August 19, 2003
The Honorable Everet H. Beckner
Deputy Administrator for Defense Programs
National Nuclear Security Administration
U.S. Department of Energy
1000 Independence Avenue, SW
Washington, DC 20585-0104
Dear Dr. Beckner:
The staff of the Defense Nuclear Facilities Safety Board (Board) recently conducted a review of electrical and lightning protection systems employed at selected defense nuclear facilities at Los Alamos National Laboratory (LANL). Enclosed is a report detailing relevant observations resulting from this review.
The Board is particularly concerned about the lightning protection system at the Weapons Engineering Tritium Facility (WETF). The Documented Safety Analysis (DSA) for WETF, which was approved in April 2002 but has not yet been fully implemented, identifies the lightning protection system as a safety-class control for certain accident scenarios. A study completed in March 2003 analyzing potential lightning threats to the facility revealed that WETF’s existing lightning protection system could not perform its credited safety function. Months after the study was completed and more than a year after the DSA was approved, WETF continues to operate without effective safety controls for an accident deemed credible by the National Nuclear Security Administration (NNSA) and LANL. Additionally, even if the lightning protection system were an effective control, WETF does not appear to be maintaining this system in a manner commensurate with its approved functional classification.
The Board is also concerned that a portion of the electrical distribution system at the Chemistry and Metallurgy Research (CMR) facility appears to serve a safety-significant function, but has not been classified as a safety-significant system. The Board understands that LANL is aware of this situation and is working to resolve it. In identifying appropriate compensatory measures for this system, NNSA and LANL should consider the possibility that the facility lifetime for CMR could be a decade or longer.
Pursuant to 42 U.S.C. § 2286b(d), the Board requests to be informed within 30 days of receipt of this letter as to NNSA’s plans for establishing and maintaining defensible lightning protection at WETF and addressing safety system functional classification issues at CMR.
John T. Conway
c: Mr. Mark B. Whitaker, Jr.
Mr. Ralph E. Erickson
DEFENSE NUCLEAR FACILITIES SAFETY BOARD
August 19, 2003
MEMORANDUM FOR: J. K. Fortenberry, Technical Director
COPIES: Board Members
FROM: B. Broderick
SUBJECT: Review of Electrical and Lightning Protection and Detection Systems for Facilities at Los Alamos National Laboratory
This report documents a review by the staff of the Defense Nuclear Facilities Safety Board (Board) of electrical and lightning protection and detection systems employed by Los Alamos National Laboratory’s (LANL) Weapons Engineering Tritium Facility (WETF) and Chemistry and Metallurgy Research (CMR) facility. Staff members B. Broderick, A. Gwal, A. Jordan, C. Keilers, and W. White met with laboratory personnel and representatives from the National Nuclear Security Administration’s (NNSA) Los Alamos Site Office (LASO) to discuss the status of previously identified issues and to assess the adequacy of lightning protection and electrical systems relied upon to ensure safety in selected LANL facilities.
Weapons Engineering Tritium Facility. In April 2002, NNSA approved a Documented Safety Analysis (DSA) for WETF that was intended to comply with the requirements of Part 830 to Title 10 of the Code of Federal Regulations. The Technical Safety Requirements derived in the approved DSA will go into effect after a readiness assessment has verified their successful implementation. In the interim, the facility is being operated under the Operational Safety Requirements associated with the facility’s previous Safety Analysis Report. The staff reviewed electrical systems and lightning controls that are identified and credited in the new DSA. Relevant observations are discussed below.
Safety-Class Lightning Protection System―The approved DSA designates the lightning protection system at WETF as a safety-class engineered control to prevent lightning-related accident scenarios that could result in significant radiological releases. The existing WETF lightning protection system, whose design and installation were intended only to meet basic general-service requirements, was called upon to serve the important dual safety functions of minimizing the possibility of a facility fire that could impact material at risk, and preventing lightning current from arcing onto potentially vulnerable process equipment and storage canisters.
To reduce uncertainties associated with how and to what extent lightning hazards could adversely impact the facility and its inventory, a commitment was made in the DSA to perform an engineering study analyzing the potential effects of lightning on WETF. On March 14, 2003, LANL submitted the results of this study. One of the conclusions of the study was that the current lightning protection system, which was designed on the basis of principles codified in National Fire Protection Association (NFPA) Standard 780, Standard for the Installation of Lightning Protection Systems, cannot be expected to perform the arc prevention safety function for which it is credited. A further conclusion was that the probability of a material release caused by lightning current “burning through” process equipment piping could be as high as 1.3 xl0-3 per year, using conservative assumptions. Although the study did not conclude that the lightning-related accidents postulated in the DSA are incredible or adequately prevented or mitigated by other controls, LANL’s cover letter transmitting the study’s results requests that the lightning protection system be downgraded from safety-class to safety-significant based on its “demonstrated ineffectiveness” to perform its credited safety function.
Four months after the lightning study and downgrade request were submitted, NNSA had not responded. This lack of response leaves an operating nuclear facility with a long remaining lifetime (approximately 40 years) with no defensible control strategy for accident scenarios deemed credible by LANL and NNSA that have significant consequences. Consequently, rapid resolution of issues associated with the WETF lightning protection system would appear warranted.
Additionally, even if the lightning study had supported the assertion made in the DSA that a lightning protection system compliant with NFPA 780 could perform all its credited safety functions, deficiencies exhibited by the current system might still render it inadequate. A letter from the Board dated August 8, 2002, communicated the results of a review by the Board’s staff that identified several instances in which the lightning protection system was not compliant with NFPA 780. A subsequent lightning protection inspection performed by LANL identified 21 deficiencies associated with the lightning protection system for WETF. Most of these deficiencies remain more than a year after the Board’s staff first identified code-compliance issues with this system. Given that an NFPA 780 compliant lightning protection system is credited in the DSA and that numerous deficiencies with poorly understood safety impacts persist, it does not appear that LANL and NNSA have developed a clear definition of what types and what magnitude of degradation to this safety-class system would require a suspension of hazardous operations. In addition, facility modifications completed since the approval of the WETF DSA do not appear to have been evaluated against requirements in NFPA 780, and these modifications may have negatively impacted the functionality of the lightning protection system. Thus it does not appear that the change control and configuration management practices applied to the WETF lightning protection system have been commensurate with the approved functional classification for this system.
Seismic Qualification of Uninterruptible Power Supply―The safety-significant uninterruptible power supply (UPS) system for WETF provides emergency power to a number of credited safety controls, including the Inert and Oxygen Monitoring System and the Tritium Monitoring System. The DSA identifies a performance criterion stating that the UPS must be able to function during a performance category 2 (PC-2) seismic event. However, a WETF seismic vulnerability assessment concluded that the UPS would fail in the event of a PC-2 earthquake. A cost-benefit analysis has determined that seismic upgrades are warranted, but a firm schedule for their implementation has not been set. Modifications facilitating seismic robustness for this system ought to be made in as timely a manner as possible to ensure the availability of systems that are relied upon during analyzed accident scenarios to protect worker safety.
Electrical Calculations―WETF personnel could not locate a short-circuit analysis that included and evaluated all relevant facility electrical equipment and loads. Several short-circuit analyses exist for subsections of the electrical distribution system. However, a complete, system-wide analysis is necessary to develop appropriate estimates of the magnitude of short-circuit current that could challenge equipment protective devices. Such an evaluation would verify the ability of installed electrical equipment to mitigate the effects of a worst-case short-circuit without initiating a fire or explosion. Industry-standard software that can be used to perform short-circuit analysis is available at other facilities on site, including the CMR facility.
Chemistry and Metallurgy Research Facility. The Department of Energy (DOE) has authorized the design and construction of a replacement facility for CMR. Given its status as a limited-life facility, CMR is operating under a Basis for Interim Operation (BIO) that assumes that the current facility’s core mission will be moved to the replacement building in 2010. However, the present state of progress in siting and designing the replacement facility indicates that 2010 may be an optimistic estimate and that operations may have to continue in CMR for longer than was assumed by the BIO. The staff reviewed CMR’s electrical and lightning protection systems, being mindful of the limited (but potentially increasing) service life of the facility. Relevant observations are discussed below.
Functional Classification of the Electrical Distribution System―The CMR BIO identifies a number of safety-significant structures, systems, and components (SSCs). Some of these SSCs, including the ventilation system, rely on electrical power to operate. Although it provides an important support function for credited safety systems, the electrical distribution system is currently designated as general-service, which is not consistent with the functional classifications of systems it supports.
The CMR ventilation system is relied upon to minimize the concentration of airborne radioactive material in occupied spaces, and to direct air flow through the stacks and exhaust filtration to reduce quantities of radioactive material released from the facility. These safety functions protect both workers and the public under various accident scenarios. The ventilation system has no backup power supply; if normal facility power is lost, it becomes inoperable. CMR personnel stated that the safety functions provided by the ventilation system are not required upon loss of power because workers are trained to evacuate the facility. However, some analyzed accidents (e.g., filtered and contained medium wing-wide fires) credit the ventilation system for more than worker protection. As such, it is not clear that this worker egress action alone eliminates the need for ventilation system operation and the power to run it during all scenarios, including those in which loss of power could be a consequence of the accident.
Subsequent to the staffs review, LANL personnel reevaluated the current general-service designation of the electrical distribution system and concluded that site standards (in the form of Laboratory Implementation Requirements [LIRs]) would require this system to be functionally classified as safety-significant. The laboratory is working to determine why this system was originally classified in a manner that appears inconsistent with both laboratory requirements and DOE expectations, and to discern what compensatory actions are appropriate.
Functional Classification of Emergency Lights―The continuous air monitors (CAMS) are another example of credited safety-significant controls that do not have backup power. In this case, the worker evacuation action that results from a loss of power does eliminate the need for the CAMs’ safety function under facility blackout conditions. However, the timely and safe evacuation of CMR personnel (the action eliminating the need for the CAMs’ safety-significant function) requires emergency lighting. Thus, the emergency lights and their dedicated backup power sources appear to serve a safety-significant function, and ought to be functionally classified accordingly.
Cable Condition Monitoring―Many of the electrical cables used in the CMR facility are approaching or past their intended service life. As cables age, their electrical characteristics may degrade past an acceptable level, thereby decreasing the reliability of both the cables and the systems they support. Because aged cables provide power for a number of facility safety systems, it may be prudent to consider incorporating a cable condition monitoring capability into the existing CMR preventative maintenance regime. Cable condition monitoring could improve the service life and reliability of electrical equipment by detecting damaged and deteriorating power and instrumentation and control cables prior to equipment failure. This type of capability could prove particularly useful and appropriate if the electrical system is reclassified as safety-significant.
External Oil-Filled Transformers―A number of oil-filled transformers that service CMR are located around the exterior of the facility. The type of mineral oil used by these transformers for cooling and insulation is a flammable material. Given the physical locations of these transformers, a fire caused by transformer leakage or failure could potentially impact the building structure or collocated electrical equipment that provides power for facility safety systems. It was not clear that this hazard and its potential impacts had been well characterized and evaluated. To address this issue, CMR personnel have decided to replace the existing oil with an appropriate type of less hazardous, fire-resistant material.
Site-wide Electrical and Lightning Issues. The following general electrical and lightning issues are of a site-wide nature.
Laboratory-wide Lightning Detection―Weather can vary widely across the laboratory’s 43 square miles because of LANL’s topography, and storms sometimes form directly above nuclear and explosive facilities that house potentially lightning-sensitive materials and operations. Without the benefit of a site-wide lightning detection and warning system, some nuclear and explosive facilities with a compelling safety interest in the timely notification of impending lightning activity must rely on either audio/visual observations or information supplied by localized lightning detection systems (such as that one used by the Dynamic Experiments Division). These localized systems are designed to service only selected sections of the laboratory, and it is not clear that they can provide adequate coverage for all potential on-site users.
It does not appear that significant progress has been made in investigating or implementing an effective laboratory-wide lightning detection system since this subject was broached in a report dated September 22, 1999, and reiterated in a subsequent report dated August 6, 2002.
Electrical Safety and Lightning Protection Expertise at Los Alamos Site Office―LASO has no subject matter experts assigned to provide oversight for electrical safety or lightning protection activities. In the past, LASO had staffed this important function with an engineer from DOE’s Albuquerque service center. However, the retirement of this individual has left the service center unable to provide this capability. It is difficult to see how LASO will be able to assess the adequacy of LANL’s electrical safety program and lightning protection systems effectively without a knowledgeable and experienced individual (or individuals) assigned to perform oversight in these areas.
Status of Previous Issues―LANL has made several significant positive strides in addressing issues raised previously by the staff in the areas of electrical safety and design requirements for new safety-related electrical systems: