Atomic Energy of Canada Limited National Research Universal Reactor Safety System Upgrades and the Canadian Nuclear Safety Commission's Licensing and Oversight Process

IX. Reasons for the Extended Outage following the NRU Reactor Shutdown in November 2007

On November 5, 2007, the CNSC resident inspector at CRL discovered a statement in the NRU electrical system operating manual that MHWPs P-104 and P-105 were not connected to the EPS. The inspector expressed surprise. On November 7, 2007, AECL confirmed in writing [1] that the MHWPs were not connected to the EPS. In a CNSC-AECL monthly meeting on November 8, 2007, AECL again confirmed that the MHWPs were not connected to the EPS. CNSC staff expressed concern that the physical plant did not agree with the licensing and safety basis. On November 14, 2007, AECL made a verbal report to CNSC that (1) there was a difference between the 2007 FSAR and the physical plant, and (2) that it would use a TOE process from a Canadian power reactor licensee for an assessment, and a root cause analysis would be completed.

The NRU reactor tripped on November 16, 2007. AECL informed CNSC of the results of its TOE evaluation, indicating that NRU was operating within its safety envelope, and that NRU would restart later that day. The NRU reactor was restarted November 16, 2007, when it was known that the EPS was not connected to the two MHWPs, and when that condition was considered to be outside the licensing basis and safety case by the CNSC staff³. While NRU had performed a TOE prior to restart [63], it had used a process not developed or formally approved for use at the NRU reactor, although the Talisman Team was informed that the procedure was approved by the CRL Chief Engineer prior to use, in November 2007.

On November 19, 2007, the NRU reactor was shut down for a 4-day regularly scheduled maintenance outage. CNSC informed AECL of CNSC staff's concerns as to the depth and conclusions of the TOE, and advised AECL that CNSC was working on a strong letter, which stated its position and concerns, and recommended that AECL should not restart the reactor (scheduled for Thursday night, November 22). AECL then informed the CNSC in writing [2] that the reactor would not be restarted, and would remain in extended shutdown, to continue installation of qualified motor starters for P-104 and P-105, and to complete the TOE process; CNSC did not send the letter. AECL said it would provide daily updates and would consult with CNSC prior to restarting the reactor.

NRU pursued two parallel paths to resolve the issue: (1) connect EPS to both MHWPs, and (2) submit and obtain approval of a safety case for one-pump operation. From mid-November to mid-December, the projected end dates for these paths kept changing, while progress was made and more understanding was gained. NRU shifted its primary success path whenever one path's end date moved ahead of the other.

On November 29, 2007 [3], AECL formally submitted a safety case to allow restart with the upgraded EPS connected to one pump (P-105). Both AECL and CNSC staffs recognized that it was unlikely that a prompt resolution would be reached. AECL notified CNSC on December 2, 2007 [4], that it was not continuing with that option, and that the reactor would only be restarted after both DC motor starters for MHWP P-104 & P-105 were connected to the EPS. On December 7, 2007 [5], AECL requested regulatory approval for a modification to the FA, to permit operation with one pump connected to EPS for a limited period of time. CNSC staff apprised AECL, in letters dated December 7, 2007 [6] and December 10, 2007 [7], that a complete safety case and request for licence amendment was required of AECL before the matter could be referred to the CNSC Commission. Subsequently, the Minister of Natural Resources Canada and the Minister of Health Canada wrote to the Presidents of CNSC and AECL on December 10, 2007 [8, 9], and urged them to work together to restart the reactor safely, with due regard for those reliant on the medical isotopes produced by NRU. The reactor remained shut down. On December 11 and 12, 2007, the House of Commons and the Senate, respectively, passed a law [10] which gave authorization to AECL to operate the NRU reactor for 120 days, with certain conditions. The reactor was restarted on December 16, 2007, and medical isotope production resumed within days.

The Talisman Team concluded that another key reason for the extended outage of the NRU reactor that began in November, 2007, was the fact that the CNSC senior managers considered NRU to be operating outside its licensing basis because the EPS tie-in had not been made, and that a licence amendment was needed to approve operation for a different plant configuration. Since the CNSC staff did not have the authority to issue a licence amendment, they needed to prepare the background material and safety case for submission to the CNSC Commission for a licence amendment review and approval. Therefore, they requested AECL to submit a safety case and a licence amendment for CNSC staff review and analysis, prior to requesting a CNSC Commission meeting to consider the new operating configuration. The preparation of this required safety information, and its review by the CNSC staff, clearly added additional time to the duration of the shutdown.

Observation (26) Enforcement (E) and Training

The CRL resident inspector identified a potential problem and successfully brought it to the attention of senior CNSC and NRU management.

Recommendation

The example set by the CRL resident inspector should be used in the enforcement training noted in recommendation C-E-2.

Observation (27) - Operating Licence - (OL)

There is no CNSC definition of "licensing basis" in the CNSC regulations, regulatory policies, regulatory standards, or regulatory guidance documents. Interviews of CNSC staff and managers did not yield a uniform definition of the term "licensing basis", but it was commonly understood to be:

Licensing basis = (1) The CNSC-issued OL requirements and conditions, (2) including those requirements and conditions described in documents referenced in the OL, and (3) the information (Commission Member Documents, presentation material and testimonies) provided to the CNSC Commission Members and upon which they based their decision to grant the OL.

The information provided to the CNSC Commission, although relied upon when granting an OL, is not addressed by regulations if it is not incorporated into the OL or documents referenced in the OL. There is no regulatory process for resolving deviations from the information relied on by the CNSC Commission Members in making their decisions, if the information had not been included in the OL itself. CNSC staff considered the EPS tie-in to the MHWPs to be part of the "licensing basis", but there is no CNSC documented regulatory definition of the term. Regulatory oversight is complicated by the fact that CNSC does not have a formal definition of the "licensing basis", and the implications when a licensee is identified as operating outside of its licensing basis. There is no common understanding between AECL and the CNSC staff of what constitutes the licensing basis for the NRU reactor and what must be reflected in the OL.

Recommendation

C-OL-6: CNSC should publish a definition of the term "licensing basis", which includes those commitments and statements that the CNSC Commission Members relied upon as a basis for the CNSC Commission decision to approve the OL. CNSC should also define other commonly used terms - besides "licensing basis" - in a regulatory guidance document.

CNSC Management Response
The CNSC will review the definition of "licensing basis" as documented in an existing Regulatory Document RD-360 and develop any additional guidance document to clarify its applicability to existing facilities. This will be completed by September 30, 2008. The Reasons for Decisions will be used to capture the basis for the Commission decision.

A-OL-1: AECL should clearly define the licensing bases (e.g., licence applications must include the current FA, the FSAR and the applicable LCOs and their bases) OL for the NRU reactor, to ensure future licensing bases are clear.

AECL Management Response
AECL agrees that the licensing bases for NRU (and other Nuclear Facilities) should be clearly established and is embarking on a major initiative to ensure the licensing bases are properly captured in facility and program documentation (see overall recommendation 13).

Observation (28) - Process to promptly Assess Interim Operation (AIO)

AECL was unable to promptly assess and justify the safety of continued NRU reactor operation to the satisfaction of the CNSC staff, when it was learned that the EPS was not connected to the MHWPs.

A special process for urgently requested temporary amendments or enforcement discretion would enable CNSC to promptly assess the health and safety of the public for interim operation with additional compensatory measures. CNSC staff does not have an effective formal process which could be used to address this type of situation. The process for Class I licence amendments or enforcement discretion is "ad hoc" and does not appear to support urgent requests.

Recommendations

C-AIO-1: CNSC should implement a formal process for reviewing urgent requests for temporary licence amendments and for exercising enforcement discretion to allow continued operation in special situations. Special situations include severe weather, missed surveillance tests, lack of spare parts, degraded electrical grid situations etc. Operating reactors face these situations from time to time, and this would allow them to request approval for continued operation. Frequently, this approval is based on the temporary use of compensatory measures or other appropriate means to assure safety, while not meeting certain specific conditions.

CNSC Management Response
As part of documenting the licensing process, the CNSC will document a sub-process for the review of all license amendments including temporary amendments. A schedule for completing this work will be finalized by September 2008. Refer to C-AIO-2 for information on reviews and approvals (see response to recommendation C-E-4 with regards to enforcement discretion).

C-AIO-2: CNSC should issue guidance to the industry for making requests for continued operation under off-normal conditions, including what information is to be submitted to CNSC by the licensee.

CNSC Management Response
AECL is adapting and adopting a process referred to as Technical Operability Evaluation (TOE) currently used at operating Nuclear Power Plants. The CNSC will provide guidance and regulatory oversight to AECL to ensure the process is effective in identifying and assessing off-normal conditions and for identifying and implementing any necessary mitigative measures to ensure continued safe operation under those conditions. The CNSC will formalize and document the CNSC's internal processes where CNSC reviews and approvals are required to allow for continued NRU reactor operation. The process will include a clear identification of roles, responsibilities, authorities and accountabilities for CNSC staff, management and the Commission to ensure for the timely review and disposition of any requests for continued NRU reactor operation during off-normal conditions. An interim process will be established by September 30, 2008 and fully documented by January 31, 2009.

A-AIO-1: AECL, pending issuance of the CNSC guidance recommended above, should review, approve and implement a TOE process that is aligned with the nuclear industry's best practices in this area. The process can be similar to that used in November 2007, but should be specifically designed and issued for use at the NRU reactor for the assessment of such off-normal conditions. It should include specific actions, assessments and acceptance criteria related to regulatory requirements, design basis, safety function, and safety analysis. AECL should share this procedure with CNSC.

AECL Management Response
AECL is developing a Technical Operability Evaluation procedure for application to discovery issues with facility operations. The procedure will ensure that safe operation is not compromised, and that regulatory requirements continue to be met. This procedure will be shared with CNSC staff (see overall recommendation 4).

A-AIO-2: AECL should strengthen its risk management assessment (including use of probabilistic safety analysis tools) programs, to support their use in the safety assessment process.

AECL Management Response
AECL will be using the NRU PSA to strengthen risk management assessment (see overall recommendation 6).

Observation (29) - Corrective Action Program (CAP)

After it was first discovered that the EPS tie-in to the MHWPs was not made, it was reported and processed by AECL using the CAP (IMPACT). The Talisman Team reviewed the NRU operability and reportability determinations. In this case, since the operating licence was not clear, facility management, licensing and engineering should have more thoroughly researched the reported condition, the OL and the licensing basis, and consulted with CNSC to properly characterize the problem.

In addition, the NRU CAP procedure, Improvement Action (IMPACT) Process, CW-514300-PRO-392, does not provide sufficient details of how and when to determine or assess the operability of degraded systems and components or how to evaluate the reportability thereof.

Recommendation

A-CAP-1: AECL should assess the adequacy of the reportability evaluations performed as part of the CAP.

AECL Management Response
AECL will include an effectiveness review of reportability evaluations in its self-assessment plan for Licensing.

Observation (30) - Enforcement (E)

The NRU reactor was restarted on November 16, 2007, when it was known that the EPS was not connected to the MHWPs and that this may have been in violation of the licensing basis. The CNSC staff did not initiate enforcement action, and allowed the plant to restart.

Recommendation

Recommendations C-E-1 and C-E-2 above will address this observation.

Observation (31) - Corrective Action Program (CAP)

Several examples of weak CAP performance were identified by the Talisman Team. A few examples are:

AECL performed a TOE using a process not developed and formally approved for use at the NRU reactor, and did not recognize that it was an activity important to safety, which should have been conducted in accordance with an approved procedure. The TOE process was used without following the process for issuing procedures.

The root cause analysis performed for the EPS tie-in to the MHWPs did not thoroughly evaluate the deviation. There were no corrective action documents generated for many of the programmatic problems discussed above. The fact that there was an apparent OL violation - from January 1, 2006 through the current OL - was not captured and dispositioned in a corrective action document.

A June 2006 AECL Internal Analysis Report, Chalk River Laboratories Regulatory Issues Assessment Report, Regulatory Assessment Team Report [64] concluded:

1. AECL had not consistently recognized or effectively dealt with those issues identified as significant by the regulator, in a timely manner. Subsequent AECL self-assessments reinforced CNSC concerns and led to corrective actions.

2. High-level ownership of regulatory issues within AECL was not always established or clear. The administrative process for prioritizing and tracking regulatory issues was not sufficiently effective.

3. The importance of timely and full compliance with regulatory requirements was not consistently reflected in AECL priorities and actions taken. Traceability of regulatory requirements to AECL governing and operating documents needs improvement.

4. AECL was not sufficiently proactive in seeking clarification when CNSC requirements and expectations were not clear, nor did AECL proactively follow-up on CNSC submissions, so as to ensure CNSC staff concerns had been adequately addressed.

This was a missed opportunity, as the self-assessment identified similar problems as the Talisman Team has. The self-assessment did not generate a corrective action program document for the conclusions. Had a corrective action program deficiency report been generated, and the extent of condition been investigated, the NRU safety upgrades issue may have been identified by AECL earlier.

In August 2005, the EPS Operating Manual indicated the EPS connection to MHWPs is available, but when the manual was issued the connection had not been done. This was a discrepancy that should have been documented and dispositioned in the CAP on an IMPACT.

Recommendations

A-CAP-2:AECL should assess the effectiveness of its CAP.

AECL Management Response
AECL has an effectiveness review of its ImpAct process in the self-assessment plan for Performance Improvement and Nuclear Oversight (PINO). In addition, the Nuclear Oversight independent assessment plan for 08/09 includes an audit of the OPEX program, including ImpAct (see overall recommendation 15).

A-CAP-3: AECL should continue to strengthen the root cause analysis capability of the NRU staff, and conduct training on root cause analysis techniques.

AECL Management Response
AECL will provide additional training in root cause analysis methodology as follows: a week long RCA training session for September 2008 to be delivered and attended by industry peers, participation in the COG Corrective Action Working Group, key role in the development of an RCA practitioners working group whereby industry peers can exchange ideas/methods, and focussed RCA training to be delivered in October 2008 by a third party expert (see overall recommendation 15).

Observation (32) - Probabilistic Safety Analysis (PSA)

CNSC and AECL were unable to quickly estimate the incremental risk of interim operation with degraded conditions. AECL and CNSC had not incorporated the NRU safety goals associated with the upgrades, either directly into the OL, or indirectly via the FA or FSAR, and neither the latest, nor the previous AECL PSA had been approved by CNSC. Accordingly, when CNSC and AECL attempted to evaluate the incremental difference in risk associated with the incomplete tie-in of EPS to the MHWPs, they could not readily agree. The use of risk, either qualitative or quantitative (i.e., Probabilistic Safety Analysis), could be used as one input to assess the effect of a temporary condition. The licensee could be required to submit an evaluation of the proposed temporary condition, including its calculation of the incremental risk, and the CNSC staff could perform an independent calculation or assessment for verification, including the improved safety of compensatory measures. Compensatory measures could be identified and taken, along with other actions and considerations, to justify safe, interim operation.

Recommendations

J-PSA-1:AECL and CNSC should both develop their own methodology to assess risks of specific plant configurations of the NRU reactor.

CNSC Management Response
In line with responding to recommendation- C-OL-2, CNSC will work with AECL to jointly establish a schedule for the timely review, issue resolution and approval of the NRU PSA and proceed with execution. The plan and timeline for completing this work will be established by September 30, 2008.

AECL Management Response
AECL will work with CNSC staff to achieve an approved PSA for NRU to support risk assessments (see overall recommendations 4 and 6).

J-PSA-2:AECL and CNSC should establish safety goals for the NRU reactor.

CNSC Management Response
CNSC will work with AECL to review and ensure clarity in the safety goals for NRU. The plan and timeline for completing this work will be established by September 30, 2008.

AECL Management Response
AECL will work with CNSC to establish safety goals for NRU (see overall recommendation 4).

³ It is noted that current NRTEOL Operating licence condition General 1.1 states that the Commission or a person authorized by the Commission is the sole authority to interpret the conditions of this license.