[DNFSB LETTERHEAD]

 

October 11, 2006

 

The Honorable Linton Brooks

Administrator

National Nuclear Security Administration

U.S. Department of Energy

1000 Independence Avenue, SW

Washington, DC 20585-0701

 

Dear Ambassador Brooks:

 

The Defense Nuclear Facilities Safety Board (Board) has completed a review of the Nuclear Criticality Safety program at Lawrence Livermore National Laboratory (LLNL).  The enclosed report prepared by the Board’s staff provides detailed discussion of the results of this review.

 

In 2004 LLNL’s Assurance Review Office conducted an assessment using Department of Energy Standard 1158 (DOE-STD-1158-2002), Self-Assessment Standard for DOE Contractor Criticality Safety Programs.  As a result of this assessment, LLNL concluded that their Nuclear Criticality Safety program substantially met the review criteria in the DOE standard.  The recent review by the Board’s staff confirmed this fact.

 

The Board’s staff noted that the implementation of two requirements of American National Standards Institute/American Nuclear Society (ANSI/ANS)-8.19, Administrative Practices for Nuclear Criticality Safety, would benefit from improved rigor.  Further, the Board’s staff noted the need for additional rigor in conduct of operations and in the verification of compliance with criticality limits.  The Board’s staff also noted a lack of quality assurance procedures for safety-related software systems that are relied upon to verify criticality and other safety limits.

 

Subsequent to the staffs review, LLNL management directed the implementation of improvements to the Nuclear Criticality Safety program.  The Board strongly urges the National Nuclear Security Administration and LLNL to expeditiously pursue these improvements, and to address the other observations from the enclosed report.

 

Sincerely,

 

A. J. Eggenberger

Chairman

 

c:   Mr. Thomas P. D’Agostino

Ms. Camille Yuan-Soo Hoo

Mr. Mark B. Whitaker, Jr.

 

Enclosure

---

 

DEFENSE NUCLEAR FACILITIES SAFETY BOARD

 

Staff Issue Report

 

MEMORANDUM FOR:     J. K. Fortenberry, Technical Director

 

COPIES:                                Board Members

 

FROM:                                   E. Elliott

 

SUBJECT:                            Review of Nuclear Criticality Safety Program Implementation at Lawrence Livermore National Laboratory

 

This report documents a review conducted by the staff of the Defense Nuclear Facilities Safety Board (Board) of the Nuclear Criticality Safety (NCS) program at Lawrence Livermore National Laboratory (LLNL), conduct of operations related to NCS, and implementation of NCS controls.  This review was conducted on July 25-27, 2006.  Subsequent to the outbrief conducted at the conclusion of the review, LLNL management has taken actions to address some of the issues identified by the Board’s staff, especially those related to conduct of operations and identification of NCS parameters.  The staff and site representative have been actively monitoring progress in this regard.  Improvements in these areas are noted in this report.

 

LLNL’s NCS Program.  Requirements of the American National Standards Institute (ANSI)/American Nuclear Society (ANS) Series 8 standards, which are codified by Department of Energy (DOE) Order 420.1A, Facility Safety, are captured by LLNL’s Criticality Safety Section procedures CSG-P-001 through CSG-P-015.  Included in this suite of procedures are requirements for performing NCS analyses and independent reviews, computer software verification and validation, and other necessary elements of an NCS program.  An assessment performed by LLNL’s Assurance Review Office (ARO) in 2004, using DOE Standard 1158 (DOE-STD-1158-2002), Self-Assessment Standard for DOE Contractor Criticality Safety Programs, determined that LLNL’s NCS program substantially met the review criteria in that standard (two noncompliances were identified).  The Board’s staff agrees that LLNL’s NCS program is compliant with the requirements of DOE Order 420.1A and the ANSI/ANS Series 8 standards.  However, implementation of two requirements of ANSI/ANS-8.19, Administrative Practices for Nuclear Criticality Safety, would benefit from improved rigor.

 

Periodic Review of Fissile Material Operations (ANSI/ANS-8.19, Section 7.8)―LLNL conducts quarterly walkthroughs of rooms containing fissile operations and annual reviews of safety procedures (per CSG-P-003).  These walkthroughs cover the majority of review requirements from ANSI/ANS-8.19, but do not require observing actual fissile material activity to “determine if procedures are being followed.”  There are indications that LLNL staff observes actual operations during the periodic reviews, but such observation is not formally required or documented.  The lack of this formal requirement is especially important given the weaknesses observed during fissile material moves (discussed below).

 

Statement of NCS Policy (ANSI/ANS-8-19, Section 4. 2)―NCS policy, the foundation for the site’s NCS program, is typically a succinct, one- or two-paragraph statement endorsed by the company president or vice-president.  The ANSI/ANS requirement states:   “Management shall formulate nuclear criticality safety policy and make it known to employees who handle fissile material.”  When questioned about how this requirement was implemented, LLNL staff pointed to the Environmental, Safety, and Health (ES&H) Manual or to the Documented Safety Analysis (DSA) as providing the NCS policy.  The ES&H Manual and DSA do not clearly and concisely articulate LLNL’s policy for the NCS program.

 

Ongoing Training for NCS Engineers―NCS engineers are required to have ongoing training per DOE’s qualification standard, DOE-STD-1135, Guidance for Nuclear Criticality Safety Engineer Training and Qualification.  The standard does not prescribe the types of training that should be pursued, but gives general examples, such as attendance at professional conferences.  LLNL’s NCS engineers could benefit from a more well-defined program through which particular technical weaknesses, individual or within the NCS program, could be redressed.

 

Conduct of Operations for NCS.  The staff found the effectiveness of conduct of operations related to NCS to be questionable.  The conduct of operations program was established in fall 2005 with the introduction of the conduct of operations manual for the Nuclear Materials Technology Program (NMTP) in a 2-hour presentation, followed by web-based training including a quiz that involved using the manual to answer questions.  Additional web-based refresher training is also required annually.  Further workstation-specific training in conduct of operations is provided during Operational Safety Plan (OSP) training.  Following are the staff’s specific observations on conduct of operations for NCS resulting from this limited-scope review.

 

Conduct of Operations During Fissile Material Movements―The staff observed or talked through approximately six fissile material movements or portions of movements in the Radioactive Material Area on July 25, 2006.  Fissile material handlers (FMHs) did not refer periodically to the general-use operating procedure for material movements (B332-OP-001) during the activity as required by the conduct of operations manual for the NMTP, which states:  “Reference shall be made to the procedure periodically during performance of the work activity to confirm all steps have been performed.”  Fissile material handlers are provided a laminated operator aid card that summarizes the major steps required by the material movement and standard criticality control conditions (SCCC) change procedures.  However, the operators did not consult these either.

 

Several deficiencies in the performance of procedure steps were also observed.  For example, there was a discrepancy whereby the part number of the item being moved (as identified in the Controlled Materials Accountability and Tracking System [COMATS]) was not included on the approved items list of the OSP for the workstation.  The operating procedure requires that the FMHs identify and communicate the safety information contained in the OSP and the Facility Safety Plan (FSP) controls prior to movement.  This procedure step is intended to ensure that the sender provides to the receiver the information necessary to comply with the SCCCs and other facility safety controls.  However, it is not clear that all of the applicable controls are consistently being identified and confirmed since the moves observed by the staff were accomplished without referring to the applicable OSP or the FSP.  This lack of formality may be due to some combination of deficiencies in training as well as in management’s expectations and follow-up to observe and assess compliance with those expectations.  During the following day, the staff observed fissile material movements in which the procedure was referred to, and greater formality was demonstrated in the performance of procedure steps.

 

Integration of NCS Roles and Responsibilities―Several groups have criticality safety responsibilities:  NMTP FMHs, Material Management Section (MMS) FMHs, MMS personnel responsible for COMATS, NCS engineers, the facility manager, the Hazards Control organization, and the NMTP training group.  The efforts of these groups determine the overall performance of the NCS program.  However, the staff observed a lack of the integration necessary to fully utilize the combined resources of all these groups in assessing performance, considering initiatives to improve criticality safety, communicating relevant information, resolving issues, and advising on plans and policies.  Additionally, it appears that the roles and responsibilities of each group are not formally defined through an integrated procedure.  Without effective integration of these parties, mistakes and inconsistencies can develop, a few examples of which were observed during the staffs review.  The LLNL Criticality Safety Advisory Committee should review the integration of NCS roles and responsibilities and recommend changes necessary to address this issue.

 

NCS Audits and Assessments―The most recent yearly audit, conducted in December 2005 and reported in March 2006, yielded no primary or secondary findings but identified three concerns, three observations, and two noteworthy practices.  In particular, two items were identified as concerns that, in the staffs opinion, merit prompt corrective action:  an operator stating that a criticality accident is not possible, and the lack of configuration management for COMATS (see below).

 

Implementation of NCS Controls.  Fissile material movements must comply with the conditions of applicable SCCCs.  Meeting these conditions relies on the expertise of the FMHs and independent verification.  The FMHs must compare item data with the SCCC conditions or limits to determine compliance.

 

In the fissile material movements observed by the staff, COMATS was used as the primary source of determining compliance with SCCC conditions.  However, the only approved safety function of COMATS is as a source of fissile mass and/or item data.  Not all SCCC limits are contained in COMATS, nor is all item data.  It was not evident from the staff observations that all of the data needed to verify compliance with all SCCC limits was readily available to the FMHs.

 

Current procedures also require hand calculations to convert fissile material mass and isotopic information from COMATS to fuel-grade plutonium equivalent in order to demonstrate compliance with room material-at-risk (MAR) limits, even though this conversion is performed automatically by COMATS.  In the past, the staff observed a reliance by FMH’s on the COMATS-produced conversion.

 

The heavy reliance on COMATS in some cases for determining compliance with SCCC and MAR limits, indicates a need to improve the available implementation tools (e.g., COMATS); this will ensure all limits are met and achieve consistent adherence to procedures.

 

A new system, the Criticality Special Support System (CSSS), is being developed to assist FMHs in ensuring compliance with the criticality safety requirements.  However, the CSSS is not expected to be fully deployed until 2008-2010.  Currently CSSS is capable of capturing item data and generating labels that contain all the relevant criticality information.  The Deputy Program Leader for Programmatic Operations recently directed the mandatory use of CSSS labels for movement of fissile material packages.

 

This new labeling process requires the FMHs to obtain and enter all relevant criticality safety data into the CSSS, which will ensure that the FMHs have the information to comply with the SCCCs.  Once the data have been collected in the CSSS data record and displayed on the label for individual fissile material packages, the SCCC requirements can be directly compared with the properties of that item for subsequent material movements.  This improvement will address some of the issues identified by the staff.  To support this initiative, FMHs are required to complete training on the CSSS, else his or her access to the COMATS and CSSS systems to support fissile material movements will be revoked.

 

Additionally, the use of COMATS to ensure compliance with SCCC limits or to perform MAR calculations requires configuration management and quality assurance commensurate with these functions.  In particular, it appears that COMATS meets at least some of the criteria of DOE Order 414.1C, Quality Assurance, for safety software.  The software quality assurance for COMATS needs to encompass the elements promulgated by that Order and implemented in accordance with DOE Guide 414.1-4, Safety Software Guide for Use with 10 CFR 830, Subpart A, Quality Assurance Requirements, and DOE O 414.1C, Quality Assurance.