DEFENSE NUCLEAR FACILITIES SAFETY BOARD

RECOMMENDATION 95-2 TO THE SECRETARY OF ENERGY
pursuant to 42 U.S.C. § 2286a(a)(5)
Atomic Energy Act of 1954, as amended.

Dated: October 11, 1995

The Defense Nuclear Facilities Safety Board (Board) has issued and the Secretary of Energy has accepted three sets of recommendations (90-2, 92-5, and 94-5) concerning the use of standards by contractors at the Department of Energy's (DOE) defense nuclear facilities, and the level of conduct of operations to be maintained at these facilities. These recommendations intersect in many of their implications. The Board now wishes to combine and modify these recommendations into a form that (1) reflects what it has learned from DOE's response to the recommendations, (2) more sharply focuses continued activity on the objectives DOE and the Board seek to achieve, and (3) is more clearly consonant with the actions which DOE has under way to modify DOE's system of Orders.

On March 8, 1990, the Board forwarded to the Secretary of Energy Recommendation 90-2. Briefly paraphrased, it recommended that (1) DOE identify the particular standards that it considered should apply to certain designated defense nuclear facilities of DOE, (2) DOE provide its views of the adequacy of these standards, and (3) DOE establish the extent to which the standards were being applied to the facilities. The Secretary accepted this Recommendation on June 11, 1990, and provided the Board with an acceptable Implementation Plan on November 9, 1994.

The principal product of implementation was to be a set of facility-specific documents that set forth the applicable standards and requirements for a selected set of DOE's defense nuclear facilities. These were termed Standards/Requirements Implementation Documents (S/RIDs). The S/RID was to contain those requirements considered necessary and sufficient for ensuring safety in the particular application.
These were to be principally extracted from DOE Orders, appropriate standards, NRC guides, and similar sources. The S/RID was envisioned as the basis upon which work controls would be developed and implemented. This concept has been maturing in the course of its application to several DOE defense nuclear facilities.

Subsequently, in connection with its internal plans to restructure its system of Orders, DOE has developed the concept of the "necessary and sufficient" set of requirements at a site or a facility or for an activity. As applied to safety requirements, we recognize the "necessary and sufficient" and S/RID concepts to be identical. In the following, the identity of the two will be implicitly understood, although we shall continue to use S/RID as the preferred term for the documented set of applicable standards and requirements in agreements between DOE and its defense contractors. This is the nomenclature found in implementation plans submitted by DOE to the Board. To avoid confusion, we suggest that DOE continue uniform use of the term S/RID in this connection.

DOE is to determine the extent to which standards are implemented through a process of Order Compliance Self-Assessment. This has generally been accomplished through review of detailed compliance with the DOE safety Orders of interest to the Board. The practice is to be followed until S/RIDs are in place, after which time, the issue becomes compliance with requirements in S/RIDs. The Board has viewed the Order Compliance Self-Assessment Program of DOE as an initial activity in the formulation of the S/RIDs. As part of this compliance self-assessment, DOE required the contractors to justify in documented form the rationale for judging requirements to be non-applicable.
This procedural requirement has been reported to have caused the expenditure of more effort than merited to achieve the end result the Board sought, which was the establishment of the particular subset of requirements upon which the safety management programs at a site would be structured. In the recommendations below, the Board seeks to streamline the process of arriving at an Authorization Basis and Authorization Agreements with respect to DOE's safety management of its sites, facilities, and activities. The review and acceptance by DOE of (1) the hazards assessment of the work contracted, (2) the standards/requirements identified as appropriate, and (3) safety management controls committed by the contractor for conduct of the work would in effect constitute, in the view of the Board, a DOE determination of adequacy relative to sufficiency of the requirements base. In another action, on August 17, 1992, the Board forwarded its Recommendation 92-5, which called for establishing certain safety policies at defense nuclear facilities faced with missions that were changing in response to the shifting world situation. The principal features of Recommendation 92-5 can be paraphrased as follows: (1) that facilities to be used in the longer term in nuclear defense missions or in cleanup from previous nuclear defense activities should be operated according to a superior level of conduct of operations, (2) that certain safety practices be followed at nuclear defense facilities being restarted after a long period of idleness, and (3) that defense nuclear facilities designated for various other kinds of use (such as standby) should be subject to a graded approach of safety criteria and requirements to be developed. The Board requested that it be informed on a timely basis of changes in the intended use of DOE's defense nuclear facilities. 
Implicit in the Recommendation was a broader view of conduct of operations than adherence to written procedures and related activities directly in support of operations. It encompassed the entire set of practices used to ensure safety in a facility, and in the operations conducted therein, extending to coverage implied by the term "safety culture."

On December 16, 1992, the Secretary of Energy accepted Recommendation 92-5, and forwarded to the Board an Implementation Plan which the Board accepted on January 8, 1993. Circumstances affecting DOE's defense programs have continued to evolve since then, and the view of the future of the defense nuclear establishment is now different from that in late 1992. Many facilities then scheduled for restart or standby are now slated for deactivation and decommissioning. Though the future form of the establishment continues to be uncertain, the Board believes that the extent of the changes and other intervening events makes it necessary to bring major features of its Recommendation 92-5 up to date and in line with the updating of Recommendation 90-2.

Another important development has been the elaboration of the S/RID concept into a system view of a standards-based safety management system. [*Footnote 1] This has shed further light on such important matters as permissible variability of safety management at facilities of different kinds and different levels of risk, and the formal means whereby an Authorization Agreement related to environment, safety and health objectives is incorporated into contractual terms. Principles that should guide the structure and use of safety management, the framework for conduct of operations appropriate to different cases, the basis for grading of safety management and conduct of operations, and the application to the important defense nuclear laboratories of the Department of Energy, are outlined in another document in the DNFSB/TECH sequence. [**Footnote 2]
The points laid out in DNFSB/TECH-6 are consistent with those in DNFSB/TECH-5. Although the concepts and processes discussed in these documents are couched in terms of radiological hazards, they are more general, and apply as well to hazards of other kinds. In addition, they offer an appropriate match to requirements established elsewhere for safety in decommissioning of facilities, and would serve as a bridge to such operations.

The Board agrees with the view adopted by DOE in certain pilot tests presently under way, that the contractor for a site, facility, or activity should originate the drafting of the Safety Management Plan and the S/RID with assistance and input as appropriate by DOE. DOE has the responsibility for determining that the proposed S/RID will ensure an adequate level of safety, and finally approving it when it is found to be satisfactory. In the Board's view, an S/RID should be the central component of the Authorization Agreement which should have contractual status as part of the agreement with the contractor relevant to performance of the work authorized for the site, facility, or activity.

*Footnote 1: Fundamentals for Understanding Standards-Based Safety Management, Joseph J. DiNunno, DNFSB/TECH-5.

**Footnote 2: Safety Management and Conduct of Operations at the Department of Energy's Defense Nuclear Facilities, DNFSB/TECH-6.

In accordance with its statutory directive to review DOE's safety standards and their implementation, the Board plans to track selected S/RIDs and the associated Safety Management Programs as they are developed. The Board will formally review them after their completion and will provide its comments to DOE in letters to the Secretary or in the statutory form of recommendations. The Board would normally expect DOE to have performed its own review with documentation of the results before being formally provided with the Board's comments.
We recognize that the various DOE organizational units which may be delegated review and approval authority for S/RIDs and associated Safety Management Programs may not have enough individuals with qualifications in the technical specialties required to carry out effectively the streamlined process being recommended. This means that technical assistance may need to be retained from elsewhere to compensate for such personnel deficiencies where they exist. It also means that DOE may need to augment its own technical expertise so as not to be obliged to continue indefinitely to rely on technical assistance from outside DOE.

The Board renews its request that it be informed on a timely basis of changes in planned use of defense nuclear facilities. In addition, the Board now wishes to replace Recommendations 90-2 and 92-5. The schedule agreed to by DOE and the Board for S/RID development and implementation pursuant to Recommendation 90-2 will be revised and carried forward as a part of Recommendation 94-5, which is not being otherwise modified at this time.

Therefore, the Board recommends, that DOE:

1. Institutionalize the process of incorporating into the planning and execution of every major defense nuclear activity involving hazardous materials those controls necessary to ensure that environment, safety and health objectives are achieved.

2. Require the conduct of all operations and activities within the defense nuclear complex or the former defense nuclear complex that involve radioactive and other substantially hazardous materials to be subject to Safety Management Plans that are graded according to the risk associated with the activity. The Safety Management Plans and the operations should be structured on the lines discussed in the referenced documents DNFSB/TECH-5 and DNFSB/TECH-6.

3. Establish a new list of facilities and activities prioritized on lines of hazard and importance to defense and cleanup programs, to focus the transition from implementation programs related to 90-2 and 92-5 to this revised development of S/RIDs and associated Safety Management Plans, following the process of Section I of DNFSB/TECH-6.

4. Promulgate requirements and associated instructions (Orders/standards) which provide direction and guidance for this process including responsibilities for carrying it out. The manner of establishing responsibilities and authorities as currently set forth in DOE Order 5480.31 (425.1) for Operational Readiness Reviews should serve as a model for preparing, reviewing, and approving the Safety Management Programs. The requirement for conformance should be made a contract term.

5. Take such measures as are required to ensure that DOE itself has or acquires the technical expertise to effectively implement the streamlined process recommended.

John T. Conway, Chairman

DNFSB/TECH-6

Safety Management and Conduct of Operations at the Department of Energy's Defense Nuclear Facilities

Paper Prepared for the Defense Nuclear Facilities Safety Board
October 6, 1995
by Dr. Herbert J.C. Kouts and Mr. Joseph J. DiNunno

We wish to acknowledge input from Steven Krahn and Wayne Andrews. The concepts were also assisted in formulation through discussions at DOE's laboratories by a team of DNFSB staff consisting of Steven Krahn, Jan Preston, Albert Jordan, and Donald Owen, along with Dr. Gerald Tape, Dr. Duane Sewell, and Admiral John Drain.

REMARKS ON SAFETY MANAGEMENT AND CONDUCT OF OPERATIONS AT THE DEPARTMENT OF ENERGY'S DEFENSE NUCLEAR FACILITIES

INTRODUCTION

In issuance of the document "Fundamentals for Understanding Standards-Based Safety Management" (DNFSB/TECH-5), by Joseph J.
DiNunno, the Defense Nuclear Facilities Safety Board (Board) discussed the nature of safety management of defense nuclear sites, facilities, and activities of the Department of Energy (DOE), managed for the Department by contractors. In this relationship, a contractor ensures safety of the site, facilities, and activities entrusted to him through operation in accordance with Safety Management Plans devised in the first instance by the contractor, and then finalized between the parties. The Safety Management Plan is part of the overall Plan of the contractor for the conduct of specified work covered by the contract. DOE expresses its concurrence in the Plan by its acceding to an Authorization Agreement. The Safety Management Plan and the Authorization Agreement accepting the Plan rest on an Authorization Basis that includes as safety documentation a Safety Analysis Report, a Standards/Requirements Identification Document (S/RID), Technical Safety Requirements (TSRs), and additional requirements that the Department may specify. In 1992 the Board issued its Recommendation 92-5, calling for observance of a high level of conduct of operations at the Department's active defense nuclear facilities. In this Recommendation the Board took a broad view of the meaning of the term "conduct of operations," in effect equating it to the range of operational practices followed to ensure safety. The Safety Management System as described in DNFSB/TECH-5 and the scope of "conduct of operations" are therefore complementary subjects. Broadly speaking, a Safety Management System in the context of the Board's present discussion includes the formal relationship between the Department of Energy and its defense nuclear contractors to ensure safety in operations, including objectives, plans, and commitments. Conduct of operations refers to the body of practice that implements the system. 
The Board now deems it advisable to elaborate on the concepts of safety management and conduct of operations as outlined in DNFSB/TECH-5, to avoid misunderstanding of the Board's views in these matters.

ESTABLISHING A NUCLEAR SAFETY MANAGEMENT SYSTEM

The important features of the Safety Management System as they reflect on conduct of operations are the same in application to all defense nuclear facilities, though their appearance may be highly variable because of the great differences in activities at different DOE facilities. All safety management, however, is based on defense in depth, which in this usage is the practice of using systems of equipment and systems of procedures in a structure of mutual reenforcement to avoid exposure of individuals and the environment to undesired nuclear radiation.

The process of safety management is discussed in DNFSB/TECH-5. It is shown as a flow diagram on page 8. It begins logically with definition by DOE of the mission to be accomplished by the contractor in operation of a site or facility, or conduct of an activity (Box 1).

In other actions by the Department of Energy, requirements are formulated to ensure safety of operations. They are issued in various forms: statements of policy, safety rules, Orders, standards, and nonmandatory guidance. Some of these are appropriate to all activities sponsored by the Department (Box 2). Some might apply only to the specific site or type of site (Box 3). The mission statement and the requirements are provided to the contractor.

In order to make complex missions tractable, the contractor breaks the work into work packages (Box 4). The set of work packages may range from a formal work breakdown structure, appropriate to activities of a production type, to a structure by projects or disciplines, as may be more suited to a research or development mission.
Once the work is structured in smaller pieces, it is possible to plan how to do each piece and to apply the available resources in facilities, equipment, and manpower. A single mission or activity may require use of several facilities at the site. On the other hand, a large facility may be used in more than one of several unrelated missions or activities. Part of work planning is development of the basis for ensuring safety of what is to be done. Not only must the contractor satisfy the Department as to his plan for achieving the mission, he also must provide assurance that the work will meet the stated safety objectives. The first step toward the latter objective is preparation of a Safety Analysis Report or a set of Safety Analysis Reports, covering the proposed work. The safety analysis becomes a basis for identifying the hazards to workers and the public and the proposed means for avoiding the hazards. The Safety Analysis Reports and material based on their results become part of an Authorization Basis provision of which is the subject of Box 5. The central component of the Authorization Basis is the Standards/Requirements Identification Document which states the standards and requirements that are to be used for safety reasons. Some standards and requirements are of such a general nature that it is appropriate to include them in an S/RID for an entire site. Others may be applicable only to individual facilities or activities, and would therefore be included in corresponding S/RIDs having that coverage. All standards and requirements to be used in ensuring safety somewhere at a site should be included in the appropriate S/RIDs. The contractor, in consultation with DOE, must establish a suitable structure of S/RIDs to cover the site. Then there will be an S/RID for the site, and other S/RIDs for facilities and, possibly, activities. The Authorization Basis also includes other material that is to be relied on to ensure safety. 
Examples are standards and guides incorporated by reference and Technical Safety Requirements. S/RIDs are first prepared by the contractor, with assistance and input as appropriate by DOE. The cooperation of DOE at this stage is advisable to ensure that the S/RIDs will be found satisfactory by DOE in its approval of the finished product. S/RIDs are the central components of the Safety Management Plan for sites, for facilities to be used in discharge of the mission, or for activities to be conducted for this purpose. The other components of a Safety Management Plan are any commitments in the Safety Analysis Report for the facility or activity; the Technical Safety Requirements (TSRs) that will be applied; referenced material such as DOE Orders and guides, industry standards, or NRC guides and standards; and any other material relied on in developing the S/RIDs. The contractor forwards the proposed work plan and Safety Management Plan to DOE for review and approval (Box 6). A period of discussion and revision may follow, during which modifications may be agreed on in reaching agreement as to acceptability. The end product is agreement on final versions as an Authorization Basis for conduct of the work (Box 7). The agreement is made material in an Authorization Agreement formally endorsed by DOE and the contractor, which is made a contract term along with the S/RIDs. The contractor then proceeds to do the work, subject to the conditions of the Authorization Agreement (Box 8). Conduct of operations then comes into play. Experience (Box 9) may lead to improvement in the work plan and the conditions to be imposed on the work. Though the above is presented in terms of radiological safety, the concepts and their application are completely general, applying just as well to hazards of all other kinds. 
NORMAL COMPONENTS OF FORMALITY IN AN INTENSIVE PROGRAM OF CONDUCT OF OPERATIONS

It is important to understand what is meant by the Board in its use of the term "conduct of operations," since that term is not explicitly defined in DOE's Order 5480.19, Conduct of Operations for DOE Facilities. The Board includes under conduct of operations all those attitudes, processes, and precautions taken in the interest of safety. Though features of a system of conduct of operations may be different at different facilities, the common feature is a formality of operations which will vary in form and degree depending on conditions discussed in the next section. The most intensive application of the concept would be found at the more hazardous facilities subject to the more repetitive types of activities.

Operational formality is a structured and systematic way of performing work. It is not simply a listing of functional areas, but rather a mind set, a way of doing business. A comprehensive program of operational formality should provide detailed guidance for performing essential elements of operations, such as: maintaining facility status within the Authorization Basis, formal communications, independent safety reviews, review of operating experience, and preparing, reviewing, approving, and using operating procedures.

The Board has in mind issuance of a detailed set of guidelines to ensure that hazardous facilities and activities meriting intensive safety treatment are competently operated with full knowledge of their condition and the effect of operations, in a manner providing proper assurance of worker and equipment safety. In the present document, however, we wish simply to indicate the range and coverage of an intensive system.
Such a program would normally include the following:

- Line management of operations including a clear chain of safety responsibility,
- Detailed procedures for operation and maintenance, including emergency procedures,
- For more hazardous operations, line-by-line adherence to the procedures with check off after each step,
- A formal process for review and approval of changes to the procedures,
- Supervision by highly competent personnel who are knowledgeable as to the results of the safety analysis and operating limits for the facility or activity,
- A highly trained and formally qualified staff of operators and maintenance personnel,
- An effective radiation protection program,
- Adherence to a safety envelope comprised of TSRs and S/RIDs,
- A formal process for review and approval of structures, systems, and components important to safety and environmental protection,
- A maintenance program that includes regularly scheduled preventive and predictive maintenance and timely corrective maintenance, conducted in accordance with approved procedures,
- An orderly workplace,
- A process which converts mistakes to lessons learned and uses these as a basis for improvement, and
- A process of independent safety review that includes close attention of top management.

In application, the scope of operational formality must be reviewed to ensure that each element is appropriate to the operation under consideration. Those elements that are deemed applicable should be tailored in depth and rigor to match the hazards that may be present.

THE BASIS FOR GRADED SAFETY MANAGEMENT

It is clear that the level of conduct of operations necessary to meet safety objectives may be different in various activities at defense nuclear facilities of the Department of Energy.

1. The most intensive Safety Management System should be found at a facility where the principal activities are of a repetitive nature (such as production or cleanup) performed by technician-level personnel under supervision, where there is some potential for a large accident which could affect the workers or the surrounding public, and the activities in question or similar ones are expected to be continued for a number of years.

2. The features of a facility or operation that may be a basis for grading of safety management are:

   - The risk as indicated by safety analysis,
   - The competence and technical sophistication of the operating staff and the technical supervision, and
   - The expected duration of the operation or use of the facility.

3. Safety management can be graded in a number of ways, principally:

   - Depth and detail of safety analysis,
   - Redundancy and assured reliability of safety structures, systems, and components,
   - Number of TSRs and extent of defense in depth they provide,
   - Depth and detail of the S/RID,
   - Detail of written operating and maintenance procedures,
   - Training and qualification of workers, and
   - Other forms of formality of conduct of operations.

4. A low level of risk can be the basis for reduced intensity of safety management. However, the system must always include measures that may be needed to ensure a safe workplace, meaning measures that ensure an acceptably low likelihood of unintentional release of radioactive material or nuclear radiation and as low as reasonably achievable (ALARA) practices for normal operations.

5. If a facility is to be active for only a relatively short period of time, so that the benefit of following a normal system of safety management would be questionable when compared to the cost in time and money, it may be justifiable to use alternative procedures that are demonstrably effective.
For instance, some training of technician-level personnel can be replaced by assignment of highly qualified individuals on shift, available on a real-time basis as backup to operators.

6. Operations at some facilities consist of research conducted by individuals well conversant with the subject matter underlying the work, such as those having advanced academic degrees in the topics and having demonstrated competence. In such cases, step-by-step procedures where they otherwise would have been needed can be replaced by such documents as those conventionally used for planning of experiments or operations, containing the objective of the work, the plan of operations, and precautions and limits placed on operations for safety reasons.

FORMALITY OF OPERATIONS AT DOE's DEFENSE RESEARCH LABORATORIES

The Board considers it appropriate that among the family of defense nuclear facilities operated for DOE, the style of conduct of operations may depart most from the detailed features in Section II at the defense research laboratories. A possible format for the research activities at these laboratories is found in the following. Note that it would be expected that production type activities at these laboratories would appropriately fall under the conventional form of Section II.

1. S/RIDs should be a domain of managers whose functions should include seeing that the S/RIDs are complied with. In this context, examples of managers are laboratory directors and their staff; directors of supporting activities such as fire protection, engineering, maintenance, and waste disposal; directors of projects of substantial size; building managers; and managers of production type activities.

2. Research scientists, heads of small projects, and operating staff should be familiar with the main features and results of the safety analysis, the TSRs, other operating limits, and the planning documents as the conditions permitting them to conduct their activities, and they should be bound by these conditions. It is not necessary that they be fully conversant with the contents of S/RIDs, which are to be enforced by the managers.

3. Activities with associated hazards should be conducted in accordance with written procedures that are based on an appropriate safety analysis and are appropriately reviewed and approved. These procedures can range from detailed, step-by-step actions to be followed in relatively routine processes, conducted by technician or production personnel, to more generalized analysis and guidance in the general form of laboratory experiment plans where research projects entail minor hazard. A process of ensuring adequacy of the procedures should be followed, including the process commonly known as walkdown.

4. The S/RIDs, the TSRs, any other operating limits imposed as a result of safety analysis, and the existence of the procedures and the safety analyses (but not their detailed contents) constitute a compact on which agreement to proceed with operations is to be based.