Implications of the Accident
at Chernobyl for Safety Regulation
of Commercial Nuclear Power Plants
in the United States
U.S. Nuclear Regulatory
Availability of Reference Materials Cited in NRC Publications
Most documents cited in NRC publications will be available from one of the following
1. The NRC Public Document Room, 2120 L Street, NW, Lower Level, Washington, DC
2. The Superintendent of Documents, U.S. Government Printing Office, P.O. Box 37082,
Washington, DC 20013-7082
3. The National Technical Information Service, Springfield, VA 22161
Although the listing that follows represents the majority of documents cited in NRC publications,
it is not intended to be exhaustive.
Referenced documents available for inspection and copying for a fee from the NRC Public
Document Room include NRC correspondence and internal NRC memoranda; NRC Office of
Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation
notices; Licensee Event Reports; vendor reports and correspondence; Commission
papers; and applicant and licensee documents and correspondence.
The following documents in the NUREG series are available for purchase from the GPO Sales
Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings,
and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations
in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances.
Documents available from the National Technical Information Service include NUREG series
reports and technical reports prepared by other federal agencies and reports prepared by
the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.
Documents available from public and special technical libraries include all open literature
items, such as books, journal and periodical articles, and transactions. Federal Register
notices, federal and state legislation, and congressional reports can usually be obtained
from these libraries.
Documents such as theses, dissertations, foreign reports and translations, and non-NRC
conference proceedings are available for purchase from the organization sponsoring the
Single copies of NRC draft reports are available free, to the extent of supply, upon written
request to the Office of Information Resources Management, Distribution Section, U.S.
Nuclear Regulatory Commission, Washington, DC 20555.
Copies of industry codes and standards used in a substantive manner in the NRC regulatory
process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and
are available there for reference use by the public. Codes and standards are usually copyrighted
and may be purchased from the originating organization or, if they are American
National Standards, from the American National Standards Institute, 1430 Broadway,
New York, NY 10018.
Implications of the Accident
at Chernobyl for Safety Regulation
of Commercial Nuclear Power Plants
in the United States
Manuscript Completed: April 1989
Date Published: April 1989
U.S. Nuclear Regulatory Commission
Washington, DC 20555
This report was prepared by the Nuclear Regulatory Commission (NRC) staff to assess
the implications of the accident at the Chernobyl nuclear power plant as
they relate to reactor safety regulation for commercial nuclear power plants in
the United States. The facts used in this assessment have been drawn from the
U.S. fact-finding report (NUREG-1250) and its sources.
This report consists of two volumes: Volume I, Main Report, and Volume II, Appendix
– Public Comments and Their Disposition.
NUREG-1251, Vol. I iii
ABSTRACT. …………………… ………………………. 1
INTRODUCTION…………………………… …………. 1
SUMMARY ………………………………….. ………………….. 2
1 ADMINISTRATIVE CONTROLS AND OPERATIONAL PRACTICES ……………….. 1-1
1.1 Administrative Controls To Ensure That Procedures Are Followed
and That Procedures Are Adequate ……. …………………… 1-2
1.2 Approval of Tests and Other Unusual Operations ……………… 1-7
1.3 Bypassing Safety Systems….. ….. 1-11
1.4 Availability of Engineered Safety Features……………….1-15
1.5 Operating Staff Attitudes Toward Safety …………………… 1-19
1.6 Management Systems ………………………………………. 1-22
1.7 Accident Management ……………………………………… 1-23
2 DESIGN …………………………………… ………………… 2-1
2.1 Reactivity Accidents ………………………………. 2-1
2.2 Accidents at Low Power and at Zero Power …………………… 2-9
2.3 Multiple-Unit Protection..* ………………………………. 2-12
2.4 Fire Protection…… ………………… ……………….. 2-15
3 CONTAINMENT ………….. ……………………………. 3-1
3.1 ContainmentPerformance During Severe Accidents …………….. 3-2
3.2 Filtered Venting ………………………………………… 3-4
4 EMERGENCY PLANNING ……………………………………………. 4-1
4.1 Size of the Emergency Planning Zones ………………………. 4-1
4.2 Medical Services ………………………………………… 4-4
4.3 Ingestion Pathway Measures …. ………………………….. 4-7
4.4 Decontamination and Relocation ……………………………. 4-9
5 SEVERE-ACCIDENT PHENOMENA ……………. ……………………… 5-1
5.1 Source Term ……. … …………………………… 5-1
5.2 Steam Explosions …………. I ……………………………. 5-10
5.3 Combustible Gas …………………………………………. 5-14
6 GRAPHITE-MODERATED REACTORS …………………………………… 6-1
6.1 The Fort St. Vrain Reactor and the Modular High-Temperature Gas-
Cooled Reactor ……………………. …………………… 6-2
6.2 Assessment …………….. … ……………………. 6-2
6.3 Conclusions and Recommendations …. ……………………… 6-7
REFERENCES ……………… . …………………………………….. R-1
NUREG-1251, Vol. I
This report was prepared by the staff of the U.S. Nuclear Regulatory Commission
(NRC) to assess the implications of the April 1986 Chernobyl accident in the
Soviet Union as they relate to commercial nuclear reactor safety regulation in
the United States. Most of the assessment focuses on light-water-reactor power
plants. A final chapter addresses graphite-moderated reactors.
With respect to studying the Chernobyl accident, U.S. Government agencies have
expended their energies on determining the facts, as well as on assessing those
facts in terms of how the accident may affect U.S. policies and practices in
the nuclear power field.
The work was divided into two major phases. The first phase, fact finding, was
a coordinated effort among several U.S. Government agencies and some private
groups; this phase was completed in January 1987 and has been reported in
NUREG-1250, “Report on the Accident at the Chernobyl Nuclear Power Station.”
The second phase, an assessment of the implications of that accident with regard
to U.S. policies and practices, is being pursued separately by each organization
that participated in NUREG-1250. The present report, as part of this
second phase, addresses the safety regulation of commercial nuclear reactors
under NRC regulatory jurisdiction. (Department of Energy reactors, not subject
to NRC regulation, are not addressed in this NRC study.)
In developing the assessments presented in this report (NUREG-1251), the NRC
staff depended on NUREG-1250 and its two major source documents (USSR, 1986;
INSAG, 1986) for the facts of the Chernobyl accident. The Soviet document
(USSR, 1986) is an official Soviet report to the International Atomic Energy
Agency (IAEA) Experts’ Meeting held in Vienna August 25-29, 1986; the second
(INSAG, 1986) is the report to the IAEA prepared by the International Nuclear
Safety Advisory Group at a second meeting in Vienna on August 30 to September
The assessment of the implications of the Chernobyl accident with regard to
commercial nuclear reactor safety regulation in the United States is supported
by detailed assessments of a number of particular issues, grouped in six subject
areas. The particular issues selected for evaluation were those that are associated
with significant factors that led to or exacerbated the consequences of
the Chernobyl accident.
A draft of this report was issued for public comment in September 1987. The
comments received, together with further work within the NRC, were taken into
account in preparing this final version. The passages that have been changed
(except for those with minor editorial changes, such as the spelling out of
acronyms) are marked by vertical lines in the margin. A separately bound appendix
to this report contains the comments received, provides the staff’s response
to significant issues raised in the comments, and identifies the nature
and basis of the resultant changes to the draft report. The changes correct or
clarify specific items of information and modify asspssments in some areas pertaining
to specific issues; they do not substantially change the major aspects
,of the assessment.
NUREG-1251, Vol. I 1
A study of the Chernobyl accident has ledthe NRC staff to the following gen-.
eral conclusions about its effect on safety regulation of commercial nuclear
power plants in the United States:;
(1) No immediate changes are needed in the NRC’s regulations regarding the
design or operation of U.S. commercial nuclear reactors.
Nuclear design, shutdown margin, containment, and operational controls at
U.S. reactors protect them against a combination of lapses such as those
experienced at Chernobyl. Although the NRC has always acknowledged the
possibility of major accidents, its regulatory requirements provide adequate
protection against the risks, subject to continuing vigilance for
any new information that may suggest particular weaknesses, and also subject
to taking measures to secure compliance with the requirements.
Assessments in the light of Chernobyl have indicated that the causes of
the accident have been largely anticipated and accommodated for commercial
U.S. reactor designs.
Yet, the Chernobyl’accident has lessons for us. The most important lesson
is that it reminds us of the continuing importance of safe design in both
concept and implementation, of operational controls, of competence and
motivation of plant management and operating staff to operate in strict
compliance with controls, and of backup features of defense in depth against
Although a large nuclear power plant accident somewhere in the United States
is unlikely because of design and operational features, we cannot relax the
care and vigilance that have made it so. Accordingly, further consideration
of certain issues is recommended, as discussed.
(2) Some aspects of requirements and regulations that already exist or are
being developed will be reexamined, taking into account the accident at
Areas that may warrant further study include operator training, emergency
planning, and containment performance.
(3) Study of areas related to certain aspects of the Chernobyl accident will
be extended and will provide a basis for confirming or changing existing
These areas include reactivity accidents,”accidents at low power or at
zero power (when the reactor is shut down), and characteristics of
NUREG-1251, Vol. I 2
(4) The Chernobyl experience should remain as part of the background information
to be taken into account when dealing with reactor safety issues in
Conclusions About Specific Areas
The accident at Chernobyl suggests that the following specific areas be examined
in direct response to that event. (Cross-references in parentheses refer’to
correspondingly numbered detailed assessments in the body of this report.)
(1) Administrative Controls Over Reactor Operations (Chapter 1)
In general, regulatory provisions at nuclear plants in the United States,
if properly implemented, are adequate with respect to administrative controls
to ensure that reactor operations are conducted within a safe range
of operating conditions. These controls address procedural adequacy and
compliance, approval of tests and other unusual operations, bypassing of
safety systems, availability of engineered safety features, operating
staff attitudes toward safety, management systems, and accident management.
However, the benefits of the followi~ng additional provisions should be
(a) Programs for accident management, including training and the development
of procedures for coping with severe core damage and for the effective
management of the containment. This provision will be addressed
and resolved as part of the implementation of the Commission’s
Severe Accident Policy.
(b) The review of administrative controls to seek ways of strengthening
technical reviews and the approval of changes, tests, and experiments.
(c) The review of safety system status displays and the availability of engineered
safety features for potential worthwhile improvements.
(d) The review of current NRC testing requirements for balancing benefits
(e) Measures that might further increase assurance that violations of procedures
that could be instrumental in causing an accident or emergency
situation or compromising safety margins will not occur.
(2) Reactivity Accidents (Section 2.1)
Positive void reactivity coefficients, which are a characteristic of the
RBMK graphite-moderated water-cooled reactors, played a central role in
determining the severity of the Chernobyl accident. Commercial reactors
in the United States are designed very differently from the RBMK reactor
at Chernobyl, and have generally a negative void reactivity coefficient.
This provides assurance that the kind of superprompt critical excursion
that took place at Chernobyl will not occur. However, the NRC should
reconfirm that vulnerabilities and risks from possible accident sequences
have been adequately factored into safety analysis reports on which design
approvals are based.
NUREG-1251, Vol. I 3
(3) Accidents at Low Power and at Zero Power (Shutdown) (Section 2.2)
Regulations for commercial nuclear power plants in the United States require
that potential accidents that could occur during all conditions of
operation (full, low, and zero power) be considered and provided for in
the plant design. Such provisions are considered in safety analyses required
in support of licensing. Often, analyses assuming full-power operation
are found to be limiting cases–bounding accident risks at low-power
operation or when the reactor is shut down. The Chernobyl accident suggests
that accident sequences beginning at low power and under shutdown conditions
should be reviewed, particularly for situations in which not all engineered
safety features are considered-necessaryo.to be available.
(4) Multiple-Unit Protection (Section 2.3)
For multiple-unit plants that are operating or are under construction, the
Chernobyl experience shouldbe considered in assessing the adequacy of protection
of control rooms in the event of an accident at one of the units.
This assessment should be performed on the basis of recent research information
on radionuclide release.
New multiple-unit plants should not share.systems required for shutting
down each unit unless designed to enhance the overall level of safety.
(5) Fires (Section 2.4)
Provisions for fighting fires when radiation levels are high should be
reviewed to confirm that the current provisions are adequate.
(6) Containment (Chapter 3)
The Chernobyl accident demonstrated the importance of containment performance
for mitigation of the risks of nuclear power plant operation. Even
before the Chernobyl accident, research programs and regulatory initiatives
in the United States addressed the issue of containment performance during
severe accidents. A systematic search for plant-specific vulnerabilities
(i.e., potential failures that result in unacceptably high risk) is scheduled
to begin in 1988, as part of the implementation of the Commission’s
Severe Accident Policy. This search will include reviews of containment
design. The Chernobyl experience should be taken into account in these
reviews wherever that experience is relevant.
Filtered venting of containment as a means of limiting offsite consequences
of core-melt accidents is being pursued in a number of countries and is
being examined in the United States. Anticipated international technical
exchanges will enhance U.S. research and evaluation efforts concerning
this potential measure.
(7) Emergency Planning (Chapter 4).
Partly because the radionuclide release in the Chernobyl accident is
specific to the RBMK design, the size of the 10-mile plume exposure pathway
emergency planning zone, which specifically includes the concept of
NUREG-1251, Vol. I 4
protective actions outside it if necessary, continues to be viewed as
adequate. However, in light of new research information (NUREG-0956,
“Reassessment of the Technical Bases for Estimating Source Terms,” and
NUREG-1150, “Reactor Risk.Reference Document”), the planning bases for
relocation and decontamination and for protective measures for the food
ingestion pathway are being reexamined in cooperation with’the Federal
Emergency Management Agency.
(8) Severe-Accident Phenomena (Chapter 5)
The phenomena of the Chernobyl accident were greatly influenced by the
design features and materials in-the RBMK reactor, which differ in many
respects from those of U.S. reactors. The only radionuclide release
aspects identified to date that are not currently considered in U.S. ana-‘
lytical models involve two mechanisms of fission-product release from fuel
debris. These are mechanical dispersal and chemical stripping (removal
of the fuel surface layer, as through chemical change of the uranium oxide).
Although it is not clear that these mechanisms will have any effect on
accident sequences relevant to U.S. reactors, it is recommended that the
need for additional research be assessed.
(9) Graphite-Moderated Reactors (Chapter 6)
The Fort St. Vrain high-temperature gas-cooled reactor (HTGR) is the only
licensed and operating commercial graphite-moderated reactor in the United
States. A study of the potential for a Chernobyl-type fire and explosion
at Fort St. Vrain was initiated immediately after the Chernobyl accident.
It should be noted, however, that the licensee for Fort St. Vrain, the
Public Service Company of Colorado, has notified the NRC that it will
discontinue operations on or before June 30, 1990.
Although the only shared features between the HTGR concept and the Chernobyl
design are the use of a graphite moderator and gravity-driven control rods,
the 330-MWe Fort St. Vrain’HTGR andza proposed modular HTGR concept were
reviewed against the Chernobyl candidate issues and the conclusions presented.
in this document for light-water reactors. This assessment confirms
that the concept of the HTGR (because it uses-helium coolant in a fully
ceramic core, has an overall negative reactivity coefficient, and has completely
diverse alternate shutdown and cooling systems) has no direct association
with the identifiedweaknesses of the Chernobyl design. In the
areas at issue of operations, design, containment, emergency planning, and
severe-accident phenomena, NRC assessments conclude that the implications
of the accident at Chernobyl generate no new licensing concerns for HTGRs
and both the overall and specific`area conclusions are the same as for
light-water reactors. The assessment did not raise any new concerns regarding
HTGR severe-accident phenomena. It did reinforce the desirability of
undertaking a limited probabilistic risk assessment of Fort St. Vrain. It
also suggested consideration of the merits of the possible reinitiation of
experiments in graphite thermal stress to enhance confidence in the longterm
integrity of the Fort St. Vrain structural graphite. However, no
work with respect to Fort St. Vrain is now warranted, in view of the
imminent termination of operations.
NUREG-1251, Vol. I 5
ADMINISTRATIVE CONTROLS AND OPERATIONAL PRACTICES
In the United States, administrative controls over plant operations include NRC
rules and regulations, facility license conditions, Technical Specifications,
and plant procedures. The overall administrative control framework requires
that safety-related activities at nuclear power plants be conducted in accordance
with approved written procedures. These activities include, for example,
operations, tests, inspections, calibrations, maintenance, experiments, modifications,
safety review and approval functions, and audits. The safety design
basis of the plant is based on assumed initial conditions for transients and
emergencies. These assumed initial conditions (e.g., temperatures, pressures,
control rod positions, and equipment availability) establish a “safe operating
envelope.” Effective administrative controls are needed to ensure that reactor
operations are conducted within this safe operating envelope. Clearly, for
administrative controls to be effective they must be technically accurate and
complete, they must be understood by those responsible for implementing specific
procedures, and management must ensure that they are enforced. A key finding
from the Chernobyl accident is that such administrative controls in place at
Chernobyl were not effective in maintaining conditions within the safe operating
In this chapter, the NRC staff reviews the administrative controls over plant
operations in the United States to determine if adequate controls are in place
to maintain plant conditions within the safe operating envelope. This review
includes an assessment of procedural adequacy and compliance, approval of tests,
bypassing of safety systems, availability of engineered safety features, operating
staff attitudes toward safety, management systems, and accident management.
The results of these detailed reviews are reported in the following sections.
The staff confirmed that some ongoing activities with a nexus to the Chernobyl
accident should continue. In addition, a few new issues requiring staff attention
were identified and are presented below.
Emergency operating procedures (EOPs) are intended to ensure safe shutdown and
to mitigate the effects of accidents and transients. Facility EOPs are designed
for coping with accidents and transients that initiate from within the safe
operating envelope. The ability of operators to successfully implement EOPs
depends upon plant safety parameters initially being within the safe Operating
envelope. As a result of the Three Mile Island accident, NRC required that
new symptom-based EOPs be developed. These new procedures have not been
implemented at all facilities, and NRC audits have identified deficiencies in
implementation at several facilities. Thus, licensees must expend significant
effort to complete implementation of new EOPs.
Operator training needs to stress fundamentals of reactor safety, how the plant
should function, and the underlying danger if plant conditions move outside the
safe operating envelope. With adequate training and knowing the possible
NUREG-1251, Vol. I 1-1
consequences, personnel would be less likely to succumb to pressures to speed
up, take shortcuts, or defeat safety functions. Operating experience and the
Chernobyl event suggest that additional attention to training in the areas of
maintenance of safety-parameters and plant conditions within the safe operating
envelope, emergency operating procedures, and accident management should be
The Chernobyl accident has emphasized the need for contingency planning assuming
core damage has occurred to ensure that appropriate controls, training, and
planning have prepared the plant staff to manage plant assessment activities,
response actions, and emergency actions. Significant effort has been expended
to prepare for events involving degraded-core cooling and to upgrade emergency
planning. However, more work needs to be donein training and procedure development
for coping with severe core damage and for effective management of
Management attention and diligence are required to ensure that plant operations,
testing, and maintenance are conducted within the safe operating envelope. Management
must focus on ensuring that all of the administrative control systems are
effective and enforced. To obtain feedback on the quality of safety activities,
the operating staffs must continue to perform audits, internal inspections, and
reviews of operating data and events. .Qualified and informed individuals must
control reviews of changes, tests, and procedures. Experience has shown that
some of these reviews have not been of consistently high quality and, in some’
instances, design changes have been made and testing has been conducted that
place the plant outside the safe operating envelope. Industry has acted to
improve the review process required by NRC; however, more needs to be done to
sharpen the focus on responsibility for safety.
1.1 Administrative Controls To Ensure That Procedures Are Followed and That
Procedures Are Adequate
Are controls at-U.S. reactors adequate to ensure that operations and other
activities at nuclear power plants are performed in accordance with approved
When, in order to complete the test, the operators deviated from the approved
test procedures and-the established administrative procedures, they initiated
the Chernobyl accident. Although the test procedure called for the test to be
run at 700 to 1000 MWt, the operators could only achieve 200 MWt, but decided
to conduct the test anyway. In addition, they violated the fundamental administrative
requirement to maintain enough control rods at the proper degree of
insertion to be effective in an automatic scram. The operators should not have
raised the-control rods beyond their administrative limits so that the reserve
shutdown reactivity margin limits were violated; they should have terminated
the test and shut the reactor down. This violation resulted in the inability
to insert enough negative reactivity in the required time by a scram to overcome
certain reactivity transients..
The operators violated another administrative procedural limit when they activated
and operated two additional main circulating pumps while the other main
circulating pumps were running. Such actions (1) violated limits protecting
against pump cavitation damage and (2) yielded an abnormally high core flow rate.
NUREG-1251, Vol. I 1-2
The conditions created by running all of the main circulating pumps would also
have caused an automatic scram if the operators had not intervened and defeated
the scram function. Subsequent operation with the high flow rate resulted in
voids being swept from the fuel element channels. This caused a large reactivity
loss which was compensated for by control rod withdrawal to an extent that the
rods were initially less effective when scrammed.
Other deviations from administrative procedures occurred, such as bypassing
safety systems. These are discussed separately. Such deviations and procedures
violations are influenced by operator attitudes (also discussed separately).
This issue concerns (1) controls by licensees and-regulators to ensure that procedures
are appropriately written, known-to the operators, placed at the worksite,
and followed and (2.) the adequacy of these controls for some safety functions.
Such controls involve plant policies and procedures, industry standards,
and regulatory rules and enforcement policy. The specific administrative controls
applicable to changes, tests, and experiments are provided in Section 1.2.
1.1.1 Current Regulatory Practice
(1) NRC Requirements and Guidance for Procedure Development and Use
The NRC has a large body of guidance and requirements that includes general and
specific measures for development and use of administrative procedures and controls.
These controls govern all operating activities at nuclear power plants,
and are designed to avoid the types of violations that occurred at Chernobyl.
Violations of procedures do occur at licensed plants, but in relation to the
number of procedural steps taken at plants, such violations are infrequent, and
only rarely do they occur with the knowledge that a violation is being committed.
Errors have also been committed because of operator failure to use or refer to
procedures. In its program to ensure safety and quality, the NRC has developed
and published quality assurance requirements for activities affecting nuclear
safety. Criterion V, “Quality Assurance Criteria for Nuclear Power Plants and
Fuel Reprocessing Plants,” of Appendix B to Part 50 of Title 10 of the Code of
Federal Regulations (10 CFR 50) governing procedures states:
V. Instructions, Procedures and Drawings
Activities affecting quality shall be prescribed by documented instructions,
procedures, or drawings, of a type appropriate to the
circumstances and shall be accomplished in accordance with these
instructions, procedures, or drawings. Instructions, procedures, or
drawings shall include appropriate quantitative or qualitative acceptance
criteria for determining that important activities have been
This criterion prescribes the general requirement for having procedures and for
following them. A second level of administrative controls for procedures is.contained
in each plant’s Technical Specifications-, which are a part of the license.
Plant Technical Specifications require licensees to establish, implement, and
maintain procedures. Both Technical Specifications and Criterion V have the
force of law.
Technical Specifications require procedures to be reviewed by the Unit Review,
Group when initially written and before being changed, except for temporary
NUREG-1251, Vol. I .1-3
changes made on the spot that do not alter the intent. The Unit Review Group
is made up of key plant supervisory personnel who are knowledgeable about plant
safety. The objective of this review is to ensure that experts from the various
technical disciplines review the procedures for operations or changes that could
affect safety. This review backs up the technical procedure writer and his/her
supervisor’s decisions on safety. There is a further screening of procedures
and changes to procedures to determine whether or not they may involve an unreviewed
safety question or a technical specification, in which case prior NRC
approval is required by 10 CFR 50.59. The NRC requires that all of these activities,
including compliance with procedures, be periodically audited, and audit
results be provided to appropriate management; corrective action is required
when deficiencies are found.
(2) Required Procedure Coverage
Technical Specifications require that licensees commit to develop and implement
applicable procedures listed in Appendix A to Regulatory Guide 1.33, “Quality
Assurance Program Requirements Operation.” Licensees make this commitment in
their applications. This list of applicable procedures covers essentially all
operating and administrative activities (e.g., startup, shutdown, refueling)
and requires the development of specific procedures for activities, such as tests
and maintenance, at the approximate.-time-but before the test or maintenance
activity is performed. Test and administrative procedures undergo the same
review as other procedures.
(3) Guidance in Standards
Additional guidance on procedures is provided in American National Standards
Institute/American Nuclear Society (ANSI/ANS) Standard 3.2-1980, “Administrative
Controls and Quality Assurance for the Operational Phase of Nuclear Power
Plants.” The guidelines of this standard provide much more detail than other
documents on the measures needed for the development, review, control of changes,
and implementation of the procedures. This standard is endorsed by the NRC
through Regulatory Guide 1.33, and licensees have committed to comply with Regulatory
Guide 1.33 in their license applications.
ANSI/ANS 3.2 requires that procedures be written for all plant safety activities,
that they be followed, and that the requirements for use of the procedures be
prescribed in writing. It further requires written guidance for operators to
contain elements describing when a procedure is to be memorized, when it is to
be in hand while the operator is conducting the operation, and when signoffs
are required. It identifies’situations in which temporary changes can be made
and the conditions under which such changes can be made if proper controls are
(4) Training on Procedures
Operators must be licensed by the NRC. Since plant operation requires extensive
use of procedures, operators are trained in both the technical details of procedures
and what is expected of them in terms of using procedures and following
procedural provisions. The NRC examines operators in these areas.
NUREG-1251, Vol. I 1-4
(5) NRC Inspection and Enforcement
Important elements in the overall regulation of nuclear power plants are the
inspection of licensee activities and the enforcement actions taken when the
licensee fails to comply with NRC requirements.
Since a requirement exists in the Technical Specifications that licensees follow
procedures, licensed operators must use procedures and must abide by them or
face possible disciplinary action from their own management and possible enforcement
action by the NRC. Citations and significant fines havebeen imposed on
utilities for such violations of procedures. Licensees’ activities are inspected
routinely and after each significant event to determine compliance with procedural
requirements. These inspections are often done unannounced on backshift
and during weekend periods. More severe actions are usually taken for violations
of procedures if the act has been willfully performed. Operators are very reluctant
to deliberately commit such acts. In an emergency, a licensee is permitted
through 10 CFR 50.54(x) to deviate from a procedure or even from a technical
specification if the licensed operator determines such deviation is needed
to protect the public. When appropriate (e.g., as a result of decreasing Systematic
Assessment of Licensee Performance ratings), additional emphasis will be
placed on inspectors monitoring the quality and use of procedures.
1.1.2 Wrrk in Progress
(1) Technical Specifications Improvements
The NRC has a priority effort under way to improve Technical Specifications
through the Technical Specification Improvement Program. Current Technical
Specifications have grown in volume because of lack of guidance on which
requirements should be included in them. A Policy Statement defining the
scope and purpose of Technical Specifications (52 FR 3788) has been approved
by the Commission. Technical Specifications that have been revised in accordance
with this Policy Statement will be more closely oriented toward the
operator’s job and will be rewritten to improve clarity. Bases for requirements
will be improved. Technical Specifications ‘that appear in procedures
will be easier to understand and to follow.
(2) Symptom/Function-Based Emergency Operating Procedures
One of the lessons learned from the accident at Three Mile Island Unit 2 was
the need for symptom/function-based emergency operating procedures (EOPs) for
coping with transients and accidents. The NRC has a program in place that is
sponsored by vendor owners groups to develop EOPs- based on reanalyses of transients
and accidents. All licensees are required to implement symptom-based
EOPs incorporating good human factors practices. Operators are receiving
training on these procedures. The ability of operators to successfully implement
these procedures is directly related to their knowledge of whether or not
the plant is initially operating within the safe operating envelope.
(3) Refocusing NRC Inspection Activities
The NRC initiated an inspection program to reward good licensee performance by
reducing inspections for good performers; below-average performers were inspected
NUREG-1251, Vol. I 1-5
In the staff’s judgment, a high level of overall compliance and a high level
of compliance with procedures go hand in hand. To achieve the coveted high
performance rating, licensees will need to have (a) effective administrative
controls over procedure development and use as well as (b) good performance in
other management and technical areas.
Good administrative controls are essential for the safe operation of nuclear
power plants. The staff has carefully examined these controls. The assessment
of the adequacy of these controls at U.S. reactors is discussed below.
Over the past 15 years, a body of American Nuclear Society standards has been
developed and put into place to provide criteria and guidance for procedures
and for controls over the procedures. Several key standards have been in use
for much of this period; furthermore, these key standards have been revised and
refined, becoming effective standards. They address administrative controls,
qualifications for nuclear power plant personnel, training, and quality assurance.
The NRC has encouraged such standards development, endorsing it through
the NRC regulatory guide series. The standards have become the recommended and
accepted programs in their respective areas.
These standards contain excellent requirements and guidance for control over
administrative and technical procedures. They are geared toward ensuring that
technically sound procedures are developed that have been reviewed by a multidiscipline
review body, and that have management endorsement and authorization.
They also require the use of approved written procedures for essentially all
activities at the plants. Required training emphasizes how these procedures
are to be used and followed. Management directives and administrative procedures
state the philosophy and expectations, i.e., procedures will be written
The NRC has. published guidance and has issued plant-specific Technical Specifications
stating requirements in the use of procedures. Although these procedures
and specifications allow removal of a single train of redundant systems for test
or repair, they prohibit defeating safety systems and prescribe minimum operability
requirements for important safety equipment. NRC personnel inspect procedural
activities and’take enforcement action, when appropriate, against utilities
and licensed operators who violate these requirements. The industry-sponsored
Institute of Nuclear Power Operations evaluates performance in these same areas
and strives for excellence in writing, use, and control of procedures through
its evaluation feedback process to management.
Although the staff recognizes that errors and violations will occur, the measures
taken by the NRC and industry should keep violations to a minimum. Since
Technical Specifications containing, the operability requirements for safety
equipment are so prominent in operators’ and management’s minds, the staff believes
that operators, because of their concern for safety, will not willingly
violate these requirements and put the reactor in jeopardy. It should be recognized,
however, that since violations of procedures do nevertheless occur, a
study that would characterize the nature, severity,-and frequency of violations
could be of value. It might provide a firmer basis for a reassuring conclusion
or lead to a consideration of additional means of-reducing inadvertent violations
and deterring willful ones.
NUREG-1251, Vol. I 1-6
Recent audits by the NRC have’identified deficiencies in the implementation of
the new symptom-based emergency operating procedures (EOPs.) In addition, NRC
examinations have identified the need for additional training on the use of these
procedures. Therefore, the staff believes work should continue to achieve full
implementation of the new EOPs and to provide associated training to operating
personnel. Furthermore, the staff believes that the concept of maintaining plant
conditions within the safe operating envelope should be emphasized in operator
1.1.4 Conclusions.and Recommendations
The staff recommends that increased emphasis be placed on implementing symptombased
EOPs and related training. Full implementation of symptom-based EOPs is
expected to ensure that procedures are adequate. The staff also recommends an
increased emphasis on NRC inspections to determine if those administrative controls
needed to-ensure that procedures are being followed have been prepared and
are in place. Further, the staff recommends initiation of a research program to
analyze the frequency, nature, and severity of violations in order to provide a
basis for the consideration of measures that might increase assurance that violations
that could be instrumental in causing an accident or emergency situation
or compromising safety margins will not occur. These measures are intended to
reinforce assurance that operations and-other safety-related activities will be
performed in accordance with approved written procedures.
1.2 Approval of Tests and Other Unusual Operations
Are administrative controls at nuclear power plants adequate to ensure that
changes are made safely and that tests and experiments at plants are conducted
safely and within the safe operating envelope?
The testing being performed at Chernobyl at the time of the accident was stated
to have been prepared by an individual not familiar with the RBMK-1000 type of
reactor. Moreover,,’the Soviet report (USSR, 1986) stated that “the quality of
the program was poor and the section on safety measures was drafted in a purely
formal way.. .. ” In addition to the test program being poorly constructed, its
intent was violated in a number of ways. The test power level was chosen to
avert control difficulties that would result from changes to the thermal, hydraulic,
and nuclear characteristics at low power levels. The test also presumed
an automatic trip of the reactor by closing the turbine stop valve when
the test was initiated. The trip circuit for this function was defeated by the
operators to expedite a retest if the original test failed. An adequately
constructed test procedure would establish the prerequisites, including power
level, with a warning or caution against lower power levels and would have
established in advance any permissible bypasses of-safety features.
U.S. standards and administrative control requirements minimize the potential to
conduct a test without an adequate safety review. Multiple Federal regulations
would have been violated had Chernobyl Unit 4 been a licensed U.S. plant.
In the United States, all changes, tests, and experiments planned to be performed
in reactors licensed by the NRC are evaluated against the requirements
of 10 CFR 50.59, “Changes, Tests, and Experiments.” This regulation establishes
which changes, tests, and experiments may be done solely under a licensee’s
NUREG-1251, Vol. I 1-7
administrative procedures and which must get prior NRC approval. iThe NRC staff
must review, approve, and authorize any change, test, or experiment that involves
an unreviewed safety question or a technical specification.-.
If the change, test, or experiment does not involve an unreviewed safety-question
or a-technical specification, but does involve reactor safety,.it must be done
under the administrative control system discussed in Section 1.1 and be submitted
to that review and approval process.
The controls to ensure that changes, tests,-and experiments are properly dealt
with are discussed in this section. These controls. are a part of the administrative
controls discussed in Section 1.1 and relate topoperator attitudes
toward safety as discussed in Section 1.5.
1.2.1 Current Regulatory Practice
10 CFR 50.59 requires Commission approval for any change to the facility or to
procedures described in the Safety Analysis Report and any test or experiment
which involves a change to the Technical Specifications or to an unreviewed,
safety question (USQ). A USQ is defined as a change which increases the probability
or consequences of. an accident or malfunction-of-equipment important to
safety previously evaluated, creates the possibility of an accident or~malfunction
of a different type than that previously evaluated, or reduces, the margin
of safety as defined in the basis of the plant Technical Specifications. The
licensee may make the change, which could.consist of a new test or experiment,
without prior Commission approval if it does not involve-a change to the:Technical
Specifications or a USQ. If such a change, test, or experiment affects
nsuticllle amr ussat febtey ,p robpuet rldyo es not involve a USQ, the change, test,,or experiment reviewed and approved before implementation., The safety
evaluation required by 10 CFR 50.59 is but one of several ‘reviews required
either by Technical Specifications or by other plant administrative controls.
Figure 1.1 charts the flow of changes, tests, or experiments required to receive
After authorization of the change, test, or experiment has’been obtained,’the
test details have to be converted into a procedure.. The process of converting
test details into a procedure follows the controls discussed in.Section 1.1 for
writing, reviewing, approving, and implementing procedures. ,.
mNReCn tsp etroso ncnoenlf irmin spect selected activities involving changes, tests, or experi- that 10 CFR 50.59 requirements were satisfied. Resident
,inspectors at each site stay abreast of licensed activities and periodically
confirm that changes, tests, and experiments have been appropriately reviewed.
Each plant has an NRC project manager assigned to its main office who also
stays abreast of licensed activities. The project manager’s.role has recently
been expanded to include routine review of documentation summaries and selective
audits of 10 CFR 50.59 activities. ‘
1;2.2 Work in Progress .
Some reviews conducted in accordance with 10 CFR 50:59-hiVe6been found inconsistent
in depth of review and quality of documentation.. On May 27, 1986, NRC
management requested that industry develop review criteria:and guidelines for
NUREG-1251, Vol. I 1-8
CHANGES TO FACILITIESAND
TESTS (OR EXPERIMENTS) 10 CFR 50.59
Change Pmroposalmmm Most Technical Specifications (TS) require the Unit Review Group
(1) to review all procedures and changes thereto that affect nuclear
safety, all proposed tests and experiments that affect nuclear safety,
and all proposed changes to the facility that affect nuclear safety;
and (2) to recommend in writing to the Plant Superintendent approval
or disapproval of these proposals.
Is the Safety Analysis Report (SARI)affected?
0)l Does the proposal change the facility or procedures from their
description in the SAR?
1(2 ) Does the proposal involve a test or experiment not described in the SAR?
(3) Could the proposal affect nuclear safety in a way not previously
evaluated in the SAR?
Any answer Yes All answers. No
Is a change in the TS involved?
10 CFR 50.59 no longer applies. It is still
necessary, however, to ask: Is a change
in the TS involved?
Is an unreviewed safety question involved?
(I1) Is the probability of an occurrence or the consequences
of an accident. or malfunction of equipment important to
safety previously evaluated in the SAR increased?
(2) Is the possibility for an accident or malfunction of a different
,, type than any previously evaluated in the SAR created?
(3) Is the margin of safety as defined in the basis for any
technical specification reduced?
Most TS require the Unit Review Group to
inm 1 render determination in writing with regard
‘ constitutes an unreviewed safety question.
All answers No Any answer Yes I I Most TS require the Company Nuclear Revie
Group to review proposed changes to procedu
equipment or systems, and test or experimen
that involve an unreviewed safety question.
Document the change. Include in these
records a written safety evaluation .
providing the bases for the determination
that the change, test. or experiment does
not involve an unreviewed safety question.
Submit the proposal to the
NRC for authorization.
Proceed with the change
I ‘ Most TS require the Company Nuclear Review Group to review the safety evaluations I L m – 1 for changes to procedures, equipment, or systems, and tests or experiments completed I under the provisions of 50.59 to verify that such actions did not constitute an unreviewed I
Figure’ 1.1 Approval of changes, tests, and experiments
NUREG-1251, .Vol,. I 1-9
licensees conducting reviews of changes, tests, and experiments under the regulatory
provisions of 10 CFR 50.59. This work was initiated by the Atomic Industrial
Forum (AIF), now a part of the U.S. Council for Energy Awareness, and is
now being conducted under the auspices of the Nuclear Management and Resources
Council with participation by AIF and the Electric Power Research Institute’s
Nuclear Safety Analysis Center. This group presented a draft set of criteria and
guidelines to NRC management in November-1987. The NRC has reviewed these guidelines
and provided comments to the industry. Once these criteria~and guidelines
are acceptable, they will be used by the NRC–as well as the licensees–to review
changes, tests, and experiments by licensees under the provisions of 10 CFR 50.59.
Each year licensees conduct thousands of reviews under the provisions of
10 CFR 50.59. Some of the review items should have received prior NRC review,
as later determined by inspections and licensee audits. Enforcement penalties
have been levied for some of these violations. Nevertheless, considering the
large number of changes, tests, and experiments involved, this activity has
been mostly successful. The staff has observed some inconsistencies in the
level and quality of reviews performed by licensees in making the judgment as
to the identification of an unreviewed safety question and thus the involvement
of the NRC. Moreover, documentation associated with some of these reviews has
sometimes been inconsistent and insufficient.
On occasion, because the unreviewed safety question determination was too
narrowly drawn, the licensee determined incorrectly that a unreviewed safety
question was not involved. Therefore, the NRC did not review the item. As
stated in a memorandum to Commissioner Asselstine (Malsch, 1986), “the Agency’s
regulatory scheme recognizes that it is neither necessary nor manageable for
the Commission to undertake prior review and approval to all subsequent changes
to the design or operation of the facility….” It is clear that those items
needing prior NRC review should be limited, but the most important items should
be reviewed. Also, the resident inspector has access to the lists of all tests
for all phases of plant operation to help ensure his/her awareness of tests of
potential safety significance.
The fact that the Chernobyl accident was initiated by a test-intended to assess
equipment capabilities raises a concern about the balance between the benefit
of testing and the risks introduced by tests. Although safety reviews are
intended to ensure that tests are conducted within the safe operating envelope,
equipment and design deficiencies have, in a few instances, led to unacceptable
plant conditions (e.g., rapid cooldown during testing at Catawba). However,
without such testing, these deficiencies may not have been identified.
Therefore, tests should be evaluated to determine the potential risks associated
with testing versus the benefit or need for the test.
1.2.4 Conclusions and Recommendations
The NRC should review the results of the joint Nuclear Safety, Analysis Center/
Atomic Industrial Forum efforts to produce criteria and guidelines for licensee
reviews of changes, tests, and experiments to ensure that (1) appropriate depth
and quality of reviews will be required, (2) review documentation will be adequately
prescribed, and (3) the distinction as to which of these should receive
NUREG-1251, Vol. I 1-10
prior NRC review is appropriately defined. The additional controls thus provided
should ensure that operations within the safe operating envelope are maintained.
If deficiencies in this review are identified, the NRC should correct them and
should publish the criteria and guidelines as the regulatory position on reviews
required for changes, tests, and experiments. Also, consideration should be
given to an evaluation of whether current NRC testing .requirements (e.g., surveillance
testing required by Technical Specifications) appropriately balance
-risks and benefits.
1.3 Bypassing Safety Systems
Multiple safety systems that could prevent or mitigate the consequences of the
accident at Chernobyl were intentionally disabled by the plant operators before
they initiated a test procedure that ultimately led to the accident. The test
procedure apparently called for the bypassing of certain safety systems. It is
known that the operators deviated from the test procedure in order to complete
the test, and it is suspected that some of the deviations involved the bypassing
of additional-safety systems. It is apparent that administrative controls governing
the availability of safety systems did not exist or were blatantly violated
by the operators. Thus, a safe operating envelope was.not maintained. In assessing
the implications of the Chernobyl event with respect to U.S. commercial
reactors, a question raised is whether the ability of operators to override or
bypass safety systems,’during modes of plant operation in which they should remain
operable, is a safety concern. This issue is discussed below. The scope of
this discussion is limited to the typical administrative controls and hardware design
features used to ensure the availability of sufficient safety systems to respond
to transient and accident conditions. The unavailability of safety systems
because of sabotage and human error (i.e., Unintentionally disabling a safety
function versus taking conscious deliberate actions based on poor judgment to
override or bypass a safety function) arewnot within’this scope.
Definition of Bypass
The bypass or override of a safety or protection system is typically any action
taken by the operator that inhibits or prevents the system or some portion of
the system from performing its safety-related protective function(s). In general,
two types of bypasses are used at U.S. commercial reactors, both of which
are typically initiated manually by the operators in the control room. The
first type of bypass is referred to as a “maintenance bypass” and is used to
preclude inadvertent or unwanted system actuations when routine testing, maintenance,
repair,.or calibration activities are being performed during reactor
operation. The use of maintenance bypasses allows routine surveillance testing
of plant safety systems to detect component failures that may have occurred,
and to verify system operability, thus providing assurance that the system will
perform as designed when called, upon to perform its safety function(s). A maintenance
bypass may temporarily reduce the degree of redundancy of equipment, but
will not cause the loss of a safety function. The second type of bypass is
referred to as an “‘operating bypass” and is used to permit operational mode
changes. An example of an operating bypass is the blocking of an engineered
safety features actuation when low reactor coolant system pressure (indicative
of a system break during power operation) is detected during a controlled
NUREG-1251, Vol. I 1-11
reactor shutdown, where pressure is intentionally reduced to below the actuation
setpoint and safety system actuation is not desirable. Therefore, bypasses are
necessary to prevent inadvertent actuations of plant safety systems that might
otherwise disrupt plant operation or result in unnecessary challenges to safety
systems, and if used correctly, actually contribute to the overall safety of
1.3.1 Current Regulatory Practice
(1) Technical Specification Restrictions on the Use of Bypasses
The use of bypasses at U.S. commercial reactors is controlled by plant-specific
Technical Specifications. These specifications are a part of each reactor operating
license, and compliance with them is required. Before granting an operating
license, the.NRC requires that an analysis be performed to determine the
plant response to prescribed bounding design-basis transient and accident events.
This is a conservative analysis which assumes the “worst case” initial plant
conditions (i.e., the mode of operation, initial parameter values, control system
status, etc., that would lead to the most severe design-basis transient or
accident) and identifies the safety systems whose successful operation is relied
on to prevent or mitigate the consequences of the events so that safety limits
are not exceeded. The Technical Specifications require the operability* of
safety systems consistent with the transient and accident analysis. They include
required actions considered appropriate when a redundant portion (or train) of
a safety system is bypassed (or rendered inoperable for any reason) during modes
of plant operation for which it is normally required to be operable. These actions
require that the bypassed or inoperable portion of the safety system be
restored to an operable status within a specified time. This is referred to as
“out-of-service time,” i.e., an interval of short duration considered sufficient
to allow completion of necessary repair activities without unduly restricting
reactor operation, and without causing unnecessary risk because-part of the system
is unavailable for a prolonged time. If the repair cannot be done in the
alloted time, the reactor must be shut down or its operation must be restricted
to a condition where the system is no longer required to ensure plant safety.
The Technical Specifications for many U.S. commercial reactors include a small
number, of special test exceptions which permit safety systems to be bypassed by
the control room operators in order to perform the tests. These are infrequently
performed tests which are carefully staged with significant involvement by the
licensee in the control and execution of the tests. They are usually conducted
at reduced power with some reactor trip settings lowered. NRC resident inspectors
often monitor these tests.
(2) NRC Criteria and Guidance Regarding Bypasses
Requirements for the design of safety systems concerning the use of bypasses are
stated in 10 CFR 50.55a(h) and the Institute of Electrical and Electronics
Engineers (IEEE) Standard 279-1971, “Criteria for Protection Systems for Nuclear
Power Generating Stations.” Two of these requirements, applicable to all U.S.
commercial reactors, are summarized below.
*The state of being capable of performing their specified functions.
NUREG-1251, Vol. I 1-12
Where operating requirements necessitate the use of an operating bypass,
the design shall be such that the bypass condition is automatically
removed (i.e., system operability automatically restored) when the plant
enters a mode of operation for which the safety system is required to be
operable in accordance with the Technical Specifications.
If the protective action of a portion of a safety system has been bypassed
or deliberately rendered inoperable for any purpose, this fact shall be
continuously indicated in the control room.
The first requirement ensures that a safety system bypassed to permit reactor
mode changes will not remain inadvertently bypassed when the plant is returned
to a mode of operation for which the system is required to be operable. The
second requirement is intended to ensure that sufficient information concerning
the inoperable status of safety systems is provided in the control room so that
the operators will be continually aware of the status of redundant portions of
the protection system. Information on the status of safety systems is typically
provided in the control room through a combination of administrative
controls (e.g., manually updated status boards and logs) and automatic indication
systems (e.g., annunciators and plant computer printouts).
Additional guidance concerning the use of bypasses and the design of bypass
circuits is provided in IEEE Standard 338-1975, “IEEE Standard Criteria for the
Periodic Testing of Nuclear Power Generating Station Safety Systems,” as supplemented
by Regulatory Guide 1.118, “Periodic Testing of Electric Power and
Protection Systems,” Regulatory Guide 1.22, “Periodic Testing of Electric Power
and Protection System Actuation Functions,” and Regulatory Guide 1.47, “Bypassed
and Inoperable Status Indication for Nuclear Power Plant Safety Systems.” This
guidance emphasizes the importance of providing (a) sufficient redundancy within
the safety system so thatwhen a portion of the system is bypassed for maintenance
or testing purposes, that capability still exists to accomplish the safety
function if required, (b) positive means to prevent a concurrent bypass condition
on redundant or diverse safety systems/equipment, (c) automatically actuated
continuous indication in the control room of each bypass condition that renders
a portion of a safety system inoperable during a mode of plant operation for
which the system is required to be operable, and which is expected to occur more
than once a year, and (d) measures to ensure that upon completion of work activities
which required the bypass condition (e.g., maintenance or testing), the
affected systems and equipment are restored to their normal operational status.
1.3.2 Work in Progress
The current effort under way at NRC to revise Regulatory Guide 1.47 was recommended
in NUREG/CR-3621, “Safety System Status Monitoring.” NUREG/CR-3621
identifies some of the tasks associated with monitoring the status of bypassed
safety systems (e.g., updating status boards and determining system status
during all modes of operation) whichare prone to human errors. These human
factors considerationsare being reviewed for possible inclusion in Regulatory
Another staff effort under way is the implementation .of the Maintenance and
Surveillance Program Plan (MSPP). The MSPP examines the commercial nuclear
NUREG-1251, Vol. I 1-13
industry work and control processes associated with maintenance and surveillance
activities.’ This includes administrative controls used to ensure the
availability of redundant safety’systems/equipment.
A related area’of activity is-work to resolve the generic issue of wrong-unit
or wrong-train events.(Generic Issue 102). An NRC staff report on this subject
(NUREG”.1192) was issued in 1986. The .report indicated that inadequacies in
equipment labeling (absent, illegible, or unclear labels) were the primary contributor
to such errors, with deficiencies in training and procedures being additional
factors. The effectiveness of voluntary industry efforts, coordinated
by the Institute for Nuclear Power. Operations, is being evaluated by the NRC
(1) Bypass Design Features
In most nuclear power plant designs, the bypass of safety-related equipment is
initiated by the plant operators from the control room,.or by plant service personnel
or instrument technicians from instrument or switchgear cabinets after
the bypass-has been approved by the control room operators. Before the bypass
is effected, procedures require that the operators verify the availability of
redundant safety equipment to ensure the bypass will not result in the loss of a
safety function. The bypass is typically accomplished by actuation of a bypass
or test switch. Operation of the switch will disable a portion of the safety
system, and will usually provide inputs to status monitoring points in the control