Resolution of Generic Safety Issues: Issue 81: Impact of Locked Doors and Barriers on Plant and Personnel Safety (Rev. 4) (NUREG-0933, Main Report with Supplements 1–34)
DESCRIPTION
Historical Background
In October 1982, the EDO appointed the Committee to Review Safety Requirements at Power Reactors (CRSRPR) to review NRC security requirements at nuclear power plants with a view toward evaluating the impact of these requirements on operational safety. Overall, the CRSRPR did not identify any clear operational safety problems associated with implementation of the NRC's security requirements. However, the Committee found that there was the potential for security measures at a site to adversely affect safety and issued its recommendations in a report[621] to NMSS on February 28, 1983. In view of one of the findings in this report, a DL/NRR memorandum[542] was issued on May 31, 1983, identifying this issue and suggesting that a multi-disciplinary group be convened to perform an integrated assessment of the potential safety problem associated with locked doors and barriers, with DHFS/NRR in the lead coordinating role. Based on the responses to the memorandum, DL reported[623] that a consensus supported the creation of the multi-disciplinary group to gather the necessary information and prepare a scope of the issue for appropriate consideration. This approach was approved[624] and a DL memorandum[625] to DHFS formally initiated action on this matter.
The multi-disciplinary group held its first meeting on February 28, 1984, and issued a report on June 8, 1984.[626] Inasmuch as a proposed rule (SECY-83-311)[627] specifically designed to address the security barrier issue had been prepared independently and IE Information Notice No. 83-3628 also had been issued, the work of the group was limited to non-security barriers.
The proposed rule[1436] was eventually adopted and stated that "the NRC is amending its regulations to provide a more safety conscious safeguards system while maintaining current levels of protection." Regulatory changes included: (1) permitting suspension of security based upon 10 CFR 50.54(x) and (y); (2) requiring the access authorization system to be designed to accommodate the potential need for rapid ingress and egress of individuals during emergency conditions or situations that could lead to emergency conditions; and (3) ensuring prompt access to vital equipment by periodically reviewing physical security plans for potential impact on plant and personnel safety. The rule was implemented with Regulatory Guide 5.65[1438] and Generic Letter 87-08,[1437] which addressed the issuance of vital area keys to operations personnel. At the time of this evaluation, NRR (Reactor Safeguards Branch) indicated that almost all licensees were in compliance with Regulatory Guide 5.65[1438] and Generic Letter 87-08[1437] and had implemented mechanical key overrides for electronically controlled access doors. The rulemaking resulted in security plan amendments which increased the focus on plant and personnel safety.
Subsequent to the above work, a main feedwater pipe rupture event at the Surry plant (see Issue 139, "Thinning of Carbon Steel Piping in LWRs") caused the failure of a security card-reader located approximately 50 feet from the break point. The failure was caused by intrusion of water and steam that saturated the card-reader. As a result, key cards could not be used to open plant doors. The control room doors were opened to provide access to the control room, and security personnel were assigned to the control room to provide access security. One operator was temporarily trapped in a stairway because of the card-reader failure. Electric override switches were later installed to remedy this problem. Because of the failure of the security card-reader during the Surry event, the staff determined that Issue 81 should be expanded to include potential electric door lock failures and reevaluated to determine whether the previous priority ranking (DROP) should be changed.[1163]
Safety Significance
The possible failure of locked doors and barriers that may be required for fire protection, radiation protection, flood protection, and administrative controls is of special concern during abnormal or accident situations when emergency conditions may require prompt and unlimited access of the plant operators to safety equipment in order to assure proper plant shutdown. This issue was applicable to all operating and future plants.
Possible Solutions
An evaluation of each plant's locked doors and barriers might be required, and appropriate procedural and hardware changes may have to be made, to establish that operator access is unimpeded during emergency, abnormal, or accident conditions and that prompt operator action, as required, is possible.
PRIORITY DETERMINATION
In the event of an accident, failure of the electronic card-reader access control system (ACS) could impede operator actions outside the control room that are required for recovery, for example: (1) locally overriding a failed component; (2) replacing or repairing a failed component; or (3) realigning valves to bypass a failed pump or clogged pipe. If the card-reader ACS fails, the operator's passage through the controlled door is impeded.
Even if the ACS fails, there is a high probability that the plant will have a mechanical key override or that the locks will fail open. The study conducted by the CRSRPR estimated that a majority of plants did not have problems with ACS computer failure, either because the doors fail open, because mechanical key overrides are available, or because the number of controlled areas is small.[621] An NRR review of plant safeguards found only one plant without a mechanical key override on ACS-controlled doors, and at that plant the locks failed open. Based on these data, a probability of 0.01 was assumed for the absence of a working key override, covering lost or misplaced keys, mechanical failure of the override, or failure of an electronic ACS to fail open when so designed.
Assuming the worst case (i.e., the operator has no means other than defeating the lock), the effect of impeded operator action was estimated, assuming that action begins soon after the accident is initiated. The time between accident initiation and the onset of core damage was calculated for critical minimum cutsets in WASH-1400.[16] Studies have also estimated the time required to defeat a locked door, such as the Access Delay Technology Transfer Manual (SNL report SAND87-1926/1 VC-525, June 7, 1989); these showed that the lock on a typical access door in a commercial nuclear power plant could be defeated in less than 6 minutes with hand tools. The number of doors that would have to be unlocked can also be estimated: the CRSRPR study found that, on average, operators starting from the control room must pass through three doors to perform routine surveillance.[621] Routine surveillance requires access to most areas of the plant, whereas operator actions in response to an equipment failure require access to a specific location. Assuming that three doors must be passed is therefore probably conservative, even for plants that require more than three controlled doors to be passed for routine maintenance.
Based on typical door construction at nuclear power plants, as given in the SNL report, the time to penetrate a door with hand tools (e.g., a large screwdriver or crowbar) was determined to range from no delay to 6 minutes. The maximum time required to obtain tools, starting from the control room, was estimated at 5 minutes. These estimates yield a minimum of 5 minutes (tools only, no delay at the doors) and a maximum of 23 minutes (5 minutes for tools plus 6 minutes at each of three doors) for breaking through three doors. These times were arbitrarily taken as the 10% and 90% points on a success-probability curve, with linear interpolation between these points and the end points of 0% success at time zero and 99% success at one hour. From this curve, the probability of successful performance within a given time to core damage can be estimated. The curve was used only to estimate the probability that three locked doors can be defeated before core damage begins for a given accident sequence, given the unknown construction of locked doors in the average plant and the unknown availability of tools. For this evaluation, every sequence in which core damage would begin more than one hour after initiation was assumed to reach core damage at one hour. This is conservative, since almost every sequence requires more than one hour before core damage and/or containment failure begins. A detailed analysis of each accident scenario would be required to determine the point at which a given action becomes futile.
In order to estimate the probability that the card-reader will fail during a plant transient or similar event, data from NUREG/CR-5580[1588] were reviewed. That report details 138 incidents of advertent or inadvertent fire protection system (FPS) actuation, only one of which resulted in failure of the electronic ACS. On this basis, an ACS failure probability of 0.01 was assumed. Although this estimate may be close to the actual failure rate for a scenario like station blackout, it is probably conservative for most other scenarios. (In addition, the harsh-environment criterion was considered by NRR in the licensing of new plants, and the ABWR design incorporates features to prevent a failure at one station from affecting the rest of the system.)
Scenarios that require operator action outside the control room are included in most PRAs. The quantification of those scenarios usually includes the probability that the operator will fail to respond properly and in a timely manner to an equipment malfunction or other problem. The effect of ACS failure on operator actions can be included in these terms by increasing the operator error probabilities used in the existing PRAs by an amount equal to the combined probability of card-reader failure, key override unavailability, and operator inability to break through the doors before core damage begins. These data are presented in Table 3.81-1. However, because this table does not include individual sequences that may have a significantly greater chance of impeded operator action, a parametric study was performed to determine how variation in those estimates affects the probability of core damage. The results of this study are presented in Table 3.81-2 and discussed below. In addition, a review of the interfacing systems LOCA (ISLOCA) accident scenarios for three typical plants (investigated in a separate program) indicated that only one of the three plants had a minimum cutset that included an operator action outside the control room, and that action had an alternate action inside the control room.
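The screening arithmetic above (the piecewise-linear door-defeat curve, the one-hour cap, and the independence product that yields the "Product" column of Table 3.81-1) is reconstructed below as an added worked example; it is not part of NUREG-0933. The curve points and the 0.01 factors are taken from the text. The times to core damage for the WASH-1400 sequences are not given on this page, so the example recovers the time-to-core-damage that each published "Delay Exceeds Limits" value implies by inverting the curve; those implied times are a derived consequence of the model, not source data.

```python
"""Reconstruction of the Issue 81 screening model (added example, not NRC code).

Assumptions labelled here: the success-probability curve points, the
independence of the three terms, and the 0.01 factors come from the text.
The per-sequence times to core damage are NOT on the page; they are
inferred by inverting the curve from the table's delay probabilities.
"""

# (minutes after accident initiation, P(three locked doors defeated by then)),
# as described in the Priority Determination: 0% at t=0, 10% at 5 min,
# 90% at 23 min, 99% at 1 hour, linear in between.
CURVE = [(0.0, 0.0), (5.0, 0.10), (23.0, 0.90), (60.0, 0.99)]

P_ACS_FAILS = 0.01       # card-reader ACS fails (1 of 138 FPS actuations, rounded up)
P_OVERRIDE_FAILS = 0.01  # no usable mechanical key override / lock does not fail open


def p_doors_defeated(t_min: float) -> float:
    """P(operator has broken through three doors within t_min minutes).

    Linear interpolation between the fixed points. The text caps every
    sequence at one hour, so times beyond 60 min are treated as 60 min.
    """
    t = min(max(t_min, 0.0), CURVE[-1][0])
    for (t0, p0), (t1, p1) in zip(CURVE, CURVE[1:]):
        if t0 <= t <= t1:
            return p0 + (p1 - p0) * (t - t0) / (t1 - t0)
    raise ValueError(t_min)


def p_delay_exceeds_limit(t_core_damage_min: float) -> float:
    """'Delay Exceeds Limits': doors not defeated before core damage begins."""
    return 1.0 - p_doors_defeated(t_core_damage_min)


def time_for_delay_probability(p_delay: float) -> float:
    """Invert the curve: time to core damage at which P(delay exceeds) == p_delay."""
    target = 1.0 - p_delay
    for (t0, p0), (t1, p1) in zip(CURVE, CURVE[1:]):
        if p0 <= target <= p1:
            return t0 + (t1 - t0) * (target - p0) / (p1 - p0)
    raise ValueError(p_delay)


def p_impeded(p_delay: float, p_acs: float = P_ACS_FAILS,
              p_override: float = P_OVERRIDE_FAILS) -> float:
    """Table 3.81-1 'Product': ACS failure, override failure and delay treated as independent."""
    return p_acs * p_override * p_delay


# 'Delay Exceeds Limits' column of Table 3.81-1, as published on the page.
TABLE_3_81_1_DELAY = {"V": 0.12, "S2D": 0.08, "AH": 0.02, "TMLB": 0.01}


def reconstruct_table() -> dict:
    """Product column plus the time-to-core-damage each delay value implies."""
    return {
        seq: {
            "product": p_impeded(p_delay),
            "implied_t_core_damage_min": time_for_delay_probability(p_delay),
        }
        for seq, p_delay in TABLE_3_81_1_DELAY.items()
    }


def value_impact_score(risk_reduction_man_rem: float, total_cost_musd: float) -> float:
    """S = man-rem averted per $M, the ratio tabulated in Table 3.81-3."""
    return risk_reduction_man_rem / total_cost_musd


if __name__ == "__main__":
    for seq, row in reconstruct_table().items():
        print(f"{seq:5s} product={row['product']:.1e} "
              f"implied time to core damage={row['implied_t_core_damage_min']:.1f} min")
```

The inversion makes the one-hour cap visible: a delay probability of 0.01 (the TMLB row) is exactly the 99%-at-60-minutes end point, i.e. that sequence is one the evaluation treated as reaching core damage at one hour, while the V row implies a time to core damage of roughly 22.5 minutes, just inside the 23-minute 90% point.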
Frequency Estimate
In order to calculate the increase in core-melt frequency, the minimum cutsets from existing PRAs for Oconee 3 and Grand Gulf 1 were taken to represent the ideal condition of no effect of locked doors on operator recovery for PWRs and BWRs, respectively. This was a reasonable assumption, since the scenario of card-reader failure was probably not considered in these early PRAs and was not discussed in the NSAC reports on them. The effect of the card-reader ACS failure was studied[64] parametrically by PNL by calculating the total increase in CDF for a corresponding increase in the probability of any event that models failure of operator action. This probability of operator failure was increased by 0.0001, 0.0005, 0.001, 0.01, and 0.1. The increment was added to all existing parameters in minimum cutsets that represented failure of necessary operator actions outside the control room; such actions appear in all minimum cutsets, not only the four listed in Table 3.81-1. The results of this study are presented in Table 3.81-2.
Although the maximum probability calculated in Table 3.81-1 is 1.2 x 10^-5, the range of values for the parametric study started at 10^-4. However, 1.2 x 10^-5 was believed to be a conservative estimate of the maximum increase in operator failure probability, because the events listed in Table 3.81-1 were chosen for their rapid onset of core damage. Events that take several hours or more to reach core damage will probably be minimally affected by impeded operator access, because the operators will have more time to gain access. Therefore, including these events in the calculation of the increase in CDF was conservative.
Consequence Estimate
The increase in public risk was an output of the PRA and is also shown in Table 3.81-2. Corresponding values for total public exposure were calculated based upon the estimated number of operating and future plants (90 PWRs and 44 BWRs) with remaining lives of 28.8 and 27.4 years, respectively. As expected, the increase in both core-melt frequency and public risk was negligible at the expected level of operator impairment (10^-4), but became significant at unrealistic levels of impairment (10^-1). These calculations contain the implicit assumption that core damage will occur in no more than one hour for all events.
Cost Estimate
Based on the deliberations of the multi-disciplinary group, the cost to evaluate and make modifications to each plant and its procedures was estimated to be approximately $1.1M/plant.[626] This cost was based on the following factors:

| Cost Factor | Cost |
|---|---|
| (1) A one-time evaluation of existing plant locked doors and barriers | $200,000 |
| (2) Resolution of adverse safety findings [the cost of maintaining keys for a security force of 24 per plant was estimated to be $21,000/reader;[627] training for security and operational personnel, based on 50 operators and security personnel for 1 day/year/plant over the lifetime of the plant (28 years), was assumed to be (1/365)(50)(28)($100,000) = $391,232] | $400,000 |
| (3) Ongoing program to ensure future reduction of safeguards impact on safety ($10,000/year for an average reactor lifetime of 28 years) | $280,000 |
| (4) NRC reviews of plant modifications | $200,000 |
| TOTAL | $1,080,000 |

Table 3.81-1
Estimated Probability of ACS Failure to Prevent Operator Action

| Event(4) | ACS Fails(1) | Override Fails(1) | Delay Exceeds Limits(2) | Product(3) |
|---|---|---|---|---|
| V | 0.01 | 0.01 | 0.12 | 1.2 x 10^-5 |
| S2D | 0.01 | 0.01 | 0.08 | 0.8 x 10^-5 |
| AH | 0.01 | 0.01 | 0.02 | 0.2 x 10^-5 |
| TMLB | 0.01 | 0.01 | 0.01 | 0.1 x 10^-5 |

Notes
1 - Estimated
2 - Calculated, assuming a limit of 1 hour for all sequences
3 - Based on assumed independence of ACS failure, override failure, and delay of the operator until core damage initiates
4 - Minimum cutset accident sequences from WASH-1400:[16]
V - LPIS check valve/system failure
S2D - 0.5" to 2.0" LOCA combined with loss of ECCS injection
AH - Medium to large LOCA and failure of ECCS recirculation
TMLB - TMI sequence

Table 3.81-2
Calculated Increase in Core-Melt Frequency and Public Exposure

| Operator Failure Probability(1) | PWR Core-Melt Frequency (x 10^-5/RY) | PWR Increase (x 10^-5/RY) | BWR Core-Melt Frequency (x 10^-5/RY) | BWR Increase (x 10^-5/RY) | Public Dose Increase (man-rem) |
|---|---|---|---|---|---|
| Base Case | 1.408 | - | 2.475 | - | - |
| 0.0001 | 1.411 | 0.003 | 2.482 | 0.007 | 5.2 x 10^2 |
| 0.0005 | 1.425 | 0.017 | 2.509 | 0.034 | 2.6 x 10^3 |
| 0.001 | 1.442 | 0.034 | 2.543 | 0.068 | 5.2 x 10^3 |
| 0.01 | 1.754 | 0.35 | 3.149 | 0.674 | 5.2 x 10^4 |
| 0.1 | 4.968 | 3.6 | 9.216 | 6.74 | 5.2 x 10^5 |

Note
1 - Increase in the probability that the operator will fail to perform the recovery action within the necessary time because of card-reader ACS failure and locked doors.
These estimates could be high for a plant that was in substantial compliance with the recommendations in Generic Letter 87-08[1437] and Regulatory Guide 5.65.[1438] However, because the estimated safety benefit for these plants would be a decrease in CDF significantly less than 10^-5, these plants would not meet the substantial additional protection criterion of the backfit rule (10 CFR 50.109).
Value/Impact Assessment
The value/impact assessment is presented in Table 3.81-3.
Table 3.81-3
Value/Impact Assessment
| Probability Increase | Total Cost ($M) | Risk Reduction (man-rem) | S (man-rem/$M) | Priority Ranking |
|---|---|---|---|---|
| 0.0001 | 150 | 5.2 x 10^2 | 3.5 | DROP/LOW |
| 0.0005 | 150 | 2.6 x 10^3 | 17 | LOW |
| 0.001 | 150 | 5.2 x 10^3 | 35 | LOW/MEDIUM |
| 0.01 | 150 | 5.2 x 10^4 | 350 | MEDIUM/HIGH |
| 0.1 | 150 | 5.2 x 10^5 | 3500 | HIGH |
Other Considerations
(1) The most probable effect of locked doors on reactor safety was believed to be an increase of less than 0.0001 in the probability that the operator fails to leave the control room and perform the actions required for recovery. This corresponded to a priority rating on the borderline between Drop and Low. Even if this estimate were inaccurate by an order of magnitude, the corresponding priority ranking would be on the borderline between Low and Medium.
(2) Even with a conservative assumption regarding the impact of ACS failure on the probability of preventing operator recovery action, the issue would not satisfy the requirements of the backfit rule (10 CFR 50.109). Specifically, it was stated in SECY-91-270[1439] that, with limited exceptions, a reduction in CDF of at least 10^-5 was needed to satisfy the substantial additional protection criterion of that rule. However, Table 3.81-2 shows that, even with the probability of operator failure due to ACS failure as high as 10^-2, the change in core-melt frequency does not reach this value. Further, as shown in Table 3.81-1, the best estimate of the increase in the probability of operator failure is in the range of 10^-5.
(3) This evaluation was not intended to address the effect of locked doors on worker safety in an operating plant. A nuclear power plant has many inherently dangerous materials which may present a significant hazard to untrained personnel, but do not significantly affect the ability of the plant to safely shut down in the event of an accident or transient. While it was recognized that these dangers pose legitimate concerns, it is beyond the authority of the NRC to regulate working conditions other than radiological hazards.
(4) The consequence and cost estimates described above were based on a remaining life of 28.8 years and 27.4 years for PWRs and BWRs, respectively, consistent with the original 40-year license period. If it were assumed that 75% of the plants will have their licenses extended for an additional 20 years, the remaining life would be increased by 15 years. This would have very little impact on the value/impact assessment described above.

