[DNFSB
LETTERHEAD]
February 28, 2006
The Honorable Linton Brooks
Administrator
National Nuclear Security
Administration
U.S. Department of Energy
1000 Independence Avenue, SW
Washington, DC 20585-1000
Dear Ambassador Brooks:
The operating contractor at the
Y-12 National Security Complex, BWXT Y-12, recently submitted the Documented
Safety Analysis (DSA) and Technical Safety Requirements for the 9212 Complex,
thereby completing a significant effort in revising all site safety basis documentation
for compliance with Title 10 of the Code of Federal Regulations, Part 830, Nuclear Safety Management.
The staff of the Defense Nuclear Facilities Safety Board
(Board) conducted a review of these safety basis documents for the 9212 Complex
and noted weaknesses in the documents that have resulted in improper
classification of safety systems and unclear administrative controls, as
discussed in the enclosed report. The
noted weaknesses in the safety basis documents, if uncorrected, could lead to
an inadequate safety basis for the 9212 Complex and impede contractor
implementation. The Board is encouraged
that the Y-12 Site Office has identified similar weaknesses and is taking
action to resolve these issues.
The Board notes that Y-12 has
established a sound methodology for implementation of safety basis controls
that includes a line management assessment and an independent Implementation
Validation Review to confirm proper implementation of controls. The Board looks forward to working with Y-12
as an acceptable DSA is finalized. The
enclosed report is forwarded for your information and use as appropriate.
Sincerely,
A. J. Eggenberger
Chairman
c: Mr. William J. Brumley
Mr.
Mark B. Whitaker, Jr.
Enclosure
DEFENSE
NUCLEAR FACILITIES SAFETY BOARD
Staff
Issue Report
February
9, 2006
MEMORANDUM FOR: J. K. Fortenberry, Technical Director
COPIES: Board Members
FROM: F. Bamdad
R.
Raabe
SUBJECT: Documented Safety Analysis for
the 9212 Complex, Y-12 National Security Complex
This report presents the results
of a review of the Documented Safety Analysis (DSA) for the 9212 Complex at the
Y-12 National Security Complex (Y-12). A
meeting was held at the site on December 5-8, 2005, by members of the staff of
the Defense Nuclear Facilities Safety Board (Board) to discuss their
observations. Members of the Board’s staff
F. Bamdad, M. Duncan, E. Elliott, C.
March, and R. Raabe, together with the Board’s site representatives D. Owen and
T. Davis, participated in these discussions and walked down the facility during
the site visit. Additionally, the staff
had two subsequent conference calls to discuss the issues in this report.
Background. The
existing Department of Energy (DOE) Hazard Category 1, 2, and 3 nuclear
facilities were required to submit a DSA for DOE approval by April 10, 2003,
meeting the requirements of Title 10 of the Code of Federal Regulations, Part
830, Nuclear Safety Management. The
Y-12 site contractor, BWXT Y-12, submitted DSAs for all such facilities for review
and approval before this deadline, except for the 9212 Complex. BWXT Y-12 and the National Nuclear Security
Administration’s Y-12 Site Office (YSO) agreed to delay the submittal date for
the DSA for the 9212 Complex until September 2004. After YSO reviewed the DSA and provided
comments, it was revised by the contractor and resubmitted in November 2005. YSO is planning to complete a Safety
Evaluation Report to document approval by February 2006. BWXT Y-12 is planning to implement the DSA and
its Technical Safety Requirements (TSRs) by August
2006.
Discussion. The
review by the Board’s staff was focused on the adequacy of the DSA[1]
and its companion TSRs. The Safety Analysis Report (SAR) identifies
loss of confinement, criticality, explosion, fires, and natural phenomena
hazards as evaluation basis accidents that may require more detailed analysis
of their consequences for identification of potential safety-class or
safety-significant structures, systems, and components (SSCs).
·
The
plume dispersion analysis is based on a methodology used previously by the contractor
for other defense nuclear facilities at Y-12 and approved by YSO. This
methodology uses a computer program called WAKE that is not a toolbox
code in the DOE Software Assurance Center Registry. The contractor, however, stated that this computer
program has been through a rigorous site-specific quality assurance program,
and has been authorized by YSO for use in safety basis analyses. This program credits the building wake effects
to dilute the plume through the wind-generated vortices from the adjacent
facilities. While this methodology may
have been technically justified for application to the releases from facilities
surrounded by other structures at the site, it is not a conservative approach
for the 9212 Complex, which is located at a higher elevation and with no
facilities downwind in the direction of the site boundary to promote wake
effects.
·
The
airborne release fractions (ARFs) applied to some
materials at risk involved in a fire are based on the mean values provided in
DOE-HDBK-3010-94, Airborne
Release Fractions/Rates and Respirable Fractions for
Nonreactor Nuclear Facilities. Use of the mean value is based
on the guidance provided by a Y-12 site procedure. Application of the recommended bounding values
may increase the accident source terms by about an order of magnitude. Adequate technical justification for using the
mean value is not provided. Therefore,
it would be prudent to use the bounding ARF values for long-term energetic
events, such as large fires, that would potentially determine the
classification of safety controls needed for protection of the public.
·
The
postulated seismically induced fires in the facility do not appear to be based
on a conservative propagation of the events. The SAR assumes that the contents of only one
wing would be involved in a fire that was seismically induced. This is based on the further assumption that a
fire initiated in a wing would not have the continuity of combustible materials
to spread to other wings. The staff
considers that a seismic event could initiate individual fires in each wing,
resulting in several simultaneous wing fires. The material at risk in such a multiple-wing
fire scenario would result in higher consequences at the site boundary than
those identified in the SAR and would portray the seismic risk of the facility
more realistically.
·
The
unmitigated consequences of large fire events in the SAR range from a few rem to
an upper value of about 14 rem TEDE at the site boundary.
The SAR concludes that these values are
conservatively lower than the 25 rem evaluation guideline recommended by DOE
directives for identification of safety-class controls to protect the public,
and therefore identifies the fire suppression system as safety-significant to protect
the site workers. However, the SAR
relies on a specific administrative control prohibiting storage of organic
solutions in a certain location to keep the unmitigated consequences at the
site boundary below 25 rem. An unmitigated analysis that did not credit
this administrative control might conclude that safety-class SSCs were needed. This scenario should be investigated.
The general uncertainties
associated with plume dispersion analyses could lead one to conclude that the
calculated values in the SAR for large fire events are approaching the 25 rem
evaluation guideline and that a safety-class SSC is needed. Additionally, a more conservative analysis of
the bounding fire in the SAR, accounting for the other weaknesses discussed
above, would result in doses higher than the calculated values. Designation of one or more fire suppression
systems as safety-class would protect the public more reliably from the
potential consequences of an event. This
would require the systems to be evaluated through the systematic methodology
described in site procedure Y17-69-417, Safety System Design Adequacy, for identification and
remediation of any potential weaknesses in the systems’ availability and
operability commensurate with their safety-class function. This assessment would need to include at a
minimum hydraulic analysis of the system and the reliability of the water
supply to ensure that it would function as expected during a potential major
fire in the facility.
Technical
Safety Requirements―In addition to observations
regarding the accident analyses, the Board’s staff noted several weaknesses in
the SAR that could impact the identification of safety controls in the TSRs. These weaknesses are associated mainly with
the specific administrative controls (SACs) and safety management programs
(SMP):
·
The
TSRs identify the need for controlling the amount of hazardous materials in the
facility to limit the consequences of an accident to below those calculated in
the SAR. The TSRs, however, refer to the
amounts used in the accident analyses (discussed in Chapter 3 of the SAR)
rather than to a specific table or collected list of such values in the TSRs to
support proper implementation and compliance.
·
The
TSRs list the safety-related engineered features and SACs that have been captured
from the Nuclear Criticality Safety Program and its associated criticality safety
evaluations (CSEs) through the use of a bridging document. Use of the bridging document helps avoid the
need for direct reference in the SAR to specific CSEs. However, the bridging document does not appear
to contain sufficient detail to be used in the change control process (e.g.,
unreviewed safety question determination) without recourse to the CSEs. This defeats the bridging concept, necessitating
reliance on the operations staffs knowledge of the criticality safety controls
discussed in the CSEs.
·
The
SAR and the TSRs rely on SMPs to protect the public and workers from the consequences
of an event. The staff believes the SAR
needs to identify the specific safety attributes of these programs that are
relied upon for adequate protection. These attributes do not appear to be clearly
identified in the SAR to ensure that the SMPs described in the TSRs would be
consistent with the SAR’s analysis. For
example, the SAR relies on the training program to ensure that workers would
evacuate the areas in case of a fire. The SAR refers to the training program as a
control; however, it does not identify evacuation as a required attribute of
the training program to ensure that workers are trained on that specific item.
·
The
Y-12 procedures used to identify and implement safety-significant controls may not
be consistent with DOE-STD-3009-94. The
contractor procedures define two types of safety-significant controls: those
that are needed to protect workers from significant radiological hazards and
those needed for protection against nonradiological hazards. The latter category of safety controls has
less stringent quality assurance and maintenance requirements than the former. DOE-STD-3009-94 requires safety-significant
controls to protect the workers from radiological or chemical hazards in
nuclear facilities, and does not differentiate between the above two categories
based on the type of the hazard. The
Board’s staff has raised this issue with appropriate personnel in DOE’s Office
of Environment, Safety and Health.
Implementation
of Technical Safety Requirements―The
contractor appears to have developed a comprehensive methodology for
implementation of the TSR controls. In
addition to verification of the engineered features, the TSR implementation
program validates that the administrative controls, including the SMPs, are
implemented according to the TSR requirements. The TSR implementation program includes a
management self-assessment and an independent Implementation Validation Review
by the contractor prior to declaring the TSR implemented. However, the success of the TSR implementation
program instituted by the contractor is hindered by the unclear requirements in
the TSRs and the ambiguity of the SACs and the SMPs noted above.
[1] BWXT Y-12 uses the term safety analysis report (SAR) in place of DSA. Accordingly, SAR is used throughout the remainder of this report.