Daily Rules, Proposed Rules, and Notices of the Federal Government
The implementation of an effective and reliable set of controls is one of the most important cornerstones of safe operation at defense nuclear facilities. In this context, the term "control" refers to those structures, systems, and components (SSCs) and administrative controls that prevent or mitigate undesirable consequences of postulated accident scenarios. The Defense Nuclear Facilities Safety Board (Board) has
It has been well recognized that administrative controls play an important role in establishing and maintaining overall safety of nuclear activities. Previous technical reports issued by the Board have underscored the need for heightened vigilance in the selection and implementation of task-specific administrative controls, as well as those of a more programmatic nature (
Administrative controls have been defined in the DOE Nuclear Safety Management rule as, "* * * the provisions relating to the organization, management, procedures, recordkeeping, assessment, and reporting necessary to ensure safe operation of a facility." 10 CFR 830.3(a). In practice, however, the concept of an administrative control is used more broadly in the context of hazard prevention and mitigation. In this regard, an administrative control can be viewed as an extension of a hazard control and defined accordingly. Thus from a broader and more operational perspective, some administrative controls should be treated similarly to engineered or design features that are used to eliminate, limit, or mitigate potential hazards.
DOE has promulgated guidance to assist facilities in the classification of controls. In general, controls necessary to prevent or mitigate significant consequences to the public are classified as "safety-class" and controls which contribute significantly to defense-in-depth or worker safety are classified as "safety-significant." However, this guidance has been directed primarily at engineered controls and has been largely silent with respect to the functional classification of administrative controls. The Board has observed a number of instances in which administrative controls have been implemented in situations where a corresponding engineered feature would warrant functional classification as either safety-significant or safety-class. A number of defense nuclear facilities have explicitly characterized certain administrative controls as either safety-class or safety-significant from a functional classification perspective in the context of existing DOE guidance.
In addition to controls involving discrete operator actions, a number of administrative controls are more programmatic in nature. Examples of such programmatic controls include combustible loading programs (associated with fire protection programs), operator training programs, and inservice inspection programs. The Board has observed a number of instances, similar to the examples involving specific operator actions, in which such programmatic controls are credited for the prevention and mitigation of specific hazard scenarios.
The Board has observed that the development and implementation of important administrative controls have not always conformed to the expectations and quality standards that would be applied to corresponding safety-class engineered features. The following examples illustrate this point:
1. During a review of the process controls for a new aqueous recovery line for plutonium 238 (Pu-238) at Los Alamos National Laboratory (LANL), the Board found that the facility had placed heavy reliance on administrative controls in lieu of engineered controls. However, LANL had not planned to incorporate many of these administrative controls, some of which were safety-related, into Technical Safety Requirements (TSRs) prior to the startup of the Pu-238 recovery process. Examples include procedural controls on the makeup of strong acids used to elute ion exchange resin and procedural controls designed to monitor for resin dryout. Strong acids can react violently with the ion exchange resin, and resin dryout can also lead to energetic reactions. These concerns were communicated to DOE in a Board letter dated April 23, 2002.
2. During a review at the Y-12 National Security Complex, the Board noted that the fire protection program for Building 9212 B-1 Wing identified 21 administrative controls needed to protect the facility during testing and process restart. These administrative controls include operational considerations in the use of organic solvents, a transient combustible control program, control of ignition sources, and designated laydown areas for combustible materials. The Board determined that the various administrative controls were not always updated or modified to reflect changes in plans or equipment, and that there were significant deficiencies in the contractor's compliance with these controls. Most important, there was no program providing for a periodic review to verify that the administrative controls associated with B-1 Wing remained fully effective. Significantly, many of these administrative controls could be supplanted by the installation of an engineered control, a fire suppression system. These issues were communicated to DOE in a letter from the Board dated May 13, 2002.
3. At the Savannah River Site, the safety analysis for HB-Line Phase 2 operations contains requirements for strict control of combustibles in rooms 410N and 410S to protect the process tanks in the area. The controls limit the total quantity of combustibles to 400 pounds wood equivalent and specify separation distances between combustibles and tank supports. However, the transient combustible control procedure did not include this portion of HB-Line, indicating that this administrative control was not complete. Further, a review by Westinghouse Savannah River Company (WSRC) indicated that the quantity of combustibles in the area may actually be as high as 5,670 pounds wood equivalent, providing sufficient fuel to produce a high-temperature (1200°C) flashover fire in the area and boil off the tank contents. As a result, it was determined that combustible control was no longer a viable administrative control for this area. Instead, WSRC has implemented an additional administrative control to limit the concentration of plutonium in the tanks to 5.5 grams per liter to prevent unacceptable consequences of a fire in this area. The details of these issues were documented in a letter from the Board dated July 20, 2001.
The development, selection, and implementation of an effective set of hazard controls are among the most important elements of nuclear safety. At defense nuclear facilities, DOE has established a priority system that favors preventive over mitigative measures, and passive design features over active controls. The approved system recognizes that, where necessary or practical, administrative controls may play an important role in hazard prevention and mitigation.
In the Board's view, the activities associated with the development, implementation, and ongoing verification and validation of safety-class and safety-significant administrative controls should be conducted with the same degree of rigor and quality assurance as that afforded engineered controls or design features with similar safety importance. Therefore, the Board recommends the following:
1. DOE should promulgate a set of requirements for safety-class and safety-significant administrative controls to establish appropriate expectations for the design, implementation, and maintenance of these important safety controls. The requirements should address the following at a minimum:
(a) Specific design attributes to ensure effectiveness and reliability;
(b) Specific TSRs and limiting conditions of operation;
(c) Specific training and qualifications to ensure that the appropriate facility operators, maintenance and engineering personnel, plant management, and other staff properly implement each control;
(d) Periodic reverification that each control remains effective; and
(e) Root cause and failure analyses, similar to those required upon failure of an engineered system.
2. DOE should ensure that all existing administrative controls that serve the function of a safety-class or safety-significant control are evaluated against these new requirements and upgraded as necessary and appropriate to meet DOE's expectations.
Dear Secretary Abraham: The prevention and mitigation of potential accidents inherent in the mission activities at defense nuclear facilities is a fundamental objective of both the Department of Energy (DOE) and the Defense Nuclear Facilities Safety Board (Board). This objective requires DOE and its contractors to identify accident scenarios and then establish effective and reliable safety controls to address them. Engineered controls are preferred over administrative controls because, in general, engineered controls are considered to be more reliable and effective than administrative controls. However, in certain applications, DOE and its contractors have concluded that discrete operator actions or administrative controls are required to address consequences of accidents that would otherwise be unacceptable.
The Board agrees with DOE's overall guidance for a hierarchy of controls and agrees that administrative controls are sometimes appropriate to prevent or mitigate accident consequences--even those that exceed evaluation guidelines for risk to the public. However, the Board has identified a number of administrative safety controls, proposed or in use, at various defense nuclear facilities that are technically inadequate. In many cases, DOE and/or its contractors have asserted that the methods used to establish these administrative controls comply with existing DOE directives. After further analysis, the Board has concluded that the DOE directives system does not contain adequate requirements for the design, implementation, and maintenance of important safety-related administrative controls to ensure that they will be effective and reliable.
As a result, the Board on December 11, 2002, unanimously approved Recommendation 2002-3, Requirements for the Design, Implementation, and Maintenance of Administrative Controls, which is enclosed for your consideration. After your receipt of this recommendation and as required by 42 U.S.C. 2286d(a), the Board will promptly make it available to the public. The Board believes that the recommendation contains no information that is classified or otherwise restricted. To the extent this recommendation does not include information restricted by DOE under the Atomic Energy Act of 1954, 42 U.S.C. 2161-68, as amended, please see that it is promptly placed on file in your regional public reading rooms. The Board will also publish this recommendation in the