.

On the basis of the safety analysis, the licensee specified operator actions
to isolate certain nonessential cooling water loads.  Additionally, in order
to provide sufficient time for the operators to take the required actions, the
licensee altered the design basis by assuming that the nonseismic intake canal
would be available for at least an hour following the earthquake and that the
river low level would not occur during that hour.

In December 1995, the NRC reviewed the licensee's safety analysis and
determined that the licensee's actions constituted a change to the design
basis for coping with an earthquake.  The NRC concluded that an unreviewed
safety question (USQ) existed because the licensee took credit for (1) the
availability and use of the nonseismic canal, which was not previously
evaluated in the FSAR, and (2) operator actions to isolate nonessential
cooling water loads, which could have introduced unanalyzed failure modes
through operator acts of omission or commission.  The NRC staff determined
that these operator errors could have created an accident or a malfunction not
previously evaluated in the FSAR or could have increased the probability of a
malfunction of equipment important to safety.  As a result, the NRC took
escalated enforcement action against the licensee and a civil penalty was
issued.

    Salem Unit 2

The NRC conducted a special inspection between March 24 and April 17, 1997, at
the Salem Unit 2 facility to examine the emergency core cooling system (ECCS)
semiautomatic switchover and related residual heat removal (RHR) system flow
issues.  During the inspection, the NRC identified issues associated with
drain down of the refueling water storage tank (RWST) and the switchover of
the ECCS from the injection mode to long-term recirculation cooling.

A semiautomatic switchover of the ECCS was proposed for Unit 2 between 1983
and 1986 in response to questions that arose during the original licensing
process.  Discrepancies in the conceptual design were resolved between 1986
and 1989, and the NRC approved the conversion from fully manual operation to
semiautomatic operation as part of an amendment to the Unit 2 TS.  The Unit 2
ECCS switchover scheme was required to ensure continued suction to the high-
head (charging) and the intermediate-head safety injection (SI) pumps and to
provide uninterrupted flow of ECCS water to the core.  The semiautomatic
evolution involves automatic valve positioning and more than 10 manual
operator actions, beginning when the RWST low-level alarm is reached.  The
RWST low-level alarm setpoints were established such that a certain amount of
time was available (after receiving the low-level alarm) for operators to
complete the switchover.  Assuming that all of the actions are successfully
performed, the Unit 2 switchover would be completed before the charging and
the SI pump suctions are aligned to the RHR pump discharge.. 
                                                            IN 97-78
                                                            October 23, 1997
                                                            Page 3 of 5


In a March 1996 change to the Emergency Operating Procedures (EOPs), the
licensee implemented an essentially new switchover design.  The change
resulted in shorter required response times by operators and, in certain
cases, interruption of flow to the core.  This modification changed the
licensing basis previously approved by the NRC.

The licensee's new switchover design, which assumed a total of 11.3 minutes
available for operator action to switch over following a small-break loss-of-
coolant accident, constituted a change to the operation of the facility as
described in the FSAR.

In April 1997, the NRC reviewed the modified switchover design and determined
that the changes constituted a USQ.  The issues associated with the USQ were
described in Information Notice 97-60, "Incorrect Unreviewed Safety Question
Determination Related to Emergency Core Cooling System Swapover From the
Injection Mode to the Recirculation Mode," dated August 1, 1997.  The NRC also
found that the licensee had not adequately justified the proposed changes. 
Specifically, the licensee did not have adequate empirical evidence to support
the reduced time available to the operators in the most limiting case, that
is, when the RWST to the RHR pump suction valve failed to close automatically.

Although the licensee's EOPs provide contingency actions to deal with the
failure of the RWST-to-RHR-pump-suction valve to close, the licensee's
simulator was not capable of modeling such a failure, and the crew evaluations
to support the modified timeframe for switchover did not model or account for
these additional contingency actions.  Also, the licensee's analysis failed to
consider credible operator errors of omission or commission that could affect
overall operator response time in carrying out the switchover evolution.

The NRC determined that the change in required operator response time
constituted a USQ because it (1) could have created a situation in which the
operators did not have sufficient time to complete required actions or could
introduce the possibility of credible performance errors that have the
potential for increasing the consequences of an accident or a malfunction of
equipment important to safety previously evaluated in the FSAR, (2) could have
created a different type of accident or malfunction than that previously
evaluated in the FSAR, or (3) could have reduced the margin of safety.

Discussion

The original design of nuclear power plant safety systems and their ability to
respond to design-basis accidents were described in licensees' FSARs and were
reviewed and approved by the NRC.  Most safety systems were designed to rely
on automatic system actuation to ensure that the safety systems were capable
of carrying out their intended functions.  In a few cases, limited operator
actions, when appropriately justified, were approved.  Proposed changes that
substitute manual action for automatic system actuation or modify existing
operator actions, including operator response times, previously reviewed and
approved during the original licensing review of the plant will, in all
likelihood, raise the possibility of a USQ.  Such changes must be evaluated
under the criteria of 10 CFR 50.59 to determine whether a USQ is involved and
whether NRC review and approval is required before implementation.  A licensee
may not make such changes before it receives approval from the NRC when the .                                                            
															   IN 97-78
                                                            October 23, 1997
                                                            Page 4 of 5


change, test, or experiment may (1) increase the probability of occurrence or
the consequences of an accident or a malfunction of equipment important to
safety previously analyzed in the FSAR, (2) create the possibility of an
accident or a malfunction of a different type than any previously evaluated in
the FSAR, or (3) reduce the margin of safety as defined in the basis for any
TS.  In the NRC staff's experience, many of the changes of the type described
above proposed by licensees do involve a USQ.
    
In those instances where licensees consider temporary or permanent changes to
the facility which credit operator actions, the NRC has relied on the guidance
provided in Generic Letter (GL) 91-18, Revision 1, "Resolution of Degraded and
Nonconforming Conditions and on Operability," and ANSI/ANS 58.8, "Time
Response Design Criteria for Safety Related Operator Actions," 1984 (ANSI-
58.8), for evaluating such changes.  GL 91-18, Rev. 1 discusses the
appropriateness of temporary use of operator action in place of automatic
action and states, in part, that:

      ...it is not appropriate to take credit for manual action in place
      of automatic action for protection of safety limits to consider
      equipment operable.  This does not preclude operator action to put
      the plant in a safe condition, but operator action cannot be a
      substitute for automatic safety limit protection. ...Although it
      is possible, it is not expected that many determinations of
      operability will be successful for manual action in place of
      automatic action.  ...[Such changes] are expected to be a
      temporary condition until the automatic action can be promptly
      corrected in accordance with 10 CFR Part 50 Appendix B,
      Criterion XVI, "Corrective Action."

ANSI-58.8 provides estimates of reasonable response times for operator
actions; however licensees may use time intervals derived from independent
sources provided they are based on analyses with consideration given to human
performance.  ANSI-58.8 also states that, 

      Nuclear safety-related operator actions or sequences of actions
      may be performed by an operator only where a single operator error
      of one manipulation does not result in exceeding the design
      requirements for design basis events.

Based on these guidelines, the NRC's reviews of licensees' analyses typically
include, but are not limited to, (1) the specific operator actions required;
(2) the potentially harsh or inhospitable environmental conditions expected;
(3) a general discussion of the ingress/egress paths taken by the operators to
accomplish functions; (4) the procedural guidance for required actions;
(5) the specific operator training necessary to carry out actions, including
any operator qualifications required to carry out actions; (6) any additional
support personnel and/or equipment required by the operator to carry out
actions; (7) a description of information required by the control room staff
to determine whether such operator action is required, including qualified
instrumentation used to diagnose the situation and to verify that the
required action has successfully been taken; (8) the ability to .                           
								                               IN 97-78
                                                            October 23, 1997
                                                            Page 5 of 5


recover from credible errors in performance of manual actions, and the
expected time required to make such a recovery; and (9) consideration of the
risk significance of the proposed operator actions.

If the staff or the licensee has determined that a change, test or experiment
involves a USQ, it does not imply that the action is unacceptable; it only
means that it requires NRC's review and approval before implementation.  In
determining whether a USQ is involved from a human performance perspective,
the overriding focus should be on the implications of what is being proposed. 
Just because a change alters the description in the FSAR, it does not always
mean that a USQ is involved.  What is considered is how the change could
affect the plant's systems and the operator's ability to respond to plant
transients, as well as the potential to introduce new and different accidents
and malfunctions not foreseen during the initial licensing of the plant.  For
instance, the NRC recently reviewed a licensee's modification to its post
accident sampling system (PASS), which increased the number of operator
actions required to place the system in service.  Although the change modified
the system as described in the FSAR, the NRC concluded that the change did not
constitute a USQ because (1) failure of the operator to perform the additional
steps correctly would have a negligible effect on the consequences of an
accident (i.e., the system did not have a direct role in accident mitigation
nor was it needed for maintaining the plant's critical safety functions),
(2) a malfunction of the PASS equipment would not restrict the operator's
ability to respond to the accident or to obtain information provided by the
PASS because other sampling methods remained available, and (3) misoperation
of the system would not potentially reduce the margin of safety.

This information notice requires no specific action or written response.  If
there are any questions about the information in this notice, one of the
technical staff listed below or the appropriate Office of Nuclear Reactor
Regulation (NRR) project manager may be contacted.


                                          signed by D.B. Matthews for

                                    Jack W. Roe, Acting Director
                                    Division of Reactor Program Management
                                    Office of Nuclear Reactor Regulation

Technical contacts:  Greg S. Galletti, NRR
                     301-415-1831
                     E-mail:  gsg@nrc.gov

                     Eric J. Benner, NRR
                     301-415-1171
                     E-mail:  ejb1@nrc.gov

Attachment:  List of Recently Issued NRC Information Notices


Page Last Reviewed/Updated Tuesday, December 03, 2013