[DNFSB LETTERHEAD]

 

May 13, 2003

 

The Honorable Linton Brooks

Acting Administrator

of the National Nuclear Security Administration

U.S. Department of Energy

1000 Independence Avenue, SW

Washington, DC 20585-0701

 

Dear Ambassador Brooks:

 

The Defense Nuclear Facilities Safety Board (Board) has been reviewing the Title I design for the Pit Disassembly and Conversion Facility (PDCF).  While the main structure of the PDCF Plutonium Processing Building was designed to survive the design basis earthquake, this is not the case for many of the 2-hour fire barriers between fire zones.  As a result, a postulated seismically induced full-facility fire could lead to calculated offsite doses that exceed the evaluation guideline.  The Board believes it would be appropriate for the National Nuclear Security Administration (NNSA) to consider upgrading the design of the fire barriers to withstand the design basis  earthquake, eliminating the potential for a full-facility fire.

 

The Board was also interested to learn of the proposed engineered-control strategy for criticality safety at the PDCF, using nondestructive assay measurements (e.g., gamma-ray detectors, neutron detectors, and simple weights) and computer software to control the flow of fissile material entering and exiting the gloveboxes.  This effort to use engineered controls instead of administrative controls is commendable and, if successful, should improve the safety of the PDCF.  This initiative will be complex, however, and will require careful evaluation to ensure the effectiveness of the system.

 

The enclosed report on these issues is provided for your consideration and use, as appropriate.

 

Sincerely,

 

John T. Conway

Chairman

 

c:  Mr. Mark B. Whitaker, Jr.

Mr. Edward J. Siskin

 

Enclosure

 

---

 

DEFENSE NUCLEAR FACILITIES SAFETY BOARD

 

Staff Issue Report

 

April 11, 2003

 

MEMORANDUM FOR:      J. K. Fortenberry, Technical Director

 

COPIES:                                 Board Members

 

FROM:                                   H. W. Massie, J. D. Roarty

 

SUBJECT:                             Documented Safety Analysis and Criticality Safety Strategy for Pit Disassembly and Conversion Facility

 

On March 4-7, 2003, members of the staff of the Defense Nuclear Facilities Safety Board (Board) attended two meetings held in Denver, Colorado, at the engineering offices of Washington Group International (WGI) to review the status of the Preliminary Documented Safety Analysis (PDSA) and criticality safety strategy for the Pit Disassembly and Conversion Facility (PDCF).

 

The first meeting was a kickoff meeting for the PDSA Review Team, which is sponsored by the National Nuclear Security Administration (NNSA) and led by NNSA’s Savannah River Office of Fissile Materials Disposition in the Office of Defense Nuclear Nonproliferation.  The PDSA Review Team comprises individuals from Department of Energy (DOE) Headquarters, NNSA Headquarters, the Savannah River Site Office, Los Alamos National Laboratory (LANL), Washington Safety Management Solutions, and Science Applications International Corporation.

 

The second meeting was a PDCF topical review meeting held to address Title II design issues related to the new engineered-control strategy for criticality safety.  Battelle Memorial Institute (Battelle), under subcontract to WGI, has design responsibility for both the PDSA work and the criticality work.  Battelle must complete the PDSA for the PDCF by about June 1, 2003, in order to support the scheduled Critical Decision 2 (CD-2) date.  CD-2 will finalize the technical scope, cost, and schedule baseline for control of the PDCF as a Major System Project under DOE Order 413.3, Program and Project Management for the Acquisition of Capital Assets.

 

Preliminary Documented Safety Analysis.  Battelle is using the requirements in Part 830 to Title 10 of the Code of Federal Regulations (10 CFR 830), Nuclear Safety Management, along with the safe harbor guidance in DOE Standard 3009, Preparation Guide for U.S. Department of Energy Nonreactor Nuclear Facility Documented Safety Analyses, to prepare a 17-chapter PDSA for the PDCF.  Battelle is also using DOE Guide 420.l-l, Nonreactor Nuclear Safety Design Criteria and Explosive Safety Criteria, and DOE Guide 420.1-2, Guide for the Mitigation of Natural Phenomena Hazards for Nuclear Facilities and Nonreactor Facilities.  Battelle has prepared first drafts of 14 chapters of the PDSA.  The most important chapters (3, 4, and 5)―which detail the hazard analysis; safety systems, structures, and components; and derivation of Technical Safety Requirements-are in the formative stages.  Battelle personnel discussed two accident scenarios, discussed below, that represent significant open safety issues.

 

Steam Explosion in Sanitization Furnace―The sanitization glovebox, which was designed by LANL and is similar to one being installed in Technical Area (TA)-55, uses an inductively heated, water-jacketed, bell jar furnace to melt classified parts made of beryllium, stainless steel, and other contaminated metals.  The furnace is capable of achieving melt temperatures greater than 3000°F.  The preliminary hazard analysis includes a postulated steam explosion as a result of a leak in the cooling water coils.  The water would contact the hot molten metal in the crucible, resulting in rapid pressurization and rupture of the bell jar vessel.  The hazards to workers include exposure to the residual plutonium (assumed to be up to 280 grams) on the parts and other toxic metals in the melt, such as beryllium.

 

Battelle has determined that this scenario will be a design basis accident, since the calculated unmitigated accident consequences exceed a 100 rem radiation dose to facility workers and collocated workers, as well as exposure of facility workers to beryllium.  There appeared to be a difference of opinion between WGI and LANL on this safety issue and the need for measures to prevent or mitigate such an explosion.  Following the meeting, NNSA issued a letter directing LANL not to operate the sanitization furnace presently being installed in TA-55 until this safety issue has been resolved.

 

Battelle has performed additional analyses and determined that the energetics of the steam explosion scenario exceed 9 megajoules (or 2 kilograms of TNT).  This energy is enough to significantly damage the glovebox and adjacent areas.  Battelle offered the following safety-significant controls as options to address the steam explosion accident:

 

• Provide an additional physical barrier to isolate cooling coil leaks from the crucible and molten metal.

 

• Provide a leak detection system and associated shutdown logic.

 

• Provide an active control that limits the amount of water available to contact the molten metal.

 

Battelle will conduct additional evaluations of this accident scenario and prepare a white paper on the subject for review by NNSA and WGI.

 

Seismically Induced Full-Facility Fire―The PDCF fire hazards analysis identifies the worse scenario to be a three-room fire (i.e., three adjacent fire zones) and assumed a fire loading of 7.5 pounds per square foot.  This scenario is sufficiently bounding with the 2-hour fire barriers in place.  However, although the PDCF structure is designed to meet Performance Category 3+ seismic requirements, many of the fire barriers are not, nor is the fire suppression system.  As a result, the three-room fire does not bound a seismically induced fire, which would involve the full facility.

 

Battelle personnel presented the results of preliminary evaluations of a seismically induced full-facility fire.  These evaluations show that the calculated doses for this scenario are below evaluation guidelines (i.e., 25 rem) for members of the public if all the doors of the PDCF Plutonium Processing Building are closed, including the doors to the safe havens.  However, some doors would likely be open during a major fire.  Workers would be directed to go first to the building safe havens, then to exit the safe havens and leave the building; firefighters would also enter the Plutonium Processing Building.  Battelle analyzed this scenario assuming that all the doors would be opened simultaneously, which would allow smoke containing plutonium oxide particles to bypass the sand filter.  Under these conditions, the calculated dose to members of the public would be greater than 25 rem.

 

Battelle proposed several options for additional safety-class controls to mitigate the seismically induced full-facility fire scenario:  (1) increase the number of safety-class exhaust fans from two to four; (2) provide a separate safety-class fire suppression system for the Product Nondestructive Assay (NDA) room, which will contain the largest amount of plutonium oxide outside of the vaults; or (3) design the 2-hour fire barriers, especially those around the Product NDA room, to survive a PC-3+ earthquake.  During discussions held in November 1999, the Board’s staff strongly encouraged NNSA to use properly designed tire barriers, coupled with a sand filter, to provide sufficient design margin against large fires.  More recently, the Board’s staff reviewed the Title I design for the PDCF and commented that it is essential for fire barriers, irrespective of their fire rating, to survive the design basis earthquake to mitigate the full-facility fire scenario.  If the PDCF had earthquake-resistant fire barriers as proposed under option (3), the size of the fire would be bounded by the original assumptions of the fire hazards analysis.  The Board’s staff considers this option to be the most practical means of minimizing health and safety risks.

 

Criticality Safety Strategy.  Battelle is proposing a new engineered-control strategy for criticality safety using NDA measurements (e.g., gamma-ray detectors, neutron detectors, and simple weights) and computer software to control the flow of fissile material entering and exiting the PDCF gloveboxes.  This is a commendable effort and, if successful, should provide greater assurance of safety than is the case for current defense nuclear facilities.  A sophisticated process control system must be developed to nondestructively identify and accurately ascertain the mass of fissile material, using a large number of fissile material detector (FMD) sets scattered across 62 inspection stations.  These measurements must be made with reasonable count times to meet plant throughput requirements.  Given the complexity of this system, early prototype testing would be prudent.  The staff is especially interested in the development and testing of the associated software system.

 

Another characteristic of the criticality control system that warrants careful review is the use of administrative controls.  Personnel will still have to record data at each FMD station, make comparisons with data from a previous FMD location, read bar code identification labels on each container, and ascertain that subcritical spacing limits are being adhered to.  Project personnel were aware of the Board’s Recommendation 2002-3, Requirements for the Design, Implementation, and Maintenance of Administrative Controls.  The staff encouraged project personnel to identify engineered controls that were available but had been rejected in favor of an administrative control, and to identify the reasons for each rejection. The Board’s staff intends to review the 18 classified nuclear criticality safety evaluations that are being revised.