DEFENSE NUCLEAR FACILITIES SAFETY BOARD

December 1, 1994

MEMORANDUM FOR: G. W. Cunningham
COPIES: Board Members
FROM: C. R. Martin
SUBJECT: Nuclear Explosive Safety Studies (NESS) and Nuclear Explosive Risk Assessments (NERA)

1. Purpose: This memorandum provides the comments of Defense Nuclear Facilities Safety Board (DNFSB) staff reviews of five 1994 Nuclear Explosive Safety Study Group (NESSG) meetings, including the NTS FORTUNE NESS [March 29-31, 1994 - Preston, Martin, Drain (SPC)]; the Pantex W87 Rebuild NESS (August 16-19, 1994 - Krahn, Waugh); the NTS NERA for the Lawrence Livermore National Laboratory (LLNL) Arming & Firing and Timing & Control (A&F/T&C) System (August 22-24, 1994 - Preston, McConnell); the NTS Security Operations NESS Master Study update (September 6-9, 1994 - Roarty); and the W-48 Pumpout and Dissolution NESS (November 1-4, 1994 - Von Holle, Martin).

2. Background: Requirements for conducting NESSs are contained in Department of Energy (DOE) Order 5610.11, Nuclear Explosive Safety. The DNFSB issued a letter to DOE on December 8, 1993, that identified several apparent weaknesses in the NESS process and requested DOE to conduct an independent review and provide a report on the review team's assessment of the NESS process. On February 22, 1994, while the independent review was still in process, DOE (DP-20) issued interim guidance on conducting NESSs. The independent review team report was provided to the Board on May 6, 1994, and the DOE corrective action plan for the NESS process was provided to the Board on June 15, 1994. This DNFSB Staff report provides a compilation of the staff's evaluation of several recent NESSs against the above identified documents.

3. Summary: General comments applicable to all studies are included below, while detailed observations and specific comments are included in enclosures.

a.
Areas of Noted Improvement:

1) Most of the NESSG meetings observed included additional personnel under instruction learning about NESS activities.

2) All NESSGs had access to independent technical advisors to provide specific expertise on issues evaluated during the reviews.

3) The input documents were of significantly higher quality than those reviewed by the staff for NESSs that occurred prior to issuance of the Board's December 8, 1993, letter. There were still, however, both process and technical problems with some aspects of the documents, as described in the enclosures.

b. Areas Requiring Continued Improvement: The DNFSB staff observed the following areas of apparent deficiency, including several that were previously noted in the Board's December 8, 1993, letter on the NESS process:

1) Adequate guidance still does not appear to exist on the implementation of the plutonium dispersal safety standard, the use of quantitative risk assessment, and the integration of the NESS process with the overall evaluation of operational safety (including the appropriate scope of the NESS itself). The staff's observations indicate that there is still significant confusion over the intended objectives and use of NERAs, including their proper integration with the traditional NESS evaluation.

2) The actual execution of the NESS process (i.e., the preparation of the input document, the presentation of briefing materials, the evaluations of the individual NESSG members, the NESSG's deliberations, and the NESS report preparation), as observed, still reflects a lack of general agreement over what is necessary and sufficient to yield an appropriate analysis and documentation of all relevant risks.

3) Improvement in the quality and focus of input documents still appears to be needed, including upgrading/revalidation of historical reference documents. The trend is for input documents to contain much greater detail.
However, it appears that not all of the presently included material is necessarily relevant, which may actually detract from the ability of the NESSG members to complete their independent safety evaluation in a timely fashion.

4) The NESSG still does not appear to have a mechanism for the complete follow-through that would be expected of a thorough, independent safety evaluation. The "positive measures" identified as ensuring nuclear explosive safety are not always reviewed for adequacy; closure of NESS findings is not always tracked, even for the Master Studies that are intended to serve as part of the approval basis for future studies.

5) The respective responsibilities and authorities of the NESSG Chairman and members still do not seem to be clearly defined or understood. Instances of "advocacy," rather than "independence," were still observed. Chairmen were sometimes observed to: act as defenders of briefers' technical positions, discourage dissent, and "rule" that requests for additional technical information would not be met. One LANL NESSG member was observed to suggest that he would challenge a long-standing LLNL practice in a future NESS if the LLNL NESSG member continued to challenge a long-standing LANL practice during the current review.

4. Future Staff Actions:

a. The staff will continue to observe NESS activities at both Pantex and NTS to evaluate the implementation of DOE Order 5610.11, the February NESS Interim Guidance, and any changes made to those documents as a result of implementation of Recommendation 93-1 and the NESS Corrective Action Plan.

b. The staff will continue to evaluate the integration of DOE activities to improve the safety of nuclear explosive operations including Recommendation 93-1, Recommendation 93-6, the NESS Corrective Action Plan, and the "Stockpile Stewardship-21" Program.

c.
The staff will follow up on significant technical issues which required procedural changes or new administrative controls to verify that action items are properly closed out.

ENCLOSURE 1
Observations from the FORTUNE Exercise NESS at the Nevada Operations Office

Process Comments:

1. The input document prepared by Los Alamos National Laboratory (LANL) was a significant improvement over previous input documents, most notably in the extent and comprehensiveness of the hazard analysis. The supplementary technical briefings presented were well-prepared and delivered.

2. The Assembly, Storage, and Transportation Master Study, conducted in September 1993, and the Insertion and Emplacement (I&E) Master Study, conducted in December 1993, which had not received DP-20 approval at the time of the NESSG meeting, were treated as acceptable base references for this study. Although this NESSG deliberation was later defined as an "exercise" of the NESS process, and not submitted for approval, the practice of using unapproved documents as references does not appear appropriate.

3. One of the most frequently cited "positive measures" (as defined in DOE Order 5610.11) to mitigate a postulated hazard was training and certification; however, in only two instances were the credentials of the operators or their supervisors presented, and then in insufficient detail for an informed and considered opinion to be rendered on the qualifications of the individuals involved. The NESSG Chairman stated, when questioned, that independent evaluation of operator qualifications was not within the purview of the NESSG (although no other independent review appears to take place).

4. After the briefings, each NESSG member was given the opportunity to raise any issue on which he desired further information or discussion. A few technical safety issues were raised and a number of procedural issues were brought up. In nearly all cases, these issues were subsequently dropped after cursory discussion.
With the exception of a verbatim transcript [which is a new (1993) addition to the NESS process at NTS], no record was made of the issues raised in the NESSG deliberations, or of their resolution.

5. A disturbing incident was observed during the discussion of one of the technical issues, that evidently has been a long-standing subject of debate between LLNL and LANL regarding "best practice." In apparent response to the LLNL NESSG member's pressure for continued discussion of the current LANL approach, the LANL NESSG member (1) requested that the verbatim record be stopped, then (2) stated that he would challenge long-standing, debatable (in his opinion) LLNL practices at some future NESS, unless the LLNL NESSG member desisted. The record resumed, discussion continued for a while, and the matter was dropped.

6. The NESS process considers the use of administrative procedures to be acceptable "positive measures" for the mitigation of identified nuclear explosive safety hazards. However, the NESSG does not appear to conduct any follow-up effort to verify that these procedures are being properly implemented, thereby ensuring appropriate closure of their safety concerns. The FORTUNE NESSG members identified, for example, an issue that had been listed as "closed" as part of the I&E Master Study but which in fact had not been resolved as expected. This problem appeared to be identified only because some I&E NESSG members were also serving on the FORTUNE NESSG.

7. It was determined by the NESSG that there was no apparent internal laboratory design review/approval of calculations used as input to this NESS. Calculational errors were noted in the briefings and it was indicated that "pen and ink" changes would be made to the input document.
The fact that the calculations had not been confirmed by independent check (although supervisory and management signatures were on the document) and that an error had occurred generated some concern about adequate design review by several panel members. One NESSG member asserted, however, that the NESS itself constituted the design review, although the NESSG did not appear to check all base calculations. Even after this substantial discussion, however, the NESSG accepted the results of calculations in the input document without further question.

8. While the hazard assessment for this NESS was a dramatic improvement over prior NESSs, there was no attempt by the NTS NESSG to conduct an actual visual assessment of the procedures and activities under review (as is customary at Pantex NESS meetings). Although several of the NESSG members had extensive past experience with the operations, it is unclear how the comprehensiveness and accuracy of the hazard assessment can be validated without such a walk-through.

Technical Comments:

1. A number of scenarios appeared to deserve emphasis in the hazard analysis, but were deemed to be "incredible" with no documented justification. The NESSG did not question any of these conclusions. For example, during high winds, the roof of the device assembly area (Area 27, Able site) could blow off allowing material to fall on the device during assembly operations. Similarly, falling or flying objects during a seismic event or a helicopter crash could damage the device. In each case there is the potential for high explosive detonation.

2. Cable Voltage:

a. Questions were raised concerning the potential threat presented by the presence of high voltage in the cable bundle from diagnostic equipment, after a nuclear explosive test device has been installed. An accident in the cable yard that could lead to high voltage on the firing cables has been identified by past NESSG members as potentially credible.

b.
While this topic received a lot of discussion, there was no resolution as to whether the practice was entirely safe - the NESSG accepted the discussion by the briefers and dropped the issue. The observed discussion created the impression that issues that are too difficult or extensive to be resolved at the table during the allotted time for the NESSG meeting might be dropped while reasonable doubts about the safety of a practice remained.

ENCLOSURE 2
Observations from the Nuclear Explosives Safety Study for the W-87 Rebuild at the Pantex Plant

Process Comments:

1. The input document was generally of a very high quality, a significant upgrade from previous documents.

2. Briefings to the NESSG were at an appropriate level of technical detail, with the exception of the briefing on criticality. This briefing was very summary in nature and did not provide sufficient technical detail to be usable by the NESSG, or to even guide them through the more detailed discussion in the input document.

3. The NESSG Chairman exhibited strong leadership of the review process, in some cases too strong. This at times led to him answering questions posed by other members, when the briefers should have been required to do so.

4. It was encouraging to see a number of NESSG members "in training," observing the actual NESS process. In addition, it was also encouraging to see a DOE-EH representative observing the process.

5. The NESSG had added independent "advisors" on the four technical areas (one-point safety, explosive safety, criticality, and risk assessment) being evaluated. These experts, who were both independent of the briefing organization and unencumbered with other NESSG duties, appeared to significantly enhance the technical vigor of the review.

Technical Comments:

1. There was a question with respect to the susceptibility of insensitive high explosive to electrical shocks.
The input document had contained only a short statement concerning the basic stability of plastic-bonded explosives with respect to electrical shock, but the document (vintage 1978) went on to note that perhaps some more testing should be done in this area.

2. The criticality presentation was highly summary in nature and did not address the specific configuration expected during operations. The input document provides the results of a number of criticality calculations that could be construed to be "bounding" in nature. However, other than asserting the safety of the operation, the input document did not draw conclusions concerning the specific operations envisioned.

ENCLOSURE 3
Observations from the Nuclear Explosives Risk Assessment for the LLNL Arming and Firing & Timing and Control (A&F/T&C) NESS at the Nevada Test Site

Process Comments:

1. The LLNL-prepared NERA input document had not been revised or augmented in the eleven months since it was issued. The LLNL A&F/T&C configuration had been simplified since the preparation of the NERA input document. One NESSG member requested that the input document be updated, or supplemented, to represent the current configuration. The Chairman stated that he did not believe any improvements to the input document were required, and would not permit the requested update.

2. One NESSG member questioned whether the NERA report contained the certification by the responsible laboratory management required by the February Interim NESS Guidance. It did not.

3. As of the time of this NESS, the Electrical Phenomena Master Study, which will update and replace the 1976 NTS Lightning Master Study, had not yet been issued. The need for this study was a formal recommendation of the 1988 LANL Timing and Firing Master Study. When questioned, the DOE-Nevada individual responsible stated that the new Master Study report was expected to be completed by the end of October.
Although there was no pressing need to complete the NESSG review of the LLNL A&F/T&C NERA, the NESSG did not elect to wait for the completion of this highly relevant document.

4. The NESSG Chairman answered questions from other NESSG members that should have been answered by the briefers. At times, the Chairman appeared to discourage debate among the NESSG members.

5. The NESSG Chairman opened the meeting by noting that this NERA deliberation was the first for an NTS NESSG, and that some "rough spots" were to be expected. Indeed, the NESSG appeared somewhat uncertain about what was expected of them; they discussed (1) whether they were supposed to "approve" the NERA, (2) whether they could request modifications, (3) whether all that was expected was a ruling whether the submitted NERA met the limited risk assessment requirements of DOE Order 5610.11, or whether the DP-20 interim guidance was applicable to this pre-dated NERA report, etc.

Technical Comments:

In general, the determination of credible abnormal environments that could result in a plutonium dispersal involving the A&F/T&C system was not well documented.

1. The NERA was limited to the scope of the hazard analysis of the input document for the 1992 NESS Master Study update, and therefore did not consider any of the scenarios proposed as potentially credible in the minority opinion to that Master Study. Some NESSG members stated that they had not expected the NERA to be limited by the previous study, but instead had expected it to represent an overall "new look."

2. The NERA report concluded (without documentation) that, except for lightning, there were no credible external abnormal event scenarios to introduce appropriate electrical energy to the detonator cables. This determination was made even though the NERA analysis itself also identified that a material fault in the cable (an internal event) was credible without any other initiating event.

3.
An independent technical expert advised the NESSG that the NERA was deficient in the area of documentation, most notably for the screening that was done to eliminate abnormal environments from consideration. The technical expert also noted that the lack of adequate documentation made it impossible to determine the comprehensiveness of the analysis.

ENCLOSURE 4
Observations from the Nuclear Explosive Safety Master Study of Security Operations at the Nevada Test Site

Process Comments:

1. The input document was a significant improvement from previous documents which have been reviewed by the Staff.

Technical Comments:

1. Need for Follow-on NESSG Meeting:

a. It became evident during the NESS review that the input document did not contain adequate information on the security controls and the relationship between the Security Operations Contractor (Wackenhut Security International - WSI) for the Device Assembly Facility (DAF) and design laboratories' operations. In particular, DAF security control, alarms, lockout points, and tactical response of WSI had not been finalized. As a result, a follow-up NESS review was determined to be necessary.

b. A separate NESSG meeting in December has been scheduled to review the DAF security procedures.

2. The NESS review appears to be proceeding independent of the preparation of the DAF Safety Analysis Report. It appears that the compatibility between the input document for the entire suite of DAF NESSs and the facility SAR should be evaluated.

3. A qualitative risk assessment of process hazards based on security task analyses was prepared by Los Alamos and identified critical hazards, six catastrophic hazards, and two marginal hazards. Positive measures to mitigate each hazard were identified. DOE has adopted the use of qualitative risk assessments for NESS studies to be reviewed this year. Following that, quantitative risk assessments will be performed.
ENCLOSURE 5
Observations from the Nuclear Explosive Safety Master Study of the Dimethyl Sulfoxide (DMSO) HE Dissolution Process at Pantex

Process Comments:

1. There were more technical advisors at this NESS than have been observed at prior NESSs, including experts in high explosives, criticality, metallurgy, risk analysis and other technical specialties. Also present were reviewers from DOE and NESSG trainees. The number of members, advisors, reviewers, and trainees created crowded conditions in the bay. In an improvement over past experience, NESSG members often relied on the technical advisors for expert opinion.

2. The input documents were all submitted in time; however, last-minute changes were submitted and discussed by the group and published as appendices to the final report. The most significant changes were to the risk analysis report. The probability of detonation of parts of explosive falling to the floor was decreased by several orders of magnitude upon consultation with the lab expert presenter at the NESSG meeting.

3. The NERA seemed accurate and complete, providing a prioritized set of hazards, for which adequate mitigation was demonstrated. However, there continues to be an apparent separation of the NERA preparation process from the technical input. The preparer from LLNL is not an expert in HE, where most of the hazards reside, and had to rely on experts for input. In one instance, this input was modified at the meeting, changing one probability of an otherwise significant hazard to insignificant. There were some questions regarding the NESS requirements for a NERA; however, most of the NESSG members recognized that only a qualitative risk assessment is currently required and that the DMSO NERA was adequate.

4. The process seemed rushed. It appears that more time should have been allotted to discussion of the issues and the input documents. One day for presentations did not appear to be enough.
For example, important discussions on risk assessment were squeezed into a few minutes at the end of one of the days at about 7 p.m. NESSG deliberations on the issues and report writing were also done at the end of long days.

5. In the past, NESSG members often supplied answers to questions posed by other NESSG members instead of allowing the presenter to answer the question. This questionable practice was only observed a few times during this NESS.

6. The NESSG worked on the report and signed off with no minority opinions on Friday before noon. It appears that the members and advisors were satisfied that all significant technical issues were successfully resolved. The final document and its appendices contain many of the changes to the input documents referred to above.

Technical Comments:

1. The NESSG noted many problems with the procedures, and criticized Mason & Hanger (M&H) for poor document change control and quality control.

2. Eight technical issues arose during the meeting and were resolved either through revision to the procedures or determined to be insignificant after discussion or additional presentations. For example, M&H was criticized for poor configuration management for allowing unauthorized equipment in the cell in proximity to the cell grounding cable. Also, during execution of the contingency procedures the cell contains many hoses and 110 VAC cords running in complex patterns. In violation of good electrical isolation practice, these hoses and cords come in contact with metal parts of equipment in the bay and with the cell grounding cable. M&H agreed to correct the problems with electrical isolation and change the procedures where required.