Information Notice No. 84-58: Inadvertent Defeat of Safety Function Caused by Human Error Involving Wrong Unit, Wrong Train, or Wrong System
SSINS No.: 6835
IN 84-58
UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF INSPECTION AND ENFORCEMENT
WASHINGTON, D.C. 20555
July 25, 1984
Information Notice No. 84-58: INADVERTENT DEFEAT OF SAFETY FUNCTION
CAUSED BY HUMAN ERROR INVOLVING WRONG
UNIT, WRONG TRAIN, OR WRONG SYSTEM
Addressees:
All nuclear power reactor facilities holding an operating license (OL) or
construction permit (CP).
Purpose:
This information notice is provided as a notification of potentially
significant problems pertaining to inadvertent defeat of safety functions
caused by human errors involving the wrong unit, wrong train, or wrong
system. It is expected that recipients will review and consider actions, if
appropriate, to preclude similar problems occurring at their facilities.
However, suggestions contained in this information notice do not constitute
NRC requirements and, therefore, no specific action or written response is
required.
Description of Circumstances:
A large number of reports have been made to the NRC that describe events in
which safety functions were inadvertently defeated as a result of actions
performed on the wrong unit of a multi-unit plant, the wrong train of
systems with redundant trains, or a wrong system. In many cases, the loss of
safety function was not recognized for a long period of time, resulting in
significant degradation of the levels of safety. An example of each type of
event, caused by human error involving the wrong unit, wrong train or wrong
system, is described below. A sample listing from among at least 50 reports
of other similar events that have occurred is contained in Table 1.
On October 2, 1983, an operator was dispatched to lock closed a manual valve
on the discharge side of each of the redundant containment spray pumps for
Turkey Point Unit 3. The activity was required by the procedure for
proceeding from hot to cold shutdown in preparation for a refueling outage.
The operator, instead of closing the Unit 3 valves, locked closed the valves
for Unit 4 which was operating at power. Subsequent to this activity, there
was a change in operators. The replacement operator later went to the Unit 3
containment spray pump discharge valves and closed them as he found them to
be open. He was
8407230079
.
IN 84-58
July 25, 1984
Page 2 of 3
unaware that the Unit 4 valves were closed. It was over a day later before
the licensee's technical staff discovered the Unit 4 valves to be locked
closed during a monthly periodic test of the containment spray system.
Hatch Unit 2 was operating at 100% power on August,17, 1982, with the "B"
loop of the residual heat removal service water system (RHRSWS) out of
service for maintenance. While removing "B" loop from service, the personnel
tasked with closing the "B" loop strainer inlet valve inadvertently closed
the "A" loop strainer inlet. This resulted in the total loss of RHRSWS and,
thus, the residual heat removal (RHR) system including the postaccident heat
removal capability.
On February 7, 1984, the FitzPatrick plant was operating at full power when
the high-pressure coolant injection (HPCI) system was intentionally tagged
out of service to permit general maintenance and modification of the
overspeed trip. Tagging out the HPCI system included closing of the motor
operated steam supply valves, and racking out the breakers for the valves
and oil pumps for the turbine. Before removing HPCI from service, other
safety systems were demonstrated operable as required by the Technical
Specifications. As a part of the maintenance, technicians were assigned to
calibrate the HPCI turbine speed indication which involved disconnecting the
speed feedback circuit and thus disabling the HPCI system regardless of any
other actions. After completing the calibration on what they thought to be
the HPCI turbine speed instrumentation, the technicians reported that the
as-found tolerance was over 40% higher than the procedure limit. When the
responsible supervisor initiated an investigation of the as-found tolerance,
it was discovered that the technicians had calibrated the reactor core
isolation cooling (RCIC) speed instrumentation instead of the HPCI
instrumentation. This activity had resulted in loss of RCIC with HPCI
unavailable.
Discussion:
A review of the inadvertent defeat of safety function events including those
cited above and summarized in Table 1, indicates that many events were
highly significant from the standpoint of safety and others would have been
significant if they had occurred under different circumstances. The review
also indicates that misidentification of equipment by personnel was the
primary cause of most events. Other events were caused by inadequate
planning, defective procedures, or defective labeling of equipment. Although
not the primary cause, design error or failure to perform adequate
verification of activities was a contributing factor in some events.
In the Turkey Point event, the operator had access to the wrong unit because
the access keys were the same for the two units. Also, the valves had
identical identification tags for both units. The operator did not carry the
tag out sheet with him and thus did not sign it for completion of the
activity. Later, the replacement operator closed the correct valves. The
closed valves on the operating unit were not discovered for over 28 hours
because no verification of the activities was performed. Following the
event, the procedural and administrative deficiencies were corrected. A
walkdown of the accessible portions of all safety-related flow paths was
performed to verify that all valves were in correct positions, the locks for
the two units were color coded, and different keys were made for the locks
of the two units.
.
IN 84-58
July 25, 1984
Page 3 of 3
The Hatch Unit 2 event was attributed to personnel error and lack of
adequate independent verification. As a part of corrective actions, new
identification tags were made and locks were changed so that the, keys for
valves in one loop will not open the valves in the other loop. In addition,
the personnel responsible were counseled and reprimanded.
The FitzPatrick loss of RCIC event with HPCI out of service was caused by
personnel error. Following the event, the licensee instituted an awareness
program for the technicians in addition to improving the identification of
HPCI and RCIC equipment.
Adequate procedures, planning, labeling, awareness and training of
personnel, and an independent verification program are needed to prevent the
occurrences of such events. The frequency and number of such events being
reported to the NRC indicates a need for further industry action in these
areas. Additional guidance on independent verification programs is provided
in Information Notice No. 84-51, "Independent Verification."
If you have any questions regarding this matter, please contact the Regional
Administrator of the appropriate NRC regional office or this office.
Edward L. Jordan Director
Division of Emergency Preparedness
and Engineering Response
Office of Inspection and Enforcement
Technical Contact: R. Singh, IE
(301) 492-8068
Attachment
1. Sample List of Recent Inadvertent
Defeat of Safety Function Events
2. List of Recently Issued IE Information Notices
.
IN 84-58
July 25, 1984
Page 1 of 1
Table 1: Sample List of Inadvertent Defeat
of Safety Function Events
Plant/Date Event Summary
D.C. Cook An auxiliary equipment operator was
03/14/81 instructed to deenergize breakers for five
motor operated valves of the Unit 2 safety
injection system. He instead deenergized the
breakers of five Unit 1 valves.
Calvert Cliffs Electricians began work on Unit 2 control
04/17/82 element assemblies (CEAs) instead of the
assigned Unit 1 CEAs.
Point Beach An operator was instructed to perform part
04/22/82 of a procedure to drain the reactor coolant
of Unit 2 which was shutdown. Instead, he
performed the procedure steps on operating
Unit 1.
North Anna 2 Both trains of the quench spray subsystem
05/28/82 and the recirculation spray system were made
inoperable because jumpers were installed in
the train "A" instead of the train "B" solid
state protection output cabinet.
St. Lucie 1 During full power operation, the primary and
06/29/83 back up heat tracing for the boron injection
flow paths were isolated for 24 hours. The
condition existed because the entire
chemical and volume control system heat
tracing was isolated rather than only that
required for the "A" boric acid piping.
Turkey Point 3 With the unit at 100% power and auxiliary
04/19/83 feed water pump "A" out of service, all
steam supply valves for "B" and "C" pumps
were found to have been closed for five
days. The operators had misidentified the
valves and independent verification was not
performed.
D.C. Cook 2 During containment spray system testing,
06/03/83 operators closed a wrong valve which
rendered the train not under test
inoperable.
Kewaunee Both trains of shield building ventilation
03/13/84 were taken out of service for one hour when
maintenance personnel began work on the "A"
train instead of the "B" train.
Page Last Reviewed/Updated Tuesday, March 09, 2021