QUALITATIVE RISK ASSESSMENT OF SANDIA'S ROCKET PREPARATION AND LAUNCH FACILITY AT BARKING SANDS, KAUAI

Jeffrey A. Mahn Sandia National Laboratories

P.O. Box 5800 Albuquerque, NM 87185

j [email protected] 505/844-9995

Introduction

This paper demonstrates the application of a qualitative methodology for performing risk assessments using the consequence and probability binning criteria of DOE Order 5481.1B (Ref. 1). The principles of this methodology, which were presented at the 1995 Safety Analysis Workshop, can be found in Reference 2.

The particular application that is the subject of this paper is a facility risk assessment conducted for Sandia National Laboratories' Kauai Test Facility (KTF). The KTF is a rocket preparation and launch facility operated by Sandia National Laboratories for the Department of Energy and is located on the U.S. Navy's Pacific Missile Range Facility (PMRF) at Barking Sands on the western side of the island of Kauai, Hawaii. The KTF consists of an administrative compound and main launch facility located on the north end of the PMRF, as well as the small Kokole Point launch facility located on the south end of the PMRF. It is classified as a moderate hazard facility in accordance with DOE Order 5481.1B. As such, its authorization basis for operations necessitates a safety/risk assessment.

This paper briefly addresses the hazards associated with KTF operations and the accidents selected for evaluation, introduces the principal elements of the accident assessment methodology, presents analysis details for two of the selected accidents, and provides a summary of results for all of the accidents evaluated.

Hazard Identification

In addition to the standard industrial types of hazards such as high voltage electrical devices, cranes and hoists, and hydraulic systems, KTF hazards include the following:

- explosives and other energetic materials associated with experimental payloads, rocket motors, igniters, initiators, pressure cartridges, and actuators,
- liquid hypergolic propellants (a class of chemicals consisting of a fuel and oxidizer that react spontaneously upon contact), and
- RF fields from radar tracking and command transmitter antennae.

This work was supported by the United States Department of Energy under Contract DE-AC04-94AL85000.

The KTF has no radioactive material and, therefore, no ionizing radiation hazard. The solid rocket motors and the liquid propellants constitute the only high energy sources onsite besides standard industrial compressed gas cylinders. Hazardous materials that could present environmental hazards at the KTF include the liquid propellants, gasoline, diesel fuel, hydraulic fluid, and cleaning fluids. However, the latter two fluids are not present in large enough quantities to pose a significant environmental hazard.

Standard industrial accidents involving such hazards as cranes and hoists, forklifts, etc., for which accident prevention/mitigation is covered by existing OSHA regulations, were not addressed in the KTF accident analysis.

Accident Selection

A deterministic approach was used to define the groups of accidents to be considered at the KTF. These generic accident groups, shown in Table 1, encompass internal (or operational) events, natural phenomena events, and external events.

Table 1. Generic Events for Accident Analysis Consideration

Internal Events
- Fire
- Hazardous material spill/exposure/release
- High energy release (e.g., explosions)
- Non-ionizing radiation exposure
- Other

Natural Phenomena Events
- Earthquake
- Tornado/hurricane/high wind
- Flood
- Other

External Events
- Aircraft crash
- Nearby facility events
- Other

The facility-specific operational events that were selected for analysis include the following:

- Electrical fire in the Launch Operations Building (LOB)
- Solid rocket motor ignition in the Missile Assembly Building (MAB)
- Inadvertent rocket/missile ignition on launch pad during “safing”
- Loss of electrical power (including uninterruptible power)
- Solid rocket motor explosion during handling


- Hazardous material spill
- Electromagnetic radiation exposure (radar)

In addition, the analysis included the evaluation of natural phenomena event (earthquake, hurricane, tsunami, and lightning) scenarios, as well as an aircraft crash scenario. The accident scenarios selected for evaluation are considered to be the bounding accidents that define the safety envelope for the KTF.

Accident Analysis Methodology

The methodology used to perform this accident assessment is documented in SAND95-0320 (Ref. 2). In accordance with this methodology, the likelihood of occurrence of each accident scenario was categorized as shown in Table 2. The accident scenario consequences were categorized as shown in Table 3. Accident sequences were evaluated in terms of the event tree elements shown in Figure 1. Finally, risk acceptability was assessed in accordance with Figure 2. SAND95-0320 should be consulted for methodology details.

Missile Assembly Building (MAB) Rocket Motor Fire

The MAB is a 36 x 38 x 8 ft. frame structure with aluminum roof and siding. The building is used to assemble and test payloads and small rocket assemblies. The building has no special equipment or utilities. It does not have a fire protection system.

Description of Accident: A solid rocket motor which is not adequately grounded ignites due to a static electrical discharge. The subsequent deflagration in the MAB results in the death of two workers. Inadequate electrical grounding can result from either a failure of the electrical grounding system, or a failure to maintain proper grounding connections on the rocket motor.

Initiating Event (IE): A necessary condition for this accident to occur is inadequate grounding of a solid rocket motor which would allow a static electricity discharge to ignite the motor propellant. The occurrence of static electric charge buildups at KTF is very low because of the relatively high humidity. One measure of the occurrence of static charge buildups can be obtained from the potential gradient measurement system. Review of potential gradient measurement system data reveals measurable atmospheric increases occurred three times in one year at the KTF. Although atmospheric conditions are not the only potential cause of static electricity discharges in the MAB, a value of 3 occurrences per year will be used for risk evaluation purposes since no other relevant data is available. This is judged to be a conservatively high frequency. Since solid rocket motors would be located in the MAB for only two months of the year, the likelihood of this event can be further reduced by a factor of 2/12. Therefore, the initiating event frequency is

IE = (3 per year) x (2/12) = 0.5 per year

Table 2. Qualitative Accident Probabilities from DOE/AL 5481.1B

| Descriptive Word | Symbol | Nominal Range of Frequency per Year |
|---|---|---|
| Likely | A | $P_e > 10^{-2}$ |
| Unlikely | B | $P_e = 10^{-2}$ to $10^{-4}$ |
| Extremely Unlikely | C | $P_e = 10^{-4}$ to $10^{-6}$ |
| Incredible | D | $P_e < 10^{-6}$ |

Table 3. Consequence Categories and Levels of Severity (DOE/AL 5481.1B)

Rank I, Catastrophic
- Human impact: More than one death. Significant off-site injury.
- Environmental impact: >$10,000,000 clean-up cost. Ground water or surface water in immediate danger of contamination.
- Programmatic impact: Loss >$10,000,000. Programmatic delay greater than 1 year.

Rank II, Critical
- Human impact: One death. Permanent disability, severed limb. Permanent paralysis or hospitalization. Minor injuries off-site.
- Environmental impact: $1,000,000 to $10,000,000 clean-up cost. Significant soil contamination. Likely long-term migration of contamination off-site or to water source. However, does not pose any short-term threat to off-site or endangered animals and fauna.
- Programmatic impact: Loss $1,000,000 to $10,000,000. Programmatic delay between 3 months and 1 year.

Rank III, Marginal
- Human impact: Mendable injury that may require surgery, hospitalization, and/or outpatient treatment. Moderate or less rehabilitation. Injury resulting in 2 or more worker days lost. No injuries off-site.
- Environmental impact: $50,000 to $1,000,000 clean-up cost. Minor soil contamination with nearly no potential for contaminant migration.
- Programmatic impact: Loss $50,000 to $1,000,000. Programmatic delay between 1 week and 3 months.

Rank IV, Negligible
- Human impact: None to minor injuries requiring none or only little immediate medical attention. Less than 2 lost worker days.
- Environmental impact: <$50,000 clean-up cost. Small spills or spills that do not immediately enter into the soil. Contamination that is quickly and readily cleaned up with on-site or locally available technology.
- Programmatic impact: Loss <$50,000. Programmatic delay less than one week.

[Figure 1. Generic Event Tree for Accident Sequence Development. Column headings: Initiating Event (IE); Systems Response as Planned (SY); Operator Response as Planned (OR); Structural Response as Planned (SR); Initial Likelihood/Consequence Bin.]

[Figure 2. Risk Acceptability Matrix. Rows: likelihood categories A, B, C, D. Columns: consequence categories IV through I, in order of increasing severity of consequences. Cell labels: "Acceptable"; "Acceptable - risk management actions prudent"; "Risk management actions may be needed to limit potential consequences"; "Beyond design basis events - Acceptable". Legend: "Actions required to manage risk"; "Actions to manage risk are prudent"; "Actions may be needed to limit consequences".]

System Response (SY): An electrical grounding system is maintained in the MAB to which rocket motors are grounded with redundant connections. The grounding system consists of 8 separate (redundant) reference points, or grounds. From Table 7 of Reference 2 the lowest failure rate for a redundant channel system is selected ($5 \times 10^{-4}$ per demand), based on the degree of redundancy.

The electrical grounding system reference points are tested prior to the start of any activities associated with a rocket or missile launch at the KTF. Thus, an adjustment factor of 0.1 is applied to this value for the existence of a procedurally based program for maintaining KTF electrical grounding systems. Therefore, the likelihood of a grounding system failure is $5 \times 10^{-5}$ per demand.

Electrical grounding connections to a rocket motor can also become accidentally detached. However, each rocket motor has at least two ground connections, which are checked periodically by workers. The failure to detect and correct an inadequate grounding condition is classified as a “pre-initiator” action (Table 8 of Reference 2). A probability of $3 \times 10^{-4}$ per demand is selected based on the use of established procedures that require the connection of redundant ground straps as a prerequisite for initiating work. An adjustment factor of 0.1 is applied to this value for the effect of worker sensitivity to rocket motor propellant safety issues as a result of appropriate training. Thus, the likelihood of not detecting and correcting inadequate grounding connections for a rocket motor is $3 \times 10^{-5}$ per demand.

The overall probability of an inadequate electrical grounding condition is then the sum of the grounding system failure rate and the failure to detect and correct faulty conditions.

$$\mathrm{SY} = 5 \times 10^{-5}\ \text{per demand} + 3 \times 10^{-5}\ \text{per demand} = 8 \times 10^{-5}\ \text{per demand}$$

Operator Response (OR): No personnel actions, other than those above, function to mitigate either the consequences or the likelihood of occurrence of this accident scenario.

Structural Response (SR): No structures function to mitigate either the consequences or likelihood of occurrence of this accident scenario.

Consequence Bin Assignment: Two worker deaths result in a category I consequence. The programmatic consequence associated with this scenario is the loss of the MAB. This is a category III consequence.

Likelihood of Occurrence Bin Assignment: The likelihood of occurrence for this accident scenario is calculated as

$$P = \mathrm{IE} \times \mathrm{SY} \times \mathrm{OR} \times \mathrm{SR} = (0.5\ \text{per year}) \times (8 \times 10^{-5}\ \text{per demand}) \times 1 \times 1 = 4 \times 10^{-5}\ \text{yr}^{-1}$$

This is a category C likelihood of occurrence.

Hazardous Material Leak to the Soil

Significant inventories of environmentally hazardous materials at KTF include the hypergolic fuels, gasoline, and diesel fuel. The hypergolic fuels (55 gallons each) are stored onsite in stainless steel containers inside of overpack containers as a precaution against uncontrolled spillage. These containers are each placed in an above-ground concrete lined pit designed to prevent any leakage into the soil. Gasoline is contained in a 2,500 gallon double-walled, underground tank with a leak detection system. Diesel fuel is contained in a 10,000 gallon above-ground tank located inside of a concrete basin that is large enough to contain the entire contents of the tank and then some.

Description of Accident: The containment structures for one of the environmentally hazardous materials fail resulting in an uncontrolled release of the material to the soil. Such a release would also require either a leak detection system failure or inadequate surveillance monitoring.

Initiating Event (IE): The initiating event for this accident scenario is a leak in the primary container of a hazardous material. The likelihood of occurrence for this event is taken from Table 5 of Reference 2 as 0.001 per year.

System Response (SY): The double-walled gasoline tank is equipped with a redundant leak detection system. Failure of this system to detect a leak through the inner tank wall is 0.005 per demand (Table 7, Reference 2). Therefore,

$$\mathrm{SY}_{gas} = 0.005\ \text{per demand}$$

Operator Response (OR): The diesel fuel storage tank is above ground. Weekly visual “inspections” of the area would be expected to identify any tank leakage. Failure to detect and correct such a leak is classified as a “pre-initiator” action in accordance with Table 8 of Reference 2 with a nominal likelihood of 0.001 per demand. Therefore,

$$\mathrm{OR}_{diesel} = 0.001\ \text{per demand}$$

Failure to conduct weekly monitoring of the hypergolic fuel tanks is classified as a “pre-initiator” event, with a nominal likelihood of 0.001 per demand. Furthermore, failure to detect (and correct) a leak during the weekly inspection is also classified as a “pre-initiator” event. Thus, the failure to inspect for, detect, and correct such a leak is 0.002 per demand. Therefore,

$$\mathrm{OR}_{HF} = 0.002\ \text{per demand}$$

Structural Response (SR): In the case of the gasoline and diesel fuel, a release to the environment requires the failure of a second containment barrier. Failure of this second barrier has a likelihood of occurrence of 0.05 per demand (Table 9, Reference 2). For the hypergolic fuels, a release requires the failure of two more containment barriers. The failure probability for a redundant structure (0.001 per demand) is taken from Table 9 of Reference 2. Therefore,

$$\mathrm{SR}_{gas} = \mathrm{SR}_{diesel} = 0.05\ \text{per demand, and}$$

$$\mathrm{SR}_{HF} = 0.001\ \text{per demand}$$

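Consequence Bin Assignment: Because of the potential cleanup cost associated with releases of these materials to the environment, a category III environmental consequence is appropriate. Since leakage of these materials to the soil will not impact the offsite public, a category IV offsite consequence is appropriate.

Likelihood of Occurrence Bin Assignment: The release probabilities for each of these materials are calculated as follows:

Gasoline:

$$P = \mathrm{IE} \times \mathrm{SY}_{gas} \times \mathrm{OR} \times \mathrm{SR}_{gas} = (10^{-3}\ \text{per year}) \times (5 \times 10^{-3}\ \text{per demand}) \times 1 \times (5 \times 10^{-2}\ \text{per demand}) = 2.5 \times 10^{-7}\ \text{yr}^{-1}$$

Diesel Fuel:

$$P = \mathrm{IE} \times \mathrm{SY} \times \mathrm{OR}_{diesel} \times \mathrm{SR}_{diesel} = (10^{-3}\ \text{per year}) \times 1 \times (10^{-3}\ \text{per demand}) \times (5 \times 10^{-2}\ \text{per demand}) = 5 \times 10^{-8}\ \text{yr}^{-1}$$

Hypergolic Fuel:

$$P = \mathrm{IE} \times \mathrm{SY} \times \mathrm{OR}_{HF} \times \mathrm{SR}_{HF} = (10^{-3}\ \text{per year}) \times 1 \times (2 \times 10^{-3}\ \text{per demand}) \times (10^{-3}\ \text{per demand}) = 2 \times 10^{-9}\ \text{yr}^{-1}$$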

All three hazardous material leaks have a category D likelihood of occurrence.
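The two worked scenarios, the MAB rocket motor fire and the hazardous material leaks, follow the same event-tree product and Table 2 binning, so they can be recomputed in one place. The following is an added example, not code from the paper or from SAND95-0320; the names `likelihood_bin`, `credited`, `either` and `Scenario` are hypothetical, and the handling of a frequency that falls exactly on a bin boundary is an assumption.

```python
from dataclasses import dataclass


def likelihood_bin(freq_per_year: float) -> str:
    """Map a frequency (per year) to a Table 2 symbol.

    Assumption: a value exactly on the A/B or B/C boundary goes to the
    lower-frequency bin; D is strictly below 1e-6, as Table 2 states.
    """
    if freq_per_year > 1e-2:
        return "A"   # Likely
    if freq_per_year > 1e-4:
        return "B"   # Unlikely
    if freq_per_year >= 1e-6:
        return "C"   # Extremely Unlikely
    return "D"       # Incredible


def credited(base: float, *adjustments: float) -> float:
    """Failure probability per demand after applying adjustment factors."""
    p = base
    for factor in adjustments:
        p *= factor
    if not 0.0 < p <= 1.0:
        raise ValueError(f"not a probability: {p}")
    return p


def either(*modes: float) -> float:
    """Combine alternative failure modes by summing them, as the paper does.

    The sum is the rare-event approximation of the probability that at
    least one mode occurs; it is only valid while the total stays small.
    """
    total = sum(modes)
    if total > 1.0:
        raise ValueError("summed failure modes exceed 1")
    return total


@dataclass
class Scenario:
    name: str
    ie: float          # initiating event frequency, per year
    sy: float = 1.0    # system response failure, per demand (1 = no credit)
    op: float = 1.0    # operator response failure ("OR" in the paper)
    sr: float = 1.0    # structural response failure, per demand
    rank: str = "IV"   # consequence rank from Table 3

    def frequency(self) -> float:
        # P = IE x SY x OR x SR
        return self.ie * self.sy * self.op * self.sr

    def risk(self) -> str:
        return f"{self.rank}-{likelihood_bin(self.frequency())}"


def ktf_scenarios() -> list:
    # Grounding system failure plus undetected detached ground straps,
    # each credited with the 0.1 adjustment factor described in the text.
    mab_sy = either(credited(5e-4, 0.1), credited(3e-4, 0.1))
    return [
        Scenario("MAB rocket motor fire (workers)", ie=3 * 2 / 12, sy=mab_sy, rank="I"),
        Scenario("Gasoline leak to soil", ie=1e-3, sy=5e-3, sr=5e-2, rank="III"),
        Scenario("Diesel fuel leak to soil", ie=1e-3, op=1e-3, sr=5e-2, rank="III"),
        Scenario("Hypergolic fuel leak to soil", ie=1e-3, op=2e-3, sr=1e-3, rank="III"),
    ]


if __name__ == "__main__":
    for s in ktf_scenarios():
        print(f"{s.name:34s} {s.frequency():.1e} per year  {s.risk()}")
```

Setting a response factor back to 1 removes the credit taken for that barrier, which shows how far each control moves a scenario across the bin boundaries.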

Accident Analysis Results

The results of the KTF accident analysis are summarized in Tables 4 through 7.

Risk Acceptability

Using Figure 2 to determine acceptability of the assessed risks, the programmatic risk associated with the tsunami event is the only KTF risk that is located in the unacceptable region of the likelihood-consequence grid, although actions to further control this risk are outside the scope of KTF management capabilities. The accident analysis results demonstrate that KTF hazards do not have the potential to significantly affect the onsite or offsite environment or the public. However, because activities include the use of explosives and propellants, there is the potential for catastrophic consequences to workers. Three of the five operational accidents evaluated involve either ignition of a solid rocket motor during rocket motor assembly operations or ignition of a liquid propellant fueled missile while carrying out safing procedures following an aborted launch. In general, the assessment results demonstrate that existing risk management measures employed at the KTF anticipate the possibility of the operational accidents evaluated. Event experience with rocket operations at the KTF and other sites provides the basis for many of the risk management actions that have been incorporated in facility procedures and practices.

Table 4. KTF Accident Analysis Risk Summary Results for Facility Workers.

| Event | Frequency Category | Consequence Category | Risk |
|---|---|---|---|
| Internal | | | |
| Launch Operations Building Fire | Extremely Unlikely (C) | Negligible (IV) | IV-C |
| Missile Assembly Building Fire | Extremely Unlikely (C) | Catastrophic (I) | I-C |
| Ignition During Missile Disarming | Extremely Unlikely (C) | Catastrophic (I) | I-C |
| Loss of All Electrical Power | Incredible (D) | Negligible (IV) | IV-D |
| Solid Rocket Motor Explosion | Extremely Unlikely (C) | Catastrophic (I) | I-C |
| Natural Phenomena | | | |
| Earthquake | Incredible (D) | Catastrophic (I) | I-D |
| Lightning | Incredible (D) | Negligible (IV) | IV-D |
| Hurricane | Unlikely (B) | Negligible (IV) | IV-B |
| Tsunami | Likely (A) | Negligible (IV) | IV-A |
| External | | | |
| Aircraft Crash | Extremely Unlikely (C) | Catastrophic (I) | I-C |


Table 5. KTF Accident Analysis Programmatic Risk Summary

| Event | Frequency Category | Consequence Category | Risk |
|---|---|---|---|
| Internal | | | |
| Launch Operations Building Fire | Extremely Unlikely (C) | Marginal (III) | III-C |
| Missile Assembly Building Fire | Extremely Unlikely (C) | Marginal (III) | III-C |
| Ignition During Missile Disarming | Extremely Unlikely (C) | Critical (II) | II-C |
| Loss of All Electrical Power | Incredible (D) | Negligible (IV) | IV-D |
| Solid Rocket Motor Explosion | Extremely Unlikely (C) | Marginal (III) | III-C |
| Natural Phenomena | | | |
| Earthquake | Incredible (D) | Marginal (III) | III-D |
| Lightning | Incredible (D) | Critical (II) | II-D |
| Hurricane | Unlikely (B) | Marginal (III) | III-B |
| Tsunami | Likely (A) | Critical (II) | II-A |
| External | | | |
| Aircraft Crash | Extremely Unlikely (C) | Critical (II) | II-C |

Table 6. KTF Accident Analysis Risk Summary Results for Onsite Environment.

| Event | Frequency Category | Consequence Category | Risk |
|---|---|---|---|
| UDMH Leak from Storage - SLOW | Extremely Unlikely (C) | Marginal (III) | III-C |
| UDMH Leak from Storage - FAST | Incredible (D) | Critical (II) | II-D |
| Hazardous Material Leak | Incredible (D) | Marginal (III) | III-D |


Table 7. KTF Accident Analysis Risk Summary Results for Offsite Public

| Event | Frequency Category | Consequence Category | Risk |
|---|---|---|---|
| Hazardous Material Leak | Incredible (D) | Negligible (IV) | IV-D |
| Radar Exposure | Likely (A) | Negligible (IV) | IV-A |
| UDMH Release During Fueling | Incredible (D) | Critical (II) | II-D |

Conclusion

As illustrated in the accident scenarios evaluated above, the methodology of Reference 2 involves consideration of individual structure, system, and human performance failure probabilities in determining the overall likelihood of occurrence for an accident sequence. This leads to a more readily defendable probability assessment when using binning criteria such as those shown in Table 2. This particular methodology is also well suited for other applications, including the evaluation of individual risk control measure effectiveness and the identification of nuclear facility safety-class and safety-significant structures, systems, and components (SSCs) in accordance with DOE-STD-3009-94 (Ref. 3).

References

1. DOE Order 5481.1B, Safety Analysis and Review System, May 19, 1987.

2. Mahn, J.A., G.W. Hannaman, and P.M. Kryska, Qualitative Methods for Assessing Risks, Document #SAND95-0320, Sandia National Laboratories, May 1995.

3. DOE-STD-3009-94, Preparation Guide for U.S. Department of Energy Nonreactor Nuclear Facility Safety Analysis Reports, July 1994.
