Language selection

Search


Atomic Energy of Canada Limited National Research Universal Reactor Safety System Upgrades and the Canadian Nuclear Safety Commission's Licensing and Oversight Process

Executive Summary

This report provides the results of an independent review of implementation of Atomic Energy of Canada Limited's (AECL) National Research Universal (NRU) reactor safety system upgrades and the Canadian Nuclear Safety Commission's (CNSC) licensing and oversight process. The review, performed by a team from Talisman International, LLC, consisted of document reviews and interviews, and was focused on the renewal of the NRU licence in 2005 and 2006, and the extended outage in late 2007.

In November 2005, CNSC renewed the operating licence for the NRU reactor with a licence condition that "all 7 NRU upgrades are fully operational by December 31, 2005." In July 2006, the licence was renewed for 63 months, based on "recently completed safety upgrades".

In November 2007, CNSC staff brought to AECL's attention a discrepancy between NRU documentation and the physical state of the plant. Specifically, two of the main heavy water pumps (MHWPs) were not connected to the hazards qualified Emergency Power Supply (EPS), even though some AECL documents described the upgrades as fully operational. Further investigation led to the following:

  • confirmation from AECL that the connection was not in place;
  • concerns from CNSC staff that operation without the connection was outside the licensing basis, and that the reactor should not operate in such a configuration without approval from the CNSC Commission;
  • an ensuing unplanned extended outage of NRU, leading to an interruption in the supply of medical isotopes, until the NRU reactor operation was authorized by an Act of the Canadian Parliament.

AECL and the CNSC have taken this series of events very seriously, and commissioned Talisman International to examine the performance of the CNSC and AECL - both before and after the decisions to renew the NRU license - , identify the underlying causes of the extended outage, and make recommendations for improvements in both organizations, which would prevent a repeat occurrence or similar situation.

Based on a review of the events, and related internal and external communications of both organizations, a fundamental observation of the Talisman Team is that the CNSC regulatory program and the AECL regulatory compliance program are "expert based" and not "process based". The regulatory effectiveness of both organizations can be significantly improved by developing and implementing formal processes, to be used for establishing and complying with regulatory requirements.

The key conclusions reached by the Talisman Team are:

1. The main reasons for the MHWPs not being connected to the EPS were the following:

  1. The AECL licences that included the NRU reactor Operating Licence (OL) conditions issued in 2005 and 2006 were not clear, and did not specify in any detail exactly which NRU safety upgrades were to be installed. The installation of the safety upgrades was part of the information relied on by the CNSC Commission in making its decision to renew the AECL OL in 2006, and was a licensee commitment, although it was not a specific licence condition.
  2. The connection of the MHWPs to the EPS required the installation of seismically qualified DC Motor Starters, which had not yet been installed at the time of licence renewal because NRU reactor management did not believe there was a licensing requirement to install them.
  3. The NRU commitment tracking system was not effective in tracking and monitoring the EPS connections to the MHWPs. Despite the fact that these connections were part of the EPS safety upgrades planned by AECL, by 2007 this safety upgrade was not being tracked in the NRU commitment tracking system.
  4. In 2005, NRU management separated the planned connection of the EPS to the MHWP from the EPS safety upgrade activities. Some CNSC staff members were aware that the connections had not been made, but did not elevate this to CNSC management as an issue that had to be agreed with or challenged. The CNSC management continued to believe, based on earlier documentation, that the planned safety upgrades included the hazards qualified EPS being connected to the MHWPs. Consequently, the status of the EPS connections was not effectively communicated within each organization and between organizations.
  5. The safety benefit of implementing the modification to connect the MHWPs to the EPS was not agreed upon or well understood by NRU site management.

2. The main reasons for the NRU reactor's 2007 extended outage were the following:

  1. There was no regulatory process for resolving deviations from the information relied on by the CNSC Commission in making its decisions, if the information had not been included in the licence itself. The CNSC staff considered the EPS tie-in to the MHWP to be part of the "licensing basis", but there is no CNSC-documented regulatory definition of this term.
  2. Once CNSC management considered NRU to be operating outside its licensing basis because the tie-in had not been made, they concluded that a licence amendment was needed. CNSC staff did not have authority to issue a licence amendment, and needed documentation from AECL (i.e., a licence amendment application request and safety case) to prepare its recommendation for submittal to the CNSC Commission. AECL submitted a safety case and a formal request for approval for a one-pump configuration, and additional time was needed for the CNSC staff to review and prepare the CMD documentation. Both the AECL and CNSC staffs recognized that it would be unlikely that a prompt resolution would be reached.
  3. There was no CNSC regulatory guidance or AECL-established process for assessing whether the operation outside the licensing basis (or in a degraded condition) presented an acceptable condition from a safety standpoint.

3. The main reasons why the EPS connections to MHWPs P-104 and P-105 were not made in a timely fashion, after December 2005, were as follows:

  1. The CNSC compliance inspection of the safety upgrades, which included the EPS upgrades, did not classify the missing connections as a licence violation or an issue that warranted identification as a Directive or an Action Item. The missing connections were not highlighted, even though members of the audit team were aware that the connections were not made. This further supported NRU management's belief that the EPS connections to the MHWPs were not a regulatory requirement.
  2. The NRU reactor staff refocused essentially all available safety upgrade resources to address other significant items that had been identified by the CNSC compliance inspection report, in order to support the licence renewal.
  3. The NRU commitment tracking system was not effective in tracking and monitoring the EPS connections to the MHWPs. Despite the fact that these connections were part of the EPS safety upgrades planned by AECL by 2007, this safety upgrade was not being tracked in the NRU commitment tracking system at all.
  4. The safety benefit of implementing the modification to connect the MHWPs to the EPS was not acknowledged by NRU management following review by the Safety Review Committee and was not elevated to AECL Corporate Management for resolution.

To address process issues that caused the conclusions discussed above, and the factors that contributed to their existence, the Talisman Team has identified recommendations for specific short-term and long-term process and procedure improvements for both CNSC and AECL. The specific recommendations, as provided in the attached report, have been combined and summarized below:

Short-Term:

  • CNSC should clarify current OL requirements, particularly regarding the Licence Strategy document referred to in Licence Condition 19.1 of the current OL. CNSC should reach agreement with AECL on open regulatory commitments, and concur that those open items adequately address the licensing requirements.

CNSC Management Response
At the end of May, the CNSC conducted a follow-up audit to review the status of the seven upgrades identified in the Licensing Strategy document. The CNSC is currently reviewing all the findings and will issue a set of directives and actions to AECL which will need to be completed. The final report should be issued within the next 60 business days. CNSC will work with AECL to review all open regulatory commitments, including any remaining commitments specified in the Licensing Strategy document, to ensure they are clear, that they adequately address the licensing requirements and that both CNSC and AECL are clear on the necessary actions and timelines to meet the commitment. These will be reviewed by legal counsel for clarity and enforceability. This will be completed by October 31, 2008.

  • CNSC and AECL should implement a licensing commitment management system to control the initiation, prioritization, implementation, tracking, close-out and maintenance of licensing commitments.

CNSC Management Response
CNSC will work with AECL to review and update the AECL's existing commitment tracking system to identify licensing and compliance commitments that are considered of greater risk significance and higher priority. AECL will carry out an effectiveness review of this system by September 30, 2008. In addition, the CNSC will introduce its own simplified tracking system for licensing and compliance commitments that are considered of greater risk significance and higher priority. This tracking system will be developed and implemented by September 30, 2008.

AECL Management Response
AECL is implementing an internal process for managing licensing commitments and obligations. To ensure that Talisman's recommendations are addressed, an effectiveness review of the commitment process will be completed by September 30, 2008. AECL will share its process with the CNSC and reach agreement on a combined approach to commitment and obligation management. In addition, AECL is embarking on a major initiative to ensure the licensing basis for its nuclear facilities is properly captured (see response to overall recommendation 13). As the first step of that initiative, a review and reconciliation of licensing commitments and obligations will be undertaken (this review and reconciliation will provide input to the first recommendation above).

  • CNSC should delegate sufficient authority to the Directors General, so that they are authorized to issue licence amendments.

CNSC Management Response
In alignment with the NSC Act, CNSC will review and seek Commission approval to further delegate authority from the Commission to Designated Officers including the Executive Vice-President and the Director Generals or seek to further streamline of the Commission decision making process to approve license amendments in abbreviated time periods. The two options will be reviewed by October 31, 2008 and presented to the Commission in November 2008 with implementation to follow pending Commission approval.

  • CNSC and AECL should develop a formal process to promptly determine whether, and under what conditions, continued NRU reactor operation may be justified during off-normal conditions.

CNSC Management Response
AECL is adapting and adopting a process referred to as Technical Operability Evaluation (TOE) currently used at operating Nuclear Power Plants. The CNSC will provide guidance and regulatory oversight to AECL to ensure the process is effective in identifying and assessing off-normal conditions and for identifying and implementing any necessary mitigative measures to ensure continued safe operation under those conditions. The CNSC will formalize and document the CNSC's internal processes where CNSC reviews and approvals are required to allow for continued NRU reactor operation. The process will include a clear identification of roles, responsibilities, authorities and accountabilities for CNSC staff, management and the Commission to ensure for the timely review and disposition of any requests for continued NRU reactor operation during off-normal conditions. An interim process will be established by September 30, 2008 and fully documented by January 31, 2009.

AECL Management Response
AECL is developing a Technical Operability Evaluation (TOE) process aligned with best industry practise, and the procedure will be completed by January 31, 2009. The purpose of the TOE process is to provide a framework for determining the impact of discovery conditions on reactor operation, and deciding whether continued operation still meets approved safety goals. Once the TOE process has been developed, AECL will work with CNSC staff to ensure that the TOE process is acceptable from a regulatory perspective. AECL will also work with CNSC staff to agree upon a set of safety goals that can be used in operability risk assessments.

  • AECL should strengthen its risk management assessment program (including use of probabilistic safety analyses tools), to support its use in the safety assessment process.

AECL Management Response
Risk assessment tools are required to support a broad range of safety-related decisions including TOEs (see overall recommendation 4), and prioritizing modifications and improvements. AECL will use the NRU Probabilistic Safety Assessment (PSA) and Safety Analysis Report (SAR), with the safety goals agreed under recommendation 4 to perform risk-based assessments.

  • CNSC and AECL should strengthen the quality and timeliness of internal and external communications, including a process to elevate issues of differing views to higher levels of management for resolution when needed.

CNSC Management Response
The CNSC and AECL have recently developed a protocol for communications at the working level. CNSC and AECL will extend that protocol to ensure it promotes effective (timely and high-quality) communications, to include a process for escalating issues to senior management for resolution (where required), and to include senior- and executive-level meetings. An agreed schedule for senior and executive level meetings between AECL and the CNSC will be completed by June 30, 2008. The formalized communications and problem resolution process will be developed, documented and implemented by December 31, 2008.

AECL Management Response
CNSC and AECL have developed a protocol for communications at the working level. AECL will work with the CNSC to extend that protocol to ensure it promotes effective (timely and high-quality) communications, to include a process for escalating issues to senior management for resolution (where required), and to include senior- and executive-level meetings. In addition, AECL will develop an internal Regulatory Communications Protocol based on the fundamental principle of "no surprises". The protocol will include practises for 3-way communication with CNSC staff on regulatory issues and the status of regulatory commitments, and for ensuring open and complete communications with the Commission. The protocol will be developed, and rolled out (including training) by March 31, 2009. Also an effectiveness review for the protocol will be included in the annual self-assessment plan for Licensing.

Long-Term:

  • CNSC should improve the clarity of future NRU OL conditions, by using specific regulatory terms and references, and enforceable language. Safety requirements, such as the limiting conditions for operations, should be included in the OL. CNSC counsel should review licence terms and conditions language for enforceability.

CNSC Management Response
The CNSC will review the current license for NRU to improve the structure, content and clarity of the license, license conditions, limiting conditions of operations and any reference documents. The review will be completed by October 31, 2008. The CNSC will work with AECL to agree on a timeline for completing any necessary changes to the license and any reference documents. The plan and timeline for implementing the changes will be presented to the Commission in February, 2009. The CNSC will improve its review process for licensing documents, including reviews by legal counsel, to ensure more precise regulatory language. As part of establishing licence conditions and the development of the Commission Member Documents, CNSC staff will:
(a) ensure the required actions and timelines to fulfill the condition are understood by both the licensee and staff;
(b) ensure the compliance plan for verifying, enforcing and reporting compliance on the license condition are understood by both AECL and CNSC staff.

  • AECL should clearly define the licensing bases (e.g., licence applications must include the current FA, the FSAR and the applicable LCOs and their bases) in the future OL for the NRU reactor, to ensure future licensing bases are clear.

AECL Management Response
In December 2007, AECL submitted to the CNSC an updated Facility Authorization (FA) that reflects the current plant configuration and references the most recent SAR (Safety Analysis Report), and will work with CNSC staff to get the new FA included in the licence. For future modifications, AECL will ensure the FA is promptly updated to include new Limiting Conditions of Operation (LCOs), and submitted for approval and inclusion in the licence. Furthermore, AECL agrees that the licensing bases for NRU (and other Nuclear Facilities) should be clearly established and is embarking on a major initiative to ensure the licensing bases are properly captured. This will be a multi-year project requiring the review and consolidation of all licensing documentation into a single repository, and a verification that all licensing commitments and obligations from these documents are captured in facility and program documentation with references to ensure commitments are not changed without a proper assessment. As part of this initiative, all existing commitments and obligations will be reviewed and rationalized by September 30, 2009. The updated licensing basis will be complete to support the application for the next licence renewal.

  • CNSC should develop and issue guidance to the CNSC staff and industry for preparing and evaluating a request for the exercise of enforcement discretion for temporary conditions of low safety significance.

CNSC Management Response
The CNSC recognizes the need to ensure clarity on the range of enforcement tools to be applied commensurate with the severity of non-compliance and the overall safety significance. The CNSC will complete a review and ensure clarity on the range of existing enforcement tools and their application by September 30, 2008. The CNSC will also document the process for graduated enforcement including guidance for assessing the risk significance of temporary conditions on NRU safety systems and identifying appropriate regulatory actions. This will be communicated to both licensees and staff. This will be completed by November 15, 2008.

  • CNSC should strengthen its enforcement capability by requesting the authority to issue civil penalties without referral to the Justice Department.

CNSC Management Response
This is currently under review and will be further examined for possible application. The implementation of this proposal would require changes of the Nuclear Safety and Control Act, legal reviews and the establishment of qualified staff and supporting tools to ensure its effective execution. The CNSC will review this option with its Legal Counsel and provide a recommendation to the Commission by November 2008 that will include a proposed timeline for bringing the necessary changes for parliamentary approval and executing the implementation pending the approval.

  • In a generic sense, CNSC should adopt the concept of "timely renewal", to eliminate any perceived need to "rush" in order to avoid the pending termination of an OL. This should be coupled with a requirement for licence renewal applications to be filed early enough, so as to allow for a reasonable period for licence renewal application reviews, while retaining the ability to take the additional time needed to finish a licence review and to have a clear understanding - by both the licensee and the CNSC staff - as to the licence details.

CNSC Management Response
CNSC already extends licenses as appropriate through license amendments. The CNSC further explored opportunities to further utilize license amendments to extended licenses as appropriate. This was completed on June 30, 2008. In addition, the CNSC is currently reviewing the use of Periodic Safety Reviews for Nuclear Power Plants and NRU to support a more systematic and timely approach to safety review that could lead to extended licence durations. This in turn will facilitate the timely submission and review of license renewal applications. The CNSC will bring forward a proposal to the Commission by December 31, 2008.

  • AECL should strengthen its long-term planning process to ensure that all functional departments understand the scope, priority, and schedule for regulatory projects. The commitment date and project schedule should be based on safety significance, plant staff resource requirements and availability, plant operations, and shutdown schedules.

AECL Management Response
AECL has implemented into its work management processes the requirement to identify regulatory commitments or obligations so that all involved understand the context and priority for the scope and schedule. Major project schedules currently include regulatory interactions and commitments. In addition, AECL's commitment management process will be reviewed to ensure that commitment schedules are based on safety significance, resource availability, and impact on plant operations and shutdown work schedules. Plant operations should also sign off on any planned work to ensure they agree with the scope and schedule, and so that they can identify operational safety concerns that need to be addressed. These items will be included in the effectiveness review under recommendation 2 above.

  • AECL should strengthen its work execution and configuration management processes, to ensure that safety significant improvements are promptly implemented and properly closed-out. Specific improvements are recommended in project management, modification management, and work management.

AECL Management Response
AECL has recently issued an engineering change control procedure that addresses many of the findings in modification and commissioning management. An effectiveness review will be conducted to ensure that use of the procedure is addressing the specific recommendations by June 30, 2009. With the formation of a consolidated project delivery organization in April 2005, AECL has implemented a project quality program and associated project management procedures that are based on Project Management Institute guidelines (Project Management Book of Knowledge). AECL will ensure that these procedures include requirements for Project Managers to include regulatory commitments in project plans, schedules and documents, and will ensure accountability statements for Project Managers include responsibilities to meet regulatory requirements, by December 31, 2008. AECL is also implementing improved work management practises, based on industry best practises. A 13-week rolling schedule has been implemented and work is under way on a 52-week rolling schedule that will include project work.

  • The CNSC should define the term "licensing basis" in a regulatory guidance document.

CNSC Management Response
The CNSC will review the definition of "licensing basis" as documented in an existing Regulatory Document RD-360 and develop any additional guidance document to clarify its applicability to existing facilities. This will be completed by September 30, 2008.

  • AECL should continue to strengthen its ability to self-identify and affect performance improvements. Specific recommendations have been made to improve the Corrective Action and Self-Assessment Processes and independent oversight functions, such as the Safety Review Committee.

AECL Management Response
AECL will be conducting a performance-based audit to drive further improvement of its corrective-action and self-assessment programs by March 31, 2009. Industry peers will be included on that audit. AECL will provide additional training in root cause analysis methodology as follows: a week long Root Cause Analysis (RCA) training session for 2008 September to be delivered and attended by industry peers, participation in the COG Corrective Action Working Group, and focussed RCA training to be delivered in 2008 October by a third party expert. Lastly the mandate of the Safety Review Committee (SRC) has been revised to ensure that the committee is properly integrated into AECL's safety oversight functions. A managed transition process is being followed to move to the new mandate, and as part of the transition, external experts are being sought to become members of the SRC.

During its review, the Talisman Team identified a number of factors that contributed to these problems. The report discusses these factors and provides additional recommendations to correct them.

The Talisman Team received the full cooperation of both the CNSC and AECL. The views expressed in this report are those of the Talisman Team, and do not necessarily represent the views of the CNSC or AECL.

Page details

Date modified: