390 likes | 852 Views
Integrated Facility Change Control and the Relationship to Safety Basis. GEORGE L. PETERS. April, 2019. Introduction. Back in the 1980s, the 5480 series of DOE orders required some form of safety analysis/hazard categorization for DOE nuclear facilities
E N D
Integrated Facility Change Control and the Relationship to Safety Basis GEORGE L. PETERS April, 2019
Introduction • Back in the 1980s, the 5480 series of DOE orders required some form of safety analysis/hazard categorization for DOE nuclear facilities • The Nuclear Safety Management Rule, 10 CFR 830, came out in 2001 and contained the requirement for Documented Safety Analysis (DSA) development for Hazard Category (HC) 1, 2, and 3 facilities. • During the almost forty years since the original guidance on facility hazard categorization/hazard analysis, there have been several updates to the facility hazard categorization guides and standards, including DOE-STD-3009, DOE-STD-1027, DOE-STD-3011, and there are current efforts to update 10 CFR 830 itself.
Introduction • Most DOE facilities now have some form of hazard categorization/safety basis, that the hazard analysis/categorization is relatively mature. • The need for nuclear safety analysts has been greatly reduced so we can work with skeleton crews that are just waiting around for work to come in, right? Life is good!
Introduction • NO? Why? • While the safety basis documents for the majority of DOE facilities are relatively mature and robust—there is still a significant need for safety analysis resources. • This need is being driven in large part by the need to support facility changes in the DOE complex. • This need was recognized as far back as 1991; as stated in DOE Order 5480.21, Unreviewed Safety Question: “When DOE facilities were first authorized to operate, it was not anticipated that the need for facility modifications would be implemented with the frequency that has proven to be necessary.” Is it Friday yet?
Introduction • While the safety basis resources necessary to produce and maintain hazard analysis and categorization for DOE facilities may have been reduced, current safety basis demand is often being driven by the necessity of supporting facility change control. • While there have been significant efforts to update and refine the Unreviewed Safety Question (USQ) process as it applies to DOE facilities, and a significant upgrade to DOE-STD-1189, it might be timely to explore the role of safety basis in the overall facility change process.
Anatomy of a Facility Change • In order to implement an integrated change control approach, we will attempt to establish a framework or model of a facility change. • The origin of this model begins with an observation that is a common concept in other facility change documents. • The concept is that all facility changes may be separated into two general categories: changes in operations (activities) and changes in design (physical).
Anatomy of a Facility Change • So our first rule of facility change is as follows: • All changes to a facility can be placed into one of two categories, physical facility changes and changes to activities. • A physical change is any change that alters any physical condition or characteristic of any object within the defined facility boundaries. • This definition of physical changes to a facility is more inclusive than that of a design change in that it includes any physical change, including things such as painting, adding programmatic equipment to an existing room, and an exact replacement of a worn existing component for a new one.
Anatomy of a Facility Change • Conversely, an activity change is any change within the facility boundaries that consists of an alteration in personnel behavior or actions. • In essence, any change to a facility that is not a physical change may be categorized as an activity change. Change Category Examples
Prevention of Entanglement • One of the main purposes of creating two categories is the prevention of entanglement. • Entanglement occurs when the result of a review of physical and activity changes together differs from the results that would occur if reviewed separately. • This may be caused by considering a physical change as an adjunct to an activity change (i.e., needed for a new activity) and vice versa.
Prevention of Entanglement • Entanglement is fairly common, and may appear regularly in written guidance. • Several DOE guidance documents, as well as Los Alamos procedures have statements that discuss facility changes in terms of changes to operations and visa versa. • While it may appear to make sense to evaluate both physical changes and associated activity changes together (and it does), doing it as an entangled change can result in facility change review bias.
The Graded Approach • In this list of changes to the facility, physical changes start with a major modification and reduces in complexity until ending with changing a lightbulb. • This demonstrates that the range of scope and complexity for physical changes varies significantly. • This is also true of activity changes. This is the list of examples provided earlier. It demonstrates the inclusiveness of changes and the range of complexity.
The Graded Approach • Any approach to facility change should ideally be graded to the complexity and inherent risk of the change. • That being said, there are some issues in doing so. • There are so many permutations possible with facility modifications that it becomes extremely difficult to determine absolutes for the application of requirements, guidance or techniques. • The recommendations presented here should be graded to accommodate the changes under review. This is the list of examples provided earlier. It demonstrates the inclusiveness of changes and the range of complexity.
Completing the Model • To complete the model, we introduce the next rule: • Both physical and activity changes can be defined as one of two types: permanent and temporary • This is a purely temporal characterization of the two categories of changes. • Permanent changes are defined as changes that will exist once the facility change project is completed. • Temporary changes are those changes that are completed or do not exist after the facility change project is fully completed. This is an example of the facility change model in tabular form.
Completing the Model • Permanent changes are the intended products of a fully implemented facility change project. • Temporary changes are sometimes referred to as interim changes. • The purpose of the temporary, or “interim”, changes to the facility is to produce the permanent facility changes or “products” of the project. This is an example of the facility change model in tabular form.
Completing the Model • As with the previous rule, this is not an original concept, but an expansion of concepts that are present in existing change control guidance. • DOE G 424-1.1 addresses temporary or permanent changes in a facility directly. • However, this is an important distinction, because the change characteristics of temporary vs. permanent are significantly different, as is their treatment under the USQ process. This is an example of the facility change model in tabular form.
Completing the Model • One significant difference between temporary and permanent facility changes is how they may behave over time. • Permanent changes are static and remain constant as long as not altered by a subsequent facility change. • Temporary changes are not only transient, but some also constantly change over time. • Temporary changes often must be performed in a specific sequence (e.g. design-work package- construction- testing). • Another reason for this distinction is to prevent an entangled review. • The use of the term “state” connotes an emphasis on the physical state of the facility rather than the actual process of changing the facility itself.
Completing the Model Diagrammatic Model of Facility Change This model encompasses the entire universe of facility changes, whether they are subject to USQ/other safety basis review or not. In this diagram, the entire set of facility changes falling under one category is depicted by the white square areas, while the blue quarter circles represent the subset of those particular blocks whose changes would typically be subject to USQ/safety basis review.
Putting the Model to Use • Let us see if the model it is useful in making the process of facility change review more efficient. • One way this model might be used is to better define what aspects of a facility change needs review. • In the instance of an activity change to the facility that requires no physical change, only review of the activity changes (left two quadrants) need be required. • If the particular new activity happens to require only a change to procedures, our safety basis review may collapse to a single quadrant (permanent activity change). Eliminated from review New or Changed Activity Review This figure shows that only items on the left side of the diagram need be considered for the facility change. While this seems obvious, review of a physical change reveals a completely different result.
Putting the Model to Use • Most physical changes will require a consideration of all four quadrants. • A physical change not only creates temporary physical changes that require review; it requires at least one temporary activity to change the physical facility. • Even an exact replacement requires an activity to make the exchange. • Unless the change is an equivalent part, there are usually permanent activity changes in the form of new or updated operations, maintenance, and testing procedures.
Putting the Model to Use • This not only demonstrates why physical changes are more complex than activity changes, but it also brings us to our next rules: • No matter whether the changes to the facility are physical- or activity-related, they will always require temporary activities to make the change. • A change in facility activity may not require a physical change to the facility, but every physical change to the facility requires an associated activity. The Root of All Changes This diagram shows that the root of all facility changes originates with temporary activities. It also demonstrates that while changes to activities originate from temporary activities, physical changes also originate with temporary activities that must dogleg through temporary physical changes before complete.
Putting the Model to Use • Both activity and physical changes require temporary activities to produce those changes. • Some of the temporary activities—such as writing procedures, obtaining permits, creating work packages, completing designs, and updating facility safety basis—are explicit or implicit (usually institutional) procedures as described in the DSA and are not in themselves subject to the USQ process. • The products of these processes typically are. • Safety basis input into these products during the development phases can often be beneficial, regardless of whether these products would require USQ or not.
Putting the Model to Use • Because the activities in the temporary activity quadrant are often institutional administrative activities (i.e., writing procedures or completing designs), the activities in the temporary quadrant are often overlooked or neglected. • However, It is often the list of temporary activities that many of the facility change processes are trying to ascertain. • The major purpose of new activity review processes, the safety basis technical review processes, or facility change organizations (like a change control board or facility safety committee), is often to determine what needs to be done (activities) to produce a proposed change and who needs to be involved in this production.
Need for an Early Facility Change Review • There appears to be a need to have some form of early review of a proposed facility change to determine what needs to be done, who needs to do it, who needs to approve it, and who needs to have input. • A safety basis pre‑USQ review of a proposal can help determine if a change can be performed without DOE approval, how to make the change to avoid DOE approval requirements, how to minimize operational risk, which products will require USQ review, and provide input for safety in the design. • Why go through the trouble of creating a design change package that gets a positive USQD when some form of preliminary safety basis review would have informed the proposer that it would be positive?
Need for an Early Facility Change Review • Safety basis typically participates in change control for a facility with a DOE-approved safety basis through the USQ/USI process. • The purpose of the USQ/USI process is not to provide safety basis design control input, but to determine approval authority for the proposed facility change. • The need for some type of facility change review process outside of (and prior to) the USQ process appears in several guidance documents. For example: The current USQ guide comments on the integration of safety basis: “The USQ process is intended to be implemented along with a change control process that includes generalized steps for • 1) identifying and describing the temporary or permanent change, and • 2) technical reviews of the change,”
Why Direct Application of the Commercial Nuclear USQ Process Creates Difficulty at DOE Sites • I have often been questioned on how the USQ process works in the commercial world and why it seems less resource-intensive. • At the end of 1991, DOE Order 5480.21, Unreviewed Safety Question, was issued which acknowledged its derivation from commercial nuclear directly: “This Order has been developed according to some of the same principles present in the commercial industry and enumerated in 10 CFR 50.59. “ • The seven USQ questions that we have currently in the DOE USQ process have their genesis in the commercial nuclear 50.59 review process that existed over a quarter of a century ago.
Why Direct Application of the Commercial Nuclear USQ Process Creates Difficulty at DOE Sites • Since that time, 10 CFR50.59 has been updated and now contains the following eight questions: (2) A licensee shall obtain a license amendment pursuant to Sec. 50.90 prior to implementing a proposed change, test, or experiment if the change, test, or experiment would: • Result in more than a minimal increase in the frequency of occurrence of an accident previously evaluated in the final safety analysis report; • Result in more than a minimal increase in the likelihood of occurrence of a malfunction of a structure, system, or component (SSC) important to safety previously evaluated in the final safety analysis report; • Result in more than a minimal increase in the consequences of an accident previously evaluated in the final safety analysis report; • Result in more than a minimal increase in the consequences of a malfunction of an SSC important to safety previously evaluated in the final safety analysis report; • Create a possibility for an accident of a different type than any previously evaluated in the final safety analysis report; • Create a possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the final safety analysis report; • Result in a design basis limit for a fission product barrier as described in the FSAR being exceeded or altered; or • Result in a departure from a method of evaluation described in the FSAR used in establishing the design bases or in the safety analyses.
Why Direct Application of the Commercial Nuclear USQ Process Creates Difficulty at DOE Sites • There are two differences in these newer 50.59 questions that are probably most notable for DOE safety analysts: • The absence of the “margin of safety question”. • The use of the term “more than a minimal increase” in several of these questions. • There is also another provision in the NRC rule that differentiates it from the DOE counterpart: “(4) The provisions in this section do not apply to changes to the facility or procedures when the applicable regulations establish more specific criteria for accomplishing such changes.” • This means that in the commercial utility world, changes to procedures or the facility that are governed by their radiation protection, OSHA, and other regulations are exempt by law from the USQ process.
Why Direct Application of the Commercial Nuclear USQ Process Creates Difficulty at DOE Sites • There is also a significant difference in commercial, versus DOE, facilities themselves. • A commercial nuclear reactor is a single-use facility whose sole purpose is to make money for the utility. It makes electricity, is refueled and maintained, and then makes electricity again. • There is very little incentive to make facility changes, therefore most of the major physical changes to the facility are being done at the direction of the regulator, thereby not requiring any 10 CFR 50.59 (NRC USQ process) review.
Why Direct Application of the Commercial Nuclear USQ Process Creates Difficulty at DOE Sites • Commercial nuclear facilities have redundant trains for all of their safety systems. • It is often possible to take out a safety component or equipment to change, maintain, or test it without compromising the safety function of the overall system. • This can usually be performed under an action statement of a Technical Specification (a commercial TSR) that would not require a USQ.
Why Direct Application of the Commercial Nuclear USQ Process Creates Difficulty at DOE Sites • There is a major difference in work scheduling for commercial utilities. • The biggest factor contributing to the reduction in facility review is that most major facility physical work is performed during the time the reactor is shut down for a scheduled outage. • With the fuel safely cooling off in the spent fuel pit, there is little that can be done to the facility that would create any significant risk.
Why Direct Application of the Commercial Nuclear USQ Process Creates Difficulty at DOE Sites • Because of the redundancy and the fact that most change work is done during an outage, the interim state is inconsequential and our model for facility change becomes the following:
Why Direct Application of the Commercial Nuclear USQ Process Creates Difficulty at DOE Sites • Practically all the intermediate changes to a commercial facility are performed in a mode or condition that cannot affect facility safety. • The USQ screening questions make more sensewhen you consider the elimination of concern for intermediate changes, you can simply look at the changes to the procedures and changes to the facility (permanent changes) without concern for the temporary facility changes.
Why Direct Application of the Commercial Nuclear USQ Process Creates Difficulty at DOE Sites • Besides DOE reactors and some accelerators, very few DOE facilities go into an extended outage. • Physical modifications not only occur while there are operations occurring in the facility, sometimes these modifications occur while there are operations ongoing in close proximity. • This can severely complicate performing physical changes versus those performed in a shutdown facility.
Why Direct Application of the Commercial Nuclear USQ Process Creates Difficulty at DOE Sites • To summarize why the 10 CFR 50.59 process is more difficult at DOE facilities: • Commercial nuclear facilities do not perform major facility changes as frequently and when they do, it is often under direction of the NRC. • Commercial nuclear facilities have dual redundant trains for safety systems. • Commercial nuclear facilities do all significant facility changes in a mode or condition (outage) that eliminates the need to consider the intermediate state.
Lessons Learned • There is a need for a pre-USQ review: • There appears to be a need for some sort of safety basis or management review of somewhat complex changes to a facility that do not rise to the level of requiring compliance with DOE STD 1189. • The safety basis review would be to determine: • if the change could be made without requiring a change to the facility safety basis, • which facility change products safety basis input would be valuable to, and • which products would require a USQ review when completed. • There also appears to be a need to have some form of early review of a proposed facility change to determine what needs to be done, who needs to do it, who needs to approve it, and who needs to have input.
Lessons Learned • The facility change model might be useful in determining safety basis participation in pre-USQ activities: • The pre-USQ process would best be incorporated into an overall facility safety or operational review process. • This pre-USQ process might also be used to determine other participants’ roles and requirements in the facility change. • A review would begin with lists of the permanent changes in their respective categories by asking: • What is/are the physical change(s) required in the facility? • What is/are the changes required in the facility activity(ies)? • By clearly defining the specific facility changes (permanent/products) and placing them in the permanent activity change or permanent physical change columns, we can evaluate them separately in such a way as to avoid bias or entanglement.
Lessons Learned • The facility change model might be useful in determining safety basis participation in pre-USQ activities: • Once all the products required for the facility change have been specified, the activities required to complete them can be determined. • The next question of the facility change process would be: • What activities must occur in order produce the permanent changes determined from the above two questions? • At this stage of a facility change, once the model has been populated to the degree possible, determinations can be made as to the individuals who would be performing these activities, what safety basis input should be provided, and which products require USQ determinations. • The suggested final step of this integrated facility change control process is to proceed to execute the activities as a coordinated unified package.
Conclusion • Performing USQs and safety basis reviews on a comprehensive package is always preferred. • Design changes that are performed in a mode or condition that allows taking parts of the facility out of service can simplify the safety basis issues by eliminating concern over the temporary activities and interim state. • Use of the provided facility change model could provide a proper roadmap to implement facility changes and allow for use of the integrated change control process suggested. • There appears to be a need for a graded safety basis review/coordination process that is separate from the USQ process for facilities that do not require use of the DOE STD 1189 (or DOE O 413.3B for the HAR). • Early Safety Basis engagement can reduce costs and help to minimize project errors and delays.
The end! Any questions? Life is good!