The Honorable Linton Brooks
National Nuclear Security Administration
Dear Ambassador Brooks:
The staff of the Defense Nuclear Facilities Safety Board (Board) recently reviewed the conduct of engineering at Los Alamos National Laboratory (LANL). Progress was noted for facility work, which LANL distinguishes from nonfacility work such as research, development, demonstration, testing, and production. However, full implementation of Department of Energy (DOE) Order 420.1A, Facility Safety, which provides design requirements for nuclear facilities, continues to experience delays.
Some of the more complex and higher-hazard nonfacility work would benefit from (1) a structured application of engineering standards and practices, (2) a formal conceptual design phase, similar to that for large facility projects, and (3) design reviews following conceptual and final design. For example, if the Technical Area-55 line for aqueous recovery of plutonium-238 scrap had been designed initially to engineering standards appropriate for safety controls and if it had a conceptual design phase and design reviews, the project might not be experiencing delays while safety-related issues are resolved. The benefits of applying engineering concepts to the design of nonfacility work include higher confidence in safe operations, more efficient operations, and lower total cost.
Documented safety analyses written in compliance with the Nuclear Safety Management rule, Title 10 Code of Federal Regulations, Part 830, have resulted in a number of existing systems being designated as safety-class or safety-significant. There appears to be little or no internal LANL guidance on how to conduct an engineering evaluation to determine the adequacy of such systems in performing their intended safety function.
As discussed in the enclosed report prepared by the Board’s staff, improvement in these areas is desirable. Therefore, pursuant to 42 U.S.C. § 2286b(d), the Board requests a report within 90 days of receipt of this letter that:
The latter two items should also identify actions to be taken to implement the needed changes in a timely manner.
John T. Conway
c: The Honorable Everet H. Beckner
The Honorable Jessie Hill Roberson
Mr. Mark B. Whitaker, Jr.
DEFENSE NUCLEAR FACILITIES SAFETY BOARD
Staff Issue Report
MEMORANDUM FOR: J. K. Fortenberry, Technical Director
COPIES: Board Members
FROM: A. G. Jordan
of Engineering Standards and Practices at
This report documents observations on the application of engineering standards and practices at Los Alamos National Laboratory (LANL). These observations are based on reviews by members of the staff of the Defense Nuclear Facilities Safety Board (Board): V. Anderson, J. Blackman, B. Broderick, D. Burnfield, A. Gwal, A. Jordan, C. Keilers, R. Quirk, W. Von Holle, and W. White.
Background. LANL distinguishes between “facility work” and “nonfacility work.” Facility work is defined as “any combination of engineering, procurement, erection, installation, assembly, disassembly, or fabrication activities involved in creating a new facility or in maintaining, altering, adding to, decontaminating, decommissioning, or rehabilitating an existing facility.” Nonfacility work includes research, development, demonstration, testing, and production. Examples of production at LANL are pit manufacturing and plutonium-238 (Pu-238) scrap recovery. Requirements at LANL generally differ for facility and nonfacility work.
Safety-class and safety-significant structures, systems, and components (SSCs), which are intended for the protection of the public and workers, respectively, are designed, procured, and maintained as being associated with either facility or nonfacility work, depending on the application.
Facility Work. Facility work ranges from design and construction of major new facilities, such as the Chemistry and Metallurgy Research Replacement building, with the attendant subcontracting to architect/engineering and construction firms; to major and minor facility modifications; to routine maintenance. It also includes most facility management functions.
LANL has taken some major actions that affect the application of engineering to facility work. The actions are intended to enhance the safe, secure, cost-effective, and efficient management and operation of nuclear facilities; and are being taken to address conclusions of internal and external evaluations, concerns related to the Price-Anderson Amendment Act, and to continue to respond to the Board’s Recommendation 2000-2, Configuration Management, Vital Safety Systems. These actions include: (1) reorganizing so that facility managers report to a single manager; (2) initiating the Integrated Facility Management Program to consolidate and develop manuals and procedures for facility engineering, operations, and maintenance; (3) revising the LANL Engineering Standards Manual, formerly called the LANL Engineering Manual, to address DOE requirements and improve environmental practices; and (4) enhancing training programs for engineering-related functions. LANL has also created the position of chief engineer to help establish policy and programs for facility engineering, including the Integrated Facility Management Program.
Reorganization—As a result of the reorganization, the number of facility managers has been reduced from 17 to 9, and the remaining facility managers have been placed in a new Facility Management Unit Organizations group. The realignment includes primarily management and operations that impact facility SSCs, not nonfacility SSCs. This fundamental management change is intended as a means of ensuring the implementation of engineering standards and practices for real property and installed equipment in a consistent manner.
Integrated Facility Management Program—The Integrated Facility Management Program is consolidating and developing manuals and procedures for facility engineering, operations, and maintenance. LANL intends to incorporate the best features of programs at other sites, such as the Savannah River Site’s Conduct of Engineering and Technical Support procedures.
review by the Board’s staff at LANL, the Board noted in a letter to the Department of Energy (DOE) dated February 22, 2002, that DOE was not aggressively pursuing implementation of DOE Order 420.1, Facility Safety, and the related DOE Guide 420.1-1, Nonreactor Nuclear Safety Design Criteria and Explosives Safety Criteria Guide for Use with DOE O 420.1, Facility Safety, which provide design requirements and identify relevant engineering standards for different types of safety-class and safety-significant SSCs. At the time, many of the engineering standards were not included in the DOE/University of
Since that time, LANL, with guidance from DOE, has made additional progress, but is only now completing a gap analysis and an implementation plan to address the remaining gaps. Delays continue to occur. LANL is adding requirements and guidance from DOE Order 420.1 and DOE Guide 420.1 to its Engineering Standards Manual. This effort has included adding a chapter on instrumentation and control systems; revising the chapters on mechanical and electrical systems; initiating a revision of the chapter on structures; and developing new chapters on nuclear and hazardous process safety. DOE Order 420.1A, which is a recent revision of DOE Order 420.1, now includes requirements for a system engineer program and has been added to the DOE/University of
While progress is being made toward full implementation of DOE Order 420.1A and its guidance, implementation has not been rapid. The Board’s staff intends to compare the final results of LANL’s efforts with the requirements of DOE Order 420.1A and accepted engineering practices.
Training—LANL has developed several courses related to the general use of standards, such as Introduction to LANL Engineering Standards, LANL Electrical Engineering Standards, and LANL Drafting Manual. LANL also makes available vendor-taught courses and a number of discipline-specific courses. The Electrical Safety Committee has been effective in ensuring the availability of electrical safety training; about 25 short courses cover various aspects of electrical safety. Some of the courses are useful to personnel performing nonfacility work. On the other hand, it is not clear that the courses are always required to be taken by the appropriate individuals nor that the content of the courses is fully applied.
The LANL realignment of facility management directly affects facility work. At this time the changes have had little effect on nonfacility work described in the next section.
Nonfacility Work. Nonfacility work, which is typically programmatic, includes a broad range of activities, from simple, routine testing to complex, hazardous research and development, demonstration, and production. The focus here is primarily on the design of complex or hazardous activities.
Fundamentals of Designing for Safety—Consistent with integrated safety management, proper design of processes and equipment for nonfacility work involves early identification of potential hazards, development of strategies to avoid those hazards where possible and otherwise to minimize them, and the development of reliable hazard controls. The Board has emphasized the desirability of using engineered controls developed by proper design instead of relying on administrative controls.
As with large facility projects for which it is common practice to have a conceptual design phase followed by one or more phases to finalize the design, some nonfacility work would benefit from having a formal conceptual design phase. The conceptual design phase typically would involve development of a hazard avoidance and minimization strategy; completion of a preliminary hazard analysis; identification of design requirements, including functional and operational controls and tentative specification of standards; and determination of whether any controls have the potential to be designated as safety-class or safety-significant. It is important to identify early in the design phase the potential for any controls to be safety-class or safety-significant to help ensure that they are adequately engineered, procured, and installed with appropriate quality assurance.
Some nonfacility work would also benefit from independent design reviews at the end of the conceptual design phase and at the completion of the design to ensure the adequacy of the design. Such reviews would be opportunities to ensure that the design adequately controls the hazards and provides the appropriate operability, maintainability, and flexibility. These reviews could also ensure the accuracy of calculations important for the mission and/or safety, as well as the adequacy of the documentation of such calculations.
LANL’s Approach to Designing for Safety—LANL has two Laboratory Implementation Requirements (LIRs)—Safe Work Practices and Documentation of Safe Work Practices—that outline requirements for work planning for nonfacility work. However, the LIRs provide no guidance on the use of conceptual design phases for complex, hazardous projects. In addition, these LIRs do not require independent review following the design phase and prior to fabrication and assembly of experimental equipment.
As noted in a letter from the Board dated August 7, 2003, the LIRs on safe work practices make no reference to another LIR—Engineering Standards—that references requirements and guidance for the use of engineering codes and standards in the design and modification of LANL facilities and in “programmatic” work, which is largely nonfacility work. The Engineering Standards LIR, however, also states that its requirements do not apply to programmatic work unless prior consensus approval is obtained from programmatic groups. Thus, in reality LANL provides its scientists and engineers little direction for the use of engineering standards in research, development, demonstration, testing, and production.
An example of a nonfacility project that would have been completed more expeditiously had there been a conceptual design phase is the Technical Area-55 line for aqueous recovery of Pu-238 scrap. This project is experiencing delays while safety-related issues are resolved. Having a conceptual design phase and design review would have resulted in more robust safety features, fewer delays in becoming operational for mission needs, and reduced costs. The review of this project by the LANL readiness assessment (RA) team also noted that no technical review by experienced personnel outside of the group responsible for the project had been conducted prior to the RA and that such reviews would have been advantageous.
Safety-Class and Safety-Significant Structures, Systems, and Components. Safety-class and safety-significant SSCs can be associated with either facility or nonfacility work. As a result of the development of documented safety analyses in compliance with the Nuclear Safety Management rule, Title 10 Code of Federal Regulations, Part 830, many existing SSCs have now been designated as safety-class or safety-significant because of their importance to protecting the public or collocated workers, respectively. Typically, these SSCs were not originally designed, procured, installed, and maintained as safety-class or safety-significant. In some cases, the need for new safety SSCs has been identified.
There appears to be little or no internal LANL guidance on how to evaluate such newly designated safety SSCs. Such a design adequacy review might involve determining the functional and operational requirements for safety; determining what standards would be used if the SSCs were designed today (e.g., by performing a comparison with DOE Order 420.1A and its guidance); performing a gap analysis, followed by a cost/benefit analysis on potential upgrades; and then making a decision about whether to upgrade. A design adequacy review might also identify minimum operability requirements and actions to be taken should such requirements not be met. An independent design review might also be warranted.
Beyond a design adequacy review, a procedure commonly called commercial-grade dedication is needed to evaluate new or replacement commercial items for their suitability for safety-class or safety-significant applications. Such a procedure would provide the basis for quality assurance requirements.
The design of new SSCs is addressed in DOE Order 420.1A and its guidance. As discussed above, some of those requirements are not included in the LANL Engineering Standards Manual. A letter from the Board dated
Requirements and guidance for performing a design adequacy review on newly designated safety SSCs and procedures for commercial-grade dedication are not by themselves enough to ensure safety. An interesting case is the Weapons Engineering Tritium Facility (WETF), for which the existing lightning protection system was designated as safety-class based on a recent documented safety analysis. WETF management did commission a design adequacy review from a respected outside expert. However, they failed to maintain the lightning protection system to common industrial requirements. Later, when the outside expert concluded that the lightning protection system did not meet safety-class functional requirements, WETF recommended simply reducing the safety functional classification to safety-significant based on the “demonstrated ineffectiveness of the system,” without instituting any additional engineered controls. (See letters from the Board dated
Summary. LANL is making progress in developing the infrastructure required to apply engineering to facility work, although full implementation of the requirements and guidance of DOE Order 420.1A has been slow. LANL has not made significant progress in the development of requirements and guidance for the application of engineering standards and practices to nonfacility work, including the use of a conceptual design phase to allow early identification of the safety strategy and the use of independent design reviews to ensure the adequacy of the safety strategy. In addition, LANL lacks guidance to ensure that SSCs newly designated as safety related can reliably perform their intended safety function.