April 12, 2004
The Honorable Linton Brooks
National Nuclear Security Administration
U.S. Department of Energy
1000 Independence Avenue, SW
Washington, DC 20585-0701
Dear Ambassador Brooks:
In October 2003, Lawrence Livermore National Laboratory (LLNL) submitted a proposed safety basis for Building 332, the Plutonium Facility, to the National Nuclear Security Administration’s (NNSA) Livermore Site Office (LSO). This proposed safety basis was developed in accordance with the requirements of the Nuclear Safety Management rule (10 CFR Part 830). The staff of the Defense Nuclear Facilities Safety Board (Board) has identified significant deficiencies in this document and some of its supporting references. Many of these deficiencies appear to have been noted by LSO as well, as demonstrated by the more than 270 comments communicated by LSO to LLNL. A copy of a report on these issues, prepared by the Board’s staff, is enclosed for your information and use during the approval process for the proposed safety basis for Building 332.
Of particular concern to the Board is a new approach adopted by LLNL to allow the unfiltered release of radioactive materials from the facility during certain accident scenarios. This approach reduces the margin of safety and the defense-in-depth currently provided for protection of the public, collocated workers, and other on-site individuals. Moreover, the proposed approach does not consider the potential impact of an unfiltered release on the recovery strategy or post accident monitoring for the facility. Additionally, there do not appear to be any safety or operational benefits to be gained from this approach.
The current safety basis for Building 332 relies on an active safety-class ventilation system, in concert with its support systems, to prevent the release of unfiltered radioactive materials during an event. Portions of this ventilation system, along with several other safety-class systems, have been downgraded from their high reliability and existing operational safety functions in the proposed safety basis.
The Board believes that LLNL’s new approach to allow unfiltered release of radioactive materials from potentially hazardous events is inconsistent with the defense-in-depth philosophy that is the hallmark of nuclear facility and operational safety. Therefore, pursuant to 42 U.S.C. § 2286b(d), the Board requests a report by NNSA within 30 days of receipt of this letter providing NNSA’s position on LLNL’s approach.
John T. Conway
c: The Honorable Everet H. Beckner
Mrs. Camille Yuan-Soo Hoo
Mr. Ralph E. Erickson
Mr. Mark B. Whitaker, Jr.
Staff Issue Report
March 17, 2004
MEMORANDUM FOR: J. K. Fortenberry, Technical Director
COPIES: Board Members
FROM: F. Bamdad
SUBJECT: Safety Basis Review at Lawrence Livermore National Laboratory
The staff of the Defense Nuclear Facilities Safety Board (Board) visited Lawrence Livermore National Laboratory (LLNL) on March 1–4, 2004, to continue its review of the safety basis for Building 332, the Plutonium Facility. The review included an update on activities conducted in response to previous findings communicated by the Board to the National Nuclear Security Administration (NNSA) in a letter dated April 10, 2003, as well as discussions on the proposed Documented Safety Analysis (DSA) submitted to NNSA’s Livermore Site Office (LSO) in October 2003. Staff members W. Andrews, F. Bamdad, D. Kupferer, A. Matteucci, and M. Merritt participated in this review.
Response to the Board’s Letter. In response to findings contained in the Board’s letter dated April 10, 2003, related to implementation of the Conditions of Approval (COAs) of the safety bases, LSO has taken an aggressive role in ensuring that all COAs are identified and tracked to satisfactory closure. Unfortunately, because of limited resources, only a fraction of the COAs had been verified as closed by the time of this review. LSO has committed to verifying closure of all of the COAs before approving the proposed DSA.
In response to the Board’s letter dated April 10, 2003, LLNL performed a survey of some of its non-nuclear facilities to identify needs and methodologies for improving the chemical materials inventory tracking system known as CHEMTRAC. As a result, LLNL is taking steps to enhance CHEMTRAC to make it a transaction-based system, as well as changing the software so that the system will be health/consequences-based. That is, real-time inventory tracking will be implemented at each facility to ensure that threshold limits based on hazardous consequences will not be exceeded.
Building 332 Safety Basis. LLNL submitted a DSA to LSO for review and approval in accordance with the requirements of the Nuclear Safety Management rule (10 CFR Part 830). The Board’s staff reviewed this document and some of its supporting references, and met with LLNL and LSO representatives to discuss its observations. The following is a summary of some of the issues discussed during these meetings. Many of these issues appear to have been noted by LSO, as demonstrated by the more than 270 comments communicated by LSO to LLNL.
Overview―Major components of four safety-class systems in the current Building 332 Safety Analysis Report have been downgraded to safety-significant in the proposed DSA. The four downgraded systems are (1) the emergency power system, (2) portions of the glovebox ventilation system, (3) portions of the room ventilation system, and (4) portions of the fire detection and suppression system. Some components of these systems (e.g., the uninterruptible power supply) have been further downgraded to non-safety-level. This action could degrade the defense-in-depth posture of the Plutonium Facility.
Identification and Analysis of Hazards―LLNL used a methodology from safe harbors identified in 10 CFR Part 830 to prepare the DSA, but used an in-house procedure to identify and analyze the hazards associated with the activities performed in Building 332. LLNL conducted a systematic walkdown of the facility; identified approximately 60 hazard types; and proposed potential controls to protect the public, workers, and the environment. Some of the controls were classified as safety-significant since they were designated to protect workers from fatality, serious injury, or hospitalization. The hazard analysis summary tables in the proposed DSA list both engineered and administrative controls. The tables also distinguish between controls that are credited as safety controls and those that are not.
In reviewing the DSA, the Board’s staff learned that LSO had directed LLNL to continue preparing the DSA without implementing Change Notice 2 of the Department of Energy (DOE) DOE Standard 3009-94, Preparation Guide for U.S. Department of Energy Nonreactor Nuclear Facility Documented Safety Analyses―although the notice was issued in April 2002, nearly 18 months prior to completion of the proposed DSA. Change Notice 2 specifies that safety-significant controls must be identified to protect workers from significant radiological or chemical hazards, in addition to those controls selected to prevent worker fatalities and injuries. LSO’s decision may have resulted in less than adequate protection of workers from hazardous activities. LSO representatives are requesting that LLNL develop a schedule to incorporate Change Notice 2 into all DSAs.
Accident Analysis―LLNL is pursuing a new approach to accident analysis in that potentially harmful consequences to the public are mitigated by the structural boundaries of Building 332, which is assumed to reduce the unmitigated release of radioactive materials. In the past, Building 332 relied on a safety-class active ventilation system to ensure that the radioactive materials released during an accident, such as a fire, would be forced through a series of high-efficiency particulate air (HEPA) filters before being released to the outside environment. Under LLNL’s new approach, it is assumed that the building’s leak paths would physically reduce the release of unfiltered contaminated air from the facility.
Validation of LLNL’s new approach requires analytical modeling of the building’s leak paths to the outside, and estimation of the percentage of any radioactive materials that would be released unfiltered (leak path factor (LPF)) after an accident. An LPF of 5 percent, as assumed in the proposed DSA, would result in public dose consequences that LLNL believes should be acceptable. In the DSA, for example, the unmitigated consequence (LPF of 100 percent) of a fire resulting from a hydrogen deflagration is estimated to be about 18 rem at the site boundary. As calculated in the DSA, this same deflagration scenario would result in an unfiltered, mitigated dose consequence of about 1 rem to the public, based on an LPF of 5 percent. As a result, the DSA downgrades portions of the active ventilation system and its supporting equipment, such as the emergency power supply, from its current safety-class to safety-significant status.
The Board’s staff reviewed the LPF analysis and discussed it in detail with its authors and LLNL representatives. Several assumptions in the analysis are unrealistic and inconsistent with other authorization basis documents and facility procedures:
1. In the LPF analysis, the facility is modeled by several nodes or compartments, connected via junctions or flow paths for the door cracks and other potential openings of the building. This model fails to account for the additional leak paths that would result from the use of emergency exit doors by Building 332 personnel as they evacuate the facility during a fire. Evacuation is essential for worker protection, as described in the facility-specific Fire Hazard Analysis. Therefore, the calculated LPF of 5 percent is unrealistic and probably underestimates the extent of a release of unfiltered radioactive material from the facility.
2. The LPF calculations are based on a fire scenario that lasts for only 30 minutes, with the entire event assumed to end after 2 hours. In reality, such an event could continue for days until any airborne radioactive material released by the fire into the internal facility atmosphere had either been removed by settlement, released to the outside environment, or removed through other remedial actions. The reason for this is that airborne radioactive material released during a fire would remain trapped within the confines of the facility because of the lack of filtration by an active ventilation system. Eventually, material would leak to the outside environment through diurnal effects, wind impact on the building, or other natural phenomena. These phenomena are either not modeled or incorrectly analyzed, and their important effect on the long-term breathing of the facility is not properly accounted for in the calculation of the LPF.
3. The computer program manual used to calculate the LPF―CONTAIN―has cautionary notes with regard to its use for modeling. These notes recommend performing sensitivity analyses on important input parameters (e.g., the size of a time step) to prevent incorrect conclusions. Such sensitivity analyses have not been performed in support of the LPF calculations for the proposed DSA, and it is not clear whether conservative input parameters are used in the analyses.
Furthermore, it does not appear that LLNL has considered the potential impact of the new passive mitigation approach on any accident recovery strategy or post accident monitoring for the facility. Without being able to depend on the use of an active ventilation system to guide the flow of air through the HEPA filters after an event, it is conceivable that the spread of contamination throughout the facility could jeopardize the facility’s recovery and future use. An unfiltered release through the unmonitored pathways would also prevent the post accident monitoring of radioactive materials released to the environment.
Identification and Implementation of Controls―Identification of appropriate boundaries for safety controls and their support systems is a shortcoming in both the existing safety basis and the proposed DSA for Building 332. For example, the fire detection and alarm system is identified as safety-significant to protect workers from the potential consequences of a fire in the facility. The heat and smoke detectors, the MXL® control panel and its associated power supply, and the flow switches are defined as being within the boundaries of the fire detection and alarm system. However, the annunciation system has not been defined as being within the boundaries of the fire detection and alarm system, and therefore has no safety designation. It is not clear how workers can be notified so they can take appropriate action if the annunciation system has failed. Furthermore, in December 2002, the emergency voice alarm system, which is part of the annunciation system, was identified as not meeting the requirements of National Fire Protection Association (NFPA) 72, National Fire Alarm Code, in the facility’s Fire Hazard Analysis. No action appears to have been taken to remedy this situation. Similarly, the fire suppression system is identified as safety-class, but none of the supporting water supply systems have a safety-related designation―the tertiary fire water tanks in the basement are classified as defense-in-depth. It would be prudent to classify the tertiary fire water tanks as safety-significant and part of the fire suppression system boundaries.
The descriptions of some of the controls in the proposed DSA are very vague; in particular, some engineered features that are relied upon for worker safety are poorly defined and may be difficult to implement. For example, the DSA defines many controls as Equipment Design without specifying the type of equipment or how it would protect workers. This lack of detail in the DSA could lead to several safety-related shortcomings:
· Workers could be inadequately protected because of a lack of knowledge of the specific control that needs to be implemented.
· Poorly defined controls could be removed from a procedure inadvertently resulting in a less-than-desirable safety posture.
· Future unreviewed safety question (USQ) determinations could be inconclusive or incorrect because the controls that may be subject to the USQ process are not clearly defined.
· Sections 830.122(e)(1) and 830.201 of the Nuclear Safety Management rule require that the controls identified in the DSA be implemented by the contractor when the associated activities are performed. Lack of detail in defining the controls could result in insufficient information for LLNL to demonstrate compliance with the rule.
In other instances, credit has been taken for safety-significant equipment preventing hazards without proper functional classification. For example, the glovebox water-cooling system is credited with protecting the surface of the glovebox and reducing the heat load from a molten plutonium spill. However, the glovebox water-cooling system is not identified as safety-significant.
The Board’s staff also identified some administrative controls that are inconsistent with the supporting calculations in the proposed DSA. For example, the potential for a solvent explosion event is substantially reduced by limiting the amount of flammable materials in a glovebox. The administrative limits in the Technical Safety Requirements (TSR) document, however, are not consistent with the conclusions in the DSA reference calculations. Additionally, the safety-related administrative controls are not identified as such in the proposed DSA. Such administrative controls are subject to DOE’s Implementation Plan for the Board’s Recommendation 2002-3, Requirements for Design, Implementation, and Maintenance of Administrative Controls, for potential future enhancements.
Some safety management programs, identified in both the existing and proposed TSRs, do not appear to have been properly implemented. For example, TSR Administrative Control 5.11 requires that a program be established, implemented, and maintained to ensure that the conditions identified in Table 5-7 of the proposed DSA are maintained in the facility. Administrative Control 5.11 defines five key attributes to be included in the program. The attributes identified in the TSRs would enhance programmatic implementation of the administrative controls, as is the focus of Recommendation 2002-3. This program is also identified in the current approved TSRs; however, it does not appear to have been implemented.
 This Table 5-7 does not appear to exist in the proposed DSA.