February 28, 2006
The Honorable Linton Brooks
National Nuclear Security Administration
U.S. Department of Energy
1000 Independence Avenue, SW
Washington, DC 20585-1000
Dear Ambassador Brooks:
The operating contractor at the Y-12 National Security Complex, BWXT Y-12, recently submitted the Documented Safety Analysis (DSA) and Technical Safety Requirements for the 9212 Complex, thereby completing a significant effort in revising all site safety basis documentation for compliance with Title 10 of the Code of Federal Regulations, Part 830, Nuclear Safety Management. The staff of the Defense Nuclear Facilities Safety Board (Board) conducted a review of these safety basis documents for the 9212 Complex and noted weaknesses in the documents that have resulted in improper classification of safety systems and unclear administrative controls, as discussed in the enclosed report. The noted weaknesses in the safety basis documents, if uncorrected, could lead to an inadequate safety basis for the 9212 Complex and impede contractor implementation. The Board is encouraged that the Y-12 Site Office has identified similar weaknesses and is taking action to resolve these issues.
The Board notes that Y-12 has established a sound methodology for implementation of safety basis controls that includes a line management assessment and an independent Implementation Validation Review to confirm proper implementation of controls. The Board looks forward to working with Y-12 as an acceptable DSA is finalized. The enclosed report is forwarded for your information and use as appropriate.
A. J. Eggenberger
c: Mr. William J. Brumley
Mr. Mark B. Whitaker, Jr.
DEFENSE NUCLEAR FACILITIES SAFETY BOARD
Staff Issue Report
February 9, 2006
MEMORANDUM FOR: J. K. Fortenberry, Technical Director
COPIES: Board Members
FROM: F. Bamdad
SUBJECT: Documented Safety Analysis for the 9212 Complex, Y-12 National Security Complex
This report presents the results of a review of the Documented Safety Analysis (DSA) for the 9212 Complex at the Y-12 National Security Complex (Y-12). A meeting was held at the site on December 5-8, 2005, by members of the staff of the Defense Nuclear Facilities Safety Board (Board) to discuss their observations. Members of the Board’s staff F. Bamdad, M. Duncan, E. Elliott, C. March, and R. Raabe, together with the Board’s site representatives D. Owen and T. Davis, participated in these discussions and walked down the facility during the site visit. Additionally, the staff had two subsequent conference calls to discuss the issues in this report.
Background. The existing Department of Energy (DOE) Hazard Category 1, 2, and 3 nuclear facilities were required to submit a DSA for DOE approval by April 10, 2003, meeting the requirements of Title 10 of the Code of Federal Regulations, Part 830, Nuclear Safety Management. The Y-12 site contractor, BWXT Y-12, submitted DSAs for all such facilities for review and approval before this deadline, except for the 9212 Complex. BWXT Y-12 and the National Nuclear Security Administration’s Y-12 Site Office (YSO) agreed to delay the submittal date for the DSA for the 9212 Complex until September 2004. After YSO reviewed the DSA and provided comments, it was revised by the contractor and resubmitted in November 2005. YSO is planning to complete a Safety Evaluation Report to document approval by February 2006. BWXT Y-12 is planning to implement the DSA and its Technical Safety Requirements (TSRs) by August 2006.
Discussion. The review by the Board’s staff was focused on the adequacy of the DSA and its companion TSRs. The Safety Analysis Report (SAR) identifies loss of confinement, criticality, explosion, fires, and natural phenomena hazards as evaluation basis accidents that may require more detailed analysis of their consequences for identification of potential safety-class or safety-significant structures, systems, and components (SSCs).
· The plume dispersion analysis is based on a methodology used previously by the contractor for other defense nuclear facilities at Y-12 and approved by YSO. This methodology uses a computer program called WAKE that is not a toolbox code in the DOE Software Assurance Center Registry. The contractor, however, stated that this computer program has been through a rigorous site-specific quality assurance program, and has been authorized by YSO for use in safety basis analyses. This program credits the building wake effects to dilute the plume through the wind-generated vortices from the adjacent facilities. While this methodology may have been technically justified for application to the releases from facilities surrounded by other structures at the site, it is not a conservative approach for the 9212 Complex, which is located at a higher elevation and with no facilities downwind in the direction of the site boundary to promote wake effects.
· The airborne release fractions (ARFs) applied to some materials at risk involved in a fire are based on the mean values provided in DOE-HDBK-3010-94, Airborne Release Fractions/Rates and Respirable Fractions for Nonreactor Nuclear Facilities. Use of the mean value is based on the guidance provided by a Y-12 site procedure. Application of the recommended bounding values may increase the accident source terms by about an order of magnitude. Adequate technical justification for using the mean value is not provided. Therefore, it would be prudent to use the bounding ARF values for long-term energetic events, such as large fires, that would potentially determine the classification of safety controls needed for protection of the public.
· The postulated seismically induced fires in the facility do not appear to be based on a conservative propagation of the events. The SAR assumes that the contents of only one wing would be involved in a fire that was seismically induced. This is based on the further assumption that a fire initiated in a wing would not have the continuity of combustible materials to spread to other wings. The staff considers that a seismic event could initiate individual fires in each wing, resulting in several simultaneous wing fires. The material at risk in such a multiple-wing fire scenario would result in higher consequences at the site boundary than those identified in the SAR and would portray the seismic risk of the facility more realistically.
· The unmitigated consequences of large fire events in the SAR range from a few rem to an upper value of about 14 rem TEDE at the site boundary. The SAR concludes that these values are conservatively lower than the 25 rem evaluation guideline recommended by DOE directives for identification of safety-class controls to protect the public, and therefore identifies the fire suppression system as safety-significant to protect the site workers. However, the SAR relies on a specific administrative control prohibiting storage of organic solutions in a certain location to keep the unmitigated consequences at the site boundary below 25 rem. An unmitigated analysis that did not credit this administrative control might conclude that safety-class SSCs were needed. This scenario should be investigated.
The general uncertainties associated with plume dispersion analyses could lead one to conclude that the calculated values in the SAR for large fire events are approaching the 25 rem evaluation guideline and that a safety-class SSC is needed. Additionally, a more conservative analysis of the bounding fire in the SAR, accounting for the other weaknesses discussed above, would result in doses higher than the calculated values. Designation of one or more fire suppression systems as safety-class would protect the public more reliably from the potential consequences of an event. This would require the systems to be evaluated through the systematic methodology described in site procedure Y17-69-417, Safety System Design Adequacy, for identification and remediation of any potential weaknesses in the systems’ availability and operability commensurate with their safety-class function. This assessment would need to include at a minimum hydraulic analysis of the system and the reliability of the water supply to ensure that it would function as expected during a potential major fire in the facility.
Technical Safety Requirements―In addition to observations regarding the accident analyses, the Board’s staff noted several weaknesses in the SAR that could impact the identification of safety controls in the TSRs. These weaknesses are associated mainly with the specific administrative controls (SACs) and safety management programs (SMP):
· The TSRs identify the need for controlling the amount of hazardous materials in the facility to limit the consequences of an accident to below those calculated in the SAR. The TSRs, however, refer to the amounts used in the accident analyses (discussed in Chapter 3 of the SAR) rather than to a specific table or collected list of such values in the TSRs to support proper implementation and compliance.
· The TSRs list the safety-related engineered features and SACs that have been captured from the Nuclear Criticality Safety Program and its associated criticality safety evaluations (CSEs) through the use of a bridging document. Use of the bridging document helps avoid the need for direct reference in the SAR to specific CSEs. However, the bridging document does not appear to contain sufficient detail to be used in the change control process (e.g., unreviewed safety question determination) without recourse to the CSEs. This defeats the bridging concept, necessitating reliance on the operations staff’s knowledge of the criticality safety controls discussed in the CSEs.
· The SAR and the TSRs rely on SMPs to protect the public and workers from the consequences of an event. The staff believes the SAR needs to identify the specific safety attributes of these programs that are relied upon for adequate protection. These attributes do not appear to be clearly identified in the SAR to ensure that the SMPs described in the TSRs would be consistent with the SAR’s analysis. For example, the SAR relies on the training program to ensure that workers would evacuate the areas in case of a fire. The SAR refers to the training program as a control; however, it does not identify evacuation as a required attribute of the training program to ensure that workers are trained on that specific item.
· The Y-12 procedures used to identify and implement safety-significant controls may not be consistent with DOE-STD-3009-94. The contractor procedures define two types of safety-significant controls: those that are needed to protect workers from significant radiological hazards and those needed for protection against nonradiological hazards. The latter category of safety controls has less stringent quality assurance and maintenance requirements than the former. DOE-STD-3009-94 requires safety-significant controls to protect the workers from radiological or chemical hazards in nuclear facilities, and does not differentiate between the above two categories based on the type of the hazard. The Board’s staff has raised this issue with appropriate personnel in DOE’s Office of Environment, Safety and Health.
Implementation of Technical Safety Requirements―The contractor appears to have developed a comprehensive methodology for implementation of the TSR controls. In addition to verification of the engineered features, the TSR implementation program validates that the administrative controls, including the SMPs, are implemented according to the TSR requirements. The TSR implementation program includes a management self-assessment and an independent Implementation Validation Review by the contractor prior to declaring the TSR implemented. However, the success of the TSR implementation program instituted by the contractor is hindered by the unclear requirements in the TSRs and the ambiguity of the SACs and the SMPs noted above.
 BWXT Y-12 uses the term safety analysis report (SAR) in place of DSA. Accordingly, SAR is used throughout the remainder of this report.