TRANSMITTED TO DOE/M. WHITAKER 05/15/95 DEFENSE NUCLEAR FACILITIES SAFETY BOARD February 4, 1995 MEMORANDUM FOR: G. W. Cunningham, Technical Director COPIES: Board Members FROM: Ajit K. Gwal SUBJECT: Savannah River Site (SRS) - In-Tank Precipitation (ITP) and Defense Waste Processing Facility (DWPF) - Trip Report (January 4-6, 1995) 1. Purpose: This report documents a review of electrical, instrumentation and control systems at the In-Tank Precipitation (ITP) facility and open issues from previous meetings at the Defense Waste Processing Facility (DWPF). These reviews were performed by Defense Nuclear Facilities Safety Board (Board) technical staff, Ajit K. Gwal and R. Todd Davis on January 4-6, 1995. 2. Summary: a. ITP: 1. Electrical Calculations: Electrical calculations, which are required by industry standards (American National Standards Institute (ANSI) and Institute of Electrical and Electronics Engineers (IEEE)) to ensure the adequacy of ITP electrical equipment during fault conditions, are not available. Therefore, the capability of electrical equipment to withstand short circuit currents and not create unsafe conditions for site workers cannot be verified. 2. Electrical Installation: Excessive overfill of ITP cable trays is a fire hazard; this condition also reduces the electrical system reliability. In addition, several 480 volt cables are routed on the grated steel floor above tank 48; this creates a worker safety concern. 3. Backup Power Supply: Diesel generators (DGs) were recently downgraded in classification from Critical Protection (CP) to Production Support (PS). This change may reduce the backup power supply system reliability requirement. These DGs supply backup power for important critical loads that are safety related (e.g., nitrogen ventilation, oxygen monitors, etc.) 4. Loss of Electrical Power: During a loss of electrical power, there is a possibility of contamination spread due to an air leakage path available in the filter building cells and from tanks 48 and 49. b. DWPF: 1. Control Room Fire Suppression: The planned use of a water sprinkler system in lieu of a halon system in the control room may damage control room equipment. In addition, water intrusion into electrical panels could result in electrical shorts and spurious operation, thereby making it difficult to control the plant from remote control panels. 2. Alarm Management System: Although 38% of the process alarms have been removed, 2,000 process alarms remain; further reductions and software improvements are planned. A large number of alarms sounding simultaneously may confuse the control room operators and create unsafe conditions. 3. Emergency Lighting: The illumination level of emergency lighting does not meet the criteria of the National Fire Protection Association (NFPA) 101, Life Safety Code (LSC), based on test results. 3. Background: The ITP facility is used to separate high-level waste supernate into a high-level waste and a low-level waste. The high-level waste will be the feed material for vitrification operations at the DWPF. The low-level waste will be processed at the saltstone facility. The ITP facility and the DWPF vitrification plant are scheduled to commence radioactive operations in June 1995 and December 1995, respectively. At the DWPF, eleven open issues in the fire protection, electrical, instrumentation and control systems were previously identified by the Board's staff. 4. Discussion: a. The review identified the following potentially significant safety issues at the ITP facility: 1. Electrical Calculations: Electrical calculations for voltage profile, short circuit studies and protective device coordination, as required by the American National Standards Institute (ANSI)/Institute of Electrical and Electronics Engineers (IEEE) standard 141, "IEEE Recommended Practice for Electrical Power Distribution for Industrial Plants," and ANSI/IEEE standard 242, "IEEE Recommended Practice for Protection and Coordination of Industrial and Commercial Power Systems," are not available. Therefore, the capability of electrical equipment to withstand available short circuit currents and not create unsafe conditions for site workers cannot be verified. In addition, without these calculations the safety performance of electrical equipment cannot be evaluated. 2. Electrical Cable Installation: During a review of electrical cable installation practices, Board staff observed serious overfill conditions in the cable trays. This condition could create a fire hazard; it could also reduce electrical system reliability. The Board's staff also observed that several 480 volt power cables are routed on steel grating above tank 48. This condition violates NFPA 70, National Electric Code (NEC), requirements and creates a worker safety concern. The staff considers that this deficiency be resolved as soon as possible. 3. Backup Power Supply: Two standby diesel generators (non- redundant) supply backup power for some loads including loads classified as CP (e.g., Nitrogen ventilation, Composite Lower Flammability Limit (CLFL) and Oxygen monitors). Recently, the Westinghouse Savannah River Company (WSRC) changed the classification for these diesel generators from CP to PS. The classification change may result in reduced backup power reliability for the CP systems because of maintenance and engineering support differences. WSRC will provide the Board's staff with documentation identifying the maintenance and support differences between a PS generator and a CP generator, and will also provide the rationale for feeding CP loads from a PS supply. 4. Loss of Electrical Power: During a review of a complete loss of power scenario (both normal and backup power), Board staff observed that a leakage path exists in the filter building from the filter cell covers. Under normal conditions, the filter building ventilation system maintains air flow into the filter cells and prevents spread of contamination. During a complete loss of power, the air flow will cease and contamination may be released from the filter cells to the crane control room that may be occupied by operators. This creates a hazardous condition for the operators since there are no continuous air monitors in that room. Similar leak paths (during a complete loss of power) are present in the tank 48 and 49 tops. 5. Composite Lower Flammability Limit (CLFL) and Oxygen Analyzers: ITP tanks 48 and 49 have two oxygen analyzers per tank. The highest oxygen analyzer concentration signal is used to control nitrogen purge flow during normal purge system lineup. Failure of both oxygen analyzers may result in inadvertent decrease in nitrogen flow. However, concentration signals are compared by a control system that notifies operators of any analyzer malfunction. WSRC will evaluate this condition and determine if redundant oxygen analyzers are required. ITP tanks 48 and 49 also have one CLFL analyzer per tank. Failure of the CLFL analyzer precludes monitoring and alarm of elevated benzene levels. ITP is installing analyzers that are identical to CLFL analyzers used in the H-area tank farms for the last three years. The estimated sensing element lifetime for these monitors is approximately three years. There is currently neither a requirement to periodically replace sensing elements nor a program for evaluating sensing element condition. Preventive maintenance of both types of analyzers consists of quarterly calibration. Both types of analyzers have the capability of measuring instrument sensitivity that is useful in predicting analyzer failure. The Board's staff believes that a procedure for determining analyzer condition and replacement criteria is necessary to ensure that these safety related analyzers are operating properly. 6. Lightning Protection: Lightning protection analysis in accordance with NFPA-780, Lightning Protection Code, is not available. WSRC states that any future modifications will be done in accordance with NFPA-780; however, one analysis reviewed assumes that the new modification falls under the "zone of protection" of the facility stack although the lightning protection analysis of the stack is not available. 7. Control and Alarm Systems: ITP utilizes two process control systems. The first system, which provides process parameter display and limited control capability, uses Programmable Logic Controllers (PLCs) that communicate with several computer systems. The second control system, which partially replaced the PLC based system to provide increased process control, flexibility and reliability, utilizes a Texas Instruments designed Distributed Control System (DCS). Because all required safety-related alarms and interlocks are hardwired independent of these two control systems, these systems are not classified as CP systems. In 1993, WSRC established an alarm review committee to review the large number (approximately 1300) of alarms and interlocks associated with the control systems. The review verified that all safety alarms and interlocks are hardwired independent of the control systems. Although over 100 alarms were deleted, a significant number of process related alarms remain. WSRC is taking additional steps to classify the alarms that will allow prioritization when multiple alarms sound. This will eliminate the possibility of any confusion by a large number of alarms sounding simultaneously during certain accident scenarios. The hardwired alarms have a separate display panel which ensure prompt attention to safety-related alarms. Although the DCS system typically provides alarms that are redundant with the hardwired alarms, the hardwired alarms appear to be used by control personnel because of their fewer number and the display panel is simpler. b. The review identified the following issues at the DWPF: 1. WSRC presented resolution of nine of the eleven fire protection, electrical, instrumentation and control open issues identified in earlier staff trips to DWPF. Five of these resolutions required hardware or software design modifications. The Board's staff considers the plan for closure of these nine issues technically adequate; however, the staff will review the technical documentation, when received, to confirm final closure of these issues. A description and status of all open DWPF fire protection, electrical, instrumentation and control open issues are provided in the attachment. 2. During this review, the Board's staff noted that a large number of alarms sounding simultaneously may confuse the control room operators during certain accident scenarios. WSRC plans to group the remaining alarms to provide a simpler display for operators by November 1995. Also, WSRC is installing a software package that intercepts incoming alarms and attempts to determine the cause of the alarm condition based on other plant status available in the distributed control system. This is scheduled to be complete in May 1995. 3. Because halon will not be available in the future, WSRC plans to use a water sprinkler system in the control room. Inadvertent water discharge from this system may damage control room equipment. A large number of alarms sounding simultaneously may confuse the control room operators and create unsafe conditions by a confused operator's inability to shut down the plant. WSRC is evaluating this concern and will determine the appropriate fire suppression system for the control room prior to January 30, 1995. 5. Future Staff Actions: The Board's staff will perform follow-up reviews as required to pursue the issues raised in this trip report. Attachment DWPF Fire Protection, Electrical, Instrumentation and Control Issues I. Introduction: This attachment provides a listing and discussion of the Defense Waste Processing Facility (DWPF) fire protection, electrical, instrumentation and control issues. II. Open DWPF Issues: The following two DWPF issues remain open: A. Control Room Fire Suppression: WSRC intends to provide a water sprinkler fire suppression system in lieu of a halon system in several areas containing electrical equipment, including the control room. The Board's staff is concerned that water intrusion into electrical panels could result in electrical shorts and spurious operation, thereby making it difficult to control the plant from remote control panels. WSRC is still reviewing the fire suppression options and has committed to determine the appropriate system for the control room prior to January 30, 1995. B. Alarm Management System: The Board's staff is concerned about the design, management, and handling of alarms at DWPF. The Distributed Control System (DCS) has approximately 12,000 monitoring points (measurement points, interlocks, and alarms) and approximately 3,100 process alarms. A large number of alarms sounding simultaneously may confuse the control room operators during certain accident scenarios and create unsafe conditions. DWPF has implemented an alarm management program to reduce the number of alarms and to prioritize and simplify the remaining alarms. Approximately 1,100 process alarms were removed but 2,000 alarms remain. Currently, WSRC is "ganging" related alarms to provide a simpler display for operators. Completion of alarm reduction and "ganging" is scheduled for November 1995. As a part of the alarm handling system, the number of operator alarm acknowledgement steps has been reduced from five to two. A WSRC contractor has developed an alarm management computer software system that will further simplify the DWPF alarm system. An intelligent software system intercepts incoming alarms and attempts to determine the cause of the alarm condition based on other plant parameters available in the DCS. WSRC is scheduled to complete installation of this system in May 1995. III. Other DWPF Issues: Board staff reviewed the following additional open DWPF issues: A. Diesel Generators: The two DWPF Diesel Generators (DGs) were tested by WSRC to determine their adequacy to accept sequenced load while maintaining the required voltage regulation. However, the test was performed with the DGs loaded to only approximately 50% of the rated capacity. Based on anticipated design modifications, as stated by WSRC electrical personnel, the DGs may be loaded to approximately 100% of rated capacity. Based on the higher loading, WSRC will perform a loss of offsite power test with full rated capacity to confirm the DG adequacy in June 1995. The Board staff will review the test results to ensure the DGs are adequate to perform their intended function. B. Emergency Lighting Adequacy: The illumination level of emergency lighting does not meet the criteria of NFPA 101, Life Safety Code (LSC), based on a test performed by WSRC. WSRC management and a fire protection engineer performed a walk down of the facility under emergency lighting conditions and determined that the illumination levels are adequate for egress. Based on this walk down, WSRC has requested DOE to waive the LSC illumination requirement. The Board's staff will review the test results and waiver documents, when received. The Board's staff was concerned that emergency lighting equipment is neither seismically qualified nor seismically supported. In the event of an earthquake, emergency light is needed for personnel egress from the facility. WSRC will evaluate this condition. C. Battery Room Ventilation: WSRC has satisfactorily resolved the following Board staff concerns by issuing and implementing design modifications to the battery room ventilation system: 1. Exhaust points in the battery room are now moved near the ceiling high enough to ensure complete hydrogen removal. 2. Battery room exhaust now have loss of air flow alarms as required by ANSI C2, National Electrical Safety Code. 3. Calculations are available to support an assessment of battery room ventilation. D. Instrument Bus Redundancy: Two separate, fully redundant ventilation systems with power supply from separate distribution busses are provided for the central control room. However, flow instrumentation for both ventilation systems are receiving power from a single power distribution bus. WSRC has implemented a design modification that places the power feed for the flow instrumentation on separate redundant busses. E. Protective Device Coordination: Based on ANSI/IEEE-242, "IEEE Recommended Practice for Protection and Coordination of Industrial and Commercial Power Systems," WSRC has completed the coordination calculations and will provide the calculations to the Board's staff by January 30, 1995. F. Rosemount Transmitters: DWPF utilizes greater than 500 Rosemount transmitters. Two models are the subject of concern as identified in Nuclear Regulatory Commission Inspection and Enforcement (IE) Bulletins. Based on the lower service pressures and lower safety significance, however, WSRC does not believe that any action on the transmitter needs to be taken. G. Glass Waste Storage Building(GWSB): The GWSB is designed for safe handling and interim storage of glass filled waste canisters while they await transfer to a permanent storage location. In previous reviews Board staff has expressed concerns that the temperature monitoring system may not detect "hot spots" which could result in structural degradation. WSRC evaluations show that temperature monitoring is sufficient. In addition, WSRC stated that canisters will be loaded into the GWSB in a staggered manner to ensure an even heat distribution. DWPF calculations will be reviewed by the Board's staff to ensure that structural integrity is maintained following design basis events that cause long-term loss of ventilation. H. Fire Pump Electrical Data: DWPF has provided the staff with design specifications and calculations for the fire pump motor system. The Board's staff will review the design to ensure the fire pump system is adequate. I. Loss of Power: A complete loss of power occurred at DWPF on July 13, 1994. Several corrective actions were identified as a result of this event. WSRC stated that all 15 corrective actions have been completed and has submitted the closure documentation.