DNFSB/TECH-5
Fundamentals for Understanding Standards-Based Safety
Management
of
DOE Defense Nuclear Facilities
Paper Prepared for the
Defense Nuclear Facilities Safety Board
Public Meeting, May 31, 1995
on
Standards-Based Safety Management
Joseph J. DiNunno
Note: This paper was developed by the author with assistance of
Board staff for consideration by the Board as a whole, as a part
of the hearing record.
�
Acknowledgement
This paper was developed with the assistance of a number of the
staff of the Defense Nuclear Facilities Safety Board. The author
wishes to acknowledge a core group that included Robert Andersen,
Lester Ettlinger, Robert Warther, Daniel Burnfield, and Farid
Bamdad. In addition, our attempts to better define terms
benefited by informal exchanges with Margaret Sturdivant of
DOE/EH and Frank Arsenault, a DOE support contractor.
�
Fundamentals for Understanding
Standards-Based Safety Management of
DOE Defense Nuclear Facilities
One of the problems encountered in the Defense Nuclear Facilities
Safety Board (Board) and the Department of Energy (DOE) efforts
to achieve an adequate set of safety requirements and a
standards-based safety program is a lack of consistent
nderstanding of such fundamental terms as "standards,"
requirements," and "enforcement." Individuals with
different academic backgrounds (scientific, engineering, legal)
and professional experiences
(operators, regulators, enforcement officers) may interpret these
terms in disparate ways.
To avoid misunderstanding, it is necessary to establish commonly
understood definitions and
to agree conceptually on how these terms fit into a
standards-based safety management
program that both reduce confusion and form a basis for dialogue.
This paper is an attempt
to define key safety terms and apply them, for illustrative
purposes, to the structure of an
integrated safety management program. Among the most critical
terms essential to a
common dialogue on DOE safety programs are the following: safety
standard, safety
requirement, DOE safety "Orders," safety regulations, and
enforcement.
Section I of this document presents a brief background discussion
of the statutory basis for
these key safety terms. Section II introduces the technical and
legal perspective brought to
the use of the terms over several decades of experience. Section
III of this document defines
these terms, differentiates "standards" from "standards imposed
as requirements," and then
discusses how standards and requirements can be incorporated in
DOE contracts and
ultimately enforced. The final Section (IV) explains one
structure for an integrated safety
management program, including the concepts of a
Standards/Requirement Identification
Document (S/RID), a facility and/or activity Authorization Basis,
an activity/facility
Authorization Agreement, and a Certification of Readiness to
Proceed for defense nuclear
facilities.
I. BACKGROUND
Most of the terms used to describe safety programs for defense
nuclear facilities have evolved from nuclear practices and
statutory provisions governing DOE, beginning with
the Atomic Energy Act. The Atomic Energy Act of 1954 provided
that the Atomic
Energy Commission, and later its successor agencies, Nuclear
Regulatory Commission
(NRC) and DOE, would "establish by rule, regulation, or order,
such standards and
instructions . . . necessary or desirable . . . to protect
health or to minimize danger to
life or property." 42 U.S.C. � 2201(b). This was the first
Congressional directive to
DOE's predecessor's organization to establish a standards-based
safety program.
Prior to the Price-Anderson Act Amendments to the Atomic Energy
Act in 1988, DOE
partially met its statutory obligations by issuing DOE Safety
Orders which were
sometimes incorporated into the terms of management and
operations (M&O) contracts
for defense nuclear facilities. Of interest to the Board are
51 DOE Safety Orders which
apply to DOE nuclear facilities and nine DOE Safety Orders
which apply specifically to
weapons assembly, disassembly and testing facilities. As will
be explained in detail
later, DOE safety "Orders" are not automatically mandatory on
the date of issuance, as
the use of the word "Order" would imply. Some of these Orders
were implemented by
DOE at various sites by issuance and use of detailed technical
procedures and other
guidance which spelled out how safe operations are to be
achieved. DOE has not
consistently invoked these Orders, contract terms, and
procedures to define for their
contractors what was expected to assure adequate protection of
public health and safety at
defense nuclear facilities.
The Price-Anderson Act Amendments of 1988 authorized DOE to
impose civil and
criminal penalties upon its indemnified M&O contractors for
violations of nuclear safety
rules, regulations, or orders. These regulations and orders
must, among other things, be
promulgated or issued in accordance with Section 501 of the DOE
Organization Act of
1977 and the Administrative Procedure Act. To date, DOE has
issued two substantive
nuclear safety regulations (radiation protection and quality
assurance), but has not used
its enforcement powers. Some two dozen more regulations are in
various states of
completion.
The Board's first statutory duty is to "review and evaluate the
content and
implementation of the standards relating to the design,
construction, operation, and
decommissioning of defense nuclear facilities of the Department
of Energy (including all
applicable Department of Energy Orders, regulations, and
requirements) at each
Department of Energy defense nuclear facility." 42 U.S.C. �
2286a (emphasis added).
Recognizing that DOE did not have a well-developed set of
requirements or a fully
functional standards-based nuclear safety program, the Board
issued a number of
recommendations designed to prompt DOE to correct the
situation. The first was
Recommendation 90-2. In response, DOE in 1990 accepted the
recommendation and
began to identify, evaluate for adequacy, and determine the
status of implementation of
DOE safety standards. This effort continued but has lagged
behind the pace the Board
expected and DOE had committed in its implementation plan.
This DOE effort has been
marked by attempts (1) to improve and re-issue some
safety-related "Orders," (2) to
transition from the Order system to rules in defining
requirements, and (3) to separate
guidance from requirements. This effort has not been free of
confusion that has slowed
the complex-wide implementation of a standards-based program.
Recently, in
Recommendation 94-5, the Board recommended that DOE integrate
applicable safety
requirements contained in rules, DOE Safety Orders, and
elsewhere into a clear,
coherent, and consistent standards-based nuclear safety
program.
DOE's slow pace in establishing a standards-based nuclear
safety program throughout the
complex after five years of Board prompting involves a number
factors. One of the most
persistent, yet curable, factors is that individuals do not
have a common understanding of
"standards," "requirements," and other fundamental terms. This
results in mis-communication and unrealistic expectations. After
discussions, parties often leave the
table believing that agreement has been reached when in fact
consensus has not been
achieved. Having a set of mutually-acceptable definitions for
key terms is essential to
achieving shared safety goals for standards-based safety
programs at defense nuclear
facilities.
II. INTRODUCTION
Safety standards, which are defined more rigorously in the
following discussion, are
accepted levels or measures of performance, or in the case of
many consensus standards,
accepted methods for safe performance of specific functions.
Standards can be suggested
as guidance or imposed as requirements. If imposed as
requirements, standards are
legally enforceable. That is, legal action can be taken if the
responsible person,
organization or agency fails to follow the standards. If
suggested as guidelines, the
responsible entity is encouraged to follow the standards, or
some alternative that achieves
the same purpose, but cannot be subjected to legal action for
failure to do so.
When standards are incorporated into statutes (i.e., laws),
regulations (synonymous with
rules), or judicial or agency orders (not to be confused with
DOE Safety Orders), or if
they are agreed to as mandatory terms of contracts, they become
legally enforceable
requirements. For example, "adequate protection of the health
and safety of the public"
is a standard for measuring safety that is incorporated in the
Board's enabling statute, the
Atomic Energy Act; an annual dose equivalent of 25 millirems
per year is a safety
standard and limit incorporated in a regulation (40 C.F.R. �
190.10).
Standards that are not imposed as requirements are guidelines,
and could be adopted for
use by means of corporate policy or procedure. For example, an
M&O contractor could
specify to its employees that equipment be designed to a
particular Institute of Electrical
and Electronics Engineers (IEEE) consensus standard or to the
American Society of
Mechanical Engineers (ASME) code. The M&O contractor would not
be subject to legal
action for failing to follow this policy. However, employees
could be disciplined for
failure to follow the standards. Moreover, if the purpose of
the corporate policy is to
provide a preferred process for meeting an underlying safety
requirement, the M&O
contractor would need to implement an equivalent process or
risk liability for failing to
meet the underlying requirement. The liability stems from
failing to meet the
requirement, not from failing to implement the recommended IEEE
or ASME standard.
Similarly, if a regulated entity fails to follow one of its own
procedures, no liability
would result if the procedure was not imposed by requirement
(e.g., regulation or
contract). However, if the procedural error results in failure
to meet a safety
requirement (e.g., adequate fire protection), the regulated
entity could be liable for that
failure. The picture changes if a specific industry consensus
or other standard is made
mandatory by regulation or other process. For example, a
regulation could require that
equipment be designed and tested according to a named consensus
standard. In this case,
the regulated entity must use this standard or face legal
action.
III. DEFINITIONS
Nuclear safety experts and drafters of the relevant Atomic
Energy Act provisions
recognized that safety standards are a broader category than
safety requirements.
Therefore, we begin by defining standards.
A. SAFETY STANDARDS: Documented measures for the safe
performance of work.
Standards may be expressed in at least two ways, namely as:
(1) criteria for
measuring whether or not a condition indicative of safety
has been met; and (2)
prescriptions for how a certain safe result is to be
achieved, including specified
methods, procedures, materials, and actions. Safety
standards are not necessarily
requirements.
This definition acknowledges that the term "standards" can
be used in two ways.
First, a standard can be a criterion for measuring whether
or not a certain status or
condition has been achieved; the standard states what is to
be achieved. These
standards are sometimes called "substantive" or "outcome"
standards, and are often
expressed as measurable limits. As an example, radiation
protection standards have
been characterized in these terms: "standards mean limits on
radiation exposures or
levels, or concentrations or quantities of radioactive
material, in the general
environment outside the boundaries of locations under the
control of persons
possessing or using radioactive material." Reorganization
Plan No. 3 of 1970, 5
U.S.C. Appendix I. Standards of this type are often found
in statutes and agency
regulations.
The second type of standard is a prescription for achieving
a certain status or
condition. A standard of this type may specify methods,
materials, procedures, and
actions on how a certain result is to be achieved. These
types of standards are often
called procedural, but may also address what is to be
achieved. Such standards are
often developed by technical specialists, first as guidance,
often using a consensus
process. The National Fire Protection Association Codes are
examples of consensus
standards developed by technical experts. The Radiological
Protection Control
Manual issued by the DOE or NRC Regulatory Guides are
examples of procedural
standards issued by the government.
As mentioned earlier, individuals with different backgrounds
and experiences may
view and interpret definitions or concepts from different
perspectives or, in a
metaphoric sense, through different lenses - one lens may
bring a sharp focus to an
image, while another lens may obscure or blur the very same
image. In this
document, we will try to bridge those differences to view
the image through the
same, clear, focused lens.
Scientists and engineers often view the second type of
safety standard as a set of
prescriptions by which the success and failure of a
technology can be recorded and
communicated to a broad segment of the professional
community. As a historical
record, these standards are documented and codified sound
engineering practices.
The professional organizations that publish and communicate
these types of safety
standards expect that, if those standards are followed, the
equipment or processes to
which the standards are applied can be built and used
safely.
Safety standards, as a prescription for how certain
conditions are to be achieved, are
usually based upon the best technical information available
to the scientific and
engineering community. Often they emerge from a consensus
process and/or formal
attempts to develop the standard. The process usually
involves the most experienced
professionals in a particular field. The larger
professional community generally
supports their adoption and use in applicable and
appropriate situations.
These safety standards are often viewed as information by
which the more
experienced professional can help guide those with less
experience through a body of
accepted industry practice. Scientific and engineering
standards also distill the
experience and responses to administrative and technical
challenges to a system or
technology. As a result, many safety standards in use today
contain lessons which
the engineering and scientific community have learned the
hard way - through
accidents and through years of examination of methods
practiced by the national and
international community. Viewed through this lens, safety
standards provide the
professional scientific and engineering basis for the
conduct of work.
When a particular safety standard is applicable and is
adopted for use by the scientific
and engineering community and the standard is imposed as an
enforceable
requirement by one of the processes discussed below,
regulators, compliance officers,
and members of the legal community view the safety standard
through another lens.
That lens reveals that any "standard" made a "requirement"
converts it into a
mandate which must be followed; noncompliance will subject
the violator to various
sanctions. The converse of this is, of course, that a
standard which is not imposed as
a requirement cannot be enforced. As a consequence, the
adoption of a particular
standard as a requirement for an application, in whole or in
part, becomes a
challenging intellectual exercise for the scientific,
engineering, and legal community.
Any standard may be made a fully enforceable requirement if
imposed by statute,
rule, or contract term (by Congress and the President, in
the case of statutes; by
DOE, in the case of regulations, and by the
contractor/operator in agreement with
DOE, in the case of contract terms) as discussed below. If
the standard is not made
into a fully-enforceable requirement, it remains only a
standard. See Figure 4.�
B. SAFETY REQUIREMENTS: Enforceable mandates governing
public
health and
safety.
The Atomic Energy Act and the Board's enabling statute
anticipate that certain safety
standards will be made legal requirements, ultimately
enforceable in court. A general
definition of a requirement which is well-suited to the
Atomic Energy Act and the
Board's enabling statute is "an enforceable mandate
governing public health and
safety." Broadly, a requirement is a mandate which can
ultimately be enforced by a
court or other authority having jurisdiction, and which the
person or entity to whom
the mandate is addressed is bound under law to obey. One of
the most important
features distinguishing a safety standard which is a
requirement from a safety
standard which is not a requirement is that the former is
fully enforceable against an
organization or individual in noncompliance with the
requirements. See the definition
of enforcement below. Most requirements are also
enforceable, without resort to
courts, through other administrative or contractual
mechanisms. For example, it is
expected that DOE would administratively enforce DOE
regulatory and contractual
requirements in the first instance. Requirements can be
subdivided into the following
categories based on the sources of requirements and by their
interpretation in law.
1. Statutory Requirements
Statutes, both state and federal, mandate compliance by
individuals, government
bodies, and corporations with certain health, safety, and
environmental standards
specified in the statute. Statutory requirements can be
enforced by empowered
state and federal officials using legal sanctions such as
administrative orders and
fines. These sanctions if resisted can ultimately be
enforced by the courts.
Moreover, enforcement officials often may seek to enforce
against statutory
noncompliance by going to court in the first instance.
2. Judicially-Imposed Requirements
Federal and state courts can issue orders in the form of
injunctions or other
mandates that certain actions be taken (or desisted from)
by individuals,
government bodies, and corporations, to adequately protect
public health and
safety. Court orders and other mandates can be grounded
in statutes, regulations,
or contracts, or can be based on principles of common law
and equity. Tri-Party
agreements under Comprehensive Environmental Response,
Compensation, and
Liability Act (CERCLA), endorsed by federal courts, are
examples of such court-imposed safety, environmental, and health
requirements. Safety standards
incorporated into court orders would be
legally-enforceable requirements to the
affected parties.�
3. Regulatory Requirements
Regulations are the products of rule making and the word
is synonymous with the
word rule when it is used in the formal sense described in
the Administrative
Procedure Act. Federal and state statutes have created
agencies with the power to
issue and enforce safety regulations, pursuant to
statutes, which are designed to
protect public health and safety. Regulations elaborate
upon and expand the
statutory safety requirements by using the agency's
special expertise (usually
scientific or technical) to promulgate detailed, generally
applicable, regulations.
Federal law dictates that safety requirements imposed by
regulation must first be
subjected to notice and comment from the regulated entity
and the interested
public. Safety standards imposed by regulations issued by
such agencies have the
force and effect of law and are enforceable against
persons under the agency's
authorized jurisdiction.
4. Order Requirements
Federal and state agencies are also empowered to issue
orders to specific persons
or corporations to protect public health and safety.
Orders, which carry certain
procedural rights under the Administrative Procedure Act
and parallel state
statutes, can be of several types: (1) compliance orders,
which demand that the
ordered party comply with existing statutory and
regulatory requirements,
(2) penalty orders, which initiate an enforcement
proceeding when a statutory or
regulatory requirement has been allegedly violated, and
(3) adjudicatory orders to
a regulated entity, which are final agency actions in
formal proceedings. All of
these orders should be distinguished from typical DOE
Safety Orders, which are
not legally enforceable until made a term of the contract.
Because DOE safety
"Orders" have not been promulgated according to
Administrative Procedure Act
requirements, and are thus not self-executing, they are
not orders of the type
described in this paragraph. Labelling something a DOE
safety Order does not
make it an enforceable order requirement in the sense just
described. "Order" as
used by DOE in this context is a misnomer and the
"requirements" imposed by
contracts.
5. Contractual Requirements
Two or more parties to a contract can impose on each other
the obligation to take
or desist from certain actions. Properly drafted
contracts specify (1) the criteria
by which performance by each party will be measured, and
(2) the remedies that
each party has in the event of nonperformance by the
other. DOE safety
"Orders" can be made mandatory and become contract terms
when incorporated
as such into contracts between DOE and its operating
contractors. Contractual
requirements are enforceable administratively under the
terms and remedies
provided in the contract, and ultimately in court.
6. Management Imposed Restrictions
Safety standards, such as technical procedures, which are
unilaterally adopted by
M&O contractors, can become "requirements" in a limited
sense for contractor
employees. Corporations and government bodies have the
authority to reasonably
direct the actions of their employees and sanction
misconduct that threatens safe
operations. This authority is circumscribed by
Constitutional constraints (e.g.,
discriminatory conduct) and statutory requirements (e.g.,
Occupational Safety and
Health Administration (OSHA) regulations). However, in
the area of compliance
with safety requirements, employers are typically given a
great deal of latitude in
specifying which procedures must be followed. These
standards become fully
enforceable by DOE against the contractor when they are
promulgated in rules,
agreed to as contract terms, or otherwise imposed as legal
requirements. See
Arrow in Figure 4.
C. ENFORCEMENT OF REQUIREMENTS:
Any action taken by
an
authorized entity
to remedy or penalize (sanction) noncompliance with safety
requirements; the ultimate
goal of enforcement is to bring the entity violating the
requirement back into
compliance and to discourage noncompliance in the future.
In most cases, DOE would initiate the enforcement action
against the noncomplying
contractor or its personnel. However, third parties with
"standing" (some injury
suffered as a result of the noncompliance) may also
institute some forms of
enforcement actions. Different levels of enforceability are
associated with the forums
that decide whether a noncompliance has occurred and what
remedy is appropriate.
Requirements based on contract terms can be enforced by
either party. Thus, a
contractor could enforce the contract against DOE.
1. Judicial Enforcement
Federal and state courts can mandate by judicial order
that the requirements in
statutes, agency regulations, and contracts be carried out
by persons, government
bodies, and corporations. The specific instrument used by
the court to remedy,
or to penalize, noncompliance may be an injunction, a writ
of mandamus, a
decision upholding of a fine or other administrative
sanction, or in criminal cases,
conviction and sentencing of guilty parties.
2. Administrative Enforcement
Federal and state regulatory agencies are granted
enforcement powers which may
include the power to issue compliance orders, impose fines
and other civil
penalties, and to investigate and refer for prosecution
potential criminal
violations. See the definition of Orders. Agency
sanctions may ultimately be
enforced by judicial order.
3. Contract Enforcement
Parties to a complex contract normally specify a range of
remedies for violations
of contract terms. Contractual remedies may include
mandatory compliance
(specific performance), reduction of payments, mandatory
dispute resolution
procedures such as arbitration, and in extreme cases,
contract termination.
4. Managed Compliance
Management officials of government bodies and corporations
can impose internal
policies and procedures upon employees using written
standards of conduct,
employment contracts, and internal directives. Sanctions
to enforce compliance
or punish violations range from informal reprimands to job
termination.
IV. INTEGRATED SAFETY MANAGEMENT PROGRAM
The inherent hazardous nature of radioactive materials has long
been recognized.
Practices that have evolved over the years to protect workers,
the public, and the
environment have been based upon a number of basic concepts.
These include the
following:
Defense In-Depth
Facilities wherein nuclear materials are processed,
fabricated, stored or used must be
designed to provide multiple levels of defense against undue
exposure of workers and
the public to radiation. Combinations of inherent design
characteristics and
engineered features are used to prevent release of
radioactive materials into the work
place or off site.
Minimizing Radioactive Exposures
Keeping radioactive exposures to "as low as reasonably
achievable" (ALARA) is
internationally accepted as a fundamental principle of
radiation protection. This
conservative approach is directed at preventing workers from
being exposed to any
more radiation than is absolutely necessary to achieve the
intended uses of the nuclear
materials or intended results of work in a radiation
environment.
Hazards/Safety Analysis
A Hazards/Safety Analysis is the companion piece to the
defense in-depth concept.
This is a planning exercise done to define the hazardous
aspects of the nuclear
activity and the features needed to render the probability
of inadvertent exposure of
workers and the public extremely low.
Clear Delineation of Safety Responsibility
Congress has made quite clear that with the privilege of
using radioactive materials
comes responsibility for assuring nuclear safety of workers
and the public and for
protecting the environment.
Regulatory bodies of nations with acknowledged nuclear programs
have widely adopted
these concepts in structuring requirements imposed on users of
nuclear materials. These
concepts undergird the regulatory programs of both the NRC and
the DOE.
Safety practices, or functions, that embody these four basic
concepts can be grouped by
the safety functions they are designed to serve, namely:
Prevention
Those requirements pertaining to hazards analysis and design
of structures, systems
or components to prevent undue exposures, whether from
normal or abnormal
conditions attendant the work activity or from unusual but
credible disruptive events.
Preservation
Those requirements to preserve the designed-in capability of
structures, systems and
components important to nuclear safety and protection of the
environment.
Mitigation
Those requirements that reflect possibilities for
operational mishaps, man or nature
caused, and the emergency response capabilities needed to
regain control and mitigate
consequences of dispersion of radioactive materials should
they be released beyond
designed confinement barriers.
Management
Those requirements that address the need for detailed
procedures and trained and
qualified personnel to integrate, manage and execute the
safety functions.
Groupings of safety functions, and the individual functional
areas within the groupings
are illustrated by Figure 1 and Figure 2.
Together, the functional areas provide a framework for
implementing the safety
requirements applicable to any facility at any site, or for
major work activities at any site
involving hazardous or radioactive materials. Currently DOE
nuclear safety-related
orders grouped by functional areas are shown in detail in Table
1. While existing DOE
Orders and Rules associated with specific functional areas are
shown in Table 1, this
does not imply that all requirements in those Orders are
applicable to all sites, facilities
or activities, nor do they necessarily represent a sufficient
set for tailoring facility or
activity specific safety management programs.
The wide variety of DOE nuclear facilities and activities make
it necessary to tailor
safety management programs individually to a large extent.
None-the-less, there is built
into generally applicable requirements the approach that is
common to all nuclear
activities. Requirements in effect prescribe a process,
including basic ingredients, that
begins with the analysis of the hazards and leads to the design
of ways of (1) preventing
exposures to radioactive sources, (2) preserving and properly
using the safety features so
designed (3) preparing in advance for handling and mitigating
effects of potential
mishaps and off-normal situations, and (4) providing the
organizational resources and
structure to effectively manage and execute the safety program.
(although the
requirements that are the focus of oversight by the DNFSB are
limited by statute to
nuclear safety, one should note that the process is equally
applicable to the regulation of
other hazardous materials.)
There are several major elements which are used to define
safety management programs
for defense nuclear sites and facilities. These elements
include: (1) the
Standards/Requirements Identification Document (S/RID), (2) the
Authorization Basis (3)
the Authorization Agreement, and (4) Readiness Certification.
If the conditions and
practices as described in these documents are implemented and
maintained at the site and
facilities as the work is performed, then DOE and its
contractors have reason to expect
that workers, the public, and the environment will be
adequately protected. The
relationship of the S/RID's, Authorization Basis, Authorization
Agreement and
Certification of Readiness is shown in
Figure 3 and is
discussed in more detail in the
sections that follow.
A. STANDARDS/REQUIREMENTS IDENTIFICATION DOCUMENT
The Board has advocated, and the Secretary of Energy has
endorsed, standards-based
safety management programs. DOE has committed (Board
Recommendation 90-2) to
the identification of applicable site-wide and
facility-specific standards/requirements
in Standards/Requirements Identification Documents (S/RIDs).
Within the site S/RID
one would expect to find the identification of safety
standards/requirements which
generally apply to a wide variety of activities conducted at
a site. Theoretically, the
site S/RID may be sufficient to describe the safety
requirements for major facilities
or projects; however, it may be preferable to develop a
tailored set of safety
requirements from the site S/RID that are more
facility-specific (i.e, a facility
S/RID).
During the drafting stage of an S/RID, the contractor at a
facility or site, in
cooperation with DOE, is expected to identify those safety
requirements that have
been established by statutes and rules and any additional
safety standards which are
necessary to achieve adequate protection of public health
and safety. Thus, the
S/RID process provides an opportunity for the contractor and
DOE to identify and
mutually agree upon those requirements and other standards,
such as DOE Safety
Orders, and selected industry standards which are to apply
to a site and/or facility.
Safety requirements imposed by regulation, or other legal
mechanisms are applicable
and enforceable even before they are referred to, or
incorporated in, an S/RID. See
Red Zone, Figure 4 and the yellow
area in Figure 5.
A completed S/RID, which is envisioned to be incorporated
into the contract between
DOE and contractor(s), should contain the explicit safety
requirements applicable to a
particular site or facility (site S/RID or facility S/RID).
See yellow and blue areas of
Figure 5. It is expected that as
activities performed at a
site or facility change, the
S/RID will be modified and updated in an orderly process.
The set of safety
requirements contained in the site S/RID should be organized
such that they can be
changed and applied in seamless fashion as DOE's defense
nuclear facilities progress
through life cycle phases of design, construction,
operation, maintenance, and
decommissioning.
B. AUTHORIZATION BASIS
While the development and incorporation into contract
agreement of a
DOE/Contractor mutually agreed-upon set of requirements is
absolutely essential for
effective compliance/enforcement activities, such
definition is not sufficient.
Agreements must similarly be reached as to how the
applicable requirements are to
be satisfied.
DOE Order 5480.21, Unreviewed Safety Questions, defines
"Authorization Basis" as:
Those aspects of facility design basis and operational
requirements
relied upon by DOE to authorize operation. These aspects
are
considered to be important to the safety of facility
operations. The
authorization basis is described in documents such as the
facility Safety
Analysis Report and other safety analysis; Hazards
Classification
Documents, the Technical Safety Requirements, DOE safety
evaluation
reports and facility-specific commitments made in order to
comply with
DOE Orders or policies.
A similar definition has been proposed as part of 10 C.F.R.
� 830.3. The above
definition captures the essence of an important sub-set of
the health and safety
requirements but may not always be inclusive. In the larger
context, "authorization
basis" must be viewed as the composite of information a
contractor must provide in
response to all ES&H requirements applicable to a facility.
Many of the facilities in the defense nuclear complex were
designed and constructed
to requirements that are not current today. The result is
that much of the
authorization basis that is required of new facilities is
not available or would be
highly costly to reconstruct at best. Further, missions
have dramatically changed and
functions that many facilities were originally designed to
serve are no longer needed.
These conditions notwithstanding, all facilities that
continue to use or contain
substantive quantities of radioactive materials require some
program for safety
management commensurate with the potential risk to the
worker, the public and the
environment. The challenge is to structure a safety
management program for each
such facility, considering its existing mission, its
anticipated future use and the best
knowledge of its radioactive inventory and design that can
reasonably be gathered and
analyzed.
The basic process prescribed for developing these programs
can be, and should be,
conducted even though the data base may be less than an
ideal. For the old facilities
in particular, the difficulty of DOE's review of such
programs for adequacy will rival
the challenge the Department faces in determining the
"necessity and sufficiency" of
facility-specific S/RIDs proposed by their contractors.
C. AUTHORIZATION AGREEMENT
When authorizing operation of a commercial nuclear facility,
the NRC extracts an
explicit set of terms and conditions from information
provided as part of the license
application (e.g., technical specifications, SARs, safety
programs). These terms and
conditions, along with other information such as applicable
regulatory requirements,
are made part of the license to conduct the activities
authorized. An example of such
terms and conditions for the Comanche Peak Unit 2 operating
license is shown in
Appendix I. By analogy, it is possible for DOE to develop
an authorization
agreement which distills terms and conditions from the
authorization basis
information submitted by the contractor (e.g., the SAR,
S/RIDs). This authorization
agreement would set forth the basis on which DOE approves
operation of the facility.
While the analogy to an NRC license is helpful, it is
important to note that an NRC
license and a DOE contract are fundamentally different legal
documents. DOE is the
owner of the facilities operated by contractors and is not
in the same position as the
NRC, which has no ownership interest in the facilities it
licenses.
The terms and conditions of an NRC license identify the
programs and activities to be
conducted by a licensee to ensure compliance with regulatory
requirements, which
are also identified in the license. Similarly, the terms
and conditions in a DOE
authorization for operation should contain the contractor's
commitments to programs
and activities that will be conducted to ensure
performance of obligations stated in the� contract in the form of S/RIDs. Such commitments provide a
concise set of clearly-defined expectations of contractor
performance which form a basis for compliance
and enforcement actions by DOE and/or independent external
oversight organizations.
Historically, DOE has not used Authorization Agreements to
explicitly define and
control terms and conditions governing contractor
operations. However, several
DOE Safety Orders address the desired content of
documentation that in effect would
constitute such contractor activities, authorization
agreement, if so defined.
Particularly pertinent existing DOE guidance from DOE Orders
is summarized in
Appendix II. The marked similarity of the content of
Technical Safety Requirements
(TSRs) that would result from implementing DOE Orders
compared to commercial
practice is illustrated in Table 2, using Comanche Peak,
Unit 2 License conditions as
the commercial reference. One can note that the basic
elements of authorization
agreements are expected to include:
1. Identification of those systems, structures, and
components important to safety
and the commitment to maintain them operational,
2. The technical safety requirements (TSR's), including
limiting conditions of
operations (LCO's),
3. The commitments to programs to preserve the designed-in
capability of structures,
systems, and components important to nuclear safety and
environmental
protection; e.g:
Configuration Management,
Maintenance,
Selection and Qualification of Operating Personnel,
and
Procedures Development and Implementation.
4. The commitments to programs for emergency preparedness
and response, and
5. The commitments to administrative controls necessary to
successfully execute the
activity being authorized.
Whereas, this generalized approach to establishing clear
authorization agreements can
be adapted to every nuclear facility or major activity
involving radioactive and other
hazardous materials, different types of facilities or
environmental restoration activities
may well have different terms and conditions. Some sites
with a multiplicity of
activities of different nature may also find that site-wide
programs, such as
emergency preparedness and response, may be the most
effective means of satisfying
safety functions common to a number of facilities or
activities.
The point to be emphasized is the importance of establishing
clearly the terms and
conditions that form the agreement between DOE and its
contractor(s) as to safe
management of the authorized work and which, if implemented,
well satisfy
contractual objectives set forth in the S/RIDs.
D. CERTIFICATION OF READINESS
Before the start-up of new facilities or the re-start after
shutdown of old facilities, the
DOE has, in response to Board recommendations, instituted a
process of readiness
review and certification both by the operating contractor
and the responsible DOE
authorities. The Board provides oversight. This process,
set forth in DOE safety
Order 5480.31, is intended to insure that a safety
management program responsive to
DOE imposed applicable requirements, is demonstrably in
place and functioning
effectively. Responsible contractors and DOE management
must certify to that effect
and designate the authorizing DOE official.
The basic concepts described above are generic and can be
adapted to the wide range
of facilities and activities that make up the defense
nuclear complex. A good
example of a safety management program for new facilities
structured in this
integrated way are Savannah River's (SR's) Defense Waste
Processing Facility
(DWPF) and the In-Tank Precipitation Facility (ITP). For
DWPF and ITP, the
contractor and DOE/SR have well developed a standards-based
safety management
plan that is currently undergoing the demonstration of
readiness to operate.
SUMMARY
In summary:
1. The model presented herein is structured upon the framework
of existing DOE Rules and
Orders. While the requirements and guidance set forth
therein might well benefit from
reorganization, consolidation and improvement, it is
important to retain the essence of
good safety practices that is embodied in the existing
framework.
2. Requirements in effect prescribe a process that begins with
hazards analysis and leads to
the definition of ways to:
(1) prevent exposures to radioactive sources
(2) preserve and properly use the safety features so designed
(3) prepare for emergencies and mitigate effects of mishaps
(4) manage the authorized activity safely
3. Standards-based safety management programs of DOE and its
operating contractors,
compared to commercial practice, is closely approached in
some of the newer DOE
facilities but existing DOE requirements and guidance are
not consistently or uniformly
applied across the complex.
4. It will require competent, consistent, centralized direction
to achieve uniformity and
consistency in standards-based management of DOE nuclear
facilities and activities.
�
TABLE - 1
Functional Areas and Associated Current DOE Safety
Orders
I. Prevention
A. System and Program Functional Areas to Ensure Defense
in Depth
1. Chemical Systems
a. 6430.1A General Design Criteria
2. Electrical Systems
a. 6430.1A General Design Criteria
3. Instrumentation and Control Systems
a. 6430.1A General Design Criteria
4. Mechanical Systems
a. 6430.1A General Design Criteria
5. Structural Systems
a. 6430.1A General Design Criteria
6. Nuclear Criticality
a. 5480.24 Nuclear Criticality Safety
7. Fire Protection
a. 5480.7A Fire Protection
8. Radiological Protection
a. 5400.5 Radiation Protection of the Public and the
Environment
b. 5480.11 Radiation Protection for Occupational
Workers
c. 5480.15 DOE Laboratory Accreditation Program for
Personnel Dosimetry
9. Waste Management and Minimization
a. 5820.2A Radioactive Waste Management
b. 5400.1 General Environmental Protection Program
� 10. Occupational Safety and Industrial Hygiene
a. 5480.1B Environment, Safety and Health Program
b. 5480.4 Environmental Protection, Safety and Health
Protection Standards
c. 5480.8A Contractor Occupational Medical Program
d. 5480.9A Construction Safety and Health Program
e. 5480.10 Contractor Industrial Hygiene Program
f. 5483.1A Occupational Safety and Health Program for
DOE Contractor
Employees at Government-Owned Contractor-Operated
Facilities
11. Nuclear Explosives Safety
a. 5600.1 Management of DOE Weapon Program and Weapon
Complex
b. 5610.10 Nuclear Explosive and Weapon Safety
Program
c. 5610.11 Nuclear Explosive Safety
d. 5610.12 Packaging of Offsite Transportation of
Nuclear Components, and
Special Assemblies Associated with the Nuclear
Explosive and Weapon
Safety Program
12. External Hazards
a. 5480.28 Natural Phenomena Hazards Mitigation
B. Functional Areas to Analyze for Defense in Depth
1. Safety and Hazards Analysis
a. 5480.6 Safety of DOE-Owned Reactors
b. 5480.21 Unreviewed Safety Questions
c. 5480.22 Technical Safety Requirements
d. 5480.23 Nuclear Safety Analysis Reports
e. 5480.25 Safety of Accelerator Facilities
f. 5480.30 Nuclear Reactor Safety Design Criteria
g. 5481.1B Safety Analysis and Review System
2. Systems Integration Analysis (e.g., reliability,
maintainability, supportability)
3. Packaging, Handling, and On-Site Transportation
a. 1540.2 Hazardous Material Packaging for Transport
- Administrative
Procedures
b. 1540.3A Base Technology for Radioactive Material
Transportation
Packaging Systems
c. 5480.3 Safety Requirements for the Packaging and
Transportation of
Hazardous Substances and Hazardous Wastes
d. 5632.11 Physical Protection of Unclassified
Irradiated Reactor Fuel in
Transit
II. Preservation
A. Functional Areas
1. Conduct of Operations
a. 5480.19 Conduct of Operations Requirements for DOE
Facilities
2. Configuration Management
3. Maintenance
a. 4330.4B Maintenance Management Program
4. Testing and Surveillance
5. Training and Qualification
a. 5480.18B Training Accreditation
b. 5480.20 Personnel Selection, Qualification,
Training and Staffing
Requirements at DOE Reactor and Non-reactor
Nuclear Facilities
III. Mitigation
A. Functional Areas
1. Emergency Management
a. 5500.1B Emergency Management System
b. 5500.2B Emergency Categories, Classes, and
Notification and Reporting
Requirements
c. 5500.3A Planning and Preparedness for Operational
Emergencies
d. 5500.4A Public Affairs Policy and Planning
Requirements
e. 5500.7B Emergency Operating Records Program
f. 5500.10 Emergency Readiness Assurance Program
g. 5530.1A Accident Response Group
h. 5530.2 Nuclear Emergency Search Team
i. 5530.3 Radiological Assistance Program
j. 5530.4 Aerial Measuring System
2. Environmental Protection
a. 5400.2A Environmental Compliance Issue
Coordination
b. 5400.4 CERCLA Requirements
c. 5440.1E NEPA Compliance Program�
3. Safeguards and Security
a. 5632.1C Protection and Control of Safeguards and
Security Interests
b. 5610.13 Joint DOE/DOD Nuclear Weapons System
Safety, Security, and
Control Activities
IV. Integration
A. Functional Areas
1. Management Systems
a. 1360.2B Unclassified Computer Security Program
b. 4700.1 Project Management System
c. 5000.3B Occurrence Reporting and Processing of
Operations Information
d. 5480.26 Trending and Analysis of Operations
Information Using
Performance Indicators
e. 5480.29 Employee Concerns Management System
f. 5480.31 Startup and Restart of Nuclear Facilities
g. 5482.1B Environment, Safety, and Health Appraisal
Program
h. 5484.1 Environmental Protection, Safety and Health
Protection Information
Reporting Requirements
2. Independent Review
a. 5480.17 Site Safety Representatives
3. Inspection and Enforcement
4. Standards Program
a. 1300.2A Department of Energy Technical Standards
Program
5. Quality Assurance
a. 5700.6C Quality Assurance
�
|
Section | Title | Note
(*) |
| 1 | Use and Application | 1 |
| 2 | Safety Limits | 2 |
| 3/4 | Operational Limits and Surveillance
Requirements | 3/4 |
| 5 | Administrative Controls: | 6 |
| 5.a | Contractor
Responsibility | 6.1 |
| 5.b | Contractor
Organization | 6.2.1 |
| 5.c | Procedures | 6.8 |
| 5.d | Programs | 6.8 |
| 5.e | Minimum Operations Shift
Complement | - |
| 5.f | Operating support | 6.2.2 |
| 5.g | Facility Staff Qualifications and
Training | 6.4 |
| 5.h | Operability Definition of Implementation
Principles | 1 |
| 5.i | TSR Basis Control | 6.8 |
| 5.j | Review and Audit | 6.5 |
| 5.k | Reporting Requirements | 6.9 |
| Appendix A | TSR Bases | Attah. to
3/4 |
| Appendix B | Design Features | 5 |
(*) Note: These are corresponding Sections from Table 1,
Technical Specifications,
Operating License, Comanche Peak, Unit #2
Table - 2
Technical Specifications Table of Contents
for DOE upgraded Safety Analysis Program
(DOE Order 5480.22)
�
Appendix I
EXAMPLE TERMS & CONDITIONS FOR AN
OPERATING LICENSE (OL) FOR A COMMERCIAL NUCLEAR POWER
PLANT
As an example of the conditions imposed on operation of
commercial nuclear power plants
the Operating License of Comanche Peak Unit No. 2 was studied.
The OL No. NPF-89 is
basically a five page letter (copy attached). The following is a
brief digest.
The Operating License first discusses how Texas Utilities
Electric meets or satisfies the NRC
requirements specified in the Code of Federal Regulations.
Several of these requirement are
specifically identified in the OL such as 10 CFR chapter 1; 10
CFR 140; 10 CFR 51; 10
CFR parts 30, 40, and 70; 10 CFR 50; and 10 CFR 70. The NRC then
states that the
license is subject to the additional conditions specified in
three Attachments, Appendices A,
B and C outlined below and some exemptions identified in the OL.
The license also lists
three specific programs: fire protection, physical security, and
financial protection, and
clarifies the contents of those programs.
Appendix A: Technical Specifications (NUREG-1468)
Appendix B: Environmental Protection Plan (non
radiological)
Appendix C: Antitrust Conditions
Appendix A - Technical Specifications:
This appendix consists of six (6) sections as shown in Table-1.
Section 6, Administrative
Controls, identifies some committed Safety Programs as individual
subsections e.g.
Responsibility, Organization, Training and Qualification,
Radiation Protection program, and
Review and Audit. Some other committed safety programs are
described under procedures
and programs in subsection 6.8. Whereas is stated that "written
procedures shall be
established, implemented, and maintained" covering the following
activities:
a. Applicable procedures recommended in Appendix A to Reg.
Guide 1.33 (These
procedures define the quality assurance program related to
operations, such as
operating procedures, startup and shutdown procedures,
procedures for combating
emergencies, etc.),
b. Emergency Operating Procedures,
c. Security Plan implementation,
d. Emergency Plan implementation,
e. Process Control Program implementation,
f. Offsite Dose Calculation Manual implementation,
g. Quality Assurance for effluent and environmental
monitoring,
h. Fire Protection program implementation, and
i. Technical Requirements Manual implementation.
In addition, Section 6.8.3 to Appendix A identifies some programs
that "shall be established,
implemented, and maintained", and are related to environmental
monitoring such as:
a) Primary Coolant sources outside containment,
b) In-plant Radiation Monitoring (airborne concentrations),
c) Secondary water chemistry,
d) Post-Accident sampling,
e) Radioactive Effluent controls program, and
f) Radiological Environmental Monitoring program.
�
|
Section | Title |
| 1 | Definitions |
| 2 | Safety Limits and Limiting Safety System
Settings |
| 3/4 | Limiting Conditions of Operations and
Surveillance Requirements |
| 5 | Design Features |
| 6 | Adminitrative Controls: | |
| 6.1 | Responsibility | |
| 6.2 | Organization |
| 6.3 | Staff Qualification |
| 6.4 | Training |
| 6.5 | Review and Audit |
| 6.6 | Reportable Event Action |
| 6.7 | Safety Limit violation |
| 6.8 | Procedures and programs |
| 6.9 | Reporting Requirements |
| 6.10 | Record Retention |
| 6.11 | Radiation Protection Program |
| 6.12 | High Radiation Area |
| 6.13 | Process Control Program |
| 6.14 | Offsite Dose Calculation Manual |
Table - 1, Appendix I
Technical Specifications Table of Contents
for Commercial Nuclear Power Plants
Appendix II
AUTHORIZATION AGREEMENTS
DOE ORDERS GUIDANCE
Much of what might be expected as summary terms and conditions
for safety management of
a nuclear facility or activity is set forth in DOE Order 5480.23,
Safety Analysis Report and
DOE Order 5480.22, Technical Safety Requirements. The guidance
differs somewhat
depending upon whether the facilities structure a safety
management program based upon a
fully completed upgraded safety analysis or an interim
preliminary analysis.
DOE Order 5480.23, Nuclear Safety Analysis Reports, requires all
existing facilities and
operations to submit a plan and schedule for implementing the
requirements of this order
within 180 days of its effective date (April 30, 1992). The
objective was an upgrading and
updating of the authorization basis for facilities with continued
operational missions. In the
interim, a Basis for Interim Operation (BIO) based upon a
preliminary assessment of facility
hazards was to be established.
With respect to existing facilities undergoing SAR upgrades,
pertinent guidance relative to
the development of a BIO includes the following:
a. DOE Standard STD-3011-94, Guidance for preparation of DOE
5480.22 (TSR) and DOE
5480.23 (SAR) Implementation Plans (IP), was issued in
November 1994 to clarify some
of the elements of the IP for submittal to DOE. Appendix A
to this standard discusses
safety assurance via BIO. It states that "The BIO
establishes the interim safety basis for
the facility; i.e., the information upon which DOE depends
for its conclusion that
operations at a facility can be conducted safely on an
interim basis until SAR and TSR
documents complying with the requirements of DOE 5480.22 and
DOE 5480.23 have
been approved."
b. DOE Standard 3011-94 states that the acceptability of the
BIO depends on the (1) Safety
Management Programs, (2) Safety and Hazards Analysis, and
(3) Identification of
Operational Controls. Examples of safety management
programs given in this standard
include: Radioactive and hazardous material waste
management; criticality protection;
radiation protection; hazardous material protection;
training; testing; surveillance;
maintenance; conduct of operations; configuration
management; quality assurance
(including document control); experimental review;
provisions for decontamination and
decommissioning (D&D); emergency preparedness, and human
factors.
c. The Operational Controls are defined in DOE Standard 3011-94
as Operational Safety
Requirements (OSRs), operating limits, surveillance
requirements, and administrative
controls needed to maintain the operations within the bounds
of the SAR. The Standard
explains that "Administrative controls implement safety
programs that also bound the
limits of normal operation. Surveillance requirements
ensure that the necessary
operability and quality of Structures, Systems, and
Components (SSCs) and their support
systems required for safe operations of the facility are
maintained."
For facilities with SARS that are compliant with requirements of
DOE-Order 5480.23:
a. Attachment 1 to DOE Order 5480.22, Technical Safety
Requirements, defines format and
content of a TSR.
b. Section 5.C of DOE Order 5480.22 states that "procedures
should be established,
implemented, and maintained for all activities in support of
the TSR. This should
include:
Emergency operating procedures,
Operating procedures for all phases of operation,
Procedures for all surveillance required by the TSR,
Security plan implementation,
Emergency plan implementation,
Fire protection,
Programs to ensure safety and healthful operation
(examples
detailed in section 5d of
DOE Order 5480.22), and
Administrative Procedures.
