Configuration Management, Vital Safety Systems

AGENCY:

Defense Nuclear Facilities Safety Board.

ACTION:

Notice, recommendation.

SUMMARY:

The Defense Nuclear Facilities Safety Board has made a recommendation to the Secretary of Energy pursuant to 42 U.S.C. 2286a(a)(5) concerning configuration management, vital safety systems.

DATES:

Comments, data, views, or arguments concerning this recommendation are due on or before April 17, 2000.

ADDRESSES:

Send comments, data, views, or arguments concerning this recommendation to: Defense Nuclear Facilities Safety Board, 625 Indiana Avenue, NW, Suite 700, Washington, DC 20004-2901.

FOR FURTHER INFORMATION CONTACT:

Kenneth M. Pusateri or Andrew L. Thibadeau at the address above or telephone (202) 694-7000.

Recommendation 2000-2

The Defense Nuclear Facilities Safety Board (Board) continues a strong interest in safety systems and their effectiveness at defense nuclear facilities. These systems are at the heart of safety at the facilities. Department of Energy (DOE) Standards 3009 and 3016 provide guidance for the identification of safety systems and associated Technical Specifications as important elements of maintaining safety of facilities and operations. In addition, the implementation guide to DOE Order 420.1, Facility Safety, provides guidance on design and procurement of safety systems to attain and sustain reliability in performance.

Most of the facilities of interest to the Board were constructed many years ago, and are undergoing the deterioration attached to aging. It is important that their protective features be maintained serviceable and effective. In the following, the Board recommends measures necessary to ensure reliable performance of the safety systems of both the older facilities and the ones that are relatively new, and in particular stresses the actions required to ensure viability of confinement ventilation systems. Confinement ventilation systems are relied on almost everywhere by DOE as the principal system to protect the public and collocated workers at its more hazardous facilities.

Previous Issuances by the Board on Safety Systems

In May 1995, the Board issued DNFSB/TECH-5, Fundamentals for Understanding Standards-Based Safety Management of Department of Energy Defense Nuclear Facilities, which stressed the importance, among other things, of functions that preserve those structures, systems, and components that are relied upon to protect the public, workers, and the environment (e.g., configuration management, training, and maintenance). In October 1995, the Board issued DNFSB/TECH-6, Safety Management and Conduct of Operations at the Department of Energy's Defense Nuclear Facilities. The report underscored the importance of conduct of operations as the body of practice, or operational formality, that implements the Safety Management System for a defense nuclear facility. Operational formality includes “Supervision by highly competent personnel who are knowledgeable as to the results of the safety analysis and operating limits for the facility or activity.” Key aspects of facility Safety Management Systems discussed in these two reports are central to the issues addressed herein.

In 1996, in response to Recommendation 95-2, Safety Management, DOE provided the Board a plan for upgrading safety management of its defense nuclear facilities. DOE Orders 5480.22, Technical Safety Requirements, and 5480.23, Nuclear Safety Analysis Reports, established requirements for identifying design features important to safety and the conditions/controls to ensure safe operation. DOE authorized its contractors to grade facilities by hazard category and to tailor the comprehensive safety assessments according to hazard potential and operational future. This upgrade effort has reaffirmed the important safety role played by confinement ventilation systems. (See enclosed Appendix B of DNFSB/TECH-26). In general, these systems have been designated as important to safety, making them subject to more stringent quality assurance, maintenance, surveillance, and configuration management programs in recognition of their safety functions. Commitments to such programs are typically made in the Authorization Agreements that capture the contractor-DOE agreed upon conditions for performing the work.

Issuances Concerning Confinement Ventilation Systems

Some of the Board's analyses concerning safety systems focused on confinement ventilation systems in particular. In March 1995, the Board issued DNFSB/TECH-3, Overview of Ventilation Systems at Selected DOE Plutonium Processing and Handling Facilities, which addressed the design of confinement ventilation systems. In its June 15, 1995, letter forwarding that report, and in subsequent correspondence in July 1995, the Board requested that DOE evaluate the design, construction, operation, and maintenance of ventilation safety systems in terms of applicable DOE and industry standards.

In a letter dated October 30, 1997, the Board pointed out the problem of wetting high efficiency particulate air (HEPA) filters during tests of fire sprinkler systems, and the need for complex-wide guidance from DOE concerning the relationship between maintaining filter integrity and fire fighting strategies. HEPA filters are key components of confinement ventilation systems. In its June 8, 1999, letter concerning HEPA filters installed in confinement ventilation systems, the Board requested a report outlining the steps DOE plans to take to resolve those issues. In recent weeks, individual Board members and the Board's staff have met informally with DOE representatives to resolve differences concerning DOE's proposed response to the Board's request.

Current Status of Ventilation Systems

As a part of its continuing oversight of these vital safety systems, the Board's staff has recently completed a review of the operational data on confinement ventilation systems as reported in DOE's Operational Reporting and Processing System (ORPS). The data reviewed covered the period July 1998 to December 1999. An analysis of these data is documented in report DNFSB/TECH-26. This review indicates that the reliability of these systems, for reasons not readily evident, may not be adequate, given the vital safety function they serve.

The operational data reveal deficiencies in areas of test and surveillance, quality assurance (replacement components), maintenance, configuration management, training and qualification, and conduct of operations. One can reasonably deduce from such observations that there exists no single entity assigned responsibility for the configuration and operational state of these systems as a whole.

The Board recognizes that many confinement ventilation systems now require less air flow and permit more particulate loading than in original designs. This allows for more extended useful life than might otherwise be tolerable, particularly with adequate preventive care. However, the operational data suggest that less than optimum care is being given to these systems, considering their age.

Status of Safety Systems in General

Many of DOE's nuclear facilities were constructed years ago and are approaching end-of-life status. Under these circumstances, some degradation of reliability and operability of systems designed to ensure safety can reasonably be expected. To some extent, the effects of aging can be offset by increased surveillance and maintenance. A point occurs, however, where costs for upkeep justify major upgrades or replacement, particularly where mission needs are projected well into the future. While a considerable number of high-hazard defense nuclear facilities have such long-term missions (greater than 10 years, for example), others undergoing phase-outs and decommissioning do not. Some facilities must continue to rely on operational safety systems, such as ventilation systems, to serve a safety function even after their operational mission has ended and well into the decommissioning process. Long-term or short-term, however, the performance required for safety must be ensured.

It has been a long-standing practice in the nuclear business to designate a “system engineer” for each major system vital to successful operation of hazardous processes. Some DOE contractors have done so on occasions (e.g., the Defense Waste Processing Facility at the Savannah River Site), but this practice is not as prevalent as it should be. The Board believes that having specific individuals outside the operational forum, tasked with the configuration management (design and operational constraints) of systems designated as important to safety, would go a long way to ensuring the dependable service such systems must provide.

Recommendation

Considerable upgrading of programs for ensuring reliable and effective performance of confinement ventilation systems has occurred during the years 1995-1999. However, the frequency and variety of off-normal occurrences that continue to be reported clearly indicate that more attention to these vital systems is needed. Likewise, other systems serving equally vital safety functions might well benefit from similar attention. Towards such an end, the Board recommends that the Department of Energy:

1. Establish a team, expert in confinement ventilation systems, to survey the operational records during the past 3 years and the current operational condition of all confinement ventilation systems now designated or that should be designated as important to safety in defense nuclear facilities (i.e., safety class, safety significant, defense-in-depth). In so doing:

a. Assess the root cause or causes for less than satisfactory operational history of these systems and recommend an action plan to address the causes. In so doing evaluate such programs as may exist to ensure reliable system performance. These should include surveillance, maintenance (including quality assured inventory of replacement parts), configuration management (system descriptions, drawings and specifications), and requisite training and qualification of operators.

b. Estimate the remaining system lifetime with and without refurbishing as a function of reliability; (e.g., 1 year—95%, 10 years—50%) and recommend such upgrades or compensating measures as may be appropriate to ensure reliability, current or future, commensurate with the safety functions being served.

2. Include key elements of the plan for addressing the HEPA filters issues identified in the Board's June 8, 1999, letter in any plan developed in response to this recommendation.

3. Amend appropriate directives and associated contract requirements documents (e.g., DOE Order 430.1A, Life Cycle Asset Management, DOE Order 420.1, Facility Safety), to require for the confinement ventilation system and every other major system designated as important to safety:

a. The development and maintenance of documentation that captures key design features, specifications, and operational constraints to facilitate configuration management throughout the life cycle.

b. The designation of a “system engineer” during each facility life cycle—design, construction, operation and decommissioning with:

(1) The requisite knowledge of the system safety design basis and operating limits from the safety analysis; and

(2) The lead responsibility for the configuration management of the design.

c. The education and training of successor “system engineers” as may be required because of contractor organizational changes, facility life cycle change, or other causes for reassignments.

4. Task the Federal Technical Capability Panel established in response to Board Recommendation 93-3 to:

a. Survey the availability and sufficiency of personnel in DOE with expertise in these vital safety systems.

b. Recommend to DOE senior management such actions as may be appropriate to augment, redeploy or otherwise bring such expertise more effectively to bear in the life-cycle-management of vital safety systems.

c. Add to DOE's technical staff qualification program the requisites for qualifying as subject matter experts for these vital systems.

d. Develop descriptions of functions and responsibilities for inclusion in the Function and Responsibilities Authorities Manual for individuals serving as subject matter experts on vital safety systems.

5. Make the scrutiny of the status of all systems serving to protect the public, workers and the environment a regularized part of the assessments performed as required by DOE P 450.5, Line Environment, Safety and Health Oversight. Include in such review the programs, such as quality assurance, maintenance, configuration management and conduct of operations, that contribute much to ensuring these systems will operate as intended.

Appendix—Transmittal Letter to the Secretary of Energy, Defense Nuclear Facilities Safety Board

        March 8, 2000

The Honorable Bill Richardson

Secretary of Energy

1000 Independence Avenue, SW

Washington, DC 20585-1000

Dear Secretary Richardson: Designs of the Department of Energy's (DOE's) high hazard defense nuclear facilities typically include systems whose reliable operation is vital to the protection of the public, workers and the environment. Operations are constrained by technical safety requirements and operational limits established by analyzing the hazards of the operations and the capability of design features to prevent or mitigate consequences of potential mishaps or operational disruptions caused by either man or natural phenomena. The availability and operability of such systems and the conditions specifying operational limits are included in the written agreements established by DOE with its contractors as conditions for authorizing performance of work.

Ventilation systems installed in many defense nuclear facilities are among those that provide vital safety functions. Such systems contribute much to the safe environment for workers and serve a vital confinement function should work process upsets and mishaps result in airborne releases of hazardous materials.

The Defense Nuclear Facilities Safety Board (Board) has advised DOE in various ways during the past several years of the need to increase attention to ventilation systems and of the steps we believe would lead to more certain performance of their important safety functions. Although DOE has responded to some extent, the upgrade efforts to date have been less comprehensive and effective than the matter merits.

The Board further believes that DOE's upgrades of ventilation systems could well serve as a model for implementing similar programs for other vital safety systems that may be needed in defense nuclear facilities.

The Board believes this matter requires additional DOE attention. More explicitly, the Board recommends for your consideration an action plan structured to address the elements set forth in the enclosed Recommendation 2000-2, Configuration Management, Vital Safety Systems.

The Board's recommendation is directed explicitly at systems for ensuring nuclear safety. This is in keeping with the Board's enabling legislation. However, the concepts advocated could be applied to good advantage to systems designed for safety management of hazardous material and processes of non-nuclear nature as well. In the spirit of Integrated Safety Management (ISM) to which DOE is committed, DOE is encouraged to do so.

Recommendation 2000-2, Configuration Management, Vital Safety Systems, was unanimously approved by the Board, and is submitted to you pursuant to 42 U.S.C. § 2286a(a)(5), which requires the Board, after receipt by you, to promptly make this recommendation available to the public. The Board believes the recommendation contains no information which is classified or otherwise restricted. To the extent this recommendation does not include information restricted by the Department of Energy under the Atomic Energy Act of 1954, 42 U.S.C. §§ 2161-68, as amended, please arrange to have this recommendation promptly placed on file in your regional public reading rooms.

The Board will publish this recommendation in the Federal Register.

   Sincerely,