Presentation on theme: "DOE-STD-1189, Integration of Safety into the Design Process" (presentation transcript)

Slide 1: DOE-STD-1189-2008, Integration of Safety into the Design Process
Dr. Richard Englehart, Epsilon Systems Solutions
Pranab Guha, HS-21
John Rice, Epsilon Systems Solutions
Slide 2: Expectations
"I expect safety to be fully integrated into design early in the project. Specifically, by the start of the preliminary design, I expect a hazard analysis of alternatives to be complete and the safety requirements for the design to be established. I expect both project management and safety directives to lead projects on the right path so that safety issues are identified and addressed adequately early in the project design." (Deputy Secretary of Energy, December 5, 2005)
Notes:
- Set the stage: what brought us to this point? Reference the 12/7/05 DNFSB public meeting on integrating safety into design and the statements made by DOE officials.
- DNFSB: less prescriptive design requirements have led to confusion and misuse of safety analysis techniques. Reference was made to issues associated with active confinement ventilation systems.
- Timeline: the 1189 development team was established in February 2006, with about 25 persons to begin with and about 15 all the way through (EFCOG SAWG and EPWOG, Feds; DOE and EFCOG project management near the end).
- Team meetings: about 10 week-long meetings from March 2006 through March 2008.
- 1189 entered RevCom in March 2007 and was approved March 31, 2008.
Slide 3: Purpose
- DOE Standard 1189 has been developed to show how project management, engineering design, and safety analyses can interact to successfully implement the Deputy Secretary's expectations.
- This course provides the central ideas and themes of 1189 and conveys lessons learned from project implementation of the Standard.
- The STD-1189 process approach for integrating safety into design is an alternative to a prescriptive approach of requiring specific safety design features.
- The 1189 approach includes the philosophy of letting safety analyses define what safety functions are required for adequate protection of the public and workers.

Slide 4: Overview of Course
- Safety-in-Design Concepts
- Applicability
- Project Integration and Planning
- Design Process
- Hazard and Accident Analyses and Inputs to the Design Process
- Appendices A through C
- Facility Modifications
- Lessons Learned
- Q & A
- Case Study
Notes: The remaining appendices are covered as they pertain to the topics addressed in this slide:
D: Additional Functional Classification Considerations
E: Safety Design Strategy
F: Safety-in-Design Relationship with the Risk Management Plan
G: Hazards Analysis Table Development
H: Conceptual Safety Design Report
I: Preliminary and Final Design Stage Safety Documentation
J: Major Modification Determination Examples
Slide 5: Instructional Goal
Upon successful completion of this lesson, students will be able to demonstrate familiarity-level knowledge of the background, philosophy, and contents of DOE-STD-1189, Integration of Safety into the Design Process.
Notes: Emphasize familiarity level. More study of the Standard's features is necessary in order to successfully implement it.

Slide 6: Lesson Objectives (Slide 1 of 5)
- Explain why DOE-STD-1189 was developed.
- Identify the "drivers" that require the use of DOE-STD-1189 for integrating safety into design.
- Identify and explain the key concepts introduced by DOE-STD-1189.
- Identify and explain the guiding principles for integrating safety into design.
Notes: Participants should be able to discuss these items, for example, in a test.

Slide 7: Lesson Objectives (Slide 2 of 5)
- Explain the purpose of the DOE Integrated Project Team.
- Explain the purpose of the Contractor Integrated Project Team.
- Explain the purpose of the Safety Design Integration Team.
- Explain how the Safety Design Strategy is developed. Describe its scope, preparation, format, and approval process.

Slide 8: Lesson Objectives (Slide 3 of 5)
- Describe how the requirements and deliverables identified in DOE-STD-1189 relate to the Project Lifecycle as described in DOE Order 413.3A.
- Explain how the Critical Decision process can be tailored based on project type, risk, size, duration, complexity, and selected acquisition strategy.

Slide 9: Lesson Objectives (Slide 4 of 5)
- Identify and explain the key safety-related activities in each of the phases of a project.
- Discuss the purpose and content of the following documents:
  - Conceptual Safety Design Report
  - Conceptual Safety Validation Report
  - Preliminary Safety Design Report
  - Preliminary Documented Safety Analysis
  - DOE Safety Evaluation Report

Slide 10: Lesson Objectives (Slide 5 of 5)
- Identify common lessons learned from implementing DOE-STD-1189.
- State the purpose of the following appendices in DOE-STD-1189 and explain how each is used in the design process:
  - Appendix A, Safety System Design Criteria
  - Appendix B, Chemical Hazard Evaluation
  - Appendix C, Facility Worker Hazard Evaluation
- Describe the facility modification process using DOE-STD-1189.
Slide 11: STD-1189 Roadmap (Slide 1 of 6)
For all audiences:
- Preface, with the key concepts and guiding principles upon which the Standard was developed;
- Chapter 1, Introduction (background, applicability, "must" and "should");
- Chapter 2, Project Integration and Planning; and
- Chapter 3, Safety Considerations for the Design Process, which provides an overall perspective of the safety-in-design process through the Critical Decision stages.
Notes: See section 1.2 of the Standard. The roadmap was developed to direct specific audiences to the sections of the Standard most relevant to their interests.

Slide 12: STD-1189 Roadmap (Slide 2 of 6)
Project safety personnel and DOE safety reviewers:
- Chapter 4, Hazard and Accident Analyses
- Chapter 5, Nuclear Safety Design Criteria
- Chapter 6, Safety Reports
- Appendices A through D
- Appendix F, Safety-in-Design Relationship with the Risk Management Plan
- Appendix G, Hazards Analysis Table Development (guides this basic safety-in-design input)

Slide 13: STD-1189 Roadmap (Slide 3 of 6)
Project management, both federal and contractor:
- Chapter 7, Safety Program and Other Important Project Interfaces
- Appendix E, Safety Design Strategy
- Appendix F, Safety-in-Design Relationship with the Risk Management Plan

Slide 14: STD-1189 Roadmap (Slide 4 of 6)
Project design personnel:
- Chapter 5, Nuclear Safety Design Criteria
- Chapter 7, Safety Program and Other Important Project Interfaces
- Appendices A through D, which address safety design classifications for safety structures, systems, and components (safety SSCs)

Slide 15: STD-1189 Roadmap (Slide 5 of 6)
Safety document preparers and reviewers:
- Appendices H and I provide format and content guidance for the preparation of the Conceptual Safety Design Report (CSDR), Preliminary Safety Design Report (PSDR), and Preliminary Documented Safety Analysis (PDSA).

Slide 16: STD-1189 Roadmap (Slide 6 of 6)
Project teams for potential major modifications of existing facilities:
- Chapter 8, Additional Safety Integration Considerations for Projects
- Appendix J, Major Modification Determination Examples
Slide 17: Safety-in-Design Basic Precepts
- Appropriate and reasonably conservative safety structures, systems, and components are selected early in project designs.
- Project cost estimates include these structures, systems, and components.
- Project risks associated with safety structure, system, and component selections are specified for informed risk decision-making by the Project Approval Authorities.
Notes: A precept is a rule or principle imposing a particular standard of action or conduct. By following these precepts, it is intended that DOE projects develop a reputation for reliable and conservative project cost and schedule estimates, especially to give Congress confidence in funding them. Cost range at CD-1; project baseline (total project cost) at CD-2.

Slide 18: Development of STD-1189 (Slide 1 of 2)
- Designed to be guided by and consistent with the principles of ISM and the requirements and guidance of DOE O 413.3A.
- Correlates with the DOE O 413.3A Critical Decision stages and the safety design requirements of DOE O 420.1B and associated guidance documents.
Notes:
- Mission Need Statement Guide (DOE G): see section 3.c of the Guide for pre-conceptual-level engineering/technical analysis expectations.
- Integrated Project Teams Guide (DOE G): see section 2.4 of the Guide, IPT Roles and Responsibilities, and section 2.6, Membership and Structure (including contractor participation).
- Project Execution Plans Guide (DOE G): see section 2.3 of the Guide, Tailoring Strategy (relates to 1189 and the SDS), and the Guide's Risk Management section (relates to 1189 and Risk and Opportunities Assessments).
- Risk Management Guide (DOE G): the Guide describes the risk management process. The 1189 Risk and Opportunities Assessment is the safety-in-design input to the Risk Management Plan process.

Slide 19: Development of STD-1189 (Slide 2 of 2)
Specifically references 413.3A guidance on:
- Mission Need Statements
- Integrated Project Teams
- Project Execution Plans
- Risk Management Plans

Slide 20: Correlation to ISM Core Functions
- Define the work: Mission Need; alternatives definition.
- Analyze the hazards: conceptual design and follow-on stages, hazards analysis, and design basis accidents.
- Identify safety controls: follows from hazards analysis and safety classification.
- Perform the work: integrate safety in the design process.
- Feedback and improvement: iterative process between design and safety.
Reference: DOE P 450.4, Safety Management System Policy, and DOE G B, ISM Guide.
Slide 21: Summary of Key Safety-in-Design Concepts (Slide 1 of 4)
- Establishment and early involvement of Integrated Project Teams (IPTs) and their coordination: Federal and Contractor IPTs; Contractor Safety Design Integration Team (SDIT).
- Defining the overall strategy for the project, including how safety integration is to be accomplished, and obtaining DOE approval of the strategy: the Safety Design Strategy, derived from DOE safety expectations defined in the pre-conceptual phase, is formalized and approved during the conceptual design phase.

Slide 22: Summary of Key Safety-in-Design Concepts (Slide 2 of 4)
- Identifying CD-1 as the key point in a project when major safety systems and design parameters should be defined. Focus on safety implications with high potential cost: hazard category; building and major-component seismic design categories; building confinement strategy; fire protection and power supply system classification.
- Establishing objective criteria for the designation and design of safety structures, systems, and components: STD-1189 Appendices A, B, and C (seismic design basis; collocated worker SSC safety classifications; in-facility worker safety classifications).
Notes: Define "collocated worker".

Slide 23: Summary of Key Safety-in-Design Concepts (Slide 3 of 4)
- A conservative front-end approach to safety-in-design that is reflected in a "risk and opportunities" assessment: a conservative approach early on, based on assumptions and incomplete information, provides input to the project risk management plan (Risk and Opportunities Assessment) and information for cost estimates.
- Identifying key project interfaces (physical and programmatic) that affect design decisions. Project interfaces include, for example, site infrastructure, security, waste management, emergency preparedness, and the DNFSB.

Slide 24: Summary of Key Safety-in-Design Concepts (Slide 4 of 4)
Ongoing involvement of DOE in safety-in-design decisions:
- Safety Design Strategy (SDS)
- Conceptual and Preliminary Safety Design Reports (CSDR, PSDR)
- Preliminary Documented Safety Analysis (PDSA)
- Related DOE reviews and approvals

Slide 25: Guiding Principles (Slide 1 of 3)
Derived from DOE O 420.1B, DOE O 413.3A, and their associated Guides:
- Use of O 420.1B and clearly articulated strategies to satisfy requirements
- Control selection strategy order of preference
- Following the design codes and standards in O 420's associated Guides
- Use of risk and opportunities assessments
Notes: See pp. vii and viii of the Standard. Compliance with the Key Concepts and Guiding Principles is necessary in order to comply with the Standard.

Slide 26: Guiding Principles (Slide 2 of 3)
- Conservative early project safety decisions are input to cost and schedule.
- CD packages describe safety decisions.
- The project team includes appropriate expertise.
- Safety personnel are involved from the onset of project planning.

Slide 27: Guiding Principles (Slide 3 of 3)
- Important safety functions are addressed during conceptual design.
- The SDIT invokes the safety-in-design process.
- All stakeholder issues are identified early and addressed.
- Bases for safety-related decisions are documented.
Slide 28: Applicability
The Standard applies to the design and construction of:
- New DOE hazard category (HC) 1, 2, and 3 nuclear facilities
- Major modifications to DOE HC 1, 2, and 3 nuclear facilities (as defined by 10 CFR 830)
- Other modifications to DOE HC 1, 2, and 3 nuclear facilities managed under the requirements of DOE O 413.3A
Notes: O 413.3A covers projects with Total Project Cost greater than $20 million; the O 420.1B modification for STD-1189 will include projects under $20 million. The "other modifications" are modifications to HC 1, 2, and 3 nuclear facilities that are not "major modifications" under 10 CFR 830 but come under O 413.3A because of cost.

Slide 29: Safety and Design Integration: Project Integration and Planning
Notes: This series of slides covers the material in Chapter 2 of DOE-STD-1189.

Slide 30: Key Components of Project Integration and Planning
Safety, Design, Project Management, Interfaces, Safety-in-Design:
- Federal Integrated Project Team
- Contractor Integrated Project Team
- Safety Design Integration Team
- Safety Design Strategy
- Risk and Opportunities Assessments
- DOE and Contractor Roles and Responsibilities
Notes: Each of these bulleted items will be covered in the following set of slides.

Slide 31: Relationships of Major Project Entities
(Diagram) Acquisition Executive; DOE SBAA/SBRT; DOE Program; Federal Project Director; Federal IPT; Contractor Project Manager; Contractor IPT, comprising Engineering Design, Safety Analysis, and the SDIT.
Notes: The O 413.3A roles and responsibilities of the FPD, as further described in the DOE G IPT Guide, are extensive. See paragraph 6.g of the Order. OECM asserts that it is the responsibility of the FPD to get all of the items in Table 2 of the Order completed. The FPD makes use of the resources available to him. These primarily include the IPT, the CIPT, and the SDIT.
Preferably, the federal IPT is well staffed by feds, including some full-time committed personnel, especially in the project management and safety areas. Often the CIPT works in support of the federal IPT; however, it cannot be put in the position of reviewing and approving its own products. If feds are not available to perform IPT functions, the IPT may be supported by independent contractors.
It can be beneficial if the safety person on the IPT is also affiliated with the SBRT, not as the lead (potential conflicts) but optimally as an advisor to the lead. The benefit is that that person will have much background information on the project, which gives the SBRT a running start on its review responsibilities.
Slide 32: Federal Integrated Project Team (Slide 1 of 3)
- The FPD leads an IPT with the representation necessary for project success.
- The FPD and IPTs must aggressively lead the project (not passively monitor and review).
- The IPT is formally established at CD-1 (it really needs to be established at the beginning of conceptual design).
- Roles, responsibilities, and functions of the Federal IPT are provided in DOE G, Integrated Project Teams Guide for Use with DOE O 413.3A.
Notes: From section 2.4 of the Guide: the series of 413.3A guides assigns nearly 100 roles and responsibilities to IPTs. Some of the more significant are:
- Support the FPD in developing a PMP and RMP
- Ensure project interfaces are identified, defined, and managed to completion
- Plan and participate in project reviews
- Review and comment on, or recommend approval of, key project deliverables, including CD packages
Section 2.6 of Guide 18 includes the CIPT and SDIT as subgroups of the federal IPT.

Slide 33: Federal Integrated Project Team (Slide 2 of 3)
From DOE G: "The IPT is the primary tool for breaking down the walls that can exist between different organizations, different professions, and different levels within the different organizations' command structures. A successful IPT brings these diverse elements together to form a unit that willingly shares information, balances conflicting priorities and ideologies, and jointly plans and executes the project mission." (paragraph 2.2)
Notes: All IPT members and CIPT members, as well as any independent contractors supporting the IPT, need to understand these paragraphs. They are important enough that they should be read out loud when this slide is shown.

Slide 34: Federal Integrated Project Team (Slide 3 of 3)
From DOE G (continued): "The initial requirement imposed upon the IPT by DOE O 413.3A is to support the FPD by providing individual expertise to fill the voids in his or her knowledge base in the areas of planning and implementing the project..." (paragraph 2.4.1)

Slide 35: What is the Contractor Integrated Project Team?
- Standard 1189 encourages the formation of the Contractor IPT, with a makeup similar to the Federal IPT.
- Comprised of personnel who ensure integration of mission need, safety analysis, and design.
- Diversity of expertise is essential.
- Understanding of the project process is very helpful.
- Strong upper management support for IPT members.
- Consistency and longevity of team members are needed.
- The team is formed after approval of CD-0.

Slide 36: Typical Contractor IPT Representation
- Facility Owner/Operator
- Funding Organization
- Project Management
- Health, Safety, and Radiation Protection
- Nuclear Safety
- Engineering
- Waste Management
- Procurement
- Safeguards and Security (as needed)
- Quality Assurance
- Computing, Communications, and Networking
- DOE Representative

Slide 37: Contractor IPT Key Points (Slide 1 of 2)
- Parallel management functions to the Federal IPT, but from the contractor's perspective.
- The Safety Design Integration Team (SDIT) directly supports the CIPT and, through it, the Federal IPT.
Notes: While it is preferred that the federal IPT be well staffed and that a core team be assigned full time in support of the FPD, experience has shown that this is not always the case. In such cases, members of the CIPT can help. However, they should never be put in the position of reviewing and recommending approval of contractor products and documentation. NNSA is exploring the idea of providing funds for independent contractor support to the IPT when federal employees are not available to provide the needed support to the FPD.

Slide 38: Contractor IPT Key Points (Slide 2 of 2)
Lesson learned:
- The biggest challenge for the CIPT/SDIT is to assure active and effective communications between engineering design activities and safety analysis activities. This is especially true when they are not collocated.
- Failure to support the iterative interactions between safety analysis and design is equivalent to failure to implement the processes of STD-1189.
Slide 39: What is the Safety Design Integration Team (SDIT)?
(Diagram: the intersection of Operations, Safety, and Design)
- Provides working-level integration of safety into design for the project.
- Usually composed of a subset of the Contractor IPT plus other specialties as needed.
- Core team: Safety; Design; Operations (including maintenance).
- Additional composition depends on the hazards, safety, and security issues.
Notes: The following slides cover the objectives, functions, and the need for formality in establishing the SDIT. The core team should include the leads of the engineering disciplines involved in the design and the lead of the contractor safety team. Operations personnel (including maintenance) are especially important in assuring that the designs are practical from the human factors perspective, as well as for their experience in the technologies that may be involved in facility operations.
Regarding the interactions between engineering design and safety, especially when different contractors are involved, it would help if project personnel were to receive some training in the type of interactions needed during the design process. One of the lessons learned in project execution is that "safety analyses often lag the design process." It has also been stated that the needed iterations between design and safety depend on the professionals in these disciplines "knowing when they need to communicate." These lags are exacerbated when such awareness is lacking (training helps).

Slide 40: SDIT Objectives
- Ensure integration of safety in design by adherence to the key concepts and guiding principles of DOE-STD-1189.
- Document the bases for all safety-in-design decisions.
- Maintain consistency of, and configuration management between, safety and design work.
- Resolve initial uncertainties and assumptions for safety in design.
- Achieve consensus and approvals for the direction of safety-in-design progress.
Notes: Through accomplishing the SDIT objectives and functions (next slide), the SDIT implements the STD-1189 safety-in-design process. However, to fully implement STD-1189, project management must also make use of the information developed by the SDIT (e.g., Risk and Opportunities Assessments, Safety Design Strategy). See Guiding Principle 10.

Slide 41: SDIT Functions (Slide 1 of 2)
- Timely communications with, and support to, the CIPT and IPT
- Conduct the Risk and Opportunities Assessment (input to the RMP)
- Draft safety documents (CSDR, PSDR, PDSA)

Slide 42: SDIT Functions (Slide 2 of 2)
Ensure the iterative safety/engineering design process is effective and that the identified safety functions:
- Lead to selection of controls that are adequate to serve the safety functions and are consistent with operational needs
- Are classified appropriately
- Are accommodated in project cost and schedule estimates

Slide 43: SDIT Best Practices
The SDIT should have a charter that:
- Defines membership (core team and SMEs)
- Designates a lead
- Defines roles and responsibilities
- Specifies required training for members
The SDIT should use formal processes.
Notes: Ideally the SDIT lead would have background experience in both engineering design and safety analysis. The SDIT lead needs to be the driving force in assuring effective and frequent communications between the design and safety disciplines. An objective not stated on the previous slide is to minimize the time lag between the design and safety activities.
Slide 44: Safety Design Strategy (SDS) (Slide 1 of 3)
- "...must be developed for all projects subject to this Standard." (paragraph 2.3)
- Developed from the CD-0 definition of DOE expectations for execution of safety during design.
- Prepared by the SDIT; reviewed by the DOE Safety Basis Review Team (SBRT); approved by the Federal Project Director and the Safety Basis Approval Authority (SBAA).
Notes: See section 2.3 of the Standard.

Slide 45: Safety Design Strategy (SDS) (Slide 2 of 3)
- A living document, updated throughout the project stages as needed.
- Provides the mechanism by which all elements of the project and the approval authorities can agree on basic safety-in-design approaches.
- The single source for project safety policies, philosophies, major safety requirements, and safety goals, to maintain alignment of safety with the design basis as the project evolves.

Slide 46: Safety Design Strategy (Slide 3 of 3)
Addresses:
- Guiding philosophies or assumptions to be used to develop the design
- Safety-in-design and safety goal considerations for the project
- Approach to developing the overall safety design basis for the project
- Significant discipline interfaces affecting safety

Slide 47: SDS Updates
- Focus is on those major safety decisions that influence project cost (e.g., seismic design criteria, confinement ventilation, safety functional classification, and strategy).
- Provide a means by which all parties are kept informed of, and agree with, important changes due to safety-in-design evolution between Critical Decision points.

Slide 48: SDS Format (see Appendix E)
1. Purpose
2. Description of the Project
3. Safety Strategy
   3.1 Safety guidance and requirements
   3.2 Hazard identification
   3.3 Key safety decisions
4. Risks to Project Decisions
5. Safety analysis approach and plans
6. SDIT interfaces and integration
Notes: See Appendix E of the Standard. The SDS should be as detailed as needed to communicate the strategy for successfully integrating safety and design and for producing safety basis documentation that will be approved to allow entry either into the next Critical Decision or into operation.
Slide 49: Risk Assessment
- DOE O 413.3A CD-1 requirement: "Prepare a preliminary Project Execution Plan, including a Risk Management Plan (RMP) and Risk Assessment..." (Table 2)
- Risk management strategies must address all technical uncertainties (including schedule and cost implications), establishment of design margins, and increased technical oversight requirements.
- The SDIT is best prepared to identify the safety-in-design technical issues that need to be managed through a project's Risk Management Plan.

Slide 50: Risk and Opportunities Assessment (R&OA) (Slide 1 of 2)
The DOE-STD-1189 Risk and Opportunities Assessment:
- Is required by the Order and the Standard, and
- Provides the safety-related input to the project Risk Management Plan.
Its purpose is to recognize and manage the risks of proceeding at early stages of design on the basis of incomplete knowledge or assumptions regarding safety issues.

Slide 51: Risk and Opportunities Assessment (R&OA) (Slide 2 of 2)
- The SDIT prepares the R&OA and updates it throughout the project phases.
- Reviewed by the IPT and the DOE Safety Basis Review Team; approved by the Federal Project Director.
- Discussed in DOE-STD-1189 Appendix F.
Notes: A conservative safety design posture coupled with comprehensive risk and opportunities identification allows the project to define appropriate cost range estimates with a high degree of reliability. Opportunities relate to modifying early conservatisms as the design evolves and avoiding later costs. Project risks are assigned to personnel to manage; it is likely that risks identified by the SDIT will be assigned to SDIT personnel. Even risks that are transferred to other organizations need to be aggressively followed up on if their resolution is important to the success of the project.

Slide 52: Example Risk Areas (Slide 1 of 2)
Technical:
- Uncertain seismic requirements (seismic geotechnical investigation)
- SSC classifications (safety and seismic)
- Interfaces with site infrastructure and the boundaries of safety SSCs with it
- Undefined, incomplete, or unclear safety functions and requirements
- New or undecided technology
Notes: See Table F-1 (pp. F-3 to F-4) of STD-1189 for a more extensive list. Does it make a difference in how the FPD manages an issue if it is classified as a risk or as an opportunity? Yes: project managers are more aggressive in pursuing opportunities.

Slide 53: Example Risk Areas (Slide 2 of 2)
Programmatic level:
- Interfaces with other facilities (inputs and outputs)
- Coordination between design and safety organizations (if different)
- Implications of less than optimum dedicated IPT support for the FPD, including the ability to actively manage risks (programmatic risks included)
Slide 54: Roles and Responsibilities (Slide 1 of 2)
Product/document: who prepares, reviews, and approves it, and its interface with other documents/products.
- SDS: prepared by the SDIT; reviewed by the IPT and SBRT; approved by the FPD and SBAA. Interface: DOE expectations in the Mission Need Statement.
- R&OA: prepared by the SDIT; reviewed by the IPT and SBRT; approved by the FPD. Interface: input to the RMP.
- CSDR: prepared by the SDIT; DOE review and approval via the CSVR. Interface: CDR.
- CSVR: prepared by the SBRT; reviewed by the IPT; approved by the SBAA with FPD concurrence. Interface: CSDR and CDR.
- PSDR: prepared by the SDIT; DOE review and approval via the PSVR. Interface: preliminary design.
Notes: This chart and the next one are abbreviated versions of Table 2-1 of STD-1189 (pp. 12-13). These tables are also consistent with Table 2 of O 413.3A (Critical Decision Requirements). Note that the Order's table does not identify the FPD as the approval authority for project documents. The FPD is responsible for having all project documents prepared, so their issuance implies FPD approval.

Slide 55: Roles and Responsibilities (Slide 2 of 2)
- PSVR: prepared by the SBRT; reviewed by the IPT; approved by the SBAA with FPD concurrence. Interface: PSDR.
- PDSA: prepared by the SDIT; reviewed by the IPT and SBRT; approved via the SER. Interface: final design.
- SER: the DOE Safety Evaluation Report on the PDSA (remaining entries as in Table 2-1 of STD-1189).
- DSA and TSR: prepared by the SDIT and the Operations Team; approved by the SBAA.
Notes: The TSR is based on the DSA.
Slide 56: What Parts of the Standard are Mandatory? (Slide 1 of 2)
Originating with STD-1189:
- Safety Design Strategy
- Risk and Opportunities Assessment
- CSDR and PSDR (and DOE reviews)
- Appendix A seismic design basis and collocated worker safety-significant SSC criteria
- Major Modification Determination (documented in the SDS)
- Key Concepts and Guiding Principles (for full implementation of STD-1189)
Notes: Ref. section 1.4 of the Standard ("must" and "should"). The word "should" is used for provisions of the Standard that are not required but are recommended so that the Standard can be effectively implemented. Where an activity is required by a DOE directive but is not directly involved with integration of safety with design, it is assumed to be carried out by the project (indicated by "is" or "are" rather than "must"). "Musts" are also associated with key concepts and guiding principles that are necessary for effective integration of safety with design; failure to apply one or more of these musts implies failure to fully implement the Standard. Requirements specific to this Standard are defined only for objectively measurable parameters or conditions. Specific elements of the Standard can be tailored to fit a specific project through the SDS.

Slide 57: What Parts of the Standard are Mandatory? (Slide 2 of 2)
Derivative:
- 10 CFR 830: PDSA; design criteria of O 420.1B
- DOE O 413.3A Chg. 1: requires implementation of STD-1189
- DOE O 420.1B: nuclear safety, fire safety, criticality, NPH (natural phenomena hazards)
Slide 58: Safety and Design Integration: DOE-STD-1189-2008 Design Process by Project Phase
Notes: The material in this section is based on Chapter 3 of STD-1189.

Slide 59: Project Lifecycle
(Diagram) Pre-Project Planning / Pre-Conceptual -> CD-0 -> Conceptual -> CD-1 -> Preliminary Design -> CD-2 -> Final Design -> CD-3 -> Construction -> Turnover/Acceptance -> CD-4 -> Operations
Notes: Compare to the LANL paradigm of 30, 60, 90 percent design (LANL ref.: LANL Engineering Standards Manual PD342). It has also been characterized in the following ways:
- 30%: completion of hazards analyses (or 30% of drawings)
- 60%: completion of accident analyses (or 60% of drawings)
- 90%: completion of the PDSA (or 90% of drawings)
With the advent of STD-1189 and its emphasis on conceptual and preliminary design activities, this paradigm is OBE (overtaken by events): hazard and accident analysis run all the way through, with the level of detail increasing as the design evolves.
Note: Title I is preliminary design; Title II is detailed design; Title III is engineering and construction services after CD-3.

Slide 60: Pre-Conceptual Phase
- The objective is to identify and assess a program gap and then to propose a project to close the mission-related performance gap.
- Analysis focus: special safety requirements; new facility or modification; available technology; process material inputs and outputs; upper-level facility functions.
- Results in the development of the Mission Need, which becomes a baseline document in the project if CD-0 is granted.

Slide 61: Safety-Related Activities in the Pre-Conceptual Phase (Slide 1 of 2)
- Assign a project safety lead (establishes continuity)
- Initial assessment of project safety issues
- Identify top-level hazards (including process inputs and outputs)
- Determine preliminary hazard categorization
- Identify unique constraints affecting the project safety approach
- Develop DOE expectations for safety activities

Slide 62: Develop DOE Expectations for Execution of Safety Activities (Slide 1 of 2)
Examples:
- Anticipated safety issues/hazards and goal (if any) for hazard category (can affect process capacity through MAR limits; can affect issues regarding criticality hazards; could affect siting)
- Potential need for improvements in site infrastructure to support facility safety systems (an interface issue that might expand the scope of the project)

Slide 63: Develop DOE Expectations for Execution of Safety Activities (Slide 2 of 2)
- Potential need for geotechnical studies
- Expectations regarding confinement strategy
- Project tailoring (e.g., PDSA only for a major modification)
- Anticipated need for exceptions to O 420.1B and its associated guides

Slide 64: Pre-Conceptual Phase (process figure)
Notes: It is important not to think of each box in these charts as an individual step completed along a path to completion. The iterative and interactive nature of the process within 1189 is illustrated by the grouped items and the use of double-headed arrows. Note the numbers in some boxes in this and the following similar figures: they correspond to the section numbers of the Standard where the activities in that box are described further.

Slide 65: Identify Important Project Interfaces
- Criticality
- Quality Assurance
- Fire Protection
- Emergency Management
- Human Factors
- Site Infrastructure
- Worker Safety and Health (10 CFR 851)
- Radiological Protection
- Hazardous Waste Management
- Safeguards and Security
- Transportation
- Environmental Protection
- Coordination with the DOE SBRT
Slide 66: Conceptual Design Phase
- The goal for safety-in-design in this phase is to evaluate alternative design concepts, prepare the SDS, and provide a conservative design basis for the preferred concept.
- Perform sufficient analysis to make informed safety decisions for this phase.
- Document risks and opportunities for selections, including cost and schedule range impacts.
- Begin considering quality requirements; the Quality Assurance Program (QAP) is established.
(This phase is the best opportunity for safety analysis to cost-effectively influence design.)

Slide 67: Conceptual Design Phase (process figure)
Notes: Some of the boxes on these figures have numbers at the bottom; these refer to STD-1189 section numbers. Talk through this diagram in detail. The similar diagrams at Preliminary Design and Final Design are primarily updates of the activities described here.

Slide 68: Key Safety-Related Activities (Slide 1 of 3)
- Form Integrated Project Teams (both DOE and contractor) and the SDIT
- Develop a preliminary Security Vulnerability Assessment
- Develop a preliminary Fire Hazards Analysis
- Develop the Safety Design Strategy
- Establish configuration management

Slide 69: Key Safety-Related Activities (Slide 2 of 3)
- Evaluate alternatives and provide recommendations
- Assess risks and opportunities as input to the Risk Management Plan
- Develop a preliminary hazard analysis (PHA) for the recommended alternative
- Define safety functions
- Identify high-cost safety systems
- Initiate hazard analysis data capture (Appendix G)

Slide 70: Key Safety-Related Activities (Slide 3 of 3)
- Identify facility-level design basis accidents (DBAs): bounding consequences; safety and seismic classification
- Commit to nuclear safety design requirements (DOE O 420.1B) and place them under design control
- Develop the Conceptual Safety Design Report (CSDR)
- Maintain focus on project interfaces (see Chapter 7 of STD-1189)
Notes: The safety design requirements of O 420.1B and the standards invoked in its associated guides (or alternatives to them) need to be put under design control. Expect to demonstrate implementation; see STD-1189 Appendix I (format and content of the PSDR/PDSA), Appendix B of that 1189 appendix.

Slide 71: Conceptual Safety Design Report (CSDR) (Slide 1 of 2)
- Document and establish a preliminary inventory of hazardous materials
- Establish a preliminary hazard categorization
- Identify and analyze facility-level DBAs
- Assess the need for facility-level hazard controls (safety SSCs)
Notes: This listing is on p. 28 of O 413.3A for a CSDR. These items are also consistent with Appendix H of STD-1189 (format and content of a CSDR). See also the STD-1189 definition of the CSDR (p. xviii).

Slide 72: Conceptual Safety Design Report (Slide 2 of 2)
- Preliminary assessment of appropriate seismic design bases (facility structure and SSCs)
- Evaluate security hazards that can impact the safety design basis
- Commitment to nuclear safety design criteria
- Format and content of the CSDR are given in Appendix H
73Conceptual Safety Validation Report (CSVR) CSVR prepared to confirm an appropriately conservative basis to proceed to preliminary design, based on:preliminary hazard categorization of the facilitypreliminary identification of facility DBAsassessment of the need for SC and SS facility-level hazard controlspreliminary assessment of the appropriate seismic design basesposition(s) taken with respect to compliance with the safety design criteria of DOE O 420.1BSee STD-1104 section 5See also STD-1189 Appendix H, section H.1.
74Preliminary Design Phase The activities described here build on similar activities during the conceptual design stage and evolve the design to the point of final design (final design being the dotting of the i's and crossing of the t's).The activities in the engineering and the safety design rows that are enclosed with dotted lines are highly interactive and iterative. They will be described in more detail in the next section of the course (Safety and Design Interactions).
75Preliminary Design Phase Advance conceptual design toward final designEvolve the Hazard Analysis (HA) to include process level HADevelop design-specific solutions based on safety design requirementsPrepare for final designComplete NEPA documentation by end of design phaseThis is where the bulk of creative development design engineering is done. This assessment/opinion is based on O 413.3A understanding that final design activities focus on preparation of final drawings and specifications (based on the preliminary design) to support procurement.However the final design stage may well cost more than preliminary design just by virtue of the man-hours involved.
76Safety Activities in Preliminary Design (Slide 1 of 2) Update Security Vulnerability AssessmentUpdate hazard analysis (HA) to address process level hazards based on the selected designEvaluate and apply DOE O 420.1B and associated guidesEvolve system-level DBAs with appropriate added specificity based on selected designDecisions reversed after this stage, for whatever reason, can have significant impact on project costs and schedule.Because this is the most intense design stage, it also is where disconnects between design and safety iterations are a great threat.How can these disconnects be avoided?
77Safety Activities in Preliminary Design (Slide 2 of 2) Update Risk and Opportunity AssessmentUpdate SDS reflecting design and safety evolutionDevelop the Preliminary Safety Design Report (PSDR)
78Preliminary Safety Design Report (PSDR) Developed to demonstrate safety adequacy of the preliminary design effortLimited to the extent that design information is also limitedFormat and content guide in DOE STD Appendix IDOE prepares Preliminary Safety Validation Report (PSVR) to approve PSDR, similar to (CSVR) in purpose and scopeNote that the PSDR format is modeled after STD-3009 (although the content is more demanding). The intent is that the PSDR evolves through the PDSA to a DSA for operations in an orderly fashion.
79Safety Activities in Final Design Update and finalize preliminary safety in design analyses, information and documentationUpdate Risk and Opportunity Assessment (as needed)Update SDS reflecting design and safety evolution (as needed)Develop Preliminary Documented Safety AnalysisDOE prepares a Safety Evaluation Report
80Final Design Phase [Figure: Final Design Phase flow chart (Pre-CD3, Final Design; project management, engineering design and safety design rows). Boxes include: Initiate Final Design; Update Security Vulnerability Analysis; Update Risk Management Plan; Baseline Management Package; Validate Design vs. Desired Control Functions & Criteria (4); Develop Design Output Documents; Design Reviews (Fed and/or Contractor as appropriate); Update Hazards / Mitigated Accident; Update Safety SSC Functions and Classification; PDSA; Safety Evaluation Report; DOE Authorizes Procurement, Construction, & Final Implementation; Update Safety in Design Risk/Opportunities Assessment; Execution Readiness Independent Review; Updated SDS needed; Update Project Risk Considerations; Transition/Closeout (7).]O 413.3A understanding is that final design activities focus on preparation of final drawings and specifications to support procurement.If this paradigm is met, then the engineering and safety activities (see boxes enclosed by dotted lines) are primarily confirmatory in nature and also include preparation of key design documents such as SDDs.To the extent this is not true (engineering design activities are still evolving the design), the interactions in the dotted-line-enclosed boxes include the types of interactions described for preliminary design.As with preliminary design, other activities are primarily updates of activities begun at conceptual design, to the extent needed.
81Final Design Phase Finalizes HA and DBAs (mitigated analysis) Evolves the preliminary design to the point whereSpecifications are developedSecurity Vulnerability Assessment is finalizedProcurement and construction can be accomplishedTest, inspection, and commissioning requirements are developed and detailedSystem Design Descriptions (SDD) and Facility Design Description (FDD) are completed
82Preliminary Documented Safety Analysis (PDSA) Evolves from the PSDRCompletes the analysis of the designFormat and content covered in Appendix IBased on DOE-STD-3009 formatMinimizes need to rewrite for DSAProvides the basis for design adequacy with respect to safetyChange control of PDSA is established
83Construction, Transition, and Closeout Phase Design Related Issues Field ChangesGovernment Furnished Equipment (GFE) and other equipment not part of primary designRevisions to PDSAChanges to comply with readiness review issuesInput to Documented Safety Analysis (DSA) and Technical Safety Requirements (TSR)It is important to not wait until now to get operations involved. They should be an active part of the design team from the beginning. This will make TSR development and implementation easier.
84Criteria for Determining PDSA Revision (Slide 1 of 2) The change:alters a safety function for a safety SSC identified in the current PDSAresults in a change in the functional classification, reliability, or rigor of the design standard for an SSC previously specified in the PDSA configuration baselineSee section 6.4 of the Standard.
85Criteria for Determining PDSA Revision (Slide 2 of 2) requires implementation of new or changed safety SSC or proposed TSR controlssignificantly alters the process design or its bases, such as increased material at risk, changes to seismic spectra, major changes to process control software logic, new tanks, new piping, new pumps, or different process chemistry
86Safety and Design Interactions Hazard and Accident Analyses and Inputs to the Design Process
87Hazard and Accident Analysis: Initial Information Needed (Slide 1 of 2) Facility site/locationGeneral arrangement drawingsMAR estimates or assumptions and material flow balancesSizing of major process system containers, tanks, piping
88Hazard and Accident Analysis: Initial Information Needed (Slide 2 of 2) Process block flow diagrams for:VentilationElectrical powerSpecial mechanical handling equipment (e.g., gloveboxes)Instrumentation and control (I&C) system architectureSummary process design description and sequenceConfinement strategy
89Hazard and Accident Analysis (Slide 1 of 2) At conceptual design stage (facility level analyses)Building structureBuilding and process confinementPower systems, including Safety Class single failure criteriaFire protection provisionsSpecial mechanical equipment (e.g., gloveboxes)Initial focus on high-cost safety functions and design requirementsThe items listed are intended to be assessed through facility level DBAs. For example, the seismic design category of the building structure should be a product of the analyses. The approach to building and process confinement can be informed by the analyses. If SC functions are needed, that could affect the need for SC power supply and the application of the single failure criterion, etc.
90Hazard and Accident Analysis (Slide 2 of 2) At preliminary and final design stagesUpdate and refine conceptual design analysesExtend to process and activity level and safety functions and SSCs
91Hazard and Accident Analysis: Accident Types to Consider FiresExplosionsLoss of confinement/containmentProcess upsets (starting in preliminary design)Natural Phenomena HazardsDesign basis accidents (for the accident types)Beyond design basis accidents (starting in preliminary design)
92Hazard and Accident Analysis: Outputs to Engineering Design For Structures, Systems, and Components (SSCs), based on DOE O 420.1B safety design requirementsPerformance Categories (wind, flood, etc.)Seismic Design BasisSafety Class functionsSafety Significant functionsDefense in depth /Important to Safety (ITS) safety functionsDesign codes and standards from Guides associated with DOE O 420.1B
93Hazard Analysis and Design Basis Accidents (DBAs) at Conceptual Design Simple DBAs are postulated based on facility level upsets involving limiting quantities of MAR and facility layoutUnmitigated consequences are assessed to help establish both needed safety function and safety classification of that functionThese accidents are analyzed for both collocated workers and public impact; they are to help define safety functional and design requirementsDBAs are refined and expanded upon in later stages of projectAt conceptual design stage, it is expected that at least a facility layout and locations and quantities of MAR would be available to support DBAs.These DBAs would assume accidents involving the MAR occur and the accident consequence levels (public and collocated worker) are used to classify preventative and mitigative SSCs as SC or SS. They would also be used for seismic design basis categorizations.
94Hazard Analysis (HA) at the Process Level HA and design iterationHA activities support identification of safety functions and selection of DBAsIncludes consideration of in-facility workersDBAs and safety functions support design selection and associated design criteriaDesign selection / criteria support development of a refined HA for the PSDRSeveral iterations may be necessary as preliminary design progressesHazard Analysis table updated as necessary
95Design Basis Accidents in Preliminary Design The Design Basis Accidents (DBAs):Refined from Conceptual Design based on system designProvide input for new or revised design criteriaEstablish system-level safety classificationDBAs are selected based on safety function and magnitude of hazardConsider public and collocated worker consequences
96Safety Interface with Design (Slide 1 of 2) Assist designers in understanding and addressingSafety requirements from hazards and accident analysesSafety implications associated with design alternatives and trade studiesSafety interpretation of DOE O 420.1B and DOE G requirements and recommendations
97Safety Interface with Design (Slide 2 of 2) Safety input into System Design Descriptions (SDD)System boundariesSafety functions and requirementsSupporting analyses (safety SSCs can provide safety function when called upon)Project design reviewsInclude safety design basis information and information included in design products (e.g., SDDs)
98When to Communicate Between Design and Safety
Factor | Engineering Design | Safety
Potential Accident Scenarios | Changes in facility or process layout; barriers to accident propagation established, changed, or removed (e.g., fire barriers, separation of hazardous materials); introduction of new sources of energy or hazard (e.g., chemical, mechanical, kinetic, potential, flammable, explosive) | Effect of any design factor where the change: introduces a new accident scenario; alters a safety function for an SSC; results in a change in safety functional classification, reliability, or design standards; requires a new safety SSC or implies a new TSR control; significantly alters process design or its basis (this column applies to every factor in the table)
Material at Risk (MAR) | Tank size; process details (e.g., inventory in gloveboxes); total facility inventory, including all hazardous materials | (as above)
Damage Ratio (DR) | Facility and/or process layout, including fire barriers | (as above)
Airborne Release Fraction (ARF) | MAR material type and form (gaseous, powder, solid) | (as above)
Leakpath Factor (LPF) | Physical barriers to release of hazardous materials; building seismic design basis (SDB: Seismic Design Category/Limit State (SDC/LS)) | (as above)
Chi over Q (X/Q) | Location change; definition of site boundary | (as above)
The safety in design process includes significant iterations between the design and safety disciplines.It has been said that, absent a defined process, these iterations require both disciplines knowing when they need to interact.This slide is based on two factors. One is that a change either introduces a new accident scenario or implies a change in the five-factor formula for accident consequences. Those factors are in the first column. Examples of the types of design changes that might result in changes in these items are listed in the second column.The second factor is the impact of the design changes on factors that might change safety classifications or categorizations, which in turn can change the design requirements (codes and standards; single failure criteria; power supply, etc.).
These impacts are shown in the third column and are common to each of the factors in the first column. See STD-1189 section 6.4, where these items are listed as those requiring DOE approval if made after an approved PDSA.The design team and the safety analyst need to be sensitive to accident analysis processes broadly and to the things that can impact them to ensure alignment. Stress the importance of alignment before CD package release. Each group is accountable to communicate to ensure alignment. Basically anything that can drive changes across the columns needs to be communicated between the safety and design teams in real time (by whoever generates the potential non-alignment) to ensure alignment. This slide gives good examples of some things that can cause misalignments.
99Quality Assurance Program Activities for Design Process Establish formal work processes (document control, verification processes, configuration management)Training on standards, requirements, work processesPeriodic assessments of documentationIndependent design verifications, validations, assessmentsControlling documents and drawings and changes to them to approved processesIdentifying and controlling design interfacesO 413.3A requires that a QAP is developed and is applied to the project from its inception (during the Conceptual Design Phase).The bullets in this slide are selected from STD-1189 Chapter 7, section 7.1 as being QA activities essential for management of change in the design activities.Configuration management/management of change is essential in keeping track of the flowdown of functional requirements to design documentation and keeping this information consistent with safety documentation. Software tools are available to support this.The safety design requirements of O 413.3A and the standards invoked in the associated guides (or alternatives to them) need to be put under design control. Expect to demonstrate implementation. See STD-1189 Appendix I (format and content of PSDR/PDSA) Appendix B of that 1189 appendix.
100Safety and Design Integration DOE-STD-1189-2008 Appendix A – Safety System Design CriteriaAt one of the first 1189 writing team meetings members from contractor organizations said that one of the most valuable things to do in saving time and money for projects would be to set definitive and objective criteria for seismic design requirements and for Safety Significant SSC designation.This Appendix does that related to radiological hazards.
101Purpose of Appendix AProvides objective criteria requirements for specification of the seismic design basis and for safety classifications of safety SSCsSeismic design basis includes specification of seismic design category (SDC) and limit state (LS) for a safety SSC based on radiological hazardsAdds collocated worker Safety Significant radiological classification criterion along with Safety Class criterion for the publicObjective criteria in Appendix A replace subjective criteria (e.g., significant exposure) previously associated with Safety Significant classification and NPH seismic criteria.Subjective criteria often generated conflicts between designers and reviewers (eye of the beholder problem).
102Seismic Design BasisApplies recently published national standards for seismic design of non-reactor nuclear facilitiesANSI/ANS , Categorization of Nuclear Facility Structures, Systems and Components for Seismic Design; andASCE/SEI 43-05, Seismic Design Criteria for Structures, Systems, and Components in Nuclear Facilities.
103Seismic Design Standards ANSI/ANS 2.26 provides seismic design bases (SDC and LS) for safety SSCs based on unmitigated radiological dose (as modified by DOE) to collocated workers and to the public and on the safety function of the safety SSC.ASCE/SEI provides the design criteria to use with the seismic design basis (SDB)DOE modification for implementation of ANS 2.26 is related to:use of conservative instead of mean values for unmitigated accident analyseslimited to radioactive releases vs. rad and chemical for ANS 2.26rad dose criteria for SDCs differ from Appendix A of ANS 2.26 (a non mandatory part of the Standard)worker is defined as the collocated worker at 100 m (ANS 2.26 does not differentiate between facility and collocated worker)ASCE uses input from ANS 2.26 (SDC and LS) to provide requirements for determining design basis seismic loading (from ANS 2.27 and 2.29) and prescribes design criteria that are tied to Limit States.
104Seismic Design Criteria Unmitigated Consequence of SSC Failure from a Seismic Event
Category | Collocated Worker* | Public*
SDC-1 | Dose < 5 rem | Not applicable – defaults to SDC-1
SDC-2 | 5 rem < dose < 100 rem | 5 rem < dose < 25 rem
SDC-3 | 100 rem < dose | 25 rem < dose**
These criteria (and other criteria in this Appendix and in Appendices B and C) are not “health based.” That is, they do not represent acceptable levels of accident consequences.These criteria are for safety classification purposes only. The safety classifications lead to design requirements and codes and standards to be applied in design.* Using the safety classification methodology for public and collocated workers** If the public dose for SDC-3 is exceeded significantly for any project (between one and two orders of magnitude), then the possibility that SDC-4 should be invoked must be considered on a case-by-case basis.
105Limit States (examples From ANS 2.26)
SSC Type | Limit State A | Limit State B | Limit State C | Limit State D
Building structural components | Substantial loss of SSC stiffness; some margin against collapse | Some loss of SSC stiffness; substantial margin against collapse | SSC retains nearly full stiffness and strength; passive components will perform normal and safety functions | SSC damage is negligible
Structures or vessels for containing hazardous material | Low hazardous material; vessel not likely to be repairable | Moderate hazardous liquids; cleanup and repair expeditious | Low pressure vessels with worker hazard if contents released; damage minor | Leak tightness must be assured; moderate to high hazard gases/liquids
Stiffness is defined as resistance of an elastic body to deformation by an applied force.K = force/displacementIt is an extensive (vs. intensive) property of a solid body.Note that the elastic modulus is a material property (intensive property).Strength: when a material has reached the limit of its strength, it has the option of either deformation or fracture.Source: WikipediaOther SSCs covered include: confinement barriers (glove boxes, ducts), equipment support structures, filter assemblies and housings, etc.
106Comparison of SDB to Performance Category Ruggedness is related to the extent a structure is deformed with increasing design loads. Components have a range of ruggedness because of design factors used for various types of structural elements and applications.Components in SDC 5D can take the most severe seismic load without permanent deformation. Those in SDC 1A deform under minimum load but retain their structural stability.Seismic Ruggedness Factor was introduced to conceptually compare ANS 2.26/ASCE 43 seismic design provisions with those of STD 1020.Ref.: Seismic Design Implications Working Group Report to DOE HS-21, dated February 2, 2007
107Supplemental Guidance for ANS 2.26 When Selecting SDCs and Limit States (SDB) Safety analyst, seismic design engineer and the equipment design engineer evaluate the functional requirements for the safety SSC and its subcomponents to determine the appropriate Seismic Design Basis (SDB).If the safety functions of a safety SSC include confinement and leak tightness, a Limit State C or D must be selected.Guidance is provided for an SDC-1 or SDC-2 SSC having safety functions requiring Limit States A, B, C or D.
108Safety Classification Methodology: Public Protection The guidance of DOE G and DOE-STD-3009, Appendix A, should be used in classifying SSCs as Safety Class (SC) for radiological protectionThe words “challenging” or “in the rem range” in those documents should be interpreted as radiological doses equal to or greater than 5 rem, but less than 25 remIn this range (5 to 25 rem), SC designation should be considered, and the rationale for the decision to classify an SSC as SC or not should be explained and justified3009 guidance (public):Unmitigated release calculation:Take no credit for active safety featuresTake credit for passive safety features where they can be shown to survive accident conditionsLeakpath factor (LPF) = 1Source Term = MAR * DR * ARF (includes respirable fraction) * LPFDose = ST * X/Q * DCFNUREG for determining 95th percentile value of X/QX/Q is concentration divided by source term. Correlations are based on experimental observations under varying atmospheric conditions.
109Safety Classification Methodology: Collocated Worker Protection
Use unmitigated accident analysis source term guidance in DOE-STD-3009, Appendix A, Section A.3.2 and DOE G
Use dose of 100 rem TEDE at 100 m
Use ICRP 68 dose conversion factors
Apply X/Q value at 100 m of 3.5E-3 sec/m3 for the dispersion calculation
Collocated Worker
Objective criteria. Only MAR and ARF are variables; X/Q is specified in order to move discussions from atmospheric dispersion modeling to safety.3009 guidance:Unmitigated release calculation:Take no credit for active safety featuresTake credit for passive safety features where they can be shown to survive accident conditionsLeakpath factor = 1Source Term = MAR * DR * ARF (includes respirable fraction) * LPFDose = ST * X/Q * DCF
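The source-term and dose relations on this slide and the preceding one, combined with the Appendix A dose thresholds from the Seismic Design Criteria slide, carried through as an added worked example in Python. It is not part of the course material or of DOE-STD-1189 itself. The 3.5E-3 s/m3 collocated-worker X/Q at 100 m, the 5/25/100 rem thresholds and the 100 rem SS criterion are the values stated on the slides; the 25 rem public SC threshold is taken from the Appendix A public SDC-3 column. The MAR, DR, ARF, dose conversion factor and public X/Q inputs are constructed sample values, the function and field names are the example's own, any breathing-rate term is assumed folded into the DCF, and dose values exactly on a threshold are assumed to fall into the higher (more conservative) category, which the slide's strict inequalities leave open.

```python
"""Unmitigated-dose screening using the five-factor source term and the
Appendix A classification thresholds shown on the slides.
Added example with constructed inputs; not project or standard-issued code."""
from dataclasses import dataclass

# Appendix A fixes X/Q at 100 m for the collocated worker (from the slide),
# so only MAR and ARF remain as analysis variables.
XQ_COLLOCATED_100M = 3.5e-3  # s/m^3

# Dose thresholds (rem) from the Seismic Design Criteria slide.
CW_SDC2_REM, CW_SDC3_REM = 5.0, 100.0       # collocated worker at 100 m
PUB_SDC2_REM, PUB_SDC3_REM = 5.0, 25.0      # public
SS_COLLOCATED_REM = 100.0                   # SS criterion, collocated worker
SC_CONSIDER_REM, SC_PUBLIC_REM = 5.0, 25.0  # "in the rem range" band / SC, public


def source_term(mar_g, dr, arf, lpf=1.0):
    """ST = MAR * DR * ARF * LPF; ARF includes the respirable fraction and the
    unmitigated case uses LPF = 1 (slide guidance)."""
    return mar_g * dr * arf * lpf


def dose_rem(st_g, xq_s_per_m3, dcf_rem_per_g):
    """Dose = ST * X/Q * DCF, as written on the slide. Assumption: any breathing
    rate term is folded into the rem-per-gram DCF."""
    return st_g * xq_s_per_m3 * dcf_rem_per_g


def seismic_design_category(cw_dose_rem, public_dose_rem):
    """Return (SDC, note). The SDC is the more demanding of the worker and
    public columns. Assumption: a dose exactly on a threshold goes up."""
    cw = 3 if cw_dose_rem >= CW_SDC3_REM else 2 if cw_dose_rem >= CW_SDC2_REM else 1
    pub = 3 if public_dose_rem >= PUB_SDC3_REM else 2 if public_dose_rem >= PUB_SDC2_REM else 1
    note = ""
    # Slide footnote **: public dose one to two orders of magnitude above the
    # SDC-3 threshold means SDC-4 must be considered case by case.
    if public_dose_rem >= 10 * PUB_SDC3_REM:
        note = "public dose >= 10x SDC-3 threshold: consider SDC-4 case by case"
    return max(cw, pub), note


def safety_classification(cw_dose_rem, public_dose_rem):
    """Radiological SC/SS screening per the two Safety Classification
    Methodology slides (public: 5-25 rem band -> consider SC; >= 25 rem -> SC;
    collocated worker: >= 100 rem TEDE at 100 m -> SS)."""
    if public_dose_rem >= SC_PUBLIC_REM:
        public = "SC"
    elif public_dose_rem >= SC_CONSIDER_REM:
        public = "consider SC; document rationale"
    else:
        public = "below SC range"
    worker = "SS" if cw_dose_rem >= SS_COLLOCATED_REM else "below SS criterion"
    return {"public": public, "collocated_worker": worker}


@dataclass
class Screening:
    st_g: float
    cw_dose_rem: float
    public_dose_rem: float
    sdc: int
    sdc_note: str
    classification: dict


def screen(mar_g, dr, arf, dcf_rem_per_g, public_xq, lpf=1.0):
    """Run the full chain: source term -> worker and public dose -> SDC and
    SC/SS screening. public_xq is the site-specific X/Q at the site boundary."""
    st = source_term(mar_g, dr, arf, lpf)
    cw = dose_rem(st, XQ_COLLOCATED_100M, dcf_rem_per_g)
    pub = dose_rem(st, public_xq, dcf_rem_per_g)
    sdc, note = seismic_design_category(cw, pub)
    return Screening(st, cw, pub, sdc, note, safety_classification(cw, pub))


if __name__ == "__main__":
    # Constructed sample: 1 kg MAR, DR 1.0, ARF 1e-3, hypothetical DCF 5e4 rem/g,
    # constructed public X/Q 2e-4 s/m^3. Yields 175 rem (worker) and 10 rem (public).
    print(screen(mar_g=1000.0, dr=1.0, arf=1e-3, dcf_rem_per_g=5.0e4, public_xq=2.0e-4))
```

The useful property of this shape is the one the slide calls out: because X/Q for the collocated worker is fixed by Appendix A, a design change that moves the screening result can only have come through MAR, DR, ARF or LPF, which are exactly the rows of the "When to Communicate" table, so the same function doubles as a check on whether a proposed design change needs to go back to the safety analyst.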
110Backfit for Major Modifications For major modifications of existing facilities, Appendix A criteria are applicableBackfit analyses should examine:The need to upgrade interfacing structures, systems, and components in accordance with these criteria, andWhether there should be relief for the modification from the design requirements that application of these criteria in design would imply
111Additional NotesANS 2.27, Criteria for Investigations of Nuclear Facility Sites for Seismic Hazard Assessments, and ANS 2.29, Probabilistic Seismic Hazards Analysis, have been completed and approvedDOE plans to adopt them and to update DOE G (Natural Phenomena Hazard guide)
112SAFETY AND DESIGN INTEGRATION DOE-STD-1189-2008 Appendix B, Chemical Hazard Evaluation
113Purpose of Appendix BDOE is not invoking mandatory classification of safety SSCs or specifying nuclear design requirements based on chemical hazards alone, but the Standard does provide advisory chemical safety criteria.The guidance provides a sense of scale as to what is meant by a “significant exposure” in the criterion for classifying SSCs as safety significant.Note: DNFSB has advised DOE to consider the need to effectively implement controls for chemical hazards, including guidance on the design of hazard controls (ref. letter dated 2/22/08, Dr. Eggenberger to Mr. Sell).Note: NNSA and EM conditions for concurrence with App A of 1189 were that App A not include chemical hazards and that chem hazard criteria now in App B be non mandatory.
114Content of Appendix BGuidance for consideration of Safety Significant designation of SSCs for significant chemical exposures is based on a process of:Screening chemicals (hazardous materials) to determine those that may have the potential to immediately threaten or endanger collocated workers or the public andEvaluating the severity of potential exposures against advisory classification criteria for collocated workers and the publicNote: Chemical exposure for facility workers is addressed in Appendix C.Screening guidance is given in Section B.1 (p B-1) of STD-1189.
115Appendix B Methodology Methods for estimating chemical exposures are detailed in Appendix BUnmitigated chemical consequence analysis should use reasonably conservative values for the parameters related to material release, dispersal in the environment and health consequencesIt is desirable to reduce any tendency toward over- conservatism to achieve the risk-informed balance in the design of the SSCsNote guidance to use mean (instead of reasonably conservative) values of analysis parameters.
116Advisory Criteria for Safety Significant Classification
Public: Exposure > AEGL-2/ERPG-2/TEEL-2 (Potential for irreversible or serious long-lasting health effects)
Collocated Worker: Exposure > AEGL-3/ERPG-3/TEEL-3 (Potential for life threatening health effects or death)
Hierarchy: AEGL, ERPG, TEEL
Acute Exposure Guideline Levels (AEGL, EPA)
Emergency Response Planning Guidelines (ERPG, AIHA)
Temporary Emergency Exposure Limits (TEEL, DOE)
117Additional Notes
DNFSB issue on design guidance for Safety Significant SSCs is being addressed:
in a new draft DOE standard implementing ANSI/ISA (ISA-84), Functional Safety: Safety Instrumented Systems for the Process Industry Sector,
by a revision to DOE G
NNSA and EM each have issued guidance for Natural Phenomena Hazard (NPH) classification based on chemical hazard levels to the public and to workers
NNSA:
SS SSC onsite or offsite; SDC 3 for chemical hazards or PC-3 for non seismic NPH
Facility worker remaining: SDC 3 for chemical hazards
Facility worker prompt life threatening: consider SDC 3
SS SSC for facility worker protection (otherwise) SDC 2
EM:
Equivalent level of safety for seismic and non seismic NPH events (rad)
Atmospheric dispersion for non seismic NPH event same as App A, except for tornado/high wind events, including chemical releases
SS SSC onsite or offsite; SDC 3 for chemical hazards or PC-3 for non seismic NPH, but with C/B exceptions leading to PC-2
118EM Chemical Hazard NPH Guidance Reference: 4/15/09 memo from Owendoff on Implementation of DOE-STD-1189, Integration of Safety into the Design Process for Environmental Management ActivitiesNote: also addresses non-seismic NPHFor chemical hazards, use Appendix A X/Q unless heavy gases or high wind/tornados are involvedCriteria of Appendix B will be applied for safety significant designation and PC-3 designation, subject to cost/benefit analysis and consultation with EM HQConsult the referenced document for details
119NNSA CHEMICAL HAZARD NPH GUIDANCE (Slide 1 of 2) Reference: 7/9/2009 memo from D’Agostino to the Deputy Administrator for Defense Programs (and others), Guidance and Expectations for DOE-STD , Integration of Safety into the Design Process, Natural Phenomena Hazard Design Basis Criteria for Chemical Hazard Safety Structures and ComponentsNote: also addresses non seismic NPHGuidance mandatory for projects not yet in preliminary design (July, 2009)
120NNSA CHEMICAL HAZARD NPH GUIDANCE (Slide 2 of 2) Appendix B criteria suggested for use for safety significant classification and initial categorization of SDC-3 or PC-3 (rad and non-rad)SDC-2 or PC-2 may be justified based on technical or cost/benefit considerations with approval of Acquisition ExecutiveSimilar guidance for in-facility worker protection (SDC-3 or PC-3) when it is necessary for them to remain in the facility after an accident for safety related purposesAppendix C criteria suggested to be used for safety significant classification for in-facility workersConsult the referenced document for details
121Safety and Design Integration DOE-STD-1189-2008 Appendix C – Facility Worker Hazard EvaluationFor worker safety, Safety Significant SSCs are those whose failure is estimated to result in a prompt worker fatality or serious injuries or significant radiological or chemical exposures to workers.Appendix C provides guidance on related hazards analyses and what might be considered “significant” in the context of facility worker exposures.
122Hazard AnalysisA qualitative evaluation of unmitigated consequence to the facility worker (FW) considering:energetic releases of radiological or toxic chemical materials where the FW would be unable to take self-protective actions;deflagrations or explosions where serious injury or death to a FW may result;chemical or thermal burns to a FW that could reasonably cover a significant portion of the FW’s body; andleaks from process systems where asphyxiation of a FW normally present may result.
123Significant ExposureFor radiological consequences, the suggested evaluation criterion is 100 rem TEDE.For chemical exposure, the evaluation criterion is AEGL-3 or equivalent (e.g., ERPG-3, TEEL-3).
124Qualitative ResultsBy comparing the qualitatively derived FW radiological or chemical consequence to these evaluation criteria, an assessment can then be made about the need for SS preventive or mitigative controls.Where the qualitative consequence assessment yields a result that is not clearly above or below the evaluation criteria, then the need for SS FW controls shall be more closely considered by the project.
125 Safety and Design Integration DOE-STD-1189-2008 Facility Modifications
126 Facility Modifications
The process for integration of safety into the design of facility modifications is similar to that for new facilities, but it is tailored to the scope, magnitude, and complexity of the modification.
127 Facility Modification Process
Note: Because a simple modification could come under O 413.3A (cost greater than $20 million), this figure is not completely accurate. There should be a route from the simple modification path into the diamond asking whether O 413.3A applies.
128 MAJOR MODIFICATION DEFINITION AND IMPLICATIONS
As defined by 10 CFR 830.3, major modifications are those that “substantially change the existing safety basis for the facility.”
A major modification requires the development of a Preliminary Documented Safety Analysis (PDSA) ( ) and approval of the PDSA by DOE ( ) prior to procurement or construction of the modification
129 Evaluating Modifications (Slide 1 of 2)
Simple modifications: the existing hazard analysis is adequate for the modification; the existing hazard controls adequately address the modification and associated activities; implementing the existing change control processes is adequate to support the proposed change.
130 Evaluating Modifications (Slide 2 of 2)
Note that a simple modification or a less-than-major modification might invoke DOE O 413.3A, and therefore STD-1189, under cost criteria. In those cases, a Safety Design Strategy (SDS) is required, wherein the bases for the modification classification must be described. The SDS also provides the mechanism for tailoring the application of STD-1189.
131 Determining a Major Modification
It is important to determine the need for a Preliminary Documented Safety Analysis (PDSA) as early as feasible in planning for a modification.
In many situations, the need for a PDSA may be readily discernible with little or no detailed evaluation required.
The Standard establishes criteria for evaluating the need for a PDSA. If a PDSA is warranted, the facility modification is a Major Modification.
132 Major Modification Criteria (Slide 1 of 2)
Add a new building or facility with a material inventory > HC 3 limits, or increase the HC of an existing facility?
Change the footprint of an existing HC 1, 2 or 3 facility with the potential to adversely impact any SC or SS safety function or associated SSC?
Change an existing process or add a new process resulting in the need for a safety basis change requiring DOE approval?
These criteria are presented in the Standard on pages 77 and 78 along with a discussion of each.
Examples of application of the criteria are contained in Appendix J of the Standard.
No one criterion is controlling. It is a judgment-driven process.
It may be useful to work through one of the examples in Appendix J
133 Major Modification Criteria (Slide 2 of 2)
Utilize new technology or Government Furnished Equipment (GFE) not currently in use or not previously formally reviewed and approved by DOE for the affected facility?
Create the need for new or revised Safety SSCs?
Involve a hazard not previously evaluated in the DSA?
134 Safety Design Strategy for Major Modification
Where a major modification is found to exist, an SDS should be developed that addresses:
The need for a CSDR or PSDR (as well as the required PDSA) to support project phases
The graded content of the PDSA necessary to support the design and modification
The application of nuclear safety design criteria
The interface with the existing facility, its operations, and construction activities
135 Summary of Major Modification Determination Process
Determine whether the modification is a major modification
Determination involves qualitative evaluations of six criteria
No one criterion is determining
Process relies on judgment based on consideration of all the criteria evaluations, on balance
Process and criteria are described in Ch 8 of the Standard
Specific examples are in Appendix J of the Standard
136 Safety and Design Integration DOE-STD-1189-2008 Lessons Learned
137 Sources of Lessons Learned
DOE Project Reviews
DNFSB Project Reviews
Project Implementation Experience
Implementation Questions from Field
Questions During 1189 Training Sessions
138 Lessons Learned (Slide 1 of 5)
Need for detailed training on STD-1189 for FPDs, safety leads, and engineering leads
Surface-level review of the Standard; focus on products (SDS, CSDR, PSDR, etc.) instead of understanding the integrating process approach
Project management, safety, and engineering design personnel should have a level of familiarity with the requirements and guidance relevant to the other disciplines
139 Lessons Learned (Slide 2 of 5)
Issues missed in application:
Level of HA as a function of design stage;
Nuclear criticality safety not included in HA/control identification;
Risk and Opportunity Assessments not carried into the Project Risk Management Plan;
Security not included in SDIT
140 Lessons Learned (Slide 3 of 5)
Need for formality in establishment and activities of the Safety Design Integration Team (SDIT)
Project management commitment; designation of an SDIT lead (forcing function for effective communication between safety, design, and engineering)
141 Lessons Learned (Slide 4 of 5)
Importance of a requirements management system (e.g., Dynamic Object Oriented Requirements System)
Need flowdown of functional requirements to design documentation [System Design Descriptions (SDDs)]
Need management of change
Don’t let development of SDDs get out of sync with safety input and documentation in the CSDR, PSDR, and PDSA
Need to assess/validate the ability of safety SSCs to provide the safety function indicated by the hazards analysis
142 Lessons Learned (Slide 5 of 5)
Role of the Safety Design Strategy (SDS) document
Tailoring of CD phases and safety documentation
Revising conservative safety assumptions with better information as design proceeds
Real-time mechanism to achieve consensus on safety-in-design approaches (living document)
143 FAQs
Does commitment to O 420.1B criteria mean commitment to the associated guides as well?
Means for choosing/justifying alternative safety design criteria.
Level of detail of DOE review of safety design documents (CSDR/PSDR/PDSA) in meeting O 420.1B safety design requirements.
How to modify early conservative safety design assumptions/approaches. Considerations.
What is Code of Record?
144 Commitment To DOE O 420.1B Guides
Does commitment to O 420.1B criteria mean commitment to the associated guides as well?
Guides are not requirements (unless committed to by contract)
DOE expectation is that guides will be followed
Considerations?
Cost
Schedule implications
Equivalent or better outcomes/demonstration thereof
145 Level of DOE Review of Safety Design Documents
What is the level of detail of DOE review of safety design documents (CSDR/PSDR and PDSA) in meeting O 420.1B safety design requirements?
A function of the stage of design
Sufficient to identify issues that need to be addressed in the next stage
Sufficient to determine acceptability of safety-in-design approaches
146 How to Modify Early Conservative Safety Design Assumptions/Approaches
Potentials for this should be identified in the Safety Design Strategy (SDS, Risk & OA, and the Project RMP)
Modify the SDS and get approval of the update
Considerations
Refined design inputs (process design, MAR, new information…)
Cost and schedule impacts of redesign (e.g., redesign of building structure for a lower Seismic Design Category/Limit State (SDC/LS))
147 What is the Code of Record?
Set of design codes, standards, and other requirements that are the bases for design and operation
Originates at CD-2 (preliminary design approval) and is important to the cost basis
Documented through design documents and the PSDR/PDSA
Can be added to or modified throughout the life of a facility
An example of where the code of record became an issue is the Salt Waste Treatment Facility (SWTF) at SRS.
The facility was being designed to NPH requirements that called for PC-3 only when an NPH event could cause a site boundary dose exceeding 25 rem.
SRS requirements called for SS designation if the collocated worker dose exceeded 100 rem (average meteorology)
DNFSB asserted that SS designation required PC-3 for the building structure if it was relied upon for confinement.
EM agreed and directed the contractor to comply, thus changing the previously understood code of record
148 Summary (Takeaways)
The importance of the SDS as a consensus document for planning the path forward.
The importance of the SDIT and timely communications in the iterative nature of feedback and improvement between safety input and design outputs
The importance of the CSDR and PSDR and their approvals as timely communication documents that provide the safety-in-design basis for proceeding to the next design stage
149 Summary (Takeaways) (Continued)
Management support and utilization of the process; utilization of the R&OA; conformance of the project to the Key Concepts and Guiding Principles of 1189
The importance of a proactive approach in identifying and addressing safety-in-design issues in a timely fashion