Federal Register, Volume 84 Issue 53 (Tuesday, March 19, 2019)
[Federal Register Volume 84, Number 53 (Tuesday, March 19, 2019)]
[Notices]
[Pages 10196-10222]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-04941]
DEFENSE NUCLEAR FACILITIES SAFETY BOARD
Recommendation 2019-01
AGENCY: Defense Nuclear Facilities Safety Board.
ACTION: Notice; Recommendation.
-----------------------------------------------------------------------
SUMMARY: The Defense Nuclear Facilities Safety Board has made a
Recommendation to the Secretary of Energy concerning implementation of
Nuclear Safety Management requirements and the need to address specific
hazards at the National Nuclear Security Administration's Pantex Plant.
Pursuant to the requirements of the Atomic Energy Act of 1954, as
amended, the Defense Nuclear Facilities Safety Board is publishing the
Recommendation and associated correspondence with the Department of
Energy and requesting comments from interested members of the public.
DATES: Comments, data, views, or arguments concerning the
recommendation are due on or by April 18, 2019.
ADDRESSES: Send comments concerning this notice to: Defense Nuclear
Facilities Safety Board, 625 Indiana Avenue NW, Suite 700, Washington,
DC 20004-2001. Comments may also be submitted by e-mail to
[email protected].
FOR FURTHER INFORMATION CONTACT: Glenn Sklar at the address above or
telephone number (202) 694-7000. To review the figures referred to in
Recommendation 2019-01, please visit http://www.dnfsb.gov.
SUPPLEMENTARY INFORMATION:
Recommendation 2019-1 to the Secretary of Energy
Uncontrolled Hazard Scenarios and 10 CFR 830 Implementation at the
Pantex Plant
Pursuant to 42 U.S.C. 2286a(b)(5)
Atomic Energy Act of 1954, as Amended
    Dated: February 20, 2019.
    Introduction. The Defense Nuclear Facilities Safety Board (Board)
has evaluated the adequacy of safety controls for nuclear explosive
operations at the Pantex Plant and the processes that ensure those
operations have a robust safety basis. Based on this evaluation, we
conclude the following:
    • Portions of the safety basis for nuclear explosive
operations at Pantex do not meet Title 10, Code of Federal Regulations,
Part 830, Nuclear Safety Management (10 CFR 830). There are high
consequence hazards that (1) are not adequately controlled; (2) may
have controls, but lack documentation linking the controls to the
hazards; or (3) have controls that are not sufficiently robust or that
lack sufficient pedigree to reliably prevent or mitigate the event.
    • Multiple components of the process for maintaining and
verifying implementation of the safety basis at Pantex are deficient,
including (1) completion of annual updates as required by 10 CFR 830,
(2) processes for handling Unreviewed Safety Questions (USQ) and
Justifications for Continued Operations (JCO), and (3) processes for
performing Implementation Verification Reviews of credited safety
controls.
    • To date, the National Nuclear Security Administration
(NNSA) Production Office (NPO) and the Pantex contractor have been
unable to resolve known safety basis deficiencies. The Board initially
identified similar issues and communicated them to NNSA in a letter
dated July 6, 2010. Specifically, the letter found that the use of
combined probabilities (i.e., initiating event probability multiplied
by the weapon response) to determine scenario credibility and the
treatment of falling technician scenarios were inappropriate. NNSA and
the Pantex contractor have made little progress resolving these
deficiencies despite the development of multiple corrective action
plans.
    Analysis. The enclosed Findings, Supporting Data, and Analysis
document provides reports that support the Board's conclusions in this
Recommendation.
    The first report concludes there are deficiencies in the safety
basis and control strategy for B61, W76, W78, W87, and W88 operations,
which are designed to prevent or mitigate high consequence hazards.
Pantex dispositioned a subset of the issues in the report via the USQ
process in January 2018. Subsequently, the Pantex contractor submitted
a JCO \1\ to NPO in June 2018 to continue operations on weapon programs
with known legacy safety basis deficiencies. The Pantex contractor
subsequently withdrew the JCO and instead submitted a safety basis
supplement (SBS) \2\ that NPO approved in September 2018. The SBS had
content similar to the previously submitted JCO, but identified certain
compensatory measures to be treated as specific administrative controls
for falling technician scenarios (e.g., safety requirements identifying
appropriate approach paths to the unit and removing tripping hazards at
the beginning of work shifts). However, neither the JCO nor the SBS is
based on a comprehensive analysis of the approved safety basis
documents to identify areas requiring further enhancement and in need
of additional controls. The SBS provides the Pantex contractor relief
for safety basis deficiencies in advance of comprehensive evaluations
to determine the extent of these issues. In addition, neither the JCO
nor the SBS address the suite of hazard scenarios that the enclosed
supporting technical analysis identified as deficient. The Pantex
contractor has developed a corrective action plan \3\ to address safety
basis quality issues. This corrective action plan includes efforts to
review the safety analysis documents for hazard scenarios with no
controls and high order consequences caused by production technician
trips.
---------------------------------------------------------------------------
    \1\ Consolidated Nuclear Security, LLC, Justification for
Continued Operations for Legacy Issues Associated with Documented
Safety Analyses at Pantex, June 29, 2018.
    \2\ Consolidated Nuclear Security, LLC, Safety Basis Supplement
for Legacy Issues Associated with Documented Safety Analyses at
Pantex, September 18, 2018.
    \3\ Consolidated Nuclear Security, LLC, Corrective Action Plan
for DSA Quality Issues, September 27, 2018.
---------------------------------------------------------------------------
    The second report describes the results of a safety investigation
(preliminary safety inquiry) regarding the implementation of 10 CFR 830
at Pantex. It identifies examples of lack of compliance that support
all the above conclusions. For example, contrary to 10 CFR 830.202(c),
the Pantex contractor has failed to update annually the hazard and
safety analysis reports. In addition, contrary to 10 CFR 830.203(g),
the Pantex USQ procedures allow three days to correct discrepant-as-found
conditions--or safety basis implementation and execution errors--
without stopping operations, notifying the Department of Energy (DOE),
or initiating the Pantex process for addressing a potential inadequacy
of the safety analysis.
    The third report describes deficiencies identified within the
special tooling program at Pantex and was sent to the Secretary of
Energy from the Board on October 17, 2018.
    Based on this analysis, the Board finds that deficiencies exist
within the processes used to ensure operations at Pantex have a robust
safety control strategy--the safety basis is inadequate and credible
accident scenarios with high consequences exist with insufficient or no
controls. Hazard scenarios of concern include those with high explosive
violent reaction and/or inadvertent nuclear detonation consequences,
which significantly exceed the DOE Evaluation Guideline
dose consequence of 25 rem total effective dose to the maximally
exposed offsite individual. As a result, the Board finds that DOE and
NNSA need to take actions to ensure that adequate protection from
hazards associated with nuclear operations at Pantex is sustained.
    Recommendations. The Board recommends that DOE and NNSA take the
following actions at Pantex:
    1. Implement compensatory measures to address all the deficiencies
described in Appendix 1 and Appendix 2.
    2. Perform an extent-of-condition evaluation of the Pantex safety
basis (including the procedures for development and configuration
control of the safety basis documents) and implement subsequent
corrective actions to ensure compliance with DOE regulations and
directives.
    3. Implement actions to ensure process design and engineering
controls (including the use of special tooling) eliminate or protect a
unit from impact and falling technician scenarios, including those
scenarios identified in Enclosure 1.
    4. Ensure the design, procurement, manufacturing, and maintenance
of special tooling is commensurate with its safety function (see
Enclosure 1).
    5. Train safety basis personnel to ensure future revisions to the
safety basis comply with 10 CFR 830 requirements.
-----------------------------------------------------------------------
Bruce Hamilton, Chairman
Risk Assessment for Recommendation 2019-1
Uncontrolled Hazard Scenarios and 10 CFR 830 Implementation at the
Pantex Plant
    Recommendation 2019-1 addresses uncontrolled hazard scenarios and
Title 10, Code of Federal Regulations, Part 830, Nuclear Safety
Management (10 CFR 830), implementation at the Pantex Plant. In
accordance with the Defense Nuclear Facilities Safety Board's (Board)
enabling statute and Policy Statement 5, Policy Statement on Assessing
Risk, this risk assessment considers initiating event frequencies,
adequacy of preventive and/or mitigative controls, and consequences
from the hazards.
    As detailed in the Recommendation and supporting technical
analysis, deficiencies exist within processes used to ensure operations
at Pantex have a robust safety basis. Furthermore, accident scenarios
exist at Pantex with inadequate control strategies, including scenarios
without any preventive or mitigative controls. As specified within the
Pantex safety analysis and hazard analysis reports, these scenarios of
concern--including those without any applied controls--have high
explosive violent reaction and/or inadvertent nuclear detonation
consequences. These consequences have the potential for significant
special nuclear material aerosolized dispersal and therefore
significantly exceed the Department of Energy (DOE) Evaluation
Guideline dose consequence of 25 rem total effective dose to the
maximally exposed offsite individual.
    For the identified inadequately controlled scenarios, the
initiating events primarily involve operational incidents, such as
impacts, drops, gouges, and personnel trips. Following nomenclature
outlined in DOE Standard 3009-1994, Change Notice 3, Preparation Guide
for U.S. Department of Energy Nonreactor Nuclear Facility Documented
Safety Analyses, initiating event frequencies for the scenarios include
Anticipated (probability between 10^-1 and 10^-2)
and Unlikely (probability between 10^-2 and 10^-4)
events. Coupled with the significant consequences to the public, DOE
Standard 3009 ranks the risk associated with these events as
Unacceptable. Furthermore, in accordance with DOE Standard 3016-2016,
Hazard Analysis Reports for Nuclear Explosive Operations, the design
agencies provided unscreened (i.e., conditional probability of greater
than 10^-9 per insult) weapon responses for these scenarios.
Based on the weapon response, there is sufficient probability that the
consequence could occur given the postulated insult and therefore
controls are required to prevent the accident. In accordance with DOE
Standard 3009 and Standard 3016--safe harbors for compliance with 10
CFR 830--safety class controls are required to provide adequate
protection.
    Using the deterministic process outlined in DOE Standard 3009
demonstrates that Pantex needs safety class controls to maintain
adequate protection. A quantitative risk assessment is not practicable
because the data does not exist. However, there is a qualitative risk
as scenarios currently exist without any applied controls, or with
insufficient control strategies. As a result, the Board finds that DOE
and NNSA need to take actions to ensure that adequate protection from
hazards associated with nuclear operations at Pantex is sustained.
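The risk assessment above contrasts two ways of deciding whether a hazard scenario needs a credited control: the deterministic path in DOE-STD-3009 and DOE-NA-STD-3016 (an unscreened IND or HEVR response requires safety class controls regardless of initiating event frequency), and the combined-probability practice the Board's 2010 letter found inappropriate (initiating event probability multiplied by weapon response, used to dismiss the scenario). The following Python model is an added illustration and is not part of the Board's notice or any DOE or contractor tool. It uses the frequency bins and the 10^-9 screening threshold quoted on the page; the two lower frequency bins are taken from DOE-STD-3009 itself, and the scenario values and the 10^-6 cut-off assigned to the combined-probability practice are constructed for illustration.

```python
"""Model of control selection for nuclear explosive hazard scenarios.

Added illustration only; not text or code from the Board's notice.
Thresholds quoted on the page: DOE-STD-3009-1994 frequency bins for
initiating events and the DOE-NA-STD-3016-2016 screening threshold of
10^-9 for weapon response. Scenario values and the combined-probability
cut-off are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Consequence(Enum):
    IND = "inadvertent nuclear detonation"
    HEVR = "high explosive violent reaction"


# DOE-NA-STD-3016-2016: a weapon response of 10^-9 or less is "screened".
SCREENING_THRESHOLD = 1e-9


def frequency_bin(p_initiating: float) -> str:
    """DOE-STD-3009-1994 CN3 initiating-event bins (per year).

    The page names Anticipated and Unlikely; the two lower bins are the
    standard's own and are included for completeness.
    """
    if p_initiating > 1e-2:
        return "Anticipated"
    if p_initiating > 1e-4:
        return "Unlikely"
    if p_initiating > 1e-6:
        return "Extremely Unlikely"
    return "Beyond Extremely Unlikely"


@dataclass(frozen=True)
class Scenario:
    name: str
    p_initiating: float   # initiating event frequency, per year
    p_response: float     # conditional likelihood of the consequence given the insult
    consequence: Consequence
    in_cell: bool         # True: nuclear explosive cell; False: nuclear explosive bay


def is_screened(s: Scenario) -> bool:
    return s.p_response <= SCREENING_THRESHOLD


def deterministic_requirement(s: Scenario) -> str:
    """Safe-harbor path: an unscreened IND/HEVR scenario is a design basis
    accident and needs a safety class control set. Initiating frequency is
    not used to dismiss it. IND cannot be mitigated by structure, and the bay
    structure mitigates neither consequence, so those cases need preventive
    controls; a cell can additionally be credited to mitigate HEVR."""
    if is_screened(s):
        return "screened: no control required"
    if s.consequence is Consequence.IND or not s.in_cell:
        return "safety class, preventive"
    return "safety class, preventive plus cell structure (mitigative)"


def combined_probability_dismissal(s: Scenario, cutoff: float = 1e-6) -> bool:
    """The practice the Board's 2010 letter found inappropriate: multiply the
    initiating frequency by the weapon response and dismiss the scenario when
    the product falls below a cut-off. The cut-off value is constructed."""
    return s.p_initiating * s.p_response < cutoff


def compare(scenarios):
    """Evaluate each scenario under both approaches."""
    return [
        {
            "scenario": s.name,
            "bin": frequency_bin(s.p_initiating),
            "screened": is_screened(s),
            "deterministic": deterministic_requirement(s),
            "dismissed_by_combined": combined_probability_dismissal(s),
        }
        for s in scenarios
    ]


# Constructed sample scenarios, patterned on the hazard types named in the report.
SAMPLE = [
    Scenario("technician trip, cell", 5e-2, 1e-7, Consequence.IND, True),
    Scenario("dropped tooling, bay", 3e-3, 1e-8, Consequence.HEVR, False),
    Scenario("gouge, screened response", 5e-2, 1e-10, Consequence.HEVR, True),
]

if __name__ == "__main__":
    for row in compare(SAMPLE):
        print(row)
```

Running the block shows the divergence the Board describes: the first two constructed scenarios are Anticipated or Unlikely with unscreened responses, so the deterministic path requires safety class preventive controls, while the combined-probability product for each is far below the cut-off and would have been used to dismiss them. Only the third scenario, whose response is at or below 10^-9, is legitimately screened under either approach.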
Findings, Supporting Data, and Analysis
Appendix 1
Nuclear Explosive Operations With Uncontrolled Hazards at the Pantex
Plant \4\
---------------------------------------------------------------------------
    \4\ This report was updated on July 27, 2018, to incorporate
issuance of the Justification for Continued Operations (JCO),
Justification for Continued Operations for Legacy Issues Associated
with Documented Safety Analyses at Pantex, dated June 29, 2018.
Report does not reflect issuance of the subsequent Safety Basis
Supplement, Safety Basis Supplement for Legacy Issues Associated
with Documented Safety Analyses at Pantex, dated September 18, 2018.
---------------------------------------------------------------------------
    Members of the Defense Nuclear Facilities Safety Board's (Board)
staff reviewed the hazard analysis reports (HAR) for B61, W76, W78,
W87, and W88 nuclear explosive operations at the Pantex Plant (Pantex).
The staff team held multiple interactions between November 2017 and
March 2018 with personnel from the National Nuclear Security
Administration (NNSA) Production Office (NPO) and the Pantex
contractor, Consolidated Nuclear Security, LLC (CNS), responsible for
development and maintenance of the Pantex documented safety analysis
(DSA) \5\ to discuss specific scenarios identified in the safety basis
documents.
---------------------------------------------------------------------------
    \5\ DSA refers to the full framework of safety analysis
documents comprising the safety basis for conducting nuclear
operations at Pantex. This includes HARs, safety analysis reports
(SAR), the technical safety requirements (TSR) document, JCOs, and
Evaluations of the Safety of the Situation.
---------------------------------------------------------------------------
    The Board's staff team identified credible hazard scenarios that
lack documented evidence that Pantex has identified and implemented
credited safety controls to prevent high order consequences, i.e.,
inadvertent nuclear detonation (IND) and/or high explosive violent
reaction (HEVR). High order consequences have the potential to
significantly exceed the Evaluation Guideline to the maximally exposed
offsite individual. Through evaluation of the Pantex safety basis, the
staff team identified additional deficiencies related to (1) the design
and classification of administrative controls relied upon for specific
risk reduction, (2) the processing of new information through the
approved unreviewed safety question (USQ) process, and (3) quality
issues in the safety basis documentation.
    Following the multiple interactions conducted during this review,
the staff team concluded that CNS and NPO have not demonstrated how the
current suite of credited controls--i.e., safety class and safety
significant structures, systems, and components (SSC); specific
administrative controls (SAC);
and safety management programs--effectively prevent the identified
hazard scenarios from resulting in high order consequences.
    Background. In July 2010, the Board transmitted a letter to the
NNSA Administrator communicating issues with HARs for several nuclear
explosive operations at Pantex [1]. The issues included concerns that
the Pantex contractor \6\ inappropriately used initiating event
probabilities to exclude credible hazards from further consideration.
In some instances, this resulted in hazard scenarios where the
responsible design agency provided a credible weapon response but the
Pantex contractor did not identify or implement controls to address
these hazards. In its 2010 letter, the Board concluded that this
practice was inconsistent with the safety basis safe harbor
methodologies in use at the time, i.e., DOE-NA-STD-3016-2006, Hazard
Analysis Reports for Nuclear Explosive Operations [2], and DOE-STD-
3009-1994, Change Notice 3, Preparation Guide for U.S. Department of
Energy Nonreactor Nuclear Facility Documented Safety Analyses [3].
---------------------------------------------------------------------------
    \6\ At the time of the 2010 Board letter, Babcock & Wilcox
Technical Services Pantex, LLC, was the management and operating
(M&O) contractor. Following a contract transition in July 2014, CNS
became the M&O contractor.
---------------------------------------------------------------------------
    NNSA \7\ and the former Pantex contractor, Babcock & Wilcox
Technical Services Pantex, LLC (B&W), developed a DSA Upgrade
Initiative (DSAUGI), in part, to address the concerns communicated in
the Board's 2010 letter. DSAUGI included goals to (1) develop accident
analyses for all hazardous events that do not have screened responses
for IND and HEVR, and (2) update the safety management programs to
ensure that the key provisions of the programs, as they relate to
operational and facility safety, are adequately described and
translated into TSRs [4]. As indicated in initial revisions of the
upgrade initiative, B&W and NNSA intended DSAUGI to be a multi-year
effort, \8\ with detailed schedules of deliverables maintained to
ensure that its goals were accomplished in a timely and complete
manner. Completion of DSAUGI, as it was initially described, would have
entailed significant revisions to the W76, W78, W87, and W88 HARs to
address deficient legacy conditions such as those identified in the
2010 Board letter [4].
---------------------------------------------------------------------------
    \7\ At the time of the 2010 Board letter, the local NNSA office
was referred to as the Pantex Site Office (PXSO). In 2012, PXSO
merged functions with the Y-12 Site Office to form NPO.
    \8\ The original plan, issued in 2011, was to complete DSAUGI by
the end of fiscal year 2015.
---------------------------------------------------------------------------
    In 2013, B&W developed the DSA Improvement Plan (DSAIP) to
``improve the Pantex DSA to achieve consistency and simplification, and
to address legacy issues'' [5]. DSAIP superseded DSAUGI. DSAIP had a
stated goal to ``achieve continuous improvement through incremental
change,'' as realized by incorporation of its core principles in DSA
change package development and during the DSA annual update process
[5]. The original revision of DSAIP specified 15 core principles,
including the following principles relevant to the issues presented in
this report:
    • Core Principle 4--``Evaluate important to safety controls
for either elimination or for elevation to a [credited safety-related]
control'' [5].
    • Core Principle 10--``Evaluate key elements for either
elimination or for re-categorization as a [credited safety-related]
control'' [5].
    • Core Principle 11--``Ensure Specific Administrative
Controls (SACs) are appropriately classified per DOE-STD-1186'' [5].
    Additionally, DSAIP stipulated specific initiatives necessary to
address legacy issues in the safety basis and to accomplish the plan's
goals. These initiatives, developed in part to address the issues
identified by the Board, included an effort to resolve ``screening of
high consequence/low probability events (in both Hazard and Accident
Analyses)'' [5]. The original issue of DSAIP included a notional
schedule to complete this effort through proposed safety basis change
packages, scheduled for submittal to NPO in February 2014 [5].
    B&W and CNS updated DSAIP annually from 2014 to 2017. The 2015 and
2016 DSAIP revisions listed the status of ``Resolving High Consequence/
Low Probability Events in the Accident Analysis'' as ``Ongoing,'' and
no longer provided an explicit path to closure [6, 7].
    The 2017 revision of DSAIP represented a significant change to the
plan--CNS retained the core principles and higher-level objectives, but
no longer provided the status of the specific initiatives, including
the initiative related to resolving high consequence, low probability
events [8]. Based on feedback and concerns from NPO related to the
quality of DSA change package submittals, CNS plans to revise DSAIP in
2018 ``to identify `Core Principle' efforts as discrete projects'' [9].
    In November 2017, the staff team performed a focused review of the
W88 HAR to determine if actions NNSA and CNS had taken, including those
accomplished through DSAUGI and DSAIP, effectively addressed the
concerns presented in the 2010 Board letter. Based on the issues the
staff team identified in the W88 HAR, the team expanded the review
scope to include additional HARs. The issues and conclusions described
in this report stem from that focused review and the staff team's
additional follow-on activities.
    The remainder of this report will explore four types of
deficiencies the staff team identified: (1) Credible hazard scenarios
that lack documented evidence that Pantex has identified and
implemented credited safety controls to prevent high order
consequences, (2) the design and classification of administrative
controls relied upon for specific risk reduction, (3) the processing of
new information through CNS's approved USQ process, and (4) quality
issues in the safety basis documentation.
    Identification of Credited Safety Controls for Credible Hazards.
The Board's staff team reviewed the hazard disposition tables and
related hazard and accident analyses located in the approved HARs for
B61, W76, W78, W87, and W88 operations to identify the controls relied
upon to prevent hazard scenarios from resulting in high order
consequences. While the safety bases identify adequate controls for the
vast majority of credible hazard scenarios, the Board's staff team
identified credible hazard scenarios with unscreened weapon responses
for IND and HEVR for which the safety bases either do not define
credited safety controls or for which the credited safety controls are
not sufficient. Of note, the staff team's review of applicable safety
basis documents was thorough but not exhaustive--additional problematic
scenarios may exist.
    DOE Expectations for the Identification of Credited Safety
Controls--Title 10, Code of Federal Regulations, Part 830, Nuclear
Safety Management (10 CFR 830), requires that the contractor
responsible for DOE nonreactor nuclear facilities establish and
maintain the safety basis for the facility. In doing so, the DSA for
the facility must ``[d]erive the hazard controls necessary to ensure
adequate protection of workers, the public, and the environment,
demonstrate the adequacy of these controls to eliminate, limit, or
mitigate identified hazards, and define the process for maintaining the
hazard controls current at all times and controlling their use'' [10].
The Pantex DSA is intended to implement the safety
basis requirements specified in 10 CFR 830 through adherence to the
following two safe-harbor methodologies: DOE-NA-STD-3016 for nuclear
explosive operations and DOE-STD-3009 for the facilities in which
nuclear explosive and nuclear material operations are performed. The
guidance and requirements specified in these documents describe DOE's
expectations for identification of necessary hazard controls.
    Per DOE-NA-STD-3016-2016, ``[h]azard scenarios that are not
screened for IND or HEVR consequences . . . are designated as Design
Basis Accidents (DBAs), and are retained for consideration in the
accident analysis section per DOE-STD-3009 . . . . With the exception
of [natural phenomena hazards], initiating event probability
information must not be used to dismiss the need to apply controls for
plausible accident scenarios resulting in IND or HEVR'' [11]. In this
context, ``screened'' is defined as ``[t]he weapon response likelihood
provided for given hazards and associated nuclear weapon configuration
combinations that the responsible DA(s) [design agency] asserts will
not result in a specific weapon response consequence. The assignment of
an IND or HEVR numerical likelihood [weapon response] will be treated
as screened if the likelihood were ≤ 10^-9'' [11].
    The 2016 revision of DOE-NA-STD-3016 was accepted into the Pantex
M&O contract in 2016, but has not yet been fully implemented. The
previous revision to this standard, DOE-NA-STD-3016-2006, does not
include a numerical screening threshold, and simply describes screened
weapon responses as ``[h]azards and associated weapon configuration
combinations that cannot result in a weapon response'' [2]. The HAR
development approach specified in DOE-NA-STD-3016 is built around an
assumption and acknowledgement that consequences from HEVR and IND
accidents will challenge the Evaluation Guideline in the absence of any
rigorous analysis. With this in mind, DOE-NA-STD-3016-2016 specifies
that ``[t]he approach to the identification and classification of
controls in the hazard analysis is the same as the process described in
DOE-STD-3009'' [11].
    The Pantex M&O contract applies the requirements of DOE-STD-3009-
1994, Change Notice 3, to existing facilities. This standard specifies
that ``[i]n order to comply with 10 CFR 830, specific safety controls
are to be developed in the DSA'' [3]. It clarifies this expectation by
stating that 10 CFR 830 ``defines safety class designation for SSCs
that are established on the basis of application of the Evaluation
Guidelines. This designation carries with it the most stringent
requirements (e.g., enhanced inspection, testing and maintenance, and
special instrumentation and control systems)'' [3]. When applied in the
context of nuclear explosive operations, the standard stipulates that
compliance with 10 CFR 830 requires application of safety class
controls to prevent or mitigate unscreened hazards with HEVR or IND
consequences.
    W88 Hazards with Insufficient Safety Controls--In November 2017,
the Board's staff team provided NPO and CNS with an initial list of
hazard scenarios from the DSA with weapon responses that were
unscreened for IND and HEVR consequences, and where safety class
controls were not clearly applied. Each of these scenarios potentially
is encountered during W88 operations in nuclear explosive cells. The
scenarios included postulated hazards related to mechanical impacts
caused by falling technicians; mechanical impacts due to dropped
tooling and components; and scrapes, pinches, and gouges of critical
weapon components. The Addendum to this report identifies the specific
scenarios in greater detail.
    Each identified hazard scenario applies a weapon response rule
where the likelihood of high order consequences is listed as
``sufficiently unlikely.'' This frequency bin generally corresponds to
conditional response likelihoods of 10^-7 or 10^-8
depending on the weapon program and consequence, given a particular
stimulus or insult. In the framework of weapon response and HAR
development, sufficiently unlikely is not equivalent to ``screened.''
While the likelihood of high order consequences for any of these
scenarios is extremely low, credited safety controls are still
necessary.
    Mitigative controls such as the specialized nuclear explosive cell
structure may be credited to reduce the consequences from HEVR
accidents, but such controls are not effective for IND scenarios.
Control sets for scenarios with a credible risk of IND must be
preventive in nature. Additionally, while the nuclear explosive cell
structure could be credited as a mitigative control to provide
protection from HEVR consequences, this control would not prevent high
order consequences in the immediate vicinity of the accident, requiring
the consideration of additional preventive controls. Control sets for
scenarios that occur in nuclear explosive bays with a credible risk of
HEVR or IND must also be preventive in nature because the bay structure
does not mitigate the consequence of such events.
    During an initial interaction with CNS safety analysis engineering
(SAE) and NPO nuclear safety and engineering personnel in November
2017, CNS presented its initial analysis of the identified scenarios to
the Board's staff review team. This initial analysis noted that, while
not currently and explicitly documented in the safety basis, the cell
structure is an in-place, safety class control that CNS could apply to
mitigate the consequences from HEVR accidents in the identified
scenarios.
    In addition, CNS noted that currently it had addressed other
scenarios by compensatory measures implemented via a JCO approved by
NPO in May 2017 [12]. However, CNS acknowledged that the remaining
scenarios did not have readily apparent controls. During subsequent
discussions with the Board's staff team, CNS personnel also indicated
that they had identified the potential for similarly treated hazard
scenarios on the W76 program. Based on these initial concerns, the
staff team decided to expand the scope of its review to include other
HARs that CNS had not updated recently. This included the B61, W76,
W78, and W87 programs.
    Treatment of New Information for W88 Hazard Scenarios--The approved
CNS procedure for USQ determinations defines a process whereby CNS
captures new information and evaluates whether it represents a
potential inadequacy of the safety analysis (PISA).\9\ At Pantex, this
is termed the problem identification and evaluation (PIE) process. Soon
after the initial meeting where the Board's staff team presented the
W88 hazard scenarios of concern, CNS SAE personnel captured the
identified scenarios as new information and initiated the PIE process.
Although CNS personnel indicated to the staff review team that other
programs might contain additional similar scenarios, it did not
formally evaluate other weapon programs via the PIE process.
---------------------------------------------------------------------------
    \9\ CNS has submitted, and NPO has approved, separate USQ
procedures at Pantex and Y-12; there may be inconsistencies with 10
CFR 830 that occur at both sites. CNS plans to consolidate the USQ
processes across both sites.
---------------------------------------------------------------------------
    After approximately one month of evaluation, CNS determined that
the identified new information did not represent a PISA. Specifically,
in response to the question ``Does the situation indicate an unanalyzed
hazard exists or a potential new credited control is needed?'', the PIE
process disposition form states that ``[a]lthough there are hazards
that identify no controls are selected, these hazards have
been dispositioned'' [13] with one or more specified disposition
pathways. The specified pathways are as follows: (1) Controls are
identified, (2) scenario is covered in the May 2017 JCO, (3) scenario
is not credible, (4) scenario identifies ``Facility Structure'' as a
mitigating design feature, and (5) scenario identifies ``Procedures and
Training'' as a safety management program key element.
    The Board's staff team independently evaluated CNS's disposition of
the identified hazard scenarios. The staff team agrees that the
scenarios dispositioned through the first two pathways, i.e., controls
are identified in the HAR or in the May 2017 JCO, are adequately
controlled. Per the CNS evaluation, these pathways apply to only seven
of the twenty-five identified hazard scenarios.\10\ The staff team
concluded that the three remaining disposition pathways--which CNS
applied for 18 hazard scenarios--are either not technically justified
or insufficient with regards to established expectations for control
reliability and efficacy.
---------------------------------------------------------------------------
    \10\ CNS performed its PIE response for 25 scenarios. The
Board's staff team identified additional scenarios during its
independent evaluation.
---------------------------------------------------------------------------
    CNS concluded through its PIE evaluation that a specific gouge
scenario, in a configuration with bare high explosives, is not
credible. The conclusion that this specific scenario is not credible
contradicts the Hazard Analysis Summary Table in the approved HAR,
which concludes that the hazard is credible. The staff team further
evaluated the scenario by reviewing the associated operating procedures
and could not identify any controls that would preclude the event. With
the current information provided by CNS, the staff team is unable to
independently reach the same conclusion as the Pantex contractor. The
staff review team further notes that CNS would need to request approval
from NPO to reverse a conclusion presented in the approved safety
basis.
    CNS concluded that the remaining 17 scenarios were controlled
through the use of the facility structure or through key elements of
safety management programs. However, as discussed above, the facility
structure is incapable of mitigating the consequences of IND scenarios
or preventing high order consequences in the immediate vicinity of the
accident, requiring consideration of additional preventive controls.
    For the remaining scenarios that have credible IND consequences,
the only preventive features are key elements of safety management
programs, such as ``procedures and training'' or the ``falling man
awareness protocol.'' In some instances, these key elements are ill-
defined and are not developed for the specific context for which they
are currently relied upon. In the case of the W88, the ``procedures and
training'' key element is not carried into the TSR document for
application at the floor level; attributes of the key element are not
defined to allow operators, supervisors, or oversight personnel to
verify their implementation; and the key elements cited by CNS are not
implemented via step-by-step operating procedures that would ensure
they are performed properly. Key elements alone cannot reliably prevent
these accident scenarios and do not meet DOE's established expectations
for controls relied upon to protect the public (this is discussed
further in the Administrative Controls Credited for Specific Risk
Reduction section).
    Extent of Condition Review for Hazards without Identified Safety
Controls--Based on the initial concerns noted on the W88 program, the
Board's staff team conducted an independent extent of condition review.
Specifically, the Board's staff team reviewed the B61, W76, W78, and
W87 HARs, associated nuclear explosive operating procedures, and
sections of applicable SARs. Through this review, the staff team
identified similar scenarios on each of the analyzed programs with the
exception of B61. After a preliminary review of the B61 HAR, the staff
team identified discrepancies in the identification of controls for
scenarios with sufficiently unlikely weapon response but did not find
any instances of a sufficiently unlikely weapon response without
appropriately implemented safety controls. For the remaining programs,
the staff team communicated hazard scenarios of concern to NPO and CNS
as it identified the scenarios. The specific scenarios are identified
in greater detail in the Addendum to this report. At the time of this
report, CNS had not reviewed these scenarios via its PIE process as
actionable new information, with the exception of those identified for
the W88 program.
    W76 Hazards without Identified Safety Controls--The staff team
identified five weapon configurations during W76 cell operations where
the HAR identifies a falling production technician hazard and applies a
sufficiently unlikely weapon response for a high order consequence. For
these hazard scenarios, there is no credited control. During
discussions with NPO and CNS personnel, CNS noted that the ``falling
man awareness protocol'' is an applicable control, albeit currently
uncredited in the HAR. The protocol includes specific training to
ensure the area of approach to a unit is clear of any objects that
could lead to a tripping hazard, to ensure approaches to the unit by
production technicians are minimized and only performed as needed to
support the process, and to ensure that production technicians approach
slowly and cautiously. The falling man awareness protocol was developed
as a best practice when it was implemented in 2014 [14], in part, to
address Board concerns and nuclear explosive safety evaluation findings
[1, 15, 16]. However, CNS has since credited the protocol with
performing a safety class function as a compensatory measure in B83 and
W88 JCOs.\11\ CNS also credited the protocol as an operational
restriction following a PISA on the W76. The development of the
protocol was not intended to meet DOE requirements and guidance for
designation as a safety class control. It is not appropriate to credit
the falling man awareness protocol as an operational restriction or
compensatory measure in lieu of developing engineered controls and/or
SACs and process improvements to prevent the hazard.
---------------------------------------------------------------------------
    \11\ The B83 JCO that includes the falling man awareness
protocol as a compensatory measure expired on May 16, 2018. CNS
administratively paused B83 operations upon its expiration. The W88
JCO remains in effect.
---------------------------------------------------------------------------
    W78 Hazards without Identified Safety Controls--The staff team
identified that the W78 HAR treats sufficiently unlikely weapon
responses as screened--an approach that could result in high order
consequence scenarios existing in the safety basis without safety class
preventive controls. The staff team did not find deficiencies in the
W78 HAR similar to those found for the other weapon programs, but this
could be due to the lack of clarity in assignment of controls to
process steps. Specifically, in the accident analysis, the W78 HAR
inappropriately credits controls that are not applicable in all of the
process steps for which they are credited to perform a safety function.
As a result, the applicable control suite for hazards in each process
step is not explicitly defined. Additionally, W78 program cell
operations recently implemented a transfer cart, mitigating some
falling technician concerns. However, the staff team did identify the
following deficiencies in the identification of safety controls for the
W78 program in the Sitewide and Transportation SARs.
    For a lightning insult scenario, a single control, i.e., a
transportation cart, is applied that only decreases the potential for
weapon response from the hazard to sufficiently unlikely. Although CNS
has additional controls available that could address this gap--e.g.,
use of a lightning detection and warning system and prohibiting
transport (e.g., movement of transportation cart containing unit within
the ramps that connect the bays and cells at Pantex) during lightning
warnings--W78 transport is currently authorized during lightning
warnings. NPO formally has accepted the risk presented by these
operations.
    During the movement of the unit in other facilities, the unit is at
risk from a hydraulic fluid fire (see Addendum). The hazard analysis
states that based on the weapon response to this threat, there is no
credible response because the frequency is sufficiently unlikely. As a
result, Pantex did not identify any safety class controls to prevent
the high order consequences from this scenario.
    W87 Hazards without Identified Safety Controls--During W87
disassembly operations, the mechanical safe and arm detonator (MSAD)
becomes exposed to mechanical impacts prior to its removal. The HAR
documents mechanical impact scenarios, including dropped tooling or
weapon components, seismic hazards causing an impact, and falling
technicians. The identified hazard scenarios of concern apply a
sufficiently unlikely weapon response for a high order consequence.
Special tooling is installed and the process is defined to minimize
hazards; however, the HAR does not identify any credited engineered or
administrative controls to prevent the accident.
    Additionally, due to the older design of the process, the special
tooling itself is the drop hazard in several cases. The W87 program
does not have an integrated workstand and does not use process carts to
introduce tooling and remove weapon components. These techniques are
standard practice for Seamless Safety for the 21st Century (SS-21) \12\
tooling and process design and have been used successfully to control
similar hazards on other weapon programs. The staff team focused on W87
disassembly operations; similar issues likely exist in assembly
operations.
---------------------------------------------------------------------------
    \12\ An SS-21 compliant process is one that incorporates the
principles outlined in the Design and Production Manual, Chapter
11.3, Seamless Safety (SS-21) For Assembly and Disassembly of
Nuclear Weapons at the Pantex Plant. Such a process prevents the
application of unauthorized or unanalyzed energy from sources
external to the nuclear weapon, contains no single-point failures in
the operation, and minimizes radiation exposure to personnel. NNSA
and the Pantex M&O contractors implemented SS-21 from 2004-2012;
however, the W87 was one of the earlier programs to be evaluated.
Subsequent to its implementation on the W87, SS-21 matured
substantially. In 2017, NNSA directed CNS to evaluate the potential
for undertaking an ``SS-21 refresh'' to implement tooling and
processes that would reflect current SS-21 concepts.
---------------------------------------------------------------------------
    During certain operations, the MSAD is intentionally operated in a
controlled manner. The weapon response summary document supporting the
HAR includes separate response values applicable to both
configurations--where the MSAD is not operated and where it is
operated. The likelihood of high order weapon response for scenarios
involving mechanical insult to the sensitive area of an operated MSAD
is higher than for the un-operated configuration. However, the HAR
assumes that it is not credible to impact the sensitive area of the
MSAD. The staff team reviewed both the HAR and applicable discussion in
the design agencies' weapon response summary document and concluded
that CNS has not adequately described the technical basis or referenced
supporting documentation to support the HAR's assertion that the
scenario is not credible.
    Safety Implications--For the weapon programs discussed in the above
sections, the staff team identified credible scenarios with potential
high order consequences without applied controls. Safety class
controls, meeting DOE expectations for such, are necessary to prevent
scenarios with IND consequences and prevent or mitigate scenarios with
potential HEVR consequences. Without adequate, reliable controls
identified in the Pantex DSA, NNSA has not demonstrated that these
hazards are prevented or mitigated.
    NNSA, CNS, and the design agencies are currently pursuing safety
basis updates on the B61 and W88 programs. The updates will improve the
overall quality of the HARs by using current practices and
methodologies that were not included when the original HARs were
developed--e.g., meeting DOE-NA-STD-3016-2016 expectations, including
additional implementation guidance. As part of the development process
for upcoming modernization of the B61 and W88, both programs'
operations are being overhauled, including making special tooling and
process improvements and upgrading the hazard analysis with the use of
Collaborative Authorization for the Safety-Basis Total Lifecycle
Environment-Pantex (CASTLE-PX).
    CASTLE-PX is a software tool used to organize, maintain, and track
hazards, weapon responses, and controls as Pantex and the design
agencies support hazard analysis development and maintenance. Given
that the W88 HAR currently is being updated, there would be a limited
period where compensatory measures would be needed to allow W88
operations to continue with a compliant and reliable control set. Given
the limited time until the new HAR is approved, a near-term JCO that
identifies controls to address hazard scenarios with unscreened weapon
responses without currently identified controls would be an appropriate
vehicle to implement these necessary compensatory measures.
    With respect to the W76, W78, and W87 HARs, these programs do not
fully use CASTLE-PX, nor have the HARs received a full upgrade since
their implementation. With the W76, a subset of bay operations was
upgraded via CASTLE-PX in 2013; however, the hazard scenarios of
concern identified by the staff team occur during cell operations,
which do not have a related HAR upgrade. With no near-term,
comprehensive safety basis upgrades planned for the W76, W78, and W87
programs, the staff team believes that timely action is needed to
identify controls and make any necessary procedure changes.
    Administrative Controls Credited for Specific Risk Reduction. CNS
has identified key elements of safety management programs, or the
falling man awareness protocol, as the controls relied upon for
preventing high order consequences for some of the hazard scenarios
that the staff review team identified as lacking credited controls.
However, relying on key elements of safety management programs does not
provide a level of protection equivalent to an engineered SSC or a
properly implemented SAC, and does not comply with codified
expectations in DOE directives.
    DOE Expectations for Administrative Controls Identified to Prevent
or Mitigate Accident Scenarios--When a contractor responsible for
operation of a nuclear facility develops the hazard analysis in
accordance with DOE-STD-3009, the contractor is required to put in
place controls to prevent or mitigate the consequence of hazards that
challenge the Evaluation Guideline to an acceptable level. As discussed
above, because the consequences from HEVR and IND are so grave, these
accidents are assumed to exceed the Evaluation Guideline and therefore
require safety class controls.
    If a contractor cannot design engineered controls for an accident
scenario, it has the option of developing an administrative control.
DOE-STD-1186-2016, Specific Administrative Controls, states, ``SACs
shall be designated where an administrative control performs [a safety
class (SC)] or [safety significant (SS)] safety function to prevent or
mitigate a postulated hazard or accident scenario'' [17]. As such, any
administrative control selected to prevent postulated accident
scenarios where the consequence is HEVR or IND should be designated in
the TSRs as a SAC. Due to the safety importance of SACs (i.e.,
fulfilling the role of a safety class or safety significant engineered
control), these controls require an enhanced pedigree and reliability
compared to other administrative controls to ensure their
dependability. For example, a human reliability assessment is
recommended when developing SACs to ensure their dependability, and a
SAC should be written so that it is verifiable through testing,
examination, and assessment that it is performing its safety function
[17].
    Application of Safety Management Program Key Elements for Specific
Risk Reduction--Key elements might be identified as part of an
administrative control; however, when the administrative control is
relied upon to prevent high order hazard scenarios, the critical
elements of the control should be designated as SACs, not simply noted
as key elements of the administrative control. The following discussion
from DOE-STD-3009-2014, Preparation of Nonreactor Nuclear Facility
Documented Safety Analysis, is relevant:
    The criteria for designating an [administrative control (AC)] as
a SAC include two conditions that need to be met: (1) ACs are
identified in the safety analysis as a control needed to prevent or
mitigate an accident scenario and (2) ACs have a safety function
that would be SS or SC if the function were provided by an SSC.
These . . . may serve as the most important control or only control,
and may be selected where existing engineered controls are not
feasible to designate as SS SSCs. Therefore, when ACs are selected
over engineering controls, and the AC meets the criteria for an SAC,
the AC is designated as a SAC. Controls identified as part of a
safety management program may or may not be SACs, based on the
designations derived from the hazards and accident analyses in the
DSA. Programmatic ACs are not intended to be used to provide
specific or mitigative functions for accident scenarios identified
in DSAs where the safety function has importance similar to, or the
same as, the safety function of SC or SS SSCs--the classification of
SAC was specifically created for this safety function--this
generally applies to the key element of the safety management
program that provides the specific preventive or mitigative safety
function. [emphasis added] [18].
    DOE-STD-3009 identifies several safety management programs that an
M&O contractor might want to consider for inclusion in a potential DSA.
The examples include criticality safety, fire protection, and other
programs. The standard also discusses key elements of these programs
that are critical for ensuring that the program can perform its
credited safety function:
    Key elements are those that: (1) are specifically assumed to
function for mitigated scenarios in the hazard evaluation, but not
designated an SAC; or, (2) are not specifically assumed to function
for mitigated scenarios, but are recognized by facility management
as an important capability warranting special emphasis. It is not
appropriate for a key element to be identified in lieu of a SAC. The
basis for selection as a key element is specified, including detail
on how the program element: (1) manages or controls a hazard or
hazardous condition evaluated in the hazard evaluation; (2) affects
or interrupts accident progression as analyzed in the accident
analysis; and (3) provides a broad-based capability affecting
multiple scenarios. [emphasis added] [18].
    Application of the Falling Man Awareness Protocol--Recently, CNS
has credited the falling man awareness protocol to perform a safety
class preventive function as a compensatory measure in B83 and W88
JCOs, as well as an operational restriction for the W76 program. This
protocol includes the provisions that specific training will be
provided to ensure that:
    • Approaches to nuclear explosives are clear of any objects
that could lead to a tripping hazard.
    • Approaches to nuclear explosives by production technicians
are minimized and only occur as needed to support the process.
    • Production technicians approach the nuclear explosive
slowly and cautiously.
    DOE's nuclear safety directives establish a hierarchy of controls
that specifies a preference for engineered controls over administrative
controls. In instances where engineered controls are not available to
prevent the falling technician hazard, CNS should formalize this
protocol as a SAC during the next annual safety basis update. This is
necessary to meet the intent of DOE directives, as discussed above.
Moreover, CNS should consider application of this SAC across the
remaining weapon programs and evaluate the application of additional
measures (e.g., tooling handoffs, transfer carts, work tables closer to
the unit) to increase the reliability of the control. Of note, on the
W78 program, a SAC is currently implemented to remove any potential
tripping hazards at the beginning of the production technicians' shift.
This SAC does not provide the same level of control as the W88 JCO,
which seeks to control the falling technician concern throughout the
entire shift; however, CNS recently implemented transfer carts for W78
operations, mitigating some falling technician concerns. Adoption of
the falling man awareness protocol SAC on the W78 program should also
be considered to fully control these scenarios.
    Safety Implications--Reliance on procedures and training and other
safety management program key elements as controls for specific risk
reduction in lieu of designation as a SAC is not appropriate in the
Pantex safety basis. There is no reliability assessment or appropriate
pedigree associated with the key elements, and reliance on procedures
and training has inherent weaknesses. Safety management programs do not
have the requisite reliability to assure appropriate prevention or
mitigation of hazards with potential consequences that exceed the
Evaluation Guideline. A recent report from the Board's Pantex resident
inspectors identified multiple breakdowns in the falling man awareness
protocol, a compensatory measure that lacks the required pedigree of a
SAC [19]. The falling man awareness protocol, if used for specific risk
reduction, should be formally codified as a SAC across weapon programs,
and application of additional measures, as noted above, should be
considered to increase the reliability of the control. In instances
where safety management programs are the only measures implemented in
the Pantex DSA to control high order consequences, NNSA has not
demonstrated that the hazards identified in this report are prevented
or mitigated.
    Processing of New Information. The USQ process as implemented at
Pantex includes a PIE process to evaluate new information, operational
events, and discrepant as-found conditions to determine whether they
represent a PISA. As part of the PIE process, CNS safety analysts
answer the following questions to determine if the problem will be
addressed as a PISA:
    1. Does the situation indicate that an unanalyzed hazard exists or
a potential new credited control is needed?
    2. Does the situation indicate that the parameters used or assumed
in the DSA, or in calculations used or referenced in
the DSA, may not be bounding or are otherwise inadequate with respect
to consequences or frequency?
    3. Does the situation indicate that a directive action SAC may not
provide the safety function assigned to it within the DSA?
    CNS determined that the unscreened hazard scenarios with high order
consequences and without credited safety class preventive controls for
the W88 program did not warrant a PISA designation. As discussed in
detail earlier in this report, the staff team disagrees with CNS's
evaluation. Moreover, the staff team does not believe that CNS has met
the relevant DOE expectations for processing new information.
    DOE Expectations for Evaluating New Information--DOE Guide 424.1-
1B, Implementation Guide for Use in Addressing Unreviewed Safety
Question Requirements, states the following for timeliness of
evaluating new information:
    10 CFR 830.203(g) requires certain actions for a PISA. A PISA
may result from situations that indicate that the safety basis may
not be bounding or may be otherwise inadequate; for example,
discrepant as-found conditions, operational events, or the discovery
of new information. It is appropriate to allow a short period of
time (hours or days but not weeks) to investigate the conditions to
confirm that a safety analysis is potentially inadequate before
declaring a PISA. The main consideration is that the safety analysis
does not match the current physical configuration, or the safety
analysis is inappropriate or contains errors. If it is immediately
clear that a PISA exists, then the PISA should be declared
immediately. [20]
    CNS flows down this guidance into its local implementing procedure,
CD-3014, Pantex Plant Unreviewed Safety Questions Procedure, as
follows:
    If the determination can be readily made that a PISA does not
exist within 3 business days from when [new information] is
determined to be mature, or an operational event occurs, the
decision will be documented. If the determination cannot be readily
made in this timeframe, a PISA is declared and documented. [21]
    Evaluation of New Information Identifying Credible Hazards without
Credited Safety Controls--CNS dispositioned the W88-focused PIE entry
after approximately one month, concluding there was no PISA. This lack
of timeliness in processing the new information is inconsistent with
the expectations of relevant DOE directives and the NPO-approved site
implementing procedure. Based on its evaluation of the W88 PIE entry,
CNS has not entered the PIE process for the corresponding new
information for the other weapon programs discussed above. Furthermore,
NPO and CNS informed the staff review team that the DSA will be further
improved under the current DSAIP, so more immediate actions are not
needed. However, the staff team identified significant problems with
relying on DSAIP to address the handling of unscreened ``sufficiently
unlikely'' scenarios:
    • DSAIP included a core principle to discontinue the use of
key elements of safety management programs as a control for specific
risk reduction. However, CNS has not defined a timeline or included
specific tasks (e.g., individual SARs and HARs) to eliminate this use
of key elements. Additionally, although the core principle has been
present since the original DSAIP was developed in 2013, the use of key
elements as controls for specific risk reduction remains prevalent
throughout the DSA.
    • DSAIP included an initiative to meet DSA requirements to
address high consequence, low probability events. DSAIP revisions 1 and
2 included this initiative with explicit tasks and schedules. However,
revisions 3 and 4 included it as a general initiative with an
``ongoing'' schedule status. CNS removed any discussion of high
consequence, low probability events from the current DSAIP (revision
5).
    In a February 2018 interaction with the Board's staff team and a
Board member, NPO and CNS discussed the development of a safety
evaluation report to justify the current safety posture [22].
Additionally, NPO and CNS discussed the concept of separating DSAIP
into an improvement plan and a ``compliance'' directed plan, the latter
of which might be included in support of the safety evaluation report.
NPO and CNS are developing the documents to support the proposed safety
evaluation report. CNS submitted a JCO \13\ to NPO for review and
approval on June 29, 2018, to justify the current safety posture and
continue operations. However, the submitted JCO does not formalize
safety controls for a number of the credible accident scenarios
detailed in this report. As of July 27, 2018, NPO was still reviewing
the JCO. CNS has not taken any immediate actions in the interim, e.g.,
identifying and implementing compensatory measures for the applicable
scenarios.
---------------------------------------------------------------------------
    \13\ Consolidated Nuclear Security, LLC, Justification for
Continued Operations for Legacy Issues Associated with Documented
Safety Analyses at Pantex, June 29, 2018.
---------------------------------------------------------------------------
    Safety Implications--The staff team finds CNS's evaluation of this
new information to be inadequate. CNS has continued nuclear explosive
operations on all applicable programs without applying compensatory
measures or operational restrictions to address the deficiencies
identified by the staff team. Furthermore, CNS's disposition of the PIE
entry for W88 hazard scenarios failed to meet the timeliness
expectations of relevant DOE directives and the NPO-approved site
implementing procedure.
    Overall Challenges with DSA Quality. Throughout the independent
extent of condition review, the staff team encountered numerous DSA
quality concerns, including the following:
    • Poor documentation of how hazard scenarios are
dispositioned.
    • Unscreened hazard scenarios not carried forward for
control selection.
    • Multiple, duplicate scenarios existing in the safety basis
document with different control suites selected.
    • Unclear documentation of control selection.
    • Inappropriate use of safety management program key
elements.
    • Assumptions in safety basis not protected in the TSRs to
show that a hazard is not credible.
    • Inconsistencies between HARs on what hazard scenarios
require a control.
    • Inconsistencies and conflicting statements between
different sections of the safety basis document.
    • Errors in mapping weapon response rule probabilities from
the design agency document to the HAR.
    • Unreferenced supporting documentation.
    Additionally, while not within Pantex's control, the quantity of
different design agency-provided weapon response summary documents for
each program can be cumbersome. It is not clear how and when the design
agencies update their weapon response summary documents or which weapon
response rule version is being implemented.
    Each of these quality concerns on its own might not represent a
safety issue; however, it is clear that Pantex DSAs are not
consistently maintained with appropriate rigor. One way DSAs are
maintained and improved is through annual updates, as required by 10
CFR 830. Specifically, 10 CFR 830 requires the M&O contractor to
``[a]nnually submit to DOE either the updated documented safety
analysis for approval or a letter stating that there have been no
changes in the documented safety analysis since the prior submission .
. .'' [10]. In recent years, CNS has had issues with submitting annual
updates on a timely basis. For example, in a December 22, 2016,
memorandum NPO identified to CNS the concern with safety basis annual
update timeliness, as well as quality concerns. The memorandum
identified specific examples, including the annual updates for the W80
and W78 HARs being overdue for more than four and six months,
respectively [23]. Additionally, the majority of improvement activities
have been de-scoped from Pantex annual updates, leaving little value-
added in the update efforts besides incorporating negative USQs into
HARs and SARs.
    CNS recently started taking actions to address issues with the
quality of DSA change package submittals [9]. Throughout 2017, NPO
rejected or CNS withdrew numerous DSA change package submittals due to
technical and quality issues. While CNS has instituted recent actions
intended to improve submittal quality, these actions will not
necessarily address the types of DSA quality deficiencies encountered
by the staff review team.
Appendix 1 Addendum
    Specific Hazard Scenarios with Uncontrolled Hazards. The Board's
staff team reviewed Hazard Analysis Reports (HAR) and select portions
of the Safety Analysis Reports (SAR) for five weapon programs--B61,
W76, W78, W87, and W88. The staff team reviewed the hazard disposition
tables and related hazard and accident analyses located in the approved
HARs and SARs, and found that they contained hazard scenarios with
unscreened weapon responses for inadvertent nuclear detonation (IND)
and high explosive violent reaction (HEVR) consequences where safety
class controls were not clearly applied. The tables below identify the
specific scenarios of concern. The tables include the hazard
identification number referenced in each corresponding HAR or SAR, a
description of the insult type, the credited controls (if any) for high
order consequences, and additional staff comments. Of note, while
thorough, the staff team's review of applicable safety basis documents
is not exhaustive. Additional scenarios with similar concerns may
exist.
    W88. The Board's staff team reviewed the W88 HAR. The HAR
categorizes certain unscreened scenarios as ``sufficiently unlikely''
to result in weapon response with a high order consequence. In several
such scenarios, although the HAR identified a control, the staff team
identified an issue with the documentation of the control. For the
remaining such scenarios, the HAR did not identify an appropriately
documented control. In the table below, superscript numerals within
each row associate applied controls to the hazard scenarios (if no
superscript exists, the control applies to all listed hazards).
----------------------------------------------------------------------------------------------------------------
                                                                Currently applied
             Hazard ID                     Insult type              controls         Board's staff team comments
----------------------------------------------------------------------------------------------------------------
C.DI.6.I.06........................  Drop..................  Personnel Evacuation    No safety class controls
                                                              (Specific               applied to mitigate/
                                                              Administrative          prevent high order
                                                              Control [SAC]).         consequences. Control of
                                                                                      Equipment (SAC) could be
                                                                                      applied as preventive
                                                                                      control.
C.ADI.I.20,\1\ C.A.22.I.11,\1\       Falling Technician....  Safety Management       Facility Structure credited
 C.A.23.I.02,\1\ C.A.24a.I.06,\1\                             Program (SMP) Key       to mitigate some HEVR
 C.A.19.I.15,\1\ C.DI.6.I.02,\1\                              Element (Procedures     consequences, but no
 C.ADI.I.21 \2\.                                              and Training).*         sufficient controls
                                                              Nuclear Explosive       applied to prevent IND or
                                                              Cells Facility          to protect immediate
                                                              Structure.\1\           vicinity from HEVR. SMP
                                                              Personnel Evacuation    Key Element
                                                              (SAC) \2\.              inappropriately used for
                                                                                      risk reduction.
C.DI.7.I.04, C.ADI.I.22............  General Falling         Use of Process          Two example scenarios
                                      Technician.             Transfer Cart (SAC).    listed are not all
                                                                                      inclusive. Use of Process
                                                                                      Transfer Cart (SAC)
                                                                                      applies for production
                                                                                      technician manipulating
                                                                                      special tooling, but does
                                                                                      not apply for second
                                                                                      technician without special
                                                                                      tooling approaching unit.
C.ADI.I.29.........................  Falling Technician....  Personnel Evacuation    No safety class controls
                                                              (SAC). Procedures and   applied to prevent/
                                                              Training SMP.*          mitigate high order
                                                              Conduct of Operations   consequences. SMPs
                                                              SMP *.                  inappropriately used for
                                                                                      risk reduction.
C.DI.6.G.02........................  Scrape................  No controls applied...  In response to the 11/16/
                                                                                      2017 problem
                                                                                      identification and
                                                                                      evaluation entry,
                                                                                      Consolidated Nuclear
                                                                                      Security, LLC (CNS)
                                                                                      concluded this event is
                                                                                      not credible. The basis
                                                                                      for this determination is
                                                                                      unclear given the
                                                                                      probability of insult
                                                                                      specified in the approved
                                                                                      HAR. As a result, no
                                                                                      safety class controls
                                                                                      applied to prevent/
                                                                                      mitigate high order
                                                                                      consequences.
C.DI.7.G.01........................  Scrape................  Procedures and          No safety class controls
                                                              Training SMP *.         applied to prevent/
                                                                                      mitigate high order
                                                                                      consequences. SMP Key
                                                                                      Element inappropriately
                                                                                      used for risk reduction.
C.DI.9.I.04,\1\ \2\                  Drop, falling           Personnel Evacuation    The Nuclear Explosive Cells
 C.DI.9.I.08,\3\ \4\                 technician, and gouge   (SAC).\1\ SMP Key       Facility Structure could
 C.DI.10.I.09,\3\ \4\                scenarios resulting     Element (Procedures     be credited to
 C.DI.10.I.10,\1\ C.DI.11.I.08,\3\   in HEVR consequences    and Training),\2\ *     mitigate HEVR consequences
 C.DI.12.I.06,\3\ \4\                only (no IND).          Procedures and          but would not protect the
 C.DI.14.G.02,\3\                                            Training SMP.\3\ *      immediate vicinity.
 C.A.1.I.01,\3\ \4\ C.A.3.G.02,\3\                           Conduct of Operations
 C.A.12.I.01,\3\ \4\                                         SMP.\4\ *.
 C.A.12.I.02,\3\ \4\
 C.A.14.I.04,\3\ \4\
 C.A.16.I.02,\3\ C.A.17.I.16,\3\
 C.ADI.I.41,\1\ C.ADI.I.70\3\.
C.DI.12.I.03, C.DI.15.I.02,          Drop and falling        No controls applied...  The Nuclear Explosive Cells
 C.A.2.I.03, C.A.3.I.04,              technician scenarios                            Facility Structure could
 C.A.4.I.06, C.A.10.I.02.             resulting in HEVR                               be credited to mitigate
                                      consequences only (no                           HEVR consequences but
                                      IND).                                           would not protect the
                                                                                      immediate vicinity.
----------------------------------------------------------------------------------------------------------------
* SMP Key Element (Procedures and Training) or SMPs (Procedures and Training or Conduct of Operations) are
  discussed in the HAR as a reason to accept the risk without applied safety class controls. It is not clear
  where attributes of the Procedures and Training Key Element are developed for specific application to W88
  operations (i.e., neither in W88 HAR nor Sitewide SAR).
Source: (U) W88 Disassembly & Inspection and Assembly Hazard Analysis Report, AB-HAR-941335, Issue 28, January
  31, 2018.
    Extent of Condition Review for Hazards without Identified Safety
Controls--Based on the concerns identified in the W88 HAR, the Board's
staff team conducted an independent extent of condition review. Members
of the Board's staff reviewed the B61, W76, W78, and W87 HARs,
associated nuclear explosive operating procedures, and sections of
applicable SARs. Through this review, the staff team identified similar
scenarios on each of the analyzed programs with the exception of the
B61.
    B61. After a preliminary review of the B61 HAR, the staff team
identified discrepancies in the identification of controls for
scenarios with sufficiently unlikely weapon response but did not
identify concerns related to the application of a sufficiently unlikely
weapon response without appropriately identified implemented safety
controls. The hazard scenarios below include safety basis quality
issues.
----------------------------------------------------------------------------------------------------------------
                                                                Currently applied
             Hazard ID                     Insult type              controls         Board's staff team comments
----------------------------------------------------------------------------------------------------------------
5324, 5325, 5329, 5342, 5526, 5529,  Drop/Pressure of Force  Special tooling.......  Special tooling has safety
 5557, 5558, 5571, 5572, 5799,                                                        significant functional
 12716.                                                                               requirements to address
                                                                                      low order consequences but
                                                                                      is not designated safety
                                                                                      class because the HAR
                                                                                      asserts that high order
                                                                                      consequences are
                                                                                      sufficiently unlikely.
                                                                                      Based on the
                                                                                      specifications of the
                                                                                      special tooling program,
                                                                                      there are limited
                                                                                      differences between
                                                                                      analysis activities
                                                                                      required to meet safety
                                                                                      significant functional
                                                                                      requirements and safety
                                                                                      class functional
                                                                                      requirements.
                                                                                      Additionally, each of the
                                                                                      tools relied upon to
                                                                                      prevent the accident have
                                                                                      other safety class
                                                                                      functional requirements
                                                                                      applied for other hazard
                                                                                      scenarios.
5333...............................  Impact or Crush by an   Safety Cable, Tyrap,    This scenario, as listed in
                                      Object (hose whip).     Filament Tape,          the HAR, is controlled for
                                                              Material Access Area    several other weapon
                                                              Operations              configurations.
                                                              Requirement (Sitewide   Authorization Basis Change
                                                              SAR).                   Packages 18-06 and 17-62
                                                                                      implement a new control
                                                                                      suite to require air hose
                                                                                      restraints to be used,
                                                                                      including step-by-step
                                                                                      implementation with two
                                                                                      technician verification.
                                                                                      Per the new control
                                                                                      description, as specified
                                                                                      in B61 HAR section 4.3.1
                                                                                      and Sitewide SAR section
                                                                                      4.3.50, the controls do
                                                                                      not explicitly apply to
                                                                                      the ultimate user
                                                                                      configuration; however,
                                                                                      Hazard ID 5333 applies to
                                                                                      the ultimate user
                                                                                      configuration and lists
                                                                                      HEVR and IND consequences
                                                                                      as sufficiently unlikely.
                                                                                      Rule 2.7.1 in GE1A4947,
                                                                                      (U) General Engineering,
                                                                                      Weapon Response Summary,
                                                                                      B61, Issue C, indicates
                                                                                      that this hazard screens
                                                                                      in this configuration.
----------------------------------------------------------------------------------------------------------------
Source: (U) B61 SS-21 Hazard Analysis Report, AB-HAR-940572, Issue 44, January 18, 2018.
    W76. The staff team identified the following hazard scenarios
during W76 operations that have inadequate controls assigned.
[[Page 10206]]
----------------------------------------------------------------------------------------------------------------
                                                                Currently applied
             Hazard ID                     Insult type              controls         Board's staff team comments
----------------------------------------------------------------------------------------------------------------
2.1.16.3, 2.1.17.3, 2.1.18.3.......  Mechanical Impact.....  Facility Structure....  Section 3.4.2.2.6 of the
                                                                                      HAR states: ``Given the
                                                                                      nature of these operations
                                                                                      and the actions that would
                                                                                      be required to produce a
                                                                                      weapon response, no
                                                                                      additional Task Exhaust or
                                                                                      Pump Fixture controls are
                                                                                      assigned to further reduce
                                                                                      the potential for an
                                                                                      impact from these items.
                                                                                      The event contributors for
                                                                                      Rules 2.1.16.3, 2.1.17.3,
                                                                                      2.1.18.3, 2.1.20.3, and
                                                                                      2.1.21.3, which are all
                                                                                      uncased [high explosive]
                                                                                      configurations, are
                                                                                      dominated by an impact
                                                                                      from a Production
                                                                                      Technician that trips and
                                                                                      falls into the uncased HE
                                                                                      [high explosive]
                                                                                      configuration. No controls
                                                                                      were identified that could
                                                                                      further reduce the
                                                                                      potential for a trip.''
                                                                                      Facility Structure is
                                                                                      credited to mitigate HEVR
                                                                                      consequences, but no
                                                                                      sufficient controls are
                                                                                      applied to prevent IND or
                                                                                      protect immediate vicinity
                                                                                      from HEVR.
2.1.13.8, 2.1.14.11, 2.1.14.16,      Mechanical Impacts to   Personnel Evacuation    The referenced scenarios
 2.1.14.2, 2.1.14.4, 2.1.23.16,       the CSA.                (SAC).                  list a Burning Dispersal
 2.1.23.18, 2.2.2.21, 2.2.2.24,                                                       response of sufficiently
 2.2.5.8.                                                                             unlikely; however, the
                                                                                      applicable weapon response
                                                                                      summary document lists the
                                                                                      burning dispersal response
                                                                                      as screened. The prior
                                                                                      revision of the weapon
                                                                                      response summary document
                                                                                      lists the burning
                                                                                      dispersal response as
                                                                                      sufficiently unlikely, so
                                                                                      the HAR appears to present
                                                                                      outdated information.
2.2.2.22...........................  Mechanical Drop/Topple/ Personnel Evacuation    The referenced rule is not
                                      Swing/Push.             (SAC).                  listed in the referenced
                                                                                      weapon response summary
                                                                                      document. The prior
                                                                                      revision of the weapon
                                                                                      response document
                                                                                      contained a rule that was
                                                                                      formerly applicable. Based
                                                                                      on the current weapon
                                                                                      response summary document,
                                                                                      the staff team concluded
                                                                                      there is no control
                                                                                      deficiency in this
                                                                                      instance.
----------------------------------------------------------------------------------------------------------------
Source: (U) W76-0/1 SS-21 Assembly, Disassembly & Inspection, and Disassembly for Life Extension Program
  Operations Hazard Analysis Report, RPT-HAR-255023, Issue 71, November 30, 2017.
    W78. The staff team identified the following hazard scenarios
during W78 operations that have inadequate controls assigned.
----------------------------------------------------------------------------------------------------------------
                                                                Currently applied
             Hazard ID                     Insult type              controls         Board's staff team comments
----------------------------------------------------------------------------------------------------------------
B.2.H.1, B.3.H.1, B.4.H.1..........  Exothermic Reaction...  Sufficient control set  The HAR inappropriately
                                                              for HEVR.               uses combined frequency
                                                                                      (i.e., initiating event
                                                                                      frequency with weapon
                                                                                      response) to remove IND
                                                                                      from further
                                                                                      consideration. However,
                                                                                      sufficient controls
                                                                                      applied for HEVR
                                                                                      consequences.
Sitewide SAR, (Rule 4.4.3).........  Lightning.............  W78 Transportation      The HAR asserts that the
                                                              Configuration.          mitigated weapon response,
                                                                                      with the applied control,
                                                                                      is sufficiently unlikely,
                                                                                      so no additional controls
                                                                                      were applied. Similar
                                                                                      concerns apply to other
                                                                                      weapon programs.
Transportation SAR, (Rule 3.1.3)...  Hydraulic Fluid Fire..  No controls applied...  No controls applied for
                                                                                      high order consequences.
                                                                                      According to the
                                                                                      Transportation SAR,
                                                                                      ``Based on weapon
                                                                                      response, no credible
                                                                                      response as frequency is
                                                                                      Sufficiently Unlikely.''
                                                                                      Similar concerns apply to
                                                                                      other weapon programs.
----------------------------------------------------------------------------------------------------------------
Source: (U) W78 Step II Disassembly & Inspection and Repair Hazard Analysis Report, AB-HAR-319393, Issue 63,
  September 22, 2017; (U) Transportation SAR, AB-SAR-940317, Issue 81, September 19, 2017; (U) Sitewide SAR, AB-
  SAR-314353, Issue 288, January 31, 2018.
    W87. The Board's staff team reviewed the disassembly portion of the
W87 HAR. Although not reviewed, similar concerns likely exist with the
assembly portion of the W87 HAR. The identified hazard scenarios of
concern apply a sufficiently unlikely weapon response for a high order
consequence. In several instances, the control set is adequate;
however, there is a safety basis quality issue with the documentation
of the control. With the remaining instances, a sufficiently unlikely
weapon response for a high order consequence exists without an
appropriately documented control.
[[Page 10207]]
----------------------------------------------------------------------------------------------------------------
                                                                Currently applied
             Hazard ID                     Insult type              controls         Board's staff team comments
----------------------------------------------------------------------------------------------------------------
B.ISMO.14.D.02, B.ISMO.16.D.02.....  Drop of unit..........  Special Tooling.        While the staff team
                                                              Verification of         believes the control set
                                                              Proper Installation     to be adequate, the
                                                              of the Nuclear          documentation of the
                                                              Explosive/Tooling       hazard scenario does not
                                                              Interface (SAC).        appear to be fully
                                                                                      developed. Tables
                                                                                      3.4.2.2.3-5 and -6 of the
                                                                                      HAR state that the
                                                                                      particular high order
                                                                                      consequence related to the
                                                                                      sufficiently unlikely
                                                                                      weapon response is not
                                                                                      carried forward for
                                                                                      further evaluation, i.e.,
                                                                                      control selection.
D32WS-48, D32WS-52, D32WS-86, D32WS- Drop of weapon          No controls applied...  Table 3.4.2.1.3-3 of the
 100, D32WS-129.                      component and/or                                HAR states that the
                                      tooling onto                                    particular high order
                                      configuration,                                  consequence related to the
                                      Falling technician.                             sufficiently unlikely
                                                                                      weapon response is not
                                                                                      carried forward for
                                                                                      further evaluation, i.e.,
                                                                                      control selection.
B.ISMO.24.I.03, (3rd instance, Rule  Drop of weapon          No controls applied...  Table 3.4.2.1.3-4 of the
 2.1.4.26a), B.ISMO.24.I.09, (1st     component and/or                                HAR states that the
 instance, Rule 2.1.4.25a),           tooling onto                                    particular high order
 B.ISMO.24.I.09, (2nd instance,       configuration,                                  consequence related to the
 Rule 2.1.4.25a), B.ISMO.24.I.09,     Falling Technician.                             sufficiently unlikely
 (3rd instance, Rule 2.1.4.25a).                                                      weapon response is not
                                                                                      carried forward for
                                                                                      further evaluation, i.e.,
                                                                                      control selection. An
                                                                                      example of special tooling
                                                                                      that could be dropped and
                                                                                      result in an impact to the
                                                                                      sensitive area of the
                                                                                      component (per CODT-2004-
                                                                                      0295 Rev. 6, the Lawrence
                                                                                      Livermore National
                                                                                      Laboratory weapon response
                                                                                      summary document) is any
                                                                                      of the three guide
                                                                                      bearings during their
                                                                                      removal. The removal of
                                                                                      the guide bearings occurs
                                                                                      after a protective cover
                                                                                      (Skull Cap) has been
                                                                                      removed, but before the
                                                                                      component is removed. Note
                                                                                      that the Skull Cap is not
                                                                                      a credited safety class
                                                                                      control. The Skull Cap is
                                                                                      analyzed for a particular
                                                                                      force but has not been
                                                                                      evaluated to ensure it
                                                                                      could perform a safety
                                                                                      requirement if needed. For
                                                                                      a falling technician, the
                                                                                      impact location is not
                                                                                      controlled to prevent
                                                                                      impact to the sensitive
                                                                                      area.
N/A................................  Drop of hand tool onto  No controls applied...  HAR does not include this
                                      sensitive area of                               scenario for the unique
                                      component.                                      operation and
                                                                                      configuration analogous to
                                                                                      Hazard ID D32WS-86 above.
D32WS-70...........................  Drop of flashlight      Approved Equipment      Section 3.3.2.1 of the HAR
                                      with electrical         Program.                states that the electrical
                                      coupling.                                       hazard is sufficiently
                                                                                      unlikely, and therefore,
                                                                                      not carried forward for
                                                                                      further evaluation. CODT-
                                                                                      2004-0295 Rev. 6 states
                                                                                      that the weapon response
                                                                                      does not screen. However,
                                                                                      CODT-2004-0295 Vol. 2 Rev.
                                                                                      3 clarifies that the
                                                                                      weapon response screens.
                                                                                      The staff team concluded
                                                                                      that the scenario does
                                                                                      screen, but the discussion
                                                                                      in Section 3.3.2.1 is
                                                                                      inappropriate, and lack of
                                                                                      a singular weapon response
                                                                                      summary document makes for
                                                                                      unclear documentation.
D33WSa-18, D34WS-12, D34WS-14......  Drop of weapon          No controls applied...  Table 3.4.2.1.3-3 in the
                                      component and/or                                HAR states that the high
                                      tooling onto                                    order consequence is
                                      configuration.                                  sufficiently unlikely and
                                                                                      the hazard is not carried
                                                                                      forward for further
                                                                                      evaluation.
D34WS-41...........................  Falling technician      No controls applied...  Table 3.4.2.1.3-3 in the
                                      while carrying                                  HAR states that the high
                                      special tooling                                 order consequence is
                                      (metal with hard                                sufficiently unlikely and
                                      corners/edge).                                  the hazard is not carried
                                                                                      forward for further
                                                                                      evaluation.
N/A................................  Falling technician      No controls applied...  The HAR's Appendix does not
                                      resulting in an                                 include this scenario for
                                      impact to the                                   the unique operation and
                                      sensitive area of                               more sensitive orientation
                                      component.                                      (after rotating) of
                                                                                      configuration analogous to
                                                                                      Hazard ID D34WS-41 above.
                                                                                      Similar hazard scenarios
                                                                                      (D34WS-43, D34WS-50, D34WS-
                                                                                      60) assume the technician
                                                                                      will only impact the side
                                                                                      of the unit. The staff
                                                                                      team believes a direct
                                                                                      impact from a falling
                                                                                      technician to the
                                                                                      sensitive area is a
                                                                                      credible hazard.
B.ISMO.26.I.01.....................  Drop of Hand Tool onto  No controls applied...  The HAR's Appendix states
                                      configuration.                                  that the orange stick is
                                                                                      the only tool used during
                                                                                      this configuration and
                                                                                      that weapon response ``a''
                                                                                      applies. The staff team
                                                                                      notes that the selected
                                                                                      weapon response (2.1.5.15)
                                                                                      does not relate to the
                                                                                      discussion in the HAR's
                                                                                      Appendix. The more
                                                                                      sensitive orientation
                                                                                      (after rotating) is not
                                                                                      considered. The staff team
                                                                                      believes that given the
                                                                                      postulated energies,
                                                                                      weapon response 2.1.5.11b
                                                                                      would be applicable. That
                                                                                      response is applicable
                                                                                      because any postulated
                                                                                      impact could occur over
                                                                                      the sensitive area.
                                                                                      However, if the orange
                                                                                      stick is the only tool
                                                                                      that can be used in this
                                                                                      task, then this hazard
                                                                                      scenario would not be
                                                                                      credible.
B.ISMO.26.I.03.....................  Drop of special         No controls applied...  The HAR's Appendix states
                                      tooling onto                                    that the design of the
                                      configuration.                                  tool prevents a direct
                                                                                      impact to the sensitive
                                                                                      area of the component;
                                                                                      therefore, weapon response
                                                                                      ``a'' is applied. There is
                                                                                      not an adequate basis for
                                                                                      this assertion. While the
                                                                                      weapon response summary
                                                                                      document provides a probe
                                                                                      size example, it also
                                                                                      states the ``b'' weapon
                                                                                      response applies if the
                                                                                      insult is over the
                                                                                      sensitive area. The staff
                                                                                      team believes the special
                                                                                      tooling could impact the
                                                                                      sensitive area; therefore,
                                                                                      weapon response ``b''
                                                                                      should be applied.
                                                                                      Additionally, the tooling
                                                                                      has sharp (i.e., 90
                                                                                      degree) corners.
N/A................................  Technician trips        No controls applied...  The HAR's Appendix does not
                                      resulting in an                                 include this scenario for
                                      impact to the                                   the same configuration and
                                      sensitive area of                               orientation analogous to
                                      component.                                      Hazard ID B.ISMO.26.I.03
                                                                                      above.
N/A................................  Mechanical impact due   No controls applied...  Rule 2.1.5.24a is not
                                      to hand tool drop.                              referenced in the HAR's
                                                                                      Appendix. However, the
                                                                                      ``a'' weapon response is
                                                                                      used to develop the impact
                                                                                      scenario frequencies in
                                                                                      Table 3.4.2.1.3-2. There
                                                                                      is not an adequate basis
                                                                                      for the selection of the
                                                                                      ``a'' weapon response
                                                                                      usage. The reviewers
                                                                                      believe the special
                                                                                      tooling could impact the
                                                                                      sensitive area; therefore,
                                                                                      weapon response ``b''
                                                                                      should be applied.
                                                                                      Additionally, most
                                                                                      articles of tooling have
                                                                                      sharp (i.e., 90 degree)
                                                                                      corners.
----------------------------------------------------------------------------------------------------------------
Source: (U) W87 Step II Assembly and Disassembly & Inspection Hazard Analysis Report, AB-HAR-940626, Issue 41.
Appendix 1 References
    [1] Defense Nuclear Facilities Safety Board, Review of Hazard
Analysis Reports, Pantex Plant, Washington, DC, July 6, 2010.
    [2] Department of Energy, Hazard Analysis Reports for Nuclear
Explosive Operations, DOE-NA-STD-3016-2006, Washington, DC, 2006.
    [3] Department of Energy, Preparation Guide for U.S. Department
of Energy Nonreactor Nuclear Facility Documented Safety Analyses,
DOE-STD-3009-1994 Chg Notice 3, Washington, DC, 2006.
    [4] Tifany Wyatt, Babcock & Wilcox Technical Services Pantex,
LLC, Documented Safety Analysis Upgrade Initiative Project Plan,
Issue 3, Pantex Plant, May 17, 2011.
    [5] Authorization Basis Department, Babcock & Wilcox Technical
Services Pantex, LLC, The Documented Safety Analysis Improvement
Plan (DSAIP), Revision 1, Pantex Plant, July 25, 2013.
    [6] Safety Analysis Engineering Department, Consolidated Nuclear
Security, LLC, The Documented Safety Analysis Improvement Plan
(DSAIP), Revision 3, Pantex Plant, February 16, 2015.
    [7] Safety Analysis Engineering Department, Consolidated Nuclear
Security, LLC, The Documented Safety Analysis Improvement Plan
(DSAIP), Revision 4, Pantex Plant, February 29, 2016.
    [8] Safety Analysis Engineering Department, Consolidated Nuclear
Security, LLC, The Documented Safety Analysis Improvement Plan
(DSAIP), Revision 5, Pantex Plant, September 21, 2017.
    [9] Memorandum from M.S. Beck to K.D. Ivey, Quality of Pantex
Safety Basis Submittals, Pantex Plant, February 20, 2018.
    [10] Title 10, Code of Federal Regulations, Part 830, Nuclear
Safety Management, January 1, 2011.
    [11] Department of Energy, Hazard Analysis Reports for Nuclear
Explosive Operations, DOE-NA-STD-3016-2016, Washington, DC, 2016.
    [12] NNSA Production Office, Justification for Continued
Operations for W88 Uncased HE Operations, PX-JCO-17-09, Pantex
Plant, May 2017.
    [13] Consolidated Nuclear Security, LLC, Problem Identification
and Evaluation Processing Form, Review ID 20392, Pantex Plant,
January 16, 2018.
    [14] Consolidated Nuclear Security, LLC, Falling Man Awareness
Training, PX-3864, Pantex Plant, 2014.
    [15] Defense Nuclear Facilities Safety Board, Letter from Peter
S. Winokur to Frank G. Klotz, Washington, DC, June 2, 2014.
    [16] NNSA Nuclear Explosive Safety Study Group, Nuclear
Explosive Safety Master Study of the Approved Equipment Program at
the Pantex Plant Volume II--Special Tooling, Pantex Plant, May 31,
2013.
    [17] Department of Energy, Specific Administrative Controls,
DOE-STD-1186-2016, Washington, DC, December 2016.
    [18] Department of Energy, Preparation of Nonreactor Nuclear
Facility Documented Safety Analysis, DOE-STD-3009-2014, Washington,
DC, 2014.
    [19] Defense Nuclear Facilities Safety Board, Pantex Plant
Activity Report for Week Ending April 20, 2018, Pantex Plant, April
2018.
    [20] Department of Energy, Implementation Guide for Use In
Addressing Unreviewed Safety Question Requirements, DOE-G-424.1-1B,
Chg. Notice 2, Washington, DC, 2013.
    [21] Consolidated Nuclear Security, LLC, Pantex Plant Unreviewed
Safety Questions Procedure, CD-3014, Pantex Plant, July 2017.
    [22] Consolidated Nuclear Security, LLC, DNFSB Member Visit to
Pantex--Joyce Connery, Pantex Plant, February 2018.
    [23] Memorandum from K.A. Hoar to J. Papp, NNSA Production
Office Expectations for Pantex Documented Safety Analysis (DSA)
Annual Updates, Pantex Plant, December 22, 2016.
Findings, Supporting Data, and Analysis
Appendix 2
Nuclear Safety Management at the Pantex Plant \14\
---------------------------------------------------------------------------
    \14\ Report published on July 13, 2018, and subsequently
modified to incorporate issuance of the JCO, Justification for
Continued Operations for Legacy Issues Associated with Documented
Safety Analyses at Pantex, dated June 29, 2018. Report does not
reflect retraction of the JCO and issuance of the Safety Basis
Supplement, Safety Basis Supplement for Legacy Issues Associated
with Documented Safety Analyses at Pantex, dated September 18, 2018.
---------------------------------------------------------------------------
    The Defense Nuclear Facilities Safety Board (Board) conducted a
safety investigation (preliminary safety inquiry) [1] of the
implementation of Title 10, Code of Federal Regulations, Part 830 (10
CFR 830), Nuclear Safety Management, for nuclear explosive operations
at the Pantex Plant located near Amarillo, Texas [2]. Overall, the
inquiry team found that (1) portions of Pantex safety bases are
deficient; (2) multiple components of the safety basis process are
deficient; and (3) the National Nuclear Security Administration (NNSA)
Production Office (NPO) and the contractor, Consolidated Nuclear
Security, LLC (CNS), have been unable to resolve known safety basis
deficiencies.
    Pantex Safety Basis Requirements. Table 2 of 10 CFR 830, Subpart B,
Safety Basis Requirements, prescribes the methodologies and
requirements for preparation of safety analysis reports
(SAR) and hazard analysis reports (HAR) for nuclear explosive
facilities and operations. SARs are required for the facilities
associated with nuclear explosive operations. These SARs include the
Sitewide SAR, Bays and Cells SAR, and various special purpose nuclear
facility SARs. An approved method of meeting the requirements of 10 CFR
830 for SARs is described in Department of Energy (DOE) Standard 3009,
Preparation Guide for U.S. Department of Energy Nonreactor Nuclear
Facility Safety Analysis Reports [3]. HARs are required for specific
nuclear explosive operations. Hazard analysis teams prepare HARs using
weapon response inputs from the associated weapon design agencies. An
approved method of meeting the requirements of 10 CFR 830 for HARs is
described in DOE Standard 3016, Hazard Analysis Reports for Nuclear
Explosive Operations [4].
    Review Scope. The staff team reviewed the following areas in
assessing compliance with 10 CFR 830:
     Controls to Prevent/Mitigate Unscreened Weapon Hazard
Scenarios. The staff team selected two HARs (i.e., W76 and W78) for
review [5, 6]. It evaluated the hazard analyses in the HARs for events
that result in inadvertent nuclear detonation (IND) and/or high
explosive violent reaction (HEVR). For each event that was not screened
as physically incredible by the weapon design agency, the staff team
evaluated the adequacy of the safety control set to prevent or mitigate
the event. Identification of hazard controls to ensure adequate
protection is required by 10 CFR Sec.  830.204.
     Implementation of USQ Process. An unreviewed safety
question (USQ) process is required by 10 CFR Sec.  830.203 to ensure
that operations are conducted within the DOE-approved safety basis. The
staff team evaluated the USQ process implemented at Pantex. It reviewed
USQ procedures, specific deficiencies identified in a potential
inadequacy of the safety analysis (PISA), and justifications for
continued operations (JCO).
     Safety Basis Maintenance. SARs and HARs are required to be
updated and maintained in accordance with 10 CFR Sec.  830.202. These
requirements obligate the contractor annually to submit updates or a
letter stating no changes have been made since the last submittal. The
staff team reviewed safety basis maintenance to include annual updates
and improvement plans.
    The staff team reviewed the pertinent documents, prepared agendas,
and held onsite discussions with representatives from NPO and CNS. It
conducted the onsite visits during the weeks of May 28 and June 11,
2018. The onsite visits included observing nuclear explosive operations
involving the W76 and W78 programs.
    Conclusions. The staff team found that (1) portions of Pantex
safety bases are deficient; (2) multiple components of the safety basis
process are deficient; and (3) NPO and CNS have been unable to resolve
known safety basis deficiencies. The conclusions are summarized below
with the detailed evidence to follow:
     Portions of the safety bases are deficient in meeting 10
CFR Sec.  830.204(b). There are high consequence hazards that (1) are
not adequately controlled; (2) may have controls, but the controls are
not clearly linked to the hazards; or (3) have controls that are not
sufficiently robust or that lack sufficient pedigree to reliably
prevent or mitigate the event. This conclusion is supported by
observations 1 through 6 below.
     Multiple components of the safety basis process are
deficient. (1) Contrary to 10 CFR Sec.  830.202(c), CNS has failed to
update annually the HARs and SARs. (2) Contrary to 10 CFR Sec.
830.203(g), Pantex USQ procedures allow three days to correct
discrepant-as-found conditions or implementation/execution errors
without stopping operations, notifying DOE, or issuing a PISA. (3)
Contrary to DOE G 424.1-1B, NPO and CNS revise existing JCOs instead of
issuing new ones, thereby extending the expiration date and reliance on
the compensatory measures beyond a year. (4) Contrary to DOE Guide
423.1-1B, CNS does not re-assess procedural controls via implementation
verification reviews (IVR) every three years. This conclusion is
supported by observations 7 through 10 below.
     NPO and CNS have been unable to resolve known safety basis
deficiencies. (1) NPO and CNS have been unable to resolve several
legacy conditions of approval (COA). (2) CNS has a Documented Safety
Analysis Improvement Plan (DSAIP) that lacks sufficient information and
resource loading required for the process to be successful, and is
behind schedule. (3) Despite the fact that issues related to falling
technician accident scenarios were identified in 2010, there is no
timeline for improvements to be incorporated into the safety basis.
This conclusion is supported by observation 11 below.
    The staff team noted 11 observations over the course of its review
that support these conclusions:
    1. Missing Specific Administrative Control (SAC) for Operators
Applying Brakes on Testers--The W76 HAR identifies multiple events with
credible IND and HEVR consequences that require safety class controls
but are prevented by an initial condition. The initial condition is a
safety management program (SMP) (i.e., Electrical Equipment Program for
Testers). The SMP ensures that the design of electrical testers (e.g.,
PT3746 Preset Tester) precludes mechanical and electrical insults to
the weapon. The initial condition in the HAR references Section 18.2.3
of the Sitewide SAR. The Sitewide SAR, page 18-16, states that testers
are ``[d]esigned to withstand the forces of a 95th percentile person
falling into the tester without the tester tipping or moving the
target'' [7]. However, this analysis relies on the operator engaging a
wheel locking device. Therefore, the design requirements contained in
the SMP are insufficient as the lone control for this event. The
operator action of engaging the wheel locking device is not protected
by a SAC and is not marked as a critical step in the procedures.
Additionally, the tester is not credited as a safety class design
feature in the hazard analysis tables. The review team concludes the
safety control set for these events does not meet DOE requirements. CNS
generated a problem identification and evaluation (PIE) form
(PIE-18-537) and issued a PISA following the onsite discussions. The PISA was
followed by a positive USQ determination.
    2. Analysis Supporting Adequacy of Safety Class Carts not
Bounding--The W78 HAR includes events involving toppling of a
preparation cart while carrying various items. The weight of the cart
and items on top of it are assumed to impact a weapon configuration.
This event results in the need for safety class controls since IND and
HEVR are not screened by the design agency. The preventive control for
this event is the design of the preparation cart. The HAR, Section
4.3.1.1.2, credits the preparation cart with the functional requirement
to ``. . . withstand the forces imparted by a 95th percentile
Production Technician as well as the forces due to a PC-3 [performance
category-3] seismic event without toppling into the unit.'' However,
the assumed weight of the items on the cart in the HAR event exceeds
the assumed weight in the supporting engineering analysis [8].
Therefore, the engineering analysis does not adequately demonstrate
that the preparation cart is capable of fulfilling its safety
functional requirements. CNS generated a PIE form (PIE-18-539) and
issued a PISA following the staff team's onsite discussions. CNS
followed the PISA with a positive USQ determination.
    3. Missing Safety Class Controls for Impact and Electrostatic
Discharge (ESD) Events--The W76 HAR identifies rolling impact and ESD
events involving a weapon configuration that represents a general bin
of 16 separate configurations. The rolling impact is caused by
production technicians pushing ``freestanding equipment'' into the 16
different weapon configurations. Freestanding equipment is defined as
equipment or tooling not attached to the facility and not hand carried.
The rolling impact events require safety class controls since the
design agency did not screen them for IND and HEVR. The ESD events are
postulated from production technicians being in contact with
freestanding equipment or the wrist strap checker. The documented
safety analysis currently requires safety significant controls for
these ESD events. The preventive control for the rolling impact and ESD
events is a SAC (i.e., W76 Operations--Control of Equipment and
Tooling). Among other requirements, this SAC prohibits freestanding
equipment not required by the W76 process from being placed within 6.5
feet of any W76 configuration installed in the assembly stand,
insertion cart, or assembly carts. Designating this SAC for these
events as a preventive control results in several errors:
     The SAC does not include all freestanding equipment that
could cause a rolling impact or ESD event (e.g., a tool box) to the
weapon configurations. Therefore, this freestanding equipment excluded
from the SAC represents an uncontrolled hazard.
     The ESD event involving a wrist strap checker credits the
SAC as a preventive control, but the SAC does not include the wrist
strap checker in the list of included equipment. Therefore, the wrist
strap checker needs to be added to the SAC. The Nuclear Explosive
Operating Procedures (NEOPs) and other technical procedures do include
a safety requirement for production technicians to not bring the wrist
strap checker near the weapon. However, this requirement does not flow
down from this SAC.
     The SAC states that the 6.5-foot exclusion zone applies to
W76 configurations installed in the assembly stand, insertion cart, or
assembly carts. Although the majority of the 16 weapon configurations
are processed in an assembly cart, the components that make up these
configurations are processed on a bench or table. The SAC does not
apply to operations on a bench or table.
     Some tools included in the list of freestanding equipment
do not have wheels. Therefore, it is inappropriate to include these
pieces of equipment in rolling impact events.
    CNS generated a PIE form (PIE-18-536) and issued a PISA following
the onsite discussions. The PIE form states: ``A PISA was declared on
5/31/18, which resulted in pausing W76-0/1 Mechanical Assembly and
Disassembly bay operations until operational restrictions were
implemented.'' CNS followed the PISA with a positive USQ determination.
    4. Non-Credited Administrative Controls/Training Used in Place of
Safety Class Controls for ESD Hazards--The W76 HAR identifies multiple
events with credible IND and HEVR consequences that are dispositioned
by a ``Category 2 Equipment Evaluation.'' These events require safety
class controls since the design agency did not screen them for IND and
HEVR. The hazard analysis tables contain a note that refers to
equipment evaluations for the Overhoff monitor/hose and wrist strap
checkers (i.e., EEE-06-0030 and EEE-06-0037, respectively) [9, 10]:
     EEE-06-0030 provides ``General Requirements'' that
prescribe keeping the Overhoff more than 6.5 feet away from a nuclear
explosive during ``Radiation Safety Usage.'' During ``Manufacturing
Usage'' the Overhoff may make contact with a nuclear explosive using a
short hose, which has a credited insulator. CNS personnel explained
that during ``Manufacturing Usage'' the production technicians hold the
Overhoff in one hand while guiding the hose to the nuclear explosive
with the other hand (within 1/4 inch of the nuclear explosive). The
NEOPs do not include safety requirements, critical steps, warnings,
cautions, or general notes that alert the production technicians to
potential hazards associated with dropping the Overhoff onto the
nuclear explosive. CNS personnel stated in onsite discussions that
hazards involving the Overhoff are not credible due to its intended use
and production technicians' ``normal behavior'' via training; thus no
control is identified for this hazard.
     EEE-06-0037 prescribes a 6.5-foot standoff distance for
the wrist strap checker from all explosives and nuclear explosives and
references P7-2003, Weapon Assembly/Disassembly Operations Requirements
(U) [11], as the implementing procedure. P7-2003 is a general use level
procedure that implements the standoff distance requirement for the
wrist strap checker via a boxed note. The staff team also reviewed the
NEOPs that are critical-use-level procedures (higher level than general
use). The staff team found that the NEOPs include a safety requirement
to not carry the wrist strap checker to the unit. The production
technicians are required to be familiar with the NEOP safety
requirements, but they are not required to read them prior to
performing NEOP steps. The NEOPs also do not specify a specific
standoff distance (i.e., 6.5 feet). The wrist strap checker is secured
to the wall in a bracket but may need to be removed for calibration.
CNS personnel stated that production technicians and calibration
technicians are trained to not bring the wrist strap checker within 6.5
feet of a nuclear explosive, referencing TABLE-0068, Safety Checklist,
which contains additional requirements for maintaining a 6.5-foot
standoff distance to a nuclear explosive [12]. TABLE-0068, however, is
not part of the technical safety requirements (TSR) for nuclear
explosive operations.
    The staff team finds that Pantex personnel ultimately rely on non-
credited administrative controls and production technician training to
implement safety class functional requirements for HAR events involving
the Overhoff monitor/hose and wrist strap checkers. There are no
credited safety class controls for these events. The review team
concludes that this situation does not meet DOE requirements for
identification of safety class controls for high consequence events,
and as such represents a PISA. CNS has not declared a PISA regarding
its controls for these hazards.
    5. Missing Safety Class Controls for Production Technician Tripping
Hazards--The W78 HAR identifies multiple events involving a production
technician who trips and impacts the unit in various configurations.
This event results in the need for safety class controls since IND and
HEVR are not screened by the design agency. The hazard analysis tables
do not identify controls specific to these events. Instead, the hazard
analysis tables refer to Section 3.4.2.4 of the HAR, dedicated to
evaluating impact hazards. Section 3.4.2.4 lists the identified
controls for this hazard. After reviewing the list of controls, the
most applicable control is a SAC (i.e., W78 Process--Tripping Hazards),
designated in the HAR to perform functions equivalent to a safety-
significant control. This SAC requires production technicians to check
for tripping hazards once per shift.
    The staff team traced the SAC requirement to NEOPs. The NEOPs do
contain critical steps in their setups that
require signature for ensuring tripping hazards have been removed.
However, if this SAC is implemented to prevent the event (i.e.,
production technician trip), it would be an inadequate safety class
preventive measure because it does not prevent the tripping hazards
from accumulating during operations. As a result, the review team
concludes that the events involving a production technician trip are
uncontrolled. During onsite discussions, Pantex personnel agreed that
they do not have adequate controls in place for tripping events
identified in the HAR. However, CNS personnel stated that this is a
known deficiency and CNS is developing a JCO.\15\ Per 10 CFR Sec.
830.203(g), CNS is required to enter the PISA process and implement
operational restrictions prior to issuing a JCO. The review team
concludes that this situation does not meet DOE requirements and as
such represents a PISA. CNS has not declared a PISA regarding its
controls for these hazards.
---------------------------------------------------------------------------
    \15\ CNS issued the JCO titled, Justification for Continued
Operations for Legacy Issues Associated with Documented Safety
Analyses at Pantex, on June 29, 2018.
---------------------------------------------------------------------------
    6. Drop Hazards--The W78 HAR identifies several drop events
involving a shielded apron or various pieces of equipment, tooling, or
materials impacting weapon configurations from a height of two or four
feet. These events result in the need for safety class controls since
the design agency did not screen them for high order consequences. A
SAC (i.e., W78 Process--Hand Lifts) is one of the credited controls to
prevent this event. The SAC flows down to safety requirements at the
beginning of the NEOPs. The SAC justifies reliance on production
technician training by stating:
    With the training to the technicians on not lifting hand tools,
tooling, and materials over the unit unless required for the process
and to only lift the object as high as required for the operation,
both the frequency of a drop that would impact the units [is]
reduced, and the possible impact energy is reduced if a drop were to
occur. . . . Based on the height of the unit being worked on, there
would be no reason to lift the hand tooling 2 feet over the unit and
it would be an unnatural act to do so. It is not considered credible
that the tooling would be lifted more than 2 feet over the unit and
dropped.
    Similarly, although not explicitly stated in the SAC, the NEOPs
also cite a specific safety requirement for the shielded aprons to be
relocated to staging cubicles or corridors out of direct line of sight
of the cells when not in use. However, contrary to MNL-293084, Pantex
Writer's Manual for Technical Procedures, the NEOPs do not provide
critical steps or warnings when handling the specific equipment or
materials, that when dropped, could initiate a high order consequence
[13]. The staff team discussed the shielded apron and six different
individual pieces of equipment considered in the HAR during the site
visit. CNS stated that production technicians are sufficiently trained
to not lift items more than 2 feet over the weapon. Given the high
consequences, the SAC would be strengthened by adding additional
specificity (e.g., do not lift equipment higher than a set height above
the weapon). In addition, consistent with MNL-293084, the NEOPs
should include critical steps or warnings when handling specific
equipment or materials that could initiate a high order consequence if
dropped.
    7. Process for Discrepant As-Found Conditions--The site USQ
procedure, approved by NPO, does not comply with the requirements of 10
CFR 830 or recommendations of DOE Guide 424.1-1B, Implementation Guide
for Use in Addressing Unreviewed Safety Question Requirements [14].\16\
In situations when a ``discrepant as-found condition'' is observed for
a TSR-related control, the procedure allows returning the system to the
original condition as described in the documented safety analysis (DSA)
within three days without having to declare a PISA, formally notifying
DOE, performing an extent of condition review, or implementing any
compensatory measures.
---------------------------------------------------------------------------
    \16\ CNS has prepared, and NNSA has approved, a USQ procedure
for the Y-12 National Security Complex that contains the same
deficiency and inconsistency with the requirements of 10 CFR 830.
---------------------------------------------------------------------------
    10 CFR Sec. 830.203, Unreviewed Safety Question Process, requires
the contractors to ``establish, implement, and take action consistent
with a USQ process that meets the requirements of this section.''
Paragraph (g) of this section states: ``If a contractor responsible for
a hazard category 1, 2, or 3 DOE nuclear facility discovers or is made
aware of a potential inadequacy of the documented safety analysis, it
must:
    1. Take action, as appropriate, to place or maintain the facility
in a safe condition until an evaluation of the safety of the situation
is completed;
    2. Notify DOE of the situation;
    3. Perform a USQ determination and notify DOE promptly of the
results; and
    4. Submit the evaluation of the safety of the situation to DOE
prior to removing any operational restrictions. . . . ''
    CNS has prepared a USQ procedure, CD-3014, Pantex Plant Unreviewed
Safety Question Procedure [15], approved by NPO, that does not comply
with the requirements of 10 CFR 830. More specifically, Procedure
CD-3014 allows the following:
    If the discrepant as-found condition can be restored to be
within the DSA in a matter of hours, not to exceed three business
days, a PISA does not exist [emphasis added]. This is limited to
conditions where 1) an SSC [structure, system, or component] does
not conform to the documented design description and specifications,
or 2) implementation/execution errors, for which any immediate
actions taken would be to return the facility to conditions
described in the DSA. When the determination is made that the
discrepant as-found condition can be fixed in three business days or
less, the affected operations are restricted until actions are
completed to restore compliance.
    This contractor procedure and its NPO approval do not comply with
the four fundamental elements of the USQ process as established by 10
CFR 830:
     The Pantex procedure restricts operations whereas 10 CFR
830 requires the contractor to place or maintain the facility in a safe
condition.
     The Pantex procedure does not require DOE to be notified
of the discrepancy and actions taken. As a result, CNS may operate the
facility up to three days outside the DOE approved safety basis without
DOE's formal knowledge of the situation.
     The Pantex procedure states that a PISA does not exist
when a discrepant as-found condition can be resolved within three
business days, whereas following 10 CFR 830 would result in a PISA
followed by a USQ determination.
     The Pantex procedure does not require an evaluation of the
safety of the situation for submittal to DOE prior to removing the
self-established operational restrictions, whereas 10 CFR 830 requires DOE's
acknowledgement of the safety of the situation prior to the contractor
removal of the operational restrictions.
    During the discussions at the site, CNS and NPO personnel referred
to an approval memorandum received from the NNSA Chief of Defense
Nuclear Safety (CDNS) for application of the three-day grace period for
not issuing a PISA. The CDNS memorandum [16], however, refers to
conditions that involve defense in depth or other non-safety SSCs
because those SSCs ``wouldn't have LCOs [limiting condition for
operations] associated with them but will normally wear out, or may be
non-conforming for some other reason.'' While the CDNS's concurrence
with a situation that involves non-safety related controls may be
justified, its extension by Pantex to
safety-related and TSR controls is not permitted by DOE requirements of
10 CFR 830.
    Additionally, Appendix C to CNS's USQ procedure, CD-3014, describes
the PIE process that is a precursor to identification and declaration
of a PISA. As part of the PIE process an inquiry is made [17]: ``Does
the situation indicate a directive action Specific Administrative
Control (SAC) may not provide the safety function assigned to it within
the DSA?'' If the answer is ``yes,'' a PISA is declared. The staff
review team concludes that, consistent with DOE requirements, SACs
perform a safety class or safety-significant function and are part of
the TSRs of the facility. SACs should not be subject to the USQ or PISA
process; however, the analysis that led to the derivation of the SAC
may be subject to the USQ/PISA process if the analysis is found to be
incorrect. Any change to a SAC in order to perform its intended safety
function should be considered a TSR change, and DOE must approve it. 10
CFR 830.205, Technical Safety Requirements, mandates contractors to
``(2) Prior to use, obtain DOE approval of technical safety
requirements and any change to technical safety requirements; and (3)
Notify DOE of any violation of a technical safety requirement.'' This
section of 10 CFR 830 is stand-alone and specific to the TSRs; it
stands apart from the USQ process (i.e., Section 203 of 10 CFR 830). As
such, the staff team concludes that 10 CFR 830 requires a TSR violation
to be directly reportable to DOE, and outside the USQ process.
    An example of mishandling safety-related controls by using the USQ
procedure CD-3014 occurred when a piece of safety-related electrical
equipment failed testing in accordance with the in service inspection
(ISI) requirement of the TSR for its commercial grade dedication. CNS
issued a PISA on March 10, 2017, followed by a USQ determination [18],
which CNS determined was negative and did not submit for DOE approval.
The USQ determination stated that the piece of equipment credited was
``redundant'' and that CNS at a later date would provide DOE ``a change
to Chapter 4 of the Sitewide SAR to delete [this piece], add [another
piece of equipment] as a reference, and delete the ISI to inspect from
the TSRs. . . . ''
    DOE Guide 424.1-1B identifies that a failure of a safety-related
control, identified in Chapter 4 of the DSA and part of the TSRs, would
be reportable to DOE upon verification under a positive USQ
determination. Revision of the associated TSR for the failed equipment
and replacement by the new piece are required to be completed and
approved by DOE before lifting operational restrictions, and not at
some later date when the DSA or the Sitewide SAR is revised. The staff
review team notes that CNS has not successfully revised the Pantex
Sitewide SAR via an annual update since 2014, and DOE has not approved
the changes CNS has proposed in the last three years (including the
change described above). Consequently, discrepancies exist between the
approved Sitewide SAR and its associated set of controls (i.e., the
failed equipment) and the contractor's set of controls relied on to
support ongoing operations (i.e., the redundant equipment).
    8. Long Term JCOs--Some JCOs last for several years without
updating the relevant safety basis document, relying on compensatory
measures without implementing rigorous controls (i.e., engineered
design features). Section 7 of CD-3014 states that ``[t]he purpose of a
JCO is to make a temporary (i.e., less than one year) change to the
facility safety basis that would allow the facility to continue
operating. . . . '' This statement, however, is not codified to lead to
closure of the JCOs within a certain period of time (i.e., less than
one year) or incorporate the open JCOs into the next annual update of
the safety basis documents, as required by DOE.
    Per 10 CFR 830.202, Safety Basis, the contractors are required to
``(1) [u]pdate the safety basis to keep it current, and to reflect
changes to the facility, the work and the hazards as they are analyzed
in the documented safety analysis. (2) Annually submit to DOE either
the updated documented safety analysis for approval or a letter stating
that there has been no change in the documented safety analysis since
the prior submission.''
    These requirements of 10 CFR 830 serve two purposes: (1)
Consolidate all positive USQs and JCOs prepared during the year into
one safety basis document for DOE approval and (2) ensure that
compensatory measures, and thus less reliable controls, implemented for
temporary changes resulting from the JCOs do not become the permanent
control for hazards.
    CNS applies the JCO process to temporary changes as reflected in
CD-3014, and to allow deviations from approved safety basis documents.
The latter application has resulted in JCOs extending over several
years for multiple Pantex operations without CNS integrating them into
the annual update of the safety bases. Consequently, CNS has relied
heavily on compensatory measures for long periods of time while the
JCOs are in effect [19-21].
    9. Maintenance of the DSA--CNS has struggled to complete and obtain
NPO approval of the yearly updates required by 10 CFR 830.202. Starting
in 2015, NPO has not approved the annual updates CNS has submitted for
the Sitewide SAR. In 2016, CNS was unable to meet the annual DSA update
requirements for the Sitewide and Transportation SARs and the W76 and
W78 HARs. As NPO rejected CNS's submittals, a backlog developed. This
process culminated in three rejected submittals and five approvals
total in 2017. Overall, this resulted in 11 of 16 SARs and HARs not
being approved for annual updates in 2017. In particular, the Sitewide
SAR has not been successfully updated and approved via the annual
update process since 2014.
    In lieu of completing the 2017 annual updates, CNS submitted, and
NPO approved, a schedule to ``rework'' three previously submitted
annual updates and catch up on the remainder with calendar year 2018
annual updates. If CNS successfully executes its plan to submit and
obtain NPO approval of a full slate of 2018 annual updates, it will be
back on course to meeting the DSA maintenance requirements.
    10. Safety Basis Assessments--CNS has processes and procedures for
performing management assessments and IVRs. The review team found
sufficient evidence that management assessments of safety controls are
being performed on a five-year schedule (i.e., 20 percent per year).
While a few assessments have been missed, the review team's analysis
indicates that CNS is generally holding to that schedule.
    However, CNS performs IVRs when there is a new TSR or a change to
an existing TSR. DOE Guide 423.1-1B, Implementation Guide for Use in
Developing Technical Safety Requirements, specifies that IVRs should be
conducted every three years for controls susceptible to the degradation
of human knowledge (e.g., procedural controls) [22]. Therefore, CNS is
not meeting the three-year guidance for re-verification of SACs.
Furthermore, the review team's evaluation of the management assessments
for SACs for the W76 and W78 indicated that these assessments rarely
identify any strengths, weaknesses, findings, or observations. The
Pantex DSAIP includes an effectiveness review for the management
assessments, but CNS does not have a path forward to improve management
assessments.
    11. Action on Known Deficiencies--CNS currently is implementing a
DSAIP to address several longstanding issues
with the Pantex safety bases [23]. The DSAIP has existed since 2013 and
is currently in its fifth revision. CNS personnel informed the staff
review team that there has been steady progress on a number of items
contained in the fifth revision of the DSAIP. Of the three items
scheduled for completion in calendar year 2017, CNS completed two.
Seventeen items are scheduled for completion in 2018.
    In addition, the DSAIP lacks detail. The plan is only a list of
titles of activities with a targeted year for completion. It does not
provide any detail of the scope and objectives for each task, the
criteria that should be met for satisfactory execution, or the
resources required for completion. While CNS representatives informed
the staff review team that they understand the items listed and the
tasks involved, the DSAIP does not include detail sufficient to allow
verification of the accomplishments. Consequently, the staff team
cannot independently verify that the plan is comprehensive, achievable,
and on-track to meet the schedule for 2018 and beyond.
    Over several iterations of the DSAIP, CNS has committed to working
down a set of ``legacy'' COAs that existed prior to the creation of
NPO. Originally, there were 40 COAs in this category, and 5 currently
remain open. The current iteration of the DSAIP includes a task in
fiscal year 2018 to develop metrics for tracking progress in resolving
the remaining five COAs. Actual closure dates for the five remaining
COAs currently are not identified in the schedule.
Appendix 2--References
1. DNFSB, Board Notational Vote #Doc#2018-300-098, RFBA by Board
Member Roberson to Publicly Release Documents Associated with the
Pantex Inquiry, September 2018.
2. Code of Federal Regulations, Title 10, Part 830, Nuclear Safety
Management, January 10, 2001.
3. Department of Energy, Preparation Guide for U.S. Department of
Energy Nonreactor Nuclear Facility Documented Safety Analyses,
Change Notice 3, DOE Standard 3009-94, March 2006.
4. Department of Energy, Hazard Analysis Reports for Nuclear
Explosive Operations, DOE Standard 3016, September 2016.
5. Consolidated Nuclear Security, LLC, (U) W76-0/1 SS-21 Assembly,
Disassembly & Inspection, and Disassembly for Life Extension Program
Operations Hazard Analysis Report, Revision 71, RPT-HAR-255023,
November 2017.
6. Consolidated Nuclear Security, LLC, (U) W78 Step II Disassembly &
Inspection and Repair Hazard Analysis Report, Revision 63, AB-HAR-
319393, September 2017.
7. Consolidated Nuclear Security, LLC, (U) Sitewide Safety Analysis
Report (SAR), Revision 288, AB-SAR-314353, January 2018.
8. Pantex Plant, (U) Preparation Cart, Revision 3, Engineering
Analysis 000-2-0836-ANL-03, June 2007.
9. Pantex Plant, (U) System Engineering Category 2 Electrical
Equipment Evaluations, EEE-06-0030, Issue No. 010, March 2014.
10. Pantex Plant, (U) Category 2 Electrical Equipment Evaluation,
EEE-06-0037, Issue No. 010, October 2013.
11. Pantex Plant, (U) Weapon Assembly/Disassembly Operations
Requirements, Issue P7-2003, AT, March 2013.
12. Pantex Plant, Safety Checklist, TABLE-0068, Issue No. 033.
13. Consolidated Nuclear Security, LLC, Pantex Writer's Manual for
Technical Procedures, MNL-293084, Issue No. 12.
14. Department of Energy, Implementation Guide for Use in Addressing
Unreviewed Safety Question Requirements, Change Notice 1, DOE Guide
424.1-1B, April 12, 2013.
15. Consolidated Nuclear Security, LLC, Pantex Plant Unreviewed
Safety Question Procedure, CD-3014, Issue No. 18.
16. Don Nichols (NNSA Chief of Defense Nuclear Safety) to James Goss
(NNSA Y-12 Site Office), memorandum dated February 2, 2010.
17. Consolidated Nuclear Security, LLC, Problem Identification and
Evaluation Processing Form, PX-4633, Issue No. 14.
18. Consolidated Nuclear Security, LLC, Commercial Grade Dedication
Testing of Delta Arresters, PIE-18750, USQD-17-3434-A, February 24,
2017.
19. Consolidated Nuclear Security, LLC, Justification for Continued
Operation for W80 ESD, PX-JCO-14-04, Revision 5, February 27, 2017.
20. Consolidated Nuclear Security, LLC, Justification for Continued
Operation for B61 ESD, PX-JCO-14-05, Revision 5, October 4, 2016.
21. Consolidated Nuclear Security, LLC, Justification for Continued
Operation for W88 Uncased HE Operations, PX-JCO-17-09, Revision 2,
January 11, 2018.
22. Department of Energy, Implementation Guide for Use in Developing
Technical Safety Requirements, DOE Guide 423.1-1B, March 18, 2015.
23. Consolidated Nuclear Security, LLC, The Documented Safety
Analysis Improvement Plan, Revision 5, SB-MIS-941949, September 21,
2017.
Enclosure 1
Board Letter to the Secretary of Energy Dated October 17, 2018, Titled
``Pantex Plant Special Tooling Program Review''
The Honorable James Richard Perry
Secretary of Energy
U.S. Department of Energy
1000 Independence Avenue, SW
Washington, DC 20585-1000
Dear Secretary Perry:
    In September 2017, the Defense Nuclear Facilities Safety Board
reviewed the special tooling program at the Pantex Plant. We identified
five deficiencies within the special tooling program: (1) application
of the Special Tooling Design Manual, (2) weld quality and application
of non-destructive evaluation techniques, (3) pedigree of preventive
maintenance and in-service inspection programs, (4) performance
criteria within safety basis documentation, and (5) special tooling
loading conditions. These deficiencies continue to exist within the
special tooling program. Further information on each is provided in the
enclosure.
Yours truly,
Bruce Hamilton
Acting Chairman
Enclosure
    c: Mr. Joe Olencz
Enclosure
Pantex Plant Special Tooling Program Review
    This report details the deficiencies that the Defense Nuclear
Facilities Safety Board's (Board) staff review team found within the
special tooling program. Deficiencies exist in the application of the
Pantex Plant (Pantex) Special Tooling Design Manual [1], assurance of
weld quality and application of non-destructive evaluation (NDE)
techniques, pedigree of preventive maintenance and in-service
inspection (ISI) programs, utilization of performance criteria within
safety basis documentation, and special tooling loading conditions.
Based on these deficiencies, the National Nuclear Security
Administration (NNSA) Production Office (NPO) and Consolidated Nuclear
Security, LLC (CNS), have not demonstrated that the currently
implemented process for design, fabrication, production usage, and
maintenance of special tooling at Pantex assures that all special
tooling can meet its required safety-related functions.
    Background. Pantex utilizes special tooling to support and
manipulate nuclear explosive components during operations at the plant.
Special tooling functions as a passive design feature managed through
the special tooling program, and is credited within the Pantex safety
basis to meet minimum factors of safety. Adherence to these design
criteria assures special tooling does not fail during normal and
abnormal loading conditions. Failure of special tooling to meet its
credited safety functions could lead to impacts to sensitive components
of the nuclear explosive (e.g., dropping of unit or
equipment impacts onto the unit), potentially resulting in high order
consequence events. The requirements for the special tooling program
are identified in the NPO-approved Pantex Sitewide Safety Analysis
Report [2], and specifics are flowed down into the contractor-
established Special Tooling Design Manual, the General Requirements for
Tooling Fabrication & Inspection [3], and the Special Tooling
Operations [4] manual.
    During the onsite review and follow-up teleconference, the staff
review team evaluated various aspects of the Pantex special tooling
program, including safety basis integration; flow down of functional
requirements; technical support documentation and analyses; preventive
maintenance and ISI of special tooling; quality assurance requirements
and processes; and corrective actions resulting from nuclear explosive
safety (NES) evaluations, the CNS Special Tooling Top-Down Review [5],
and the 2015 NPO Special Tooling Assessment [6].
    The staff review team evaluated the special tooling program and its
ability to ensure that credited pieces of special tooling are
adequately designed, fabricated, and inspected, ensuring their ability
to perform safety significant and/or safety class functions. During
this review, the staff review team evaluated more than 75 special
tooling designs, including a vertical slice of special tooling for the
B61 program and a horizontal slice of common special tooling designs
across weapon programs (e.g., vacuum lifting fixtures, lifting and
rotating fixtures, and workstands). Evaluation of the B61 special
tooling allowed the staff review team to examine some of the oldest and
newest tooling designs that are currently authorized for use. The staff
review team noted deficiencies, opportunities for improvement, and
noteworthy practices, which will be described in further detail in the
remainder of this report.
    Content and Application of Special Tooling Design Manual. No
consensus or industry standards currently govern the design,
fabrication, inspection, and maintenance of special tooling, including
factors of safety, weld inspections, and quality assurance practices.
Because there are no standards specifically applicable to these aspects
of special tooling, the guidance and requirements provided in the
Special Tooling Design Manual frequently do not have documented or
cited bases.
    Deviations from Manual Guidance--The staff review team identified
multiple instances where Pantex did not meet the requirements and
guidance in the Special Tooling Design Manual. For example, Pantex
currently does not perform NDE for special tooling welds with low
factors of safety, which appears to be in direct conflict with the
Special Tooling Design Manual (see following sections). In addition,
the Special Tooling Design Manual specifies a minimum of 3:1 factor of
safety to yield or 5:1 factor of safety to ultimate strength, as well
as the 1.25:1 factor of safety to yield for rare events (i.e., seismic
or falling man loads). The staff review team noted instances in which
tooling does not meet the minimum factors of safety specified in the
Special Tooling Design Manual:
     Workstand (061-2-0815) pieces 64 and 65 did not meet the
1.25:1 factor of safety at yield for rare events.
     Penetrator case sleeve (061-2-0738) did not meet the 3:1
factor of safety at yield.
     Assembly press (061-2-0841) did not meet the 3:1 factor of
safety at yield.
    Pantex personnel stated that designs that deviate from the Special
Tooling Design Manual only require the same approval process as those
designs adhering to the manual. As the Special Tooling Design Manual
provides the means to satisfy the programmatic requirements set forth
in the Sitewide Safety Analysis Report, the staff review team suggests
elevating deviations for additional review and approval beyond the
typical process.
    Ambiguous Guidance--The Special Tooling Design Manual contains
imprecise guidance and requirements allowing for multiple
interpretations of certain sections. This has the unintended
consequence of allowing deviations when implementing the manual. For
instance, the section on weld inspection requirements recommends NDE
for welds with a factor of safety less than 10:1 [1]. However, the
manual does not clarify whether this is a factor of safety to ultimate
or yield strength, and does not specify whether this stress analysis
must be done for both yield and ultimate strength. The staff review
noted instances in which Pantex personnel did not implement special
tooling NDE because there was no analysis of the factor of safety to
ultimate strength. Similarly, the special tooling engineer has latitude
to evaluate for either 3:1 at yield or 5:1 at ultimate strength for
normal loads at his or her discretion.
    Basis for Rare Events Factors of Safety--The staff review team
identified a concern with the minimum factors of safety for rare
events, as recommended in the Special Tooling Design Manual. The choice
of factors of safety for rare events (1.25:1 at yield strength and
1.5:1 at ultimate strength) does not represent the level of uncertainty
in the tooling construction and abnormal loading parameters. For
instance, welds in special tooling are currently not subject to NDE
beyond visual inspection. The lack of NDE of welds introduces
uncertainty regarding the material properties of special tooling.
Moreover, as discussed in the 2013 Approved Equipment Program Volume II
NES Master Study (AEP Vol. II NESMS) [7], factors of safety from 1.25
to 1.5 are typically used in weight-sensitive applications and are
appropriate only if there is a strong degree of certainty in the
material properties, loads, and resultant stresses. The special tooling
program does not include measures to provide additional assurance for
the performance of tooling with low factors of safety, such as load
testing to failure or higher maintenance frequency.
    The closure package that Pantex submitted for the 2013 AEP Vol. II
NESMS finding ``Factor of Safety for Special Tooling Rare Event
Analysis'' discusses the level of uncertainty present in design and
materials for special tooling. However, the closure package focuses on
several key areas where uncertainty may be present without
comprehensively analyzing all sources of uncertainty and variability in
design, fabrication, and operation of special tooling [8]. For
instance, weld quality, lack of in-house material certification, and
damage (including material fatigue, wear, and handling damage) during
operations may all introduce uncertainty and variability in
performance. Moreover, the closure package provides only a qualitative
assessment of uncertainty in the determination of factors of safety,
and does not present a quantitative uncertainty analysis to demonstrate
that the safety margins for rare event loading are appropriate.
    Special Tooling Design-Ductile Versus Non-Ductile Systems--Due in
part to the perceived low frequency of seismic events and falling man
events--assumed to be analogous to seismic events in the Special
Tooling Design Manual--Pantex employs less conservative factors of
safety for rare event loads. Factors of safety for rare event loading
are developed in the Technical Basis for Safety Factors [9], which
supports the Special Tooling Design Manual and Special Tooling Seismic
Analysis [10]. This technical basis document states that ``criteria for
tooling design packages are equivalent or more conservative'' [9] than
DOE Standard 1020-2002, Natural Phenomena Hazards Design and
Evaluation Criteria for Department of Energy Facilities [11]. Part of
this justification specifically focuses on not crediting the ability to
use energy absorption factors to reduce seismic loads for ductile
structural systems similar to building structures.
    While the justification for rare event load paths states that
ductile systems will use the factor of safety of 1.25:1 to yield, and
non-ductile systems will use a 1.5:1 factor of safety to ultimate
strength, there is no guidance in the Special Tooling Design Manual for
what is classified as ductile behavior or materials to avoid in the
design of ductile systems. The manual also does not incorporate the
principles of capacity-based design or overstrength of critical
elements of a load path that consensus seismic standards use.
Furthermore, the Special Tooling Materials Database [12] employed by
special tooling engineers contains examples of permitted materials with
little or no ductility, such as plastics and high-performance alloys
(where yield and ultimate strength can be within a few percent of each
other). Without guidance for determining when systems can be considered
ductile, special tooling engineers determine independently which safety
factor should be used as an acceptance criterion and which materials
are suitable for tooling subject to rare event loads. This use of
engineering judgement could lead to variability in selected factors of
safety and potentially result in a non-conservative special tooling
design.
    Special Tooling Design-Failure Probability--The ultimate goal of
seismic design methods that meet DOE Standard 1020 is to achieve a
certain probabilistic performance for structures, systems, and
components (SSC). An SSC designed for PC-3 design loads using this
standard has an input ground motion with an annual probability of
exceedance of 4x10^-4 but is designed with enough margin to
have an annual probability of failure of less than 10^-4. In
order to meet this performance, consensus standards such as American
Society of Civil Engineers Standard 43-05, Seismic Design Criteria for
Structures, Systems, and Components in Nuclear Facilities [13],
restrict certain types of materials, designs, or analysis techniques to
ensure adequate ductility and quality. Lower performance SSCs, in turn,
have smaller input forces and higher annual probabilities of failure,
and are permitted to use less rigorous design methods and employ a
wider variety of materials or structural types. The Special Tooling
Design Manual, however, does not incorporate these principles, relying
entirely on its rare event loading factors of safety.
    Neither the Special Tooling Design Manual nor the Special Tooling
Seismic Analysis addresses how the 10^-4 annual probability of
failure expected of PC-3 SSCs is ensured through their selection of
safety factors. DOE Standard 1020 ensures this performance through the
use of consensus standards built around estimates of SSCs' statistical
margin to failure. Because special tooling is a class of custom-made
design features, there is no comparable statistical basis for its
beyond design basis performance of the kind available for the other
SSCs that DOE Standard 1020 was meant to address. Typically for seismic design, the approach to
non-standard designs or structures is to not credit ductility and use
the most conservative design factors to bound the uncertainty in a
structure's beyond design basis performance, or to use overstrength
factors to ensure the controlling failure modes are well-understood,
ductile failures [14].
    During the 2013 AEP Vol. II NESMS, a NES Study Group evaluated
Pantex's special tooling program and noted this issue in a statistical
analysis of performance for special tooling under rare-event loads. As
described in section 3.3.2 of the Master Study report, the NES Study
Group highlighted that probabilistic margin requires understanding not
just the deterministic safety factors of the special tooling, but the
hazard curves that determine the probability of exceedance for various
intensities of ground motion [7]. In order to have sufficient design
margin, the overstrength of special tooling (defined in this case by
its factor of safety) has to be combined with the probability of both
design basis and beyond design basis ground motions, as well as
uncertainties in these two values. The NES Study Group also observed
that factors of safety this low are normally associated with designs
with high degrees of certainty in not just design and fabrication, but
operating environment, rather than abnormal conditions such as a
falling man or seismic event.
    Pantex developed a white paper justifying its rare event loading
approach that was formalized into the submitted closure package for the
2013 AEP Vol. II NESMS finding ``Factor of Safety for Special Tooling
Rare Event Analysis,'' and documented within the Special Tooling Design
Manual [8]. The closure package qualitatively states that the
conservative design practices, low probability of earthquakes, known
material properties and operational environment for tooling, and the
maintenance of special tooling create a conservative framework for use
of these safety factors. In addition, this closure package states that
``loads and resultant stresses are known with a high degree of
certainty'' [8] citing the Special Tooling Seismic Analysis. However,
this document provides only a high-level discussion and does not cite a
probabilistic goal for tooling performance, relying instead on the
tooling program as a whole to provide sufficient performance. The high
degree of certainty in the demands to which tools are evaluated does
not translate to low variability of potential seismic demands. There is
no quantitative basis that the safety factors and other aspects of the
special tooling program provide seismic margins comparable to
equivalent safety SSCs.
    Weld Quality and NDE of Welds. The Special Tooling Design Manual
requires NDE of welds for the fabrication or modification of tooling in
high-stress applications with factors of safety less than 10:1. Pantex
personnel do not implement NDE beyond visual inspections done by a
qualified weld inspector. However, per the Metals Handbook Volume 10,
Failure Analysis and Prevention [15], while visual inspection can
identify visible features such as cracks, weld mismatch, and bead
convexity or concavity, the following subsurface features would not be
identified through visual inspection, but may be identified through
additional NDE: Underbead crack, gas porosity, inclusions (slags,
oxides, or tungsten impurities), incomplete fusion, and inadequate
penetration. These subsurface features can result in a weld with lower
strength or ductility. During the review, the staff review team
identified three concerns:
     Weld Performance--As discussed previously and shown in
Table 1 of Appendix A, the Special Tooling Design Manual specifies a
minimum factor of safety to yield strength of 1.25:1 and a factor of
safety to ultimate strength of 1.5:1 for rare event loadings, such as
seismic and falling man loads. Special tooling engineers do not
consider any reduction of weld performance due to poor weld quality
through either joint efficiency factors (per American Society of
Mechanical Engineers (ASME) Boiler and Pressure Vessel Code Section
VIII [16] and American Petroleum Institute Standard 653 [17]) or more
conservative safety factors (such as phi-factors used for American
Institute of Steel Constructors (AISC) 360-10, Specification for
Structural Steel Buildings [18]). Due to the low minimum factors of
safety allowed by the Special Tooling Design Manual for rare event
scenarios, a reduction in weld
performance may challenge the special tooling's ability to perform its
credited safety function. For example, ASME Boiler and Pressure Vessel
Code Section VIII assumes a joint efficiency factor of 0.7 for a double
welded butt joint without radiography or equivalent NDE. Applying the
0.7 joint efficiency factor to tooling designed to the minimum 1.25:1
factor of safety to yield strength (for rare event loading) results in
a factor of safety of 0.875:1. Thus the tooling would be expected to
yield during rare event loading.
     Plastic Deformation--There are instances where special
tooling is anticipated to deform plastically in the course of meeting
its design function during abnormal events (i.e., a deflection limit
for dynamic load), rather than meeting more conservative factors of
safety specified in the Special Tooling Design Manual. In cases of
plastically deforming structures, higher weld quality and performance
are necessary to ensure the structure performs as expected, as
exemplified by demand-critical welds defined in AISC 341-10, Seismic
Provisions for Structural Steel Buildings [14]. However, Pantex
personnel do not perform NDE of welds subject to plastic deformation,
such as the W76 swing arm (000-2-0831). Upon a dynamic impact, the W76
swing arm is credited to deform no more than a certain distance
vertically, such that the unit underneath will not be impacted. Without
NDE verification of weld integrity, Pantex cannot ensure that such
special tooling will meet its safety critical design function.
     Vendor Quality Issues--Pantex personnel provided the staff
review team with vendor performance reports for past and present
special tooling vendors [19]. The staff review team noted that several
of these reports included instances of receipt refusal of procured
tooling due to weld quality issues. Pantex personnel identified these
quality issues during receipt quality control visual inspections. The
staff review team noted that due to the nature of weld quality issues
(e.g., weld penetration depth, heat-affected areas, pores, cracks,
inclusions), visually identified weld quality issues could indicate the
presence of additional weld quality concerns that cannot be identified
through visual inspection alone, and may go undetected.
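As an added illustration that is not part of the report and not Pantex or CNS code, the Python below encodes the Special Tooling Design Manual minimums quoted above (3:1 yield or 5:1 ultimate for normal loads; 1.25:1 yield for ductile and 1.5:1 ultimate for non-ductile systems under rare events; NDE below 10:1) and applies the 0.7 joint efficiency de-rating from the Weld Performance concern. It resolves the yield-versus-ultimate ambiguity in the 10:1 NDE rule conservatively by checking both; the member names, stresses and strengths are constructed sample values.

```python
from dataclasses import dataclass

# Minimum factors of safety quoted in this report from the Special Tooling
# Design Manual (normal loads: 3:1 yield or 5:1 ultimate; rare events:
# 1.25:1 yield for ductile systems, 1.5:1 ultimate for non-ductile systems).
NORMAL_YIELD_MIN = 3.0
NORMAL_ULT_MIN = 5.0
RARE_YIELD_MIN = 1.25
RARE_ULT_MIN = 1.5
# The manual recommends NDE for welds with a factor of safety below 10:1
# but does not say whether that is to yield or to ultimate strength.
NDE_THRESHOLD = 10.0
# ASME BPVC Section VIII joint efficiency for a double-welded butt joint
# without radiography or equivalent NDE, as cited in the report.
JOINT_EFFICIENCY_NO_NDE = 0.7


@dataclass
class WeldedMember:
    """A welded load-path element of a piece of special tooling.

    Stresses and strengths are constructed sample values in MPa; the
    field names are this example's own, not the manual's."""
    name: str
    applied_stress: float
    yield_strength: float
    ultimate_strength: float
    ductile: bool
    nde_performed: bool


def nominal_factors(m: WeldedMember) -> tuple[float, float]:
    """Deterministic factors of safety to yield and to ultimate strength."""
    return (m.yield_strength / m.applied_stress,
            m.ultimate_strength / m.applied_stress)


def effective_factors(m: WeldedMember) -> tuple[float, float]:
    """Factors of safety after de-rating the weld for unverified quality.

    This follows the report's own illustration: with no NDE, multiply the
    nominal factor of safety by the 0.7 joint efficiency factor."""
    e = 1.0 if m.nde_performed else JOINT_EFFICIENCY_NO_NDE
    fy, fu = nominal_factors(m)
    return fy * e, fu * e


def nde_recommended(m: WeldedMember) -> bool:
    """Resolve the manual's ambiguity conservatively: recommend NDE if the
    factor of safety to EITHER yield or ultimate strength is below 10:1."""
    fy, fu = nominal_factors(m)
    return fy < NDE_THRESHOLD or fu < NDE_THRESHOLD


def evaluate(m: WeldedMember, rare_event: bool) -> dict:
    """Check a member against the manual's minimums and return the findings.

    For normal loads the manual lets the engineer pick 3:1 yield or 5:1
    ultimate; this example takes the conservative reading and requires
    both. For rare events the ductile/non-ductile split discussed in the
    report is applied."""
    fy, fu = nominal_factors(m)
    eff_y, eff_u = effective_factors(m)
    if rare_event:
        if m.ductile:
            governing, limit, eff = fy, RARE_YIELD_MIN, eff_y
        else:
            governing, limit, eff = fu, RARE_ULT_MIN, eff_u
        meets_minimum = governing >= limit
    else:
        meets_minimum = fy >= NORMAL_YIELD_MIN and fu >= NORMAL_ULT_MIN
        eff = min(eff_y, eff_u)  # whichever margin is thinner
    return {
        "member": m.name,
        "fos_yield": fy,
        "fos_ultimate": fu,
        "meets_manual_minimum": meets_minimum,
        "nde_recommended": nde_recommended(m),
        "nde_performed": m.nde_performed,
        "effective_fos": eff,
        # An effective factor below 1:1 means the de-rated weld is expected
        # to reach its strength limit under the analyzed load.
        "expected_to_yield_or_fail": eff < 1.0,
    }


# Constructed sample: a ductile member designed exactly to the 1.25:1 rare
# event minimum, with welds that received only visual inspection.
SAMPLE_RARE_EVENT_MEMBER = WeldedMember(
    name="constructed swing-arm weld",
    applied_stress=200.0, yield_strength=250.0, ultimate_strength=400.0,
    ductile=True, nde_performed=False)

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_RARE_EVENT_MEMBER, rare_event=True).items():
        print(f"{key}: {value}")
```

The sample member passes the manual's deterministic 1.25:1 rare event check yet has an effective factor of safety of 0.875:1 once the weld is de-rated, which is the gap the Weld Performance concern describes.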
    As part of the submitted closure package for the 2013 AEP Vol. II
NESMS finding ``Preventative Maintenance,'' Pantex personnel included
additional information in the Special Tooling Design Manual detailing
different types of NDE [20]. While this information includes the
advantages and limitations of different techniques, it does not specify
any NDE requirements, and thus does not address the concerns noted
above.
    Pedigree of Special Tooling Preventive Maintenance and ISIs. The
staff review team noted three methods that Pantex used to ensure that
special tooling--credited design features in the safety basis--can
continue to meet its safety functions throughout its time in service:
(1) As-built designs (e.g., inherently conductive special tooling
fabricated out of stainless steel), (2) production technician
inspections for damage prior to use, and (3) special tooling preventive
maintenance and ISIs.
    Based on observed preventive maintenance activities and subsequent
discussions, the special tooling preventive maintenance and ISI
programs lack the rigor expected for maintenance on and inspection of
equipment with safety class and/or safety significant functions. For
instance, in contrast to other safety-related SSCs, preventive
maintenance and ISIs on special tooling are not performed per detailed
written procedures. As a specific example of maintenance performed with
sufficient rigor, during review of the maintenance and cognizant system
engineering programs at Pantex in December 2017, the Board's staff
observed preventive maintenance of ESD flooring--a design feature--in
two nuclear explosive facilities. Workers conducted the preventive
maintenance according to a detailed, written procedure (i.e., Technical
Procedure TP-MN-06291, ESD Flooring Resistance Measurements, Annual,
Plant [21]) and with an appropriate level-of-use (e.g., reader-worker
practices). In contrast, the staff review team observed that for
special tooling maintenance, Pantex relies heavily on worker knowledge
and the skill of the craft to meet specifications that the special
tooling engineer provides in the supporting data sheets. This practice
could compromise the reproducibility of test results and prevent
reliable testing of important features, given the potential variability
in results.
    Performance Criteria Assurance. The performance criteria for
meeting the functional requirements for safety class and/or safety
significant special tooling are absent from the safety basis and reside
in supporting documents (i.e., design requirements documents,
supporting data sheets, and analyses). Although the requirements for
the special tooling program are governed by the NPO-approved Sitewide
Safety Analysis Report, the performance criteria for program-specific
special tooling are neither within Pantex safety basis documentation
nor reviewed and approved by NPO. DOE Standard 3009-1994, Change Notice
3, Preparation Guide for U.S. Department of Energy Nonreactor Nuclear
Facility Documented Safety Analyses, delineates expectations that the
safety basis chapter on SSCs include ``[i]dentification of the
performance criteria necessary to provide reasonable assurance that the
functional requirements will be met'' [22]. The lack of NPO approval of
the specific performance criteria conflicts with DOE Standard 3009-1994
expectations.
    Special Tooling Loading Conditions. During its review, the staff
review team noted the following deficiencies regarding special tooling
loading conditions:
    W76 Swing Arm--Pantex relies on the test results of a single
(prototype) W76 swing arm [23] to validate that it will perform its
safety basis function under analyzed loads. The staff review team
identified several concerns with this testing, including the following:
     The test assessed whether the swing arm would perform its
safety function in the case of dynamic loading (i.e., the special
tooling would vertically deflect less than a certain distance during an
impact scenario). However, Pantex performed only a single test, and
Pantex personnel informed the staff review team that it was not
performed with a high quality pedigree, such as in accordance with the
quality assurance requirements of ASME NQA-1, Quality Assurance
Requirements for Nuclear Facility Applications [24]. When coupled with
the weld quality concerns and weld manufacturing variances noted above,
it is unclear to the staff review team how Pantex can ensure that all
swing arm copies will be able to perform their safety functions during
an impact scenario (i.e., they will not deflect beyond the specified
limit and potentially impact the unit).
     The staff review team identified an additional falling man
scenario with the W76 swing arm that Pantex had not previously
analyzed. As this impact scenario applies a load on a longer lever arm,
there exists the possibility for a larger deflection of the swing arm
than previously postulated, which would potentially defeat its safety
function. Pantex personnel stated that they do not consider the
scenario to be credible. However, the staff review team contends that
during transient movements of the swing arm, production technicians
have a direct pathway to apply load on the longer lever arm.
    Falling Man Rare Event Loading--The staff review team noted non-
conservative assumptions regarding placement and distribution of
falling man rare event loading. Per the reviewed analyses, special
tooling engineers typically apply the falling man loading to the center
of gravity of the components supported by special tooling. This usually
results in a symmetric distribution of loads. The staff review team
questioned the appropriateness of this approach, postulating that it
may be more conservative and bounding to assume an uneven distribution
of loads, such as primarily loading one beam of a two-beam system
rather than applying equal loading across both beams.
    Specifically, for the B61 program, the staff review team identified
non-conservative assumptions with the placement and distribution of
falling man rare event loads involving a configuration between the
support beam (061-2-0730) and support and alignment fixture (061-2-
0860). In this configuration, the staff review team noted that falling
man horizontal loads could impart a torsional load component to the
support beam that Pantex had not analyzed. While this may be a robust
piece of special tooling with respect to vertical loading, Pantex did
not evaluate the factor of safety for torsional load. As justification,
special tooling engineers noted that the angles from which production
technicians can approach this configuration preclude this torsional
loading. However, nuclear explosive operating procedures do not
restrict approach angles to protect this assumption, and subsequent
staff review team observations of B61 nuclear explosive operations
revealed that a falling production technician could approach at the
angles of concern and could impact this configuration to generate out-
of-plane loadings not currently evaluated.
    Loss of Special Tooling Design Function during Impacts--Functional
requirements for special tooling include factors of safety based on
static loading conditions. However, as observed during falling man
studies performed at Virginia Polytechnic Institute and State
University [25], special tooling, such as tooling employing a banjo
plate configuration, had considerable elastic deformation during
certain dynamic impact scenarios. Pantex does not typically consider
how deformations under loading could render the special tooling
incapable of performing its safety function throughout the loading
cycle (e.g., a holding fixture deforming under impact and allowing a
held component to be dropped).
    Opportunities for Improvement. The staff review team identified
several opportunities for improvement in the special tooling program.
     Periodic Reevaluation of Analyses--The staff review team
noted that there currently is no requirement or guidance to Pantex
personnel that requires the periodic reevaluation of special tooling
engineering analyses. Such a program would allow opportunities for
Pantex to self-identify incomplete or deficient conclusions, bolster
the analysis methodology to include modern methods (e.g., finite
element analysis software), and provide additional assurance in the
conclusions of the special tooling analysis.
     NES Study Concerns--NNSA does not currently have near-term
plans to redesign or upgrade B61, W76, and W87 special tooling to
address outstanding NES Study concerns, including reducing the size of
gas cylinder carts to eliminate/minimize hazards and discontinuing an
electrical tester cart (i.e., for the PT3746) that is susceptible to
toppling. NES Study Groups have identified aspects of special tooling
associated with these weapon programs that do not meet the intent of
Seamless Safety for the 21st Century, including the W76 program's
continued use of a swing arm and the absence of an engineered control
for potentially cracked high explosive and unnecessary unit lifts on
the W87 program. Furthermore, the staff review team noted that when a
NES Study Group identifies potential deficiencies in the special
tooling design or implementation on one weapon program (e.g.,
elimination of a similar swing arm on the W78 program by introduction
of a transfer cart), NNSA and the Pantex contractor do not consistently
address the deficiency on other applicable weapon programs.
     Validation Testing--The staff review team identified that
Pantex only performs limited testing of special tooling to validate
engineering calculations. For example, the first destructive test of a
piece of special tooling (i.e., the B61 support beam) was conducted in
July 2017. This destructive test was used to confirm the conclusions of
the associated engineering analysis. In case of special tooling with
factors of safety lower than required by the Special Tooling Design
Manual, additional testing would be valuable to eliminate uncertainty
regarding whether the tooling will perform its design function.
     Safety Catches--The staff review team evaluated the use of
W76 vacuum lifting fixtures and the 2015 issue in which cracks were
identified in vacuum lifting fixture safety catches (see Figure 1). The
safety catches are a secondary feature to prevent a drop of high
explosive charges should vacuum fail on the lifting fixture. The staff
review team is concerned that actions taken to date may not prevent
recurrence of cracking of safety catches. Pantex continues to rely on
production technicians to identify cracking during routine prior-to-use
inspections. The staff review team believes that application of an ISI
or introduction of a specific step within the nuclear explosive
operating procedure to check for safety catch damage prior to use would
bolster the reliability of this check. Alternatively, the safety
catches could be redesigned, substituting a material with a lower
likelihood of cracking (e.g., appropriately coated metal).
    Figure 1. Cracked Safety Catches in the W76 Aft Disassembly
Fixture, 076-2-0382 [26].
     Special Tooling Acceptance Process--As discussed onsite,
in one instance, Pantex delivered an incorrectly fabricated W88 lifting
and rotating fixture (088-2-0377) to production for use, and
technicians subsequently installed it in the facility and began
operations. On this specific piece of special tooling, a component used
to mate the tooling to the stand was out-of-tolerance. The component is
designed with a slight bend; however, the bend angle was out-of-
tolerance by approximately 10 degrees, preventing the component from
interfacing properly with other special tooling during the operation.
The bend angle is neither part of the receipt inspection for
subcontracted tooling (as a recordable feature), nor part of the
quality assurance inspections required before the tooling is released
for production use. A NES Change Evaluation was ultimately required to
authorize the use of a temporary procedure to remove the special
tooling and continue operations. In light of this occurrence and other
instances of special tooling used without all necessary reviews and
approvals [27], the staff review team encourages improvements to the
special tooling acceptance process.
    Noteworthy Practices and Updates. The staff review team identified
a number of noteworthy practices that Pantex has implemented that
contribute to the improvement of the overall safety posture of the
special tooling program. In addition, the staff review team noted several
ongoing initiatives.
    Noteworthy Practices--The staff review team noted several practices
that contribute to the safety posture of the special tooling program.
     Sharing Lessons Learned. Pantex has established methods
for sharing lessons learned among special tooling engineers (e.g., use
of ``Design Tips'' documentation). The staff review team specifically
noted an example with the B61 presray plate (061-2-0761). Given
incidents with this special tooling (e.g., loss of air pressure due to
intrusion of foreign material through the supply air), Pantex took
appropriate actions to apply in-line air filters to all special tooling
requiring air pressure to perform its required functions.
     Quality Assurance Consensus Standard Implementation. As
part of its 2016 approval of the combined Y-12 and Pantex Quality
Assurance Program Description [28], NPO required Pantex to apply the
quality assurance requirements of NQA-1 to the special tooling program
[24, 29]. Historically, special tooling quality assurance has been
governed by the NNSA Weapon Quality Policy (i.e., NAP-24), which
establishes specific weapon and weapon-related product-focused quality
requirements for designing, producing, and surveilling weapon products.
    As part of its extent of condition review, Pantex identified a
large number (between 5,000 and 10,000) of special tooling designs that
will require additional evidence to meet the commercial grade
dedication requirements of NQA-1. Pantex is conducting a pilot study on
six pieces of special tooling in order to inform NPO of the potential
cost and timeframe for complete implementation of NQA-1 for special
tooling. The tooling selected for the pilot study includes an assembly
cart (000-2-1230), a W76 lifting & rotating fixture (076-2-0365), an
assembly stand (000-2-0832), and a B83 vacuum fixture (083-2-0460).
     Supplier Quality Control Improvements. The staff review
team identified some noteworthy practices by Pantex Supplier Quality.
First, Pantex uses a risk-informed process to determine whether a given
supplier requires additional Pantex oversight to ensure that the
special tooling received from the supplier meets Pantex quality
requirements. The staff review team notes that these risk-based
surveillances occur in addition to the triennial Pantex re-evaluation.
Second, Pantex has developed a Supplier Quality Handbook for Special
Tooling Suppliers [30] that will help inform special tooling suppliers
of many of the pitfalls encountered by Supplier Quality. Third, Pantex
has demonstrated its willingness to remove suppliers who are routinely
at risk from the Qualified and Approved Suppliers List until the
supplier demonstrates compliance with Pantex Supplier Quality
requirements.
    Ongoing Initiatives--Pantex plans to make improvements to the
Special Tooling Design Manual, as well as special tooling engineering
analyses, including the following:
     Clarification of Design Manual. Pantex has revised the
Special Tooling Design Manual to include clarifications and additional
language to provide guidance on factors-of-safety requirements for
special tooling and the use of backup features with friction-based
special tooling. However, Pantex has not provided sufficient additional
guidance for factors of safety for press assemblies. Pantex has
clarified that either the factor of safety of 3:1 at yield or 5:1 at
ultimate strength can be used in analysis, but does not provide
guidance on the appropriateness of one value or the other.
     Guidance for Deviations from Design Manual. Pantex has
updated the Special Tooling Design Manual to provide additional
guidance regarding the approval process for special tooling designs
that deviate from manual requirements. However, the approval process
for deviations from the design manual does not require elevation beyond
the normal approval chain.
     Engineering Mentors. Pantex has updated the Special
Tooling Design Manual to implement a mentor system, in which senior
special tooling engineers will be tasked with providing clarification
and improvements to the design manual.
     Updates to Special Tooling Analyses. Pantex is updating
several special tooling engineering analyses that were discussed during
the staff review team's onsite review (e.g., the W76 swing arm (000-2-
0831), B83 belly band (083-2-0476), W87 primary lifting fixture (087-2-
0400), and B61 penetrator case sleeve (061-2-0738) analyses).
    Specifically for the W76 swing arm, the staff review team
questioned whether the single dynamic loading test would bound the
impact of a falling man scenario, as was indicated in the W76 Hazard
Analysis Report [31]. Pantex personnel have since updated the swing arm
calculation to defend the safety basis assumption that dynamic testing
bounds the falling man scenario, demonstrating that the forces from the
test exceed the current falling man load.
Appendix A
Special Tooling Safety Factors
    The Special Tooling Design Manual presents factors of safety for
custom special tooling within the anticipated load paths. These values
do not apply to off-the-shelf components, such as casters or
pressurized tubing. Non-pressurized off-the-shelf components are held
to a factor of safety of 1:1 to working load or 5:1 to vendor-stated
failure load. Pressurized off-the-shelf components are held to a factor
of safety of 1:1 to working load or 4:1 to vendor-stated burst
pressure. In addition, the Special Tooling Design Manual includes
minimum factors of safety for several other types of special tooling,
such as systems relying on vacuum or acting to restrain compressed air
hoses; however, these are not discussed further in this report.
    The factors of safety most relevant to this report are stated
below:
               Table A-1--Factor of Safety Requirements for Custom Special Tooling Components [1]
----------------------------------------------------------------------------------------------------------------
Design case                                                          To yield strength        To ultimate strength
----------------------------------------------------------------------------------------------------------------
Minimum allowable design factors of safety for normal loading        3:1                or    5:1
 (e.g., weight of components, anticipated pressures) \17\
Minimum allowable design factors of safety for rare events           1.25:1             or    1.5:1
 (falling man and seismic)
Minimum factor of safety that does not require non-destructive       N/A                      10:1 \18\
 evaluation of welds
----------------------------------------------------------------------------------------------------------------
    Of note, special tooling does not require redundancy of load path
elements in design [1]. As noted in the report, based on analyses
reviewed by the staff review team, special tooling engineers typically
apply the loading to the center of gravity of the components supported
by special tooling. This usually results in a symmetric distribution of
loads.
---------------------------------------------------------------------------
    \17\ Pantex personnel do not currently apply these minimum
factor of safety requirements to special tooling that includes high-
pressure press components; Pantex personnel plan to update the
Special Tooling Design Manual to reflect slightly less conservative
factor of safety requirements for this special tooling type.
    \18\ The current revision of the Special Tooling Design Manual
does not state whether this factor of safety requirement is to yield
strength or to ultimate strength; Pantex personnel indicated that it
is intended to be to ultimate strength.
---------------------------------------------------------------------------
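To make the Table A-1 criteria concrete, the following added example (not from the report, the Special Tooling Design Manual, or any Pantex analysis) screens a component under both the yield and ultimate criteria, and shows when the manual's "either 3:1 at yield or 5:1 at ultimate" wording lets the less conservative criterion govern. Material properties and loads are constructed round numbers.

```python
"""Screen a custom special tooling component against the Table A-1 minimum
factors of safety (FS = material strength / applied stress).

Added example for illustration; the material properties and loads below are
constructed round numbers, not values from the report or any Pantex analysis.
"""
from dataclasses import dataclass

# Table A-1 minimums as (to yield strength, to ultimate strength).
TABLE_A1 = {
    "normal": (3.0, 5.0),        # weight of components, anticipated pressures
    "rare_event": (1.25, 1.5),   # falling man and seismic
}
# Welds need non-destructive evaluation unless FS to ultimate is at least 10:1
# (footnote 18: the manual is silent; Pantex intends "to ultimate").
WELD_NDE_WAIVER_FS = 10.0


@dataclass(frozen=True)
class Component:
    name: str
    yield_psi: float      # yield strength
    ultimate_psi: float   # ultimate tensile strength
    area_in2: float       # load-bearing cross-section


def factors_of_safety(comp: Component, load_lbf: float) -> tuple[float, float]:
    """Return (FS to yield, FS to ultimate) for a load applied to the section."""
    applied_stress = load_lbf / comp.area_in2
    return comp.yield_psi / applied_stress, comp.ultimate_psi / applied_stress


def evaluate(comp: Component, load_lbf: float, design_case: str) -> dict:
    """Compare a component's factors of safety against one Table A-1 row."""
    req_yield, req_ult = TABLE_A1[design_case]
    fs_yield, fs_ult = factors_of_safety(comp, load_lbf)
    by_yield = fs_yield >= req_yield
    by_ult = fs_ult >= req_ult
    return {
        "fs_yield": round(fs_yield, 3),
        "fs_ultimate": round(fs_ult, 3),
        "meets_yield": by_yield,
        "meets_ultimate": by_ult,
        # The manual allows either criterion; a stricter reading needs both.
        "meets_either": by_yield or by_ult,
        "meets_both": by_yield and by_ult,
    }


def allowable_loads(comp: Component, design_case: str) -> tuple[float, float]:
    """Maximum load permitted by each criterion: strength * area / required FS."""
    req_yield, req_ult = TABLE_A1[design_case]
    return (comp.yield_psi * comp.area_in2 / req_yield,
            comp.ultimate_psi * comp.area_in2 / req_ult)


def conservative_criterion(comp: Component, design_case: str) -> str:
    """Which criterion gives the lower allowable load for this material.

    Yield governs only when S_y / S_u < FS_yield_req / FS_ult_req
    (0.6 for normal loading, 0.833 for rare events); for materials whose
    yield is close to ultimate, the to-ultimate rule is the stricter one.
    """
    by_yield, by_ult = allowable_loads(comp, design_case)
    return "yield" if by_yield <= by_ult else "ultimate"


def weld_requires_nde(comp: Component, load_lbf: float) -> bool:
    """True unless the weld's FS to ultimate reaches the 10:1 waiver threshold."""
    return factors_of_safety(comp, load_lbf)[1] < WELD_NDE_WAIVER_FS


# Constructed illustrative materials (round numbers, 1.0 in^2 section).
MILD_STEEL = Component("mild steel (constructed)", 36_000, 58_000, 1.0)
HIGH_STRENGTH = Component("high-strength alloy (constructed)", 100_000, 110_000, 1.0)
ANNEALED = Component("annealed stainless (constructed)", 30_000, 75_000, 1.0)

if __name__ == "__main__":
    for comp in (MILD_STEEL, HIGH_STRENGTH, ANNEALED):
        y, u = allowable_loads(comp, "normal")
        print(f"{comp.name}: normal load {y:,.0f} lbf by yield, "
              f"{u:,.0f} lbf by ultimate; stricter: "
              f"{conservative_criterion(comp, 'normal')}")
    print(evaluate(HIGH_STRENGTH, 30_000, "normal"))
```

For the constructed high-strength alloy the yield criterion permits roughly 50 percent more load than the ultimate criterion, which is why guidance on which value applies matters; for mild steel the governing criterion even switches between the normal-loading and rare-event rows.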
References
[1] Consolidated Nuclear Security, LLC, Tooling & Machine Design,
Special Tooling Design Manual, MNL-293130, Issue 8, January 18,
2016.
[2] Consolidated Nuclear Security, LLC, Sitewide Safety Analysis
Report (U), AB-SAR-314353, Revisions 263 and 277.
[3] B.L. Ames, Consolidated Nuclear Security, LLC, Special Tooling &
Tester Design, General Requirements for Tooling Fabrication &
Inspection, Issue 14, May 15, 2014.
[4] Pantex Production Tooling Department, Special Tooling
Operations, MNL-352164, Issue 11.
[5] Consolidated Nuclear Security, LLC, Special Tooling Top-Down
System Review System Improvement Project (SIP), Revision 2, January
21, 2015.
[6] National Nuclear Security Administration Production Office,
Assessment Results for the Independent Assessment of the Special
Tooling Program, December 22, 2015.
[7] Department of Energy Nuclear Explosive Safety Study Group,
Nuclear Explosive Safety Master Study of the Approved Equipment
Program at the Pantex Plant, Volume II--Special Tooling (U), May 31,
2013.
[8] Consolidated Nuclear Security, LLC, Closure Package, Finding
3.3.1: Factor of Safety for Special Tooling Rare Event Analysis,
From the Nuclear Explosive Safety Master Study of the Approved
Equipment Program at the Pantex Plant Volume II Special Tooling,
April 6, 2018.
[9] Pantex Engineering Analysis, Technical Basis for Safety Factors,
ANL-13802, Issue 1, August 15, 2005.
[10] Pantex Tooling & Machine Design, Seismic Analysis, ANL-13468,
Issue 1, March 26, 2004.
[11] Department of Energy Standard 1020, Natural Phenomena Hazards
Design and Evaluation Criteria for Department of Energy Facilities,
January 2002.
[12] Pantex Tooling & Machine Design, Materials Database, November
3, 2016.
[13] American Society of Civil Engineers (ASCE) 43-05, Seismic
Design Criteria for Structures, Systems, and Components in Nuclear
Facilities, 2005.
[14] American Institute of Steel Constructors (AISC) 341-10, Seismic
Provisions for Structural Steel Buildings, June 22, 2010.
[15] ASM Committee on Failure Analysis of Weldments, ``Failure of
Weldments.'' Metals Handbook Volume 10, Failure Analysis and
Prevention, Ed 8, 1975, p. 333.
[16] American Society of Mechanical Engineers Boiler and Pressure
Vessel Code Section VIII, Rules for Construction of Pressure
Vessels, 2017.
[17] American Petroleum Institute Standard 653, Tank Inspection,
Repair, Alteration, and Reconstruction, Edition 5, November 2014.
[18] American Institute of Steel Constructors (AISC) 360-10,
Specification for Structural Steel Buildings, June 22, 2010.
[19] Consolidated Nuclear Security, LLC, Vendor Performance Report
for Date Range 7/10/2016 to 7/10/2017, July 11, 2017.
[20] Consolidated Nuclear Security, LLC, Closure Package, Finding
3.4.1: Preventive Maintenance, From the Nuclear Explosive Safety
Master Study of the Approved Equipment Program at the Pantex Plant
Volume II Special Tooling, April 9, 2018.
[21] Pantex Technical Procedure, ESD Flooring Resistance
Measurements, Annual, Plant, TP-MN-06291, Issue 10, October 20,
2015.
[22] Department of Energy Standard 3009-1994, Preparation Guide for
U.S. Department of Energy Nonreactor Nuclear Facility Documented
Safety Analyses, Change Notice 3, March 2006.
[23] Pantex Engineering Analysis, Swing Arm, ANL-000-2-831, Issue 5,
April 3, 2009.
[24] American Society of Mechanical Engineers, NQA-1, Quality
Assurance Requirements for Nuclear Facility Applications, March 14,
2008.
[25] A.R. Kemper, S.M. Beeman, and D. Albert, Evaluation of the
Falling Man Scenario Part III: Crash Test Dummy Forward Fall
Experiments, Virginia Tech--Wake Forest University Center for Injury
Biomechanics, May 31, 2015.
[26] Pantex Tooling & Machine Design, Engineering Evaluation 15-EE-
0010, Issue 001, May 5, 2015.
[27] ``Unanalyzed Special Tooling approved for Production Use,''
Department of Energy Occurrence Reporting and Processing System,
NA--NPO-CNS-PANTEX-2017-0087, November 30, 2017.
[28] Consolidated Nuclear Security, LLC, Quality Assurance Program
Description, June 21, 2016.
[29] L.R. Bauer, Consolidated Nuclear Security, LLC, Response to NPO
Comments on Quality Assurance Program Description, May 9, 2017.
[30] Consolidated Nuclear Security, LLC, Supplier Quality Handbook
for Special Tooling Suppliers, Issue 1.
[31] Consolidated Nuclear Security, LLC, W76 Hazard Analysis Report
(U), RPT-HAR-255023, Revisions 67 and 70.
Correspondence With the Secretary of Energy
December 27, 2018
The Honorable Bruce Hamilton
Chairman
Defense Nuclear Facilities Safety Board
625 Indiana Avenue NW, Suite 700
Washington, DC 20004
Dear Chairman Hamilton:
The Department of Energy (Department) received the Defense Nuclear
Facilities Safety Board (DNFSB or Board) Draft Recommendation 2018-1,
Uncontrolled Hazard Scenarios and 10 CFR 830 Implementation at the
Pantex Plant, on November 29, 2018. In accordance with 42 U.S.C. Sec.
2286d(a)(2), the Department requests a 30-day extension to provide
comments. Lisa E. Gordon-Hagerty, the Department's Under Secretary for
Nuclear Security, will provide the response to the DNFSB by January 28,
2019.
The Department is committed to addressing safety basis deficiencies at
the Pantex Plant. As you may be aware, the Department has
already taken action and continues to monitor closely the completion of
actions to address identified concerns. As part of its efforts, the
Department has also taken into consideration information from the two
DNFSB Staff Issue reports regarding these safety basis deficiencies.
Since the Draft Recommendation presents a complex and extensive
discussion of safety documents at Pantex, a 30-day extension is
necessary to afford the Department sufficient time to assess the Draft
Recommendation's findings, supporting data, and analyses.
If you have any questions, please contact Mr. Geoffrey Beausoleil,
Manager of the National Nuclear Security Administration Production
Office, at (806) 573-3148 or (865) 576-0752.
Sincerely,
Rick Perry
December 28, 2018
The Honorable James Richard Perry
Secretary of Energy
U.S. Department of Energy
1000 Independence Avenue, SW
Washington, DC 20585-1000
Dear Secretary Perry:
The Defense Nuclear Facilities Safety Board (Board) is in receipt of
your December 27, 2018, letter requesting a 30-day extension to provide
comments on the Board's Draft Recommendation 2018-1, Uncontrolled
Hazard Scenarios and 10 CFR 830 Implementation at the Pantex Plant.
In accordance with 42 U.S.C. 2286d(a)(2), the Board is granting the
extension for an additional 30 days.
Yours truly,
Bruce Hamilton
January 28, 2019
The Honorable Bruce Hamilton
Chairman
Defense Nuclear Facilities Safety Board
625 Indiana Avenue NW, Suite 700
Washington, DC 20004
Dear Chairman Hamilton:
On behalf of the Secretary, thank you for the opportunity to review
Defense Nuclear Facilities Safety Board (Board) Draft Recommendation
2018-1, Uncontrolled Hazard Scenarios and 10 CFR 830 Implementation at
the Pantex Plant. We appreciate the Board's perspective and look
forward to continued positive interactions with you and your staff on
this important matter. The Department of Energy's National Nuclear
Security Administration (DOE/NNSA) agrees that continuing actions are
needed to further improve the content, configuration management, and
implementation of the safety basis for nuclear explosive operations at
the Pantex Plant (Pantex).
While there are opportunities for improvement, DOE/NNSA believes that
the current safety controls implemented at Pantex provide adequate
protection of public health and safety. DOE/NNSA acknowledges that
legacy issues exist within the current Pantex documented safety
analyses. The enclosed summary outlines a number of actions initiated
by DOE/NNSA during the past year to scope and prioritize the
identified and necessary improvements. We believe these actions address
the primary concerns raised in the Board's Draft Recommendation.
Given the importance of these efforts, I have also requested
DOE's Office of Enterprise Assessments periodically assess the
progress DOE/NNSA is making in this area. The first two assessments
have been scheduled for the third and fourth quarters of fiscal year
2019. In addition, DOE/NNSA would appreciate the opportunity to provide
the Board with a detailed briefing on the improvement actions taken in
2018 and planned for 2019. If you have any questions, please contact
me or Mr. Geoffrey Beausoleil, Manager of the NNSA Production Office,
at 865-576-0752.
Sincerely,
Lisa E. Gordon-Hagerty
Enclosure - Comments on Draft DNFSB Recommendation 2018-1, Uncontrolled
Hazard Scenarios and 10 CFR 830 Implementation at the Pantex Plant
General Comments
Throughout last year, and more intensely during the second half of the
year, the Department of Energy's National Nuclear Security
Administration (DOE/NNSA and CNS (Pantex)) have taken numerous actions
aimed at improving the quality, configuration management, and
implementation of the Pantex Plant (Pantex) safety basis. Key actions
during this period include the following:
     In September 2018, DOE/NNSA approved a Safety Basis
Supplement (SBS) by CNS that fulfilled two primary objectives. First,
the SBS provides a framework for analyzing and addressing legacy issues
in the Pantex safety basis associated with scenarios previously
determined not to require application of safety controls because they
were evaluated to be ``sufficiently unlikely.'' Requirements have been
established to assure ``sufficiently unlikely'' scenarios are
identified and resolved. Second, the SBS included significant
improvements in safety protocols through the identification of
compensatory measures for preventing events that could result from
``Falling Man'' scenarios. As of December 20, 2018, CNS has implemented
the new `Falling Man' compensatory measures in all active nuclear
explosive cells. Implementation of the new `Falling Man' compensatory
measures in active nuclear explosive bays is expected to be completed
by February 28, 2019.
     In October 2018, DOE/NNSA initiated a project to identify
options for ``redesigning'' the Pantex safety basis, with the goal of
reducing the complexity of the safety basis documents, simplifying
development and maintenance of the documents, and correspondingly
improving implementation of the identified safety controls. Members of
this project team include representatives from DOE/NNSA, the production
plants, the national laboratories, and the Nevada National Security
Site. This initiative will take substantial effort to achieve, but is
essential for ensuring the long-term success of the Pantex national
security mission.
     In November 2018, DOE/NNSA approved a comprehensive
Corrective Action Plan by CNS that includes numerous actions for
improving the Pantex safety basis development process and addressing
legacy weaknesses in the current documents. Execution of this plan will
drive significant improvement in the overall quality of the Pantex
safety basis within the next two years. To date, CNS has completed all
actions on schedule.
    Several elements of the DNFSB's Draft Recommendation arise from
inconsistencies between long-standing Pantex practices and DOE guidance
documents. Examples include DNFSB concerns related to the structure of
the Pantex Unreviewed Safety Question (USQ) procedure, the longevity of
some Justifications for Continued Operations, and the frequency within
which safety control implementation is re-verified. By definition, the
referenced DOE Guides (e.g., DOE Guide 423.1-1B, Implementation Guide
for Use in Developing Technical Safety Requirements and DOE Guide
424.1-1B, Implementation Guide for Use in Addressing Unreviewed Safety
Question Requirements) provide supplemental information that DOE/NNSA
uses to encourage performance of operations and activities across the
complex with a focus on best practices. Similarly, several of the
concerns in the DNFSB's Draft Recommendation related to Special Tooling
are understood to be suggestions to adopt industry best practices
rather than reflecting deficiencies against DOE regulations or
requirements. DOE/NNSA identified similar issues with the Special
Tooling program as part of our oversight activities. DOE/NNSA will
ensure the DNFSB suggestions are evaluated as it continues to develop
additional improvement actions, but does not believe the issues result in
challenging adequate protection of public health or safety.
Safety Controls Associated With Low-Probability/High-Consequence Events
    The DNFSB raised concerns that some scenarios determined to be
`sufficiently unlikely' (i.e., expected to occur between once-in-a-
million and once-in-a-billion years) in the applicable Pantex safety
basis documents did not have clearly identified safety controls for
preventing or mitigating the potentially high consequences (e.g.,
worker fatality or public radiological exposure). The DOE/NNSA provides
the following perspective regarding these concerns:
     As noted in the DNFSB's Draft Recommendation, questions
associated with `new information' related to potential accident
scenarios are evaluated via the Pantex Problem Identification and
Evaluation process. This process ensures that appropriate operational
restrictions or compensatory measures are implemented while resolving
any potential safety issues associated with the adequacy of safety
controls. During the past year, DOE/NNSA has verified this process has
been effectively executed by CNS, and has driven improvements to the
process as warranted.
     One of the concerns raised by the DNFSB, associated with
the adequacy of safety controls for `sufficiently unlikely' scenarios,
was reliance on Key Elements
of Safety Management Programs to prevent high-consequences during
potential `Falling Man' scenarios. In September 2018, the DOE/NNSA
approved a Safety Basis Supplement that identified additional `Falling
Man' controls, which are structured, credited, and protected as
Specific Administrative Controls (SACs) rather than programmatic Key
Elements. As noted above, CNS implemented these `Falling Man' SACs in
all active nuclear explosive cells as of December 20, 2018, and will
implement them in active nuclear explosive bays by February 28, 2019.
     Other than the control adequacy issues discussed above,
the remaining control adequacy concerns generally relate to weaknesses
in the safety basis documentation. The two most common examples are (a)
controls that are already implemented in the field but are not
specifically linked to and credited for scenarios in the safety basis
that were dispositioned as `sufficiently unlikely' and (b) scenarios
that were inappropriately deemed as `sufficiently unlikely' in the
safety basis where in reality they are not credible (e.g., the scenario
would require deliberate or malicious procedural violations).
    The aforementioned Safety Basis Supplement provides a framework for
evaluating and categorizing these documentation-related issues. CNS
developed a Corrective Action Plan that DOE/NNSA approved in November
2018 that includes commitments to perform extent-of-condition reviews
of all Pantex Safety Basis Documents by the end of 2019, with the
objective of identifying and correcting all instances of these
documentation-related issues. To date, CNS has executed on schedule the
actions captured in this Corrective Action Plan.
Configuration Management of the Pantex Safety Basis
    The DNFSB raised concerns related to the processes used to maintain
configuration management of the Pantex safety basis. Specifically, the
DNFSB expressed concern that: (a) Updates to Pantex safety basis
documents are not always completed on an annual basis; (b) the Pantex
USQ procedure allows discrepant-as-found conditions to be corrected
without suspending impacted operations or making necessary
notifications; and (c) some Justifications for Continued Operations
(JCOs) are extended beyond a year. DOE/NNSA provides the following
perspectives regarding these concerns:
     The DNFSB's concern related to the timeliness of updating
safety basis documents appears to be based on data collected during
2017. The vast majority of Pantex safety basis documents were updated
on-time in 2018, the lone exception being the update associated with
the Site-wide Safety Analysis Report. CNS is committed to updating this
document by March 2019. The aforementioned Corrective Action Plan,
approved by DOE/NNSA in November 2018, includes actions to revise the
administrative procedures for developing and revising Pantex safety
basis documents. These actions specifically identify improving
configuration management of safety basis documents as an objective,
which, when executed effectively, should preclude similar issues from
occurring in the future.
     The DNFSB's Draft Recommendation states that ``the Pantex
USQ procedures allow three days to correct discrepant-as-found
conditions . . . without stopping operations, notifying the Department
of Energy (DOE), or initiating the Pantex process for addressing a
potential inadequacy of the safety analysis.'' While the Pantex USQ
procedure does allow three days to correct a discrepant-as-found
condition prior to declaring a Potential Inadequacy of the Safety
Analysis (PISA), Pantex procedures require: (a) Suspending operations
whenever a safety question is raised (e.g., discovery of discrepant-as-
found conditions); (b) making appropriate notifications to the DOE/NNSA
Production Office (NPO); and (c) initiating the DOE-Approved Pantex USQ
process. Therefore, we believe the proper safety control is in place.
     The DNFSB's Draft Recommendation includes a concern with
the processes for handling JCOs and the extension of some for an
extended period of time. The goal in the Pantex USQ procedure of
addressing JCOs in less than a year is derived from guidance in DOE
Guide 424.1-1B. The intent is to ensure JCOs and their compensatory
measures are used to address temporary changes to the safety basis
until permanent solutions can be identified and incorporated. While one
year is a viable goal for limiting use of a JCO, it is not always
practical to resolve issues in nuclear or nuclear explosive operations
in that time frame. Many of the issues identified in JCOs involve
complex operations or hazard scenarios where a permanent solution
cannot be developed without extensive analysis or physical changes to
facilities, systems, or equipment. Several JCO extensions were to allow
additional time to develop permanent solutions, instead of
incorporating compensatory measures into the safety basis only to
revise the documents again once the permanent solution was developed.
Each extension was approved by the Safety Basis Approval Authority
after NPO fully evaluated the JCO conditions and compensatory measures,
and concluded operations could be continued safely with the JCO
compensatory measures.
Special Tooling Program
    The DNFSB expressed concerns that deficiencies exist within the
Pantex Special Tooling Program. Examples of the identified deficiencies
include: (a) Inconsistencies between Pantex tooling procedures and site
practices; (b) additional Non-Destructive Evaluation techniques being
used to inspect welds on tooling; (c) reliance on worker knowledge and
skill-of-the-craft during tooling inspection, maintenance, and testing
activities; (d) tool-specific performance criteria not being listed in
the Pantex safety basis; and (e) weaknesses in analysis and testing for
mechanical impact scenarios involving tooling. DOE/NNSA provides the
following perspectives regarding these concerns:
     Subsequent to the DNFSB's September 2017 review, tooling-
specific deviations from Pantex procedures were reviewed and confirmed
that continued use of the subject tools meets applicable requirements.
Additional corrective actions have been taken to prevent recurrence of
the inconsistencies.
     Subsequent to the DNFSB's September 2017 review, CNS
engaged an outside expert to review the Pantex welding program, who
concluded that Pantex processes meet expectations. That is, welds are
performed and inspected by qualified welders in accordance with
applicable industry standards.
     Pantex tools are maintained and tested by trained and
qualified journeymen mechanics in accordance with programmatic and
tool-specific requirements.
Conclusion
    DOE/NNSA appreciates the perspective provided by the DNFSB. DOE/
NNSA has thoroughly reviewed the DNFSB input provided in the Draft
Recommendation 2018-1, Uncontrolled Hazard Scenarios and 10 CFR 830
Implementation at the Pantex Plant, and looks forward to continued
positive interactions with the DNFSB on this and other matters. DOE/
NNSA is eager to discuss the Corrective Action Plan in place at Pantex
with the Board so that the DNFSB can see the many actions underway to
address areas known to need improvement.
    In the interim, DOE/NNSA's efforts continue to focus on our shared
goal of meeting the nation's weapons program needs in a manner that
ensures adequate protection of public health and safety. Through the
comments presented in response to Draft Recommendation 2018-1, DOE/NNSA
takes this opportunity to provide key additional information and stress
its understanding of the importance of the steps it takes to
continuously improve the Pantex safety basis and its implementation.
    Authority: 42 U.S.C. 2286d(b)(2).
    Dated: March 12, 2019.
Bruce Hamilton,
Chairman.
[FR Doc. 2019-04941 Filed 3-18-19; 8:45 am]
 BILLING CODE 3670-01-P