This document proposes an integrated approach to facility change control that addresses both physical design changes and operational changes. It defines two categories of facility changes - physical changes that alter the facility structure or components, and activity changes that alter personnel actions. Changes can also be categorized as permanent or temporary.
The document notes that existing change control guidance can result in "entanglement" by combining different types of changes. It analyzes Los Alamos National Laboratory procedures to show how they focus more on either physical changes or activity changes.
The proposed model categorizes all facility changes to prevent bias and allow separate review of different change types. It aims to improve efficiency of the facility change review process.
2. Page 1 of 17
Integrated Facility Change Control and the
Relationship to Safety Basis
Abstract
This paper presents a proposed integrated approach to facility change control that addresses changes to
both facility design and operations in a formal and organized manner, based on an extrapolation of
existing guidance. The relationship of safety basis to the facility change process is explored and the
integration of safety basis into the facility change control process is considered. There follows a
discussion of change control guidance for the Department of Energy (DOE) complex with a comparison
of DOE change control with that of change control in commercial nuclear reactors. It concludes with a
derivation of suggestions for implementing a facility change control model with safety basis
participation into the facility change control process to allow for an integrated review that may
eliminate many of the issues that have plagued DOE complex change control in the past.
Introduction
The Nuclear Safety Management Rule, 10 CFR 830, came out in 2001 and contained the requirement for
Documented Safety Analysis (DSA) development for Hazard Category (HC) 1, 2, and 3 facilities. Back in
the 1980s, the 5480 series of DOE orders required some form of safety analysis/hazard categorization
for DOE nuclear facilities for which a potentially significant nuclear hazard existed. During the almost
forty years since the original guidance on facility hazard categorization/hazard analysis, there have been
several updates to the facility hazard categorization guides and standards, including DOE-STD-3009,
DOE-STD-1027, DOE-STD-3011, and there are current efforts to update 10 CFR 830 itself. After all of this
time and effort, one might expect that all DOE facilities now have some form of hazard
categorization/safety basis, that the hazard analysis/categorization is relatively mature, and the need for
nuclear safety analysts has been greatly reduced.
Those of us who work in the nuclear safety organizations at DOE facilities know this is not true. While
hazard inventories, characterization, and analysis for DOE facilities are largely complete—and while the
safety basis documents for the majority of these facilities are relatively mature and robust—there is still
a significant need for safety analysis resources. This need is being driven in large part by the need to
support facility changes in the DOE complex. This need was recognized as far back as 1991; as stated in
DOE Order 5480.21, Unreviewed Safety Question: “When DOE facilities were first authorized to operate,
it was not anticipated that the need for facility modifications would be implemented with the frequency
that has proven to be necessary. As a result, the need for elaborate configuration and modification
controls were not clearly understood.”
Therefore, while the safety basis resources necessary to produce and maintain hazard analysis and
categorization for DOE facilities may have been reduced, current safety basis demand is often being
driven by the necessity of supporting facility change control. While there have been significant efforts to
update and refine the Unreviewed Safety Question (USQ) process as it applies to DOE facilities, and a
significant upgrade to DOE-STD-1189, it might be timely to explore the role of safety basis in the overall
facility change process.
Background
The origin of this report began with a simple question, which occurred during an assignment to revise
Los Alamos National Laboratory (LANL) Safety Basis procedure SBP-114-9, Safety Basis Checklist and
Technical Review. This procedure’s stated purpose is to “provide a method and checklist for a safety
analyst to perform Safety Basis technical reviews on proposed changes to a nuclear, accelerator, or non-
nuclear facility that is consistent with principles outlined in DOE-STD-1073-2016, Configuration
Management.” I had previously revised another LANL Safety Basis procedure, SBP-111-3, New or
Changed Activity Approval Process, whose purpose states “This procedure sets forth the process to
obtain authorization for new, changed, or resumed work activities at Los Alamos National Laboratory
(LANL) for low hazard facilities.” While both procedures profess to have a difference in purpose and
applicability, they both rely on a checklist consisting of a series of questions designed to determine the
nature of the change, the permits and reviews required, and what support personnel may be required to
implement the change properly. Because these procedure checklists and instructions were so eerily
similar, questions arose from my comparison: “Do we have duplicative procedures?” “Can both of these
procedures be combined into an integrated facility change review?” In attempting to answer these
questions, a thorough analysis of “what is a facility change as defined in this document” was derived.
Anatomy of a Facility Change
In order to implement an integrated change control approach, we need to establish a framework to
understand what a facility change consists of in the context of facility change control. The beginning of
this framework starts with an observation. It is termed an observation because it is not an original
concept and the concept appears frequently in existing change control documents. The concept is that
all facility changes may be separated into two general categories: changes in operations (activities) and
changes in design (physical). While this concept is generally useful and appears regularly, I have yet to
find a formal definition of either. This lack of definition and reliance on intuitive understanding can lead
to several issues.
Beginning at this observation, we will define the two types of changes and create our first rule on
integrated change control. This rule is as follows:
All changes to a facility can be placed into one of two categories, physical facility changes and
changes to activities.
A physical change is any change that alters any physical condition or characteristic of any object within
the defined facility boundaries.
Understand that this definition of physical changes to a facility is more inclusive than that of a design
change in that it includes any physical change, including things such as painting, adding programmatic
equipment to an existing room, and an exact replacement of a worn existing component for a new one.
Conversely, an activity change is any change within the facility boundaries that consists of an alteration
in personnel behavior or actions.
In essence, any change to a facility that is not a physical change may be categorized as an activity
change. Examples of activity changes and physical changes are provided in Table 1.
Table 1 – Change Category Examples
Activity Change                                     | Physical Change
Facility repurposing                                | New Facility
Adding a new hazard (biological, explosives, etc.)  | Major Modification
Adding a new process                                | Footprint expansion
Increase in quantity of existing hazard             | Addition of equipment
Adding a new technique                              | Replacement of equipment
Increasing current process throughput               | Changing a lightbulb
We have now defined two categories of facility change and defined a rule of use. What advantages does
that provide?
Prevention of Entanglement
One of the main purposes of creating two categories is the prevention of entanglement. This may occur
when reviewing or evaluating a design change—with its associated activity changes, or an activity
change with its associated physical changes—as a single composite entity, such that the review of one
type of change compromises or influences the review of the associated changes. This may be caused by
considering a physical change as an adjunct to an activity change (i.e., needed for a new activity) and
vice versa. Entanglement occurs when the result of a review of physical and activity changes together
differs from the results that would occur if reviewed separately. While it may appear to make sense to
evaluate both physical changes and associated activity changes together (and it does), doing it as an
entangled change can result in facility change review bias.
Entanglement is fairly common, and may appear regularly in written guidance. As one example,
DOE G 420.2-1a states “Use of the USI process to address facility modifications should involve an
evaluation or screening of changes in accelerator operations, modifications of credited controls, or
changes in accelerator safety administrative programs if they have the potential to significantly affect
safety.” It appears to be direction to address physical modifications to an accelerator by reviewing their
effect on operations or administrative programs. While this is the only example cited here, this type of
guidance commonly appears in other DOE guidance.
This effect was also observed in analysis of the LANL procedures for new activity review and safety basis
technical review. Let’s take a look at the first several questions from the respective checklists:
From the New Activity Checklist
Could the proposed change:
Item Yes No
1 ☐ ☐ Change an existing process, or create a new process that may introduce unanalyzed
hazards?
2 ☐ ☐ Increase material-at-risk (MAR), or change form, type, location, containment,
confinement, etc., as described in the safety basis?
3 ☐ ☐ Create a new initiator for an existing hazard event or scenario?
From the Safety Basis Review Checklist
Could the proposed change:
Item Yes No
1 ☐ ☐ Change an existing process, or create a new process that may introduce unanalyzed
hazards? Consider SSCs, software, and changes to existing processes. For example,
is a procedure change being introduced that alters a work process involving stored
energy (pressure, vacuum, electrical, etc.), control software, chemical process,
waste stream, material movement, shielding, fuel, heat, or cryogens?
2 ☐ ☐ Increase material-at-risk (MAR), or change form, type, location, containment,
confinement, etc., as described in the safety basis? For example, is MAR being (or
will be as a result of the change) located or relocated to a location not as described
in the DSA or TSRs? Is the form and type of MAR analyzed for this location?
3 ☐ ☐ Create a new initiator for an existing hazard event or scenario? For example, are
pyrophorics, mechanical energy (overhead crane), pressurized gas bottles, etc.
being introduced?
On first review, it appears that we have two procedures that perform the same basic function, and those
two procedures can be combined. However, to achieve this combination, some significant differences
need to be overcome. While the SBRT questions may be the same or similar to the
new activity questions, there is a definite design-centric emphasis to their approach.
It appears that although these documents attempt to address facility changes by a simultaneous
consideration of both the physical changes to the facility and operational changes to the facility, the
guidance provided may be unintentionally inserting bias into the process. The LANL Safety Basis
Checklist and Technical Review procedure, SBP-114-9, contains questions dealing with operations, but
purely in the context of design change control. The LANL New or Changed Activity Approval Process
procedure contains questions on the changes to the physical design of the facility to support the activity,
but marginally. This means it is quite possible that you could review the exact same facility change
through the two procedures and obtain different conclusions. While it is always possible to introduce a
bias into any facility change review, it is important to recognize it – not institutionalize it.
The Graded Approach
Before we move on, I want to recognize the important yet familiar concept of the graded approach as
it applies to facility change review. The list of physical changes to the facility previously presented starts
with a major modification and reduces in complexity until it ends with changing a lightbulb. This was
intentional for two reasons. The first is to demonstrate that this paper’s meaning of physical changes to
the facility is more inclusive than the set of changes considered in the USQ process (i.e., changing a
lightbulb would not be considered a change to the facility as described in the DSA.) The second is to
demonstrate that the range of scope and complexity for physical changes varies significantly. This is also
true of activity changes. There is a large difference between repurposing a facility and simply increasing
the throughput of a process.
This range is recognized here to emphasize that any approach to facility change should ideally be graded
to the complexity and inherent risk of the change. That being said, there are some issues in doing so. It is
difficult to establish absolute thresholds for determining the rigor of a specific facility change review. We
have seen this difficulty in establishing thresholds for a major modification subject to DOE-STD-1189.
There are so many permutations possible with facility modifications that it becomes extremely difficult
to determine absolutes for the application of requirements, guidance or techniques. Replacing a HEPA
filter covered in dried picric acid crystals (an explosive)—which would normally be considered an exact
replacement requiring little review—might actually be more dangerous than the installation of a whole
new process line. Realize that this paper is covering the entire range of possible facility changes, and the
recommendations presented here should be graded to accommodate the changes under review.
Completing the Model
To complete the model, we introduce the next rule for integrated facility change management:
Both physical and activity changes can be defined as one of two types: permanent and
temporary.
This is a purely temporal characterization of the two categories of changes. Permanent changes are
defined as changes that will exist once the facility change is completed. These are the intended products
of a fully implemented facility change. Temporary changes, which are sometimes referred to as interim
changes, are those changes that are completed or do not exist after the facility change is fully
completed.
As an example:
          | Activity                             | Physical
Permanent | New operating procedures             | Equipment installed and tested
          | New maintenance procedures           | Parts exchanged/repaired
          | New testing procedures and schedule  | Updated drawings
          |                                      | Equipment labeled
Temporary | Completing design                    | System locked out
          | Writing work package                 | Scaffolding erected
          | Updating safety basis                | Equipment disassembled
          | Permits obtained                     |
As with the previous rule, this is not an original concept, but an expansion of concepts that are present
in existing change control guidance. For instance, Section 2.1 of DOE G 424-1.1 addresses temporary or
permanent changes in a facility directly. However, this is an important distinction, because the change
characteristics of temporary vs. permanent are significantly different, as is their treatment under the
USQ process.
An illustration of our holistic facility design road map is provided for reference below:
[Figure: Diagrammatic Model of Facility Change. This model encompasses the entire universe of
facility changes, whether they are subject to USQ/other safety basis review or not. In this diagram,
the entire set of facility changes falling under one category is depicted by the white square areas,
while the blue quarter circles represent the subset of those particular blocks whose changes would
typically be subject to USQ/safety basis review.]
One significant difference between temporary and permanent facility changes is how they may behave
over time. Permanent changes are static and remain constant as long as not altered by a subsequent
facility change, and therefore can be considered “products” of the change. Temporary changes are not
only transient, but some are also constantly changing. For instance, most construction/installation jobs
physically change over time. Also, realize there is a range to the degree and duration of a facility change.
Adding a new facility wing takes a lot more physical changes with time than simply changing a lightbulb.
It is also important to note that temporary changes often must be performed in a specific sequence. A
physical change cannot be made without a work package, the work package cannot be completed until
the design is finalized, etc. This is in contrast to permanent changes that would usually coexist
concurrently once the facility change is complete.
Another reason for this distinction is to prevent an entangled review. The bias toward the physical state
of a facility can sometimes be seen in the USQ process with regard to consideration of the “interim
state” when reviewing a work control document. The use of the term “state” connotes an emphasis on
the physical state of the facility rather than the actual process of changing the facility itself. Indeed, the
examples usually provided for training on considering the interim state are physical ones—such as
scaffolding potentially impacting a safety system, or removal of ceiling tiles potentially compromising a
credited fire suppression system. DOE G 424.1-1B itself addresses the subject of hazards during
installation of a facility modification in section B.2 by stating “DOE relies on the contractor’s normal
work control procedures to address worker hazards involved in the actual installation of a modification,
not on the USQ process”; however “the conduct of the work may involve the introduction of hazards
that can constitute a threat to the facility safety basis such as the use of a crane that could fall on
equipment important to safety.” This suggests that the actual activity of making a facility change or
modification does not require attention as facility safety programs adequately cover it; however,
attention must be paid to intermediate physical conditions that may impact facility safety.
Just as with the entanglement of physical and activity changes, entanglement can occur between review
of permanent and temporary changes. For instance, some USQ procedures exempt drawings from the
USQ process with the caveat that “drawings do not make a change to the facility. The work package
actually makes the change.” However, reviewing a work package without any of the design documents
requires the reviewer to try to determine the nature of the change with limited information. This
example of safety basis forensics attempts to determine the permanent physical change (a product)
from a temporary activity document. Similarly, reviewing maintenance and testing procedures without
the design documents is an example of reviewing a permanent activity change without information on
the permanent physical change.
Putting the Model to Use
All of this analysis would be little more than an interesting concept if it is not put to use. Let us see if it is
useful in making the process of facility change review more efficient.
One way this model might be used is to better define what aspects of a facility change need review. In
the instance of an activity change to the facility that requires no physical change, only review of the
activity changes (left two quadrants) is required, as shown:
[Figure: New or Changed Activity Review. This figure shows that only items on the left side of the
diagram need be considered for the facility change. While this seems obvious, review of a physical
change reveals a completely different result. Figure label: “Eliminated from review”.]
If the particular new activity happens to require only a change to procedures, our safety basis review
may collapse to a single quadrant (permanent activity change).
This situation changes completely when we consider a physical change to the facility. Most physical
changes will require a consideration of all four quadrants of the facility change model. This is because a
physical change not only creates temporary physical changes that require review; it requires at least one
temporary activity to change the physical facility. Many of these physical change activities meet the
requirements of a “test or experiment”—such as never having been performed previously, never to be
performed again, and not anticipated in the original analysis. Even an exact replacement requires an
activity to make the exchange (which might result in a need for review.) In addition, unless the change is
an equivalent part, there are usually permanent activity changes in the form of new or updated
operations, maintenance, and testing procedures.
This not only demonstrates why physical changes are more complex than activity changes, but it also
brings us to our next rules:
No matter whether the changes to the facility are physical- or activity-related, they will always
require temporary activities to make the change.
A change in facility activity may not require a physical change to the facility, but every physical
change to the facility requires an associated activity.
Both activity and physical changes require temporary activities to produce those changes. The good
news for safety basis review is that some of the temporary activities—such as writing procedures,
obtaining permits, creating work packages, completing designs, and updating facility safety basis—are
explicit or implicit (usually institutional) procedures as described in the DSA and are not in themselves
subject to the USQ process. However, the products of these processes usually are. Therefore, safety
basis input into these products during the development phases can often be beneficial, regardless of
whether these products would require USQ or not.
[Figure: The Root of All Changes. This diagram shows that the root of all facility changes originates
with temporary activities. It also demonstrates that while changes to activities originate from
temporary activities, physical changes also originate with temporary activities that must dogleg
through temporary physical changes before complete.]
This last observation is significant. Because the activities in the temporary activity quadrant are often
institutional administrative activities (i.e., writing procedures or completing designs), the activities in the
temporary quadrant are often overlooked or neglected. However, it is often the list of temporary
activities that many of the change processes are trying to ascertain. Reviews of new activity review
processes, the safety basis technical review processes, or facility change organizations (like a change
control board or facility safety committee) indicate that their major purpose is often to determine what
needs to be done (activities) to implement a proposed change and who needs to be involved in these
activities. Many of the reviewed facility change review committees consist of members of various
constituent organizations that listen to a series of questions so that the committee members can
determine their organization’s level of participation in production of the facility change products.
This brings up an important observation in this discussion. There appears to be a need to have some
form of early review of a proposed facility change to determine what needs to be done, who needs
to do it, who needs to approve it, and who needs to have input. In particular, a safety basis pre-USQ
review of a proposal can help determine if a change can be performed without DOE approval, how
to make the change to avoid DOE approval requirements, how to minimize operational risk, which
products will require USQ review, and provide input for safety in the design. While some may
assume that this is the purpose of a USQ process, this would not be very efficient, especially as the
proposal becomes more complicated and risky. For instance, why go through the trouble of creating
a design change package that gets a positive USQD when some form of preliminary safety basis
review would have informed the proposer that it would be positive, or that it would be a negative if
they had simply made a simple change to the design?
When asked how safety basis participates in change control for a facility with a DOE-approved safety
basis, many will respond “through the USQ/USI process.” However, the purpose of the USQ/USI
process is not to provide safety basis design control input, but to determine approval authority for
the proposed facility change. USQ Guide DOE G 424.1-1 confirms this with the following statement:
“Each facility should identify the methods for making facility changes (for example, whether changes
are made under modification processes, nonconformance processes, or maintenance processes).
After methods have been identified, the contractor needs to maintain control of the facility change
process and perform and document changes in accordance with approved procedures.”
[Figure: POC Model. This figure shows how the facility change model can aid in determining the
primary contact organization for each aspect of a facility change.]
The need for some type of facility change review process outside of (and prior to) the USQ process
appears in several places. In the following quotes, the current USQ guide comments on the
integration of safety basis:
“The USQ process is intended to be implemented along with a change control process that includes
generalized steps for— 1) identifying and describing the temporary or permanent change, and
2) technical reviews of the change,”
At LANL we have a new activity review process whose primary purpose is to determine if there
needs to be a change to the facility safety basis. Additionally, LANL has a separate safety basis
technical review process that is designed to be used to evaluate any change to the facility that may
affect the safety envelope prior to the USQ process. LANL also has change control procedures at
other facilities that intend to “ensure that physical or operational configuration changes are
properly identified, developed, reviewed, approved, implemented, and documented.” Based on
these and other indications, it is safe to conclude that there seems to be a need for a
comprehensive facility change review process, separate from the USQ process, for proposed facility
changes that do not require following the major modification process or the DOE submittal of a new
or revised facility DSA.
Why Direct Application of the Commercial Nuclear USQ Process Creates Difficulty at
DOE Sites
As a safety analyst who began my career in the commercial nuclear field, I have often been
questioned on how the USQ process works in the commercial world and why it seems less resource-
intensive. This segue from the discussion of facility change analysis is designed to provide some
insight into the change control processes at commercial nuclear facilities with the intent that it will
help provide recommendations on facility change control for DOE sites.
At the end of 1991, DOE Order 5480.21, Unreviewed Safety Question, was issued. DOE Order
5480.21 acknowledges its derivation directly: “This Order has been developed according to some of
the same principles present in the commercial industry and enumerated in 10 CFR 50.59. The
purpose of this Order is similar to that of 10 CFR 50.59.” Thus, the seven USQ questions that we
have currently in the DOE USQ process have their genesis in the commercial nuclear 50.59 review
process that existed over a quarter of a century ago.
Since that time, 10 CFR 50.59 has been updated and now contains the following eight questions:
(2) A licensee shall obtain a license amendment pursuant to Sec. 50.90 prior to implementing a
proposed change, test, or experiment if the change, test, or experiment would:
(i) Result in more than a minimal increase in the frequency of occurrence of an accident
previously evaluated in the final safety analysis report (as updated);
(ii) Result in more than a minimal increase in the likelihood of occurrence of a
malfunction of a structure, system, or component (SSC) important to safety previously
evaluated in the final safety analysis report (as updated);
(iii) Result in more than a minimal increase in the consequences of an accident
previously evaluated in the final safety analysis report (as updated);
(iv) Result in more than a minimal increase in the consequences of a malfunction of an
SSC important to safety previously evaluated in the final safety analysis report (as
updated);
(v) Create a possibility for an accident of a different type than any previously evaluated
in the final safety analysis report (as updated);
(vi) Create a possibility for a malfunction of an SSC important to safety with a different
result than any previously evaluated in the final safety analysis report (as updated);
(vii) Result in a design basis limit for a fission product barrier as described in the FSAR
(as updated) being exceeded or altered; or
(viii) Result in a departure from a method of evaluation described in the FSAR (as
updated) used in establishing the design bases or in the safety analyses.
There are two differences in these newer 50.59 questions that are probably most notable for DOE
safety analysts. The first is the absence of the “margin of safety question”. The second is the use of
the term “more than a minimal increase” in several of these questions.
There is also another provision in the NRC rule that differentiates it from the DOE counterpart:
“(4) The provisions in this section do not apply to changes to the facility or procedures when the
applicable regulations establish more specific criteria for accomplishing such changes.”
This means that in the commercial utility world, changes to procedures or the facility that are
governed by their radiation protection, OSHA, and other regulations are exempt by law from the
USQ process.
In addition to the differences in the current USQ regulatory guidance, there is also a significant
difference in the facilities themselves. A commercial nuclear reactor is a single-use facility whose
sole purpose is to make money for the utility. It makes electricity, is refueled and maintained, and
then makes electricity again. This means that there is very little incentive to make facility changes.
Related to this is the fact that most of the major physical changes to the facility are being done at
the direction of the regulator, thereby not requiring any 10 CFR 50.59 (NRC USQ process) review.
While these explain some of the differences, there are also some other differences between
commercial nuclear facilities and DOE facilities that may not be apparent to those who don’t have
the experience of working at both. One of these differences is that commercial nuclear facilities
have redundant trains for all of their safety systems. (Redundancy is the duplication of critical
components or functions of a system with the intention of increasing reliability of the system,
usually in the form of a backup or fail-safe.) This means that it is often possible to take out a safety
component or equipment to change, maintain, or test it without compromising the safety function
of the overall system. This can usually be performed under an action statement of a Technical
Specification (a commercial TSR) that would not require a USQ.
Most importantly, there is a major difference in work scheduling for commercial utilities. Probably
the biggest factor contributing to the reduction in facility review is that most major facility physical
work is performed during the time the reactor is shut down for a scheduled outage. With the fuel
safely cooling off in the spent fuel pit, there is little that can be done to the facility that would create
any significant risk. Maintenance and construction can lock out entire systems, build scaffolding, and
cut and weld to their hearts’ delight. As long as the area is cleaned up and the system tests okay
before start-up, there is little else to be concerned about from a safety basis standpoint.
Because of the redundancy and the fact that most change work is done during an outage, the
interim state is inconsequential and our model for facility change becomes the following:
This makes the job of facility review a lot less cumbersome, as all the intermediate changes are
performed in a mode or condition that cannot affect facility safety. The USQ screening questions
also begin to make more sense. Without a need to consider the intermediate changes, you can
simply look at the changes to the procedures and changes to the facility (permanent changes)
without concern for the temporary changes.
This is in stark contrast to physical modifications that occur in DOE nuclear facilities. Besides DOE
reactors and some accelerators, very few DOE facilities go into an extended outage. These physical
modifications not only occur while there are operations occurring in the facility, sometimes these
modifications occur while there are operations ongoing in close proximity. This can severely
complicate physical changes versus how they are performed in a shutdown facility. For example, if
your boss tells you to get the oil changed in the company vehicle, it is usually a simple matter. You
take it to the garage, and when it is returned—as long as the oil is new and full and the car does not
leak—you simply drive off. What if that same boss asks for an oil change for the same car, but this
time he tells you the car is too valuable to put in the shop and take out of service? You will have to
do the oil change while the car is still in service and able to be driven. That task suddenly becomes
much more complicated, even if it is a simple maintenance task (not even a modification!). Refueling
a bomber on the ground is pretty simple. Refueling in the air is a lot more complicated, and if the
plane has not been modified to allow such an activity, it is almost impossible.
The point being made here is that the commercial nuclear (and the naval nuclear) USQ process has
been able to largely ignore the interim state or activity and just look at the end result of a facility
change because of the mode of operation they are in when they make those changes. DOE facilities
do not always have the luxury of performing all their changes under outage conditions, and
therefore, attention to intermediate activities and conditions is required to ensure the facility
safety basis is maintained.
Lessons Learned
There is a need for a pre-USQ review.
There appears to be a need for some sort of safety basis or management review of somewhat
complex changes to a facility that do not rise to the level of requiring compliance with
DOE-STD-1189. The safety basis review purpose would be to determine:
if the change could be made without requiring a change to the facility safety basis,
which facility change products safety basis input would be valuable to, and
which products would require a USQ review when completed.
There also appears to be a need to have some form of early review of a proposed facility change to
determine what needs to be done, who needs to do it, who needs to approve it, and who needs to
have input. In particular, a safety basis pre-USQ review of a proposal can help determine if a change
can be performed without DOE approval, how to make the change to avoid DOE approval
requirements, how to minimize operational risk, which products will require USQ review, and
provide input for safety in the design. While some may assume that this is the purpose of a USQ
process, this would not be very efficient, especially as the proposal becomes more complicated and
risky. For instance, why go through the trouble of creating a design change package that gets a
positive USQD when some form of preliminary safety basis review would have informed the
proposer that it would be positive, or that it would be a negative if they had simply made a simple
change to the design?
The facility change model might be useful in determining safety basis participation in pre-USQ
activities.
The pre-USQ process would best be incorporated into an overall facility safety or operational review
process. This pre-USQ process might also be used to determine other participants’ roles and
requirements in the facility change.
An integrated facility change control process that incorporates the facility change model introduced
previously would consist of the following:
A review should begin with lists of the permanent changes in their respective categories. We begin
by trying to determine all the products (the permanent change quadrants) that are required to
implement the requested change. A proper start to the facility change process is to first answer
these two questions:
What is/are the physical change(s) required in the facility?
What is/are the changes required in the activity(ies)?
By clearly defining the specific facility changes (permanent/products) and placing them in the
permanent activity change or permanent physical change columns, we can evaluate them separately
in such a way as to avoid bias or entanglement. For instance, a change in operation may only require
a review of an operating procedure, but a physical change may require not only looking at the
change of the facility design, but also the associated activities of operating, maintaining, testing, and
installing required by the physical facility change.
Once all the products required for the facility change have been specified, the activities required to
complete them can be determined. (This will be largely an emphasis on the temporary activity
quadrant of the model, as the specifics of the temporary physical changes may not be available yet.)
Therefore, the next question of the facility change process is:
What activities must occur in order to produce the permanent changes determined from
the above two questions?
The information used to determine the interim physical state will not be available until the work
package is completed. Nevertheless—even very early in the conceptual phase of a change—
procedures, permits, evaluations, work packages, etc., that are required can be identified. This will
provide management with a roadmap for change implementation that can be used to determine
proper safety basis input and participation.
At this stage of a facility change, once the model has been populated to the degree possible,
determinations can be made as to the individuals who would be performing these activities, what
safety basis input should be provided, and which products require USQ determinations.
The suggested final step of this integrated facility change control process is to proceed to execute
the activities as a coordinated unified package.
This may sound counterintuitive at first. Why would you deconstruct a change into specific
individual parts, only to attempt to work them as a single unit? One reason is that until the specific
steps required for the change are specified in detail, it becomes difficult to schedule and coordinate
all the activities with appropriate accuracy. It also allows the individual actions to get the attention
they require, prevents entanglement, and eliminates the possibility that they are forgotten or
neglected altogether.
One of the differences in the commercial nuclear industry not mentioned above is that all design
changes are done as packages. These packages would have all the design documents, drawings,
product manuals, hazard analysis, and suggested changes to the license (if applicable) in the original
engineering design document. These design changes are then closed out as packages, adding
additional documentation such as the work packages, the drawing updates, QA documents, and the
procedure changes to the final close out package submittal. This requirement for a close-out
package means that the actions are coordinated and that all the information pertaining to the
project is available in one location.
Conclusion
This report attempts to explore the relationship of safety basis in the facility change control process.
It begins with an effort to determine exactly what constitutes a facility change and what the
differences are between an activity change and a physical change to the facility. This leads to a
model for analyzing facility changes that is derived largely from previous change control guidance.
Based on this model, an integrated change control process is suggested. Finally, the role of safety
basis and the USQ/USI process is discussed, resulting in the following suggestions:
Performing USQs and safety basis reviews on a comprehensive package is always preferred.
There is nothing in the regulatory guidance that requires the differing products needed to
implement a facility change to be USQ-reviewed individually. Asking the safety basis reviewer to
determine the physical change to a facility from a work package or operating procedure alone is not
efficient and can lead to errors. Having a complete package to review, as is usually done in the
commercial nuclear industry, provides the reviewer with all the information required to perform the
job and allows efficient production of USQs while minimizing the need for research by multiple
reviewers.
Design changes that are performed in a mode or condition that allows taking parts of the facility out
of service can simplify the safety basis issues by eliminating concern over the temporary activities and
interim state.
This should be common sense, but making physical changes in the midst of other operations adds
much more complexity to the operation, and potentially additional risk. Whether you make a
physical change during a shutdown, off-shift hours, or in a situation with a room or wing shutdown,
having the ability to simply take a system out of service, do whatever needs to be done, return the
system to service, and test it is the simplest, most efficient method of performing physical changes.
Use of the provided facility change model could provide a proper roadmap to implement facility
changes and allow for use of the integrated change control process suggested.
We created a model of facility change based on four simple rules:
All changes to a facility can be placed into one of two categories: physical facility changes and
changes to activities.
Both physical and activity changes can be defined as one of two types: permanent and
temporary.
No matter whether the changes to the facility are physical- or activity-related, they will always
require temporary activities to make the change.
A change in facility activity may not require a physical change to the facility, but every physical
change to the facility requires an associated activity.
These rules are represented visually below:
By using this model to first identify the permanent physical and activity changes desired and then
determine the activities required to produce them, the effects of entanglement are reduced and
each of the specific aspects of the change can be given the attention it requires. While
the model can be applied to even the simplest of changes, the usefulness of this model and the
associated integrated change process will increase in proportion to the complexity of the project.
There appears to be a need for a graded safety basis review/coordination process that is separate
from the USQ process for facilities that do not require use of DOE-STD-1189 (or DOE O 413.3B for
the HAR).
In reviewing many of these documents, I concluded that we might be seeing various attempts at a
solution for a singular problem. As stated previously, facility changes at DOE facilities can present such a
range of issues with varying complexity that a one-size-fits-all solution is hard to come by. While
there is adequate guidance for the most extensive of these projects, there appears to be some need
for a graded approach for projects that do not meet the respective thresholds. This report was not
intended to provide the ultimate solution, but I hope that by exploring this subject in an analytical
and comprehensive manner, it may be beneficial for those sites that are dealing with the same
issues.
Early Safety Basis engagement can reduce costs and help to minimize project errors and delays.
Acknowledgements
James Clark
Lyndsey Morgan Fyffe
Elizabeth L. Joseph (Beth)
Karen McHugh
Heath Erik Mclaughlin
Dorothy Winkler
The Root of All Changes
This diagram shows that the root of all facility changes originates with temporary activities. It also
demonstrates that while changes to activities originate from temporary activities, physical changes
also originate with temporary activities that must dogleg through temporary physical changes
before they are complete.
References
10 CFR 50.59, Changes, tests and experiments.
10 CFR 830, Nuclear Safety Management
DOE 5480.5, Safety of Nuclear Facilities
DOE G 420.1-1A, Nonreactor Nuclear Safety Design Guide for use with DOE O 420.1C, Facility Safety
DOE G 420.2-1a, Accelerator Facility Safety Implementation Guide for DOE O 420.2B, Safety of
Accelerator Facilities
DOE O 420.1C, Facility Safety
DOE O 5480.21, Unreviewed Safety Question
DOE-STD-1073-2016, Configuration Management
SBP-111-3, New or Changed Activity Approval Process
SBP-114-9, Safety Basis Checklist and Technical Review