DNFSB/TECH-6

Safety Management and Conduct of Operations
at the
Department of Energy's Defense Nuclear Facilities
Paper Prepared for the
Defense Nuclear Facilities Safety Board
October 6, 1995
by
Dr. Herbert J.C. Kouts
and
Mr. Joseph J. DiNunno
We wish to acknowledge input from Steven Krahn and Wayne Andrews. The concepts were also assisted in formulation through discussions at DOE's laboratories by a team of DNFSB staff consisting of Steven Krahn, Jan Preston, Albert Jordan, and Donald Owen, along with Dr. Gerald Tape, Dr. Duane Sewell, and Admiral John Drain.

REMARKS ON SAFETY MANAGEMENT AND CONDUCT OF OPERATIONS AT THE DEPARTMENT OF ENERGY'S DEFENSE NUCLEAR FACILITIES

INTRODUCTION

In issuance of the document "Fundamentals for Understanding Standards-Based Safety Management" (DNFSB/TECH-5), by Joseph J. DiNunno, the Defense Nuclear Facilities Safety Board (Board) discussed the nature of safety management of defense nuclear sites, facilities, and activities of the Department of Energy (DOE), managed for the Department by contractors. In this relationship, a contractor ensures safety of the site, facilities, and activities entrusted to him through operation in accordance with Safety Management Plans devised in the first instance by the contractor, and then finalized between the parties. The Safety Management Plan is part of the overall Plan of the contractor for the conduct of specified work covered by the contract. DOE expresses its concurrence in the Plan by its acceding to an Authorization Agreement. The Safety Management Plan and the Authorization Agreement accepting the Plan rest on an Authorization Basis that includes as safety documentation a Safety Analysis Report, a Standards/Requirements Identification Document (S/RID), Technical Safety Requirements (TSRs), and additional requirements that the Department may specify.

In 1992 the Board issued its Recommendation 92-5, calling for observance of a high level of conduct of operations at the Department's active defense nuclear facilities. In this Recommendation the Board took a broad view of the meaning of the term "conduct of operations," in effect equating it to the range of operational practices followed to ensure safety. The Safety Management System as described in DNFSB/TECH-5 and the scope of "conduct of operations" are therefore complementary subjects. Broadly speaking, a Safety Management System in the context of the Board's present discussion includes the formal relationship between the Department of Energy and its defense nuclear contractors to ensure safety in operations, including objectives, plans, and commitments. Conduct of operations refers to the body of practice that implements the system.

The Board now deems it advisable to elaborate on the concepts of safety management and conduct of operations as outlined in DNFSB/TECH-5, to avoid misunderstanding of the Board's views in these matters.
ESTABLISHING A NUCLEAR SAFETY MANAGEMENT SYSTEM
The important features of the Safety Management System as they reflect on conduct of operations are the same in application to all defense nuclear facilities, though their appearance may be highly variable because of the great differences in activities at different DOE facilities. All safety management, however, is based on defense in depth, which in this usage is the practice of using systems of equipment and systems of procedures in a structure of mutual reinforcement to avoid exposure of individuals and the environment to undesired nuclear radiation.

The process of safety management is discussed in DNFSB/TECH-5. It is shown as a flow diagram at the end of this document. It begins logically with definition by DOE of the mission to be accomplished by the contractor in operation of a site or facility, or conduct of an activity (Box 1). In other actions by the Department of Energy, requirements are formulated to ensure safety of operations. They are issued in various forms: statements of policy, safety rules, Orders, standards, and nonmandatory guidance. Some of these are appropriate to all activities sponsored by the Department (Box 2). Some might apply only to the specific site or type of site (Box 3).

The mission statement and the requirements are provided to the contractor. In order to make complex missions tractable, the contractor breaks the work into work packages (Box 4). The set of work packages may range from a formal work breakdown structure, appropriate to activities of a production type, to a structure by projects or disciplines, as may be more suited to a research or development mission.

Once the work is structured in smaller pieces, it is possible to plan how to do each piece and to apply the available resources in facilities, equipment, and manpower. A single mission or activity may require use of several facilities at the site. On the other hand, a large facility may be used in more than one of several unrelated missions or activities.

Part of work planning is development of the basis for ensuring safety of what is to be done. Not only must the contractor satisfy the Department as to his plan for achieving the mission, he also must provide assurance that the work will meet the stated safety objectives. The first step toward the latter objective is preparation of a Safety Analysis Report or a set of Safety Analysis Reports, covering the proposed work. The safety analysis becomes a basis for identifying the hazards to workers and the public and the proposed means for avoiding the hazards. The Safety Analysis Reports and material based on their results become part of an Authorization Basis, provision of which is the subject of Box 5.

The central component of the Authorization Basis is the Standards/Requirements Identification Document which states the standards and requirements that are to be used for safety reasons. Some standards and requirements are of such a general nature that it is appropriate to include them in an S/RID for an entire site. Others may be applicable only to individual facilities or activities, and would therefore be included in corresponding S/RIDs having that coverage. All standards and requirements to be used in ensuring safety somewhere at a site should be included in the appropriate S/RIDs. The contractor, in consultation with DOE, must establish a suitable structure of S/RIDs to cover the site. Then there will be an S/RID for the site, and other S/RIDs for facilities and, possibly, activities.

The Authorization Basis also includes other material that is to be relied on to ensure safety. Examples are standards and guides incorporated by reference and Technical Safety Requirements.

S/RIDs are first prepared by the contractor, with assistance and input as appropriate by DOE. The cooperation of DOE at this stage is advisable to ensure that the S/RIDs will be found satisfactory by DOE in its approval of the finished product.

S/RIDs are the central components of the Safety Management Plan for sites, for facilities to be used in discharge of the mission, or for activities to be conducted for this purpose. The other components of a Safety Management Plan are any commitments in the Safety Analysis Report for the facility or activity; the Technical Safety Requirements (TSRs) that will be applied; referenced material such as DOE Orders and guides, industry standards, or NRC guides and standards; and any other material relied on in developing the S/RIDs.

The contractor forwards the proposed work plan and Safety Management Plan to DOE for review and approval (Box 6). A period of discussion and revision may follow, during which modifications may be agreed on in order to reach agreement as to acceptability. The end product is agreement on final versions as an Authorization Basis for conduct of the work (Box 7). The agreement is made material in an Authorization Agreement formally endorsed by DOE and the contractor, which is made a contract term along with the S/RIDs.

The contractor then proceeds to do the work, subject to the conditions of the Authorization Agreement (Box 8). Conduct of operations then comes into play.

Experience (Box 9) may lead to improvement in the work plan and the conditions to be imposed on the work.

Though the above is presented in terms of radiological safety, the concepts and their application are completely general, applying just as well to hazards of all other kinds.
NORMAL COMPONENTS OF FORMALITY IN AN INTENSIVE PROGRAM OF CONDUCT OF OPERATIONS

It is important to understand what is meant by the Board in its use of the term "conduct of operations," since that term is not explicitly defined in DOE's Order 5480.19, Conduct of Operations for DOE Facilities.

The Board includes under conduct of operations all those attitudes, processes, and precautions taken in the interest of safety. Though features of a system of conduct of operations may be different at different facilities, the common feature is a formality of operations which will vary in form and degree depending on conditions discussed in the next section. The most intensive application of the concept would be found at the more hazardous facilities subject to the more repetitive types of activities.

Operational formality is a structured and systematic way of performing work. It is not simply a listing of functional areas, but rather a mindset, a way of doing business. A comprehensive program of operational formality should provide detailed guidance for performing essential elements of operations, such as: maintaining facility status within the Authorization Basis, formal communications, independent safety reviews, review of operating experience, and preparing, reviewing, approving, and using operating procedures. The Board has in mind issuance of a detailed set of guidelines to ensure that hazardous facilities and activities meriting intensive safety treatment are competently operated with full knowledge of their condition and the effect of operations, in a manner providing proper assurance of worker and equipment safety. In the present document, however, we wish simply to indicate the range and coverage of an intensive system.

Such a program would normally include the following:

  • Line management of operations including a clear chain of safety responsibility,

  • Detailed procedures for operation and maintenance, including emergency procedures,

  • For more hazardous operations, line-by-line adherence to the procedures with check-off after each step,

  • A formal process for review and approval of changes to the procedures,

  • Supervision by highly competent personnel who are knowledgeable as to the results of the safety analysis and operating limits for the facility or activity,

  • A highly trained and formally qualified staff of operators and maintenance personnel,

  • An effective radiation protection program,

  • Adherence to a safety envelope comprised of TSRs and S/RIDs,

  • A formal process for review and approval of structures, systems, and components important to safety and environmental protection,

  • A maintenance program that includes regularly scheduled preventive and predictive maintenance and timely corrective maintenance, conducted in accordance with approved procedures,

  • An orderly workplace,

  • A process which converts mistakes to lessons learned and uses these as a basis for improvement, and

  • A process of independent safety review that includes close attention of top management.

In application, the scope of operational formality must be reviewed to ensure that each element is appropriate to the operation under consideration. Those elements that are deemed applicable should be tailored in depth and rigor to match the hazards that may be present.

THE BASIS FOR GRADED SAFETY MANAGEMENT

It is clear that the level of conduct of operations necessary to meet safety objectives may be different in various activities at defense nuclear facilities of the Department of Energy.

1. The most intensive Safety Management System should be found at a facility where the principal activities are of a repetitive nature (such as production or cleanup) performed by technician-level personnel under supervision, where there is some potential for a large accident which could affect the workers or the surrounding public, and the activities in question or similar ones are expected to be continued for a number of years.

2. The features of a facility or operation that may be a basis for grading of safety management are:

  • The risk as indicated by safety analysis,

  • The competence and technical sophistication of the operating staff and the technical supervision, and

  • The expected duration of the operation or use of the facility.

3. Safety management can be graded in a number of ways, principally:

  • Depth and detail of safety analysis,

  • Redundancy and assured reliability of safety structures, systems, and components,

  • Number of TSRs and extent of defense in depth they provide,

  • Depth and detail of the S/RID,

  • Detail of written operating and maintenance procedures,

  • Training and qualification of workers, and

  • Other forms of formality of conduct of operations.

4. A low level of risk can be the basis for reduced intensity of safety management. However, the system must always include measures that may be needed to ensure a safe workplace, meaning measures that ensure an acceptably low likelihood of unintentional release of radioactive material or nuclear radiation and as low as reasonably achievable (ALARA) practices for normal operations.

5. If a facility is to be active for only a relatively short period of time, so that the benefit of following a normal system of safety management would be questionable when compared to the cost in time and money, it may be justifiable to use alternative procedures that are demonstrably effective. For instance, some training of technician-level personnel can be replaced by assignment of highly qualified individuals on shift, available on a real-time basis as backup to operators.

6. Operations at some facilities consist of research conducted by individuals well conversant with the subject matter underlying the work, such as those having advanced academic degrees in the topics and having demonstrated competence. In such cases, step-by-step procedures where they otherwise would have been needed can be replaced by such documents as those conventionally used for planning of experiments or operations, containing the objective of the work, the plan of operations, and precautions and limits placed on operations for safety reasons.

FORMALITY OF OPERATIONS AT DOE's DEFENSE RESEARCH LABORATORIES

The Board considers it appropriate that among the family of defense nuclear facilities operated for DOE, the style of conduct of operations may depart most from the detailed features in Section II at the defense research laboratories. A possible format for the research activities at these laboratories is found in the following. Note that it would be expected that production type activities at these laboratories would appropriately fall under the conventional form of Section II.

1. S/RIDs should be a domain of managers whose functions should include seeing that the S/RIDs are complied with. In this context, examples of managers are laboratory directors and their staff; directors of supporting activities such as fire protection, engineering, maintenance, and waste disposal; directors of projects of substantial size; building managers; and managers of production type activities.

2. Research scientists, heads of small projects, and operating staff should be familiar with the main features and results of the safety analysis, the TSRs, other operating limits, and the planning documents as the conditions permitting them to conduct their activities, and they should be bound by these conditions. It is not necessary that they be fully conversant with the contents of S/RIDs, which are to be enforced by the managers.

3. Activities with associated hazards should be conducted in accordance with written procedures that are based on an appropriate safety analysis and are appropriately reviewed and approved. These procedures can range from detailed, step-by-step actions to be followed in relatively routine processes, conducted by technician or production personnel, to more generalized analysis and guidance in the general form of laboratory experiment plans where research projects entail minor hazard. A process of ensuring adequacy of the procedures should be followed, including the process commonly known as walkdown.

4. The S/RIDs, the TSRs, any other operating limits imposed as a result of safety analysis, and the existence of the procedures and the safety analyses (but not their detailed contents) constitute a compact on which agreement to proceed with operations is to be based.