15 December 2004


[Federal Register: December 15, 2004 (Volume 69, Number 240)]
[Notices]               
[Page 75047-75049]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr15de04-45]                         

=======================================================================
-----------------------------------------------------------------------

DEFENSE NUCLEAR FACILITIES SAFETY BOARD

[Recommendation 2004-2]

 
Active Confinement Systems

AGENCY: Defense Nuclear Facilities Safety Board.

ACTION: Notice, recommendation.

-----------------------------------------------------------------------

SUMMARY: The Defense Nuclear Facilities Safety Board has unanimously 
approved Recommendation 2004-2, for DOE to consider. Recommendation 
2004-2 deals with the confinement of hazardous materials at defense 
nuclear facilities in the Department of Energy complex.

DATES: Comments, data, views, or arguments concerning the 
recommendation are due on or before January 14, 2005.

ADDRESSES: Send comments, data, views, or arguments concerning this 
recommendation to: Defense Nuclear

[[Page 75048]]

Facilities Safety Board, 625 Indiana Avenue, NW., Suite 700, 
Washington, DC 20004-2001.

FOR FURTHER INFORMATION CONTACT: Kenneth M. Pusateri or Andrew L. 
Thibadeau at the address above or telephone (202) 694-7000.

    Dated: December 10, 2004.
A.J. Eggenberger,
Vice Chairman.

Recommendation 2004-2 to the Secretary of Energy, Pursuant to 42 U.S.C. 
2286a(a)(5), Atomic Energy Act of 1954, As Amended

    Dated: December 7, 2004.
    There is a long-standing safety practice in the design, 
construction, and operation of nuclear facilities to build-in and 
maintain structures, systems, and components that contain or confine 
radioactive materials. The Department of Energy (DOE) establishes 
requirements to ensure such containment or confinement. In the 
hierarchy of safety controls, passive design features are preferred 
over active systems; however, controls must be capable of performing 
their intended function. Passive confinement systems are not 
necessarily capable of containing hazardous materials with 
confidence because they allow a quantity of unfiltered air 
contaminated with radioactive material to be released from an 
operating nuclear facility following certain accident scenarios. 
Safety related active confinement ventilation systems will continue 
to function during an accident, thereby ensuring that radioactive 
material is captured by filters before it can be released into the 
environment.
    The enclosed technical report, DNFSB/TECH-34, Confinement of 
Radioactive Materials at Defense Nuclear Facilities, compares the 
benefits of including a safety-related active confinement 
ventilation system to those of relying only on a passive confinement 
system. This technical report illustrates that using only a passive 
confinement system for an existing or new defense nuclear processing 
facility would not account for many safety considerations such as 
post-accident monitoring and response, and may result in the release 
of an undeterminable amount of radioactive materials, the 
consequences of which could approach that of the unmitigated 
scenarios.
    The Defense Nuclear Facilities Safety Board (Board) has advised 
DOE in various ways during the past decade regarding the need to pay 
increased attention to the design and operational reliability of the 
confinement ventilation systems at defense nuclear facilities. These 
Board efforts include transmittal of a technical report on May 31, 
1995, Overview of Ventilation Systems at Selected DOE Plutonium 
Processing and Handling Facilities, a letter to the Deputy Secretary 
of Energy dated July 8, 1999, and Recommendation 2000-2, 
Configuration Management, Vital Safety Systems, on March 8, 2000. 
This advice has helped DOE improve the reliability of its 
confinement ventilation systems. However, DOE requirements have 
become less prescriptive during the last decade as DOE Order 
6430.1A, General Design Criteria Manual, was replaced with DOE Order 
420.1, Facility Safety, and its subsequent revisions. Furthermore, 
it has become apparent that the Board's advice on confinement 
systems is not being rigorously pursued as evidenced by the 
following:
     On December 27, 2002, the Board sent a letter to the 
National Nuclear Security Administration (NNSA) regarding the 
confinement concept used for the Highly Enriched Uranium Materials 
Facility at the Y-12 National Security Complex. The proposed 
confinement concept was based on isolating the radioactive material 
in the building using a passive confinement system under certain 
abnormal events. The Board communicated safety concerns associated 
with this concept in the letter; subsequently, the confinement 
concept for HEUMF was modified to adopt a safety-related active 
ventilation system.
     On April 12, 2004, the Board sent a letter to the 
Administrator of NNSA regarding similar safety issues related to the 
confinement systems for the plutonium facility at the Lawrence 
Livermore National Laboratory. The proposed approach utilized 
passive confinement of radioactive material from the facility during 
certain accident scenarios. Further, because the offsite dose 
consequences of such an unfiltered release were calculated to be 
below DOE's evaluation guideline (25 rem), the proposal included 
downgrading the existing safety-class active confinement ventilation 
system to a safety-significant system. The Board believed that the 
new approach was inconsistent with a defense-in-depth philosophy. 
Subsequently, the Livermore Site Office commissioned an independent 
calculation of the amount of the unfiltered release. These 
calculations yielded results that were an order of magnitude greater 
than the original building leakage estimates--clearly indicating 
that significant uncertainties existed in the analytical techniques. 
As a result, NNSA decided to maintain the existing safety-class 
active confinement ventilation system.
     On August 27, 2004, the Board sent a letter to the 
Under Secretary of Energy regarding the confinement approach 
proposed for the Salt Waste Processing Facility at the Savannah 
River Site. The confinement concept for this new facility is based 
on isolation of the process building using passive confinement 
during accident scenarios. The Board suggested that the salt waste 
facility should be designed with a safety-related active ventilation 
system.
    A number of existing facilities (including the TA-55 Plutonium 
Facility, the Device Assembly Facility, and the Hanford Evaporator) 
rely on passive or non-safety related confinement systems. More 
importantly, designs for proposed facilities (including Chemistry 
and Metallurgy Research Replacement Facility and the Salt Waste 
Processing Facility) are based on the same passive confinement 
concept and use an assumed quantitative value for the building leak 
path factor as a design criterion.
    These examples illustrate two primary concerns. First, a 
reliance on calculations that do not appropriately account for large 
uncertainties is not defensible. These analytically determined 
building leak path factors are based on a combination of several 
computer programs that were not specifically designed for this 
purpose. Furthermore, it is generally impossible for these programs 
to model the true conditions of a real accident because of the 
uncertain behavior of the workers and emergency crews responding to 
the event.
    Second, these examples represent a fundamental change in DOE's 
approach to protection of the public near defense nuclear 
facilities. DOE appears to be using the evaluation guideline of 25 
rem exposure at the site boundary as a design criterion and an 
allowable dose to the public. This is contrary to the Board's July 
8, 1999 letter to the Deputy Secretary of Energy that states ``the 
25 rem evaluation guideline is not to be treated as a design 
acceptance criterion nor as a justification for nullifying the 
general design criteria relative to defense-in-depth safety 
measures.'' It is also contrary to DOE-STD-3009 that states that the 
25 rem evaluation guideline ``is not to be treated as a design 
acceptance criterion.'' However, the Board continues to see 25 rem 
at the site boundary used as an acceptance criterion for the 
performance of confinement systems. The Board is concerned that in 
these examples DOE and its contractors are underestimating the 
significance of the performance requirements for a confinement 
ventilation system and are relying on questionable calculations of 
offsite doses to evaluate performance. The Board reiterates that the 
25 rem evaluation guideline is solely to be used for guidance for 
the classification of safety controls, and not as an acceptable dose 
to the public for the purpose of designing or operating defense 
nuclear facilities.
    Notwithstanding the concerns discussed above, DOE continues to 
pursue a passive confinement approach in the design of some new 
nuclear facilities that have the potential for a radiological 
release. The Board recognizes that DOE's defense nuclear complex is 
comprised of a wide variety of nuclear facilities with an equally 
diverse range of materials, forms, activities, and proximities to 
the public. For this reason, it is difficult to prescribe a single, 
broadly-applicable design requirement. However, in light of the 
examples discussed above, the Board believes a more prescriptive 
design requirement is needed.
    The Board further recognizes that certain Hazard Category 2 and 
3 defense nuclear facilities may not benefit significantly from an 
active confinement ventilation system. An example would be a 
facility that stores radioactive material in protected, safety-class 
containers. Other examples may be certain tritium facilities, 
outside storage locations, burial grounds, or facilities with 
planned declining nuclear material inventories and scheduled for 
decommissioning in the near future. This recommendation is not meant 
to require an active confinement ventilation system in all such 
cases.
    Therefore, the Board recommends that DOE:
    1. Disallow reliance on passive confinement systems and require 
an active confinement ventilation system for all new and existing 
Hazard Category 2 defense nuclear facilities with the potential for 
a

[[Page 75049]]

radiological release. These systems are expected to be classified as 
safety-class or safety-significant as required by a conservative 
application of DOE-approved methodology, and should be designed and 
maintained to function during abnormal and accident conditions. 
Exceptions to such classifications should be approved at a level in 
DOE that ensures a consistent, conservative approach throughout the 
complex.
    2. Disallow reliance on passive confinement systems and require 
an active confinement ventilation system for all new and existing 
Hazard Category 3 defense nuclear facilities with the potential for 
a radiological release. These systems would not ordinarily be 
classified as safety-class or safety-significant unless such 
designation is required by the DOE-approved methodology.
    3. Revise all applicable DOE directives pertaining to operation 
of existing facilities, design and construction of new facilities, 
and major modifications to existing facilities, in accordance with 
Items 1 and 2 above. These revisions should include guidance for 
determining when a facility would not benefit from an active 
confinement ventilation system.
    4. Assess existing facilities, ongoing major modifications, and 
new design/construction projects, to ensure that:
    (a) The confinement strategy described above is implemented, and
    (b) The 25 rem evaluation guideline is used solely for 
classification of safety controls.
    Section 42 U.S.C. 2286d(e) provides authority to the Secretary 
of Energy to ``implement any such Recommendation (or part of any 
such Recommendation) before, on, or after the date on which the 
Secretary of Energy transmits the implementation plan to the Board 
under this subsection.'' The Board suggests that the Secretary of 
Energy consider taking action on Item 4 above in parallel with the 
development of an Implementation Plan for this Recommendation.
    In addition, the Board's Recommendation 2004-1, Oversight of 
Complex, High-Hazard Nuclear Operations, addresses the need for 
complex-wide consistency in the application of DOE requirements and 
expectations. The Board expects the mechanisms established in 
response to Recommendation 2004-1 would likewise ensure consistent, 
conservative implementation of the confinement requirement provided 
here.

John T. Conway,
Chairman.
[FR Doc. 04-27426 Filed 12-14-04; 8:45 am]

BILLING CODE 3670-01-P


http://www.deprep.org/2004/fb04d07b.htm

DNFSB/TECH-34

 

 

 

 

CONFINEMENT OF RADIOACTIVE MATERIALS

AT DEFENSE NUCLEAR FACILITIES


 

Defense Nuclear Facilities Safety Board

 

Technical Report

 

 

 

 

 

 

 

 

 

 

 

October 2004

 

 



 

 


Confinement of Radioactive Materials

 at

Defense Nuclear Facilities

 

 

 

 

 

 

 

 

  

This report was prepared for the Defense Nuclear Facilities Safety Board by the following staff members:

 

Farid Bamdad

Roger W. Zavadoski

 

with assistance from:

 

Wayne L. Andrews              Roy E. Kasdorf

Timothy J. Dwyer                 David N. Kupferer

Matthew B. Moury              Charles M. March

 



 

 

  EXECUTIVE SUMMARY

 

 

            The design of defense nuclear facilities includes systems whose reliable operation is vital to the protection of the public, workers, and the environment.  Confinement ventilation systems are among the most important of such systems for protecting the public, and are generally relied upon as the final safety-class barrier to the release of hazardous materials with potentially serious public consequences.  The Defense Nuclear Facilities Safety Board (Board) has advised the Department of Energy (DOE) in various ways during the past decade regarding the need to increase attention to the design and operational reliability of these important systems.

 

            The Board, however, has recently observed a fundamental change in the approach to protection of the public at certain defense nuclear facilities.  This change has resulted in downgrading of the functional safety classification of confinement ventilation systems.  Specifically, DOE contractors operating or designing defense nuclear facilities have, through a strong reliance on analytical estimates of passive leakage, prepared safety bases that have resulted in downgrading and sometimes elimination of the safety-class function of confinement ventilation systems.  This approach can potentially result in the unfiltered release of air containing radioactive materials during an accident.

 

            This report describes this misuse of DOE requirements, which provides only minimum levels of required protection to the public.  The report also compares this approach with the traditional approach of using a safety-class confinement ventilation system; hence, minimizing more effectively any off-site radiological impact.

 

            In addition, this report demonstrates that analytical tools used to predict passive leakage do not account for many of the uncertainties involved (e.g., the dynamics of the event, diurnal effects, wind, emergency evacuation or egress).  Passive leakage analyses often do not consider all of the issues that must be addressed should an accident occur.  These include monitoring of releases, limiting contamination, and supporting accident recovery.  These uncertainties and additional considerations further justify a preference for a safety-class confinement ventilation system as the primary means of protecting the public against the potential release of radioactive material.

 

            In light of these observations, DOE needs to provide additional guidance and explicitly state its policy regarding adequate protection of the public and workers by mandating a safety- related active confinement ventilation system for those defense nuclear facilities that pose the potential for significant radiological consequences.




 


TABLE OF CONTENTS

 

 

Section                                                                                                                                       Page

1.               INTRODUCTION AND BACKGROUND............................................................. 1-1

 

2.               ACTIVE VERSUS PASSIVE CONFINEMENT.................................................... 2-1

 

                             2.1       Active Confinement Systems ................................................................. 2-1

                             2.2       Passive Confinement Systems  .............................................................. 2-3

                             2.3       Case Study for Passive Structural Confinement....................................... 2-6

 

3.               EVOLUTION OF CONFINEMENT REQUIREMENTS...................................... 3-1

 

4.               CONCLUSIONS....................................................................................................... 4-1

 

 

 




 

1.  INTRODUCTION AND BACKGROUND

 

 

            A principal risk to the health and safety of the public and workers from defense nuclear facilities is the release and dispersal of radioactive materials.  Prevention of such release and dispersal is an important function of confinement systems.  This vital function has been the focus of numerous reviews conducted by the Defense Nuclear Facilities Safety Board (Board) during the past decade.

 

            On May 31, 1995, the Board transmitted to the Department of Energy (DOE) the results of a 2-year study on the confinement ventilation systems in the defense nuclear complex in DNFSB/TECH-3, Overview of Ventilation Systems at Selected DOE Plutonium Processing and Handling Facilities.  In a subsequent letter dated June 15, 1995, the Board requested that DOE provide a “report that evaluates the design, construction, operation, and maintenance of ventilation safety systems at DOE’s plutonium processing and handling facilities in terms of applicable DOE and consensus standards . . . .”  Although DOE took several actions in response to the issues raised by the Board, the Board believed that the important safety function of confinement required more attention by DOE.  Consequently, the Board issued Recommendation 2000-2, Configuration Management, Vital Safety Systems, on March 8, 2000.

 

            These efforts by the Board have helped DOE improve the reliability of confinement ventilation systems.  In some instances, degraded components have been identified and repaired or upgraded; in other instances, design deficiencies have been discovered and corrected.  The Board expects DOE to continue this assessment and improvement process.  Such continued vigilance is needed to maintain and improve the reliability of important safety systems.

 

            Despite these efforts by the Board to improve the reliability of confinement ventilation systems at defense nuclear facilities, continued erosion has been observed in recent years in maintaining high expectations for the design and maintenance of such systems.  Several DOE contractors have conducted analytical modeling of passive leakage from existing facilities during accident scenarios to demonstrate that off-site doses fall below DOE’s evaluation guideline, and subsequently used this approach to downgrade the safety classification of the confinement ventilation systems.  Additionally, proposed conceptual or preliminary designs for several new facilities have used passive confinement as the credited safety approach, again relying on calculations of passive leakage to demonstrate that off-site doses remain below DOE’s evaluation guideline.

 

            Unfortunately, as demonstrated in this report, the analytical calculation of a value for the unfiltered leakage from a passive structural confinement system is very subjective, dominated by the uncertainties in the computer programs and the analytical tools.  Calculations reviewed by the Board have not analyzed all of the important phenomena and evaluated the impact of all of the key assumptions.  More importantly, several key assumptions are impossible to maintain during a real accident, due to the unpredictability of the required actions by the emergency crews responding to the event.

 

            As outlined in DOE’s requirements, should the unmitigated off-site dose from an accident challenge DOE’s evaluation guideline of 25 rem total effective dose equivalent, those systems relied upon to prevent or mitigate the release are to be classified as safety-class.  Consistent with good practice, the most effective confinement (especially for nuclear material processing activities) is generally provided by a confinement ventilation system.  Rather than a design requirement to confine the radioactive materials, some contractor safety analysts use a design criterion that allows the public dose to be any amount below 25 rem.  Using this approach for a new facility and designing controls to a 25 rem design criterion represents a significant change in DOE’s approach to protection of the public.  For facilities with the potential for significant radiological insult to the public, the confinement ventilation system would need to be classified as safety-class.  Similarly, a safety-significant confinement ventilation system should be identified to protect workers from significant consequences.

 

            Section 2 of this report describes the advantages and disadvantages of active and passive confinement systems and demonstrates, through the evaluation of a case study, the uncertainties associated with the lack of active safety-class confinement ventilation systems at defense nuclear materials processing facilities.  Section 3 reviews the evolution of confinement requirements in the nuclear industry and the apparent shift in the approach to protecting the public as illustrated by recent proposals to rely on passive instead of active confinement.  The final section presents conclusions.

 


2.  ACTIVE VERSUS PASSIVE CONFINEMENT

 

 

            Confinement of hazardous materials during normal operation and potential accidents should be based on the first principles of systems engineering.  That is, the system designed for a certain function should be capable of performing the intended function.  Consequently, the decision to use an active or passive confinement feature should be based on the type of activity or event that is being confined by such a system.  Using this principle, for example, would lead to the use of passive confinement (or containment) systems for activities (such as storage) with hazardous materials that have no source of energy for releasing the materials.  On the other hand, confinement of hazardous materials released by a fire or explosion should use active confinement systems capable of counteracting the energy of the event.

 

 

2.1       ACTIVE CONFINEMENT SYSTEMS 

 

            These systems are also known as confinement ventilation systems since it is the ventilation system that provides the active function.  (Note that the discussion in this report is limited to the purpose and intended function of ventilation systems as they relate to confining hazardous materials.)  These systems may consist of air supply, recirculating air, process ventilation, and exhaust air systems, together with associated air filters, fans, dampers, ducts, control instrumentation, and supporting systems (such as power supply and facility structure).  DOE Handbook 1169-2003, Nuclear Air Cleaning Handbook, is an excellent reference for the parameters that should be considered in the design and operation of such systems.

 

            Active confinement systems are used during normal operations to confine hazardous materials closest to the source and thus protect workers from exposure to such materials.  The ventilation flow is, therefore, designed using a cascading system that starts with clean air (e.g., from outside the building or from hallways and office spaces); through the laboratories or rooms where the activities are performed; through the gloveboxes, tanks, or vessels where the highest concentrations of the hazardous materials may exist; and out to the environment through a set of high-efficiency particulate air (HEPA) or sand filters.  Such a cascading system can still be as effective during an accident as it is during normal operations if the system remains intact and operating.

 

            Potential operational accidents (e.g., spills, fires, and explosions) may release hazardous radioactive materials outside the intended area (e.g., glovebox) and into a room or laboratory.  An active confinement system is usually designed to direct air contaminated by such releases into the ducts and through the HEPA (or sand) filters before it enters the environment, provided the ventilation system remains intact during the event.  This function is provided immediately at the release point, thus preventing hazardous materials from flowing upstream and exiting the facility.  There is little chance of radioactive materials being spread to the rest of the facility or carried untreated to the outside because of the cascading effect of the active ventilation system.  This confinement function of an active ventilation system will:

 


!                                  Protect those facility workers not in the immediate vicinity of the accident from being exposed to the hazardous material.

 

!                                  Allow facility workers to exit the facility through the closest emergency egress, consistent with life safety code provisions, while minimizing the release of radioactive materials to the environment. 

 

!                                  Confine the contamination locally and minimize the spread of contamination throughout the facility, easing associated cleanup efforts.

 

!                                  Protect that portion of the facility not involved in the accident from its consequences, thus protecting the ability of the facility to accomplish its mission and meet its national security commitments.

 

!                                  Allow the emergency crew more flexibility to access the facility through their preferred access doors and take appropriate action in a timely and effective manner.

 

!                                  Allow for an assessment of the hazardous environment that the emergency crew would be entering through the sampling of air drawn from the accident area.

 

!                                  Allow for an assessment of the radioactive material leaving the facility (e.g., through stack monitoring).

 

!                                  Direct air containing radioactive materials through the HEPA or sand filters before any release to the environment, substantially reducing (e.g., by about four orders of magnitude from HEPA filters) any public exposure to the consequences of the accident.

 

            A safety-related active confinement ventilation system that is identified in a facility’s safety basis as mitigating the dose consequences of an event must be effective during certain normal and abnormal conditions and meet a number of functional requirements.  These requirements include maintaining a certain negative pressure with respect to the outside atmosphere in a cascading manner to ensure that the flow of air would be directed from cleaner areas to more contaminated ones.  Meeting this requirement necessitates limiting the size of facility leakage paths (e.g., cracks around doors and penetrations) to a very small value.  Unfiltered leakage of air containing radioactive materials following an accident is not expected if the active confinement system is designed properly (i.e., considers potential leak paths), remains intact, and continues to operate.  However, if the active system is not designed to remain operational during accident conditions, these same leak paths could exist during the event and would be combined with those created by emergency access to or egress from the building through temporary opening of the doors.

            Other functional requirements may include effective filtration of the materials released during a fire.  Active confinement ventilation systems must be capable of operating during a fire and filtering the hazardous materials out through the use of HEPA or sand filters.  The fire may release particles and combustion products that could clog the filters and prevent them from performing their intended function, if not designed properly.  Detailed guidance regarding the design requirements for protection against such an event is provided in DOE Handbook 1169-2003, Nuclear Air Cleaning Handbook, and DOE Standard 1066-99, Fire Protection Design Criteria.

 

            To maintain the reliability of an active confinement ventilation system at a level to ensure it performs its safety-related function requires continued vigilance on the part of DOE and its operating contractor.  This necessitates routine preventive maintenance and configuration control of the associated system identified in the facility’s safety basis.

 

            It should be noted that an active confinement ventilation system would encompass the features that comprise a passive confinement system.  That is, should power be lost or unavailable to force the air containing hazardous materials through the filters, the passive confinement boundaries would still be available to confine the hazards to a lesser degree as discussed in the following section.

 

 

2.2       PASSIVE CONFINEMENT SYSTEMS

 

            These systems are designed to confine hazards passively.  They consist of an identified contiguous boundary between the hazardous material and the environment.  Such systems have no active components, and are therefore considered less susceptible to failure when called upon to function.  The absence of active components can also lead to reduced installation and maintenance costs, although this is not always the case.

 

            Passive confinement systems are generally used for storage of hazardous materials when sources of energy do not exist within the confinement area and cannot be introduced from the outside to interfere with the system’s intended function.  For example, containers approved by the Department of Transportation are used for storage or transportation of radioactive materials that are not energetic.  These containers are designed to prevent the introduction of external energy sources that could disturb the hazardous materials from their steady-state condition.  Less-robust containers, such as storage drums with HEPA filters, may also be used as passive confinement barriers for storage of radioactive materials that lack the potential for energetic events and are not subject to harsh external hazards.

 

            Given the perception of higher reliability and lower installation and maintenance costs, several operating contractors in the defense nuclear complex have recently extended application of the concept of passive confinement to nuclear processing facilities.  In applying this concept, the building structure and its connecting ports to the outside (e.g., doors, penetrations, and HEPA filters) are identified as the passive confinement system.  The passive confinement system is credited with confining the hazards generated as a result of operational mishaps or other accidents.  The facility ventilation system is not credited in the safety bases as a safety-related component of the confinement boundary, and its active components are not expected to remain operational during an event.  Therefore, accidentally released hazardous materials in the facility are captured by HEPA or sand filters only to the extent that air contaminated with the materials may be passively forced to the outside environment through these ports.  Ideally, during an accident the confinement boundary remains intact, and there is no unfiltered release of air containing hazardous material to the environment.  Should the confinement boundary be breached or have existing leaks, however, hazardous material will escape directly to the environment, carried by air that does not pass through any filtration device.

 

            The concept of passive confinement systems should not be confused with passive safe shutdown.  Although the same systems and boundaries may be involved in these two concepts, their intended functions are quite different.  The latter systems are designed to temporarily confine the hazardous materials that may exist in a facility (e.g., glovebox contamination or radioactive materials staged in a glovebox or tank) in a nonactive operational mode (shutdown). Under the passive safe shutdown concept, the intent is to provide a confinement system that can be relied upon during a shutdown mode.  Operational activities that are capable of disturbing the material are prohibited in this mode.  The hazardous material has to be stowed properly before shutdown.  In essence, passive safe shutdown systems are similar to storage drums with HEPA filters; that is, the material would remain in its steady-state condition and be confined within the boundaries of the barriers without disturbance.  A passive safe shutdown system may consist of the facility boundaries (structure), its HEPA filters, and its penetrations, along with any double doors or airlocks.  No active system is needed to meet the intended functional requirements.  Strict operational procedures are necessary to enforce the allowed operational mode.  Special procedures are also needed to terminate the nonactive operational mode and return to the normal operational mode.

 

            Conceptually, the use of a passive ventilation system is logical and attractive.  However, actual implementation and operation of the system is laden with many uncertainties such that, from a safety perspective, its disadvantages outweigh its advantages.

 

            The first difficulty associated with this concept centers on the integrity of the confinement boundary.  The system must be capable of performing its confinement function under all plausible upset or design basis accident conditions.  The structural features of the boundary must therefore be capable of withstanding these conditions.  It is also necessary to consider preexisting exhaust paths, such as door cracks and penetrations, or those paths created as a result of actions taken during an accident, such as emergency crew members entering or facility workers evacuating the building.


 

            The challenge of accurately calculating the passive leakage is the second problem resulting from the use of passive confinement.  Predicting the amount of release under passive confinement conditions can be quite complex.  Fire or explosions could add energy to the facility’s atmosphere and introduce a motive force that could carry hazardous materials through an exhaust path.  In addition, quantifying the leakage area that exists in a facility, which is analogous to the periodic containment leak rate tests required at commercial nuclear reactors, although possible, is not easily and accurately accomplished at nuclear processing facilities.  Therefore, determination of the amount of radioactive material that could escape the facility becomes very complex and uncertain.  The following list illustrates a number of complications that prevent safety analysts from estimating the consequences of potential events to workers or the public with any degree of accuracy:

 


 

!                               Airborne contaminants would travel throughout the facility following the path of least resistance and under the event’s dynamic forces, which generally cannot be analyzed realistically (e.g., smoke and hot gases, pressure waves, or external parameters such as wind).

 

!                               Facility workers might use any number of emergency exits to evacuate the facility, thus allowing the radioactive material to be released in an undeterminable fashion.

 

!                               The emergency crew and security personnel might access the facility from outside for an indefinite amount of time, allowing air containing the radioactive materials to leave the building unfiltered.

           

!                               The uncontrolled spread of radioactive material in the facility could jeopardize the future use of the facility, interfering with its national security mission, as well as resulting in potential worker safety issues during facility recovery and/or decontamination activities.

 

!                               Environmental postaccident sampling and monitoring would not be possible because of the unknown location of release, amount of release, and rate of volumetric release.

 

!                               Consequences to the public could approach unmitigated values, since this confinement system would allow the unfiltered release of air bearing an undeterminable amount of radioactive material to the outside until the airborne material had settled or been removed by forced interception (e.g., active ventilation or cleanup activities).

 

            Recent attempts by DOE and its operating contractors to quantify accurately the amount of hazardous material released from a passive confinement system after an accident have been unsuccessful.  To this end, the contractors have used elaborate computer programs, capable of modeling the facility as dozens of volumes with hundreds of connecting junctions to represent its openings.  They have combined several different computer programs to model the phenomena that one program alone could not handle.  The uncertainties of these analyses, however, are so high that a conservative estimate of the public dose could become a significant fraction of an unmitigated release. 

            The attempts to quantify the amount of hazardous material released have also given rise to a further disturbing issue:  DOE’s 25 rem evaluation guideline has been used as the measure of success in the performance of passive confinement systems.  The 25 rem evaluation guideline was not intended to be used as a design criterion for exposure to the public.  The 25 rem evaluation guideline was identified as a measure for determining when there is a need for

safety-class controls.  Several defense nuclear facilities for which passive confinement systems recently have been proposed have unmitigated off-site consequences many times greater than 25 rem.

 

            The following case study illustrates some of these issues and uncertainties.

 

 

2.3       CASE STUDY FOR PASSIVE STRUCTURAL CONFINEMENT

 

            The documented safety analysis prepared for a plutonium processing facility used a passive structural confinement system to demonstrate that a safety-class active confinement ventilation system was not needed.  The document was submitted to DOE to comply with the requirements of the Nuclear Safety Management Rule (10 CFR 830).  For a fire scenario, the unmitigated consequence at the site boundary exceeded the evaluation guideline of 25 rem by more than an order of magnitude.  The operating contractor calculated a building leak path factor (LPF)1 of about 1.6 percent to show that the mitigated consequences of about 3 rem would be acceptable, while crediting the passive confinement features as safety-class.  Prior calculations for this facility with no assumed LPF and using an active ventilation system yielded site boundary dose consequences 4 to 8 orders of magnitude smaller (i.e., almost 0 rem) because of the HEPA filtration.

 

            The LPF analysis was based on calculations performed in 1996 and, more recently, an alternative method using the MELCOR computer program to model the facility as 37 volumes or nodes and 122 junctions.  The computer analysis resulted in a calculated LPF of 1.6 percent.  However, the computer analysis was fraught with a number of uncertainties and nonconservatisms. 

 

 

            MELCOR was originally written for analysis of core melt accidents at commercial nuclear power plants, and is capable of solving mass and energy transfer equations, thereby making it possible to follow the transport of airborne materials through volumetric nodes and junctions.  The computer program cannot, however, analyze a fire scenario and must be manipulated externally by providing the temperature rise from a fire as input to the code.  Another computer program must be used to model a fire.  The contractor used CFAST for this purpose.

 

            CFAST is a two-zone model used to calculate the evolving distribution of smoke and fire gases and the temperature throughout a building during a fire.  Its use involves solving a set of equations that predict state variables (e.g., pressure and temperature) based on the enthalpy and mass flux over small increments of time.  CFAST does not include a burning-rate model to predict fire growth, so the user must specify the initial burning-rate, as well as any variations due to changing room conditions.  This can have a significant impact on the accuracy of the resulting calculation.  Further, burning can take place in several areas of the building, an effect that CFAST does not model.  For a fire with sufficient available oxygen, the burning will all take place within the fire plume.  For a fire in which oxygen in the fire plume is limited because of ventilation restrictions, burning will take place where there is sufficient oxygen.  Under this condition, unburned fuel in the plume will successively move into, and burn in, the upper layer of the fire room, the doorway to the next room, the upper layer of the next room, the doorway to the third room, and so forth, until it is consumed or reaches the outside.  This phenomenon can introduce significant uncertainty into the results.

 

            Simply stated, in this case study, CFAST was used to calculate the temperature increase, while MELCOR followed the transfer of airborne contaminants due to the expansion of the air with the rise in temperature.  The MELCOR computer program is not capable of calculating increases in the building pressure due to the fire products.  Other potential interface issues such as changing fire and ventilation conditions (e.g., fuel burning in adjacent compartments) cannot be addressed in a simple manner.  Finally, the combination of the two programs, each designed for a specific, independent purpose, requires a significantly greater number of external analytical manipulations, which can introduce substantial uncertainty into the results.  The number of sensitivity analyses required to arrive at a conservative value using such a concatenation quickly becomes prohibitive.

 

            The communication paths between the volumes (e.g., rooms and laboratories), including those connecting the volumes to the outside (such as door gaps) were analyzed using assumed values.  Many unconservative values were included in these assumptions—openings to the outside (e.g., penetrations) were not taken into account, and several credited door seals did not exist.  The fact is that building leak paths during an accident cannot reliably be predetermined numerically on the basis of facility conditions during normal operations.

 

            The fire scenarios were modeled for an event duration of about 2 hours.  However, because of the diurnal effects of the sun and the facility’s breathing as the inside and outside temperature varies over time, motive forces capable of driving hazardous materials out of the facility continue to exist well beyond the assumed 2-hour limit.  Such phenomena will continue to direct airborne contaminants out to the environment until the contaminants are settled by gravity (i.e., the heavier particles) or removed by other means (e.g., active ventilation or cleanup efforts).  Diurnal effects on building leakage cannot realistically be determined using the two computer models discussed above, and their estimation would require the introduction of yet another model or estimation technique.  This would further increase the complexity and uncertainty of the results.

 

            The 1.6 percent LPF analysis does not appear to have conservatively modeled the potential impact of the external wind on transporting hazardous material out of the building.  In the analysis, the external force of the wind was exerted on the side of the building with the largest openings (e.g., an open emergency exit door) for some scenarios, thus minimizing (or not allowing) the escape of hazardous material from the facility.  On the other hand, the effect of external wind on the building was not modeled at all for some more energetic events, such as fire.

 

            Finally, although emergency evacuation of the facility workers was modeled in some analyses (spill events), a sensitivity analysis was not performed on the timing of the evacuation (e.g, opening the room doors at the same time as the building emergency exit doors).  On the other hand, the emergency evacuation of the building was not modeled for more energetic events such as fire.

 

            Based on these nonconservative analyses, additional inquiry was made to determine a more conservative value for the building LPF.  It was shown that a fire event in one of the rooms would result in an LPF of 25 percent or more.  This analysis, however, did not consider the impact of the opening of the emergency doors by facility workers and its effect on the LPF value.  It is estimated that such considerations could increase the calculated value of LPF to 40 or 60 percent.

 

            As demonstrated above, the analytical calculation of a value for the unfiltered leakage from a passive structural confinement system can be highly speculative.  Such a calculation is likely dominated by the uncertainties and limitations of the computer programs and analytical tools used and is incapable of analyzing all the important phenomena involved and the impact of the controlling parameters.  Furthermore, it is generally impossible to model the conditions of a real accident because of the uncertain behavior of the workers and the emergency crew responding to the event.  Given these analytical uncertainties, a conservative estimate of the public dose for such a confinement system could be more than 60 percent of the unmitigated event.

 

 


3.  EVOLUTION OF CONFINEMENT REQUIREMENTS

 

 

            The U.S. Atomic Energy Commission issued Regulatory Guide 3.12, General Design Guide for Ventilation Systems of Plutonium Processing and Fuel Fabrication Plants, in August 1973.  It sets forth expectations for the design of a ventilation system that, if satisfied, would meet the requirements of 10 CFR 70 that “applicant’s proposed equipment and facilities are adequate to protect health and minimize danger to life or property.”  Regulatory Guide 3.12 considers ventilation systems to be “important to safety because they serve as principal confinement barriers in a multiple confinement barrier system which guards against the release of radioactive or other potentially dangerous materials” and presents the regulatory position that “ventilation systems should assure the confinement of hazardous materials during normal or abnormal conditions including natural phenomena, fire, and explosions.”  The guide states that “the systems must continue to perform their safety functions effectively under all conditions by confining radioactive or other potentially dangerous materials.”

 

            A similar approach was adopted by DOE in its General Design Criteria Manual—DOE

Order 6430.1 (issued in December 1983) and its revision DOE Order 6430.1A (issued in April 1989).  This manual recommends a three-layer approach to achieving confinement objectives:

 

!                               Primary confinement—to be provided by piping, tanks, gloveboxes, encapsulating material, and any off-gas system that controls effluent from within the primary confinement.

 

!                               Secondary confinement—to be provided by walls, floors, roofs, and associated ventilation exhaust systems of the facility.

 

!                               Tertiary confinement—to be provided by walls, floors, roofs, and associated ventilation exhaust systems of the facility.

 

            DOE Order 6430.1A required that the confinement system, defined as a composite of the structure and its associated ventilation systems, remain “fully functional following any credible DBA [design basis accident],” and stated that “unfiltered/unmitigated release of hazardous levels of such materials shall not be allowed following such accidents.”  It also required that design professionals consider the criteria presented in Regulatory Guide 3.12 for applicability to plutonium processing and handling facilities.

 

            In an effort to overhaul its directives system, in 1995 DOE issued DOE Order 420.1, Facility Safety, which superceded DOE Order 6430.1A.  The requirements in this new Order, however, were not as prescriptive, and design requirements were left to be determined by safety analysis reports that would establish the identification and functional classification (i.e., safety-class and safety-significant) of the structures, systems, and components (SSCs) for a facility.  This Order, as well as its latest revision, DOE Order 420.1A, states that “non-reactor nuclear facilities shall be designed with the objective of providing multiple layers of protection to prevent or mitigate the unintended release of radioactive materials to the environment.”  It states further that “defense in depth shall include:  siting . . . ;  the use of successive physical barriers for protection against the release of radioactivity; . . . and to confine and mitigate radioactivity associated with the potential for accidents with significant public radiological impact.”  The Order no longer prohibits the unmitigated accidental release of hazardous materials, and relies on the safety analysis process to demonstrate adequate protection of the public and workers.  However, the Order does state that “all nuclear facilities with uncontained radioactive materials (as opposed to material contained within drums, grout, and vitrified materials) shall have means to confine them.”

 

            In a letter to DOE dated July 8, 1999, the Board expressed its belief that this general approach for identification of safety systems was reasonable “provided that it is made quite clear that the 25 rem evaluation guideline is not to be treated as a design acceptance criterion . . . .” The Board further emphasized that, consistent with the requirements of DOE Order 420.1, the design of Hazard Category 2 and 3 nonreactor nuclear facilities should be based on confining the hazardous radioactive material during normal operation and potential accidents.  The Board also noted that confinement systems should be classified as safety-class or safety-significant SSCs.

 

            In January 2001, DOE issued Subpart B of 10 CFR 830.  It required contractors to establish a safety basis for Hazard Category 1, 2, and 3 nuclear facilities in accordance with its requirements and to perform work in accordance with the hazard controls identified therein.  For new facilities or major modifications, the rule requires contractors to use the safety design criteria identified in DOE Order 420.1 or obtain DOE approval of their proposed criteria.  The rule identifies the methodology presented in DOE’s Preparation Guide for U.S. Department of Energy Nonreactor Nuclear Facility Documented Safety Analyses (DOE-STD-3009-94) as a safe harbor for performing safety analyses for new facilities and major modifications, as well as for existing facilities.  It should be noted that this methodology was originally developed for preparation of safety bases for existing facilities, and its application to new facilities should be limited to its format and content guidance.  In other words, the design requirements identified in DOE Order 420.1 must be met and demonstrated through the safety analyses that are prepared in accordance with DOE-STD-3009-94.

 

            The methodology presented in DOE-STD-3009-94 is hazards-based.  That is, based on the significance of unmitigated consequences to the public and workers, safety-class or safety-significant SSCs should be identified to prevent or mitigate events.  This approach does not override the requirement of DOE Order 420.1A that “all nuclear facilities . . . shall have means to confine” the hazards.  The requirements of the Order must be met, and the methodology from the standard should be used to designate a safety classification for the confinement system.

 

            DOE-STD-3009-94 does not require identification of a safety-related active confinement ventilation system.  It only implies that such a system is part of the safety philosophy and defense in depth for a facility, and requires specific discussion of such a system in Chapter 2, “Facility Description,” of the documented safety analysis.  The standard further states that “the handling of plutonium in a facility with gloveboxes, ventilation zones of confinement, and HEPA filters . . . would be adequate for closure of environmental contamination concerns.”  In a discussion aimed at identifying safety-class SSCs, the standard states, “For existing DOE non-reactor nuclear facilities, some safety systems may already be known and designated as such (e.g., fire protection systems and confinement systems, which include HEPA filtration).  Some SC [safety-class] designations for such safety system[s] may also be self evident.”  The standard stops short of explicitly requiring a safety-class active confinement ventilation system.

 

            Although the use of multiple barriers, defense in depth, and confinement of hazards is discussed in the DOE directives, there is sufficient ambiguity in the requirements to allow contractors to deviate from having to identify a safety-related active confinement system.  Furthermore, the DOE directives are not integrated.  For example:

 

            !   The requirements for radiological postaccident monitoring do not appear in the safe harbors of the Nuclear Safety Management Rule.

 

            !   The guidance for building reentry after an accident and for postaccident recovery is not related to preparation of the documented safety analyses.

 

            !   There are no DOE requirements for protection of a facility’s mission, as it relates to national security or nuclear material stabilization, that should be considered in preparation of the safety bases or design of a new facility.

 

            !   The emergency response procedures and safeguards and security practices are not clearly linked to the accident analyses.

 

            !   Although the documented safety analyses are required to include discussion of the decontamination and decommissioning of the facility, those requirements relate to the final end state of the facility and not to the activities that would be carried out as the result of an accident.

 

            Consequently, due to unclear guidance in the DOE directives, the documented safety analyses and subsequent determinations of adequacy of the confinement systems are mainly focused on the dose at the site boundary should an accident occur and do not reflect consideration of all of the issues discussed above.

 

 

4.  CONCLUSIONS

 

 

            DOE’s requirements as reflected in its orders and standards for preparation of safety bases appear to be consistent with the principles of Integrated Safety Management advocated by the Board.  Those requirements, however, have been implemented using a variety of analytical methods since being issued almost a decade ago.  It appears that the 25 rem public dose evaluation guideline is, in some instances, being used as a design criterion.  It also appears that some analysts may be underestimating the complexity of problems that are solved analytically, ignoring the uncertainties in the computational results, and underestimating the potential impact on public and worker health and safety.  The safety analyses required by DOE are supposed to be an estimate and illustration of how the requirements are met.  The analyses should be bounding, the analytical tools must be pertinent and capable of predicting the results, the assumptions ought to be practical, and the uncertainties of the analyses should be accounted for in the design and operational procedures.

 

            Furthermore, DOE’s safety requirements for the preparation of safety bases are aimed at the identification of controls for protection of the public and workers during abnormal events.  They are not well integrated with other needs, and in some cases may fail to encompass all of the parameters that should be considered in designing and operating a nuclear facility.  Postaccident recovery and building reentry, postaccident monitoring and off-site dose measurements for potential worker and public evacuation, and protection of the mission of the facility are just some of the additional parameters that should play an important role in deciding which type of confinement system is best suited for a defense nuclear processing facility.

 

            This report has demonstrated that the application of passive confinement systems for some operational events at defense nuclear processing facilities may be inappropriate.  An active confinement system is needed to ensure the safety of the public and workers.  Such a system would also provide for some other DOE needs that might not be encompassed by the safety analyses.  The boundaries of such systems need to be clearly defined, including their supporting systems, the power supply, and instrumentation and controls.  The guidance provided in Regulatory Guide 3.12 and adopted in the cancelled DOE Order 6430.1A appears to set a solid foundation for the design and operational reliability of such systems.  DOE needs to provide additional guidance and explicitly state its policy regarding adequate protection of the public and workers by mandating a safety-related active confinement ventilation system for those defense nuclear facilities that pose the potential for significant radiological consequences.  New nuclear facilities with offsite consequences that challenge DOE’s evaluation guidelines, in particular, should be designed with a safety class active confinement ventilation system backed up by a passive confinement system.

 

 



 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

                                                                                                           


 

 

 

 

 

 

 

 

 

           



            1  LPF is the percentage of the airborne material that leaves the facility and reaches the environment.