DEFENSE NUCLEAR FACILITIES SAFETY BOARD

February 3, 1997

1. Purpose
   
   

   This report documents a visit by Defense Nuclear Facilities Safety Board (Board) staff members D. Napolitano and R. Tontodonato to the Savannah River Site (SRS) on January 21–22, 1997. The purpose of this visit was to review the Technical Safety Requirements (TSRs) developed for the SRS high-level waste tank farms.

2. Summary
   
   

   The Board staff is encouraged by SRS's effort to develop a comprehensive safety basis for the high-level waste tank farms. However, two issues emerged during the trip:
   
   

   • The safety analysis process may not be producing robust controls to prevent or mitigate the effects of certain accidents.
     
     
   • The tank farm safety margin might be reduced by the plan to implement new TSRs before determining whether equipment upgrades are necessary to support them.

   
   

3. Background
   
   

   An approved Basis for Interim Operations (BIO) is currently the governing safety analysis document for the high-level waste tank farms. A Final Safety Analysis Report is scheduled to be issued by September 1997. TSRs associated with the BIO are being implemented in phases. Administrative controls, limiting conditions for operation, and upgrades to conductivity probes and evaporator interlocks are scheduled to be implemented by September 1997. SRS plans to perform a backfit analysis to determine whether the equipment upgrades required by the remainder of the TSRs are justified from a cost/benefit perspective.

4. Discussion
   
   

   The following subsections document the staff's observations related to the robustness of safety controls and the schedule for implementing these controls.

   Robustness of Safety Controls. The Board staff is concerned about the development of three programs: the Critical Lift Program, the system to prevent hydrogen deflagration, and controls for tank overheating. Reviews of these programs indicate that in some cases they either neglect proven good practices or lack consistency.

   Critical Lift Program—The Critical Lift Program attempts to prevent load drops. A load drop can cause perforation or collapse of a tank top. A critical lift procedure divides lifts into two categories: "critical lifts," which can perforate a tank, and "ordinary lifts," which cannot. The critical lift procedure aims to reduce human error, the largest cause of load drops. If a lift is critical, rigging sketches must be drawn, and equipment ratings and inspection tags double-checked.

   The Critical Lift Program is an administrative program. The safety analysis assumes it makes the probability of an accident "extremely unlikely" by capturing all important good practices. However, the Board staff found two possible weaknesses in the program. First, the critical lift procedure does not emphasize physical equipment failures. This concern is heightened because some of the below-the-hook lifting devices used at SRS are old. Second, there is no SRS requirement to ensure that before a device is used, it meets industry standards for the design factor of safety. The Department of Energy (DOE) Hoisting and Rigging Manual and industry standards state that these devices should have a factor of safety of 3 on yield. However, SRS personnel could not provide the Board staff with the safety factors for below-the-hook devices.

   The safety margin against physical equipment failures could be substantially improved by requiring redundant rigging or a more frequent and rigorous inspection program, as described, for example, in American National Standards Institute N14.6, Radioactive Materials—Special Lifting Devices for Shipping Containers Weighing 10,000 Pounds or More. Presently, load testing or detailed inspections on below-the-hook devices are performed at SRS only before initial use and when a problem is suspected. Additionally, SRS is presently attempting to determine the safety factors on its equipment.

   Hydrogen Deflagration—The thrust of SRS's plan is to institute enough controls and surveillance requirements to ensure that the annual probability of a tank explosion is less than 1 x 10^-6. This approach relies on the monitoring of flammable gas concentrations. This is a new approach that eliminates the historically used ventilation requirement. Ventilation has proven effective in preventing flammable gases from accumulating, but SRS personnel are concerned that the safety analysis cannot show it achieves the 10^-6 value without installation of new instrumentation. The ventilation system will still be called out in procedures, but it will not be linked to any safety requirement.

   Probability analyses has shown that the 10^-6 value can be realized by requiring many redundant checks on monitoring and surveillance of lower flammability limit (LFL) instrumentation. The Board staff notes two possible problems with the probability analysis: (1) it uses an unvalidated assumption regarding the frequency at which tanks will exceed the LFL if not ventilated and, (2) it assumes an administrative program is 100 percent accurate at classifying tanks as either rapid or slow generators of hydrogen. Much less stringent surveillance is performed on slow-generation tanks. The Board staff notes that if ventilation were retained as a requirement, the probability analysis would show flammable gas deflagrations to be much less likely.

   Tank Overheating—Preliminary analysis indicates that doses to the public from tank overheating could be substantial. However, SRS contractors have taken the position that the dose analysis is "extremely overly conservative." They conclude that since tanks have boiled in the past with no off-site radiological consequences having been observed, this accident scenario is insignificant. Presently, more realistic dose consequences are being calculated. The Board staff encourages this path.

   However, if these new analyses are not successful, TSRs to prevent overheating would appear to be needed. The controls defined as a result of the existing preliminary calculations lack consistency. There is a TSR requirement to track temperature once active cooling has been lost. However, there is no TSR requirement to monitor whether active cooling is working; instead, this is procedurally controlled.

   Schedule for Implementing Controls. The proper implementation of tank farm TSRs may require safety-class equipment and programs. The TSRs will be implemented in September 1997. However, the necessary equipment and programs credited by the safety analysis may not be in place by this time. A backfit analysis, to be completed after TSR implementation, will determine which upgrades are needed and when.

   This approach could potentially relax existing controls in anticipation of relying on new safety-class equipment that has not yet been installed. As an example, the old requirement to ventilate the tanks proactively will be eliminated in September 1997, and the new TSR requiring vapor monitoring will be implemented. However, the LFL monitors may not be upgraded to safety class by this time. Based on this example, the Board staff believes it would be prudent for DOE to confirm that it is not lowering the tank farms' present safety margin by implementing the new TSRs before completing the backfit analysis.

5. Future Staff Actions
   
   

   The Board staff will continue to follow the development and implementation of safety controls for the SRS tank farms.