July 30, 2007
Mr. Daniel E. Glenn
Pantex Site Office
U.S. Department of Energy
P.O. Box 30030
Amarillo, Texas 79120
Dear Mr. Glenn:
The staff of the Defense Nuclear Facilities Safety Board (Board) recently performed a review of the authorization basis at the Pantex Plant. As documented in the enclosed report, the Board’s staff noted a loss of configuration control of Documented Safety Analyses (DSAs) at Pantex in the last several years, as well as a backlog of hundreds of post-start conditions of approval resulting from reviews of authorization basis documents by the Pantex Site Office. The staff also uncovered issues related to (1) the incomplete treatment of beyond design basis accidents in certain DSAs, (2) the lack of adequate detail for proper implementation of Technical Safety Requirements, and (3) the systematic lack of timeliness in identifying and declaring a Potential Inadequacy of the DSA (PISA) after new information is discovered.
The Board is aware that BWXT-Pantex is addressing several of these issues. BWXT has agreed to improve the treatment of beyond design basis accidents for identified DSAs. BWXT has also stated that adequate detail will be added to Technical Safety Requirements (TSR) through the efforts of the End-State DSA project plan and annual updates to the DSAs. In addition, the Pantex Site Office has requested that BWXT develop a technical basis for dispositioning new information to ensure that PISAs are appropriately identified and declared in a timely manner. The Board’s staff will continue to monitor these corrective actions to ensure satisfactory resolution of the above issues and other efforts to improve authorization basis review and TSR implementation at the Pantex Plant.
A. J. Eggenberger
c: Mr. Mark B. Whitaker, Jr.
DEFENSE NUCLEAR FACILITIES SAFETY BOARD
Staff Issue Report
June 19, 2007
MEMORANDUM FOR: J. K. Fortenberry, Technical Director
COPIES: Board Members
FROM: R. Rauch
SUBJECT: Authorization Basis Review at the Pantex Plant
This report documents a review by the staff of the Defense Nuclear Facilities Safety Board (Board) regarding the authorization basis (AB) at the Pantex Plant. Staff members F. Bamdad, R. Layton, C. Martin, R. Rauch, and site representative D. Kupferer participated in discussions with site personnel during the week of April 23-27, 2007. The staff evaluated the review and approval of AB documents by the Pantex Site Office (PXSO); the accident analyses and Technical Safety Requirements (TSRs) for the W76, W78, and W87 Hazard Analysis Reports (HARs); and processes for New Information (NI), Potential Inadequacy of the Documented Safety Analysis (DSA) (PISA), and Unreviewed Safety Questions (USQ).
Background. Title 10 of the Code of Federal Regulations, Part 830 (10 CFR 830), Nuclear Safety Management (Rule), required all contractors responsible for hazard category 1, 2, and 3 nuclear facilities to submit a Rule-compliant DSA by April 10, 2003. PXSO issued supplementary direction that DSAs be both submitted and approved by the April 2003 deadline. To comply with the requirements of the Rule and the direction of PXSO, the contractor submitted a series of Safety Analysis Report (SAR) “modules” and various supporting documents—including Fire and Lightning Bases for Interim Operation and an Interim Accident Analysis—that identified and analyzed hazards associated with facility operations, transportation activities, and specific weapon systems, and credited corresponding controls to establish an authorized safety envelope for nuclear operations at Pantex. These documents identified approximately 230 engineered and administrative controls that were functionally classified as either safety-class or safety-significant TSRs or designated in the DSAs as “important to safety.” The process for implementing and validating these 230 controls was formally defined in the TSR Integrated Implementation Plan (TSRIIP), which began in October 2003 and was completed in October 2006.
During the execution of the TSRIIP, BWXT began to experience a number of AB-related challenges. As controls from the TSRIIP were implemented, numerous instances were discovered in which either the actual configuration of facility structures, systems, and components (SSCs) or the functional attributes or capabilities of existing SSCs were incorrectly or inappropriately described in the DSA. Delays in implementing approved AB change packages led to a loss of configuration control of the DSA; that is, the master, or “Posted,” DSA no longer reflected the currently approved DSA. This discrepant condition existed for months, leading to situations in which the contractor prepared change packages against an outdated DSA baseline. To address these critical AB issues, BWXT developed an integrated strategy, known as the End-State DSA project plan. That plan has undergone some revisions, but has maintained the same general objectives: to reconstitute configuration control of the DSAs, implement remaining TSRs, and transition to the set of documents that will ultimately compose the End-State DSA.
PXSO Review and Approval of Authorization Basis Documents. After evaluating each DSA, PXSO provides a Safety Evaluation Report to the contractor detailing the conditions of approval (COAs) of the DSA. During the staff’s review, PXSO presented a list of open pre-start and post-start COAs—as well as open technical review comments (TRCs, the latest terminology for post-start COAs)—and its expectations for closure of these items. At the time of the staff’s review, there were 462 open COAs (almost entirely post-start) and 192 open TRCs. The staff reviewed a subset of open COAs and TRCs and found none that, if closed, would reduce the risk accepted by PXSO in any significant way. However, the staff is concerned about the lack of emphasis by both BWXT and PXSO on the closure of post-start COAs and TRCs. In a January 31, 2005, letter to the Department of Energy (DOE), the Board requested that DOE provide the mechanism in place at each site office for verifying the adequacy of actions taken by the contractor to close open COAs. In response to the Board’s letter, BWXT stated that post-start COAs would be closed during all annual DSA updates after completion of the TSRIIP. BWXT has now abandoned this effort and is instead developing a longer-term plan for closing the backlog of open COAs and TRCs. In addition, BWXT is counting on the End-State DSA project plan to close a number of COAs and TRCs through AB streamlining and attendant “natural improvements.” The staff will continue to track the closure of COAs and TRCs in the coming months.
The staff asked PXSO to discuss its expectations for verifying the implementation of TSRs. During the initial stages of the TSRIIP, PXSO verified the implementation of all TSRs. The Board commended PXSO for this effort in a March 13, 2003, letter to the National Nuclear Security Administration (NNSA). However, PXSO subsequently found this approach to be onerous. PXSO abandoned its original strategy and now verifies the implementation of controls in an ad hoc manner. The staff is concerned about PXSO’s change in strategy for verifying TSRs. In light of the implementation issues that BWXT encountered during the TSRIIP, it would be appropriate for PXSO to take a more vigilant approach and explicitly validate all of these controls.
Pantex Accident Analyses and Technical Safety Requirements. The staff reviewed the development and documentation of the Pantex TSRs. Two generic issues were identified: (1) the treatment of beyond design basis accidents in the DSA, and (2) the level of detail in the wording of functional requirements for controls in the TSR document.
Hazard and Accident Analyses—The Pantex DSAs have identified a comprehensive set of operational hazards, external events, and natural phenomena hazards for identification and classification of controls. However, the hazard analyses appear to be deficient in identifying and analyzing beyond design basis accidents as required by DOE directives. BWXT agreed to improve its treatment of beyond design basis accidents.
Technical Safety Requirements—The facility-level controls identified in the hazard and accident analyses are described in detail, including their functional requirements, in Chapters 3 (hazard and accident analysis) and 4 (safety SSCs) of a given DSA. However, the DSA’s level of detail for safety-related controls and their functional requirements is not repeated in the Pantex TSR document. The staff found that the TSRs lacked adequate detail for implementation and compliance with DOE expectations as described in DOE Guides 421.1-1, Implementation Guide for Use in Developing Documented Safety Analyses to Meet Subpart B of 10 CFR 830, and 423.1-1, Implementation Guide for Use in Developing Technical Safety Requirements.
The staff discussed its observations in detail with the BWXT representatives. BWXT has launched an activity to insert the necessary details from Chapter 4 of the DSAs into the TSR document, consistent with the DOE requirements. The inconsistency with the DOE requirements is expected to be corrected gradually through the submittal of AB change packages.
In addition to the lack of adequate detail in the TSRs, the staff is concerned that BWXT, by categorizing certain TSRs as “safety management programs,” may be making it difficult to incur a TSR violation for a one-time infraction. For example, Chapter 4 of the Sitewide SAR provides a list of all containers that are qualified to meet the functional requirements for protection of special nuclear material (SNM) from a fire. The Sitewide SAR refers to the Qualified Containers Program in its administrative controls section to ensure that the approved containers are used at the site. The containers are safety-class passive design features and must be identified as such in the Design Feature section of the TSR document. The use of an unapproved container would logically be a TSR violation. Under the umbrella of the Qualified Containers Program, however, the use of an unapproved container would be a safety management program infraction and would not constitute a TSR violation. Safety management programs can result in a TSR violation only if the program is violated repeatedly, thus demonstrating a systematic breakdown.
The staff also reviewed the design requirements for several safety-related design features to determine whether the controls are designed adequately to meet the safety functional requirements described in the DSA. The staff found that controls were not always implemented in a manner that guaranteed they would meet the requirements specified in the DSA. For example, the Sitewide SAR identifies noncombustible cabinets as safety-class design features that prevent materials stored inside the cabinet from contributing to the combustible loading in the event of a fire. BWXT performed several fire experiments to qualify the cabinets used at the site. These experiments showed that the combustible materials inside the cabinets ignited after the cabinet had been exposed to an external fire for 10 minutes. It was concluded that the cabinets are qualified for use in areas where safety-related fire suppression or deluge systems exist to limit the duration of a fire to less than 10 minutes. However, the TSR contains no mention of the need for noncombustible cabinets to be located in the vicinity of a fire suppression system. BWXT acknowledged this inadequacy in the TSR and agreed to correct it.
In reviewing Pantex safety documents, the staff discovered that a portion of the Pantex DSA could not be analyzed onsite due to security restrictions. A member of the BWXT staff is planning to travel to Sandia National Laboratories, Albuquerque, in the next several months to update this analysis. The staff will review this topic with the BWXT staff member at that time.
New Information, Potential Inadequacy of the DSA, and Unreviewed Safety Question Processes. BWXT’s process for declaring a PISA after discovery of New Information (NI) contains two highly subjective steps. When NI is discovered, it is assigned to a responsible engineer, entered into an NI database for tracking, and an initial determination of the maturity (i.e., either “draft” or “final”) of the NI is made (first subjective step). If the NI is considered “final,” a PISA is declared, and if sufficient documentation is available, a USQ evaluation is performed. However, if the NI is considered “draft,” the need for compensatory measures is determined before a PISA is declared (second subjective step). In defense of this final step of the process, BWXT claims that the mere declaration of a PISA is onerous because of the associated reporting requirements and a specification in the site procedure that an evaluation of the safety of the situation must be performed within 10 days of the declaration. BWXT’s position is that a PISA is warranted only if the safety of the situation necessitates compensatory measures.
The staff has several concerns regarding BWXT’s process for declaring a PISA. Foremost among these is the contractor’s threshold for declaring a PISA, given NI. The process and its associated rationale suggest an attitude of “prove it is unsafe” before taking action to resolve potential safety issues. An entry in the NI database that illustrates the staff’s concern is discussed below.
In May 2004, a BWXT employee noted that, based on vendor data, it was impossible to tell whether certain facilities could meet the surge suppression requirements stated in the site AB. This discovery was entered into the NI database, and the system engineer began developing a methodology to test the functionality of the surge suppressors in question. These tests were finally performed in December 2005, and it was determined that the surge suppressors did not in fact function as required. A PISA was declared soon thereafter, but this protracted process allowed certain facilities to operate outside the PXSO-approved safety envelope for approximately 20 months.
The staff believes this scenario was a direct result of a flaw in the BWXT PISA process.
The process allows the NI database to be used as a holding tank for information that should have resulted in a PISA. By labeling information as “draft,” BWXT is able to extend the time frame for evaluation of the safety of the situation beyond that intended by the relevant DOE guidelines and site procedures. As specified by 10 CFR 830.203, Unreviewed Safety Question Process, upon discovery of a PISA, a USQ determination must be performed, and the contractor must notify DOE promptly of the results. The Pantex standard for implementing this requirement further specifies “hours or days (not weeks or months)” and requires an evaluation of the safety of the situation within 10 days of the declaration of a PISA. In the case of the above surge suppression issue, had a PISA been declared immediately, the relevant guidelines and site procedures would have forced a prompt evaluation of the safety of the situation and a USQ determination.
The staff understands that it is impossible to remove all subjectivity from the PISA process. For every instance similar to the NI related to surge suppression, there are likely others that do not warrant a PISA declaration. The staff notes that the above issue should not be construed as an indictment of the NI database. It provides the contractor a means of ensuring that all NI entries are properly captured and definitively tracked to closure. At this time, however, the NI database is not maintained with a rigor commensurate with the importance of its function. The staff provided this feedback to BWXT personnel, and they agreed to maintain the NI database with additional rigor.