TRANSMITTED TO M. WHITAKER 02/19/97
DEFENSE NUCLEAR FACILITIES SAFETY BOARD
December 18, 1996
| MEMORANDUM FOR: | G. W. Cunningham, Technical Director |
| COPIES: | Board Members |
| FROM: | T. Davis |
| SUBJECT: | Defense Waste Processing Facility Instrumentation, Control, and Fire Protection Systems |
1. Purpose
This report documents observations regarding instrumentation, control, and fire protection systems at the Defense Waste Processing Facility (DWPF) at the Savannah River Site (SRS). These observations were made by members of the Defense Nuclear Facilities Safety Board staff, T. Davis and A. Gwal, during a visit to SRS on December 10-12, 1996.
2. Summary
DWPF uses a programmable digital controller to initiate several safety interlocks. Failure of this controller is not monitored and therefore might not be identified until the annual interlock test. Moreover, seismic interlocks that would place the facility in a safe condition following an earthquake are collocated and do not appear to conform to the separation and single-failure criteria for safety-class equipment.
3. Background
DWPF has vitrified approximately 90 canisters of waste from the tank farms since operations began in March 1996. The facility is designed to vitrify both sludge from the Extended Sludge Processing Facility and precipitate from the In-Tank Processing (ITP) Facility. Because facilities and systems for precipitate operations were not complete at the time of DWPF startup, Westinghouse Savannah River Company (WSRC) started the facility with sludge-only operations. Additional review and readiness assessments by the contractor and the Department of Energy (DOE) will be required before the facility begins processing precipitate solutions. Construction of precipitate facilities will be complete in May 1997; however, feed from ITP will not be available until late 1997 at the earliest.
4. Discussion
Safety Interlocks. Safety-related instruments monitor important plant parameters and will initiate interlocks to place the facility in a safe condition should a limit be exceeded. For some of these interlocks, a programmable digital controller is used to compare the measured instrument value with a limit stored in memory. Failure of this controller would prevent these interlocks from functioning, although local and distributed control system (DCS) indications would remain operable. The controller has internal monitoring capabilities that will identify failures; however, operators and maintenance personnel do not routinely check this indication. Therefore, software and hardware failures might not be identified until the annual interlock test. WSRC is reviewing the controller design and the daily surveillance procedure to determine whether they require modification.
Two gas chromatographs are used to provide redundant measurement of hydrogen concentration in the chemical process cell. However, a single digital controller monitors both instruments. It would be prudent to use multiple controllers or relays to maintain the redundancy provided by the two gas chromatographs.
Seismic Interlocks. DWPF uses seismic interlocks at the Low Point Pump Pit and the vitrification building that would place the facility in a safe condition following a seismic event. Accelerometers measure ground motion and would initiate the interlocks (using relays instead of a digital controller). Two of these interlocks have been installed to provide redundancy; however, the seismic interlocks at the Low Point Pump Pit are in the same room within several feet of each other. Such an installation does not meet Institute of Electrical and Electronics Engineers standards for separation and single failure for safety-class equipment.
Distributed Control System Upgrade. The DCS will be upgraded during the next 2 years to increase system performance and flexibility. WSRC originally scheduled this upgrade to coincide with melter replacement. However, because WSRC does not plan to replace the melter until it fails, the DCS upgrade will now be completed independently of melter replacement. It will be difficult to upgrade the DCS while the facility is operating. WSRC must ensure that these upgrades are scheduled, installed, and tested so as not to impair operator control of the facility.
Ampacity Derating of Fire-Protected Cables. DWPF uses 2-hour fire-rated barriers to protect cables in the diesel building in the event of a fire. Because fire-protection barriers reduce the cable heat transfer characteristics, the cable ampacity may need to be derated to ensure that the cables perform adequately. WSRC is reviewing these cables to ensure use of the appropriate ampacity derating.
5. Future Staff Actions
To support precipitate solution processing in late 1997, the staff will review the adequacy of the safety systems and programs of the Late Wash Facility, the Low Point Pump Pit, and the salt process cell, including readiness to start up. Additionally, the staff will ensure that the lessons learned in resolving safety issues at ITP are applied to DWPF.