1.0�� BACKGROUND

The Defense Nuclear Facilities Safety Board (Board) issued Recommendation 2000-2 on March 8, 2000.� The Department of Energy (DOE or Department) accepted the Board's Recommendation on April 28^th, 2000.� The Board noted, in Recommendation 2000-2, that it was concerned with the fact that many of the Department's nuclear facilities were constructed years ago and are approaching end-of-life.� The Board expressed concern that some degradation of reliability and operability of systems designed to ensure safety can reasonably be expected and recommended specific actions to assess system condition and apply system expertise in managing the configuration of vital safety systems.

In Recommendation 2000-2, the Board identified recommendations to improve the configuration management of vital safety systems, and defined vital safety systems as safety-class, safety-significant, and defense-in-depth.� The Department's Directives system defines safety-significant as those structures, systems, and components not designated as safety-class structures, systems and components (SSCs) but whose preventive or mitigative function is a major contributor to defense-in-depth (i.e., prevention of uncontrolled material releases) and/or worker safety as determined from hazard analysis. The term vital safety system, as used within this implementation plan, is understood to mean safety-class systems, safety-significant systems, and systems that perform an important defense in depth safety function.� This definition is consistent with the Board's terminology and defined within Appendix C of this implementation plan.

The Department completed its own analysis of the Board's Recommendation and evaluated the impact of safety program weakness upon ventilation and confinement systems that perform safety functions.� The conclusions drawn from the evaluation validate the safety issues and recommendations described in Board Recommendation 2000-2.� The Department's analysis of the Board's Recommendation led to a commitment to develop an implementation plan as described in the Secretary�s acceptance letter of April 28, 2000, to accomplish the following:

� Development of expert-based guidelines for surveying and assessing confinement ventilation systems and implementation of a plan to identify and correct root cause of deficiencies.

� Incorporation of open commitments remaining in the action plan addressing safety issues related to High Efficiency Particulate Air (HEPA) filters.

� Evaluation of existing practices and industry models for use in establishing a cognizant system engineer concept to strengthen the engineering resources available for facility configuration management.

� Assessment of the availability and sufficiency of DOE expertise, identification of actions necessary to ensure expertise can be brought to bear in the life-cycle management of vital safety systems and to assess whether federal technical expertise on safety systems is available to support operating contractors when significant system problems arise.

� Review of line oversight of contractor programs to determine whether safety systems, as well as programs essential to system operability, are being included in those programs.� As necessary, identify corrective actions to improve implementation of line oversight programs.

2.0�� UNDERLYING CAUSES

In accepting the Board�s Recommendation, the Department performed an evaluation of oversight findings and data reported in the Operational Reporting and Processing System (ORPS).� The evaluation reached many of the same conclusions identified by the Board, including the need to assess confinement ventilation systems, and provided a framework for defining the safety issues addressed in this implementation plan.

The Department�s evaluation concluded that, despite their importance to safety, confinement ventilation systems are often not maintained or upgraded in a timely manner.� The ORPS data indicated that the two dominant root causes for occurrences were related to equipment/material deficiencies and management problems (e.g., authorization basis problems, configuration management, and operator qualifications).� The evaluation concluded that problems with resource availability, and their prioritization, often led to �work-around� measures to achieve a marginally operable safety condition in lieu of system upgrades and maintenance.��

3.0�� BASELINE ASSUMPTIONS

The Department made the following baseline assumptions during the development of the 2000-2 Implementation Plan:

� If properly implemented, additional resources are not required to phase in a system engineer concept.

� Actions described within this implementation plan are applicable to defense nuclear facilities.

4.0�� SAFETY ISSUE RESOLUTION

The Department's Integrated Safety Management (ISM) System makes environment, safety and health (ES&H) practices an integral part of the process of planning and performing work safely.� A continuous effort is needed to establish ISM as the central, enduring framework for safely protecting the public, worker, and the environment while accomplishing the Department's mission and work.

Full implementation of ISM cannot be considered accomplished until vital safety systems are identified, responsibility for their operational readiness is clearly established, an understanding of their readiness is developed, and functional maintenance and configuration management systems are in place to ensure continuing readiness.

The resolution approach described within this implementation plan defines actions to initially assess the operability of the Department's vital safety systems and enhances the Department's ability to apply engineering expertise to safely maintain and operate those systems.� The following sections describe actions to:

� Implement a phased approach to assess the current operational readiness of vital safety systems and assess key facilities and/or systems where operability may have degraded.� Corrective actions and compensatory actions will be tracked and managed to ensure that the operational readiness of these systems is maintained.

� Establish a practice of qualifying technical personnel with system expertise and designating them as system engineers for systems and processes that are important to safety.� This practice is expected to enhance the Department's ability to apply engineering expertise in all five functions of ISM.

� Define Federal workforce expertise necessary to support oversight of the contractor's system engineer program.� Once defined, the Department will establish qualification requirements for federal personnel relied upon for system expertise. This practice is also expected to enhance the Department's ability to apply engineering expertise in all five functions of ISM.

� Establish a practice that strengthens line management's review of feedback mechanisms by periodically reviewing the scope and results of ES&H self-assessments and summarizing the results for the Secretary.� This practice is expected to provide senior leadership with an executive summary of the results obtained from mechanisms that make up the feedback and improvement function of ISM.

4.1�� Safety System Operability

In Recommendation 2000-2, the Board describes several technical reports that identify concerns related the ability of ventilation systems to reliably perform their intended safety functions.� In that Recommendation, the Board specifically urged the Department to establish a team of experts to survey the operational condition of ventilation systems and observed that other vital safety systems could benefit from similar attention.

In a September 8, 2000 letter to the Secretary of Energy, the Board amplified the intent of Recommendation 2000-2 and defined the basic thrust of the Board's Recommendation to be the assessment of the operational readiness of vital safety systems and noting that the operational readiness of vital safety systems is at the core of ISM. �As facilities age, a combination of age-related degradation and less than effective implementation of preservation programs (e.g., change control, upgrades, and maintenance) may affect system reliability and ability to perform design safety functions.� In its September 8, 2000 letter, the Board concluded that the Department's operating contractors have not always given equipment designed to serve vital protective functions the attention those safety functions deserve, and urged the Department to ensure the operational readiness of these systems.

Actions to assess ventilation and fire protection systems are described in Section 4.1.2 and 4.1.3.� The following Section describes actions to baseline the operability of the defense nuclear facility vital safety systems and the process to manage the actions necessary to improve and maintain their operability.

4.1.1 Operability Assessments

Resolution Approach

The Department will employ a two-phased approach to verify the operational readiness of vital safety systems.� The following paragraphs provide an overview of the Department's approach.�

During the first phase, operating contractors, overseen by Federal field office personnel, will perform an initial assessment of vital safety system operational readiness.� This will be accomplished by identifying the vital safety systems within defense nuclear facilities of interest listed in Appendix E; reviewing existing operational and maintenance records; and qualitatively determining a readiness state for each vital safety system within these facilities.� To assure consistency, a basic set of criteria will be developed to guide the performance of the initial Phase I assessments.

Once Phase I assessments are complete, the Department will evaluate the results and identify key facilities and/or systems where issues or concerns are identified regarding the operational readiness of vital safety systems.� These key facilities and/or systems will be further assessed in Phase II, while existing self-assessment processes will continue to be relied upon to maintain the condition of the remaining facilities. In Phase II assessments, a vertical slice will be performed upon these key facilities and systems by assembling review teams to tailor assessment criteria and perform a detailed assessment of the operational readiness of systems.� In a manner similar to the approach used by the Department in verifying the implementation of ISM, team leaders will be selected who will, in turn, assemble and train a team to conduct the Phase II assessment.� Team personnel would be recruited locally and, where possible, from other field and program offices.� For the ISM-like assessments, the ventilation system assessment guidance and criteria (discussed in Section 4.1.2) will be tailored for use in specific facilities.

Deficiencies and associated corrective actions/compensatory actions that arise from Phase I and Phase II assessments will be tracked and managed in local corrective action management systems.� Where systemic issues or degradation requiring significant capital upgrades (i.e., upgrades requiring a Congressional budget line item or a major system acquisition) are identified, corrective actions will be documented and managed in the Department's Corrective Action Tracking System.� Budget requirements for corrective� actions resulting from these assessments will be identified on an annual basis and submitted into the budget process.

Commitments

Note:� The Department intends to meet the schedule established by commitments 5, 6, and 7.� However, the time needed to complete commitments 3 and 4 will be evaluated assess the validity of that schedule.� If necessary, completion of commitment 5 will be delayed up to two months, which would in turn delay completion of commitments 6 and 7.

Commitment 1

Commitment Statement:� The Secretary will initiate Phase I assessments and issue guidance/criteria to ensure consistent results.

Deliverable:� Assessment criteria/guidance

Responsible Manager:� Assistant Secretary for Environment, Safety and Health

Due Date:� November 2000

Commitment 2

Commitment Statement:� Cognizant Secretarial Officers (CSOs) will identify and list safety-class systems, safety-significant systems, and other systems that perform important defense in depth functions in defense nuclear facilities at each of their facilities.� These lists will be used for other actions described within this implementation plan and forwarded to the FTCP for use in determining the system expertise needed at the Federal level.

Deliverable:� CSO memos forwarding the system lists to the Chair of the FTCP.

Responsible Manager:� Assistant Secretary for Environmental Management

�� Deputy Administrator for Defense Programs

Due Date:� November 2000

Commitment 3

Commitment Statement:� At the priority facilities listed in Appendix E, the Department will complete initial Phase I assessments of safety class, confinement ventilation, and fire protection systems.

Deliverable:� Response to Phase I assessment guidance/criteria

Responsible Manager: Assistant Secretary for Environmental Management

�� Deputy Administrator for Defense Programs

Due Date:� February 2001

Commitment 4
Commitment Statement:� At the follow-on facilities listed in Appendix E, the Department will complete Phase I assessments of safety class, confinement ventilation, and fire protection systems.
Deliverable:� Response to Phase I assessment guidance/criteria
Responsible Manager: Assistant Secretary for Environmental Management
�� Deputy Administrator for Defense Programs
Due Date:� May 2001

Commitment 5

Commitment Statement:� At all facilities listed in Appendix E, the Department will complete Phase I assessments of remaining vital safety systems.

Deliverable:� Response to Phase I assessment guidance/criteria

Responsible Manager: Assistant Secretary for Environmental Management

�� Deputy Administrator for Defense Programs

Due Date:� June 2001�

Commitment 6

Commitment Statement:� The Department will evaluate the results obtained from Phase I assessments conducted at Facilities of Interest and identify key facilities and/or systems that will receive Phase II assessments.

Deliverable:� Briefing to the Board on the list of key facilities and systems that will receive a Phase II assessment and a schedule for their completion

Responsible Manager: Assistant Secretary for Environmental Management

�� Deputy Administrator for Defense Programs

�� Assistant Secretary for Environment, Safety and Health

Due Date:� July 2001

Commitment 7

Commitment Statement:� The Department will assemble teams and begin Phase II assessments.

Deliverable:� Letter announcing commencement of the first Phase II assessment

Responsible Manager:� Field Office Manager

Due Date:� September 2001

Commitment 8
Commitment Statement:� Deficiencies observed during Phase I and Phase II assessments will be tracked and managed in local corrective action management systems.� Resources allocated to address findings resulting from confinement ventilation system and other assessments within this Implementation Plan will be identified on an annual basis
Deliverable:� Summary of resources allocated within the FY 2003 budget request from congress
Responsible Manager:� Assistant Secretary for Environment, Safety and Health
�� Assistant Secretary for Environmental Management
�� Deputy Administrator for Defense Programs
Due Date:� February 2002

4.1.2 Ventilation System Operability

Resolution Approach

In Recommendation 2000-2, the Board concluded that degradation of confinement ventilation system reliability and operability might be approaching unacceptable levels.� Their conclusion was based upon a review and analysis of DOE occurrence reports.� The frequency and variety of off-normal occurrences led the Board to recommend the establishment of a team to survey operational records and assess the current condition of confinement ventilation systems important to safety in defense nuclear facilities.

In accepting the Board�s Recommendation, the Department performed an analysis of oversight findings and data reported in ORPS.� The analysis reached many of the same conclusions identified by the Board, including the need to assess confinement ventilation systems.

The first step in addressing this safety issue is to develop a set of assessment criteria and guidance to be used to ascertain the current condition of confinement ventilation systems vital to safety within defense nuclear facilities.� A team of experts, with expertise in areas such as system design, reliability/safety analysis, equipment operation and performance, maintenance and operations, health physics, fire safety, industrial hygiene, and assessor/inspector practices will develop the assessment criteria/guidance and test their effectiveness at a limited number of facilities.� The expert team will consist of representatives from the Department, its M&O contractors, and industry organizations with experience with confinement ventilation systems.

The assessment criteria developed for confinement ventilation systems will also begin to address other systems (e.g., electrical power; instrumentation and control systems) whose operation are essential to support this vital safety system.� The assessment will review the general condition of the supporting systems and determine whether their design and classification appropriately support operation of the confinement ventilation system.� This review of supporting systems will provide some indication as to whether the condition of these systems has degraded to the point where they are not capable of supporting the operation of the confinement ventilation system.

Conceptually, the assessment guidelines developed by these experts will have an assessment team begin with a review of technical authorization basis documents to identify critical system functions.� The team will then review system drawings and walk down the system to determine overall material condition and physical layout. Once the assessment team has developed an understanding of the facility-specific conditions and layout, the team will review facility records (e.g., equipment operating logs) and perform additional walk downs to evaluate programs that ensure reliable system performance (e.g., maintenance and operator training) and identify operational trends.�

Where negative trends or problem areas are identified, the assessment team will identify and document causes and recommend actions to address them (e.g., system upgrades, maintenance program adjustments, or training).� Finally, based upon the assessment results and engineering judgment, the assessment team will estimate the ability of the confinement system to reliably perform its safety function(s) over the remaining system lifetime.� As conceived, the assessment results will be documented in a summary report and issued to the field element manager.� Lessons learned during the performance of these assessments will be provided to field element managers for use in future ES&H assessments.

Once assessment criteria and guidance are developed, the expert team will test the criteria's effectiveness at pilot facilities.� Five facility attributes were identified for consideration in selecting facilities to assess as pilots.� The attributes were defined in a manner to maximize the ability to test criteria effectiveness on facilities with a diverse range of missions and complexity.

1. Facility Age.� Moderate to old facilities were considered more desirable as candidates.� Conditions at older facilities were considered to provide the best challenge to assessment criteria.

2. Remaining Mission Life.� The assessment criteria should be tested at a facility with significant missions remaining and one nearing deactivation.

3. Authorization Basis Status.� Pilot tests should be conducted at facilities with recently updated Authorization Basis and well documented system classification (safety-class/safety-significant)

4. System Complexity.� Criteria effectiveness should be initially tested on relatively complex confinement ventilation systems.

5. Program Owner.� Although a number of program offices oversee facilities with confinement ventilation systems, facilities operated by Environmental Management (EM) and Defense Programs (DP) were considered to be representative of the Department.

Several facilities were identified as possible pilot facilities during development of this implementation plan.� All candidate facilities were considered to have a complex ventilation system:

� Rocky Flats Building 371:� Building 371 is an EM facility with a current Authorization Basis.� The facility is approximately 20 years old and will be deactivated in the near future. The confinement ventilation system is safety-class.

� Savannah River H-Canyon:� The canyon is also an EM facility with a good Authorization Basis.� The facility is approximately 45 years old and is expected to remain operational in excess of 10 years.� The confinement ventilation system is safety-class.

� Los Alamos National Laboratory's TA-3 Chemistry and Metallurgical Research Laboratory (CMR):� CMR is a DP facility with a current Basis for Interim Operations.� The facility is approximately 50 years old and is expected to remain operational for another 10 years.� The confinement ventilation system is classified as safety-significant.

� Los Alamos National Laboratory's TA-55 Building 4: TA-55 is a DP facility with a good Authorization Basis.� The facility is approximately 20 years old and is expected to remain operational in excess of 10 years.� The confinement ventilation system is classified as safety-significant.

� Lawrence Livermore National Laboratory's Building 332:� Building 332 is also DP facility with a current Authorization Basis.� The facility is approximately 40 years old and is expected to remain operational in excess of 10 years.� The confinement ventilation system is safety-class.

Once developed and tested by the "expert team," the assessment criteria/guidance will be issued to the CSOs for use at their facilities.� Line management in the field will assemble a team, using local expertise (supplemented as need by expertise available elsewhere in the complex), to assess confinement ventilation systems that are important to safety.� Members of the "expert team" involved in the development and testing of the assessment guidelines will be available to consult with field personnel to ensure consistency in guideline application and assist in evaluating findings relative to criteria in the assessment plan.�

Recommended actions to address issues or concerns identified by assessment teams (e.g., improved maintenance, compensatory measures, or training) will be documented in the reports issued to the field element managers and managed in local corrective action management systems.� The qualitative system reliability evaluation made by an assessment team will be considered when recommending compensatory measures.� Where systemic issues or degradation requiring significant capital upgrades (i.e., upgrades requiring a Congressional budget line item or a major system acquisition) are identified, corrective actions will be documented and managed in the Department's Corrective Action Tracking System.

In a June 8, 1999, letter to the Secretary of Energy, the Board released Technical Report 23, HEPA Filters Used in the Department of Energy's Hazardous Facilities, and requested a plan outlining the steps required to restore the infrastructure that supports the HEPA filter program.� HEPA filters are used extensively at the Department's sites to remove small hazardous and radioactive particles from air flowing from a facility's interior to the outdoors.� The filters are the accepted method to keep airborne particulate emissions within safety standards in order to protect the public, workers, and the environment.

In a response dated December 6, 1999, the Department issued an action plan that addressed four general issues:� assessments, technical issues, management issues, and information exchange.� In the action plan, the Department identified six actions to be taken and committed to providing thirteen deliverables.� In response to Board Recommendation 2000-2, the Department agreed to incorporate into this implementation plan the open commitments from the Secretary's HEPA filter action plan.�

A copy of the Secretary's HEPA filter action plan is provided in Appendix A.� A summary of commitments made in the Secretary's HEPA filter action plan and their status are provided in Table 1.� The open commitments from that action plan are incorporated by reference into this implementation plan and listed in Table 2.

Commitments

Commitment 9
Commitment Statement:� The Department will develop assessment criteria and guidelines to ascertain the current condition of confinement ventilation systems within defense nuclear facilities.
Deliverable:� Assessment criteria and guidelines for Department defense nuclear facilities.
Responsible Manager:� Assistant Secretary for Environment, Safety and Health
�� Assistant Secretary for Environmental Management
�� Deputy Administrator for Defense Programs
Due Date:� March 2001

Commitment 10

Commitment Statement:� The expert team will test the effectiveness of confinement ventilation system assessment criteria and guidelines at two pilot facilities.

Deliverable:� Briefing to the Board

Responsible Manager: Assistant Secretary for Environment, Safety and Health

�� Assistant Secretary for Environmental Management

�� Deputy Administrator for Defense Programs

Due Date:� June 2001

Commitment 11
Commitment Statement:� Field element managers will assemble teams to assess the condition of confinement ventilation systems that are important to safety.� Corrective actions will be entered into local corrective action management systems, and as necessary, the Department's Corrective Action Tracking System.
Deliverable:� CSO letters reporting completion with an enclosed sample assessment report from a facility at each site.
Responsible Manager: � Assistant Secretary for Environmental Management
�� Deputy Administrator for Defense Programs
Due Date:� September 2001

Secretarial HEPA filter report commitments are incorporated by reference include:

� Action 2.0, Deliverable 2.1; Responsible Manager:� Deputy Administrator for DP

� Action 2.0, Deliverable 2.2; Responsible Manager:� Deputy Administrator for DP

� Action 2.0, Deliverable 2.3; Responsible Manager:� Lead Program Secretarial Officers (LPSOs)

� Action 3.0, Deliverable 3.3; Responsible Manager:� LPSOs

� Action 4.0, Deliverable 4.1; Responsible Manager:� Assistant Secretary for EM

� Action 4.0, Deliverable 4.2; Responsible Manager:� Assistant Secretary for EM

� Action 5.0, Deliverable 5.1; Responsible Manager:� Assistant Secretary for EM

4.1.3 �� Fire Protection System Operability

Resolution Approach

In a memorandum dated October 2, 2000 (Appendix F), the Secretary of Energy initiated action to assess the abilities of DOE sites to effectively prevent fires and respond effectively in the event a fire occurs.� The Secretary's initiative begins with an initial review of the Department's current capabilities related to wildfire safety, including those aspects of emergency management that deal with the ability to respond to a wildfire.� A copy of that review, including its site-specific and DOE-wide recommendations for improvement, will be provided to the Board as a deliverable under this implementation plan.�

Using data obtained from the initial review, the Assistant Secretary for Environment, Safety and Health will develop a plan and take the lead in conducting a comprehensive study that provides for an in-depth evaluation of the capability to respond to wildfires and emphasizes facility fire safety, including fire detection and suppression systems and facility-specific programs that support those systems.�

Information obtained as a result of reviewing fire protection systems during the initial Phase I assessments will be factored into the development of the comprehensive study developed by the Office of Environment, Safety and Health.� Conceptually, the facility assessments described in the comprehensive study will be comparable in nature to the Phase II assessments conducted on other vital safety systems under this implementation plan. Additionally, the technical concepts and principles provided by the Board in its Technical Report 27, Fire Protection at Defense Nuclear Facilities, will be incorporated during development of the comprehensive study. The Office of Environment, Safety and Health will coordinate 2000-2 Phase 2 activities with the comprehensive study developed for the Secretary�s fire safety initiative to avoid duplication of efforts.� The comprehensive study is scheduled to commence early in calendar year 2001.� A copy of the plan for the comprehensive facility fire safety study will be provided to the Board as a deliverable under this implementation plan.

Commitments

Commitment 12

Commitment Statement:� The Department will complete an initial review of the ability of DOE sites to effectively prevent fires and respond effectively in the event that a fire occurs.� This review, in addition to the Phase I assessments, will provide the information to plan the comprehensive study described in Commitment 13.

Deliverable:� Initial review report

Responsible Manager: Assistant Secretary for Environment, Safety and Health

Due Date:� December 2000

Commitment 13
Commitment Statement:� The Department will develop a plan for conducting a comprehensive study that provides for an in-depth evaluation of the capability to respond to wildfires and emphasizes facility fire safety, including fire detection and suppression systems and facility-specific programs that support those systems.
Deliverable:� Comprehensive study plan
Responsible Manager: Assistant Secretary for Environment, Safety and Health
Due Date:� April� 2001

4.2�� Safety System Expertise

Safety Issue: Integrated Safety Management (ISM) System processes help to ensure systems are able to perform their design safety functions.� Effective implementation of ISM relies upon the ability to apply engineering expertise to maintain safety system configuration and assess system condition.

4.2.1 System Expertise:� Contractor Personnel

Resolution Approach

In Recommendation 2000-2, the Board observed that the Department has not adopted the nuclear business' long-standing practice of designating system engineers for systems and processes that are vital to safety.� The Board stated a belief that by identifying personnel outside the operational forum, designating them as system engineers, and assigning them responsibility for configuration management, the Department could establish a mechanism that would go a long way toward ensuring reliable safety system performance.�

In developing this implementation plan, the Department performed a review of system engineer guidance and system engineer configuration management practices in place at a number of DOE facilities.� The results of that review are discussed in the following paragraphs.

Although contractors have put into place programs to maintain configuration control of safety systems, the Department has not established a consistent set of requirements related to the application of a system engineer concept to maintain configuration control of safety systems.� DOE STD 1073-93, Guide for Operational Configuration Management Program, which provides guidance related to the elements of a contractor configuration management program, includes a brief, general discussion of the system engineer concept.� Appendix B of Part I of the standard describes the potential value added by the system engineers in managing change control at DOE facilities and outlines the key attributes of a system engineer program.

The Department reviewed configuration management practices at a number of sites. Although configuration management programs were observed, many contractors had not adopted a formal system engineer function.� Where analogous programs exist, rigor and formality varied significantly.� In general, the National Laboratories are organized on a project basis and primarily rely on the facility manager or individual scientist/experimenter to concern themselves with their safety systems and control system configuration.� Of the facilities reviewed, the system engineer programs in place at the Paducah and Portsmouth gaseous diffusion plants represented the most mature programs.

The Nuclear Regulatory Commission (NRC) regulates United States Enrichment Corporation (USEC), which operates the Paducah/Portsmouth gaseous diffusion plants.� The diffusion plants' system engineer programs were developed from a review of successful programs in place at a number of commercial nuclear power plants.� At their plants, USEC has implemented a mature system engineer function that meets NRC expectations regarding the use of system engineers and performs the functions described by the Board.

The Institute of Nuclear Power Operations (INPO) developed Good Practice TS-413, Use of System Engineers, as a guide to assist the commercial nuclear industry develop its own system engineer program.� TS-413 defines the features of an effective system engineer program, lessons learned from the adoption of these programs, and provides an example program as a model for commercial use.

The Department agrees that, if implemented correctly, the system engineer concept could represent a mechanism for applying technical expertise to maintain the design basis, control configuration, and trend performance.� The results obtained from the document and program reviews described in the preceding paragraphs were used to develop a conceptual system engineer model for use at the Department's facilities.� Where safety systems are required to protect the public and workers, the system engineer concept is applicable throughout a facility's life cycle (i.e., new facilities, existing facilities, and facilities undergoing decontamination and decommissioning).� DOE O 430.1A, Life Cycle Asset Management, will be revised to include requirements for a contractor system engineer program.� However, as this implementation plan is being developed, a proposal to cancel DOE O 430.1A and incorporate applicable requirements into other orders is being evaluated by the Department.� If DOE O 430.1A is cancelled, system engineer requirements will be incorporated into another applicable order, such as DOE O 420.1, Facility Safety.

An Order revision will be drafted to establish requirements to address the following program elements:

� Identify systems whose safety significance warrants the use of a system engineer.

� Establish a program to implement key system engineer functions.� Conceptually, a contractor's system engineer program would perform three key functions: configuration management activities, evaluation of system status and performance, and technical support for operations and maintenance activity and evaluation of potential inoperability when a safety function appears compromised.� The system engineer function should be established outside the operational forum, but within line management, to provide a perspective that is insulated from operational pressures and production requirements.

� Establish a need for contractors to define minimum qualification/requalification requirements and establish a process for identifying successor system engineers.� The qualification/requalification requirements defined for system engineers should be consistent with those defined for senior engineering positions described in DOE O 5480.20A, Personnel Selection, Qualification, and Training Requirements for DOE Nuclear Facilities.� The qualification/requalification requirements established for the system engineers will be incorporated into the contractor training programs required by DOE O 5480.20A.

� Safety system assessments:� System engineers must be actively involved in periodic facility condition inspections to assess the condition of their assigned system.� Actions and requirements to address system assessment are contained in DOE O 4330.4B, Maintenance Management Program.

Implementation of these system engineer requirements should be tailored to facility hazards and the systems relied upon to prevent or mitigate those hazards.� A graded approach will be used to implement system engineer Order requirements.[16383]

Development and coordination of new requirements to be included in an Order is expected to take a significant amount of time.� While awaiting formal requirements to be established, the Secretary will provide interim direction that will have contractors define vital safety systems warranting the use of a system engineer and initiate action to develop and implement the type of system engineer program defined within this implementation plan.� This interim direction will describe the elements of a system engineer program to be institutionalized within the Directives system and establish dates for interim implementation while awaiting processing through the Directives system.� The Office of Environment, Safety and Health will monitor the field's response to the Secretary's interim guidance and evaluate implementation progress after one year.��

Although line management is responsible for facility safety, the system engineer is responsible for ensuring the assigned safety system(s) remains operable and receives the care and maintenance necessary to support the facility mission.� DOE STD 1073-93 provides guidance regarding the system engineer concept and the following discussion supplements and reinforces the guidance contained within the document.

Configuration Management:� Conceptually, this program function is associated with maintaining consistency among the system�s design basis and requirements, system documentation, and physical configuration.�� The system engineer would be responsible for identifying documents (e.g., drawings, calculations, applicable portions of documented hazard and accident analyses, and vendor manuals) that define the design basis for a system important to facility safety, identifying additional documents needed, and ensuring system documentation is kept up to date using a formal work control/change control process.� Where a facility�s design basis has not been clearly defined, the system engineer would be responsible for identifying system requirements, performance criteria, and documents considered to be essential to system operation.� DOE STD 3024-98, Content of System Design Descriptions, provides guidance regarding the identification and consolidation of key design documents.� The system engineer will also be responsible for ensuring work control and change control processes are followed and regular assessments of the system to ensure continued operational readiness as detailed in the following paragraph.

Assessment of System Status and Performance:� Conceptually, this program function is associated with being cognizant of ongoing maintenance and operations activities, evaluating system performance, and involvement in the identification and correction of equipment deficiencies.� To be effective, the system engineer must remain apprised of the system�s operational status and ongoing modification activities.� The system engineer would also assist operations to review key system parameters, evaluate system performance, and initiate actions to correct problems.� System material condition should also be periodically reviewed by the system engineer during implementation of facility condition inspections required by the Maintenance Order.� These periodic reviews should include a review of component classification and an assessment of the system's ability to perform design and safety basis functions.�

Technical Support for Operations and Maintenance Activity:� Conceptually, this program function is associated with providing technical assistance in support of maintenance and operations activities.� Once established, a system engineer would function as the individual cognizant of the system-specific maintenance/operations history as well as industry operating experience.� The system engineer would be actively involved in day-to-day activities to identify emerging trends and would provide technical assistance, as necessary, in determining operability or correcting out-of-specification conditions or evaluating questionable data.� When a safety system is suspected to be inoperable or degraded, the system engineer provides an analysis or supports an analysis, which determines operability.� The system engineer will also be responsible for reviewing and concurring with design changes and providing input to the development of special operating/test procedures.

Commitments

Commitment 14

Commitment Statement: While awaiting formal requirements to be established, the Secretary will provide interim direction that will have contractors initiate actions to designate system engineers for vital safety systems.

Deliverable:� Secretarial letter

Responsible Manager: Assistant Secretary for Environment, Safety and Health

Due Date:� November 2000

Commitment 15
Commitment Statement:� The Department will establish requirements for a system engineer concept to manage the configuration of systems designated as important to safety.
Deliverable:� Draft DOE Order revision submitted into the Directives review process.
Responsible Manager: Assistant Secretary for Environment, Safety and Health
Due Date:� March 2001

Commitment 16

Commitment Statement: The Office of Environment, Safety and Health will monitor the field's response to the Secretary's interim guidance and evaluate implementation progress after one year.

Deliverable:� Briefing to the Board

Responsible Manager: Assistant Secretary for Environment, Safety and Health

Due Date:� November 2001

4.2.2 System Expertise:� Federal Personnel

The oversight role of the DOE Federal workforce requires familiarity with vital safety systems and the contractor's application of the system engineer concept.� Once contractors implement a system engineer program, the Department needs to ensure that Federal technical personnel knowledgeable of those safety systems are available to support the contractor's life-cycle management of vital safety systems, particularly when significant system problems arise.

Determination of system expertise needed at the Federal level begins with the identification of safety-class and safety-significant systems at each site.� The types and number of these safety systems at each site will determine the need for Federal personnel with expertise in a particular safety system.� As described in Commitment 2, CSOs will work with field element managers to identify these systems and forward a list of systems from each site to the Federal Technical Capability Panel (FTCP).

As a supplement to the Department's annual workforce needs assessment, the FTCP will assess the availability of DOE Federal expertise and recommend actions necessary to ensure that such expertise can be brought to bear in the life-cycle management of vital systems. Where a field element manager determines it is not practicable to maintain Federal expertise in a particular system, expertise must be available from elsewhere within the complex.� Based on the FTCP's assessment, a report will be generated that describes current organizational methods and processes that align Federal technical expertise with system engineer needs.� Based on recommendations of that report, changes or additions will be made to the Technical Qualifications Program (TQP) standards and processes.� Such changes may include required demonstration of expertise in vital safety systems or involve definition of a qualification standard(s).

Commitments

Commitment 17

Commitment Statement:� As a supplement to the annual workforce analysis, the FTCP will identify system expertise needed at the Federal level and survey the availability and sufficiency of personnel required to ensure effective oversight of contractor safety systems.�

Deliverable:� Letter to the Board forwarding analyses provided to the Chair of the FTCP.

Responsible Manager:� Chair, FTCP

Due Date:� March 2001

Commitment 18

Commitment Statement:� A report will be compiled identifying the Department's needs for Federal technical personnel capable of reviewing safety systems and programs essential to systems operability and the means of addressing critical technical skills gaps.

Deliverable:�� Recommendations provided to the Deputy Secretary

Responsible Manager:� Chair, FTCP

Due Date:� April 2001

Commitment 19

Commitment Statement:� Based on conclusions and recommendations made in Commitment 18, changes or additions will be made to the Technical Qualifications Program (TQP) standards and processes.

Deliverable:� Revised Technical Qualifications Program standard or process for safety system expertise.

Responsible Manager:� Chair, FTCP

Due Date:� June 2001

4.3�� Safety System ES&H Assessments

In Recommendation 2000-2, the Board recommended that the Department ensure safety system status, as well as supporting programs, are scrutinized as a regularized part of assessments performed by the line management.� In accepting the Board's Recommendation, the Department committed to a review of line oversight of contractor programs to determine whether safety systems, as well as programs essential to system operability, are being included in those programs.

DOE P 450.5, Line Environment, Safety and Health Oversight, sets forth the expectations for ES&H oversight and the use of contractor self-assessment programs as the cornerstone of this oversight.� The Policy defines the key elements of a line ES&H program for both the contractor and DOE line organizations.�

The Department and its contractors have an abundance of oversight and feedback mechanisms that satisfy the requirements of DOE P 450.5 and are used to improve operations throughout the DOE complex.� In developing the ISM System, the Department established a guiding principle that line management is responsible for safety, and line managers have a responsibility to get personally involved in reviewing and making use of performance feedback information to drive continuous improvement.

In order to provide senior leadership with information obtained from these oversight and feedback processes, the Department will begin a regular practice of periodically reviewing ES&H assessments performed by DOE and the maintenance and operation (M&O) contractor at each site, and summarizing the results for the Secretary.� Annually, LPSOs will review the results of ES&H assessments performed during the previous year and provide the Secretary with a summary report for each of their sites.� The report for each site will:�

� Summarize the scope and schedule for ES&H assessments performed over the previous 12 months by the M&O contractor, DOE line management, and the Office of Independent Oversight.

� Summarize the results obtained from these assessments, both by program and vital safety systems.� Using a site-specific list of vital safety systems (Commitment 3), the summary report will provide a crosswalk of how ES&H assessment programs at each site review the condition of their vital safety systems.

� Note actions taken to address significant issues.

� Identify issues where the field element manager has asked for assistance.

This annual review of ES&H assessments will be institutionalized as a requirement in the Directives system (e.g., a revision of DOE O 231, Environment, Safety and Health Reporting).

Commitments

Commitment 20
Commitment Statement: Annually, LPSOs will review the results of ES&H assessments performed during the previous year and provide the Secretary with a summary report for each of their sites.
Deliverable:� Summary reports from each LPSO reporting the results of assessments at each of their sites.
Responsible Manager:� Assistant Secretary for Environmental Management
�� Deputy Administrator for Defense Programs
�� Director of the Office of Science
Due Date:� February 2001
�� February 2002

Commitment 21
Commitment Statement: Annual LPSO reviews of ES&H assessments, described in Commitment 20, will be institutionalized within the Directives system.
Deliverable: Draft DOE Order and/or Policy revisions submitted into the Directives review process.
Responsible Manager: Assistant Secretary for Environment, Safety and Health
Due Date:� July 2001

5.0�� Organization and Management

The Responsible manager for overall execution of this implementation plan is the Office of Environment, Safety and Health.� In this capacity, the Responsible manager ensures individuals responsible for deliverables and commitments identified within this implementation plan complete their actions.� To coordinate completion of these commitments, the Responsible manager will establish and chair a team comprised of senior representatives from the field and from the Headquarters program offices of Science, Defense Programs, and Environmental Management.� The various lead responsible organizations identified within the implementation plan are accountable to the Responsible manager with regard to the completion of deliverables.

5.1�� Change Control

Complex, long-range plans require sufficient flexibility to accommodate changes in commitments, actions, or completion dates that may be necessary due to additional information, improvements, or changes in baseline assumptions.� The Department�s policy is to (1) provide prior, written notification to the Board on the status of any implementation plan commitment that will not be completed by the planned milestone date, (2) have the Secretary approve all revisions to the scope and schedule of plan commitments, and (3) clearly identify and describe the revisions and bases for the revisions.� Fundamental changes to the plan�s strategy, scope, or schedule will be provided to the Board through formal revision and reissuance of the implementation plan.� Other changes to the scope or schedule of planned commitments will be formally submitted in appropriate correspondence approved by the Secretary, along with the basis for the changes and appropriate corrective actions.

5.2�� Reporting

To ensure the various Department implementing elements and the Board remain informed of the status of plan implementation, the Department's policy is to provide progress reports until implementation plan commitments are completed.� The Department will provide briefings to the Board approximately every 4 months.

Commitment 22
Commitment Statement: The Department will provide briefings to the Board approximately every four months.
Deliverable: Briefings
Responsible Manager: Assistant Secretary for Environment, Safety and Health
Due Date:� January 2001, and approximately every four months thereafter

Table 1:� Summary Status of Secretarial HEPA Filter Report Commitments

Action Plan Commitment Summary	Commitment Status
Action 1, Deliverable 1.1	The Department has completed this commitment.� On March 1, 2000, the Deputy Secretary issued a memorandum initiating action to assess nuclear facilities.� A copy of the memorandum was provided to the Board on April 19, 2000.
Action 1, Deliverable 1.2	All vulnerability assessments were completed by August 2000.� The Assistant Secretary for Environment, Safety and Health is developing a letter that formally notifies the Board that the Department has completed this action and that the Department intends to reevaluate the condition of HEPA filters during the performance of confinement ventilation system assessments.
Action 1, Deliverable 1.3	The Department�s commitment to enter corrective actions into CATS was completed by September 2000.� The Assistant Secretary for Environment, Safety and Health is developing a letter that formally notifies the Board that the Department has completed this action and that the Department intends to reevaluate the condition of HEPA filters and identify corrective actions under this implementation plan activity to assess confinement ventilation systems.
Action 2, Deliverable 2.1	The Secretary's HEPA filter report committed to a completion date of 12/01/00
Action 2, Deliverable 2.2	The Secretary's HEPA filter report committed to a completion date of 11/30/01
Action 2, Deliverable 2.3	The Secretary's HEPA filter report committed to a completion date of 11/30/01
Action 3, Deliverable 3.1	The Department has completed this commitment.� A page change was developed to DOE HDBK 3010-94 and issued on March 1, 2000.� This completed Action 3, Deliverables 3.1 and 3.1. The Deputy Administrator for Defense Programs provided formal notification to the Board on September 1, 2000.
Action 3, Deliverable 3.2	The Department has completed this commitment.� A page change was developed to DOE HDBK 3010-94 and issued on March 1, 2000.� This completed Action 3, Deliverables 3.1 and 3.1. The Deputy Administrator for Defense Programs provided formal notification to the Board on September 1, 2000.
Action 3, Deliverable 3.3	The LPSO�s have not yet issued letter to field describing the change and identifying the need to screen Authorization Basis documents for unreviewed safety questions.
Action 4, Deliverable 4.1	The Department has completed an evaluation of the management issues related to QPL Laboratory and Filter Test Facility operations. A working group evaluation, which addressed consolidation of filter test facilities at one site, is referred to the DOE Chief Operating Officers (COO�s) for final resolution of recommendations.� The COO�s will decide on the final content of recommendations in December, 2000 and the results will be forwarded to the Board.�
Action 4, Deliverable 4.2	While Action 4.1 and 5.1 are being worked, Headquarters continues to provide funding to support operation of the Filter Test Facility at Oak Ridge.
Action 5, Deliverable 5.1	The Department has completed an evaluation of the management issues related to the testing of HEPA filters.� The recommendations developed through the evaluation did not receive the concurrence of all the Programs.� The recommendations are referred to the Chief Operating Officers (COO�s) for a decision on final content, December, 2000 and the results will be forwarded to the Board.
Action 6, Deliverable 6.1	The Department has completed this commitment.� In December 1999, the Assistant Secretary for Environment, Safety and Health convened a working group to identify options.� On January 12^th, the Department issued a letter to the Board describing actions to support the 26^th Nuclear Air Cleaning conference that is scheduled for September 2000.� The letter also described actions to develop an Internet web site for sharing of information and lessons learned within the air filter and ventilation technology community and coordinate future air cleaning conferences with existing conferences, such as the Department's Waste Management Conference.

Table 2: Summary of Implementation Plan Commitments and Deliverables/Milestones

Number	Commitment	Deliverable	Due Date	Responsibility
1	The Secretary will initiate Phase I assessments and issue guidance/criteria to ensure consistent results.	Assessment criteria/guidance	November 2000	Assistant Secretary for Environment, Safety and Health
2	Cognizant Secretarial Officers (CSOs) will identify and list safety-class systems, safety-significant systems, and other systems that perform important defense in depth functions in defense nuclear facilities at each of their facilities.� These lists will be used for other actions described within this implementation plan and forwarded to the FTCP for use in determining the system expertise needed at the Federal level.	CSO memos forwarding system lists to the Chair of the FTCP.	November 2000	Assistant Secretary, EM�� Deputy Administrator, DP
3	At the priority facilities listed in Appendix E, the Department will complete Phase I assessments of safety class, confinement ventilation, and fire protection systems.	Response to Phase I assessment guidance/criteria	February, 2001	Assistant Secretary, EM� Deputy Administrator, DP
4	At the follow-on facilities listed in Appendix E, the Department will complete Phase I assessments of safety class, confinement ventilation, and fire protection systems.	Response to Phase I assessment guidance/criteria	May 2001	Assistant Secretary, EM� Deputy Administrator, DP
5	At all facilities listed in Appendix E, the Department will complete Phase I assessments of the remaining vital safety systems.	Response to Phase I assessment guidance/criteria	June 2001	Assistant Secretary, EM� Deputy Administrator, DP
6	The Department will evaluate the results obtained from Phase I assessments conducted at Facilities of Interest and identify key facilities and/or systems that will receive Phase II assessments.	List of key facilities and systems that will receive a Phase II assessment and a schedule for their completion	July 2001	Assistant Secretary, EM� Deputy Administrator, DP Assistant Secretary, Environment, Safety and Health
7	The Department will assemble teams and begin Phase II assessments.	Letter announcing commencement of the first Phase II assessment	September 2001	Field Office Manager
8	Deficiencies observed during Phase I and Phase II assessments will be tracked and managed in local corrective action management systems.� Resources allocated to address findings resulting from confinement ventilation system and other assessments within this Implementation Plan will be identified on an annual basis	Summary of resources allocated within the FY 2003 budget request from congress	February 2002	Assistant Secretary, EH Assistant Secretary, EM Deputy Administrator, DP
9	The Department will develop assessment criteria and guidelines to ascertain the current condition of confinement ventilation systems within defense nuclear facilities.	Assessment criteria and guidelines.	March 2001	Assistant Secretary for Environment, Safety and Health
10	The expert team will test the effectiveness of confinement ventilation system assessment criteria and guidelines at two pilot facilities.	Briefing to the Board.	June 2001	Assistant Secretary for Environment, Safety and Health
11	Field element managers will assemble teams to assess the condition of confinement ventilation systems that are important to safety.� Corrective actions will be entered into local corrective action management systems, and as necessary, the Department's Corrective Action Tracking System.	LPSO letters reporting completion with an enclosed sample assessment report from a facility at each site.	September 2001	Assistant Secretary, EM Deputy Administrator, DP
12	The Department will complete an initial review of the ability of DOE sites to effectively prevent fires and respond effectively in the event that a fire occurs.� This review, in addition to the Phase I assessments, will provide the information to plan the comprehensive study described in Commitment 13.	Initial Review report	December 2000	Assistant Secretary for Environment, Safety and Health
13	The Department will develop a plan for conducting a comprehensive study that provides for an in-depth evaluation of the capability to respond to wildfires and emphasizes facility fire safety, including fire detection and suppression systems and facility-specific programs that support those systems.	Comprehensive study plan	April� 2001	Assistant Secretary for Environment, Safety and Health
14	While awaiting formal requirements to be established, the Secretary will provide interim direction that will have contractors initiate actions to designate system engineers for vital safety systems.	Secretarial Letter	November 2000	Assistant Secretary for Environment, Safety and Health
15	The Department will establish requirements for a system engineer concept to manage the configuration of systems designated as important to safety.	Draft DOE Order revision submitted into the Directives review process	March 2001	Assistant Secretary for Environment, Safety and Health
16	The Office of Environment, Safety and Health will monitor the field's response to the Secretary's interim guidance and evaluate implementation progress after one year.	Briefing to the Board	November 2001	Assistant Secretary for Environment, Safety and Health
17	As a supplement to the annual workforce analysis, the FTCP will identify system expertise needed at the Federal level and survey the availability and sufficiency of personnel required to ensure effective oversight of contractor safety systems	Letter to the Board forwarding analyses provided to the Chair of the Federal Technical Capability Panel.	March 2001	Chair, Federal Technical Capability Panel
18	A report will be compiled identifying the Department's needs for Federal technical personnel capable of reviewing safety systems and programs essential to systems operability and the means of addressing critical technical skills gap	Recommendations provided to the Deputy Secretary	April 2001	Chair, Federal Technical Capability Panel
19	Based on conclusions and recommendations made in Commitment 18, changes or additions will be made to the Technical Qualifications Program (TQP) standards and processes.	Revised Technical Qualifications Program standard or process for safety system expertise	June 2001	Chair, Federal Technical Capability Panel
20	Annually, LPSOs will review the results of ES&H assessments performed during the previous year and provide the Secretary with a summary report for each of their sites.	Summary reports from each LPSO reporting the results of assessments at each of their sites.	February 2001 February 2002	Assistant Secretary, EM�� Deputy Administrator, DP Office of Science
21	Annual LPSO reviews of ES&H assessments described in commitment 20 will be institutionalized within the Directives system.	Draft DOE Order or Policy revision submitted into the Directives review process.	July 2001	Assistant Secretary for Environment, Safety and Health
22	The Department will provide briefings to the Board approximately every four months.	Briefings	January 2001, approximately every four months thereafter	Assistant Secretary for Environment, Safety and Health
	HEPA filter report commitments Incorporated in Section 4.2.1:
23	DOE will develop a revision to the Nuclear Air Cleaning Handbook.	Letter to the Board announcing placement of the draft handbook into the Directives system for DOE-wide review.	December 2001	Deputy Administrator, DP
24	DOE will develop a revision to the Nuclear Air Cleaning Handbook.	Issuance of a revision of the Nuclear Air Cleaning Handbook	November 2002	Deputy Administrator, DP
25	DOE will develop a revision to the Nuclear Air Cleaning Handbook.	Issuance of a letter to field office managers describing the handbook changes and the need to screen authorization basis documents for possible unreviewed safety questions, including filter service life.� Corrective actions to be entered into CATS.	November 2002	Assistant Secretary, EM�� Deputy Administrator, DP
26	DOE-HDBK-3010-94 Airborne Release Fractions/Rates and Respirable Fractions for Nonreactor Nuclear Facilities will be revised to eliminate problematic guidance regarding HEPA filter performance.	Issuance of a letter to field office managers describing the handbook changes and the need to screen authorization basis documents for possible unreviewed safety questions, including filter service life.� Corrective actions to be entered into CATS.	November 2000	Assistant Secretary, EM�� Deputy Administrator, DP
27	Field Management Council review of consolidation of the QPL laboratory and FTF operation.	Letter to the Board describing decision and path forward for the QPL laboratory and FTF operation.	January 2001	Assistant Secretary, EM
28	Field Management Council review of consolidation of the QPL laboratory and FTF operation	Maintain operation and funding of the FTF at Oak Ridge, and maintain contact with the Army's Edgewood facility to remain appraised of plans for its continued operation until a revised strategy is established and implemented	January 2001	Assistant Secretary, EM
29	Field Management Council review of the benefit of testing 100% of HEPA filters, including options other than 100% testing.	Letter to the Board describing decision and path forward for testing of HEPA filters.	January 2001	Assistant Secretary, EM

APPENDIX D: DNFS Board Recommendation 2000-2

[DNFSB LETTERHEAD]

March 8, 2000

The Honorable Bill Richardson

Secretary of Energy

1000 Independence Avenue, SW

Washington, DC 20585-1000

Dear Secretary Richardson:

Designs of the Department of Energy�s (DOE�s) high hazard defense nuclear facilities typically include systems whose reliable operation is vital to the protection of the public, workers and the environment.� Operations are constrained by technical safety requirements and operational limits established by analyzing the hazards of the operations and the capability of design features to prevent or mitigate consequences of potential mishaps or operational disruptions caused by either manor natural phenomena.� The availability and operability of such systems and the conditions specifying operational limits are included in the written agreements established by DOE with its contractors as conditions for authorizing performance of work.

Ventilation systems installed in many defense nuclear facilities are among those that provide vital safety functions.� Such systems contribute much to the safe environment for workers and serve a vital confinement function should work process upsets and mishaps result in airborne releases of hazardous materials.

The Defense Nuclear Facilities Safety Board (Board) has advised DOE in various ways during the past several years of the need to increase attention to ventilation systems and of the steps we believe would lead to more certain performance of their important safety functions.� Although DOE has responded to some extent, the upgrade efforts to date have been less comprehensive and effective than the matter merits.

The Board further believes that DOE�s upgrades of ventilation systems could well serve as a model for implementing similar programs for other vital safety systems that maybe needed in defense nuclear facilities.

The Board believes this matter requires additional DOE attention.� More explicitly, the Board recommends for your consideration an action plan structured to address the elements set forth in the enclosed Recommendation 2000-2, Configuration Management, Vital Safety Systems.

The Board�s recommendation is directed explicitly at systems for ensuring nuclear safety.� This is in keeping with the Board�s enabling legislation.� However, the concepts advocated could be applied to good advantage to systems designed for safety management of hazardous material and processes of non-nuclear nature as well.� In the spirit of Integrated Safety Management (ISM) to which DOE is committed, DOE is encouraged to do so.

Recommendation 2000-2, Configuration Management, Vital Safety Systems, was unanimously approved by the Board, and is submitted to you pursuant to 42 U.S.C. � 2286a(a)(5), which requires the Board, after receipt by you, to promptly make this recommendation available to the public.� The Board believes the recommendation contains no information which is classified or otherwise restricted.� To the extent this recommendation does not include information restricted by the Department of Energy under the Atomic Energy Act of 1954, 42 U.S.C. �� 2161-68, as amended, please arrange to have this recommendation promptly placed on file in your regional public reading rooms.

The Board will publish this recommendation in the Federal Register.

Sincerely,

John T. Conway

Chairman

c:� Mr. Mark B. Whitaker Jr.

Enclosures: DNFSB/TECH-26

�� Recommendation 2000-2

DEFENSE NUCLEAR FACILITIES SAFETY BOARD

RECOMMENDATION 2000-2 TO THE SECRETARY OF ENERGY

pursuant to 42 U.S.C. � 2286a(a)(5)

Atomic Energy Act of 1954, as amended

Dated:� March 8, 2000

Background

The Defense Nuclear Facilities Safety Board (Board) continues a strong interest in safety systems and their effectiveness at defense nuclear facilities.� These systems are at the heart of safety at the facilities.� Department of Energy (DOE) Standards 3009 and 3016 provide guidance for the identification of safety systems and associated Technical Specifications as important elements of maintaining safety of facilities and operations.� In addition, the implementation guide to DOE Order 420.1, Facility Safety, provides guidance on design and procurement of safety systems to attain and sustain reliability in performance.

Most of the facilities of interest to the Board were constructed many years ago, and are undergoing the deterioration attached to aging.� It is important that their protective features be maintained serviceable and effective.� In the following, the Board recommends measures necessary to ensure reliable performance of the safety systems of both the older facilities and the ones that are relatively new, and in particular stresses the actions required to ensure viability of confinement ventilation systems.� Confinement ventilation systems are relied on almost everywhere by DOE as the principal system to protect the public and collocated workers at its more hazardous facilities.

Previous Issuances by the Board on Safety Systems

In May 1995, the Board issued DNFSB/TECH-5, Fundamentals for Understanding Standards-Based Safety Management of Department of Energy Defense Nuclear Facilities, which stressed the importance, among other things, of functions that preserve those structures, systems, and components that are relied upon to protect the public, workers, and the environment (e.g., configuration management, training, and maintenance).� In October 1995, the Board issued DNFSB/TECH-6, Safety Management and Conduct of Operations at the Department of Energy�s Defense Nuclear Facilities.� The report underscored the importance of conduct of operations as the body of practice, or operational formality, that implements the Safety Management System for a defense nuclear facility.� Operational formality includes �Supervision by highly competent personnel who are knowledgeable as to the results of the safety analysis and operating limits for the facility or activity.�� Key aspects of facility Safety Management Systems discussed in these two reports are central to the issues addressed herein.

In 1996, in response to Recommendation 95-2, Safety Management, DOE provided the Board a plan for upgrading safety management of its defense nuclear facilities.� DOE Orders 5480.22, Technical Safety Requirements, and 5480.23, Nuclear Safety Analysis Reports, established requirements for identifying design features important to safety and the conditions/controls to ensure safe operation.� DOE authorized its contractors to grade facilities by hazard category and to tailor the comprehensive safety assessments according to hazard potential and operational future.� This upgrade effort has reaffirmed the important safety role played by confinement ventilation systems.� (See enclosed Appendix B of DNFSB/TECH-26).� In general, these systems have been designated as important to safety, making them subject to more stringent quality assurance, maintenance, surveillance, and configuration management programs in recognition of their safety functions.� Commitments to such programs are typically made in the Authorization Agreements that capture the contractor-DOE agreed upon conditions for performing the work.

Issuances Concerning Confinement Ventilation Systems

Some of the Board�s analyses concerning safety systems focused on confinement ventilation systems in particular.� In March 1995, the Board issued DNFSB/TECH-3, Overview of Ventilation Systems at Selected DOE Plutonium Processing and Handling Facilities, which addressed the design of confinement ventilation systems.� In its June 15, 1995, letter forwarding that report, and in subsequent correspondence in July 1995, the Board requested that DOE evaluate the design, construction, operation, and maintenance of ventilation safety systems in terms of applicable DOE and industry standards.

In a letter dated October 30, 1997, the Board pointed out the problem of wetting high efficiency particulate air (HEPA) filters during tests of fire sprinkler systems, and the need for complex-wide guidance from DOE concerning the relationship between maintaining filter integrity and fire fighting strategies.� HEPA filters are key components of confinement ventilation systems.� In its June 8, 1999, letter concerning HEPA filters installed in confinement ventilation systems, the Board requested a report outlining the steps DOE plans to take to resolve those issues.� In recent weeks, individual Board members and the Board�s staff have met informally with DOE representatives to resolve differences concerning DOE�s proposed response to the Board�s request.

Current Status of Ventilation Systems

As a part of its continuing oversight of these vital safety systems, the Board�s staff has recently completed a review of the operational data on confinement ventilation systems as reported in DOE�s Operational Reporting and Processing System (ORPS).� The data reviewed covered the period July 1998 to December 1999.� An analysis of these data is documented in report DNFSB/TECH-26.� This review indicates that the reliability of these systems, for reasons not readily evident, may not be adequate, given the vital safety function they serve.

The operational data reveal deficiencies in areas of test and surveillance, quality assurance (replacement components), maintenance, configuration management, training and qualification, and conduct of operations.� One can reasonably deduce from such observations that there exists no single entity assigned responsibility for the configuration and operational state of these systems as a whole.

The Board recognizes that many confinement ventilation systems now require less air flow and permit more particulate loading than in original designs.� This allows for more extended useful life than might otherwise be tolerable, particularly with adequate preventive care.� However, the operational data suggest that less than optimum care is being given to these systems, considering their age.

Status of Safety Systems in General

Many of DOE�s nuclear facilities were constructed years ago and are approaching end-of-life status.� Under these circumstances, some degradation of reliability and operability of systems designed to ensure safety can reasonably be expected.� To some extent, the effects of aging can be offset by increased surveillance and maintenance.� A point occurs, however, where costs for upkeep justify major upgrades or replacement, particularly where mission needs are projected well into the future.� While a considerable number of high-hazard defense nuclear facilities have such long-term missions (greater than 10 years, for example), others undergoing phase-outs and decommissioning do not.� Some facilities must continue to rely on operational safety systems, such as ventilation systems, to serve a safety function even after their operational mission has ended and well into the decommissioning process.� Long-term or short-term, however, the performance required for safety must be ensured.

It has been a long-standing practice in the nuclear business to designate a �system engineer� for each major system vital to successful operation of hazardous processes.� Some DOE contractors have done so on occasions (e.g., the Defense Waste Processing Facility at the Savannah River Site), but this practice is not as prevalent as it should be.� The Board believes that having specific individuals outside the operational forum, tasked with the configuration management (design and operational constraints) of systems designated as important to safety, would go a long way to ensuring the dependable service such systems must provide.

Recommendation

Considerable upgrading of programs for ensuring reliable and effective performance of confinement ventilation systems has occurred during the years 1995-1999.� However, the frequency and variety of off-normal occurrences that continue to be reported clearly indicate that more attention to these vital systems is needed.� Likewise, other systems serving equally vital safety functions might well benefit from similar attention.� Towards such an end, the Board recommends that the Department of Energy:

[DNFSB LETTERHEAD]

September 8, 2000

The Honorable Bill Richardson

Secretary of Energy

1000 Independence Avenue, SW

Washington, DC 20585-1000

Dear Secretary Richardson:

The Defense Nuclear Facilities Safety Board (Board) acknowledges your August 21, 2000 letter of notification that the Department of Energy (DOE) requires an additional 45 days to transmit the implementation plan for our Recommendation 2000-2, Configuration Management, Vital Safety System.� The Board agrees that the draft plan developed to date can benefit from additional planning.

Section 315(e) of the Atomic Energy Act of 1954, as amended, provides that the Secretary �may implement any such recommendation (or part of any such recommendation) before, on, or after the date on which the Secretary transmits the implementation plan to the Board under this subsection.�� In this regard, the Board notes that some limited, preliminary actions have been taken by DOE to define pre-requisites for tasks still in planning stages, e.g., identification of industry practices/standards relative to development of a contractor system engineer program. The Board suggests that DOE move more aggressively forward with similar initiatives such as the selection of the team for the Ventilation Systems Assessment, the initiation of the development of generic Criteria Review and Approach Documents (CRADs) for vital safety systems, and a review by Field Managers of current Functions and Responsibility assignments of both the Federal and Contractor personnel relative to vital safety systems.� The Board urges DOE to take advantage of the authority granted under Section 315(e) to get more such preliminary actions underway.

Notwithstanding substantial Board staff discussions with DOE personnel responsible for drafting the plan, progress to date has been unduly slow.� These discussions indicate that the leadership of the plan�s development does not clearly understand the basic thrust of the Recommendation. The Board offers further amplification in the enclosed material.� Since your acceptance letter of April 28, 2000, did not reject any part of Recommendation 2000-2, the Board has assumed that the safety issue--Configuration Management of Vital Safety Systems--is to be fully assessed.

The basic thrust of the Board�s Recommendation--assessment of the operational readiness of vital safety systems--is direct and simple.� The operational readiness of vital safety systems, their continued surveillance, maintenance and configuration management are at the core of Integrated Safety Management (ISM).� Both the contractor and the Federal workforces must recognize the pivotal role that these systems play in ensuring safety.� The assessments to be done in response to Recommendation 2000-2 represent an important part of DOE�s continued implementation of ISM throughout the complex.� Full implementation of ISM cannot be considered accomplished until such vital safety systems are identified, responsibility is clearly established for their operational readiness, a satisfactory state of operational readiness is established, and a functional maintenance and configuration management system is put in place to ensure future readiness. Further elaboration of this core concept is described in the amplifying material enclosed.� Ideas are also presented therein for closely coupling this 2000-2 effort with the ISM verification efforts that have been underway for the past several years.� The Board sees no reason why the majority of the assessment effort required cannot be performed by resources, both contractor and Federal, that are already committed to ensuring safety.� The potential for finding that upgrades of infrastructure maybe required should not be cause for delaying assessments, nor should the accomplishment of verification goals set for September 2000 be cause for relaxation of continuing upgrade efforts.

It is the Board�s view that developing a completely acceptable plan in the additional forty five days is not likely unless a change in momentum takes place.� The Board has instructed its staff to continue its clarifying exchanges with the designated leadership of the implementation planning effort.� DOE is urged to move expeditiously to complete the planning effort and to begin full implementation as soon as possible.

Sincerely,

John T. Conway

Chairman

Enclosure

c:� Mark B. Whitaker Jr.

Recommendation 2000-2 Amplification

In performing its diverse missions, the Department of Energy (DOE) and its contractors use hazardous materials and processes.� In doing so, DOE is required to protect the public, the workers, and the environment.� DOE is fulfilling its environmental, safety and health responsibilities through its program of Integrated Safety Management (ISM) as defined by DOE Policy 450.4, Safety Management.� A core function of ISM, �Develop and Implement Hazard Controls,� results in the establishment of a set of safety controls.� Frequently these controls are in the form of systems and equipment designed and operated to protect the public, the worker, and the environment.� Periodic surveillance, maintenance, and configuration management of these systems and equipment are required to ensure their dependability and reliability, to determine whether deterioration is taking place, and to identify technical obsolescence that threatens performance, safety, or facility operation.� Full implementation of ISM cannot be considered accomplished until all such vital safety systems are identified, responsibility is clearly established for their operational readiness, a satisfactory state of operational readiness is established, and a functional maintenance and configuration management program is in place to ensure continued readiness.

DOE has developed the necessary standards and requirements to identify and implement both engineering and administrative controls to prevent accidental releases of hazardous materials or mitigate the consequences of such releases, should they occur.� For accidental events that potentially could cause harm offsite or cause worker deaths or serious injury, such controls and the hazardous processes with which they are associated are described in Safety Analysis Reports (SARs) or equivalent documents.� Limits on hazardous processes and the requisite availability of preventive and mitigative equipment are established as Technical Safety Requirements (TSRs). Such TSRs are made conditions for conducting the hazardous operations.� These are included in �Authorization Agreements,� a set of safety measures mutually agreed upon by DOE and the contractor for operating high hazard facilities.

In addition, other controls to provide workplace safety and protection of the environment are defined through various process hazard analyses, job hazards analyses, environmental impact assessments and environmental permitting processes.� These controls also become conditions for performing the hazardous tasks.� Figure 1 illustrates basic elements of an �Integrated Safety Control Set� and the basic documents in which they are commonly described.

Figure 1

Authorization Protocols

INTEGRATED SAFETY CONTROL SET*

Safety

Sector

Hazards Assessment

Hazards Controls

Authorization Protocol

Macro

Level

Public

Worker

Sector A

SAR and Graded Equivalents DOE Orders 5480.23

Process Hazards Analysis: 29 CFR 1910.119.� Risk Management Program: 40 CFR 68

Technical Safety

Requirements:

� Design (Engineered Controls)

� Work practices and administrative procedures

� Authorization Agreement - High/Moderate Hazards Facilities Category 1 and 2

� Authorizing Correspondence Moderate/Low Hazards Facilities Category 3 and 4

Micro

Level

Worker

Sector B

Job Hazards Analysis and Equivalents

DOE Order 440.1

IG 440.1-1

Work Control Conditions:

� Engineered Controls

� Work practice and administrative procedures

� Rad Work Permits

� Work Control Permits

� Operation Procedure

Environment

NEPA Documentation

Permit Support Documents

Discharge Control:

� Engineered features

� Limits on discharges

Discharge Permits

� air

� water

� solid wastes

This figure is taken from Board Report DNFSB/TECH-16

* Safeguards and Security not included

The Defense Nuclear Facilities Safety Board has emphasized that safety systems relied upon to protect the public, the workers, and the environment deserve special focus.� Their design, procurement, fabrication, installation, operation, maintenance, and configuration management are at the core of ISM.� Both contractors and the Federal workforce must recognize the pivotal role these systems play in ensuring safety and deploy their resources accordingly.

Much of the DOE nuclear complex was built years ago.� Both the Federal workforce and the contractors employed by the government for maintenance and operation have turned over many times during the operational life of the facilities.� Both process knowledge of many hazardous operations and the design basis of protective equipment and associated systems are often not current.� While substantial updating of authorization basis documents is being accomplished under pressures of the ISM program, assessments by both DOE�s internal safety management organizations and the Board�s external safety oversight staff show that DOE�s operating contractors are not always giving equipment designed to serve vital protective functions the attention their safety functions deserve.� Confinement ventilation systems and fire protection systems are good examples.� Recommendation 2000-2 seeks to have DOE systematically assess the readiness state of its vital safety systems and the effectiveness of their configuration management.

The acceptability of any plan offered by DOE in response to Recommendation 2000-2 will be based upon our evaluation of how well the objectives described above are likely to be satisfied. A set of tasks such as the following are visualized:

Task 1.	The identification of high hazard processes performed in all defense nuclear facilities, the vital safety systems/equipment providing protective functions, and the programs that support and preserve these systems (e.g., maintenance).
Task 2.	The targeting of Confinement Ventilation Systems in defense nuclear facilities for priority attention, using a special task force of subject matter experts to:� (a) develop evaluation guidelines to be used in evaluating them, and (b) assess the operational ability to meet design requirements of a selected number of them, including the assessment of programs needed to preserve the system such as surveillance, maintenance, and configuration management programs.
Task 3.	The systematic assessment of the state of all systems/equipment upon which the safety of the site and its hazardous facilities depend (public, worker, and environment) and the adequacy of the resources applied to do surveillance, maintenance, and configuration management. Evaluation guidelines used in the Confinement Ventilation Systems evaluation will be used or adapted as appropriate.� The assessments performed as required by DOE Policy 450.5, Line Environment Safety and Health Oversight will be reviewed to ensure that the assessments provide adequate assurance that the systems maintain their ability to protect the public, the workers, and the environment.
Task 4.	The assessment of functions, responsibilities, and authorities relative to the caretaking of vital safety systems and the adequacy of the resources (number and expertise) dedicated to ensuring their state of readiness. Establish contractor qualification requirements, and qualify system engineers, for hazardous processes and associated vital safety systems identified under Task 1.� This will enhance the DOE�s ability to ensure that engineering expertise is applied in all five functions of ISM. Define Federal workforce expertise necessary to support, review, and oversee the contractor�s system engineer program.� Establish qualification requirements for, and qualify federal personnel, who will be relied upon for system expertise.� This will enhance the DOE�s ability to apply engineering expertise in all five functions of ISM.
Task 5.	The development of an upgrade program, prioritized to ensure reliable operation of systems that prevent or mitigate higher risk.
Task 6.	The resolution of the key HEPA filter issues identified in the Board�s June 8, 1999 letter.

The Board remains open of course to any other alternative that would satisfy the objectives of the recommendation.� The plan needs to not only define the work to be done but also the responsibility for doing it.� The Board recognizes that the assignment of resources is the prerogative of DOE.� However, the Board offers the following observations for DOE consideration.� In keeping with one of the fundamental principles of Integrated Safety Management, the primary responsibility for maintaining vital safety systems in a reliable state of readiness rests with line management - more explicitly, those responsible for developing, reviewing, approving, and maintaining safety bases documentation, the safety controls and the related support programs.� These responsibilities now lie principally with the DOE Operations Offices and their contractors.� Hence, DOE Operations Office Managers and their contractors logically should be tasked to lead and perform the majority of the actions defined in the above tasks.� In the interests of maintaining continuity and consistency with the Phase II verification effort, it would be highly desirable for the Field Managers to use the same individuals that led the Phase II verification assessments for them.� Team membership, however, will require the selection of those expert in the vital safety systems being assessed.

While this recommendation is viewed as largely a field oriented effort, a continuing DOE-Headquarters line oversight of the effort is important to ensure appropriate consistency, accountability, and priority are maintained as these activities are conducted across programs and sites.� Further, there may well be subject matter experts in DOE-Headquarters that could well be brought to bear, for example, in the developing of uniform evaluation guidelines as was done for the ISM Verification Team Leaders Handbook.� The use of an assessment approach similar to that put in place for the Phase II ISM verification will make it clear that 2000-2 tasks are in reality an extension of the ISM verification efforts.

DOE has been seeking to embed Integrated Safety Management as a fundamental responsibility of those in the line responsible for performing hazardous work.� The Safety Management Integration Team (SMIT) was established as an ad-hoc group in response to Board Recommendation 95-2.� Recommendation 2000-2 offers DOE a vehicle for facilitating the transition of the post-September 2000 ISM leadership efforts back to the Lead Program Secretarial Offices (LPSOs) and the Administrator of the National Nuclear Security Agency (NNSA).� This could be accomplished by establishing for 2000-2 a steering group at headquarters, consisting of the Chief Operating Officers (COOs) of the Administrator of NNSA and the LPSOs, and the Principal Assistant Secretary for Environmental, Safety and Health (ES&H).� The headquarters steering group could, for example, be made responsible for selecting expert team leadership and for creating assessment team guidance and generic Criteria Review and Approach Documents (CRADs) for vital safety systems.� Such a steering group could monitor implementation plan progress, brief senior DOE management, and initiate course corrections as appropriate.

[16383] A graded approach is defined within DOE Rules and orders, and would consider factors such as:

� Remaining facility lifetime and the safety significance of remaining operations.� For example, it might not be practicable to designate a system engineer for a facility scheduled to be decommissioned or demolished in a couple of years.� On the other hand, hazards posed by planned operations and decommissioning activities should be reviewed to determine whether a specific safety system would continue to be relied upon following facility decommissioning.� A system engineer should be assigned to safety system(s) where operability is required following facility decommissioning.

� Systems that are important to safety in non-nuclear facilities.� For example, it would be prudent to designate a system engineer for a confinement ventilation system in a facility with significant non-nuclear hazards (e.g., chemical or industrial hazards).

� Multiple systems and facilities.� A system engineer can be assigned responsibility of multiple systems and/or facilities, depending upon the scope of system support needed and the individual engineer's experience and expertise.

� Multiple Systems.� Where several systems important to safety are connected to form a chemical or mechanical process, one system engineer could be designated for the entire process rather than designating a number of system engineers to cover each sub-system.

1.0�� BACKGROUND

2.0�� UNDERLYING CAUSES

3.0�� BASELINE ASSUMPTIONS

4.0�� SAFETY ISSUE RESOLUTION

4.1�� Safety System Operability

4.1.3 �� Fire Protection System Operability

4.2�� Safety System Expertise

4.3�� Safety System ES&H Assessments

5.0�� Organization and Management

Table 1:� Summary Status of Secretarial HEPA Filter Report Commitments

Table 2: Summary of Implementation Plan Commitments and Deliverables/Milestones

Assistant Secretary for Environment, Safety and Health

Assistant Secretary, EM��

Deputy Administrator, DP

Deputy Administrator, DP

Deputy Administrator, DP

Deputy Administrator, DP

Assistant Secretary, EM��

Deputy Administrator, DP

Assistant Secretary for Environment, Safety and Health

Assistant Secretary, EM��

Deputy Administrator, DP

Assistant Secretary, EM��

January 2001

DP PRIORITY FACILITIES

DP FOLLOW-ON FACILITIES

EM FOLLOW-ON FACILITIES

Lawrence Livermore National Laboratory

Executive Summary			i
1.	Background		1
2.	Underlying Causes		2
3.	Baseline Assumptions		2
4.	Safety Issue Resolution		2
	4.1	Safety System Operability	3
	4.2	Safety System Expertise	13
	4.3	Safety System ES&H Assessments	18
5.	Organization Management		20
	5.1	Change Control Reporting	20
	5.2	Reporting	20
LIST OF TABLES
Table 1.		Summary Status of Secretarial HEPA Filter Report Commitments	23
Table 2.		Summary of Implementation Plan Commitments and Deliverables/Milestones	25
APPENDICES
APPENDIX A:		Secretarial HEPA Filter Report
APPENDIX B:		List of Acronyms
APPENDIX C:		Glossary
APPENDIX D:		Defense Nuclear Facilities Safety Board Recommendation 2000-2
APPENDIX E:		Recommendation 2000-2 Defense Nuclear Facilities of Interest
APPENDIX F:		Secretary of Energy Memorandum:� Fire Safety Initiative
APPENDIX G:		Defense Nuclear Facilities Safety Board letter of September 8, 2000

1.0����������� BACKGROUND

2.0����������� UNDERLYING CAUSES

3.0����������� BASELINE ASSUMPTIONS

4.0����������� SAFETY ISSUE RESOLUTION

4.1������ Safety System Operability

4.1.3 �� Fire Protection System Operability

4.2������ Safety System Expertise

4.3������ Safety System ES&H Assessments

5.0����������� Organization and Management

Table 1:� Summary Status of Secretarial HEPA Filter Report Commitments

Table 2: Summary of Implementation Plan Commitments and Deliverables/Milestones

Assistant Secretary for Environment, Safety and Health

Assistant Secretary, EM���

Deputy Administrator, DP

Deputy Administrator, DP

Deputy Administrator, DP

Deputy Administrator, DP

Assistant Secretary, EM���

Deputy Administrator, DP

Assistant Secretary for Environment, Safety and Health

Assistant Secretary, EM���

Deputy Administrator, DP

Assistant Secretary, EM���

January 2001

DP PRIORITY FACILITIES

DP FOLLOW-ON FACILITIES

EM FOLLOW-ON FACILITIES

Lawrence Livermore National Laboratory

1.0�� BACKGROUND

2.0�� UNDERLYING CAUSES

3.0�� BASELINE ASSUMPTIONS

4.0�� SAFETY ISSUE RESOLUTION

4.1�� Safety System Operability

4.2�� Safety System Expertise

4.3�� Safety System ES&H Assessments

5.0�� Organization and Management

Assistant Secretary, EM��

Assistant Secretary, EM��

Assistant Secretary, EM��

Assistant Secretary, EM��