
Resolution of Generic Safety Issues: Issue 81: Impact of Locked Doors and Barriers on Plant and Personnel Safety (Rev. 5) (NUREG-0933, Main Report with Supplements 1–35)

DESCRIPTION

Historical Background

In October 1982, the Executive Director for Operations appointed the Committee to Review Safety Requirements at Power Reactors (CRSRPR) to review U.S. Nuclear Regulatory Commission (NRC) security requirements at nuclear power plants with a view toward evaluating the impact of these requirements on operational safety. Overall, the CRSRPR did not identify any clear operational safety problems associated with implementation of the NRC’s security requirements. However, the Committee found that there was the potential for security measures at a site to adversely affect safety and issued its recommendations in a report [621] to the Office of Nuclear Material Safety and Safeguards. In view of one of the findings in this report, a memorandum [542] was issued on May 31, 1983, identifying this issue and suggesting that a multidisciplinary group be convened to perform an integrated assessment of the potential safety problem associated with locked doors and barriers. Based on the responses to the memorandum, a consensus supported the creation of the multidisciplinary group to gather the necessary information and prepare a scope of the issue for appropriate consideration. [623] This approach was approved [624] and action on this matter was formally initiated. [625]

The multidisciplinary group held its first meeting on February 28, 1984, and issued a report on June 8, 1984. [626] Inasmuch as a proposed rule (SECY-83-311, "Proposed Insider Safeguards Rules," dated July 29, 1983 [627]) specifically designed to address the security barrier issue had been prepared independently, and IE Information Notice 83-36, "Impact of Security Practices on Safe Operations," [628] had been issued in June 1983, the work of the group was limited to nonsecurity barriers.

The proposed rule [1436] was eventually adopted and stated that "the NRC is amending its regulations to provide a more safety conscious safeguards system while maintaining current levels of protection." Regulatory changes included (1) permitting suspension of security based on Title 10 of the Code of Federal Regulations (10 CFR) 50.54(x) and (y), (2) requiring the access authorization system to be designed to accommodate the potential need for rapid ingress and egress of individuals during emergency conditions or situations that could lead to emergency conditions, and (3) ensuring prompt access to vital equipment by periodically reviewing physical security plans for potential impact on plant and personnel safety. The rule was implemented with Regulatory Guide (RG) 5.65, "Vital Area Access Controls, Protection of Physical Security Equipment, and Key and Lock Controls," [1438] and Generic Letter 87-08, "Implementation of 10 CFR 73.55 Miscellaneous Amendments and Search Requirements," dated May 11, 1987, [1437] which addressed the issuance of vital area keys to operations personnel. At the time of evaluation of this issue in 1995, the Office of Nuclear Reactor Regulation (NRR), Reactor Safeguards Branch, indicated that almost all licensees were in compliance with RG 5.65 [1438] and Generic Letter 87-08 [1437] and had implemented mechanical key overrides for electronically controlled access doors. The rulemaking resulted in security plan amendments that increased the focus on plant and personnel safety.

Subsequent to the above work, a main feedwater pipe rupture event at Surry Power Station (see Issue 139, "Thinning of Carbon Steel Piping in LWRs") caused the failure of a security card-reader that was located approximately 50 feet from the break point. This failure was caused by intrusion of water and steam that saturated the card-reader. As a result, key cards could not be used to open plant doors. The control room doors were opened to provide access to the control room, and security personnel were assigned to the control room to provide access security. One operator was temporarily trapped in a stairway due to the card-reader failure. Electric override switches were later installed to remedy this problem. Because of the failure of the security card-reader during the Surry Power Station event, the staff determined that Issue 81 should be expanded to include potential electric door lock failures and reevaluated to determine whether the previous priority ranking (DROP) should be changed. [1163]

Safety Significance

The possible failure of locked doors and barriers that may be required for fire protection, radiation protection, flood protection, and administrative controls is of special concern during abnormal or accident situations when emergency conditions may require prompt and unlimited access of the plant operators to safety equipment to assure proper plant shutdown. This issue was applicable to all operating and future plants.

Possible Solutions

An evaluation of each plant’s locked doors and barriers might be required and appropriate procedural and hardware changes may have to be made to establish that operator access is unimpeded during emergency, abnormal, or accident conditions, and that prompt operator action, as required, is possible.

PRIORITY DETERMINATION

This section presents the NRC staff analysis for prioritizing this issue, which was performed in 1995. This analysis, which includes frequency, consequence, and cost estimates and a value/impact assessment, has not been updated in the 2011 revision of this issue.

In the event of an accident, failure of the electronic card-reader access control system (ACS) could result in an impediment to operator actions outside of the control room that are required for recovery. Some examples of possible operator actions are (1) locally overriding a failed component, (2) replacing or repairing a failed component, or (3) realigning valves to bypass a failed pump or clogged pipe. If the card-reader ACS fails, the operator will be impeded in his access through the door.

Even if the ACS fails, there is a large probability that the plant will have a mechanical key override or that the locks will fail open. The study conducted by the CRSRPR estimated that a majority of plants did not have problems with ACS computer failure, either because the doors fail open, mechanical key overrides are available, or the number of controlled areas is small. [621] An NRR review of plant safeguards revealed that only one plant that did not have a mechanical key override on ACS-controlled doors had locks that failed open. Based on these data, a probability of 0.01 was assumed to account for the occurrence of no key override due to lost or misplaced keys, mechanical failure of the override, or failure of an electronic ACS to fail open if so designed.

Assuming the worst case (i.e., the operator has no other means than to defeat the lock), the effect of impeded operator action was estimated assuming that action begins soon after the accident is initiated. The amount of time between accident initiation and the initiation of core damage was calculated for critical minimum cutsets in WASH-1400 (NUREG-75/014, "Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," issued October 1975). [16] Studies have also been performed to estimate the amount of time required to defeat a locked door, such as the access delay technology transfer manual (Sandia National Laboratories report SAND87-1926/1 VC-525, dated June 7, 1989). These studies showed that the lock on a typical access door in a commercial nuclear power plant could be defeated in less than 6 minutes with hand tools. The number of doors that would be required to be unlocked can also be estimated. The CRSRPR study found that, on the average, operators need to access three doors to perform routine surveillance, starting from the control room. [621] Routine surveillance requires accessing most areas of the plant, as opposed to the type of specific access that would be required for operator actions in response to equipment failure. Therefore, assuming that three doors will need to be accessed is probably a conservative assumption, even for plants that require more than three controlled doors to be accessed for routine maintenance.

Based on the typical door construction at nuclear power plants, as provided in the Sandia National Laboratories report, the time for penetration of a door with hand tools (e.g., a large screwdriver or crowbar) was determined to range from no delay to 6 minutes. The maximum time required to obtain tools, starting from the control room, was estimated to be 5 minutes. These estimates yield a minimum (5 minutes) and maximum (23 minutes) time for breaking through three doors. These times were arbitrarily assumed to be the 10-percent and 90-percent points on a success probability curve, with linear interpolation between these points and the probabilities of zero-percent chance of success at time = 0 minutes and 99-percent chance of success at time = 1 hour. Using this curve, the probability of successful performance for a given period of time to core damage can be estimated. This curve was used only to estimate the probability that three locked doors can be defeated before core damage is initiated for any given accident sequence, given the unknown construction of locked doors in the average plant and the unknown availability of tools. For this evaluation, every sequence that results in damage in greater than 1 hour was assumed to result in core damage after 1 hour. This was a conservative assumption because almost every sequence requires more than 1 hour until initiation of core damage and/or containment failure. A detailed analysis of each accident scenario would be required to determine at what point a given action would become futile.

In order to estimate the probability that the card-reader will fail during a plant transient or similar event, data from NUREG/CR-5580, "Evaluation of Generic Issue 57: Effects of Fire Protection System Actuation on Safety-Related Equipment," issued December 1992, [1588] were reviewed. This report contained details from 138 incidents of advertent or inadvertent fire protection system actuation. Only one incident resulted in failure of the electronic ACS. Based on these data, a failure rate for the ACS of 0.01 was assumed. Although this estimate may be close to the actual failure rate for a scenario like station blackout, it is probably conservative for most other scenarios. (In addition, the harsh environment criterion was considered by NRR in the licensing of new plants, and the advanced boiling-water reactor design incorporates features to prevent the failure at one station from affecting the rest of the system.)

Scenarios that require operator action outside the control room are included in most probabilistic risk assessments (PRAs). The quantification of those scenarios usually includes the probability that the operator will fail to properly respond to an equipment malfunction or other problem in a timely manner. The effect of ACS failure on operator actions can be included in these terms by increasing the operator error probabilities used in the existing PRAs by a factor equivalent to the combined probabilities of card-reader failure, key override unavailability, and operator inability to break through doors before initiation of core damage. These data are presented in Table 3.81-1 below. However, because it is recognized that this table does not include individual sequences that may have a significantly greater chance of impeded operator action, it was decided to perform a parametric study in order to determine the impact on the probability of core damage of the variation in those estimates. The results of this study are presented in Table 3.81-2 and discussed below. In addition, a review of the interfacing systems loss-of-coolant accident (LOCA) accident scenarios for three typical plants (which were investigated in a separate program) indicated that only one of the three plants had a minimum cutset that included an operator action outside of the control room. This action also had an alternate action inside of the control room.
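As an added worked example (not part of NUREG-0933 or the staff's analysis), the following Python reproduces the door-delay model described above: the piecewise-linear success curve with its stated knots (0 percent at 0 minutes, 10 percent at 5 minutes, 90 percent at 23 minutes, 99 percent at 1 hour), the 1-hour cap on time to core damage, and the Table 3.81-1 product of the three assumed-independent probabilities. It assumes that the table's "Delay Exceeds Limits" column is one minus the curve's value at the sequence's time to core damage (consistent with the TMLB entry of 0.01 at the 1-hour cap); the 30-minute sequence used at the end is a constructed illustration, not a sequence from the page.

```python
"""Added example (not from NUREG-0933): the Issue 81 locked-door delay model.

Success-probability curve for defeating three locked doors with hand tools,
capped at 1 hour, combined with the assumed ACS-failure and key-override
failure probabilities exactly as Table 3.81-1 multiplies them."""

# Knots of the success curve stated in the text:
# (minutes after accident initiation, probability that three doors are defeated by then)
SUCCESS_CURVE = [(0.0, 0.00), (5.0, 0.10), (23.0, 0.90), (60.0, 0.99)]

P_ACS_FAILS = 0.01        # assumed in the text (1 of 138 actuation incidents)
P_OVERRIDE_FAILS = 0.01   # assumed in the text (no usable key override)
TIME_LIMIT_MIN = 60.0     # every sequence assumed to reach core damage within 1 hour


def p_doors_defeated_by(minutes: float) -> float:
    """Probability that the operator is through three locked doors within
    `minutes`, by linear interpolation between the curve's knots.
    Times past the last knot are held at the 1-hour value (0.99)."""
    if minutes <= 0:
        return 0.0
    for (t0, p0), (t1, p1) in zip(SUCCESS_CURVE, SUCCESS_CURVE[1:]):
        if minutes <= t1:
            return p0 + (p1 - p0) * (minutes - t0) / (t1 - t0)
    return SUCCESS_CURVE[-1][1]


def p_delay_exceeds_limit(minutes_to_core_damage: float) -> float:
    """Probability that the doors are NOT defeated before core damage starts.
    Assumption (this example's reading of note b): the text caps every sequence
    at 1 hour, so longer times use the 1-hour value, giving 1 - 0.99 = 0.01."""
    t = min(minutes_to_core_damage, TIME_LIMIT_MIN)
    return 1.0 - p_doors_defeated_by(t)


def p_acs_prevents_operator_action(p_delay: float) -> float:
    """Table 3.81-1 product: ACS failure x override failure x delay, taken as independent."""
    return P_ACS_FAILS * P_OVERRIDE_FAILS * p_delay


# "Delay Exceeds Limits" values as tabulated for the four WASH-1400 sequences.
TABLE_3_81_1_DELAY = {"V": 0.12, "S2D": 0.08, "AH": 0.02, "TMLB": 0.01}


def table_3_81_1_products() -> dict:
    """Recompute the Product column of Table 3.81-1 from its three factors."""
    return {seq: p_acs_prevents_operator_action(p) for seq, p in TABLE_3_81_1_DELAY.items()}


if __name__ == "__main__":
    for seq, product in table_3_81_1_products().items():
        print(f"{seq:5s} product = {product:.1e}")
    # Constructed illustration: a hypothetical sequence reaching core damage at 30 minutes
    print(f"30-min sequence: P(delay exceeds limit) = {p_delay_exceeds_limit(30.0):.3f}")
```

The curve is deliberately coarse: the text says the 5- and 23-minute points were "arbitrarily" placed at 10 and 90 percent, so the function's value between knots carries no more precision than that. The 1-hour cap makes every long sequence contribute the same 0.01, which is why TMLB sits at the floor of the table.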

Frequency Estimate

In order to calculate the increase in core-melt frequency, the minimum cutsets from existing PRAs for Oconee Nuclear Station, Unit 3, and Grand Gulf Nuclear Station, Unit 1, were assumed to represent the ideal condition of no effect of locked doors on operator recovery for pressurized-water reactors (PWRs) and boiling-water reactors (BWRs), respectively. This was a reasonable assumption because the scenario of card-reader failure was probably not considered for these early PRAs and was not discussed in the Nuclear Safety Analysis Center reports on these PRAs.

The effect of the card-reader ACS failure was studied [64] parametrically by Pacific Northwest Laboratory by calculating the total increase in core damage frequency (CDF) for a corresponding increase in the probability of any event that models failure of operator action. This probability of operator failure was increased by 0.0001, 0.0005, 0.001, 0.01, and 0.1. This quantity was added to all existing parameters in minimum cutsets that represented failure of necessary operator actions outside of the control room. These actions are included in all minimum cutsets, not only the four listed in Table 3.81-1. The results of this study are presented in Table 3.81-2.

Although the maximum probability calculated in Table 3.81-1 is 1.2 x 10^-5, the range of values for the parametric study started at 10^-4. However, 1.2 x 10^-5 was believed to be a conservative estimate of the maximum increase in operator failure probability, as the events listed in Table 3.81-1 were chosen on the basis of a high speed of core damage initiation. Events that take longer than several hours to develop core damage will probably be minimally affected by impeded operator access, because the operators will have more time to gain access. Therefore, including these events in the calculation for increase in CDF was conservative.

Consequence Estimate

The increase in public risk was an output of the PRA and was also shown in Table 3.81-2. Corresponding values for total public exposure were calculated based on the estimated number of operating and future plants (90 PWRs and 44 BWRs) with remaining lives of 28.8 and 27.4 years, respectively. As expected, the increase in both core-melt frequency and public risk was negligible at the expected levels of operator impairment (10^-4) but became significant at unrealistic levels of impairment (10^-1). These calculations contain the implicit assumption that core damage will occur in no more than 1 hour for all events.

Table 3.81-1

Estimated Probability of ACS Failure to Prevent Operator Action

Event (d)   ACS Fails (a)   Override Fails (a)   Delay Exceeds Limits (b)   Product (c)
V           0.01            0.01                 0.12                       1.2 x 10^-5
S2D         0.01            0.01                 0.08                       0.8 x 10^-5
AH          0.01            0.01                 0.02                       0.2 x 10^-5
TMLB        0.01            0.01                 0.01                       0.1 x 10^-5

Notes
(a) Estimated.
(b) Calculated, assuming a limit of 1 hour for all sequences.
(c) Based on assumed independence of ACS failure, override failure, and delay of operator until core damage initiates.
(d) Minimum cutset accident sequences from WASH-1400 [16]:
    V     LPIS check valve/system failure
    S2D   0.5" to 2.0" LOCA combined with loss of ECCS injection
    AH    Medium to large LOCA and failure of ECCS recirculation
    TMLB  TMI sequence

Table 3.81-2

Calculated Increase in Core-Melt Frequency and Public Exposure

Operator Failure    Core-Melt Frequency (x 10^-5/RY)         Public Dose Increase
Probability (a)     PWR      Δ        BWR      Δ             (man-rem)
Base Case           1.408    -        2.475    -             -
0.0001              1.411    0.003    2.482    0.007         5.2 x 10^2
0.0005              1.425    0.017    2.509    0.034         2.6 x 10^3
0.001               1.442    0.034    2.543    0.068         5.2 x 10^3
0.01                1.754    0.35     3.149    0.674         5.2 x 10^4
0.1                 4.968    3.6      9.216    6.74          5.2 x 10^5

Notes
(a) Increase in probability that operator will fail to perform recovery action within the necessary time due to card-reader ACS failure and locked doors.

Cost Estimate

Based on the deliberations of the multidisciplinary group, the cost to evaluate and make modifications to each plant and its procedures was estimated to be approximately $1.1 million (M) per plant. [626] This cost was based on the following factors:

(1) A one-time evaluation of existing plant locked doors and barriers: $200,000
(2) Resolution of adverse safety findings: $400,000
    [Cost for maintaining keys for a security force of 24 per plant was estimated to be $21,000/reader. [627] Training for security and operational personnel, based on 50 operators and security personnel for 1 day/year/plant over the lifetime of the plant (28 years), was assumed to be (1/365)(50)(28)($100,000) = $391,232.]
(3) Ongoing program to ensure future reduction of safeguards impact on safety ($10,000/year for an average reactor lifetime of 28 years): $280,000
(4) NRC reviews of plant modifications: $200,000
TOTAL: $1,080,000

These estimates could be high for a plant that was in substantial compliance with the recommendations in Generic Letter 87-08 [1437] and RG 5.65 [1438]. However, because the estimated safety benefit for these plants would be a decrease in CDF significantly less than 10^-5, these plants would not meet the substantial additional protection criterion of the Backfit Rule (10 CFR 50.109, "Backfitting").

Value/Impact Assessment

The value/impact assessment is presented in Table 3.81-3.

Table 3.81-3

Value/Impact Assessment

Probability Increase   Total Cost ($M)   Risk Reduction (man-rem)   S (man-rem/$M)   Priority Ranking
0.0001                 150               5.2 x 10^2                 3.5              DROP/LOW
0.0005                 150               2.6 x 10^3                 17               LOW
0.001                  150               5.2 x 10^3                 35               LOW/MEDIUM
0.01                   150               5.2 x 10^4                 350              MEDIUM/HIGH
0.1                    150               5.2 x 10^5                 3,500            HIGH
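As an added example (not from the page or the staff's analysis), the Python below reproduces the value/impact figures in Table 3.81-3 from the quantities the text states: the plant counts (90 PWRs, 44 BWRs), the remaining lives (28.8 and 27.4 years), the Table 3.81-2 core-melt frequency increases and public dose increases, and the tabulated $150M total cost. The per-plant cost of $1.08M times 134 plants and the rounding of S to two significant figures are checks added here; the page does not say how its $150M total was rounded, and the priority thresholds behind the last column are not given on the page, so no ranking is computed.

```python
"""Added example (not from NUREG-0933): reproduce the Issue 81 value/impact
numbers from the quantities stated in the Priority Determination section."""
from math import floor, log10

PWR_PLANTS, BWR_PLANTS = 90, 44      # operating and future plants (page)
PWR_YEARS, BWR_YEARS = 28.8, 27.4    # remaining lives in years (page)
PER_PLANT_COST_MUSD = 1.08           # Cost Estimate total, $M per plant (page)
TOTAL_COST_MUSD = 150.0              # total cost as tabulated in Table 3.81-3 (page)

# Table 3.81-2: operator failure probability increase ->
# (PWR delta CDF, BWR delta CDF, public dose increase in man-rem); deltas in 1e-5/RY
TABLE_3_81_2 = {
    0.0001: (0.003, 0.007, 5.2e2),
    0.0005: (0.017, 0.034, 2.6e3),
    0.001:  (0.034, 0.068, 5.2e3),
    0.01:   (0.35,  0.674, 5.2e4),
    0.1:    (3.6,   6.74,  5.2e5),
}


def fleet_reactor_years() -> float:
    """Remaining reactor-years over the fleet the staff assumed."""
    return PWR_PLANTS * PWR_YEARS + BWR_PLANTS * BWR_YEARS


def fleet_core_melts_averted(delta_pwr_e5: float, delta_bwr_e5: float) -> float:
    """Expected core-melt events over the remaining fleet life attributable to a
    tabulated CDF increase (given in units of 1e-5 per reactor-year)."""
    pwr = delta_pwr_e5 * PWR_PLANTS * PWR_YEARS
    bwr = delta_bwr_e5 * BWR_PLANTS * BWR_YEARS
    return (pwr + bwr) * 1e-5


def fleet_cost_musd() -> float:
    """Per-plant cost times plant count; a check added here (the page tabulates $150M)."""
    return PER_PLANT_COST_MUSD * (PWR_PLANTS + BWR_PLANTS)


def round_2sig(x: float) -> float:
    """Round to two significant figures, the precision used in Table 3.81-3's S column."""
    if x == 0:
        return 0.0
    return round(x, 1 - int(floor(log10(abs(x)))))


def value_impact_ratio(risk_reduction_man_rem: float,
                       total_cost_musd: float = TOTAL_COST_MUSD) -> float:
    """S = risk reduction (man-rem) / total cost ($M), as defined by Table 3.81-3."""
    return risk_reduction_man_rem / total_cost_musd


def table_3_81_3_s_column() -> dict:
    """S for each operator-failure-probability increase, rounded as tabulated."""
    return {p: round_2sig(value_impact_ratio(dose)) for p, (_, _, dose) in TABLE_3_81_2.items()}


if __name__ == "__main__":
    print(f"fleet reactor-years remaining: {fleet_reactor_years():.1f}")
    print(f"per-plant cost x 134 plants: ${fleet_cost_musd():.2f}M (page tabulates $150M)")
    for p, (dp, db, _) in TABLE_3_81_2.items():
        print(f"dP = {p:<7} core melts over fleet life = {fleet_core_melts_averted(dp, db):.2e}")
    for p, s in table_3_81_3_s_column().items():
        print(f"dP = {p:<7} S = {s:g} man-rem/$M")
```

The fleet core-melt figure is what links the Table 3.81-2 frequency column to a dose: the staff's dose column is that figure multiplied by a per-event consequence that the page does not state, which is why the example stops at S rather than deriving the dose itself.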

Other Considerations

The following other considerations relate to this issue:

(1) The most probable effect of locked doors on reactor safety was believed to be represented by an increase in the probability of failure of the operator to leave the control room and perform actions required for recovery of less than 0.0001. This corresponded to a priority rating that was borderline between DROP and LOW priority. Even if this estimate was inaccurate by an order of magnitude, the corresponding priority ranking would be borderline between LOW and MEDIUM.
(2) Even with a conservative assumption about the impact of failure of the ACS on the probability of preventing operator recovery action, the issue would not satisfy the requirements of the Backfit Rule (10 CFR 50.109). Specifically, SECY-91-270, "Interim Guidance on Staff Implementation of the Commission’s Safety Goal Policy," dated August 27, 1991, [1425] stated that, with limited exceptions, a reduction of CDF of at least 10^-5 was needed to satisfy the substantial additional protection criterion of that rule. However, Table 3.81-2 shows that, with the probability of operator failure due to ACS failure as high as 10^-2, the change in core-melt frequency does not reach this value. Further, as shown in Table 3.81-1, the best estimate of the increase in the probability of operator failure is in the range of 10^-5.
(3) This evaluation was not intended to address the effect of locked doors on worker safety in an operating plant. A nuclear power plant has many inherently dangerous materials that may present a significant hazard to untrained personnel but do not significantly affect the ability of the plant to safely shut down in the event of an accident or transient. While it was recognized that these dangers pose legitimate concerns, it is beyond the authority of the NRC to regulate working conditions other than radiological hazards.
(4) The consequence and cost estimates described above were based on a remaining life of 28.8 years and 27.4 years for PWRs and BWRs, respectively, consistent with the original 40-year license period. If it were assumed that 75 percent of the plants will have their licenses extended for an additional 20 years, the remaining life would be increased by 15 years. This would have very little impact on the value/impact assessment described above.

CONCLUSION

As explained above, this issue was initially placed in the DROP category in 1984. The estimated frequency of card-reader ACS failure and its impact on plant safety indicated that improvements in this area were not a cost-effective way to increase overall plant safety. Moreover, the multidisciplinary task group concluded that the locks and barriers associated with these areas could easily be defeated or bypassed in an emergency situation, if necessary, provided there was enough time to take the necessary steps. In addition, implementation of the regulatory guidance associated with rulemaking [1436] resulted in better coordination between plant security and operations personnel. Thus, this issue was given a LOW priority ranking in 1992 (see Appendix C). Consideration of a 20-year license renewal period did not change the priority of the issue. [1564]

The staff conducted a review of this issue in 2010 to determine whether any new information would necessitate reassessment of the original prioritization evaluation. [1964] The staff determined that the operating experience has not indicated a change in the significance of this issue. In addition, the staff verified that the regulations related to this issue establish requirements that provide prompt access to affected areas and equipment during emergencies. The following discussion demonstrates the application of the NRC regulatory framework to this issue.

According to 10 CFR 73.55(e)(9)(i), "Vital equipment must be located only within vital areas, which must be located within a protected area so that access to vital equipment requires passage through at least two physical barriers, except as otherwise approved by the Commission and identified in the security plans." During emergencies or abnormal conditions, it may be necessary for certain licensee personnel to gain quick access to vital equipment to mitigate or terminate some adverse plant condition. The regulation at 10 CFR 73.55(g)(5)(i) requires that "The licensee shall design the access control system to accommodate the potential need for rapid ingress or egress of authorized individuals during emergency conditions or situations that could lead to emergency conditions." Moreover, 10 CFR 73.55(g)(5)(ii) states that "To satisfy the design criteria of paragraph (g)(5)(i) of this section during emergency conditions, the licensee shall implement security procedures to ensure that authorized emergency personnel are provided prompt access to affected areas and equipment."

In addition, requirements have been established to ensure that personnel can quickly evacuate vital areas if the emergency condition results in high radiation or other dangerous conditions within the vital area. The regulations at 10 CFR 73.55(e)(8)(iii) and 10 CFR 73.55(e)(9)(ii) state, in part, this requirement for protected areas and vital areas, respectively. The regulation at 10 CFR 73.55(e)(8)(iii) states that "All emergency exits in the protected area must be alarmed and secured by locking devices that allow prompt egress during an emergency and satisfy the requirements of this section for access control into the protected area." In addition, 10 CFR 73.55(e)(9)(ii) states that "The licensee shall protect all vital area access portals and vital area emergency exits with intrusion detection equipment and locking devices that allow rapid egress during an emergency and satisfy the vital area entry control requirements of this section."

Finally, Appendix R, "Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979," to 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities," states that administrative controls shall establish procedures to define the strategies for fighting fires in all safety-related areas and areas presenting a hazard to safety-related equipment. Under these strategies, in part, "All access and egress routes that involve locked doors should be specifically identified in the procedure with the appropriate precautions and methods for access specified."

In addition to the regulations stated above, for emergencies or abnormal conditions, RG 5.65 [1438] states that "Licensees can provide for rapid ingress/egress during such conditions by providing backup keys to vital areas and methods of opening locked doors in the case of computer or power failure." Moreover, RG 5.65 [1438] describes acceptable procedures for providing for safe ingress/egress during a power or computer outage.

Based on the review of the NRC regulations related to this issue presented above, the staff concluded that the existing regulations adequately establish requirements that provide prompt access to affected areas and equipment during emergencies. Therefore, the staff changed the status of Generic Issue 81 and DROPPED this issue from further pursuit.

REFERENCES

0016. WASH-1400 (NUREG-75/014), "Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," U.S. Atomic Energy Commission, October 1975.
0064. NUREG/CR-2800, "Guidelines for Nuclear Power Plant Safety Issue Prioritization Information Development," U.S. Nuclear Regulatory Commission, February 1983, (Supplement 1) May 1983, (Supplement 2) December 1983, (Supplement 3) September 1985, (Supplement 4) July 1986, (Supplement 5) July 1996.
0542. Memorandum for R. Mattson et al. from D. Eisenhut, "Potential Safety Problems Associated With Locked Doors and Barriers in Nuclear Power Plants," May 31, 1983. [8306200435]
0621. NUREG-0992, "Report of the Committee to Review Safeguards Requirements at Power Reactors," U.S. Nuclear Regulatory Commission, May 1983.
0623. Memorandum for H. Denton from D. Eisenhut, "Potential Safety Problems Associated with Locked Doors and Barriers in Nuclear Power Plants," December 22, 1983. [8401130140]
0624. Memorandum for D. Eisenhut from H. Denton, "Safety-Safeguards Interface," January 16, 1984. [8402010286]
0625. Memorandum for H. Thompson from D. Eisenhut, "Potential Safety Problems Associated with Locked Doors and Barriers in Nuclear Power Plants," January 30, 1984. [8402140525]
0626. Memorandum for T. Speis from H. Thompson, "Submittal of Potential Generic Issue Associated with Locked Doors and Barriers," June 8, 1984. [8407060042]
0627. SECY-83-311, "Proposed Insider Safeguards Rules," U.S. Nuclear Regulatory Commission, July 29, 1983. [8308190179]
0628. IE Information Notice 83-36, "Impact of Security Practices on Safe Operations," U.S. Nuclear Regulatory Commission, June 9, 1983. [ML082890896]
1163. Memorandum for T. Speis from K. Kniel, "Treatment of Lessons-Learned from Surry Event as Related to Generic Issues," March 31, 1987. [8704030542]
1436. Federal Register Notice 51 FR 27817, "10 CFR Parts 50 and 73, Miscellaneous Amendments Concerning Physical Protection of Nuclear Power Plants," August 4, 1986.
1437. Letter to All Power Reactor Licensees from U.S. Nuclear Regulatory Commission, "Implementation of 10 CFR 73.55 Miscellaneous Amendments and Search Requirements (Generic Letter 87-08)," May 11, 1987. [ML031150413]
1438. Regulatory Guide 5.65, "Vital Area Access Controls, Protection of Physical Security Equipment, and Key and Lock Controls," U.S. Nuclear Regulatory Commission, September 1986. [8610030129]
1564. Memorandum for W. Russell from E. Beckjord, "License Renewal Implications of Generic Safety Issues (GSIs) Prioritized and/or Resolved Between October 1990 and March 1994," May 5, 1994. [9406170365]
1588. NUREG/CR-5580, "Evaluation of Generic Issue 57: Effects of Fire Protection System Actuation on Safety-Related Equipment," (Vol. 1) December 1992, (Vol. 2) December 1992, (Vol. 3) December 1992, (Vol. 4) December 1992, (Vol. 5) December 1992.
1964. Memorandum for B.W. Sheron from B.G. Beasley, "LOW Priority Generic Issues," March 17, 2011. [ML092520025]