SlideShare a Scribd company logo

Integrated Facility Change Control and the Relationship to Safety Basis

G
GeorgePeters22

This document proposes an integrated approach to facility change control that addresses both physical design changes and operational changes. It defines two categories of facility changes - physical changes that alter the facility structure or components, and activity changes that alter personnel actions. Changes can also be categorized as permanent or temporary. The document notes that existing change control guidance can result in "entanglement" by combining different types of changes. It analyzes Los Alamos National Laboratory procedures to show how they focus more on either physical changes or activity changes. The proposed model categorizes all facility changes to prevent bias and allow separate review of different change types. It aims to improve efficiency of the facility change review process.

Business
1 of 18
Download to read offline
Integrated Facility Change Control and the Relationship to Safety Basis GEORGE L. PETERS
Page 1 of 17 Integrated Facility Change Control and the Relationship to Safety Basis Abstract This paper presents a proposed integrated approach to facility change control that addresses changes to both facility design and operations in a formal and organized manner, based on an extrapolation of existing guidance. The relationship of safety basis to the facility change process is explored and the integration of safety basis into the facility change control process is considered. There follows a discussion of change control guidance for the Department of Energy (DOE) complex with a comparison of DOE change control with that of change control in commercial nuclear reactors. It concludes with a derivation of suggestions for implementing a facility change control model with safety basis participation into the facility change control process to allow for an integrated review that may eliminate many of the issues that have plagued DOE complex change control in the past. Introduction The Nuclear Safety Management Rule, 10 CFR 830, came out in 2001 and contained the requirement for Documented Safety Analysis (DSA) development for Hazard Category (HC) 1, 2, and 3 facilities. Back in the 1980s, the 5480 series of DOE orders required some form of safety analysis/hazard categorization for DOE nuclear facilities for which a potentially significant nuclear hazard existed. During the almost forty years since the original guidance on facility hazard categorization/hazard analysis, there have been several updates to the facility hazard categorization guides and standards, including DOE-STD-3009, DOE-STD-1027, DOE-STD-3011, and there are current efforts to update 10 CFR 830 itself. After of all this time and effort, one might expect that all DOE facilities now have some form of hazard categorization/safety basis, that the hazard analysis/categorization is relatively mature, and the need for nuclear safety analysts has been greatly reduced. Those of us who work in the nuclear safety organizations at DOE facilities know this is not true. While hazard inventories, characterization, and analysis for DOE facilities are largely complete—and while the safety basis documents for the majority of these facilities are relatively mature and robust—there is still a significant need for safety analysis resources. This need is being driven in large part by the need to support facility changes in the DOE complex. This need was recognized as far back as 1991; as stated in DOE Order 5480.21, Unreviewed Safety Question: “When DOE facilities were first authorized to operate, it was not anticipated that the need for facility modifications would be implemented with the frequency that has proven to be necessary. As a result, the need for elaborate configuration and modification controls were not clearly understood.” Therefore, while the safety basis resources necessary to produce and maintain hazard analysis and categorization for DOE facilities may have been reduced, current safety basis demand is often being driven by the necessity of supporting facility change control. While there have been significant efforts to update and refine the Unreviewed Safety Question (USQ) process as it applies to DOE facilities, and a
Page 2 of 17 significant upgrade to DOE-STD-1189, it might be timely to explore the role of safety basis in the overall facility change process. Background The origin of this report began with a simple question, which occurred during an assignment to revise Los Alamos National Laboratory (LANL) Safety Basis procedure SBP-114-9, Safety Basis Checklist and Technical Review. This procedure’s stated purpose is to “provide a method and checklist for a safety analyst to perform Safety Basis technical reviews on proposed changes to a nuclear, accelerator, or non- nuclear facility that is consistent with principles outlined in DOE-STD-1073-2016, Configuration Management.” I had previously revised another LANL Safety Basis procedure, SBP-111-3, New or Changed Activity Approval Process, whose purpose states “This procedure sets forth the process to obtain authorization for new, changed, or resumed work activities at Los Alamos National Laboratory (LANL) for low hazard facilities.” While both procedures profess to have a difference in purpose and applicability, they both rely on a checklist consisting of a series of questions designed to determine the nature of the change, the permits and reviews required, and what support personnel may be required to implement the change properly. Because these procedure checklists and instructions were so eerily similar, questions arose from my comparison: “Do we have duplicative procedures?” “Can both of these procedures be combined into an integrated facility change review?” In attempting to answer these questions, a thorough analysis of “what is a facility change as defined in this document” was derived. Anatomy of a Facility Change In order to implement an integrated change control approach, we need to establish a framework to understand what a facility change consists of in the context of facility change control. The beginning of this framework starts with an observation. It is termed an observation because it is not an original concept and the concept appears frequently in existing change control documents. The concept is that all facility changes may be separated into two general categories: changes in operations (activities) and changes in design (physical). While this concept is generally useful and appears regularly, I have yet to find a formal definition of either. This lack of definition and reliance on intuitive understanding can lead to several issues. Beginning at this observation, we will define the two types of changes and create our first rule on integrated change control. This rule is as follows:  All changes to a facility can be placed into one of two categories, physical facility changes and changes to activities. A physical change is any change that alters any physical condition or characteristic of any object within the defined facility boundaries. Understand that this definition of physical changes to a facility is more inclusive than that of a design change in that it includes any physical change, including things such as painting, adding programmatic equipment to an existing room, and an exact replacement of a worn existing component for a new one. Conversely, an activity change is any change within the facility boundaries that consists of an alteration in personnel behavior or actions.
Page 3 of 17 In essence, any change to a facility that is not a physical change may be categorized as an activity change. Examples of facility change category activities and physical changes are provided in Table 1. Table 1 – Change Category Examples Activity Change Physical Change Facility repurposing Adding a new hazard (biological, explosives, etc.) Adding a new process Increase in quantity of existing hazard Adding a new technique Increasing current process throughput New Facility Major Modification Footprint expansion Addition of equipment Replacement of equipment Changing a lightbulb We have now defined two categories of facility change and defined a rule of use. What advantages does that provide? Prevention of Entanglement One of the main purposes of creating two categories is the prevention of entanglement. This may occur when reviewing or evaluating a design change—with its associated activity changes, or an activity change with its associated physical changes—as a single composite entity, such that the review of one type of change compromises or influences the review of the associated changes. This may be caused by considering a physical change as an adjunct to an activity change (i.e., needed for a new activity) and vice versa. Entanglement occurs when the result of a review of physical and activity changes together differs from the results that would occur if reviewed separately. While it may appear to make sense to evaluate both physical changes and associated activity changes together (and it does), doing it as an entangled change can result in facility change review bias. Entanglement is fairly common, and may appear regularly in written guidance. As one example, DOE G 420.2-1a states ”Use of the USI process to address facility modifications should involve an evaluation or screening of changes in accelerator operations, modifications of credited controls, or changes in accelerator safety administrative programs if they have the potential to significantly affect safety.” It appears to be direction to address physical modifications to an accelerator by reviewing their effect on operations or administrative programs. While this is the only example cited here, this type of guidance commonly appears in other DOE guidance. This effect was also observed in analysis of the LANL procedures for new activity review and safety basis technical review. Let’s take a look at the first several questions from the respective checklists:
Page 4 of 17 From the New Activity Checklist Could the proposed change: Item Yes No 1 ☐ ☐ Change an existing process, or create a new process that may introduce unanalyzed hazards? 2 ☐ ☐ Increase material-at-risk (MAR), or change form, type, location, containment, confinement, etc., as described in the safety basis? 3 ☐ ☐ Create a new initiator for an existing hazard event or scenario? From the Safety Basis Review Checklist Could the proposed change: Item Yes No 1 ☐ ☐ Change an existing process, or create a new process that may introduce unanalyzed hazards? Consider SSCs, software, and changes to existing processes. For example, is a procedure change being introduced that alters a work process involving stored energy (pressure, vacuum, electrical, etc.), control software, chemical process, waste stream, material movement, shielding, fuel, heat, or cryogens? 2 ☐ ☐ Increase material-at-risk (MAR), or change form, type, location, containment, confinement, etc., as described in the safety basis? For example, is MAR being (or will be as a result of the change) located or relocated to a location not as described in the DSA or TSRs? Is the form and type of MAR analyzed for this location? 3 ☐ ☐ Create a new initiator for an existing hazard event or scenario? For example, are pyrophorics, mechanical energy (overhead crane), pressurized gas bottles, etc. being introduced? On first review, it appears that we have two procedures that perform the same basic function, and those two procedures can be combined. However, in order to achieve this combination, some significant differences exist that need to be overcome. While the SBRT questions may be the same or similar to the new activity questions, there is a definite design-centric emphasis to their approach. It appears that although these documents attempt to address facility changes by a simultaneous consideration of both the physical changes to the facility and operational changes to the facility, the guidance provided may be unintentionally inserting bias into the process. The LANL Safety Basis Checklist and Technical Review procedure, SBP-114-9, contains questions dealing with operations, but purely in the context of design change control. The LANL New or Changed Activity Approval Process procedure contains questions on the changes to the physical design of the facility to support the activity, but marginally. This means it is quite possible that you could review the exact same facility change through the two procedures and obtain different conclusions. While it is always possible to introduce a bias into any facility change review, it important to recognize it – not institutionalize it.
Page 5 of 17 The Graded Approach Before we move on, I want to recognize the important yet familiar concept of the graded approach as applies to facility change review. The list of physical changes to the facility previously presented starts with a major modification and reduces in complexity until it ends with changing a lightbulb. This was intentional for two reasons. The first is to demonstrate that this paper’s meaning of physical changes to the facility is more inclusive than the set of changes considered in the USQ process (i.e., changing a lightbulb would not be considered a change to the facility as described in the DSA.) The second is to demonstrate that the range of scope and complexity for physical changes varies significantly. This is also true of activity changes. There is a large difference between repurposing a facility and simply increasing the throughput of a process. This range is recognized here to emphasize that any approach to facility change should ideally be graded to the complexity and inherent risk of the change. That being said, there are some issues in doing so. It is difficult to establish absolute thresholds for determining the rigor of a specific facility change review. We have seen this difficulty in establishing thresholds for a major modification subject to DOE-STD-1189. There are so many permutations possible with facility modifications that it becomes extremely difficult to determine absolutes for the application of requirements, guidance or techniques. Replacing a HEPA filter covered in dried picric acid crystals (an explosive)—which would normally be considered an exact replacement requiring little review—might actually be more dangerous than the installation of a whole new process line. Realize that this paper is covering the entire range of possible facility changes, and the recommendations presented here should be graded to accommodate the changes under review. Completing the Model To complete the model, we introduce the next rule for integrated facility change management:  Both physical and activity changes can be defined as one of two types: permanent and temporary. This is a purely temporal characterization of the two categories of changes. Permanent changes are defined as changes that will exist once the facility change is completed. These are the intended products of a fully implemented facility change. Temporary changes, which are sometimes referred to as interim changes, are those changes that are completed or do not exist after the facility change is fully completed. As an example: Activity Physical Permanent New operating procedures New maintenance procedures New testing procedures and schedule Equipment installed and tested Parts exchanged/repaired Updated drawings Equipment labeled Temporary Completing design Writing work package Updating safety basis Permits obtained System locked out Scaffolding erected Equipment disassembled
Page 6 of 17 As with the previous rule, this is not an original concept, but an expansion of concepts that are present in existing change control guidance. For instance, Section 2.1 of DOE G 424-1.1 addresses temporary or permanent changes in a facility directly. However, this is an important distinction, because the change characteristics of temporary vs. permanent are significantly different, as is their treatment under the USQ process. An illustration of our holistic facility design road map is provided for reference below: One significant difference between temporary and permanent facility changes is how they may behave over time. Permanent changes are static and remain constant as long as not altered by a subsequent facility change, and therefore can be considered “products” of the change. Temporary changes are not only transient, but some are also constantly changing. For instance, most construction/installation jobs physically change over time. Also, realize there is a range to the degree and duration of a facility change. Adding a new facility wing takes a lot more physical changes with time than simply changing a lightbulb. It also important to note that temporary changes often must be performed in a specific sequence. A physical change cannot be made without a work package, the work package cannot be completed until the design is finalized, etc. This is in contrast to permanent changes that would usually coexist concurrently once the facility change is complete. Another reason for this distinction is to prevent an entangled review. The bias toward the physical state of a facility can sometimes be seen in the USQ process with regard to consideration of the “interim state” when reviewing a work control document. The use of the term “state” connotes an emphasis on the physical state of the facility rather than the actual process of changing the facility itself. Indeed, the examples usually provided for training on considering the interim state are physical ones—such as Diagrammatic Model of Facility Change This model encompasses the entire universe of facility changes, whether they are subject to USQ/other safety basis review or not. In this diagram, the entire set of facility changes falling under one category is depicted by the white square areas, while the blue quarter circles represent the subset of those particular blocks whose changes would typically be subject to USQ/safety basis review.
Page 7 of 17 scaffolding potentially impacting a safety system, or removal of ceiling tiles potentially compromising a credited fire suppression system. DOE G 424.1-1B itself addresses the subject of hazards during installation of a facility modification in section B.2 by stating “DOE relies on the contractor’s normal work control procedures to address worker hazards involved in the actual installation of a modification, not on the USQ process”; however “the conduct of the work may involve the introduction of hazards that can constitute a threat to the facility safety basis such as the use of a crane that could fall on equipment important to safety.” This suggests that the actual activity of making a facility change or modification does not require attention as facility safety programs adequately cover it; however, attention must be paid to intermediate physical conditions that may impact facility safety. Just as with the entanglement of physical and activity changes, entanglement can occur between review of permanent and temporary changes. For instance, some USQ procedures exempt drawings from the USQ process with the caveat that “drawings do not make a change to the facility. The work package actually makes the change.” However, reviewing a work package without any of the design documents requires the reviewer to try to determine the nature of the change with limited information. This example of safety basis forensics attempts to determine the permanent physical change (a product) from a temporary activity document. Similarly, reviewing maintenance and testing procedures without the design documents is an example of reviewing a permanent activity change without information on the permanent physical change. Putting the Model to Use All of this analysis would be little more than an interesting concept if it is not put to use. Let us see if it is useful in making the process of facility change review more efficient. One way this model might be used is to better define what aspects of a facility change needs review. In the instance of an activity change to the facility that requires no physical change, only review of the activity changes (left two quadrants) need be required as shown: If the particular new activity happens to require only a change to procedures, our safety basis review may collapse to a single quadrant (permanent activity change). New or Changed Activity Review This figure shows that only items on the left side of the diagram need be considered for the facility change. While this seems obvious, review of a physical change reveals a completely different result. Eliminated from review
Page 8 of 17 This situation changes completely when we consider a physical change to the facility. Most physical changes will require a consideration of all four quadrants of the facility change model. This is because a physical change not only creates temporary physical changes that require review; it requires at least one temporary activity to change the physical facility. Many of these physical change activities meet the requirements of a “test or experiment”—such as never having been performed previously, never to be performed again, and not anticipated in the original analysis. Even an exact replacement requires an activity to make the exchange (which might result in a need for review.) In addition, unless the change is an equivalent part, there are usually permanent activity changes in the form of new or updated operations, maintenance, and testing procedures. This not only demonstrates why physical changes are more complex than activity changes, but it also brings us to our next rules:  No matter whether the changes to the facility are physical- or activity-related, they will always require temporary activities to make the change.  A change in facility activity may not require a physical change to the facility, but every physical change to the facility requires an associated activity. Both activity and physical changes require temporary activities to produce those changes. The good news for safety basis review is that some of the temporary activities—such as writing procedures, obtaining permits, creating work packages, completing designs, and updating facility safety basis—are explicit or implicit (usually institutional) procedures as described in the DSA and are not in themselves subject to the USQ process. However, the products of these processes usually are. Therefore, safety basis input into these products during the development phases can often be beneficial, regardless of whether these products would require USQ or not. This last observation is significant. Because the activities in the temporary activity quadrant are often institutional administrative activities (i.e., writing procedures or completing designs), the activities in the temporary quadrant are often overlooked or neglected. However, it is often the list of temporary activities that many of the change processes are trying to ascertain. Reviews of new activity review processes, the safety basis technical review processes, or facility change organizations (like a change control board or facility safety committee), indicates their major purpose is often to determine what The Root of All Changes This diagram shows that the root of all facility changes originates with temporary activities. It also demonstrates that while changes to activities originate from temporary activities, physical changes also originate with temporary activities that must dogleg through temporary physical changes before complete.
Page 9 of 17 needs to be done (activities) to implement a proposed change and who needs to be involved in these activities. Many of the reviewed facility change review committees consist of members of various constituent organizations that listen to a series of questions so that the committee members can determine what their organization’s level of participation in production of the facility change products. This brings up an important observation in this discussion. There appears to be a need to have some form of early review of a proposed facility change to determine what needs to be done, who needs to do it, who needs to approve it, and who needs to have input. In particular, a safety basis pre-USQ review of a proposal can help determine if a change can be performed without DOE approval, how to make the change to avoid DOE approval requirements, how to minimize operational risk, which products will require USQ review, and provide input for safety in the design. While some may assume that this is the purpose of a USQ process, this would not be very efficient, especially as the proposal becomes more complicated and risky. For instance, why go through the trouble of creating a design change package that gets a positive USQD when some form of preliminary safety basis review would have informed the proposer that it would be positive, or that it would be a negative if they had simply made a simple change to the design? When asked how safety basis participates in change control for a facility with a DOE-approved safety basis, many will respond “through the USQ/USI process.” However, the purpose of the USQ/USI process is not to provide safety basis design control input, but to determine approval authority for the proposed facility change. USQ Guide DOE G 424.1-1 confirms this with the following statement: “Each facility should identify the methods for making facility changes (for example, whether changes are made under modification processes, nonconformance processes, or maintenance processes). After methods have been identified, the contractor needs to maintain control of the facility change process and perform and document changes in accordance with approved procedures.” POC Model This figure shows how the facility change model can aid in determining the primary contact organization for each aspect of a facility change.
Page 10 of 17 The need for some type of facility change review process outside of (and prior to) the USQ process appears in several places. In the following quotes, the current USQ guide comments on the integration of safety basis: “The USQ process is intended to be implemented along with a change control process that includes generalized steps for— 1) identifying and describing the temporary or permanent change, and 2) technical reviews of the change,” At LANL we have a new activity review process whose primary purpose is to determine if there needs to be a change to the facility safety basis. Additionally, LANL has a separate safety basis technical review process that is designed to be used to evaluate any change to the facility that may affect the safety envelope prior to the USQ process. LANL also has change control procedures at other facilities that intend to “ensure that physical or operational configuration changes are properly identified, developed, reviewed, approved, implemented, and documented.” Based on these and other indications, it is safe to conclude that there seems to be a need for a comprehensive facility change review process, separate from the USQ process, for proposed facility changes that do not require following the major modification process or the DOE submittal of a new or revised facility DSA. Why Direct Application of the Commercial Nuclear USQ Process Creates Difficulty at DOE Sites As a safety analyst who began my career in the commercial nuclear field, I have often been questioned on how the USQ process works in the commercial world and why it seems less resource- intensive. This segue from the discussion of facility change analysis is designed to provide some insight into the change control processes at commercial nuclear facilities with the intent that it will help provide recommendations on facility change control for DOE sites. At the end of 1991, DOE Order 5480.21, Unreviewed Safety Question, was issued. DOE Order 5480.21 acknowledges its derivation directly: “This Order has been developed according to some of the same principles present in the commercial industry and enumerated in 10 CFR 50.59. The purpose of this Order is similar to that of 10 CFR 50.59.” Thus, the seven USQ questions that we have currently in the DOE USQ process have their genesis in the commercial nuclear 50.59 review process that existed over a quarter of a century ago. Since that time, 10 CFR50.59 has been updated and now contains the following eight questions: (2) A licensee shall obtain a license amendment pursuant to Sec. 50.90 prior to implementing a proposed change, test, or experiment if the change, test, or experiment would: (i) Result in more than a minimal increase in the frequency of occurrence of an accident previously evaluated in the final safety analysis report (as updated); (ii) Result in more than a minimal increase in the likelihood of occurrence of a malfunction of a structure, system, or component (SSC) important to safety previously evaluated in the final safety analysis report (as updated); (iii) Result in more than a minimal increase in the consequences of an accident previously evaluated in the final safety analysis report (as updated);
Page 11 of 17 (iv) Result in more than a minimal increase in the consequences of a malfunction of an SSC important to safety previously evaluated in the final safety analysis report (as updated); (v) Create a possibility for an accident of a different type than any previously evaluated in the final safety analysis report (as updated); (vi) Create a possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the final safety analysis report (as updated); (vii) Result in a design basis limit for a fission product barrier as described in the FSAR (as updated) being exceeded or altered; or (viii) Result in a departure from a method of evaluation described in the FSAR (as updated) used in establishing the design bases or in the safety analyses. There are two differences in these newer 50.59 questions that are probably most notable for DOE safety analysts. The first is the absence of the “margin of safety question”. The second is the use of the term “more than a minimal increase” in several of these questions. There is also another provision in the NRC rule that differentiates it from the DOE counterpart: “(4) The provisions in this section do not apply to changes to the facility or procedures when the applicable regulations establish more specific criteria for accomplishing such changes.” This means that in the commercial utility world, changes to procedures or the facility that are governed by their radiation protection, OSHA, and other regulations are exempt by law from the USQ process. In addition to the differences in the current USQ regulatory guidance, there is also a significant difference in the facilities themselves. A commercial nuclear reactor is a single-use facility whose sole purpose is to make money for the utility. It makes electricity, is refueled and maintained, and then makes electricity again. This means that there is very little incentive to make facility changes. Related to this is the fact that most of the major physical changes to the facility are being done at the direction of the regulator, thereby not requiring any 10 CFR 50.59 (NRC USQ process) review. While these explain some of the differences, there are also some other differences between commercial nuclear facilities and DOE facilities that may not be apparent to those who don’t have the experience of working at both. One of these differences is that commercial nuclear facilities have redundant trains for all of their safety systems. (Redundancy is the duplication of critical components or functions of a system with the intention of increasing reliability of the system, usually in the form of a backup or fail-safe.) This means that it is often possible to take out a safety component or equipment to change, maintain, or test it without compromising the safety function of the overall system. This can usually be performed under an action statement of a Technical Specification (a commercial TSR) that would not require a USQ. Most importantly, there is a major difference in work scheduling for commercial utilities. Probably the biggest factor contributing to the reduction in facility review is that most major facility physical work is performed during the time the reactor is shut down for a scheduled outage. With the fuel
Page 12 of 17 safely cooling off in the spent fuel pit, there is little that can be done to the facility that would create any significant risk. Maintenance and construction can lock out entire systems, build scaffolding, and cut and weld to their hearts’ delight. As long as the area is cleaned up and the system tests okay before start-up, there is little else to be concerned about from a safety basis standpoint. Because of the redundancy and the fact that most change work is done during an outage, the interim state is inconsequential and our model for facility change becomes the following: This makes the job of facility review a lot less cumbersome, as all the intermediate changes are performed in a mode or condition that cannot affect facility safety. The USQ screening questions also begin to make more sense. Without a need to consider the intermediate changes, you can simply look at the changes to the procedures and changes to the facility (permanent changes) without concern for the temporary changes. This is in stark contrast to physical modifications that occur in DOE nuclear facilities. Besides DOE reactors and some accelerators, very few DOE facilities go into an extended outage. These physical modifications not only occur while there are operations occurring in the facility, sometimes these modifications occur while there are operations ongoing in close proximity. This can severely complicate physical changes versus how they are performed in a shutdown facility. For example, if your boss tells you to get the oil changed in the company vehicle, it is usually a simple matter. You take it to the garage, and when it is returned—as long as the oil is new and full and the car does not leak—you simply drive off. What if that same boss asks for an oil change for the same car, but this time he tells you the car is too valuable to put in the shop and take out of service. You will have to do the oil change while the car is still in service and able to be driven. That task suddenly becomes much more complicated, even if it is a simple maintenance task (not even a modification!). Refueling a bomber on the ground is pretty simple. Refueling in the air is a lot more complicated, and if the plane has not been modified to allow such an activity, it is almost impossible. The point being made here is that the commercial nuclear (and the naval nuclear) USQ process has been able to largely ignore the interim state or activity and just look at the end result of a facility change because of the mode of operation they are in when they make those changes. DOE facilities Eliminated from review
Page 13 of 17 do not always have the luxury of performing all their changes under outage conditions, and therefore, attention to intermediate activities and conditions are required to ensure the facility safety basis is maintained. Lessons Learned There is a need for a pre-USQ review. There appears to be a need for some sort of safety basis or management review of somewhat complex changes to a facility that do not rise to the level of requiring compliance with DOE-STD-1189. The safety basis review purpose would be to determine:  if the change could be made without requiring a change to the facility safety basis,  which facility change products safety basis input would be valuable to, and  which products would require a USQ review when completed. There also appears to be a need to have some form of early review of a proposed facility change to determine what needs to be done, who needs to do it, who needs to approve it, and who needs to have input. In particular, a safety basis pre USQ review of a proposal can help determine if a change can be performed without DOE approval, how to make the change to avoid DOE approval requirements, how to minimize operational risk, which products will require USQ review, and provide input for safety in the design. While some may assume that this is the purpose of a USQ process, this would not be very efficient, especially as the proposal becomes more complicated and risky. For instance, why go through the trouble of creating a design change package that gets a positive USQD when some form of preliminary safety basis review would have informed the proposer that it would be positive, or that it would be a negative if they had simply made a simple change to the design? The facility change model might be useful in determining safety basis participation in pre-USQ activities. The pre-USQ process would best be incorporated into an overall facility safety or operational review process. This pre-USQ process might also be used to determine other participants’ roles and requirements in the facility change. An integrated facility change control process that incorporates the facility change model introduced previously would consist of the following: A review should begin with lists of the permanent changes in their respective categories. We begin by trying to determine all the products (the permanent change quadrants) that are required to implement the requested change. A proper start to the facility change process is to first answer these two questions:  What is/are the physical change(s) required in the facility?  What is/are the changes required in the activity(ies)? By clearly defining the specific facility changes (permanent/products) and placing them in the permanent activity change or permanent physical change columns, we can evaluate them separately in such a way as to avoid bias or entanglement. For instance, a change in operation may only require a review of an operating procedure, but a physical change may require not only looking at the
Page 14 of 17 change of the facility design, but also the associated activities of operating, maintaining, testing, and installing required by the physical facility change. Once all the products required for the facility change have been specified, the activities required to complete them can be determined. (This will be largely an emphasis on the temporary activity quadrant of the model, as the specifics of the temporary physical changes may not be available yet.) Therefore, the next question of the facility change process is:  What activities must occur in order produce the permanent changes determined from the above two questions? The information used to determine the interim physical state will not be available until the work package is completed. Nevertheless—even very early in the conceptual phase of a change— procedures, permits, evaluations, work packages, etc., that are required can be identified. This will provide management with a roadmap for change implementation that can be used to determine proper safety basis input and participation. At this stage of a facility change, once the model has been populated to the degree possible, determinations can be made as to the individuals who would be performing these activities, what safety basis input should be provided, and which products require USQ determinations. The suggested final step of this integrated facility change control process is to proceed to execute the activities as a coordinated unified package. This may sound counterintuitive at first. Why would you deconstruct a change into specific individual parts, only to attempt to work them as a single unit? One reason is that until the specific steps required for the change are specified in detail, it becomes difficult to schedule and coordinate all the activities with appropriate accuracy. It also allows the individual actions to get the attention they require, prevents entanglement, and eliminates the possibility that they are forgotten or neglected altogether. One of the differences in the commercial nuclear industry not mentioned above is that all design changes are done as packages. These packages would have all the design documents, drawings, product manuals, hazard analysis, and suggested changes to the license (if applicable) in the original engineering design document. These design changes are then closed out as packages, adding additional documentation such as the work packages, the drawing updates, QA documents, and the procedure changes to the final close out package submittal. This requirement for a close-out package means that the actions are coordinated and that all the information pertaining to the project is available in one location. Conclusion This report attempts to explore the relationship of safety basis in the facility change control process. It begins with an effort to determine exactly what constitutes a facility change and what the differences are between an activity change and a physical change to the facility. This leads to a model for analyzing facility changes that are derived largely from previous change control guidance. Based on this model, an integrated change control process is suggested. Finally, the role of safety basis and the USQ/USI process is discussed, resulting in the following suggestions:
Page 15 of 17 Performing USQs and safety basis reviews on a comprehensive package is always preferred. There is nothing in the regulatory guidance that requires the differing products needed to implement a facility change to be USQ-reviewed individually. Asking the safety basis reviewer to determine the physical change to a facility from a work package or operating procedure alone is not efficient and can lead to errors. Having a complete package to review, as is usually done in the commercial nuclear industry, provides the reviewer with all the information required to perform the job and allows efficient production of USQs while minimizing the need for research by multiple reviewers. Design changes that are performed in a mode or condition that allows taking parts of the facility out of service can simplify the safety basis issues by eliminating concern over the temporary activities and interim state. This should be common sense, but making physical changes in the midst of other operations creates much more complexity to the operation, and potentially additional risk. Whether you make a physical change during a shutdown, off-shift hours, or in a situation with a room or wing shutdown, having the ability to simply take a system out of service, do whatever needs to be done, return the system to service, and test it is the simplest, most efficient method of performing physical changes. Use of the provided facility change model could provide a proper roadmap to implement facility changes and allow for use of the integrated change control process suggested. We created a model of facility change based on four simple rules:  All changes to a facility can be placed into one of two categories: physical facility changes and changes to activities.  Both physical and activity changes can be defined as one of two types: permanent and temporary.  No matter whether the changes to the facility are physical- or activity-related, they will always require temporary activities to make the change.  A change in facility activity may not require a physical change to the facility, but every physical change to the facility requires an associated activity. These rules are represented visually below:
Page 16 of 17 Use of this model by first identifying the permanent physical and activity changes desired and then determining the activities required to produce them, the effects of entanglement is reduced and each of the specific aspects of the change can be provided with the attention that is proper. While the model can be applied to even the simplest of changes, usefulness of this model and the associated integrated change process will increase proportional to the complexity of the project. There appears to be a need for a graded safety basis review/coordination process that is separate from the USQ process for facilities that do not require use of the DOE STD 1189 (or DOE O 413.3B for the HAR). In reviewing many of these documents, I concluded that we might be seeing various attempts at a solution for a singular problem. As stated previously, facility changes at DOE facilities can present a range of issues with varying complexity that a one-size fits all solution is hard to come by. While there is adequate guidance for the most extensive of these projects, there appears to be some need for a graded approach for projects that do not meet the respective thresholds. This report was not intended to provide the ultimate solution, but I hope that by exploring this subject in an analytical and comprehensive manner, it may be beneficial for those sites that are dealing with the same issues. Early Safety Basis engagement can reduce costs and help to minimize project errors and delays. Acknowledgements James Clark Lyndsey Morgan Fyffe Elizabeth L. Joseph (Beth) Karen McHugh Heath Erik Mclaughlin Dorothy Winkler The Root of All Changes This diagram shows that the root of all facility changes originates with temporary activities. It also demonstrates that while changes to activities originate from temporary activities, physical changes also originate with temporary activities that must dogleg through temporary physical changes before complete.
Page 17 of 17 References 10 CFR 50.59, Changes, tests and experiments. 10 CFR 830, Nuclear Safety Management DOE 5480.5, Safety of Nuclear Facilities DOE G 420.1-1A, Nonreactor Nuclear Safety Design Guide for use with DOE O 420.1C, Facility Safety DOE G 420.2-1a, Accelerator Facility Safety Implementation Guide for DOE O 420.2B, Safety of Accelerator Facilities DOE O 420.1C, Facility Safety DOE O 5480.21, Unreviewed Safety Question DOE-STD-1073-2016, Configuration Management SBP-111-3, New or Changed Activity Approval Process SBP-114-9, Safety Basis Checklist and Technical Review

Recommended

Moc for lcl
Moc for lclMoc for lcl
Moc for lclvishnu gupta
 
Moc for lcl
Moc for lclMoc for lcl
Moc for lclvishnu gupta
 
Rel maint-final
Rel maint-finalRel maint-final
Rel maint-finalamar sadi
 
Poster_EGY_TE_Anas Momen_Hilal-Failure Modes and Effects Analysis
Poster_EGY_TE_Anas Momen_Hilal-Failure Modes and Effects AnalysisPoster_EGY_TE_Anas Momen_Hilal-Failure Modes and Effects Analysis
Poster_EGY_TE_Anas Momen_Hilal-Failure Modes and Effects AnalysisAnas Momen
 
jmeyercons10112016
jmeyercons10112016jmeyercons10112016
jmeyercons10112016John Meyer
 
Resume Rev 02 (1)
Resume Rev 02 (1)Resume Rev 02 (1)
Resume Rev 02 (1)Zvi Eisenberg
 
Safety Standards
Safety Standards Safety Standards
Safety Standards Arjun Aarzoo
 
CaseStudy_MOC_PX_2015_LI
CaseStudy_MOC_PX_2015_LICaseStudy_MOC_PX_2015_LI
CaseStudy_MOC_PX_2015_LISean Cull
 

Recommended

Moc for lcl
Moc for lclMoc for lcl
Moc for lclvishnu gupta
 
Moc for lcl
Moc for lclMoc for lcl
Moc for lclvishnu gupta
 
Rel maint-final
Rel maint-finalRel maint-final
Rel maint-finalamar sadi
 
Poster_EGY_TE_Anas Momen_Hilal-Failure Modes and Effects Analysis
Poster_EGY_TE_Anas Momen_Hilal-Failure Modes and Effects AnalysisPoster_EGY_TE_Anas Momen_Hilal-Failure Modes and Effects Analysis
Poster_EGY_TE_Anas Momen_Hilal-Failure Modes and Effects AnalysisAnas Momen
 
jmeyercons10112016
jmeyercons10112016jmeyercons10112016
jmeyercons10112016John Meyer
 
Resume Rev 02 (1)
Resume Rev 02 (1)Resume Rev 02 (1)
Resume Rev 02 (1)Zvi Eisenberg
 
Safety Standards
Safety Standards Safety Standards
Safety Standards Arjun Aarzoo
 
CaseStudy_MOC_PX_2015_LI
CaseStudy_MOC_PX_2015_LICaseStudy_MOC_PX_2015_LI
CaseStudy_MOC_PX_2015_LISean Cull
 
07_Biofuels_Mngt_of_Change.pptx
07_Biofuels_Mngt_of_Change.pptx07_Biofuels_Mngt_of_Change.pptx
07_Biofuels_Mngt_of_Change.pptxAkshayG52
 
Proceedings of the 2013 Industrial and Systems Engineering Res.docx
Proceedings of the 2013 Industrial and Systems Engineering Res.docxProceedings of the 2013 Industrial and Systems Engineering Res.docx
Proceedings of the 2013 Industrial and Systems Engineering Res.docxstilliegeorgiana
 
Simple robust autotuning rules for 2-DoF PI controllers
Simple robust autotuning rules for 2-DoF PI controllersSimple robust autotuning rules for 2-DoF PI controllers
Simple robust autotuning rules for 2-DoF PI controllersISA Interchange
 
Software Configuration Management.ppt
Software Configuration Management.pptSoftware Configuration Management.ppt
Software Configuration Management.pptDrTThendralCompSci
 
Prestartup Safety Review (PSSR)
Prestartup Safety Review (PSSR)Prestartup Safety Review (PSSR)
Prestartup Safety Review (PSSR)TheSafetyGuru
 
Testing throughout the software life cycle & statistic techniques
Testing throughout the software life cycle & statistic techniquesTesting throughout the software life cycle & statistic techniques
Testing throughout the software life cycle & statistic techniquesYAObbiIkhsan
 
AN INVESTIGATION OF THE MONITORING ACTIVITY IN SELF ADAPTIVE SYSTEMS
AN INVESTIGATION OF THE MONITORING ACTIVITY IN SELF ADAPTIVE SYSTEMSAN INVESTIGATION OF THE MONITORING ACTIVITY IN SELF ADAPTIVE SYSTEMS
AN INVESTIGATION OF THE MONITORING ACTIVITY IN SELF ADAPTIVE SYSTEMSijseajournal
 
Testing throughout the software life cycle & statistic techniques
Testing throughout the software life cycle & statistic techniquesTesting throughout the software life cycle & statistic techniques
Testing throughout the software life cycle & statistic techniquesNovika Damai Yanti
 
Presentation
PresentationPresentation
PresentationFredrick Onasanya
 
MOC Impact Workflow to Ensure that Relief Systems PSI is Updated with Changes
MOC Impact Workflow to Ensure that Relief Systems PSI is Updated with ChangesMOC Impact Workflow to Ensure that Relief Systems PSI is Updated with Changes
MOC Impact Workflow to Ensure that Relief Systems PSI is Updated with ChangesSmith & Burgess: Process Safety Consulting
 
Condition Asessment.ppt
Condition Asessment.pptCondition Asessment.ppt
Condition Asessment.pptBhaskar Jalan
 
Performance testing methodologies
Performance testing methodologiesPerformance testing methodologies
Performance testing methodologiesDhanunjay Rasamala
 
Maintenance Testing by Graham et al
Maintenance Testing by Graham et alMaintenance Testing by Graham et al
Maintenance Testing by Graham et alEmi Rahmi
 
86One of the fi rst activities of an analyst is to determi.docx
86One of the fi rst activities of an analyst is to determi.docx86One of the fi rst activities of an analyst is to determi.docx
86One of the fi rst activities of an analyst is to determi.docxransayo
 
Presentation1 709[1]
Presentation1 709[1]Presentation1 709[1]
Presentation1 709[1]fdolopez
 
change control
change controlchange control
change controlSrinivasaReddy137
 
BCS 307 Lecture 8.pdf
BCS 307 Lecture 8.pdfBCS 307 Lecture 8.pdf
BCS 307 Lecture 8.pdfJohn119649
 
Milestone One Company Identification You have been hired as a.docx
Milestone One Company Identification You have been hired as a.docxMilestone One Company Identification You have been hired as a.docx
Milestone One Company Identification You have been hired as a.docxARIV4
 
Maintenance Testing
Maintenance TestingMaintenance Testing
Maintenance TestingEmi Rahmi
 
Bab 2
Bab 2Bab 2
Bab 2fadillah alazmi
 
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxB.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxpriyanshujha201
 
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒anilsa9823
 

More Related Content

Similar to Integrated Facility Change Control and the Relationship to Safety Basis

07_Biofuels_Mngt_of_Change.pptx
07_Biofuels_Mngt_of_Change.pptx07_Biofuels_Mngt_of_Change.pptx
07_Biofuels_Mngt_of_Change.pptxAkshayG52
 
Proceedings of the 2013 Industrial and Systems Engineering Res.docx
Proceedings of the 2013 Industrial and Systems Engineering Res.docxProceedings of the 2013 Industrial and Systems Engineering Res.docx
Proceedings of the 2013 Industrial and Systems Engineering Res.docxstilliegeorgiana
 
Simple robust autotuning rules for 2-DoF PI controllers
Simple robust autotuning rules for 2-DoF PI controllersSimple robust autotuning rules for 2-DoF PI controllers
Simple robust autotuning rules for 2-DoF PI controllersISA Interchange
 
Software Configuration Management.ppt
Software Configuration Management.pptSoftware Configuration Management.ppt
Software Configuration Management.pptDrTThendralCompSci
 
Prestartup Safety Review (PSSR)
Prestartup Safety Review (PSSR)Prestartup Safety Review (PSSR)
Prestartup Safety Review (PSSR)TheSafetyGuru
 
Testing throughout the software life cycle & statistic techniques
Testing throughout the software life cycle & statistic techniquesTesting throughout the software life cycle & statistic techniques
Testing throughout the software life cycle & statistic techniquesYAObbiIkhsan
 
AN INVESTIGATION OF THE MONITORING ACTIVITY IN SELF ADAPTIVE SYSTEMS
AN INVESTIGATION OF THE MONITORING ACTIVITY IN SELF ADAPTIVE SYSTEMSAN INVESTIGATION OF THE MONITORING ACTIVITY IN SELF ADAPTIVE SYSTEMS
AN INVESTIGATION OF THE MONITORING ACTIVITY IN SELF ADAPTIVE SYSTEMSijseajournal
 
Testing throughout the software life cycle & statistic techniques
Testing throughout the software life cycle & statistic techniquesTesting throughout the software life cycle & statistic techniques
Testing throughout the software life cycle & statistic techniquesNovika Damai Yanti
 
Condition Asessment.ppt
Condition Asessment.pptCondition Asessment.ppt
Condition Asessment.pptBhaskar Jalan
 
Performance testing methodologies
Performance testing methodologiesPerformance testing methodologies
Performance testing methodologiesDhanunjay Rasamala
 
Maintenance Testing by Graham et al
Maintenance Testing by Graham et alMaintenance Testing by Graham et al
Maintenance Testing by Graham et alEmi Rahmi
 
86One of the fi rst activities of an analyst is to determi.docx
86One of the fi rst activities of an analyst is to determi.docx86One of the fi rst activities of an analyst is to determi.docx
86One of the fi rst activities of an analyst is to determi.docxransayo
 
Presentation1 709[1]
Presentation1 709[1]Presentation1 709[1]
Presentation1 709[1]fdolopez
 
BCS 307 Lecture 8.pdf
BCS 307 Lecture 8.pdfBCS 307 Lecture 8.pdf
BCS 307 Lecture 8.pdfJohn119649
 
Milestone One Company Identification You have been hired as a.docx
Milestone One Company Identification You have been hired as a.docxMilestone One Company Identification You have been hired as a.docx
Milestone One Company Identification You have been hired as a.docxARIV4
 
Maintenance Testing
Maintenance TestingMaintenance Testing
Maintenance TestingEmi Rahmi
 

Similar to Integrated Facility Change Control and the Relationship to Safety Basis (20)

07_Biofuels_Mngt_of_Change.pptx
07_Biofuels_Mngt_of_Change.pptx07_Biofuels_Mngt_of_Change.pptx
07_Biofuels_Mngt_of_Change.pptx
 
Proceedings of the 2013 Industrial and Systems Engineering Res.docx
Proceedings of the 2013 Industrial and Systems Engineering Res.docxProceedings of the 2013 Industrial and Systems Engineering Res.docx
Proceedings of the 2013 Industrial and Systems Engineering Res.docx
 
Simple robust autotuning rules for 2-DoF PI controllers
Simple robust autotuning rules for 2-DoF PI controllersSimple robust autotuning rules for 2-DoF PI controllers
Simple robust autotuning rules for 2-DoF PI controllers
 
Software Configuration Management.ppt
Software Configuration Management.pptSoftware Configuration Management.ppt
Software Configuration Management.ppt
 
Prestartup Safety Review (PSSR)
Prestartup Safety Review (PSSR)Prestartup Safety Review (PSSR)
Prestartup Safety Review (PSSR)
 
Testing throughout the software life cycle & statistic techniques
Testing throughout the software life cycle & statistic techniquesTesting throughout the software life cycle & statistic techniques
Testing throughout the software life cycle & statistic techniques
 
AN INVESTIGATION OF THE MONITORING ACTIVITY IN SELF ADAPTIVE SYSTEMS
AN INVESTIGATION OF THE MONITORING ACTIVITY IN SELF ADAPTIVE SYSTEMSAN INVESTIGATION OF THE MONITORING ACTIVITY IN SELF ADAPTIVE SYSTEMS
AN INVESTIGATION OF THE MONITORING ACTIVITY IN SELF ADAPTIVE SYSTEMS
 
Testing throughout the software life cycle & statistic techniques
Testing throughout the software life cycle & statistic techniquesTesting throughout the software life cycle & statistic techniques
Testing throughout the software life cycle & statistic techniques
 
Presentation
PresentationPresentation
Presentation
 
MOC Impact Workflow to Ensure that Relief Systems PSI is Updated with Changes
MOC Impact Workflow to Ensure that Relief Systems PSI is Updated with ChangesMOC Impact Workflow to Ensure that Relief Systems PSI is Updated with Changes
MOC Impact Workflow to Ensure that Relief Systems PSI is Updated with Changes
 
Condition Asessment.ppt
Condition Asessment.pptCondition Asessment.ppt
Condition Asessment.ppt
 
Performance testing methodologies
Performance testing methodologiesPerformance testing methodologies
Performance testing methodologies
 
Maintenance Testing by Graham et al
Maintenance Testing by Graham et alMaintenance Testing by Graham et al
Maintenance Testing by Graham et al
 
86One of the fi rst activities of an analyst is to determi.docx
86One of the fi rst activities of an analyst is to determi.docx86One of the fi rst activities of an analyst is to determi.docx
86One of the fi rst activities of an analyst is to determi.docx
 
Presentation1 709[1]
Presentation1 709[1]Presentation1 709[1]
Presentation1 709[1]
 
change control
change controlchange control
change control
 
BCS 307 Lecture 8.pdf
BCS 307 Lecture 8.pdfBCS 307 Lecture 8.pdf
BCS 307 Lecture 8.pdf
 
Milestone One Company Identification You have been hired as a.docx
Milestone One Company Identification You have been hired as a.docxMilestone One Company Identification You have been hired as a.docx
Milestone One Company Identification You have been hired as a.docx
 
Maintenance Testing
Maintenance TestingMaintenance Testing
Maintenance Testing
 
Bab 2
Bab 2Bab 2
Bab 2
 

Recently uploaded

B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxB.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxpriyanshujha201
 
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒anilsa9823
 
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Delhi Call girls
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageMatteo Carbone
 
Boost the utilization of your HCL environment by reevaluating use cases and f...
Boost the utilization of your HCL environment by reevaluating use cases and f...Boost the utilization of your HCL environment by reevaluating use cases and f...
Boost the utilization of your HCL environment by reevaluating use cases and f...Roland Driesen
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangaloreamitlee9823
 
RSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataRSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataExhibitors Data
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfPaul Menig
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...lizamodels9
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesDipal Arora
 
Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room ServiceCall Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Servicediscovermytutordmt
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Dave Litwiller
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLSeo
 
Pharma Works Profile of Karan Communications
Pharma Works Profile of Karan CommunicationsPharma Works Profile of Karan Communications
Pharma Works Profile of Karan Communicationskarancommunications
 
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...Aggregage
 
John Halpern sued for sexual assault.pdf
John Halpern sued for sexual assault.pdfJohn Halpern sued for sexual assault.pdf
John Halpern sued for sexual assault.pdfAmzadHosen3
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMRavindra Nath Shukla
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...rajveerescorts2022
 

Recently uploaded (20)

B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxB.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
 
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
 
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
 
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
 
Forklift Operations: Safety through Cartoons
Forklift Operations: Safety through CartoonsForklift Operations: Safety through Cartoons
Forklift Operations: Safety through Cartoons
 
Boost the utilization of your HCL environment by reevaluating use cases and f...
Boost the utilization of your HCL environment by reevaluating use cases and f...Boost the utilization of your HCL environment by reevaluating use cases and f...
Boost the utilization of your HCL environment by reevaluating use cases and f...
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
 
RSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataRSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors Data
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdf
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
 
Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room ServiceCall Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Service
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
 
Pharma Works Profile of Karan Communications
Pharma Works Profile of Karan CommunicationsPharma Works Profile of Karan Communications
Pharma Works Profile of Karan Communications
 
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
 
John Halpern sued for sexual assault.pdf
John Halpern sued for sexual assault.pdfJohn Halpern sued for sexual assault.pdf
John Halpern sued for sexual assault.pdf
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSM
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
 

Integrated Facility Change Control and the Relationship to Safety Basis

  • 1. Integrated Facility Change Control and the Relationship to Safety Basis GEORGE L. PETERS
  • 2. Page 1 of 17 Integrated Facility Change Control and the Relationship to Safety Basis Abstract This paper presents a proposed integrated approach to facility change control that addresses changes to both facility design and operations in a formal and organized manner, based on an extrapolation of existing guidance. The relationship of safety basis to the facility change process is explored and the integration of safety basis into the facility change control process is considered. There follows a discussion of change control guidance for the Department of Energy (DOE) complex with a comparison of DOE change control with that of change control in commercial nuclear reactors. It concludes with a derivation of suggestions for implementing a facility change control model with safety basis participation into the facility change control process to allow for an integrated review that may eliminate many of the issues that have plagued DOE complex change control in the past. Introduction The Nuclear Safety Management Rule, 10 CFR 830, came out in 2001 and contained the requirement for Documented Safety Analysis (DSA) development for Hazard Category (HC) 1, 2, and 3 facilities. Back in the 1980s, the 5480 series of DOE orders required some form of safety analysis/hazard categorization for DOE nuclear facilities for which a potentially significant nuclear hazard existed. During the almost forty years since the original guidance on facility hazard categorization/hazard analysis, there have been several updates to the facility hazard categorization guides and standards, including DOE-STD-3009, DOE-STD-1027, DOE-STD-3011, and there are current efforts to update 10 CFR 830 itself. After of all this time and effort, one might expect that all DOE facilities now have some form of hazard categorization/safety basis, that the hazard analysis/categorization is relatively mature, and the need for nuclear safety analysts has been greatly reduced. Those of us who work in the nuclear safety organizations at DOE facilities know this is not true. While hazard inventories, characterization, and analysis for DOE facilities are largely complete—and while the safety basis documents for the majority of these facilities are relatively mature and robust—there is still a significant need for safety analysis resources. This need is being driven in large part by the need to support facility changes in the DOE complex. This need was recognized as far back as 1991; as stated in DOE Order 5480.21, Unreviewed Safety Question: “When DOE facilities were first authorized to operate, it was not anticipated that the need for facility modifications would be implemented with the frequency that has proven to be necessary. As a result, the need for elaborate configuration and modification controls were not clearly understood.” Therefore, while the safety basis resources necessary to produce and maintain hazard analysis and categorization for DOE facilities may have been reduced, current safety basis demand is often being driven by the necessity of supporting facility change control. While there have been significant efforts to update and refine the Unreviewed Safety Question (USQ) process as it applies to DOE facilities, and a
  • 3. Page 2 of 17 significant upgrade to DOE-STD-1189, it might be timely to explore the role of safety basis in the overall facility change process. Background The origin of this report began with a simple question, which occurred during an assignment to revise Los Alamos National Laboratory (LANL) Safety Basis procedure SBP-114-9, Safety Basis Checklist and Technical Review. This procedure’s stated purpose is to “provide a method and checklist for a safety analyst to perform Safety Basis technical reviews on proposed changes to a nuclear, accelerator, or non- nuclear facility that is consistent with principles outlined in DOE-STD-1073-2016, Configuration Management.” I had previously revised another LANL Safety Basis procedure, SBP-111-3, New or Changed Activity Approval Process, whose purpose states “This procedure sets forth the process to obtain authorization for new, changed, or resumed work activities at Los Alamos National Laboratory (LANL) for low hazard facilities.” While both procedures profess to have a difference in purpose and applicability, they both rely on a checklist consisting of a series of questions designed to determine the nature of the change, the permits and reviews required, and what support personnel may be required to implement the change properly. Because these procedure checklists and instructions were so eerily similar, questions arose from my comparison: “Do we have duplicative procedures?” “Can both of these procedures be combined into an integrated facility change review?” In attempting to answer these questions, a thorough analysis of “what is a facility change as defined in this document” was derived. Anatomy of a Facility Change In order to implement an integrated change control approach, we need to establish a framework to understand what a facility change consists of in the context of facility change control. The beginning of this framework starts with an observation. It is termed an observation because it is not an original concept and the concept appears frequently in existing change control documents. The concept is that all facility changes may be separated into two general categories: changes in operations (activities) and changes in design (physical). While this concept is generally useful and appears regularly, I have yet to find a formal definition of either. This lack of definition and reliance on intuitive understanding can lead to several issues. Beginning at this observation, we will define the two types of changes and create our first rule on integrated change control. This rule is as follows:  All changes to a facility can be placed into one of two categories, physical facility changes and changes to activities. A physical change is any change that alters any physical condition or characteristic of any object within the defined facility boundaries. Understand that this definition of physical changes to a facility is more inclusive than that of a design change in that it includes any physical change, including things such as painting, adding programmatic equipment to an existing room, and an exact replacement of a worn existing component for a new one. Conversely, an activity change is any change within the facility boundaries that consists of an alteration in personnel behavior or actions.
  • 4. Page 3 of 17 In essence, any change to a facility that is not a physical change may be categorized as an activity change. Examples of facility change category activities and physical changes are provided in Table 1. Table 1 – Change Category Examples Activity Change Physical Change Facility repurposing Adding a new hazard (biological, explosives, etc.) Adding a new process Increase in quantity of existing hazard Adding a new technique Increasing current process throughput New Facility Major Modification Footprint expansion Addition of equipment Replacement of equipment Changing a lightbulb We have now defined two categories of facility change and defined a rule of use. What advantages does that provide? Prevention of Entanglement One of the main purposes of creating two categories is the prevention of entanglement. This may occur when reviewing or evaluating a design change—with its associated activity changes, or an activity change with its associated physical changes—as a single composite entity, such that the review of one type of change compromises or influences the review of the associated changes. This may be caused by considering a physical change as an adjunct to an activity change (i.e., needed for a new activity) and vice versa. Entanglement occurs when the result of a review of physical and activity changes together differs from the results that would occur if reviewed separately. While it may appear to make sense to evaluate both physical changes and associated activity changes together (and it does), doing it as an entangled change can result in facility change review bias. Entanglement is fairly common, and may appear regularly in written guidance. As one example, DOE G 420.2-1a states ”Use of the USI process to address facility modifications should involve an evaluation or screening of changes in accelerator operations, modifications of credited controls, or changes in accelerator safety administrative programs if they have the potential to significantly affect safety.” It appears to be direction to address physical modifications to an accelerator by reviewing their effect on operations or administrative programs. While this is the only example cited here, this type of guidance commonly appears in other DOE guidance. This effect was also observed in analysis of the LANL procedures for new activity review and safety basis technical review. Let’s take a look at the first several questions from the respective checklists:
  • 5. Page 4 of 17 From the New Activity Checklist Could the proposed change: Item Yes No 1 ☐ ☐ Change an existing process, or create a new process that may introduce unanalyzed hazards? 2 ☐ ☐ Increase material-at-risk (MAR), or change form, type, location, containment, confinement, etc., as described in the safety basis? 3 ☐ ☐ Create a new initiator for an existing hazard event or scenario? From the Safety Basis Review Checklist Could the proposed change: Item Yes No 1 ☐ ☐ Change an existing process, or create a new process that may introduce unanalyzed hazards? Consider SSCs, software, and changes to existing processes. For example, is a procedure change being introduced that alters a work process involving stored energy (pressure, vacuum, electrical, etc.), control software, chemical process, waste stream, material movement, shielding, fuel, heat, or cryogens? 2 ☐ ☐ Increase material-at-risk (MAR), or change form, type, location, containment, confinement, etc., as described in the safety basis? For example, is MAR being (or will be as a result of the change) located or relocated to a location not as described in the DSA or TSRs? Is the form and type of MAR analyzed for this location? 3 ☐ ☐ Create a new initiator for an existing hazard event or scenario? For example, are pyrophorics, mechanical energy (overhead crane), pressurized gas bottles, etc. being introduced? On first review, it appears that we have two procedures that perform the same basic function, and those two procedures can be combined. However, in order to achieve this combination, some significant differences exist that need to be overcome. While the SBRT questions may be the same or similar to the new activity questions, there is a definite design-centric emphasis to their approach. It appears that although these documents attempt to address facility changes by a simultaneous consideration of both the physical changes to the facility and operational changes to the facility, the guidance provided may be unintentionally inserting bias into the process. The LANL Safety Basis Checklist and Technical Review procedure, SBP-114-9, contains questions dealing with operations, but purely in the context of design change control. The LANL New or Changed Activity Approval Process procedure contains questions on the changes to the physical design of the facility to support the activity, but marginally. This means it is quite possible that you could review the exact same facility change through the two procedures and obtain different conclusions. While it is always possible to introduce a bias into any facility change review, it important to recognize it – not institutionalize it.
  • 6. Page 5 of 17 The Graded Approach Before we move on, I want to recognize the important yet familiar concept of the graded approach as applies to facility change review. The list of physical changes to the facility previously presented starts with a major modification and reduces in complexity until it ends with changing a lightbulb. This was intentional for two reasons. The first is to demonstrate that this paper’s meaning of physical changes to the facility is more inclusive than the set of changes considered in the USQ process (i.e., changing a lightbulb would not be considered a change to the facility as described in the DSA.) The second is to demonstrate that the range of scope and complexity for physical changes varies significantly. This is also true of activity changes. There is a large difference between repurposing a facility and simply increasing the throughput of a process. This range is recognized here to emphasize that any approach to facility change should ideally be graded to the complexity and inherent risk of the change. That being said, there are some issues in doing so. It is difficult to establish absolute thresholds for determining the rigor of a specific facility change review. We have seen this difficulty in establishing thresholds for a major modification subject to DOE-STD-1189. There are so many permutations possible with facility modifications that it becomes extremely difficult to determine absolutes for the application of requirements, guidance or techniques. Replacing a HEPA filter covered in dried picric acid crystals (an explosive)—which would normally be considered an exact replacement requiring little review—might actually be more dangerous than the installation of a whole new process line. Realize that this paper is covering the entire range of possible facility changes, and the recommendations presented here should be graded to accommodate the changes under review. Completing the Model To complete the model, we introduce the next rule for integrated facility change management:  Both physical and activity changes can be defined as one of two types: permanent and temporary. This is a purely temporal characterization of the two categories of changes. Permanent changes are defined as changes that will exist once the facility change is completed. These are the intended products of a fully implemented facility change. Temporary changes, which are sometimes referred to as interim changes, are those changes that are completed or do not exist after the facility change is fully completed. As an example: Activity Physical Permanent New operating procedures New maintenance procedures New testing procedures and schedule Equipment installed and tested Parts exchanged/repaired Updated drawings Equipment labeled Temporary Completing design Writing work package Updating safety basis Permits obtained System locked out Scaffolding erected Equipment disassembled
  • 7. Page 6 of 17 As with the previous rule, this is not an original concept, but an expansion of concepts that are present in existing change control guidance. For instance, Section 2.1 of DOE G 424-1.1 addresses temporary or permanent changes in a facility directly. However, this is an important distinction, because the change characteristics of temporary vs. permanent are significantly different, as is their treatment under the USQ process. An illustration of our holistic facility design road map is provided for reference below: One significant difference between temporary and permanent facility changes is how they may behave over time. Permanent changes are static and remain constant as long as not altered by a subsequent facility change, and therefore can be considered “products” of the change. Temporary changes are not only transient, but some are also constantly changing. For instance, most construction/installation jobs physically change over time. Also, realize there is a range to the degree and duration of a facility change. Adding a new facility wing takes a lot more physical changes with time than simply changing a lightbulb. It also important to note that temporary changes often must be performed in a specific sequence. A physical change cannot be made without a work package, the work package cannot be completed until the design is finalized, etc. This is in contrast to permanent changes that would usually coexist concurrently once the facility change is complete. Another reason for this distinction is to prevent an entangled review. The bias toward the physical state of a facility can sometimes be seen in the USQ process with regard to consideration of the “interim state” when reviewing a work control document. The use of the term “state” connotes an emphasis on the physical state of the facility rather than the actual process of changing the facility itself. Indeed, the examples usually provided for training on considering the interim state are physical ones—such as Diagrammatic Model of Facility Change This model encompasses the entire universe of facility changes, whether they are subject to USQ/other safety basis review or not. In this diagram, the entire set of facility changes falling under one category is depicted by the white square areas, while the blue quarter circles represent the subset of those particular blocks whose changes would typically be subject to USQ/safety basis review.
  • 8. Page 7 of 17 scaffolding potentially impacting a safety system, or removal of ceiling tiles potentially compromising a credited fire suppression system. DOE G 424.1-1B itself addresses the subject of hazards during installation of a facility modification in section B.2 by stating “DOE relies on the contractor’s normal work control procedures to address worker hazards involved in the actual installation of a modification, not on the USQ process”; however “the conduct of the work may involve the introduction of hazards that can constitute a threat to the facility safety basis such as the use of a crane that could fall on equipment important to safety.” This suggests that the actual activity of making a facility change or modification does not require attention as facility safety programs adequately cover it; however, attention must be paid to intermediate physical conditions that may impact facility safety. Just as with the entanglement of physical and activity changes, entanglement can occur between review of permanent and temporary changes. For instance, some USQ procedures exempt drawings from the USQ process with the caveat that “drawings do not make a change to the facility. The work package actually makes the change.” However, reviewing a work package without any of the design documents requires the reviewer to try to determine the nature of the change with limited information. This example of safety basis forensics attempts to determine the permanent physical change (a product) from a temporary activity document. Similarly, reviewing maintenance and testing procedures without the design documents is an example of reviewing a permanent activity change without information on the permanent physical change. Putting the Model to Use All of this analysis would be little more than an interesting concept if it is not put to use. Let us see if it is useful in making the process of facility change review more efficient. One way this model might be used is to better define what aspects of a facility change needs review. In the instance of an activity change to the facility that requires no physical change, only review of the activity changes (left two quadrants) need be required as shown: If the particular new activity happens to require only a change to procedures, our safety basis review may collapse to a single quadrant (permanent activity change). New or Changed Activity Review This figure shows that only items on the left side of the diagram need be considered for the facility change. While this seems obvious, review of a physical change reveals a completely different result. Eliminated from review
  • 9. Page 8 of 17 This situation changes completely when we consider a physical change to the facility. Most physical changes will require a consideration of all four quadrants of the facility change model. This is because a physical change not only creates temporary physical changes that require review; it requires at least one temporary activity to change the physical facility. Many of these physical change activities meet the requirements of a “test or experiment”—such as never having been performed previously, never to be performed again, and not anticipated in the original analysis. Even an exact replacement requires an activity to make the exchange (which might result in a need for review.) In addition, unless the change is an equivalent part, there are usually permanent activity changes in the form of new or updated operations, maintenance, and testing procedures. This not only demonstrates why physical changes are more complex than activity changes, but it also brings us to our next rules:  No matter whether the changes to the facility are physical- or activity-related, they will always require temporary activities to make the change.  A change in facility activity may not require a physical change to the facility, but every physical change to the facility requires an associated activity. Both activity and physical changes require temporary activities to produce those changes. The good news for safety basis review is that some of the temporary activities—such as writing procedures, obtaining permits, creating work packages, completing designs, and updating facility safety basis—are explicit or implicit (usually institutional) procedures as described in the DSA and are not in themselves subject to the USQ process. However, the products of these processes usually are. Therefore, safety basis input into these products during the development phases can often be beneficial, regardless of whether these products would require USQ or not. This last observation is significant. Because the activities in the temporary activity quadrant are often institutional administrative activities (i.e., writing procedures or completing designs), the activities in the temporary quadrant are often overlooked or neglected. However, it is often the list of temporary activities that many of the change processes are trying to ascertain. Reviews of new activity review processes, the safety basis technical review processes, or facility change organizations (like a change control board or facility safety committee), indicates their major purpose is often to determine what The Root of All Changes This diagram shows that the root of all facility changes originates with temporary activities. It also demonstrates that while changes to activities originate from temporary activities, physical changes also originate with temporary activities that must dogleg through temporary physical changes before complete.
  • 10. Page 9 of 17 needs to be done (activities) to implement a proposed change and who needs to be involved in these activities. Many of the reviewed facility change review committees consist of members of various constituent organizations that listen to a series of questions so that the committee members can determine what their organization’s level of participation in production of the facility change products. This brings up an important observation in this discussion. There appears to be a need to have some form of early review of a proposed facility change to determine what needs to be done, who needs to do it, who needs to approve it, and who needs to have input. In particular, a safety basis pre-USQ review of a proposal can help determine if a change can be performed without DOE approval, how to make the change to avoid DOE approval requirements, how to minimize operational risk, which products will require USQ review, and provide input for safety in the design. While some may assume that this is the purpose of a USQ process, this would not be very efficient, especially as the proposal becomes more complicated and risky. For instance, why go through the trouble of creating a design change package that gets a positive USQD when some form of preliminary safety basis review would have informed the proposer that it would be positive, or that it would be a negative if they had simply made a simple change to the design? When asked how safety basis participates in change control for a facility with a DOE-approved safety basis, many will respond “through the USQ/USI process.” However, the purpose of the USQ/USI process is not to provide safety basis design control input, but to determine approval authority for the proposed facility change. USQ Guide DOE G 424.1-1 confirms this with the following statement: “Each facility should identify the methods for making facility changes (for example, whether changes are made under modification processes, nonconformance processes, or maintenance processes). After methods have been identified, the contractor needs to maintain control of the facility change process and perform and document changes in accordance with approved procedures.” POC Model This figure shows how the facility change model can aid in determining the primary contact organization for each aspect of a facility change.
  • 11. Page 10 of 17 The need for some type of facility change review process outside of (and prior to) the USQ process appears in several places. In the following quotes, the current USQ guide comments on the integration of safety basis: “The USQ process is intended to be implemented along with a change control process that includes generalized steps for— 1) identifying and describing the temporary or permanent change, and 2) technical reviews of the change,” At LANL we have a new activity review process whose primary purpose is to determine if there needs to be a change to the facility safety basis. Additionally, LANL has a separate safety basis technical review process that is designed to be used to evaluate any change to the facility that may affect the safety envelope prior to the USQ process. LANL also has change control procedures at other facilities that intend to “ensure that physical or operational configuration changes are properly identified, developed, reviewed, approved, implemented, and documented.” Based on these and other indications, it is safe to conclude that there seems to be a need for a comprehensive facility change review process, separate from the USQ process, for proposed facility changes that do not require following the major modification process or the DOE submittal of a new or revised facility DSA. Why Direct Application of the Commercial Nuclear USQ Process Creates Difficulty at DOE Sites As a safety analyst who began my career in the commercial nuclear field, I have often been questioned on how the USQ process works in the commercial world and why it seems less resource- intensive. This segue from the discussion of facility change analysis is designed to provide some insight into the change control processes at commercial nuclear facilities with the intent that it will help provide recommendations on facility change control for DOE sites. At the end of 1991, DOE Order 5480.21, Unreviewed Safety Question, was issued. DOE Order 5480.21 acknowledges its derivation directly: “This Order has been developed according to some of the same principles present in the commercial industry and enumerated in 10 CFR 50.59. The purpose of this Order is similar to that of 10 CFR 50.59.” Thus, the seven USQ questions that we have currently in the DOE USQ process have their genesis in the commercial nuclear 50.59 review process that existed over a quarter of a century ago. Since that time, 10 CFR50.59 has been updated and now contains the following eight questions: (2) A licensee shall obtain a license amendment pursuant to Sec. 50.90 prior to implementing a proposed change, test, or experiment if the change, test, or experiment would: (i) Result in more than a minimal increase in the frequency of occurrence of an accident previously evaluated in the final safety analysis report (as updated); (ii) Result in more than a minimal increase in the likelihood of occurrence of a malfunction of a structure, system, or component (SSC) important to safety previously evaluated in the final safety analysis report (as updated); (iii) Result in more than a minimal increase in the consequences of an accident previously evaluated in the final safety analysis report (as updated);
  • 12. Page 11 of 17 (iv) Result in more than a minimal increase in the consequences of a malfunction of an SSC important to safety previously evaluated in the final safety analysis report (as updated); (v) Create a possibility for an accident of a different type than any previously evaluated in the final safety analysis report (as updated); (vi) Create a possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the final safety analysis report (as updated); (vii) Result in a design basis limit for a fission product barrier as described in the FSAR (as updated) being exceeded or altered; or (viii) Result in a departure from a method of evaluation described in the FSAR (as updated) used in establishing the design bases or in the safety analyses. There are two differences in these newer 50.59 questions that are probably most notable for DOE safety analysts. The first is the absence of the “margin of safety question”. The second is the use of the term “more than a minimal increase” in several of these questions. There is also another provision in the NRC rule that differentiates it from the DOE counterpart: “(4) The provisions in this section do not apply to changes to the facility or procedures when the applicable regulations establish more specific criteria for accomplishing such changes.” This means that in the commercial utility world, changes to procedures or the facility that are governed by their radiation protection, OSHA, and other regulations are exempt by law from the USQ process. In addition to the differences in the current USQ regulatory guidance, there is also a significant difference in the facilities themselves. A commercial nuclear reactor is a single-use facility whose sole purpose is to make money for the utility. It makes electricity, is refueled and maintained, and then makes electricity again. This means that there is very little incentive to make facility changes. Related to this is the fact that most of the major physical changes to the facility are being done at the direction of the regulator, thereby not requiring any 10 CFR 50.59 (NRC USQ process) review. While these explain some of the differences, there are also some other differences between commercial nuclear facilities and DOE facilities that may not be apparent to those who don’t have the experience of working at both. One of these differences is that commercial nuclear facilities have redundant trains for all of their safety systems. (Redundancy is the duplication of critical components or functions of a system with the intention of increasing reliability of the system, usually in the form of a backup or fail-safe.) This means that it is often possible to take out a safety component or equipment to change, maintain, or test it without compromising the safety function of the overall system. This can usually be performed under an action statement of a Technical Specification (a commercial TSR) that would not require a USQ. Most importantly, there is a major difference in work scheduling for commercial utilities. Probably the biggest factor contributing to the reduction in facility review is that most major facility physical work is performed during the time the reactor is shut down for a scheduled outage. With the fuel
  • 13. Page 12 of 17 safely cooling off in the spent fuel pit, there is little that can be done to the facility that would create any significant risk. Maintenance and construction can lock out entire systems, build scaffolding, and cut and weld to their hearts’ delight. As long as the area is cleaned up and the system tests okay before start-up, there is little else to be concerned about from a safety basis standpoint. Because of the redundancy and the fact that most change work is done during an outage, the interim state is inconsequential and our model for facility change becomes the following: This makes the job of facility review a lot less cumbersome, as all the intermediate changes are performed in a mode or condition that cannot affect facility safety. The USQ screening questions also begin to make more sense. Without a need to consider the intermediate changes, you can simply look at the changes to the procedures and changes to the facility (permanent changes) without concern for the temporary changes. This is in stark contrast to physical modifications that occur in DOE nuclear facilities. Besides DOE reactors and some accelerators, very few DOE facilities go into an extended outage. These physical modifications not only occur while there are operations occurring in the facility, sometimes these modifications occur while there are operations ongoing in close proximity. This can severely complicate physical changes versus how they are performed in a shutdown facility. For example, if your boss tells you to get the oil changed in the company vehicle, it is usually a simple matter. You take it to the garage, and when it is returned—as long as the oil is new and full and the car does not leak—you simply drive off. What if that same boss asks for an oil change for the same car, but this time he tells you the car is too valuable to put in the shop and take out of service. You will have to do the oil change while the car is still in service and able to be driven. That task suddenly becomes much more complicated, even if it is a simple maintenance task (not even a modification!). Refueling a bomber on the ground is pretty simple. Refueling in the air is a lot more complicated, and if the plane has not been modified to allow such an activity, it is almost impossible. The point being made here is that the commercial nuclear (and the naval nuclear) USQ process has been able to largely ignore the interim state or activity and just look at the end result of a facility change because of the mode of operation they are in when they make those changes. DOE facilities Eliminated from review
  • 14. Page 13 of 17 do not always have the luxury of performing all their changes under outage conditions, and therefore, attention to intermediate activities and conditions are required to ensure the facility safety basis is maintained. Lessons Learned There is a need for a pre-USQ review. There appears to be a need for some sort of safety basis or management review of somewhat complex changes to a facility that do not rise to the level of requiring compliance with DOE-STD-1189. The safety basis review purpose would be to determine:  if the change could be made without requiring a change to the facility safety basis,  which facility change products safety basis input would be valuable to, and  which products would require a USQ review when completed. There also appears to be a need to have some form of early review of a proposed facility change to determine what needs to be done, who needs to do it, who needs to approve it, and who needs to have input. In particular, a safety basis pre USQ review of a proposal can help determine if a change can be performed without DOE approval, how to make the change to avoid DOE approval requirements, how to minimize operational risk, which products will require USQ review, and provide input for safety in the design. While some may assume that this is the purpose of a USQ process, this would not be very efficient, especially as the proposal becomes more complicated and risky. For instance, why go through the trouble of creating a design change package that gets a positive USQD when some form of preliminary safety basis review would have informed the proposer that it would be positive, or that it would be a negative if they had simply made a simple change to the design? The facility change model might be useful in determining safety basis participation in pre-USQ activities. The pre-USQ process would best be incorporated into an overall facility safety or operational review process. This pre-USQ process might also be used to determine other participants’ roles and requirements in the facility change. An integrated facility change control process that incorporates the facility change model introduced previously would consist of the following: A review should begin with lists of the permanent changes in their respective categories. We begin by trying to determine all the products (the permanent change quadrants) that are required to implement the requested change. A proper start to the facility change process is to first answer these two questions:  What is/are the physical change(s) required in the facility?  What is/are the changes required in the activity(ies)? By clearly defining the specific facility changes (permanent/products) and placing them in the permanent activity change or permanent physical change columns, we can evaluate them separately in such a way as to avoid bias or entanglement. For instance, a change in operation may only require a review of an operating procedure, but a physical change may require not only looking at the
  • 15. Page 14 of 17 change of the facility design, but also the associated activities of operating, maintaining, testing, and installing required by the physical facility change. Once all the products required for the facility change have been specified, the activities required to complete them can be determined. (This will be largely an emphasis on the temporary activity quadrant of the model, as the specifics of the temporary physical changes may not be available yet.) Therefore, the next question of the facility change process is:  What activities must occur in order produce the permanent changes determined from the above two questions? The information used to determine the interim physical state will not be available until the work package is completed. Nevertheless—even very early in the conceptual phase of a change— procedures, permits, evaluations, work packages, etc., that are required can be identified. This will provide management with a roadmap for change implementation that can be used to determine proper safety basis input and participation. At this stage of a facility change, once the model has been populated to the degree possible, determinations can be made as to the individuals who would be performing these activities, what safety basis input should be provided, and which products require USQ determinations. The suggested final step of this integrated facility change control process is to proceed to execute the activities as a coordinated unified package. This may sound counterintuitive at first. Why would you deconstruct a change into specific individual parts, only to attempt to work them as a single unit? One reason is that until the specific steps required for the change are specified in detail, it becomes difficult to schedule and coordinate all the activities with appropriate accuracy. It also allows the individual actions to get the attention they require, prevents entanglement, and eliminates the possibility that they are forgotten or neglected altogether. One of the differences in the commercial nuclear industry not mentioned above is that all design changes are done as packages. These packages would have all the design documents, drawings, product manuals, hazard analysis, and suggested changes to the license (if applicable) in the original engineering design document. These design changes are then closed out as packages, adding additional documentation such as the work packages, the drawing updates, QA documents, and the procedure changes to the final close out package submittal. This requirement for a close-out package means that the actions are coordinated and that all the information pertaining to the project is available in one location. Conclusion This report attempts to explore the relationship of safety basis in the facility change control process. It begins with an effort to determine exactly what constitutes a facility change and what the differences are between an activity change and a physical change to the facility. This leads to a model for analyzing facility changes that are derived largely from previous change control guidance. Based on this model, an integrated change control process is suggested. Finally, the role of safety basis and the USQ/USI process is discussed, resulting in the following suggestions:
  • 16. Page 15 of 17 Performing USQs and safety basis reviews on a comprehensive package is always preferred. There is nothing in the regulatory guidance that requires the differing products needed to implement a facility change to be USQ-reviewed individually. Asking the safety basis reviewer to determine the physical change to a facility from a work package or operating procedure alone is not efficient and can lead to errors. Having a complete package to review, as is usually done in the commercial nuclear industry, provides the reviewer with all the information required to perform the job and allows efficient production of USQs while minimizing the need for research by multiple reviewers. Design changes that are performed in a mode or condition that allows taking parts of the facility out of service can simplify the safety basis issues by eliminating concern over the temporary activities and interim state. This should be common sense, but making physical changes in the midst of other operations creates much more complexity to the operation, and potentially additional risk. Whether you make a physical change during a shutdown, off-shift hours, or in a situation with a room or wing shutdown, having the ability to simply take a system out of service, do whatever needs to be done, return the system to service, and test it is the simplest, most efficient method of performing physical changes. Use of the provided facility change model could provide a proper roadmap to implement facility changes and allow for use of the integrated change control process suggested. We created a model of facility change based on four simple rules:  All changes to a facility can be placed into one of two categories: physical facility changes and changes to activities.  Both physical and activity changes can be defined as one of two types: permanent and temporary.  No matter whether the changes to the facility are physical- or activity-related, they will always require temporary activities to make the change.  A change in facility activity may not require a physical change to the facility, but every physical change to the facility requires an associated activity. These rules are represented visually below:
  • 17. Page 16 of 17 Use of this model by first identifying the permanent physical and activity changes desired and then determining the activities required to produce them, the effects of entanglement is reduced and each of the specific aspects of the change can be provided with the attention that is proper. While the model can be applied to even the simplest of changes, usefulness of this model and the associated integrated change process will increase proportional to the complexity of the project. There appears to be a need for a graded safety basis review/coordination process that is separate from the USQ process for facilities that do not require use of the DOE STD 1189 (or DOE O 413.3B for the HAR). In reviewing many of these documents, I concluded that we might be seeing various attempts at a solution for a singular problem. As stated previously, facility changes at DOE facilities can present a range of issues with varying complexity that a one-size fits all solution is hard to come by. While there is adequate guidance for the most extensive of these projects, there appears to be some need for a graded approach for projects that do not meet the respective thresholds. This report was not intended to provide the ultimate solution, but I hope that by exploring this subject in an analytical and comprehensive manner, it may be beneficial for those sites that are dealing with the same issues. Early Safety Basis engagement can reduce costs and help to minimize project errors and delays. Acknowledgements James Clark Lyndsey Morgan Fyffe Elizabeth L. Joseph (Beth) Karen McHugh Heath Erik Mclaughlin Dorothy Winkler The Root of All Changes This diagram shows that the root of all facility changes originates with temporary activities. It also demonstrates that while changes to activities originate from temporary activities, physical changes also originate with temporary activities that must dogleg through temporary physical changes before complete.
  • 18. Page 17 of 17 References 10 CFR 50.59, Changes, tests and experiments. 10 CFR 830, Nuclear Safety Management DOE 5480.5, Safety of Nuclear Facilities DOE G 420.1-1A, Nonreactor Nuclear Safety Design Guide for use with DOE O 420.1C, Facility Safety DOE G 420.2-1a, Accelerator Facility Safety Implementation Guide for DOE O 420.2B, Safety of Accelerator Facilities DOE O 420.1C, Facility Safety DOE O 5480.21, Unreviewed Safety Question DOE-STD-1073-2016, Configuration Management SBP-111-3, New or Changed Activity Approval Process SBP-114-9, Safety Basis Checklist and Technical Review