TRANSMITTED TO DOE/M. WHITAKER 7/5/95

DEFENSE NUCLEAR FACILITIES SAFETY BOARD

February 23, 1995

MEMORANDUM FOR: G.W. Cunningham, Technical Director
COPIES: Board Members
FROM: Donald J. Wille
SUBJECT: Savannah River Site - Review of Ventilation and Configuration Management at the Defense Waste Processing Facility (DWPF) - Trip Report (February 13-16, 1995)

1. Purpose: This report documents a review of ventilation systems and configuration management activities at the Defense Waste Processing Facility (DWPF) at the Savannah River Site (SRS) by Defense Nuclear Facilities Safety Board (DNFSB) technical staff, Donald J. Wille and Roger W. Zavadoski, on February 13-16, 1995.

2. Summary: The current U.S. Department of Energy (DOE) Order 5480.23, Nuclear Safety Analysis Reports, requires that the SAR explicitly demonstrate compliance with applicable Orders. Presently, the DWPF design does not explicitly demonstrate compliance with DOE Order 6430.1A, General Design Criteria, and DWPF is not planning to do so. In addition, appropriate deviations have not been submitted to DOE-Headquarters as provided for in the Order.

The Configuration Management Program at DWPF is based on continuing development and assessments over a two-year period, and is well advanced. Review of one Design Change Package (DCP) of 25 DCPs prepared to implement an extensive facility modification did raise a question regarding the lack of descriptive material and the potential difficulty of performing independent technical reviews of the engineering and design.

3. Background: The "Assured Confinement" review by DWPF led to the upgrading of selected ventilation and purge systems to safety class items. Prior to this review in 1994, there were no safety class items at DWPF other than portions of the structure. DWPF is currently in startup testing with expected readiness for radioactive operations by the end of 1995.

4. Discussion:

Ventilation Systems - DOE Order 5480.23, Nuclear Safety Analysis Reports, paragraph 8.b.(3).(b), requires that "the safety analysis report shall address . . . applicable . . . Departmental Orders." Attachment I to the Order, page 21, further clarifies this statement by adding, "Safety Analysis Reports (SAR) should identify the applicable . . . DOE Orders binding upon the safety basis and operation of the facility. Sufficient detail should be provided for the SAR to serve as a comprehensive reference on applicable . . . DOE Orders for use in engineering, operations management, program management, and safety oversight. Specific sections or references should be included in the SAR that explicitly demonstrate compliance with these applicable . . . Orders." These same requirements are also found on pages 10 through 12 of DOE-STD-3009-YR, Preparation Guide for U.S. Department of Energy, Nonreactor Nuclear Facility Safety Analysis Report.

Currently DWPF plans to present in the SAR a comparison of only safety class items to selected requirements of DOE Order 6430.1A, General Design Criteria. "Discrepancies" with the selected criteria are to be identified in the SAR. This selected method of presentation is contrary to both DOE Order 6430.1A and DOE Order 5480.23.

The recent "Assured Confinement" review of the DWPF ventilation systems has identified systems and portions of systems that required upgrading to Safety Class Items. These, as well as other modifications and alterations to the DWPF ventilation systems, bring these ventilation and purge systems under the purview of DOE Order 6430.1A as found in Division 1, Section 0101-1 of the Order. This in turn requires compliance with all other criteria in Order 6430.1A, including the methodology of "Criteria Deviations" as found in Section 0101-2.

As an example of criteria currently not being explicitly addressed by the DWPF SAR, consider the following requirements of DOE Order 6430.1A, Division 1300, Sections 1.4 and 3.
These require in part that

"Releases of hazardous materials postulated to occur as a result of DBAs [Design Basis Accidents] shall be limited by designing facilities such that at least one confinement system remains fully functional following any credible DBA (i.e., unfiltered/unmitigated releases of hazardous levels of such materials shall not be allowed following such accidents). Facility design shall provide attenuation features for postulated accidents (up to and including DBAs) that preclude offsite releases that would cause doses in excess of the DOE 5400 series limits for public exposure.

"Safety class items are systems, components, and structures, including portions of process systems, whose failure could adversely affect the environment or the safety and health of the public. Specifically, safety class items are those systems, components, and structures with the following characteristics:

   • Those whose failure would produce exposure consequences that would exceed the guidelines in Section 1300-1.4, Guidance on Limiting Exposure of the Public, at the site boundary or nearest point of public access.
   • Those required to maintain operating parameters within the safety limits specified in the OSRs during normal operations and anticipated operational occurrences.
   • Those required for nuclear criticality safety.
   • Those required to monitor the release of radioactive materials to the environment during and after a DBA.
   • Those required to achieve and maintain the facility in a safe shutdown condition.
   • Those that control the safety class items described above."

and

"The design of systems, component and structures that are not safety class items, as a minimum, be subject to conventional industrial design standards, codes, and quality standards. Failure of these items shall not adversely affect the environment or the safety and health of the public. In addition, their failure shall not prevent safety class items from performing their required functions."

From this short list of but a few requirements, the following three potential conflicts are noted:

   1. The present SAR does not explicitly state which DOE 5400 Series limit for public exposure is being used. This limit is significant in defining when a mitigating feature becomes a safety class item.
   2. In addition, the current SAR does not explicitly state which ventilation systems are operational to prevent "unmitigated/unfiltered" releases, which are not allowed by Section 1300-1.4.
   3. Further, the current SAR does not explicitly address the failure of nonsafety class items preventing safety class items from performing their required functions.

These are but a very few of the requirements listed in DOE 6430.1A that apply to safety class items and examples of how they are not being met at DWPF. The DNFSB staff explained to the DWPF staff that explicit comparison of the ventilation and purge systems to the criteria in DOE Order 6430.1A, Divisions 100, 1100, 1300, 1500 and 1600 would have to be assiduously applied to assure compliance with both DOE 6430.1A and 5480.23. Deviations from the criteria are allowed provided the requirements of Section 0101-2, DOE Order 6430.1A are met. Presently, the deviation requirements in DOE Order 6430.1A are not being met at DWPF.

Configuration Management - Design Change Package Review - As an example of the design change process, the contents and organization of one Design Change Package (DCP) were reviewed in the DWPF Document Control Center. This DCP covered the addition of ammonia scrubbers to the facility and included the scrubber that was involved in the recent event during testing when water was inadvertently added to the Melter Feed Tank through a vent line. The DCP was one of 25 DCPs that collectively implemented the DWPF Ammonia Mitigation Modification.
This DCP had a cumulative index listing all changes to the documents included in the package; however, there was no Table of Contents or description of the change. The calculation for sizing of the orifices in the water supply to the scrubbers was not included or referenced in the DCP. Apparently there was no overall description of how the 25 DCPs were related to each other to implement the functional requirements of the modification. It was expected that the cognizant engineer(s) would provide the necessary integration through the technical review process. This approach raises the question of whether an independent technical or management reviewer would be able to adequately review the DCP from a technical or safety basis.

Assessments - Initial assessment of configuration management elements was performed in 1993, and all resulting issues and action items were closed out by August 1994. Revision 3 of the DWPF Configuration Management (CM) Plan incorporated the lessons learned from the initial assessment. On-going assessments result from the startup testing program and post-modification testing, as well as QA surveillances and self assessments. A post-implementation (of CM program) readiness self assessment is scheduled from May to August 1995. The DNFSB staff plans to review the results of the readiness self assessment.

CM Plan - The site level CM program is detailed in SRS Manual 7E and implements DOE-STD-1073-93, Guide for Operational Configuration Management Program. In addition, according to WSRC personnel, the DWPF S/RID has been prepared to be in conformance with the wording and intent of the DOE standard. The specific CM Implementation Plan for DWPF is contained in procedure WSRC-IM-92-07, Revision 3, and Revision 4 is expected to be issued in March 1995. The Material Condition and Aging element has not been defined, awaiting development of a site wide program. The DNFSB staff plans to review the CM portion of the S/RID and Rev. 4 of the DWPF CM Plan when received.

CM Responsibility - Configuration management is the responsibility of the operating division for the facility. The operating division Engineering group, which is the design authority, is responsible for reaching and maintaining compliance with CM requirements. The site Engineering and Construction Services Division (E&CSD) provides site wide CM services and has a DWPF CM group matrixed into the DWPF Engineering group at the facility. This DWPF CM group provides services as authorized by the DWPF Program Manager through the DWPF Engineering Director. For example, the preparation of System Design Descriptions (SDD) by a contractor, Raytheon, is directed by the CM group, and the SDDs are reviewed and approved by the cognizant engineer in the Engineering group.

System Design - DWPF has 137 systems with identified boundaries for design purposes. These systems have been grouped into 69 System Groups for development of corresponding SDDs and one Facility Design Description (FDD). Twenty-seven SDDs have been prepared to date and 25 more will be completed by the end of FY 95. Safety classification of these systems and equipment into four categories in accordance with their Manual E7 procedure 2.25, and consistent with the recently completed accident analyses, is in progress. The DNFSB staff plans to review selected SDDs as part of the review of the safety basis and configuration management program.

Technical Baseline - The DWPF Facility Engineering documents included in the Technical Baseline and controlled through the CM program are identified in a facility procedure with the corresponding change mechanism for the document. This Technical Baseline includes design input and design output documents, such as reports, design calculations, plans, diagrams, drawings, etc. The documents controlled under the CM program also include computer software programs which are specific to the DWPF facility operation.
Examples of this software are programs for automatic operations sequences when manually initiated, programs for performing process calculations as part of the plant control system, and a facility specific program for simulation of the facility response to changes in process parameters.

Document Control - Central document control for the Savannah River Site has a DWPF Satellite Document Control Center located at the facility. This provides easy access to documents by the staff and permits timely updating of the essential documents in the DWPF Control Area. After a plant modification is field completed, the affected essential drawings (630 total) are updated and reissued to the Control Area within 7 days, with a goal to reduce this time to 2 days.

Temporary Modifications - All temporary modifications to DWPF are covered by an E-7 Site Manual procedure 2.06, Rev. 1, and require the Operations Manager's and Engineering Director's approvals. Each temporary modification has a design authority technical review, including an Unreviewed Safety Question (USQ) review, and is installed and removed by the Work Control process. A Temporary Modification log is maintained and is subject to a monthly audit by Operations. The temporary modifications currently installed in DWPF total 81, down from 152 in January 1994 and a peak of 272 in 1993. The goal for the end of 1995 is 45 active temporary modifications. The approach and performance to date indicate that the temporary modification process is treated seriously and is not to be used to bypass the formal change process.

5. Future Staff Actions: The DNFSB staff plans to review the following items at DWPF:

   a. Additional review will be necessary to assure compliance with the requirements of DOE Orders 5480.23 and 6430.1A regarding the ventilation and purge systems.
   b. Review of Configuration Management procedures, System Design Descriptions, and Design Change Packages regarding the requirements of DOE Order 5700.6C, Quality Assurance.