3
Evaluation of Systemization Safety Performance

This chapter describes the direct and third-party information on which the Stockpile Committee based the assessment of safety performance during the Tooele Chemical Agent Disposal Facility (TOCDF) systemization (operational testing prior to the start of agent operations). The committee's evaluation is based on extensive reviews of safety-related audits, reports or studies made by other organizations on the TOCDF, on data and information requested and received from the Army, and on four visits of the Stockpile Committee to the TOCDF. In addition, specialist subgroups of the committee have concentrated on particular areas of concern by making additional visits to the TOCDF, doing spot-checks on site, and holding meetings with a wide range of personnel at the facility.

Next, Army procedures for a Pre-Operational Survey are discussed. The Army will use the Pre-Operational Survey as the basis for deciding whether to start agent operations at the TOCDF. Since this report predates the completion of the Pre-Operational Survey, the Stockpile Committee's evaluation will be limited to review of the plans and procedures that will be followed by the Army in completing this final review.

Safety-Related Functions and Reviews By Others

Systems Hazard Analysis

As part of the Army's safety program plan for the TOCDF, the Ralph M. Parsons Company performed a systems hazard analysis (SHA) to identify, evaluate, and quantify hazards associated with the activities within the TOCDF munitions demilitarization building and activities required to support the demilitarization process operations (Parsons, 1993). In simple terms, an SHA is a comprehensive and systematic search for and evaluation of all significant failure modes that can be identified by an experienced hazards analysis team. The SHA follows design drawings on a component-by-component basis for all systems and, for the TOCDF, utilizes additional performance information described in detail in the TOCDF Functional Analysis Workbook (U.S. Army, 1993–1995).

The SHA used various hazard and failure mode assessment techniques described in MIL-STD-882B. These techniques included failure modes and effects analysis (FMEA), fault tree analysis (FTA), and event tree analysis (ETA), used as appropriate (or in combination) for particular components or subsystems. Failure modes and effects analysis techniques are applicable to components where only single mode failures need to be considered. Systems or components with potential for multiple/sequential failures are better analyzed using FTA or ETA techniques. Twenty-one plant subsystems were analyzed:

  • by FTA—electrical distribution and power system; compressed air supply; heating, ventilation, and air conditioning (HVAC); fire dampers; fire protection system; Automatic Continuous Air Monitoring System (ACAMS); central decontamination supply system; instrumentation and control system; hydraulic power system; brine reduction area and its pollution abatement system
  • by FMEA—fuel gas supply; agent collection system (ACS); munitions handling; door monitoring; container handling building; dunnage furnace; dunnage pollution abatement system; liquid incinerator; metal parts furnace; deactivation furnace system; "wet" pollution abatement system

After the subsystem analyses were completed, two additional analyses using a combination of ETA and FTA techniques were performed to look for potential critical interactions between subsystems. The two interaction studies were focused on the following areas:

  • HVAC, fire dampers, and fire protection
  • agent and munitions handling



Table 3-1 Severity Ranking Criteria

| Severity Level | Agent Release | In-Plant Personnel | System Loss |
|---|---|---|---|
| I Catastrophic | IDLHᵃ outside engineering controls | Illness, death, or injury involving permanent total disability | >25% and/or >1 month to repair |
| II Critical | Greater than or equal to PELsᵇ/ASCsᶜ outside of engineering controls or in ventilation area | Injury involving permanent partial disability | 10% to 25%; 1 week to 1 month to repair in ventilation area |
| III Marginal | Greater than or equal to PELs inside nonagent areas | Injury involving temporary total disability | <10%; <1 week to repair |
| IV Negligible | Less than PELs inside nonagent areas | Injury involving only aid or minor supportive treatment | No system loss, downtime, or repairs completed within 1 day |

ᵃ IDLH = immediately dangerous to life and health.
ᵇ PEL = permissible exposure limit.
ᶜ ASC = allowable stack concentration.
Source: Parsons, 1993.

The SHA teams used standard procedures to identify potential failure modes and used failure rates from extensive databases established by the Department of Energy, the nuclear utilities, and the Institute of Electrical and Electronics Engineers. Components were assumed to be tested and serviced periodically and to be in an "as new" condition every 12 months. The plant operational life was assumed to be five years. Only failures during normal operation were considered; failures caused by external factors (earthquakes, severe flooding, tornados, fires, or other natural disasters) were not included in the SHA.¹

In the SHA, each failure mode for each item was documented and discussed. Basic failure-initiating events were identified from models, considering root causes such as component failure, testing-initiated causes, and maintenance-initiated causes. If the failure could lead to (a) an agent release in the plant; (b) personnel illness, death, or injury; or (c) major system downtime, it was assigned a severity rating.
Toxic vapor dispersion models (developed by the Chemical Research and Engineering Center of the U.S. Army Armament Munitions Chemical Command) were used to estimate downwind hazard zones from agent releases. Table 3-1 describes the severity ranking criteria used.

Once the severity rating was established, the frequency of occurrence was estimated and frequency levels (events per year) were estimated. Table 3-2 shows the criteria used to establish qualitative frequency categories. Finally, severity and frequency measures were combined to give a single indicator, the risk assessment code (RAC). RAC criteria are shown in table 3-3 (Parsons, 1993).

As a result of the SHA activity, four potential RAC 1 events were identified and nine potential RAC 2 events. Recommendations were made for mitigating the effects of each event. Twenty-one potential RAC 3 events were identified, and controls were recommended for each.

Table 3-2 Criteria Used to Establish Qualitative Frequency Categories

| Qualitative Frequencyᵃ | Agent Release | In-Plant Personnel Injury/Illness | System Loss |
|---|---|---|---|
| A — frequent | A ≥ 1E-01 | A ≥ 10.0 | A ≥ 1.0 |
| B — probable | 1E-01 > B ≥ 1E-02 | 10.0 > B ≥ 1.0 | 1.0 > B ≥ 1E-02 |
| C — occasional | 1E-02 > C ≥ 1E-03 | 1.0 > C ≥ 1E-02 | 1E-02 > C ≥ 1E-03 |
| D — remote | 1E-03 > D ≥ 1E-04 | 1E-02 > D ≥ 1E-04 | 1E-03 > D ≥ 1E-04 |
| E — improbable | 1E-04 > E ≥ 1E-06 | 1E-04 > E ≥ 1E-06 | 1E-04 > E ≥ 1E-06 |
| F — not credible | 1E-06 > F | 1E-06 > F | 1E-06 > F |

ᵃ Events per year shown in exponential notation (e.g., 1E-02 = 0.01 events per year).
Source: Parsons, 1993.

¹ These failure modes are included in the risk assessment described in chapter 6.

Utah Department of Environmental Quality Required Report for the Systems Hazard Analysis

The Required Report for the Systems Hazard Analysis, an Army report summarizing each of the potential RAC 1, 2, and 3 events, the SHA team recommendations, and the Army's final mitigation actions, was submitted to the Department of Environmental Quality (DEQ) of the state of Utah as part of the TOCDF Resource Conservation and Recovery Act (RCRA) permit application (U.S. Army, 1993). In a letter to the Army, dated August 11, 1994, the Utah DEQ transmitted approximately 70 comments and questions on the material submitted in the Required Report. On October 3, 1994, the Army submitted a comprehensive response to each of the issues raised by the Utah DEQ. At the time of the reply, some of the action items had not been completed. Most have been completed in the interim, but the Utah DEQ will require full compliance with the stated actions before issuing approval to start agent operations.

Facility Construction Certification

The RCRA permit for the TOCDF requires that the facility be constructed in accordance with the permit and its attachments. The state of Utah has defined 19 systems with critical components of the facility that must be certified to meet permit requirements. Four of these critical parts are tank systems. Certification of these tank systems was done according to RCRA procedures, namely, 40 CFR 264.192b–f.
Because RCRA does not include procedures for certifying nontank systems, procedures for certifying the remaining critical parts of the facility were developed by the external engineering contractor, Forsgren Associates of Salt Lake City.

Systems Requiring Construction Certification

The critical systems requiring certification included seven waste-handling systems, some of which are hazardous waste management units (HWMUs) and some of which are supporting systems (that are not HWMUs). The following HWMUs required certification: the brine reduction area (BRA); liquid incinerator #1 (LIC); liquid incinerator #2; dunnage furnace (DUN); deactivation furnace system (DFS); metal parts furnace (MPF); and container handling building (CHB). The pollution abatement system (PAS) and electrical interconnect system for the brine reduction area (HWMU 1) and all furnaces (HWMUs 2–6) are included as part of the HWMU. Each liquid incinerator includes the slag removal system.

The tank systems that required certification are part of the brine reduction area; the agent collection system; the spent decontamination system; and the agent quantification system (AQS).

The state of Utah has required that eight systems that are not HWMUs also be certified. These non-HWMU systems are: electrical alarms, interlocks, and interconnect systems for the four furnaces and the brine reduction area and their associated pollution abatement systems; the halon fire suppression system; the heating, ventilation, and air conditioning filters; the air locks; the ACAMS, the Depot Area Air Monitoring System (DAAMS), and the continuous emission monitoring system (CEMS); demilitarization machine systems; the deactivation furnace system blast enclosure; and the spare demister. Certification assumptions and procedures were the same for nontank HWMU and non-HWMU systems.

Table 3-3 Risk Assessment Code (RAC)

| Qualitative Frequency | Severity I (Catastrophic) | Severity II (Critical) | Severity III (Marginal) | Severity IV (Negligible) |
|---|---|---|---|---|
| A — Frequent | 1 | 1 | 1 | 3 |
| B — Probable | 1 | 1 | 2 | 3 |
| C — Occasional | 1 | 2 | 3 | 4 |
| D — Remote | 2 | 2 | 3 | 4 |
| E — Improbable | 3 | 3 | 3 | 4 |
| F — Not credible | 4 | 4 | 4 | 4 |

RAC 1—Hazards are unacceptable and measures must be taken to reduce the hazard to an acceptable level. If interim mitigation measures are used, approval to proceed must be granted by the top level designated in the Army's System Safety Management Plan.
RAC 2—Hazards are undesirable and measures must be taken to reduce the hazards to an acceptable level. Interim mitigation measures require approval by the second-level authority designated in the Army's System Safety Management Plan.
RAC 3—Hazards are considered acceptable with measures or controls taken to reduce the risk. Controls may be instrumentation, administrative, and procedural.
RAC 4—Hazards are considered acceptable.
Source: Parsons, 1993.

Construction Certification Assumptions

Because the permit was issued when drawings and specifications for the TOCDF were only 60 percent complete, a key portion of the certification procedure was review of the documentation through which the complete design was incorporated into the permit. The following assumptions were used for construction certification: The purpose of the construction certification was to determine if certain systems at the TOCDF had been constructed in accordance with the permit. Conformity of the design and operation of the TOCDF with permit requirements was not part of this certification. No design calculations were verified. Construction certification has been performed only for the 19 systems identified above and only for items within the defined boundaries of each system. No equipment was dismantled as part of this certification. All hidden, buried, covered, or otherwise inaccessible items were evaluated based on a review of written records.

Document Review

The first step of the certification process was identification and review of facility drawings, specifications, and construction documentation. The purpose of this review was: (1) to identify the items in each system that required physical inspection; and (2) to identify and evaluate the documentation for items that could not be physically verified. The following documents were used in information gathering for the certification: RCRA permit and attachments; redline (as-built) drawings; specifications; requests for information; engineering change proposals; turnover packages; and construction inspection reports.

The information described in the documents listed above was used to determine which items in each system required certification. After the documentation was reviewed and the HWMU or system being certified was visually inspected, a Certification Report was prepared summarizing the conclusions and identifying deficiencies. The following sections describe the certification procedures.

System Description. The first step in the certification process was to accurately define the system or HWMU being reviewed. A description was prepared establishing the boundaries of each system or HWMU, including equipment and intended use.

Documentation Review. Based on the descriptions prepared for each system, the appropriate documentation (e.g., specifications, engineering change proposals, vendors' information packages) was requested. The information was reviewed and specific areas lacking appropriate documentation were noted.

Inspection Checklists. Based on the document review, checklists were prepared of items that required visual inspection. In most cases, meeting specifications satisfied the requirements of the checklist. When installation instructions from equipment manufacturers were available, they were used as guides for the field inspections.

Field Inspection. Each system was observed in the field using redline drawings and checklists to structure the inspections. Checklists were often expanded or modified based on visual observations or field conditions.
All completed checklists, as modified for each system, are included in the Certification Report as attachments.

Certification Report. After the field inspection and review of additional documentation, a Facility Construction Certification (FCC) report was prepared for each system or HWMU that was inspected. The report summarizes the findings, identifies nonconformance with the permit requirements, describes the certification procedures, and contains a certification statement signed by a professional engineer (Forsgren Associates) registered in the state of Utah. The FCC report was then reviewed with Edgerton, Germeshausen and Grier, Inc. (EG&G, the Army's systems contractor), to identify all nonconformance and unresolved issues and to develop a "work list" for analysis. The outcome of the FCC report review was either (1) permission by the Division of Solid and Hazardous Waste (DSHW) to proceed with systemization; or (2) development by DSHW of a "punch list" of unresolved issues the TOCDF must address to satisfy FCC requirements. Once the FCC reports have been approved by DSHW, the TOCDF can proceed to operational readiness/systemization using hazardous materials.

The Facility Construction Certification process as outlined in figure 3-1 ensures that the TOCDF has demonstrated that all systems are designed and constructed to protect human health and the environment. All 19 critical systems require FCC approval prior to the initiation of agent destruction.

Inspector General Report Courtesy Chemical Surety Inspection—Tooele CDF

At the request of the office of the Program Manager for Chemical Demilitarization (PMCD), inspectors from the U.S. Army Inspector General Agency conducted a courtesy chemical surety inspection of the TOCDF during August 15–18, 1994. The team performed the inspection as if the facility were in operation, although systemization testing was still under way, many procedures were still in draft form, and some final construction was still in progress.
The results of the inspection were summarized in a report (U.S. Army, 1994a) transmitted to the Commander, U.S. Army Chemical Material Destruction Agency (now Program Manager for Chemical Demilitarization), on September 6, 1994. Fifteen pages of text described deficiencies found during the inspection. Although this may seem like a long list, it is, in fact, a short list for a facility of this size and complexity. The following topics were covered: mission operations; safety; security; surety management; accident/incident response and assistance; and external support. Many of the deficiencies involved documentation and procedural matters, incomplete training, problems in the medical clinic programs, and concerns about staffing at both the TOCDF and the Utah DEQ for facilitating approval of necessary permits.

Figure 3-1 Outline of the Facility Construction Certification Process. Source: EG&G, 1995b.

On September 29, 1994, the Army submitted a memorandum containing detailed responses to each of the items raised in the Inspector General Courtesy Chemical Surety Inspection report. This memorandum discussed time schedules and corrective actions for procedures and programs that were found deficient, and it concluded that the facility would be in compliance before the start of agent operations.

TOCDF Safety Evaluation Report

In September 1994, Mr. Stephen Jones, who had recently been terminated by EG&G Defense Materials, Inc., from his position as the TOCDF safety and security manager, put forth allegations of 119 safety-related deficiencies at the TOCDF. The Army Safety Office was directed to perform an investigation into each allegation raised by Mr. Jones. The Army Safety Office completed a Safety Evaluation Report (U.S. Army, 1994b) on these issues and the Secretary of the Army released the report to Congress. The 166-page document cites each of Mr. Jones's claims and the report of the person assigned to do the investigation. Approximately half of the claims were found to have some substance, but many of the deficiencies were typical of a plant not yet in operation. A critical reading of the report revealed some inattention on the part of TOCDF personnel to detailed procedures, as well as some problems with the maintenance of auxiliary equipment (e.g., hoist cables, forklifts). The Army Safety Office concluded that the current safety and health risks at the TOCDF are "minimal and acceptable." The Army has indicated that individual allegations that were found valid by the Army Safety Office either have been corrected or will be corrected prior to the start of agent operations.

U.S. Army Chief of Engineers Report TOCDF Report on Design-Related Safety Issues and Evaluation of Construction Conformance with Design

The Assistant Secretary of the Army for Installations, Logistics and Environment requested that the Army Chief of Engineers review the TOCDF Safety Report to determine if any of the 119 safety allegations by Mr. Jones had design implications. Further, the Chief of Engineers was asked to confirm that the plant had been constructed in accordance with the design. A nine-member team was formed to accomplish this task (U.S. Army, 1994c).

Of the 119 allegations addressed in the TOCDF safety report, only 12 were found to be "design-related." None of the 12 was found to compromise either the safety or the environmental integrity of the plant. All were essentially enhancements to improve worker safety during operations. Six of the items reviewed had already been corrected by the time the report was issued, and the remaining six had been scheduled for prompt resolution.

With respect to conformance to design, the team reviewed the ongoing Facility Construction Certification Process, required by the State of Utah for RCRA permits.
The summary conclusions of the Chief of Engineers were:

The Facility Construction Certification Process is consistent and thorough. The consultant's certification reports maintain a consistent format that is clear and concise. Outside references are kept to a minimum and the reports are very detailed. Assumptions were clearly identified in each report. In summary, these reports are effective, stand-alone documents which clearly evaluate and identify the extent to which construction complies with the RCRA permit. The team firmly believes that another consultant operating under the same procedures and methodology would essentially develop the same findings and conclusions. We believe that the repeatability of the certification results is very high.

In summary, (1) none of the allegations indicate a flawed or inadequate design; and (2) there is a comprehensive, rigorous, professional program in place that ensures that construction conforms to the permitted design.

U.S. Army "Lessons Learned" Programs

Over the past several years, the Army has implemented a Programmatic Lessons Learned (PLL) program (U.S. Army, 1995c). The objective of the program is stated as follows:

The PLL program consists of an organized and managed system which facilitates the extraction and conveyance of information (Lessons Learned) from and to the primary program focal points. PLL is a method for (1) identifying both effective and ineffective plans, policies, procedures, or actions; (2) providing recommendations and actions to strengthen the chemical demilitarization program; and (3) causing tangible changes to the overall program (changes to equipment, contracts, plans, policies, procedures, etc.).

The PLL program operates under a PLL Control Board, consisting of a chairman (Chief of Operations Division of the Office of the Program Manager for Chemical Demilitarization), board members representing U.S. Army Chemical Demilitarization and Remediation Activity (now Program Manager for Chemical Demilitarization) organizations, and support staff. The PLL Control Board reports to the Program Manager for Chemical Demilitarization but has authority for funding and the programmatic implementation of approved PLLs, up to $750,000 per directed change.

In its first two years, the PLL program concentrated on gathering information (from all sites, organizations, and program phases), and documenting, evaluating, and identifying actions to be taken. Each identified action was assigned to an organization, which then became responsible for implementation. In early 1995, the PLL program was expanded to include subject area workshops, bringing together Army and contractor management and operational personnel from active sites to solicit lessons learned from multiple experts in 19 focused subject areas. The workshops included briefings and roundtable discussions. Any changes/actions are referred to the PLL Control Board for approval and implementation, if appropriate.

The subjects of workshops conducted to date include: incinerator operations and maintenance; pollution abatement systems; the brine reduction area; the rocket handling system; the demilitarization process lines and associated training; general operating issues; plant management; laboratory operations; monitoring operations; and environmental issues. Prior to the scheduled start of agent operations, additional workshops are planned. These include: protective clothing; emergency response; medical support; depot issues; support systems; spare parts; construction; systemization; and a second workshop on incinerator operations and maintenance, pollution abatement systems, and the brine reduction area.

The PLL program provides a forum for people from different sites to share experiences so that improvements can be implemented in a consistent manner. Because there are different contractors and personnel at each site, the PLL program is a useful mechanism for identifying and managing opportunities for continual improvement throughout the program and maintaining consistency in practices from one operating or training site to another.

In addition to the PLL program, the Army has also established a Field Lessons Learned Review Team (FLLRT). The purpose of the FLLRT is to provide central documentation and review for all field-approved engineering change proposals, design-related requests for information, or documented lessons learned at demilitarization facilities currently under construction, systemization, or operation and to provide direction for the preparation of consistent engineering change proposals for other sites.
If the FLLRT disagrees with changes submitted for review, the team is required to offer comments to the initiating site Configuration Control Board and to follow up on resolving the disagreement. The permanent members of the FLLRT include the chairman (from the Chemical Stockpile Disposal Program Design Branch) and representatives from the Operations and Training Branch, the Equipment Acquisition Branch, the Safety Branch, the Quality Assurance Branch, and the Environmental and Monitoring Division. The FLLRT meets monthly, and the databases are maintained by the Army's design and systems integration contractor.

The Army is also preparing an assessment of the effectiveness of both individual and overall lessons-learned programs. These evaluations will be performed by independent assessment teams.

U.S. Army Subject Area Review Reports

The office of the Project Manager for Chemical Stockpile Disposal (PM-CSD) has established a Subject Area Review (SAR) program. In this program, particular subject areas are identified (e.g., management, documentation, unique operations) that are important to the safe and efficient operation of the TOCDF, as well as to ensuring compliance with regulatory requirements. The PM-CSD office appoints a review team of knowledgeable and experienced people within the Chemical Stockpile Disposal Program (CSDP). The team develops a review plan, spends several days at the site, and prepares detailed comments and recommendations. (The Stockpile Committee requested, received, and reviewed selected subject area review reports.)

For example, a five-person review team prepared a subject area review report called "Major Program Documentation." Safety, operations, maintenance, laboratory, and administrative procedures at the TOCDF were evaluated—some by review of documents, some by selected "walk-downs" of procedures (going through a procedure item by item to determine completeness and adequacy), and some by discussion with responsible staff.
The report contains 20 recommendations, some of which include detailed suggestions for a number of improvements in the area under review. Because the review was conducted in February 1995, some documentation was still incomplete or not fully reviewed. However, the review team noted these deficiencies and made recommendations for completing action items prior to the end of systemization. For example, they recommended comprehensive walk-downs of preventive maintenance procedures to determine if changes or improvements were needed. They also established requirements for documenting the completion and review of all major program documentation. Major revisions were recommended for some laboratory procedures and the quality control plan. Meetings were scheduled to review progress on all the recommendations, so that all major documentation would be in place and reviewed prior to the end of systemization.

Another subject area review team examined management practices during a site visit to the TOCDF in February 1995. Suggestions were made for improving the TOCDF Management Plan, for establishing specific inspection/surveillance requirements for meeting each contractual obligation, and for finalizing the award fee criteria by June 1, 1995 (the deadline has since been changed). The review team also recommended that the office of the Program Manager for Chemical Demilitarization develop consistent policy statements or guidelines to aid the facilities in their interaction with outside groups, including state agencies, other federal agencies, citizens advisory commissions, and the news media. At present, outside inquiries are being handled at the TOCDF on an individual basis by the TOCDF project manager. Suggestions were also made for improving procedures and training for shift supervisors to cover issues of oversight and communication during shift changeovers. Finally, the review team recommended the development of a "critical activities" manual to identify activities important to safety and/or environmental compliance. The Johnston Atoll Chemical Agent Disposal System (JACADS) critical activities manual will be used as a basis for developing an appropriate manual for TOCDF.

As of this writing, 13 subject area reviews have been completed: Emergency Response; Network Analysis System; Major Program Documentation; Training and Qualifications; Surety Program Quality Assurance/Quality Control; Management/Oversight; TOCDF Unique Operations; JACADS Lessons Learned; Medical; Administration; Depot Support; Chemical Stockpile Emergency Preparedness Program (CSEPP) Interface; and Physical Security.

The subject area review program has been effective so far in identifying needed improvements in TOCDF systems, procedures, and management and has established schedules and check points for implementing recommendations of the review teams.

The subject area review team generates a draft report with recommendations.
That draft report is provided to the TOCDF project manager, to the systems contractor (EG&G), and other personnel involved in the TOCDF project for review and comment. The subject area review team reviews these comments and incorporates the ones they agree with. Other comments are discussed with the proponent. If no resolution is reached, the disagreement is referred to the PM-CSD for resolution and direction. Once the comments have been incorporated, the report is submitted to the PM-CSD for approval. This approval is sometimes accompanied by additional directions based upon the PM-CSD review of the Subject Area Review report. Upon signature of the PM-CSD, the subject area review report becomes directional to the TOCDF project manager and to other elements in the office of the Program Manager for Chemical Demilitarization. This means that the Program Manager must approve any deviation from recommended actions. As part of the operational readiness evaluation and Pre-Operational Survey process, the status of subject area review actions will be reviewed to ensure their proper completion.

State of Utah Inspections

The Utah Department of Environmental Quality (DEQ) has established a number of requirements as part of the RCRA permitting process. In addition to the Required Report for the Operational Verification Tests (U.S. Army, 1993) and the Facility Configuration Certification described earlier in this section, Utah DEQ inspectors are on site at the TOCDF several times a week during the systemization period. As engineering changes are proposed by the site contractor and approved by the Army, they are followed closely by the inspectors to facilitate processing changes that might require modification of the permit. The Utah Industrial Commission, Occupational Safety and Health Division, has also conducted an on-site inspection to evaluate worker safety (in addition to three inspections by the U.S. Department of Labor).

Stockpile Committee Site Visits

The Stockpile Committee visited the Tooele Chemical Agent Disposal Facility during construction (November 1991 and March 1993) and during systemization (May 1994 and March 1995). Since February 1995, four subgroups of the Stockpile Committee have visited the site to make more detailed evaluations of particular portions of the facility and planned operations.

The first subgroup visited on February 23–24, 1995, with the objectives of examining changes in major equipment as a result of recommendations in the OVT report, Part II (NRC, 1994a). The subgroup concentrated on systems for engineering change control, safety and environmental management, and relevant documentation control (e.g., procedures, compliance documentation); and management structures for assuring safe, environmentally sound operations. A second subgroup visited the facility on March 28, 1995. This group focused on operations, maintenance, automated control systems, and management of change, spare parts, and training. A third subgroup visited on March 29, 1995, and focused on laboratory operations and monitoring. Finally, a fourth subgroup visited the TOCDF on June 15, 1995, to review safety management issues.

The changes made to the baseline system at the TOCDF in response to recommendations by the Stockpile Committee are described in chapter 2. Key observations by the subgroups that pertain to systemization performance follow.

Personnel Issues (Recruitment, Training, Turnover)

Competence at all levels is a prerequisite to safe operations in any organization. The committee was informed by the TOCDF general manager that his plan to recruit and retain highly qualified employees was based on his organization being a "premier employer" that offers good training, attractive compensation, and a good managerial environment.

The following observations concerning competence are based on interviews with first-level operators, such as control room operators, in-plant operators, maintenance technicians, and laboratory technicians. Most of these employees were recruited from the local labor pool (Tooele County and surroundings) and from other Army chemical operations (JACADS, CAMDS, and the Dugway Proving Ground, Utah). The operators interviewed by the committee gave evidence of relevant backgrounds, intelligence, and the desire to take advantage of the opportunities their jobs offered, such as studying at local colleges.

Operators are trained both at the Chemical Demilitarization Training Facility (CDTF) at Aberdeen Proving Ground, Maryland, and at the TOCDF.
When questioned, operators volunteered detailed explanations of procedures, described improvements that had been made during systemization, diagnosed potential upsets, and demonstrated knowledge of specific procedures for dealing with them. The training philosophy of emphasizing knowledge-based understanding as a basis for rule-based procedures appears to have been successfully assimilated by the operators.

Upset drills cannot be performed with the site control panel computers, which are reserved for operational control. As of this writing, it is not clear if operators will return to CDTF periodically for upset training. The Army's management approach is to do all training on site; on-the-job training at the panels is believed to be the best training, with walk-through simulation for upset drills. The committee and some individuals in the EG&G organization and PMCD headquarters believe refresher training at the CDTF using consoles and process simulators is necessary. Although most upset conditions are believed to be straightforward, the committee believes that realistic upset drills at the consoles are needed for first-rate preparedness.

Another training principle, that of training all levels of plant personnel together who work on the same shift, appears to be producing better understanding between groups. Lack of this rapport had been identified as a shortcoming by the Stockpile Committee in early visits to JACADS, where operators and maintenance personnel worked under different subcontractors.

Cross-training is beginning at the TOCDF. Control room operators are typically certified on at least two systems. In addition, they often accompany in-plant operators for a better understanding of plant operations. Cross-training programs are expected to be expanded in the future, although cross-training has not yet been implemented in some areas, such as the laboratory.
In maintenance, which is based on trade skills acquired before employment at the TOCDF, there is less scope for full cross-training between distinct specialties, between electrical technicians and welders, for example.

Training in process operations and agent operations appears to be thorough, but training in general safety practices requires improvement. Some deficiencies observed during the walk-through of demilitarization process areas include open electrical cabinets with exposed conductors with no maintenance personnel or physical barriers present, malfunctioning eye wash stations, lack of clear and enforced practices for protective clothing, conflicting signs for ear and eye protection, and tools left in walkways.

A General Observation

There appears to be a general belief at the TOCDF that safety practices are primarily for agent operations. As a result, the emphasis on safety has been focused on agent-related issues with less emphasis being given to industrial safety practices. The committee believes this is not acceptable for the following reasons: It will be impossible to change habits suddenly when agent operations start. Accidents can happen now as well as when agent operations start. Although agent has yet to be introduced, the TOCDF is no longer a construction site. At this stage of systemization, it is an operational facility. Even for a construction site, better housekeeping and safety practices are appropriate. Plant industrial safety practices still require improvement.

Shift Operations

The work pattern is based on 12-hour shifts in a standard pattern, rotating between three per week or four per week, with seven-day breaks. This work schedule was considered an advantage by most operators once they had adapted to it. There is little information in the current human factors literature about the frequency of errors at the end of long shifts, but the literature on the subject should be followed closely as more is learned. Because shifts are so long, overtime added to the end of any given shift should be avoided. Overtime was running at a low level during systemization, although one employee claimed to have averaged more than 30 hours of overtime per month during a three-month period. The overtime system appears to be well controlled overall, but such high use, even by a few people, should be closely controlled.

The shift-change system was well designed and executed. During the half-hour overlap period (which accounts for some of the overtime), there are face-to-face briefings at all levels, not just between leads and supervisors. There is also a written handoff briefing, which was conscientiously used in a sample examined by the committee. Also, at the start of each shift, there are operator and supervisor meetings as well as plant-wide coordination meetings.
Although poor shift-change procedures have led to accidents and incidents in other systems, such as aviation maintenance systems, this does not appear to be a problem at the TOCDF.

Maintenance and Spare Parts

Maintenance is divided broadly into preventive maintenance and on-demand maintenance. Preventive maintenance is assigned to a dedicated crew and is performed in accordance with a designated schedule indicating maintenance intervals, which can be daily, weekly, or monthly. Most of the maintenance is performed using written procedures and checklists. Increasingly, daily preventive maintenance is being assigned to operators as part of their standing operating procedures. This should improve the (already adequate) relationships between maintenance personnel and operators and provide operators with more detailed knowledge about the state of the equipment.

The procedure for nonroutine repairs and maintenance begins with the issuing of a Work Request, which is assigned to a particular maintenance crew. Written procedures are followed for most tasks. The exception is for trade activities when it is not feasible to pre-specify every weld. Here, more general procedures are used by the skilled tradespeople, all of whom have been trained at the Chemical Demilitarization Training Facility. A Safe Work Permit is issued for each work request from the control room, so that the control console operators are aware of all maintenance activities and the areas where maintenance work may be in progress. The Safe Work Permit is also used to check and coordinate activities, such as lockout and tag procedures and equipment status verification, between area operators and maintenance personnel.

Spare parts are handled by the warehouse through a computer inventory system that specifies minimum and maximum stock levels and reorder procedures for each of 15,000 or so parts. Levels are initially based on the manufacturer's recommendations and prior experience at JACADS.
Levels will be adjusted to reflect subsequent operating experience. Goods received at the warehouse undergo quality control checks, and none will be issued without the applicable Material Safety Data Sheet. Stock outages have not led to changes in the automatic reordering policy so far. The recurrence of expensive and time-consuming errors in other industries makes the committee uncomfortable with this reactive approach. During operations, any shortage of parts could be critical and could lead to pressures for alternative, perhaps less safe, ways of maintaining operations. There are standard methods of inventory control in other industries that ensure very high levels of stock-out protection without excessive inventory costs.

There are no formal controls at the TOCDF to account for tools left inside controlled access areas. TOCDF management indicated that other measures are sufficient to prevent this problem (e.g., workers have to pay for lost tools; operations will not sign off on work until the area is cleaned up).

General Management Issues

A safe plant requires strong, but open, leadership and an appropriate organizational structure. The site visit team was generally impressed with the quality and style of the top leadership at the TOCDF. The organizational structure is necessarily complex in a plant with multiple activities and contractors but did appear to be appropriate. The EG&G management structure was designed to mirror, to some extent, the Army leadership structure under the office of the Program Manager for Chemical Demilitarization, with parallel elements reaching to an extensive level deep within the organization. All relationships between the Army, contractors, and subcontractors appeared to be working well.

Within each shift there is a matrix organization that seems effective. There is a designated plant shift manager to whom all section managers report, whether from operations, maintenance, or laboratory (run by Battelle Corporation). No friction was observed between people within this system.

An important tool for any organization to evaluate operating procedures is to "benchmark" performance with similar organizations. Data were provided to the visiting team by Science Applications International Corporation (SAIC) on benchmarking safety procedures, but not on other aspects of operations, such as organizational design, laboratory work, or maintenance performance. SAIC presented data to the Stockpile Committee comparing the JACADS and TOCDF lost-time injury rates and recordable injury rates with the rates in comparable industries (SAIC, 1995c). Compared with the top 10 percent of chemical companies and with specific leading companies, rates of lost-time injuries were similar at JACADS and the TOCDF, but worse in terms of total recordable injuries.
Although there are special circumstances that may affect the data (e.g., construction activity at the TOCDF and size of organization), the data still indicate a need to devise better indicators of safety than lost-time accident rates. Even recordable injuries are rare enough for rates to fluctuate too much for tracking purposes. Human factors engineers have used near-accidents and self-reported error incidents as more sensitive safety indicators in relatively safe plants. A system to capture information about precursor incidents should be established at the TOCDF and the other sites to provide early warnings of potential complacency. Indeed, as each site progresses from the construction phase through systemization to regular operations, care must be taken to maintain a high level of safety performance.

Finally, the TOCDF management should be commended for using a Chemical Personnel Reliability Program (CPRP), which establishes no-penalty checks on fitness for work and helps reduce the probability of sub-optimal performance at all levels.

Programmatic Issues

Certain issues transcend the boundary of the TOCDF and extend to the Chemical Stockpile Disposal Program itself. During the development of each site, new technology and procedures will be introduced that will not be immediately retrofitted at older sites. This has already happened between JACADS and the TOCDF. The Chemical Demilitarization Training Facility should reflect such changes. Ideally, the training facility could reconfigure equipment and procedures to match the exact needs of each cohort of trainees. The committee recognizes the difficulty of maintaining disparate system setups. At present, there is some lag time between the equipment at the TOCDF and the equipment at the training facility, although all operators interviewed found the training facility to be a good simulation of what they encountered at the TOCDF.
The human factors literature on simulation fidelity needs to be reviewed to ensure that compromises in the direction of "generic" systems at the training facility have minimal impact on the transfer of knowledge and skills to actual operations.

A second aspect of systems configuration, configuration control, is also important. Permits and good engineering practice require careful consideration of the potential effects of changes in system configuration, e.g., changes in hardware, software, procedures, and training. The configuration control process now in place is designed to ensure that system safety is not compromised. However, this process should never be used to discourage innovations by operators. Operators can often see "better" ways of performing their tasks, but the lowest priority for change is often assigned to improving productivity, even though such changes may improve operator performance and reduce the possibility of human error. A two-way dialogue needs to be established and maintained to ensure that operators' suggestions are not just evaluated and dismissed but are taken as a starting point for process improvements. The TOCDF has instituted processes to move important procedural changes through the organization quickly. A number of working level people interviewed by the committee were not familiar with the process; other operators reported that changes they had suggested had been implemented. Thus, the management change process is working but needs continuous encouragement to remain effective.

The focus on agent operations as the trigger for implementing safety practices appears to be program-wide. The only way to instill a viable overall safety culture is from the top. Program management and site management must be committed to safety and must tolerate nothing less throughout the organization. More attention must be paid to nonagent safety issues to promote a total safety culture at the facility and to ensure a safety record at a level of the best comparable industry practice.

A final program-wide issue is the programmatic lessons learned initiative, described earlier in this chapter. Several people interviewed from the TOCDF and the office of the Program Manager for Chemical Demilitarization characterized this initiative as a highlight of the disposal program. The PLL should remain in place, as it will become even more important once agent operations start at the TOCDF.

Pre-Operational Survey

Since 1973, the Army has required that all new or modified chemical disposal facilities undergo an extensive Pre-Operational Survey prior to the start of toxic operations. The Pre-Operational Survey is a formal review and assessment of facility operations for compliance with applicable safety, environmental, quality assurance, and surety standards.
This review and assessment by the Army is to ensure that the TOCDF is capable of performing its functions in accordance with statutory and regulatory requirements and that an acceptable level of safety, environmental compliance, and operational performance can be achieved when agent operations start. The survey is conducted under the authority of the Program Manager for Chemical Demilitarization, and the survey team chairman acts as the Program Manager's designated representative. The team includes functional area team leaders, who assist in the technical and administrative management of the team, and individual members, who are considered experts in their fields. Table 3-4 is a listing of the team members. In May 1995, a TOCDF Operational Readiness Evaluation was performed under the direction of the PM-CSD. The purpose of this evaluation was to assess the status of the TOCDF preparations for starting agent operations, with emphasis on program documentation and facility and equipment status. The evaluation team also referred to the results of earlier subject area reviews and assessed progress in completing the action items recommended in the earlier reviews. The Pre-Operational Survey was scheduled for the fall of 1995 to review all pertinent documentation, including approval documents, directives, plans, procedures, and records; to conduct a detailed inspection of the facility; to perform an evaluation, under operating conditions, of all equipment and processes associated both directly and indirectly with the disposal of M55 GB rockets; to witness and critique selected system and subsystem tests; and to evaluate responses to a number of simulated contingency scenarios. The operational survey team will also witness and evaluate integrated plant operations under actual plant operating conditions during the processing of simulant M55 rockets. 
During the survey, all equipment, control systems, monitoring systems, and support systems and procedures will be exercised as if actual chemical munitions were being processed. All activities, starting with munitions handling and ending with treatment of demilitarization process residues, will be witnessed and evaluated by the survey team. Specifically, the areas of interest to the survey team will include:

- compliance with all statutory regulatory requirements, especially safety, environmental, occupational health, surety, and security requirements
- operational capability of process and support equipment (4-hour run with simulated rockets), facilities, procedures, and personnel; this includes storage yard, transportation, laboratory, laundry, maintenance, and supply functions
- process control, including design and function of hardware and software
- adequacy of program documents including plans, procedures checklists, and limiting conditions of operations; configuration management
- quality assurance/quality control

Table 3-4 TOCDF Pre-Operational Survey Team Members

Name | Affiliation

Chairman's Team
Robert Perry | Chief, Risk Surety Management Division, Program Manager for Chemical Demilitarization (PMCD), Chairman
Clifford Dunseth | HQDA Safety Office
Dianna Rickets | Chemical Surety Officer, PMCD, Assistant
Carol Bieniek | Risk Surety Management Division, PMCD, Team Secretary

Quality Team (Quality Assurance, Training, Documentation, and Configuration Management)
Tom Kartachak | Chief, Quality Assurance Branch, PMCD, Team Chief
Nick Stamatakis | Quality Assurance Branch, PMCD, Quality Assurance
Andrew Roach | Project Manager for Chemical Stockpile Disposal (PMCSD), Training
Morita Bruce | PMCSD, Configuration Management
Mike Pratt | Science Applications International Corporation (SAIC)

Surety Team (Surety, Security, Ammunition Surveillance, CSEPP, Emergency Response)
Jeffrey Principe | Surety Officer, Chemical and Biological Defense Command (CBDCOM), Citizens Advisory Committee (CAC), Team Chief
Rick Knutson | Security Specialist, Tooele Army Depot (TEAD), Physical Security
Linda Hodgson | Security Specialist, Pine Bluff Arsenal (PBA), Physical Security
[Not available] | Surety Representative
Barbara Parsley | CBDCOM CAC, Emergency Response
Joe Miller | Chemical Stockpile Emergency Preparedness Program (CSEPP) Office, PMCD, CSEPP

Health/Environmental Team (Air Monitoring, Laboratory, Environmental, Medical)
Dr. John Liddle | Department of Health & Human Services (DHHS), Team Chief
Michael Gooden | Environmental Monitoring Division, PMCD, Monitoring/Laboratory
Joseph Stang | Environmental Monitoring Division, PMCD, Environmental
Jay Smith | Department of Health & Human Services, Statistician
[Not available] | Representative, Tooele Army Depot Environmental
[Not available] | Representative(s), Raytheon Engineers & Constructors (RE&C), Environmental
Dr. Roger McIntosh | SAIC, Medical
[Not available] | Representative, Headquarters Department of the Army (HDQA), Surgeon General's Office, Medical

Safety/Operations Team (Equipment, Facilities, Procedures, Worker and Public Safety)
Gregory St. Pierre | Chief, Safety Branch, PMCD, Safety
C.T. Anderson | Safety Branch, PMCD, Safety
Bernard Bindel | Safety Branch, PMCD, Safety
Cheryl Maggio | PMCSD, Operations
Ralph Rogers | U.S. Army Center for Health Promotion & Preventive Medicine (USACHPPM), Industrial Hygiene
Harvey Rogers | DHHS, Safety Operations
Harold Oliver | TEAD Safety Office, Safety
Dale Druyor | PMCSD, Protective Clothing/Operations
Chuck Papish | PMCSD (JACADS), Operations
Buddy Webster | RE&C, Furnaces/Process Control
Steven Blurk | U.S. Army Technical Center for Explosives Safety (USATCES), Safety
Boyce Ross | Corps of Engineers, Huntsville Division (CEHND), Facility Design/Operators
Craig, Adams | General Physics (GP), Control Systems
Sam Blouser | PMCSD (CAMDS), Operations
Tom Cain | MITRE, Munitions Tracking

Support Team (Storage Yard, Transport, Munitions Handling, Maintenance, Supply, Laundry)
Sonny Smith | Anniston Army Depot (ANAD), Team Chief
Warren Taylor | PMCSD, Maintenance Supply
Craig, Hatfield | PMCSD, Maintenance Supply
Raymond Cornier | PMCSD (CAMDS), Munitions Handling, Laundry
Tim Baker | PMCSD, Maintenance, Supply, Storage Yard
CW4 Jose Medina | CBDCOM Operations Directorate, Munitions Handling, Transport
Doug, Maddox | CBDCOM CAC QASAS, Storage Yard, Transport, Munitions Handling, Laundry
Dave Underwood | GP, Maintenance

- agent and nonagent monitoring and detection
- handling, testing, inspection, and use of protective clothing and equipment
- safety systems, including process safety interlocks, alarms, lightning protection system, and ventilation system
- in-plant audible, visual, and written communications
- operator training and certification
- integration of chemical demilitarization activities, including support activities and emergency response activities
- overall control of people and material
- calibration and testing program
- recordkeeping and document control
- environmental compliance and solid waste management
- agent and munitions accountability

During the survey, findings are classified into three categories: I, II, and III. All Category I findings (essential to the safety of personnel or the operational readiness of the system) are required to be resolved prior to the start of agent operations. The Pre-Operational Survey team is required to verify in writing the closure of each Category I finding. Category II findings (items not considered as critical to the safety of personnel or the operational readiness of the system) require scheduled resolution. Category III findings (noted by a survey team and usually can be corrected on the spot) are suggested improvements. Once the Category I findings are closed out satisfactorily, the site can request permission from the Office of the Program Manager for Chemical Demilitarization to start agent operations.

The authority to start agent operations at the TOCDF is vested with the Program Manager for Chemical Demilitarization. This process begins with notification from the TOCDF project manager that the project team believes the facility and the work force are prepared to start agent operations. The Program Manager evaluates this recommendation along with the status of all Pre-Operational Survey findings. In addition, the status of all regulatory-related actions is reviewed to ensure that all regulatory requirements have been satisfied.
Given the visibility of the demilitarization effort, the Army chain of command above the office of the Program Manager for Chemical Demilitarization will be fully notified of actions leading to a decision to start agent operations at the TOCDF.

Disposal Program Staffing

The PMCD staff has grown in order to perform the coordination and oversight functions required during the systemization of the TOCDF. This staff is able to manage effective oversight and interaction with the prime contractor at the TOCDF in areas relating to safety management, environmental management and compliance, design and construction certification, management of change and documentation, the "lessons learned" programs, the subject area reviews, and coordination with external agencies involved in health, safety, and environmental compliance, community relations, and emergency planning. Where necessary, detailed work has been delegated to experienced contractors.

The Recommendations report stated concerns about disposal program staffing as follows:

The Army should establish a program to incrementally hire (or assign military) personnel to ensure that staff growth is consistent with the workload and with technical and operational challenges. These additional personnel must be assigned and trained before the project office gets deeply involved in addressing each challenge. (REC-21)

The committee finds that the present PMCD staff is working very hard and appears to be doing a sound job managing the elements of the program that are important to a high level of safety and environmentally sound performance. The committee noted earlier that improvements in nonagent safety could be made. This is an issue of emphasis rather than staffing. The Army is providing the necessary staffing at present to manage the TOCDF adequately during systemization and into the start of agent operations.
However, the committee is concerned that the quality of leadership may be affected because several new and "acting" positions have not been permanently filled.

Contractor teams also exhibit good professional capabilities and interact well in support of the office of the PMCD. However, in early May, the EG&G general manager at the TOCDF unexpectedly announced his retirement. The Army and EG&G management are committed to ensuring that a change in this top management position does not compromise safety and environmental standards, or the safety culture established under the leadership of the former general manager. To ensure continued progress toward the start of agent operations at the TOCDF, a new general manager was appointed at the end of June. He worked closely with the former general manager during the months of July and August, and the latter remains available on a consulting basis to assist in the transition from systemization through the start of agent operations. As the Chemical Stockpile Disposal Program continues to expand in the future, the committee's concerns about staffing will remain relevant.