December 11, 2002
The Honorable Spencer Abraham
Secretary of Energy
1000 Independence Avenue, SW
Washington, DC 20585-1000
Dear Secretary Abraham:
The prevention and mitigation of potential accidents inherent in the mission activities at defense nuclear facilities is a fundamental objective of both the Department of Energy (DOE) and the Defense Nuclear Facilities Safety Board (Board). This objective requires DOE and its contractors to identify accident scenarios and then establish effective and reliable safety controls to address them. Engineered controls are preferred over administrative controls because, in general, engineered controls are considered to be more reliable and effective than administrative controls. However, in certain applications, DOE and its contractors have concluded that discrete operator actions or administrative controls are required to address consequences of accidents that would otherwise be unacceptable.
The Board agrees with DOE’s overall guidance for a hierarchy of controls and agrees that administrative controls are sometimes appropriate to prevent or mitigate accident consequences—even those that exceed evaluation guidelines for risk to the public. However, the Board has identified a number of administrative safety controls, proposed or in use, at various defense nuclear facilities that are technically inadequate. In many cases, DOE and/or its contractors have asserted that the methods used to establish these administrative controls comply with existing DOE directives. After further analysis, the Board has concluded that the DOE directives system does not contain adequate requirements for the design, implementation, and maintenance of important safety-related administrative controls to ensure that they will be effective and reliable.
As a result, the Board on December 11, 2002, unanimously approved Recommendation 2002-3, Requirements for the Design, Implementation, and Maintenance of Administrative Controls, which is enclosed for your consideration. After your receipt of this recommendation and as required by 42 U.S.C. § 2286d(a), the Board will promptly make it available to the public. The Board believes that the recommendation contains no information that is classified or otherwise restricted. To the extent this recommendation does not include information restricted by DOE under the Atomic Energy Act of 1954, 42 U.S.C. §§ 2161-68, as amended, please see that it is promptly placed on file in your regional public reading rooms. The Board will also publish this recommendation in the Federal Register. The Board will evaluate the Department of Energy response to this recommendation in accordance with Board Policy Statement 1, Criteria for Judging the Adequacy of DOE Responses and Implementation Plans for Board Recommendations.
Sincerely,
John T. Conway
Chairman
Enclosure
c: Mr. Mark B. Whitaker, Jr.
DEFENSE NUCLEAR FACILITIES SAFETY BOARD
RECOMMENDATION 2002-3 TO THE SECRETARY OF ENERGY
Pursuant to 42 U.S.C. § 2286a(a)(5)
Dated: December 11, 2002
The implementation of an effective and reliable set of controls is one of the most important cornerstones of safe operation at defense nuclear facilities. In this context, the term “control” refers to those structures, systems, and components (SSCs) and administrative controls that prevent or mitigate undesirable consequences of postulated accident scenarios. The Defense Nuclear Facilities Safety Board (Board) has compiled a set of observations that are particularly relevant to the development and implementation of administrative controls in the Department of Energy’s (DOE) defense nuclear complex. The results of these reviews and observations are summarized in this recommendation.
It has been well recognized that administrative controls play an important role in establishing and maintaining overall safety of nuclear activities. Previous technical reports issued by the Board have underscored the need for heightened vigilance in the selection and implementation of task-specific administrative controls, as well as those of a more programmatic nature (e.g., criticality control programs). In particular, in DNFSB/TECH-28, Safety Basis Expectations for Existing Department of Energy Defense Nuclear Facilities and Activities (October 2000), the Board observed the need for DOE to promulgate additional guidance in this area. However, DOE has taken little action to provide the degree of specificity necessary to properly design, implement, and monitor the effectiveness of important administrative controls.
Administrative controls have been defined in the DOE Nuclear Safety Management rule as, “. . . the provisions relating to the organization, management, procedures, record keeping, assessment, and reporting necessary to ensure safe operation of a facility.” 10 CFR 830.3(a). In practice, however, the concept of an administrative control is used more broadly in the context of hazard prevention and mitigation. In this regard, an administrative control can be viewed as an extension of a hazard control and defined accordingly. Thus, from a broader and more operational perspective, some administrative controls should be treated similarly to engineered or design features that are used to eliminate, limit, or mitigate potential hazards.
DOE has promulgated guidance to assist facilities in the classification of controls. In general, controls necessary to prevent or mitigate significant consequences to the public are classified as “safety-class” and controls which contribute significantly to defense-in-depth or worker safety are classified as “safety-significant.” However, this guidance has been directed primarily at engineered controls and has been largely silent with respect to the functional classification of administrative controls. The Board has observed a number of instances in which administrative controls have been implemented in situations where a corresponding engineered feature would warrant functional classification as either safety-significant or safety-class. A number of defense nuclear facilities have explicitly characterized certain administrative controls as either safety-class or safety-significant from a functional classification perspective in the context of existing DOE guidance.
In addition to controls involving discrete operator actions, a number of administrative controls are more programmatic in nature. Examples of such programmatic controls include combustible loading programs (associated with fire protection programs), operator training programs, and in-service inspection programs. The Board has observed a number of instances, similar to the examples involving specific operator actions, in which such programmatic controls are credited for the prevention and mitigation of specific hazard scenarios.
The Board has observed that the development and implementation of important administrative controls have not always conformed to the expectations and quality standards that would be applied to corresponding safety-class engineered features. The following examples illustrate this point:
1. During a review of the process controls for a new aqueous recovery line for plutonium-238 (Pu-238) at Los Alamos National Laboratory (LANL), the Board found that the facility had placed heavy reliance on administrative controls in lieu of engineered controls. However, LANL had not planned to incorporate many of these administrative controls, some of which were safety-related, into Technical Safety Requirements (TSRs) prior to the startup of the Pu-238 recovery process. Examples include procedural controls on the makeup of strong acids used to elute ion exchange resin and procedural controls designed to monitor for resin dryout. Strong acids can react violently with the ion exchange resin, and resin dryout can also lead to energetic reactions. These concerns were communicated to DOE in a Board letter dated April 23, 2002.
2. During a review at the Y-12 National Security Complex, the Board noted that the fire protection program for Building 9212 B-1 Wing identified 21 administrative controls needed to protect the facility during testing and process restart. These administrative controls include operational considerations in the use of organic solvents, a transient combustible control program, control of ignition sources, and designated laydown areas for combustible materials. The Board determined that the various administrative controls were not always updated or modified to reflect changes in plans or equipment, and that there were significant deficiencies in the contractor’s compliance with these controls. Most important, there was no program providing for a periodic review to verify that the administrative controls associated with B-1 Wing remained fully effective. Significantly, many of these administrative controls could be supplanted by the installation of an engineered control—a fire suppression system. These issues were communicated to DOE in a letter from the Board dated May 13, 2002.
3. At the Savannah River Site, the safety analysis for HB-Line Phase 2 operations contains requirements for strict control of combustibles in rooms 410N and 410S to protect the process tanks in the area. The controls limit the total quantity of combustibles to 400 pounds wood equivalent and specify separation distances between combustibles and tank supports. However, the transient combustible control procedure did not include this portion of HB-Line, indicating that this administrative control was not complete. Further, a review by Westinghouse Savannah River Company (WSRC) indicated that the quantity of combustibles in the area may actually be as high as 5,670 pounds wood equivalent, providing sufficient fuel to produce a high-temperature (1200°C) flashover fire in the area and boil off the tank contents. As a result, it was determined that combustible control was no longer a viable administrative control for this area. Instead, WSRC has implemented an additional administrative control to limit the concentration of plutonium in the tanks to 5.5 grams per liter to prevent unacceptable consequences of a fire in this area. The details of these issues were documented in a letter from the Board dated July 20, 2001.
The development, selection, and implementation of an effective set of hazard controls are among the most important elements of nuclear safety. At defense nuclear facilities, DOE has established a priority system that favors preventive over mitigative measures, and passive design features over active controls. The approved system recognizes that, where necessary or practical, administrative controls may play an important role in hazard prevention and mitigation.
In the Board’s view, the activities associated with the development, implementation, and ongoing verification and validation of safety-class and safety-significant administrative controls should be conducted with the same degree of rigor and quality assurance as that afforded engineered controls or design features with similar safety importance. Therefore, the Board recommends the following:
1. DOE should promulgate a set of requirements for safety-class and safety-significant administrative controls to establish appropriate expectations for the design, implementation, and maintenance of these important safety controls. The requirements should address the following at a minimum:
(a) Specific design attributes to ensure effectiveness and reliability;
(b) Specific TSRs and limiting conditions of operation;
(c) Specific training and qualifications to ensure that the appropriate facility operators, maintenance and engineering personnel, plant management, and other staff properly implement each control;
(d) Periodic reverification that each control remains effective; and
(e) Root cause and failure analyses, similar to those required upon failure of an engineered system.
2. DOE should ensure that all existing administrative controls that serve the function of a safety-class or safety-significant control are evaluated against these new requirements and upgraded as necessary and appropriate to meet DOE’s expectations.