Related MPPA Hierarchy Sections: 2C.3, 2C.4, 2C.5, 2C.6, 2D.2, 2D.3.5, 2F.2
Just as nuclear safety depends on a comprehensive approach to safety analysis and documentation, the development of this technical safety documentation environment depends on comprehensive management of this functional area. Any weakness in the management of the technical area at a nuclear facility can result in a major problem. In contrast to other areas where problems can often be corrected by revising the documentation, the Engineering Organization responsibilities include decisions that are often very close to being irreversible in their impact on the plant. There are examples of simple errors having profound consequences. For example, the improper orientation of a single layout drawing can result in an entire facility being built incorrectly. Sometimes designs of systems are new and untested, and they can result in severe problems if unanticipated interactions or phenomena occur. In each case, the problem will very often involve significant expense to correct, or it might actually result in injury to personnel or damage to equipment. In the worst case, public health and safety could be affected.
To avoid such major problems, the routine activities of the Engineering Organization should be well developed, allowing most of management's attention to focus on nonroutine business. The development of this underlying routine depends on clear assignments of responsibilities and strict adherence to administrative processes that allow formal and orderly consideration of all aspects of an engineering project or task. Circumvention of the process should be vigorously avoided, ensuring that every check-and-balance element is exercised and that each technical expert assigned an area of responsibility feels accountable for that area.
Clear lines of authority and responsibility, as well as an accountability system, must be established for the engineering and technical support function of an organization. Putting these controls in place will greatly aid in maintaining a consistently high-quality engineering and technical support program, allowing each organization to use its resources more efficiently and effectively. These management controls are needed for the engineering and technical support function of an organization in order to carry out those support programs important to nuclear safety in a consistent manner. If engineering and technical support programs are structured in an informal or haphazard fashion, design control will be lost and errors will eventually be incorporated into the facility design.
Symptoms
• Facility or equipment outages are experienced due to incorrect, poor, or inconsistent operating, maintenance, and engineering practices.
• Engineering and technical support programs are not periodically reviewed, modified and updated by supervision.
• Frequent delays in implementing tests, evaluations, and design changes.
• Frequent failure to coordinate and conduct engineering and technical support activities efficiently.
EA1: The assessor reviewing design change documentation can provide information regarding the Engineering Organization's assignment of responsibilities and accountabilities by assessing the design change approval process. Key disciplines should be represented, but system engineers, operations managers, and maintenance managers should also be involved. One way of assessing the design change review process is to consider how long it takes for each reviewer to complete his review and how many issues are raised during the process of review and approval. For design changes that resulted in problems, the assessor should consider where in the review process the problem could have been anticipated and avoided. In some cases, responsible reviewers might have been bypassed because someone decided that their review was "not applicable." This is often a self-defeating determination made by non-technical managers or by individuals having an interest in expediting the review process. Thus, the effectiveness of delegating responsibility and ensuring accountability can be reduced.
EA2: Assessors reviewing as-built drawings and other documentation can provide insights regarding whether the Engineering Organization provides comprehensive and systematic reviews, reflecting an effective organizational structure. Revisions of drawings and documents sometimes result from obvious oversights in the initial reviews.
EA3: If the Engineering Organization has an extensive backlog of routine work, it could be due to organizational problems. Although a backlog of work could also indicate careful examination of each project and should not be discouraged, the distribution of review and approval responsibilities sometimes results in an organizational bottleneck that may need attention. The assessor reviewing the engineering backlog should attempt to identify the status of a sample of work packages and determine whether the organizational structure might be a problem.
EA6: The Engineering Organization should be responsive to the other facility organizations, so the assessor reviewing departmental interfaces can help determine whether responsibilities and accountabilities extend across these interfaces. Routine matters should flow readily across departmental interfaces, and only exceptional issues should require elevation to senior management for resolution. Interviews with personnel in other departments might provide insights in this area.
EA7: Assessors attending meetings involving engineering reviews and decisions can help determine the effectiveness of the Engineering Organization by determining the level of preparation for the meeting, the status of and responsibilities for the associated documentation, and the participation by responsible managers. It may be evident that clear lines of authority and responsibility have not been established for routine aspects of the project.
EA8: The assessor reviewing the adequacy of documentation and reference resources can assist in assessing the overall effectiveness of the Engineering Organization. The effectiveness of the Engineering Organization depends on a range of facility documentation and technical information that should be readily available. Support organizations such as the technical library should be managed under clear assignments of responsibilities and expectations. Problems in the management of the technical library should be assessed in terms of assignments of responsibilities, including who is responsible for routinely identifying and correcting problems in this area.
FA5: The assessor reviewing the validity of the fire hazards analysis and similar documentation should consider whether deficiencies in this area may be the result of inadequate emphasis from the Engineering Organization. Lack of emphasis on safety issues not directly involving nuclear hazards may reflect some organizational problems. Nevertheless, the assessor should be able to identify the Engineering Organization manager directly responsible for coordinating and addressing fire protection issues.
OA1: Assessors observing shift turnovers should assess the level of the technical information provided in turnover sheets and on status boards for clarity and adequacy. One problem may be that status boards and turnover sheets are out of date due to design changes or changes in technical requirements. In some cases, deficiencies in these areas could indicate that the Engineering Organization is not ensuring comprehensive support. This may be due to weaknesses in the assignment of responsibilities for this type of support.
OA3: Assessors reviewing operating procedures for clarity and consistency with plant equipment labels can provide insights regarding the Engineering Organization's ability to support fundamental requirements of the Operations Organization. Managers responsible for operating procedures and equipment labeling should be identifiable in each of these organizations.
OA10: The assessor observing shift turnover should assess whether the Engineering Organization is providing adequate support on backshifts. In facilities where it is important to maintain operations beyond the normal working day, some provision may be needed for technical support on emergent safety issues. Assessors should be alert to identify instances where safety could be compromised due to lack of timely or effective technical support.
OA11: The assessor evaluating the accuracy and utility of system status displays may identify deficiencies for which the Engineering Organization should take routine responsibility.
OA12: Assessors attending Plan of the Day meetings may identify instances in which the Engineering Organization is not effective in providing support to resolve problems in a timely manner. This could be due to a lack of delegation of responsibility or lack of authority to initiate corrective actions.
TA1: The Training Organization and the Engineering Organization should have routine and well-exercised lines of communication with each other. The assessor of this communication from the training program perspective can provide information on the effectiveness of the Engineering Organization in providing timely information on facility modifications. The responsible managers should be coordinating with each other, allowing preparation of any new training activities and documentation needed to support the implementation of the modification-related training for operators and for maintenance personnel.
Management Cause Analysis
2C.3/2C.4/2C.5/2C.6: If deficiencies are identified in the area of assignment of organizational responsibilities, it is likely that similar organizational deficiencies exist at all levels. Engineering managers at the various levels of the plant and contractor organizations should be assigned counterparts as needed to facilitate the execution of responsibilities and the oversight of engineering activities. Ideally, each level of management will at least be aware of nonroutine engineering issues and will be providing some kind of direct support or will be using the information to anticipate potential problems at similar facilities. Managers should be able to identify their counterparts readily and should be communicating with them frequently. This is not possible unless all of the levels have technical personnel who are assigned similar responsibilities.
2D.2: In order for the engineering and technical support function to be adequately controlled within a well-structured organization, coordination, cooperation, and communication among the line management organizations and with the Engineering Organization must be established and practiced. The engineering and technical support function within each division must have the support of its supervision and also the Engineering Organization's management in order to coordinate and achieve cooperation with each other. Without communication, coordination, and cooperation, the formal methods of accountability and the clear definition of responsibilities and authority that are established will not be effectively implemented.
2D.3.5: Contractors in the Engineering Organization should have management processes and programs to develop and evaluate the adequacy of safety bases for the facility. If deficiencies exist in the Engineering Organization at the contractor level, they may be due in part to contract issues. For example, the contract may not include maintaining a technical library, or it may not include ensuring that vendor manuals are complete and up to date. Managers should be sensitive to contract deficiencies and should be pursuing corrective actions. The fact that something may not be covered by the contract should not be considered the root cause of such problems. In cases where the contract addresses a requirement that is not being done, root causes are more easily identified. Nevertheless, plant managers and the contractor are responsible for ensuring that contract requirements are met.
2F.2: Each individual's sense of responsibility for safety is largely dependent on the facility safety culture. Responsibility and accountability must be shared throughout all organizational levels, with the ultimate responsibility and accountability residing at the top of the organizational structure. Since senior program managers provide the resources, select subordinate managers, conduct assessments, award contracts, provide training programs, and impact almost everything that occurs at a nuclear facility, they are primarily responsible for deficiencies. When managers attempt to avoid their responsibilities, the safety culture can be adversely affected. Workers are particularly vulnerable to these breakdowns in the safety culture and may become passive participants in ensuring plant safety. Therefore, possible root causes for plant problems are organizational elements in which specific responsibilities are not well established.
References
Related MPPA Hierarchy Sections: 2A.1.1, 2B.1.1, 2B.2, 2B.3, 2B.4.1, 2D.1.1, 2D.2.1, 2D.3.1, 2E, 2F.2.2
The engineering and technical support organization must include personnel who have the necessary technical skills to ensure continued control of the design intent of the physical plant. This control is not static, so sufficient numbers of qualified personnel must be available to allow engineering control to be exercised at a rate that supports the facility needs. These needs might include a range of routine support activities for design change requests, drawing revisions, procurement support, risk assessments, system performance evaluations, and maintenance support.
The nuclear industry is unique in that it has many nuclear-specific standards and requirements of which the Engineering Organization must be aware. The day-to-day application of those standards throughout all of the Engineering Organization activities requires significant nuclear plant experience and an inquisitive attitude on the part of every member of the Engineering Organization. System interrelations must be understood, as well as their potential impacts on safety.
Failure to provide adequate numbers of qualified personnel in the Engineering Organization will result in increased pressure to get work products completed, which may lead to oversights regarding potential problem areas. For example, understaffed Engineering Organizations frequently base their recommendations only on documentation rather than plant walkdowns. Properly staffed Engineering Organizations will normally be very familiar with the current condition of the physical plant and the documentation.
Also, inadequate staffing in the Engineering Organization prevents timely problem solving. The inability to respond quickly to technical problems can ultimately compromise the efficiency and safety of the facility.
Symptoms
• Facility schedules reflect that a bottleneck exists at the Engineering Organization for tests, design changes, and root cause evaluation.
• Excessive reliance is placed on outside consultants for support in critical technical areas.
• Engineering Organization personnel have no training program or no time for training, including self-training.
• Engineering Organization personnel cannot draw or describe key plant systems.
• Facility drawings are not up to date, and recent design change records are not readily available.
• Personnel pretend to know what they do not know.
• Material incompatibilities result in corrosion of plant equipment and supports.
• Plant instrumentation cannot be properly calibrated.
• Design and arrangement features make maintenance difficult.
EA3: The assessor of engineering work backlog can help determine whether the Engineering Organization has adequate staffing. One of the easiest ways to determine whether the Engineering Organization has adequate numbers of qualified personnel is to assess the amount of backlogged work for which the Engineering Organization is responsible. The assessor should keep in mind that part of the job is the paperwork. If the Engineering Organization is keeping pace with design changes, they may be neglecting the task of making the resulting as-built drawing changes.
EA5: The assessor reviewing the basic qualifications of personnel has direct input on the adequacy of the Engineering Organization staff. The initial qualifications of new personnel may reflect an inability to attract qualified candidates. The assessor should compare job descriptions with the qualifications of the people filling the jobs, look for instances where a job is unfilled or filled temporarily, and evaluate work products to determine whether they reflect inadequate qualifications. If inadequacies are found, determine whether the Engineering Organization management or review structure is able to identify potential engineering problems. For example, managers may not critically review the work of their engineers on a routine basis.
FA5: The assessor reviewing the plant fire hazards analysis information can help assess the level of staffing in the Engineering Organization. The assessor should determine whether the Engineering Organization provides any design change information to update the fire hazards analysis. Significant differences between the plant design and the fire hazards analysis may be due to an Engineering Organization that cannot keep up with the need to change safety documentation.
MA1: If the assessor of the material condition of the plant finds excessive corrosion, this might be due to inadequate staffing of the Engineering Organization. One of the most frequent technical failures of Engineering Organizations is to allow combinations of materials and environments that are incompatible. This is due to inexperience and to failure to assess material conditions in the field for material problems caused by design oversights.
MA3: The assessor of the calibration program should be sensitive to the possibility of an inadequate design basis for calibration requirements. If the Engineering Organization produces design changes that involve instrumentation, they may fail to determine whether the sensors and circuits can be calibrated within the intended operating range, using available instruments and standards. This can sometimes be determined simply by asking M&TE personnel why they selected a particular instrument for the calibration of a new instrument, what the trends and frequency of the calibration are, and whether the new instrument is actually staying within the designer's intended limits. If problems exist in this area, they may be due to inadequate staffing or training in the Engineering Organization.
MA13: The assessor conducting the evaluation of maintenance backlogs and trends can help to determine whether the Engineering Organization staff is inadequate. To the extent feasible, the assessor should attempt to identify examples of re-work items caused by design issues. These might include instances of incompatible materials, excessive repairs on the same component, and additional difficulty in performing maintenance due to avoidable design characteristics. For example, a pump that is close-coupled to its motor cannot be easily repaired without removing the motor. Also, designs should include access allowances for maintenance. Therefore, one approach is to ask for a list of the most difficult repair jobs. For recently installed modifications, problems such as these may indicate a staffing problem in the Engineering Organization.
TA2: The assessor of training records can assist in determining whether the Engineering Organization is adequately staffed. Of particular interest is whether the Engineering Organization staff receives routine training that maintains and increases their skills. Also, each member of the Engineering Organization staff should have a specific training program that meets their requirements, including recurring training. While reviewing training records, determine whether the Engineering Organization staff receives comprehensive and routine training.
Management Cause Analysis
2A.1.1: If there are deficiencies in the Engineering Organization staff, the facility safety documentation might not be maintained up-to-date. If management has failed to identify all of the safety related and other design information that needs to be maintained, then it is also likely they have not provided adequate personnel to maintain the documentation.
2B.1.1: The qualifications of the facility Engineering Organization staff could be supplemented by Field Office or Headquarters staff in the event of key personnel shortages. Also, cooperation with other facilities could allow the temporary or permanent transfer of technical personnel. For some areas of technical expertise, engineers or technicians could be shared as a routine matter. This can be done only if management has an awareness of the staffing issues and looks for such opportunities to coordinate and share resources.
2B.2: Problems with staffing of the Engineering Organization could be caused directly by not having in place management requirements and evaluations that ensure personnel skills are matched with their jobs and maintained as needed to continue to meet job requirements. Processes for selecting and training replacement personnel to meet routine attrition should be in place and should be supported.
2B.3: Each nuclear facility should be supported by a training and rotation program that meets the growth needs of the individual as well as the evolving needs of the facility. An adequate staffing plan will address both needs. If this is not being done, it is probably a failure in other organizations besides the Engineering Organization.
2B.4.1: Plant personnel providing oversight of the Engineering Organization require their own training in order to stay abreast of industry standards and technical problems. Sometimes they can receive training at multiple sites, at conferences, or through continuing education and contribute positively to identifying and resolving technical issues. Plant technical managers should be as proactive as possible. Training of plant managers and staff should be highly developed at all management levels.
2D.1.1/2D.2.1/2D.3.1: If the Engineering Organization staff is inadequate, it could be that the plant program was established without provision for ensuring the availability of trained technical personnel. Plant and contractor managers should have processes and programs to select, qualify, train, and staff personnel at facilities under their control. For example, what is the planned "training pipeline" for each assigned person in the organization? How long does it take? Who is responsible for assessing its effectiveness? What happens if someone does not make it through training?
2E: If the Engineering Organization staff is not adequate, it is possible that this is due to the failure to distribute resources within the program properly. Distribution of resources to provide a safe program depends largely on having an understanding of the relative requirements, avoiding over-providing for some facilities at the expense of others, and having a minimum standard of staffing, below which the facility operations are impacted. In the areas of engineering and technical support, this type of determination is very difficult and may not lend itself to direct determinations. Nevertheless, some attempt should be made to identify and address staffing problems before they become safety problems.
2F.2.2: If the Engineering Organization staff is not adequate, individuals will not be aware of safety standards and expectations in their areas. Nuclear facilities require the development and maintenance of a unique safety culture, which may compensate to some degree for temporary personnel shortage problems. This is primarily a matter of instilling conservatism and inquisitiveness, an attitude that is often reflected in an organization in which no one is afraid to say that he does not know something. Therefore, each assessor interviewing plant personnel or managers should consider asking questions at a gradually increasing depth until the individual must say that he does not know the answer. An inappropriate culture exists if the individual is inclined to guess without indicating that he does not actually know the correct answer.
References
ASME NQA-1, Quality Assurance Program Requirements for Nuclear Facilities.
NRC Inspection Manual, Procedure 37991, Design Process.
NRC Inspection Manual, Procedure 37701, Facility Modifications.
EQ3 Is work prioritized to meet the most urgent support engineering requirements of the customer, yet all work is addressed in a timely manner?
Related MPPA Hierarchy Sections: 2C, 2D.1.2.2, 2D.2.2.5, 2F.3
Engineering support requirements frequently will challenge the available resources. This can happen if management has allocated insufficient resources for engineering support. However, even in facilities that have sufficient engineering support resources, the cyclical nature of the demand may still periodically challenge the available resource. When this happens, work must be prioritized.
The problem with prioritization is that lower priority work may not be accomplished at all unless management provides guidelines regarding the accomplishment of those work items near the bottom of the priority list. One concern is that when items remain on the work list for extended periods, the facility resources may be inadequate. In addition, for facilities where a lack of resources prevents accomplishing needed work due to priorities, the affected technical personnel or other plant personnel are not receiving adequate support.
When a technician or other facility worker identifies work that needs to be done, it should be accomplished in a timely manner. Failure to do so potentially results in the problem becoming more severe in at least two ways. First, uncorrected deficiencies can result in physical consequences of increasing severity due to continued degradation, especially if the root causes are not identified. Second, the fact that a plant worker has recommended the accomplishment of work which is not being accomplished has a negative impact on morale and reduces the motivation of personnel to make further recommendations for corrective actions. Thus, it is very important that managers ensure the timely and vigorous correction of all deficiencies pointed out by plant personnel. Where it is not appropriate to take such action, the worker deserves a detailed and satisfactory explanation, and the item should be removed from the work list.
When a nuclear facility work list is so extensive that it must be prioritized for accomplishment over a long period of time, some systematic mechanism should be in place to ensure that the lowest priority work is scheduled and eventually accomplished on schedule. One way of accomplishing this is to assign each new item a priority as well as a date when its priority is number one.
Also, managers must be careful to ensure all safety items are accomplished as soon as possible. In addition to work related to equipment addressed in the safety analysis report, managers should consider certain other equipment to be safety related. For example, deficiencies related to equipment labels should always receive the highest priority for corrective action.
Symptoms
• There is no prioritization process designed to ensure the lowest priority work is accomplished in a timely manner.
• Where resources are not adequate to ensure the timely completion of work, additional resources are not obtained.
• Frequent delays in implementing tests, evaluations, and design changes.
• Frequent failure to coordinate and conduct engineering and technical support activities efficiently.
• Temporary repairs are authorized for extended periods of time rather than performing formal design reviews and implementing modifications or repairs.
• Instrumentation and control systems or circuits are out of service, either in large numbers or for extended periods of time.
EA3: The assessor reviewing the engineering working backlog can help determine whether the Engineering Organization has adequate prioritization strategies and staffing to perform work in a timely manner. One of the easiest ways is to assess the amount of backlogged work for which the Engineering Organization is responsible. The assessor should keep in mind that part of each job is the paperwork, so this is also part of the backlog of work. If the Engineering Organization is keeping pace with design changes, they may be neglecting the task of making the resulting as-built drawing changes.
EA7: Assessors attending meetings involving engineering reviews and decisions can assist in assessing the effectiveness of the Engineering Organization prioritization process and available resources by determining the level of preparation for the meeting, the status of and responsibilities for the associated review documentation, and the participation by responsible managers. Issues of priority and timely completion should be addressed by managers having the authority to ensure credible schedules.
MA4: The assessor reviewing the documentation for a maintenance work order can assess Engineering Organization workloads and priorities. For example, the interval between the date the work was recommended and the date it was actually accomplished may not reflect appropriate timeliness.
MA5: The assessor conducting interviews with maintenance personnel should discuss how work is prioritized and whether it is accomplished in a timely manner. Prioritizing work is a group effort requiring cooperation and participation from engineering, radiation protection/health physics, and maintenance. The perspective of maintenance personnel relative to the Engineering Organization's responsiveness to facility work requirements should be specifically determined.
MA6: The assessor reviewing a maintenance work order for a new addition to the facility can determine whether the responsibilities of the Engineering Organization in developing the plan for such work activities as initial testing of this new addition are being met and whether the engineering calculations regarding the performance of this equipment were completed in a timely manner.
MA13: The assessor conducting the evaluation of maintenance backlogs and trends can help to determine whether the Engineering Organization system of priorities is inadequate. To the extent feasible, the maintenance work backlog assessor should attempt to identify examples of delays caused by design issues.
Management Cause Analysis
2C: If there is a problem with accomplishing all identified Engineering Organization work in a timely manner, it could be due to an inadequately integrated or developed set of management processes. Field offices and contract engineering organizations must have a comprehensive system of policies, directives, and guidance that clearly establishes organizational relationships, responsibilities, and authorities. The documents contained in the system should amount to an integrated, coordinated set that is easily understandable and clearly sets forth the roles and missions of the various components of the organization. Work priorities in the Engineering Organization should be based, within this management program, on attributes that relate to the urgency and safety implications of a project, but this should not be divorced from concerns for personnel motivation and the need to accomplish all of the work in a timely, responsive manner. Management programs should develop and implement a process for prioritizing work that tracks all projects so that all work requests are systematically and aggressively addressed by the Engineering Organization.
2D.1.2.2/2D.2.2.5: If the Engineering Organization is not keeping up with its workload, the PSO or MFO may not have ensured that resources are provided to maintain their nuclear facilities in a safe and economic manner and to reduce maintenance backlogs to a manageable level consistent with plant goals and objectives.
2E: If there are problems in accomplishing Engineering Organization work, this may be due to inadequate distribution of resources.
2F.3: If the Engineering Organization is not keeping up with its work,
this may be due to inadequate integration of safety with other program
objectives, or those other objectives may not have been defined and
implemented in program documents. For example, one program objective should
be to demonstrate sensitivity to plant personnel recommendations in a manner
that encourages continued personal initiative in raising emergent problems
to management attention.
References
EQ4 Does the technical support organization
have adequate facilities and equipment to perform their engineering work
to keep up with work requirements?
Related MPPA Hierarchy Sections: 2A.1.1.3, 2A.1.1.4, 2A.2.1, 2E.1
A nuclear facility technical support organization must provide error-free service to line organizations in a timely and professional manner. To reach this error-free objective, the Engineering Organization needs to have good facilities and equipment.
Facilities for the technical support organization should be suitable for the types of support equipment in use and for performance of engineering support activities by assigned personnel. For example, calibration equipment and electronic equipment are sensitive to temperature fluctuations and moisture and should be in a facility that has temperature and humidity control.
In addition, the successful performance of an Engineering Organization at a nuclear facility depends heavily on having ready access to a wide range of accurate technical information. Therefore, technical documentation may be considered to be equivalent to equipment for an Engineering Organization. Also, facilities and equipment are often inadequate for the storage of basic documentation such as technical manuals, design calculations, and design change packages. Even if storage is adequate, updating and retrieval can be a problem without the use of modern information systems. The more complex a facility, the more likely that advanced information management systems will be needed to ensure timely updating and retrieval of information. In cases where a nuclear facility is quite old or for other reasons has insufficient technical documentation, the later production of that information is generally quite difficult.
Similarly, equipment for a technical support organization should be
suitable for the required activities. Thus, the equipment should be reliable
and up-to-date. In terms of quality, the equipment should be comparable
to or superior to that used in advanced technology facilities found in
the commercial industry. In terms of quantity, there should be sufficient
quantity of equipment available for the Engineering Organization to perform
the required support activities in a timely manner. There should also be
redundant equipment available to continue to work despite occasional equipment
failures.
Symptoms
• Technical support organization fails to provide quality support, making errors as a result of unavailability of timely and accurate information.
• Support organization experiences frequent equipment failures.
• Low morale in the technical support organization.
• Files, documents, and technical references are not available or not easily located.
• There is no technical library, or the technical library is not comprehensive and maintained (e.g., standard generic reference books and industry technical reports are not made available).
• Facility drawings are not current,
or there is confusion as to the status of design change implementation.
EA3: The assessor conducting the assessment of the Engineering Organization work backlog will be able to provide the most safety-significant information available regarding the effectiveness of that organization. Even if the nuclear facility has the best engineers available, they often cannot keep up with the demands of the line organization during peak periods such as major outages or plant modifications unless their automation and other equipment needs have been met. Some managers are not aware of the possible adverse effects of backlogged engineering support work on emergent work and overall plant efficiency.
EA8: The assessor reviewing the availability of plant documentation
and other reference material will be able to determine whether adequate
equipment resources are provided, including automated equipment. Nevertheless,
one of the most common failures in the area of documentation is the failure
to provide a comprehensive and current general reference library for use
of the Engineering Organization. For example, even though plant safety
is highly dependent on valves, pumps, and diesel engines, generic handbooks
containing valuable design and troubleshooting information for such components
are often not provided. Thus, Engineering Organization personnel are not able
to access a large percentage of technical information that may periodically
provide additional insights or assist in avoiding design errors. The condition
is caused by the failure of managers to identify and provide such generic handbooks.
Management Cause Analysis
2A.1.1.3: In particular, the availability of technical manuals is limited due to failure to procure technical manual support from vendors at the time of equipment purchase or system development and testing. Technical manual support should include periodic updates that reflect the range of operating and maintenance experience derived from the vendor's interface with other customers and from local customers within the nuclear plant.
2A.1.1.4: Facility drawings are often neglected, or drawing updates are given a priority too low to ensure the availability of as-built or as-modified drawings. Management will often defer "paperwork" in the interest of attending to operations or production. This makes the updating more difficult and costly and results in an increased risk of error, which will result in a compromise of personnel and public safety.
2A.2.1: All documentation at a nuclear plant should be current, applicable, and readily retrievable by the responsible personnel. The Engineering Organization is particularly dependent on having such information. Achieving the needed capability often requires a very sophisticated document control and distribution system.
2E.1: If there are deficiencies in the resources provided to the technical
support organization, there will most likely be deficiencies in the quality
and timeliness of support to operations, maintenance, and other line activities.
These deficiencies will directly impact nuclear safety. Resources must
be allocated to develop and maintain whatever facilities and equipment
are needed for producing reliable and efficient technical support.
References
ASME NQA-1, Quality Assurance Program Requirements for Nuclear Facilities.
NRC Inspection Manual, Procedure 37991, Design Process.
NRC Inspection Manual, Procedure 37701, Facility Modifications.
Related MPPA Hierarchy Sections: 2A.1.1, 2A.2.1, 2E.1
Assuming that the nuclear facility has a fully developed design documentation basis from which to work, nuclear safety-related activities such as design changes and parts procurement will require frequent access to the information contained in that documentation. For engineering work to be performed accurately and efficiently, there must be a very systematic support system for storing, retrieving, and maintaining documents and reference materials. The Engineering Organization staff in particular should have ready access to this information and any additional support information such as procedures, regulatory requirements, industry standards, project-specific specifications, and maintenance records.
Many nuclear facility document support organizations and reference libraries
use computers and software applications to increase efficiency and control
without unduly inhibiting work. Users are often able to use computer terminals
to search for, locate, and download information. Many design documents
can be stored and updated in electronic form. Without timely documentation
support, managers cannot expect the Engineering Organization staff to
perform their work to the standards of performance expected. Fortunately,
modern information management systems can be used to provide such support.
Symptoms
• Documentation files and records are not readily retrievable, thus encouraging the Engineering Organization staff to use informal or incomplete sources of information.
• Technical library has limited copies of validated or controlled documents or is missing documents that are needed to describe and control safety-related features or areas of the facility design.
• Facility personnel do not have confidence in the availability of accurate and complete information from the technical library.
• Users have unrestricted access to master copies of critical information or the library in general and can remove or change documents of record.
• Documents issued to line organizations are out of date, even though changes have been provided.
• The customers avoid the library and collect their own informal documentation in their specific areas of interest.
• Technical library does not routinely acquire reference material such as technical handbooks and journals needed to support the professional needs of the staff.
• The library does not have a complete set of NRC Regulatory Guides and applicable industry standards.
• The technical library is not open or staffed during all working hours.
• Two different versions of a controlled document are in use.
EA2: The assessor reviewing the status of the as-built drawings and documents will be able to determine directly whether the technical library is adequate. In particular, the assessor should evaluate the retrievability and the quality of a sample of drawings. Of particular interest is the process by which documents are updated and the associated backlog of work in this area, including how the drawing backlog is identified for the affected users of documents awaiting processing.
EA3: The assessor of the work backlog may discover that one of the problems in getting work planned is the difficulty in obtaining documentation for the work packages. Also, documentation errors might be due to the failure of the design organization or the technical library support staff to keep up with changes. Since the backlog is normally dependent to some degree on the staffing and ability of the work planning organization, the assessor may also discover that planners have their own informal library.
EA8: The assessor reviewing the documentation files and information libraries can support the evaluation of the design process and configuration management program review by determining the ease of access to validated and controlled information. The assessor should determine whether the documentation of design changes is properly filed in a retrievable form that makes new information readily available to support engineering needs. One frequent problem with engineering records is that the evolving design information is filed but is then not automatically flagged or cannot be located when needed. In addition, the assessor should identify situations where informal supplemental information is being maintained in lieu of using the controlled documentation. Experience indicates that informal documentation is most often found in the work planning organization. The presence of informal collections of plant reference documentation indicates that problems exist in the controlled documentation program, and such collections also increase the probability of a safety problem developing due to the use of outdated information.
FA5: The assessor evaluating the fire hazards analysis can assist in evaluating the technical library support area by determining whether plant safety systems associated with fire protection are accurately represented in the controlled documentation available in the technical library.
MA6: The assessor reviewing a maintenance work order for a new system addition to the facility can determine whether the documentation for turnover acceptance of this equipment is available to the Engineering Organization. Any new addition to a system at an existing facility will require the engineering organization to have the proper documentation for the startup and turnover of this equipment to the Operations Organization. The documentation should delineate the responsibilities of the Engineering Organization in initial testing of this new addition so that its performance can be properly documented for future reference.
MA10: The assessor reviewing a major component of a safety-related system should review the required maintenance actions and the actual maintenance actions for the past two years. The responsible Engineering Organization should be able to provide the basis for those maintenance requirements and the applicable vendor technical manual. Ideally, the Engineering Organization should be able to access and retrieve documentation of any maintenance and configuration changes that have occurred on that component in support of its engineering work.
OA14: The assessor of the documentation associated with previous incidents or events at the facility may be able to evaluate the capabilities of the technical library in this area. Ideally, information in this area should be kept on file and be retrievable based on key words. Events that required multiple follow-up reports should be fully represented in the library's permanently maintained documentation.
TA1: The assessor of the Training Organization interface should evaluate
the level of coordination with the technical library. In addition to the
need to ensure that training documentation reflects the latest facility
design information, it is appropriate for students to receive specific
instruction regarding how to access technical information and verify its
accuracy.
Management Cause Analysis
2A.1.1: If there are deficiencies in the technical library support area, line managers may not have ready access to accurate technical information on which to base their work. Even if the library is up to date on the information being provided, in instances where projects take a number of months or years to reach completion, the technical basis for that work may have changed prior to its completion. This can result in inaccuracies in related documentation such as for long-term procurements, maintenance planning, and the development and maintenance of operating and test procedures. Therefore, some process may be needed to ensure that potentially degraded or out-of-date information is systematically verified during a project and upon completion.
2A.2.1: The technical library normally is responsible for controlling and distributing technical information. When new documents or revisions of documents are issued, older versions of a document or superseded pages should generally be collected and destroyed. When too many copies of a controlled document have been distributed for the library staff to update every controlled copy directly, some of the controlled copies will not be kept up to date by their holders. The options are either to restrict the distribution of controlled documents or to provide additional, formal support within the line organization to manage the maintenance of controlled documentation. The technical library might have to perform periodic audits to ensure that documents are being maintained. Regardless of the process used, managers are responsible for the accuracy of the information used in their work and in their organizations.
2E.1: If there are deficiencies in the resources provided to the technical
support organization, there will most likely be deficiencies in the quality
and timeliness of support to operations, maintenance, and other line activities.
These deficiencies will directly impact nuclear safety. Resources must
be allocated to develop and maintain whatever facilities and equipment
are needed for producing reliable and efficient technical support.
References
Related MPPA Hierarchy Sections: 2A.1.1, 2A.1.2, 2A.1.4, 2A.3.2, 2A.3.3,
2D.2.1.5, 2D.3.5.9, 2E.1
Systems in a nuclear facility must continuously operate within a well-defined safe domain of operating parameters. Whether operation is staying within this domain has to be vigilantly monitored through instrumentation and controlled as needed to maintain safety. Additionally, protective devices such as alarms and relief valves are usually used to protect against hazardous conditions. However, these protective devices are considered to be backup protection, often referred to as defense-in-depth. Therefore, it can generally be stated that whenever an alarm or automatic protection device is activated, the operators have lost control of the associated system.
Instrumentation, controls, and protective devices must meet the accuracy requirements of the designer in order to support the intended design safety margins, operating within a predictable range of error that is consistently reproducible. The repeatability of an instrument's readings is referred to as its precision; a gradual shift in its indicated value over time is referred to as instrument drift. It is the purpose of equipment calibration programs to monitor and correct instrumentation, controls, and protective devices, tracking the effect of drift on accuracy and making appropriate adjustments to stay within the intended operating band. In order to achieve an effective calibration program, even more accurate and precise instrumentation (measurement and test equipment, M&TE) is required, which itself has to be calibrated, usually against traceable national standards.
Additional instrumentation and control complexity results from sensor physical limitations, electrical circuit phenomena, transient pressure and temperature conditions, physical design factors such as differences in static head for pressure gages, and even visual parallax changes between gage readings. These complexities must be understood and controlled for every instrument, controller, and automatic safety device in the nuclear facility.
Also, if the allowed operating bands of the instrumentation or controls are too narrow, operators will not be able to control operations effectively and with the intended level of safety. Alarms and relief valves could be activated needlessly, disrupting normal operation and leading to operator complacency regarding alarms.
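The two calibration checks described above, drift trending against the allowed operating band and confirming that the M&TE is more accurate than the instrument it calibrates, as an added example that is not part of the original guide. The calibration history is constructed for illustration; the ±1.0 psig tolerance, the next scheduled calibration day, the 4:1 uncertainty-ratio threshold, and all function names are assumptions, not facility or program requirements.

```python
"""Instrument drift trending and M&TE accuracy-ratio check.

Added example; not part of the original assessment guide. The calibration
history below is constructed, and the tolerance, calibration schedule and
4:1 uncertainty-ratio threshold are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CalPoint:
    """One calibration record for a single instrument."""
    day: float        # days elapsed since the first calibration in the history
    reference: float  # value applied by the (traceable) calibration standard
    as_found: float   # instrument reading before any adjustment was made


def as_found_errors(history: List[CalPoint]) -> List[Tuple[float, float]]:
    """(day, error) pairs with error = reading - reference; this is the accuracy trend."""
    return [(p.day, p.as_found - p.reference) for p in history]


def fit_drift(history: List[CalPoint]) -> Tuple[float, float]:
    """Least-squares line through the as-found errors.

    Returns (offset, slope): the modelled error at day 0 and the drift rate in
    engineering units per day. Needs at least two points on different days.
    """
    pts = as_found_errors(history)
    n = len(pts)
    if n < 2:
        raise ValueError("need at least two calibration points to trend drift")
    sx = sum(d for d, _ in pts)
    sy = sum(e for _, e in pts)
    sxx = sum(d * d for d, _ in pts)
    sxy = sum(d * e for d, e in pts)
    denom = n * sxx - sx * sx
    if denom == 0:
        raise ValueError("calibration points must span more than one day")
    slope = (n * sxy - sx * sy) / denom
    offset = (sy - slope * sx) / n
    return offset, slope


def predicted_out_of_tolerance_day(history: List[CalPoint], tolerance: float) -> Optional[float]:
    """Day on which the fitted error is predicted to reach the +/- tolerance band.

    Returns None when the fitted drift rate is (numerically) zero, i.e. no
    crossing is predicted from the available history.
    """
    offset, slope = fit_drift(history)
    if abs(slope) < 1e-12:
        return None
    edge = tolerance if slope > 0 else -tolerance  # band is symmetric about zero error
    return (edge - offset) / slope


def calibration_due_early(history: List[CalPoint], tolerance: float, next_cal_day: float) -> bool:
    """True if the instrument is predicted to leave its band before its next scheduled calibration."""
    day = predicted_out_of_tolerance_day(history, tolerance)
    return day is not None and day < next_cal_day


def uncertainty_ratio(instrument_tolerance: float, mte_uncertainty: float) -> float:
    """Ratio of the instrument's tolerance to the uncertainty of the M&TE used to calibrate it."""
    if mte_uncertainty <= 0:
        raise ValueError("M&TE uncertainty must be positive")
    return instrument_tolerance / mte_uncertainty


def mte_adequate(instrument_tolerance: float, mte_uncertainty: float, min_ratio: float = 4.0) -> bool:
    """Checks the M&TE against an assumed minimum ratio (4:1 is a common program value)."""
    return uncertainty_ratio(instrument_tolerance, mte_uncertainty) >= min_ratio


# Constructed history: a pressure gauge checked at 100.0 psig, reading progressively high.
GAUGE_HISTORY = [
    CalPoint(day=0, reference=100.0, as_found=100.05),
    CalPoint(day=180, reference=100.0, as_found=100.30),
    CalPoint(day=365, reference=100.0, as_found=100.52),
    CalPoint(day=545, reference=100.0, as_found=100.78),
]
GAUGE_TOLERANCE = 1.0  # assumed: +/- 1.0 psig allowable error
NEXT_CAL_DAY = 725     # assumed: next calibration scheduled 180 days after day 545

if __name__ == "__main__":
    offset, slope = fit_drift(GAUGE_HISTORY)
    crossing = predicted_out_of_tolerance_day(GAUGE_HISTORY, GAUGE_TOLERANCE)
    print(f"drift rate {slope:.5f} psig/day; predicted out of tolerance at day {crossing:.0f}")
    print("calibrate before schedule:", calibration_due_early(GAUGE_HISTORY, GAUGE_TOLERANCE, NEXT_CAL_DAY))
    print("M&TE with 0.2 psig uncertainty adequate:", mte_adequate(GAUGE_TOLERANCE, 0.2))
    print("M&TE with 0.5 psig uncertainty adequate:", mte_adequate(GAUGE_TOLERANCE, 0.5))
```

Run the module directly to print the report. With the constructed history the gauge is trending out of its band roughly a week before its scheduled calibration, which is exactly the condition the "failure to use instrument drift or trending data" symptom describes; the ratio check is what makes the as-found readings meaningful in the first place, since a standard that is no better than the gauge cannot tell drift from its own error.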
During transients and accidents, the operating conditions at a nuclear facility can deviate substantially from normal operations. Equipment and instrumentation must be qualified for both normal and worst-case operating environments that are applicable for the facility. Worst-case operating environments must include possible accident and transient conditions. If equipment and instrumentation are not capable of handling these conditions, they would impede the operators from stopping accidents and controlling transients. Facility design staff personnel should consider structural strength and environmental requirements in equipment selection.
Additionally, design personnel must consider plant external accident initiator requirements for: earthquake, tornado, high wind, and flood. The NRC requires facilities to be able to withstand specific external accident initiators based on 1) the facility hazard level, and 2) the accident initiator frequency for that location. The potential for off-site risk determines the facility hazard level. For different geographical locations the frequencies for severe external events are different. For identical locations, higher hazard facilities must be designed to withstand more powerful external accident initiators.
During accident situations, nuclear facility safety systems are expected to continue to perform as needed to maintain the facility in a safe condition. The most effective approach to ensuring safety systems will perform as required is to use a worst-case approach in the design process. Rather than assume typical operating conditions, it is customary for initial conditions for an accident to be set such that accident sequences will result in the most severe consequences. Also, instrumentation is assumed to be at the least favorable state of calibration, and operator response for emergency situations is assumed to be very slow or assumed to be nonexistent.
Since severe accidents can result in rapid changes in temperatures and pressures, both transient and steady state environmental conditions can impact the performance of sensors and instrumentation. Sensors can be too slow to respond to changing conditions, or they can be physically damaged by changes in temperature, pressure, or radiation levels. Likewise, wiring and other circuitry can be affected by changes in temperature or moisture levels. There is also significant nuclear industry experience with the adverse situations that can result from fires.
Unfortunately, it is not always possible to test equipment for all possible
environments that might be experienced during a severe accident. Therefore,
safety system designs are normally conservative, and redundant sensors
and circuits are required for most safety equipment. Support and auxiliary
systems are sometimes neglected when accident scenarios are considered.
Symptoms
• New designs and modifications do not include consideration of worst-case operating environments that could degrade the performance of processes, including instrumentation and controls.
• Support systems (e.g., electrical power, cooling water, instrument air, lubrication, etc.) for front-line safety systems have not been fully addressed during the design and design-change processes, as needed to ensure compatibility and continued reserve operating and safety margins.
• Potential system-interaction effects (e.g., the effect of activation or failure of fire protection systems on nearby safety equipment) have not been fully addressed during the design and design-change processes, as needed to ensure compatibility and continued reserve operating and safety margins.
• Single failure criteria have not been well-defined and clearly communicated to the engineering and technical support staff.
• Excessive alarms or protective system actuations.
• Maintenance and test equipment (M&TE) not calibrated against traceable national standards.
• Variations in instruments monitoring the same parameter.
• Unnecessary control system cycling.
• Failure to use instrument drift or trending data to anticipate out-of-calibration conditions.
• Inability to detect system functional failures in a timely manner (e.g., heat exchanger fouling).
• M&TE that is not more accurate than the system instrumentation and controls it is intended to calibrate.
• Instruments with expired calibration stickers (or no calibration record).
• Lack of an appropriate calibration procedure for each instrument and control device.
• Inability to accomplish consistent heat balances in fluid systems.
• Inadequate repair facilities and personnel resources to perform calibrations and to maintain and review the associated records.
• The facility personnel responsible for approving new designs and modifications are not knowledgeable about the operating requirements for the equipment and instrumentation.
• Operators are unable to describe facility design basis accidents.
• Personnel responsible for approving new designs and modifications are not knowledgeable about the applicable industry standards.
• Visible corrosion and deterioration of equipment may suggest the wrong material was selected for the operating environment.
• Instrumentation does not have sufficient range to monitor transients or accidental conditions.
• New designs and modifications do not meet DOE facility requirements for surviving external events. For example, a ground acceleration of 0.2g would cause free-standing instrument panels to topple. If the facility hazard level requires the ability to withstand a 0.2g earthquake, then the facility should have braced instrument panels.
• Design change documentation does not mention environmental qualifications of system components, including the capabilities of materials such as wiring and seals.
• Electrical equipment cabinets require portable ventilation supplies in addition to their normal cooling systems in order to operate reliably.
• Safety documentation does not address worst-case conditions.
• Temporary repairs are authorized for extended periods of time rather than implementing formal design reviews and modifications or repairs.
• Instrumentation and controls are
out-of-service, either in large numbers or for extended periods of time.
EA1: The assessor reviewing design change documentation should note whether safety system modifications include formal consideration of the effect of the changes on the facility safety envelope. Also, the assessor should consider whether a major modification might be introducing new accident scenarios not previously considered in the design basis accident analyses for the facility. If the designer fails to consider the worst-case operating environments properly, then design and modification changes could continue to degrade safety system performance and increase risk. Facility managers must assert control and document the approval process to provide a paper trail for justifying design and modification changes. The assessor should examine design changes for proper review, and should also check new designs and modifications against possible accident conditions for effective configuration management.
EA7: The assessor observing safety review or design review committee meetings should determine whether formal consideration is given to accident analysis or to the potential response of the modified equipment to the plant safety envelope.
EA8: The assessor reviewing engineering documentation should compare the designer's operating range requirements with the associated calibration procedure and allowable operating ranges. Also, the assessor should evaluate the control and management of instrument and control equipment drift.
FA5: The assessor reviewing the fire hazards analysis area should determine whether plant design modifications are routinely reviewed for the potential effects of fires on the new configuration.
MA6: The assessor reviewing a maintenance work order for a new system addition to the facility can determine whether the Engineering Organization has a well-defined understanding of how the design basis relates to the systems and operations needed to maintain the safety envelope. Any new addition to a system at an existing facility will require the engineering organization to review and update the design basis of the plant so that it maintains operations within the designed safety envelope. The program involved with the addition of new plant equipment will require the Engineering Organization to have a clear understanding of the systems, components, and operations needed to maintain the plant safety envelope.
MA11/OA14: Assessors reviewing recent incident investigations and occurrences can determine whether the technical staff has a good understanding of how operational requirements are met by the plant design and whether the Engineering Organization is able to verify that operations did not exceed the plant design limits. The assessors should determine whether the information in these reports and the associated corrective actions are formally routed to and reviewed by the Engineering Organization as feedback on facility performance.
OA15: The assessor reviewing operating logs should note any excessive
alarm indications or safety system actuations recorded in the logs for
possible problems related to the instrumentation and control systems. The
assessor should consider whether recorded readings are consistent with
each other and whether any problems noted in the log reflect inadequate
maintenance and calibration of indication, alarms, control devices, or
protective equipment. The current status of corrective actions should also
be identified, as feasible.
Management Cause Analysis
2A.1.1: Nuclear facility design changes implemented over many years can lead to inconsistencies in the as-built condition of the plant as compared with the original design intent. Older plants are particularly vulnerable to the introduction of these inconsistencies because the original design intent may not have been recorded. This results in engineers not understanding why a particular feature was included in the design; thus, they may design the feature out during a modification.
2A.1.2: An assessor conducting an evaluation of the current operating condition might find that the operating parameters have changed due to changes in design or in facility mission. The failure to document the current operating conditions correctly can result in incorrect assessment of needs in instrumentation and protective devices. This includes determining needs for instrument accuracy and calibration frequency.
2A.1.4: For the engineering staff to have clear understanding of the facility safety issues, all of the facility hazards must be documented. This requires current facility hazard and risk assessments. These assessments can aid the Engineering Organization in developing a well defined design basis as it relates to the Technical Safety Requirements and safety envelope of the facility.
2A.3.2/2A.3.3: It is essential for the Line Managers to understand the safety envelope for facility operations. Line managers should know and have access to the documents that describe the facility safety envelope. Management's understanding of these safety parameters will aid in the safe facility operations.
2D.2.1.5: If deficiencies are found in the environmental qualifications of safety equipment, they might be caused by the MFO not having internal procedures and/or standards for review of temporary deviations from facility safety analysis reports (SAR), technical specifications, or operational safety requirements (OSR).
2D.3.5.9: Contractors at DOE facilities should obtain approval for any
deviations from the facility safety analysis reports, technical safety
requirements, or operational safety requirements as they relate to safety
analysis requirements from the MFO. Approval for these temporary deviations
from the MFO is important in ensuring that the facility is not operated
outside the design bases safety envelope.
References
INPO 90-009, Guidelines for the Conduct of Design Engineering.
ASME NQA-1, Quality Assurance Program Requirements for Nuclear Facilities.
NRC Inspection Manual, Procedure 37991, Design Process.
NRC Inspection Manual, Procedure 37701, Facility Modifications.
Related MPPA Hierarchy Sections: 2A.1.1, 2A.1.2, 2A.2.1, 2A.1.1, 2A.3.1,
2C.1.2, 2C.2.8, 2C.3.7, 2C.4.5, 2C.5.2, 2F.1.2, 2F.2.3, 2F.3.2
Configuration management programs at nuclear facilities are relied on to ensure the continued effectiveness of the original design safety margins over the life of the facility. Since design changes to the original configuration are also normally required, there must be a very formal design change control process in place at each nuclear facility. Design changes may be requested by operations or maintenance personnel, they may be required to avoid obsolescence, or they may reflect changes in programmatic requirements. The variety of possible change requirements results in some complexity in the design change development and approval process. Additional problems arise during implementation, since operations frequently must continue during modification work and a transition to the new facility design features can be difficult in terms of training and operational coordination. After a modification has been made, the facility permanent documentation must reflect the change in a timely manner in order to avoid future problems.
For the design change control process to be effective, operations and maintenance management and personnel should be involved and should be aware of the need or purpose for changes to plant systems and equipment. Design engineers should review and update operating and maintenance procedures to ensure that the design changes have not altered the operational capabilities or intent of systems in an unplanned manner. A formal system should be in place that ensures all of the relevant documentation associated with or affected by a design change is controlled.
Nuclear safety can only be ensured if adequate controls exist for ensuring the continuation of the safety intent of the validated design basis, even if modifications and updates are required over the life of the plant. The design intent may or may not have been included in the original design documentation. Even if the design intent is documented, problems can occur. For example, the commercial nuclear power industry experienced a significant design documentation problem because the architect-engineers for some plants failed to retain and turnover to the owner or utility company a complete set of design information for the plant. Even for plants where the initial documentation was generally adequate, the subsequent design changes were not reflected in the design basis documentation, making it very difficult to demonstrate the adequacy of systems designs when safety questions arose.
DOE has many nuclear facilities that potentially have similar problems. Where the original design basis documentation has been lost or has become outdated, the safety basis for the facility cannot be adequately demonstrated. This problem is sometimes more difficult for DOE facilities because they may be one-of-a-kind or significantly older than commercial nuclear facilities. Also, DOE is attempting to integrate design control with other long-term functions such as operations and maintenance, ensuring continuous coordination of the design features and changing functional requirements.
The design configuration of DOE nuclear facilities must be established and controlled to ensure that the plant mission can be accomplished reliably and safely. DOE 5480.23, Nuclear Safety Analysis Reports, defines configuration management as "The systematic evaluation, coordination, approval (or disapproval), documentation, implementation, and audit of all approved changes in the configuration of a product after formal establishment of its configuration identification." Configuration management requires control of changes over plant life, ensuring that the facilities continue to conform to required design and satisfy technical requirements. DOE 5480.22, Technical Safety Requirements, provides some basic guidance regarding what safety features are to be controlled. Specifically, the order states that the "purpose of the Design Features Appendix is to describe in detail those features not covered elsewhere in the TSRs that, if altered or modified, would have a significant effect on safety. Three areas need to be addressed: vital passive components, configuration and physical arrangement, and materials."
Configuration management is accomplished by first identifying all change mechanisms and then controlling and coordinating changes in accordance with established configuration management procedures, primarily those for design change control. The configuration management program should include the following elements:
• Comprehensive design documentation requirements and formal procedures to control modifications to ensure that output documents such as engineering calculations and drawings accurately reflect the design intent.
• Modification controls to ensure that proposed facility changes are properly identified, screened, designed, evaluated, implemented, and documented in a manner that maintains the design intent and plant safety margins.
• Document controls to identify, store, update, and retrieve important design documents throughout the life of the facility.
Symptoms
• Reviews for constructibility and operability have not been performed prior to design approval.
• There is no documented evidence that concurrences have been received from all appropriate organizations prior to release of design change work packages.
• Engineering records and calculations do not present the basis or intent of design work for inclusion in permanent records.
• There is no effective process to ensure that as-built and as-operated conditions are consistent with the current design envelope assumptions.
• Not all design changes are documented.
• The design changes are not reviewed and properly signed off.
• Documentation of design changes is not filed or readily retrievable as required.
• The procedures for design changes are not well known to facility staff.
• Design changes are not reviewed by other departments to ensure potential engineering problems are identified.
• The design intent of a design feature or system component cannot be identified.
• As-built drawings, maintenance requirements, and operating procedures are not consistent with the physical plant.
• Equipment labels are not consistent with drawings and procedures.
• Departments in the facility have their own independent design change procedures.
• Design changes and plant modifications do not include collateral considerations such as impacts on fire safety and fire detection or protection systems.
• Incorrect replacement parts are procured, making it necessary to modify the design package or to delay implementation pending proper procurement of the required materials.
• Operations and maintenance personnel are not familiar with modifications being planned, those in progress, or those completed.
• General training programs do not address the importance of configuration management in terms of safety.
• Design changes focus on addressing work in the principal discipline involved but largely ignore potential issues in the supporting disciplines.
• Managers are not aware of design issues at other facilities.
• Managers at different levels fail to anticipate or control the design process in a circumspect manner.
• Routine audits of the design change process are not conducted.
• Design change paperwork closeout after a modification has been completed is not finished in a timely manner, causing confusion and inefficiency.
• There is no formal configuration management program.
• The original design intent of systems and equipment is not available.
• Maintenance records, material histories, design change documents, and drawings are not current or consistent.
• Safety analysis report is not current or does not address configuration management procedures and controls at the facility.
• System drawings and diagrams disagree with current configuration, causing delays in the approval and performance of maintenance.
• Configuration or design changes are made without review and approval by technical support personnel.
• Responsibilities and organizational interfaces for modification controls and configuration management are not well defined.
• During installation of design changes, operations and maintenance personnel lose track of the current design configuration of the affected system or are not prepared to operate or maintain the modified system.
• Different versions of the same design calculations are available for the same safety system or type of equipment, or no validated design calculations are available for applications such as engineered safety features.
• Operations and maintenance personnel do not have or are not aware of a mechanism to provide feedback to the Engineering Organization.
• Nests of informal documentation or reference material are found in support organizations such as the work planning group.
• The Fire Protection Organization is not aware of new or modified plant systems and equipment that are vital to safety and that need to be protected; the Fire Hazards Analysis is not current.
• Line managers and others do not know where to obtain controlled copies or up-to-date copies of plant design configuration information.
EA1: The assessor reviewing design change documentation will be able to determine the effectiveness of the facility configuration management program. Design change packages should reflect the as-built condition, and system walkdowns should not uncover significant discrepancies between drawings and the physical plant. In a well-developed design change program, documentation should address the conditions before, during, and after the installation of a design change, and multiple changes will be coordinated within the design process. In addition, the design change process will be well coordinated with operations and maintenance personnel, ensuring continuing control of plant systems.
EA2: The assessor reviewing the status of the as-built facility drawings and documents will be able to determine directly whether the configuration management process is adequate. In particular, the assessor should verify the accuracy of a sample of drawings and compare the drawings and the actual plant installation with the original design calculations. Drawings should reference the applicable technical manuals, which may also be obtained and compared with original design calculations, operating procedures, and maintenance requirements. The effectiveness of feedback from the operators and maintenance personnel to the Engineering Organization regarding design problems may also be evaluated as part of the configuration management program.
EA6: The assessor should determine whether other departments have input to facility design changes and support the concept of configuration management. Design changes can be required by or impact different organizations and activities in a facility. Uncoordinated changes can increase facility risk and result in unexpected hazards. For example, as a result of a design change, there might be a need to revise emergency plans and reassess fire protection needs. Information on design changes should be reviewed by other departments of the facility to ensure that their needs are met and that facility safety is not jeopardized. Other organizations should understand the importance of configuration management, and they should be willing to offer timely feedback to the design organization on systems and equipment that are becoming obsolete or difficult to operate and maintain. This feedback should result in a clear and timely response within the design change process that addresses the concern in a proactive manner yet maintains control of the plant configuration.
EA8: The assessor evaluating the documentation files and information libraries can support the evaluation of the design process and the configuration management program review by determining the ease of access to validated and controlled information. The assessor should determine whether the documentation of design changes is properly filed in a retrievable form that makes new information readily available to support engineering needs. One frequent problem with engineering records is that the evolving design information is filed but then is not automatically flagged or cannot be located when needed. In addition, the assessor should identify situations where informal supplemental information is maintained in lieu of using the controlled documentation. Experience indicates that informal documentation is most often found in the work planning organization. The presence of informal collections of plant reference documentation indicates that problems exist in the controlled documentation program, and such collections also increase the probability of a safety problem developing due to the use of outdated information.
FA5: The assessor evaluating the fire hazards analysis can assist in the evaluation of the design change control and configuration management programs by determining whether plant safety systems associated with fire protection are accurately represented in the controlled documentation. In the event of a fire or other significant emergency, nuclear facility systems and equipment must be able to be placed in a safe configuration that requires a minimum level of human intervention. Fire protection barriers and systems may not conform to the original design intent, or the original design may not reflect current operations. The fire protection assessor can look for significant plant design changes in which the fire protection systems were adversely affected or in which new fire protection requirements for new systems were not provided.
MA2: The assessor reviewing the facility's procurement and storage procedures can assist in evaluating whether controlled documentation is used to maintain the safety system design intent over the life of the plant, allowing better control of design changes under the configuration management program. Procurements should be based on validated and controlled materials lists, and storage facilities and procedures should reflect the appropriate classes of cleanliness and environmental requirements. The procedures for procuring and storing safety related materials and parts should be accessible to maintenance personnel in order for them to be able to protect the materials after receipt and during installation.
MA6: The assessor reviewing a maintenance work order for a new system addition to the facility can determine whether programs for configuration management and design control are in place for use by the Engineering Organization. Any new addition to a system at an existing facility will require the engineering organization to review and update the design basis of the plant so that it maintains operations within the designed safety envelope.
MA10: The assessor reviewing a major component of a safety related system should review the required maintenance actions and the actual maintenance actions for the past two years. The responsible Engineering Organization should be able to provide the basis for those maintenance requirements and the applicable vendor technical manual. Ideally, the Engineering Organization should be able to access and retrieve, in support of engineering work, documentation of any maintenance and configuration changes that have occurred.
OA5: The assessor evaluating the effectiveness of facility operational control can provide information regarding whether design changes and problems experienced in controlling the plant configuration are promulgated effectively throughout the facility as required operating information and lessons learned. Operators and maintenance personnel should be made aware of all plant design changes before, during, and after their implementation, even if they are on shift work or if they are absent for a period of time. For example, every plant modification should be reflected in the required reading programs used in the plant. Management processes should be in place that support a high level of awareness regarding plant changes and the associated impact on all facility personnel.
Management Cause Analysis
2A.1.1: If there are significant deficiencies in the configuration management program, line managers cannot be assured that they are aware of the current facility design. The inaccurate or untimely information resulting from the deficiencies should result in symptoms that managers recognize as related to documentation control or other aspects of configuration management. In organizations where line managers are not technically involved, deficiencies in the configuration management program will not be noticed. For example, managers may be signing approvals for work packages or design changes without evaluating the accuracy or clarity of the supporting documentation.
2A.1.2: An assessor conducting an evaluation of the current operating condition might find that the operating parameters have changed due to changes in design or in facility mission. The failure to correctly document the current operating conditions can result in incorrect assessment of needs in instrumentation and protective devices. This includes determining needs for instrument accuracy and calibration frequency.
2A.2.1: Some line managers do not require copies of information that is current. Nevertheless, uncontrolled documents should be marked as such and should be used with caution. When a line manager actually does need accurate and current information, controlled copies should be readily available to the manager. Evaluations of the configuration management program may result in findings that indicate the managers do not have ready access to controlled design documents, or that they are using working copies that are out of date and should have been destroyed. For line managers, this type of problem is most often associated with drawings of major systems or system description documents that have collected over a period of time, possibly due to convenience relative to the difficulty in obtaining up-to-date copies.
2C.1.2: If there are deficiencies in the design change control process, the Program Secretarial Officer (PSO) may not have established policies and provided resources needed for corrective actions. In some cases, an inadequate configuration management process that has been in place for a long period of time will require substantial expenditures of resources to bring design changes under control in a timely manner. For new programs, complete safety margin calculations and the safety analysis goals should be available prior to design work. Then clear design change and configuration management guidance and expectations should be in place at commencement of design work. The PSO must ensure specific direction for all levels of management in the configuration management area.
2C.2.8: If there are deficiencies in the design change control process, the Lead PSO may have failed to implement and review the needed configuration management activities within the program and then hold the responsible managers accountable. The PSO should be able to identify the managers responsible for putting the configuration management program in place, starting with the Lead PSO manager himself and extending to the manager under whose authority or signature a design change can be authorized.
2C.3.7: If there are deficiencies in the design change control or configuration management processes, the Field Office Manager (FOM) should be well aware of them and should be tracking corrective actions. In addition, the FOM should be determining whether the Field Office oversight process is adequate in this area. Every design change package should have been reviewed by assigned Field Office personnel, but there should also be continuing Field Office audits of nuclear safety activities designed to ensure configuration control. The FOM is in the best position to conduct such audits for the PSO.
2C.4.5/2C.5.2: If there are deficiencies in the design change control process, the FOM may not have assigned a specific manager to be responsible for the Field Office and Area Office configuration management program oversight activities. The Field Program Managers and Directors must have the needed experience and should take the time needed to accomplish this oversight activity on a routine basis. The contractor design organization should be well aware of this Field Office and Area Office oversight function and the individuals responsible for nuclear safety activities and should keep them informed of the associated issues.
2D.3.5: Contractors in the Engineering Organization should have management processes and programs to develop and evaluate the adequacy of safety bases for the facility. If deficiencies exist in the Engineering Organization at the contractor level, they may be due in part to managers that are disconnected from design issues or improvements at other similar facilities. Management processes should be in place that provide useful information on design changes and upgrades at other facilities and that cause specific managers to make decisions regarding the relevance of the information to their own facilities.
2F.1.2: If there are significant or recurring deficiencies in design change control or in configuration management, they generally reflect an immature safety culture throughout the organization. The philosophy of adhering closely to safety documentation control procedures such as that found within a formal design change process and thus ensuring the maintenance of the safety design intent over facility design life must be established by higher management through example and must be made visible throughout the organization as a routine expectation.
2F.2.3: Engineering Organization personnel should be familiar with the details of the intended operational capabilities of plant equipment for which they develop design change packages, and they should be circumspect in applying their best judgment regarding whether the new design will ensure continued safe and reliable operation. Management should convey to Engineering Organization personnel the expectation that working without an inquisitive and circumspect attitude can lead to safety margin problems even when design change procedures are followed and the original configuration is maintained. Opportunities for increasing the safety margin through use of more reliable or capable equipment should be pursued.
2F.3.2: If deficiencies are found in the design change and configuration management program areas, it could be due to management's failure to emphasize their importance relative to other programs. When managers fail to emphasize the need to finish the paperwork in one design change project before going on to the next design change, the result can be a growing backlog of work that becomes more difficult to accomplish as time passes. In addition, revised information does not become available to operations and maintenance personnel in a timely manner, potentially resulting in additional inefficiencies and opportunities for error.
References
DOE 5480.22, Technical Safety Requirements.
DOE 5480.23, Nuclear Safety Analysis Reports.
INPO 90-009, Guidelines for the Conduct of Design Engineering.
NRC Inspection Manual, Procedure 37991, Design Process.
NRC Inspection Manual, Procedure 37701, Facility Modifications.
Related MPPA Hierarchy Sections: 2A.1, 2A.2, 2B.2, 2D.3.1.1
Each time the Engineering Organization produces defective work, it is very important to identify and correct the root causes. This is because the facility design safety basis often assumes that the safety system features are installed as designed and that they will operate as intended, except for an occasional equipment malfunction. The single-failure criterion was not intended to compensate for incorrect design features or capabilities.
Therefore, when the Engineering Organization produces work that must be re-done, there can be very significant safety implications. Nuclear facility review processes are designed to ensure that each engineering calculation or design job is done correctly the first time. If the design review process fails, some of the resulting defective work may be discovered during the implementation or installation process. Additional defects could be found during post-installation testing. Some defects might not be found until the associated equipment is needed during an emergency. Therefore, each design deficiency discovered implies that additional design deficiencies have not been found. The amount of required rework caused by the Engineering Organization is an indicator of the potential level of overall design deficiency in the facility.
Symptoms
• There is no process by which cause determinations for rework requirements are documented, disseminated, and fed back into a lessons-learned program.
• Facility records on root causes of problems and the associated trending analysis indicate that a significant effort is required to correct design deficiencies or that problems in this area are increasing.
• A post-installation test fails because of an unanticipated design issue.
• Modification work cannot be completed because the designer failed to identify interferences present at the job site.
• Equipment is difficult to operate because of a location or physical orientation problem.
• Newly installed equipment blocks a sprinkler system nozzle or causes other follow-up work not originally anticipated.
• Access or egress paths are restricted by newly installed equipment.
• Design change documentation requires multiple revisions in order to complete installation work.
• There is no ongoing technical training program for design engineers and other technical support staff.
• The facility Engineering Organization does not routinely construct mockups or scale models to facilitate design work.
• Engineering organization positions are not filled or are filled with marginally qualified personnel.
EA1: The assessor of design change documentation should specifically try to identify examples of design change rework requirements caused by inadequate initial design work.
EA3: The backlog of Engineering Organization work may include rework items that resulted from inadequate engineering work. The assessor reviewing the backlog should determine whether the contractor has already identified jobs as rework. Also, the contractor may have assessed the generic implications of such work items. Generic design rework issues often involve several similar components that require the same corrective action or same type of rework.
MA6: The assessor reviewing a maintenance work order for a new system addition to the facility can determine whether there were instances when engineering rework was required for this new installation. Any new addition to a system at an existing facility may require the engineering organization to perform rework as a result of various inputs. Tracking and evaluating engineering rework will require a management process that can help identify the causes of this rework and reduce its occurrence in future projects.
MA13: The assessor of the Maintenance Organization backlog should attempt to identify any general categories of work that might indicate that the work is required due to inadequate technical support or design work.
TA1: The assessor of Training Organization interactions with other departments should determine whether formal mechanisms are in place to incorporate applicable Engineering Organization lessons learned into periodic training for engineering staff members, including managers. For example, the assessor might inquire regarding what training is provided to design engineers that would provide them with feedback from the quality control, operations, and maintenance organizations.
TA6: The assessor of training mockups should determine whether the mockups are suitable for use by Engineering Organization staff. In many cases, mockups might have been developed by the Engineering Organization staff in order to facilitate design work. The absence of training mockups is also of interest in assessing design interference problems that result in design rework requirements.
Management Cause Analysis
2A.1/2A.2: If significant amounts of engineering rework are required, this might indicate that the available design information is out of date. In some instances, the problem may be that the information was available but was not used. The reasons for this should be identified and corrected throughout the organization.
2B.2: Engineering rework can be required due to design engineers working beyond their qualifications or level of experience. Personnel qualifications for design engineers are sometimes difficult to establish and validate. Sometimes personnel are hired who have little relevant experience simply because the facility needs to meet a schedule. Qualifications for personnel being hired or transferred to work in design engineering should be validated independently, and any shortfalls should be identified and dealt with formally. Often, additional training or supervision can be provided to compensate for potential weak areas. Managers should have the resources and procedures in place to ensure proper hiring practices.
2D.3.1.1: If significant levels of engineering rework are required, the facility contractor could have training deficiencies. Design engineers should be involved in training that continues to upgrade their knowledge and experience and prepare them for additional responsibility. In particular, the training program should include design engineer training in the areas of safety and reliability standards and requirements.
References
INPO 90-009, Guidelines for the Conduct of Design Engineering.
NRC Inspection Manual, Procedure 37991, Design Process.
NRC Inspection Manual, Procedure 37701, Facility Modifications.
Related MPPA Hierarchy Sections: 2D.2.5, 2D.3.5
DOE nuclear facilities employ specialized defense-related technology which includes unique processes and materials not found in commercial industry. In addition, accidents at nuclear facilities are relatively rare due to the increased emphasis on safety. The accident at Three Mile Island is a good example of both the rarity of accidents and the extreme measures taken to learn from such an accident. Each lessons-learned opportunity may not be as dramatic as that at TMI, but each requires the comprehensive review of the entire nuclear industry to ensure that nuclear hazards are avoided wherever possible. The uniqueness and security associated with DOE nuclear weapon facilities, the high cost associated with their operation, and the high risk associated with potential accidents make it essential for DOE and the individual facilities to have very effective lessons-learned programs, but these characteristics may also inhibit the effectiveness of such programs.
Lessons-learned and required reading programs at nuclear facilities should be more vigorously managed than similar processes at non-nuclear facilities. Unfortunately, many DOE facilities are unique and their managers must be even more circumspect and vigorous in order to learn from internal as well as external experience.
Symptoms
• There is no procedure for the engineering staff to review and concur on lessons-learned documents prior to issuance.
• The lesson-learned program documentation is not kept up to date and readily available to the engineering support and design staff.
• No Engineering Organization interface with other similar facilities is evident.
• Communications with other similar facilities exist, but no design improvement suggestions are exchanged that are based on operating experience.
• Engineering Organization personnel are not aware of other industry facilities with similar major safety system equipment or of the associated operational experiences.
EA1: The assessor reviewing design change documentation should identify the sources of those changes and provide information on those found to be based on lessons learned or operating information from other facilities. If none of the design changes reviewed appear to have been based on operational lessons learned, this information should also be provided.
EA3: The assessor reviewing the Engineering Organization work backlog may be able to identify work or support requests submitted by the Operations Organization or initiated due to operational experience at similar plants or at facilities using similar equipment. If such work requests are found, examples should be provided.
EA4: The assessor reviewing system engineer activities may be able to determine whether they are formally involved with discovering and processing lessons learned information on their equipment. Interfaces between the system engineers and outside vendors and facilities are of particular interest.
EA6: The assessor reviewing inputs from other organizations on facility design changes may be able to identify whether these inputs are based on operating lessons learned and whether any information is being received from outside the facility.
EA7: The assessor attending a facility review committee meeting considering an engineering change should note whether the change has been considered in terms of operational lessons learned at this or at other facilities.
MA11: The assessor conducting assessments of occurrence reports should identify any interfaces used with outside facilities in terms of sharing lessons learned information. In some cases, it may be evident that root causes of occurrences might more easily be identified or verified using such an interface.
OA14: The assessor reviewing recent incident investigations can probably determine which corrective actions were (or should have been) developed or assessed relative to outside operating experience. The assessor should also determine if the information in the incident reports and corrective actions is formally routed to and reviewed by the Engineering Organization as feedback on facility performance.
Management Cause Analysis
2D.2.5/2D.3.5: A lessons-learned program should be developed by the MFO and DOE contractors through the use of management programs and processes. The programs and processes used for evaluating the safety bases at DOE reactor and non-reactor facilities should incorporate design improvements based on the operating experience within the DOE complex. These operating experiences can be used in a lessons-learned program to make design improvements that will increase the safe operation of the facility. It is the responsibility of the MFO and DOE contractors to direct the development and implementation of these lessons-learned programs into the safety analysis of the facility.
References
Related MPPA Hierarchy Sections: 2A.1.1.3, 2A.1.3
Design organizations for new facilities and facility modifications play a key role in the startup and acceptance testing program. The design organization establishes criteria to meet specific engineering goals, thus establishing the design intent of systems and components. Except in those cases where a system or component is used extensively in similar facilities for similar purposes involving little or no operational risk factors, the design work must be systematically validated during system or facility startup and turnover acceptance testing. Moreover, the design intent must be sustained over the life of the facility, so it must be periodically revalidated and met, especially after each change or significant repair.
Since the Operations Organization and Maintenance Organization have control of the systems after turnover, the Engineering Organization must provide them with comprehensive operational and preventive maintenance information. In addition, it may be necessary to establish a continuing input of operational information from equipment vendors and from other facilities using the same or similar equipment. Likewise, the Operations and Maintenance Organizations must provide similar feedback to the Engineering Organization.
The turnover and startup responsibilities of the design organization extend throughout the life of the facility. The Engineering Organization must continue to play an integral part in operation and maintenance of every system and component in the facility. Design knowledge should be carried forward to maintenance activities and to design changes.
Symptoms
• The Engineering Organization has not established ties with vendors and outside users of similar facility equipment to capitalize on the operational and maintenance lessons learned of others.
• Newly installed equipment blocks a sprinkler system nozzle or causes other followup work not originally anticipated.
• The equipment operation or maintenance practices are not consistent with vendor guidance, and such deviations have not been justified technically.
EA4: The assessor reviewing the system engineer program can help determine whether there is a program in place which defines turnover responsibilities among the Engineering Organization, construction organizations, the Maintenance Organization, and the Operations Organization. System engineers may be the principal plant personnel monitoring this process.
EA7: The assessor attending meetings or reviews where engineering changes are being considered should be able to note discussions regarding turnovers between organizations. In some cases this may only be between the Maintenance and Operations Organizations, but in others it may involve several handoffs. The specific conditions and requirements associated with the turnovers should be made clear.
MA6: The assessor reviewing a maintenance work order for a new system addition to the facility can determine if a program for startup and turnover acceptance is in place, and if so, whether the specific responsibilities for the Engineering Organization are defined. Any new addition to a system at an existing facility will require the Engineering Organization to have programs that allow for the startup and turnover of this equipment to the Operations Organization. The program should reflect the input and the continuing responsibilities of the Engineering Organization in testing new equipment and systems and in verifying engineering calculations of their intended performance.
MA9: The assessor interviewing Maintenance Organization managers should be able to determine whether the Engineering Organization continues to provide proactive support over the life of the facility. In addition, the Maintenance Organization should be providing meaningful information as feedback to the Engineering Organization.
Management Cause Analysis
2A.1.1.3: If there is a problem with the Engineering Organization fulfilling its continuing responsibilities over the life of the plant, it should be evident in the current status of the facility technical manuals. Management frequently fails to support maintenance of vendor technical information over the life of the plant.
2A.1.3: Feedback from the Maintenance Organization to the Engineering Organization is potentially included in the material history. If the Engineering Organization is deficient in providing support over the life of the plant, it could be due in part to inadequate material history documentation or its review processes.
References
EA1 Review examples of design change documentation and assess the level of configuration management control.
Related MPPA Hierarchy Sections: 2A.1.1, 2A.2.1, 2A.3.1, 2A.3.5, 2C.1.2, 2C.2.8, 2C.3.7, 2C.4.5, 2C.5.2, 2F.1.2, 2F.2.3, 2F.3.2
Configuration management programs at nuclear facilities are relied on to ensure the continued effectiveness of the original design safety margins over the life of the facility. Since design changes to the original configuration are also normally required, there must be a very formal design change control process in place at each nuclear facility. Design changes may be requested by operations or maintenance personnel, they may be required to avoid obsolescence, or they may reflect changes in programmatic requirements.
Nuclear safety can only be ensured if adequate controls exist for ensuring the continuation of the safety intent of the validated design basis, even if modifications and updates are required over the life of the plant. The design intent may or may not have been included in the original design documentation. Even if the design intent is documented, problems can occur.
Symptoms
• The original design intent of systems and equipment is not available.
• Maintenance records, material histories, design change documents, and drawings are not current or consistent.
• Safety analysis report is not current or does not address configuration management procedures and controls at the facility.
• System drawings and diagrams disagree with current configuration, causing delays in the approval and performance of maintenance.
• Configuration or design changes are made without review and approval by technical support personnel.
• Responsibilities and organizational interfaces for modification controls and configuration management are not well defined.
• During installation of design changes, operations and maintenance personnel lose track of the current design configuration of the affected system or are not prepared to operate or maintain the modified system.
• Different versions of the same design calculations are available for the same safety system or type of equipment, or no validated design calculations are available for applications such as engineered safety features.
• Operations and maintenance personnel do not have or are not aware of a mechanism to provide feedback to the Engineering Organization.
• Nests of informal documentation or reference material are found in support organizations such as the work planning group.
• The Fire Protection Organization is not aware of new or modified plant systems and equipment that are vital to safety and that need to be protected; the fire hazards analysis is not current.
• Line managers and others do not know where to obtain controlled copies or up-to-date copies of plant design configuration information.
EQ6: The assessor reviewing design change documentation should note whether safety system modifications include formal consideration of the effects of the changes on the facility safety envelope. Also, the assessor should consider whether a major modification might be introducing new accident scenarios not previously considered in the design basis accident analyses for the facility. If the designer fails to consider the worst-case operating environments properly, then design and modification changes could continue to degrade safety system performance and increase risk. Facility managers must assert control and document the approval process to provide a paper trail for justifying design and modification changes. The assessor should examine design changes for proper review. He should also check new designs and modifications against possible accident conditions for effective configuration management.
EQ7: The assessor reviewing design change documentation should consider whether environmental qualifications are considered for electrical equipment. Worst case temperatures and pressures under which the equipment must function during accident conditions should be indicated in the design change documentation, as applicable. The assessor reviewing design change documentation should also determine whether adequate consideration is given to the impacts of the design change on the support systems affected by the change. For example, support systems may not have adequate capacity to support the design change and still have the necessary reserve capacity to meet design requirements during emergency conditions.
EQ9: The assessor reviewing design change documentation should identify the sources of those changes and provide information on those found to be based on lessons learned or operating information from other facilities. If none of the design changes reviewed appear to have been based on operational lessons learned, this information should also be provided.
FQ11: The assessor reviewing design change documentation should determine whether fire barriers and other fire protection related considerations have been included in the work package.
MQ3: The assessor reviewing design change documentation should determine whether adequate provision has been made for maintenance of new equipment, including compatibility with similar equipment and allowances for access to the equipment for assessment and maintenance.
MQ13: The assessor reviewing design change documentation should determine whether spare parts and repair materials have been identified and will be made available. Also, any special tools or test equipment required for continued maintenance, surveillance, and testing should be identified and available in a timely manner.
MQ14: The assessor reviewing design change documentation should evaluate the detail and applicability of any vendor documentation associated with the design change, including relevant guidance regarding continued maintenance and testing of the equipment.
MQ16: The assessor reviewing design change documentation should determine whether safety related equipment lists are being updated in conjunction with the modifications.
MQ17: The assessor reviewing design change documentation should identify examples of changes required due to obsolescence and attempt to determine whether the original design intent of the equipment will continue to be met.
MQ20: The assessor reviewing design change documentation should determine whether the design change includes post-installation testing that ensures operational requirements are met under the expected range of operation of the equipment.
Management Cause Analysis
2A.1.1: If there are deficiencies in the design change control process, the facility safety documentation might not be maintained up-to-date. If management has failed to identify all of the safety related and other design information that needs to be maintained, then this may indicate a general lack of appreciation for the importance of configuration control and the need for strict management of the design change process.
2A.2.1: Some line managers do not require copies of information that is current. Nevertheless, uncontrolled documents should be marked as such and should be used with caution. When a line manager actually does need accurate and current information, controlled copies should be readily available to the manager. Assessments of the configuration management program may result in findings that indicate the managers do not have ready access to controlled design documents, or that they are using working copies that are out of date and should have been destroyed. For line managers, this type of problem is most often associated with drawings of major systems or system description documents that have collected over a period of time, possibly due to convenience relative to the difficulty in obtaining up-to-date copies.
2A.3.1: If there are deficiencies in the design change control process, it is likely that the management defense-in-depth and the basic level of management circumspectness in this area have significant problems. In particular, some managers may only have an abstract concept of their responsibilities in configuration management or may not consider some equipment to be within the manager's area of responsibility. For example, a mechanical division manager or supervisor may not emphasize the need to control electrical system loading, eventually overloading electrical circuits. A shop foreman might not feel responsible for investigating or addressing impacts of new equipment or processes on production of hazardous wastes, or on the building's fire protection equipment or access and egress issues. A design engineering manager might not allow for removal of old equipment or provide design resources for rendering abandoned systems or equipment connections safe. All of these are examples of the natural reluctance of managers to assume responsibility for avoiding a problem in advance, which is primarily achieved through managing in a forward-looking, comprehensive manner.
2A.3.5: If there are deficiencies in the design change control process, they may be due to the facility managers not reviewing and addressing potential technical problems in a critical manner. For example, if managers are disconnected from design issues or improvements at other similar facilities, they may eventually have the same problem at their facility. Management processes should be in place that provide useful information on design changes and upgrades at other facilities and that cause specific managers to make decisions regarding the relevance of the information to their own facilities.
2C.1.2: If there are deficiencies in the design change control process, the Program Secretarial Officer (PSO) may not have established policies and provided resources needed for corrective actions. In some cases, achieving control of design changes within an inadequate configuration management process that has been in place for a long period of time will require substantial expenditures of resources to correct in a timely manner. For new programs, complete safety margin calculations and the safety analysis goals should be available prior to design work. Then clear design change and configuration management guidance and expectations should be in place at commencement of design work. The PSO must ensure specific direction for all levels of management in the configuration management area.
2C.2.8: If there are deficiencies in the design change control process, the Lead PSO may have failed to implement and review the needed configuration management activities within the program and then hold the responsible managers accountable. The PSO should be able to identify the managers responsible for putting the configuration management program in place, starting with the Lead PSO manager himself and extending to the manager under whose authority or signature a design change can be authorized.
2C.3.7: If there are deficiencies in the design change control or configuration management processes, the Field Office Manager (FOM) should be well aware of them and should be tracking corrective actions. In addition, the FOM should be determining whether the Field Office oversight process is adequate in this area. Every design change package should have been reviewed by assigned Field Office personnel, but there should also be continuing Field Office audit activities designed to ensure configuration control. The FOM is in the best position to conduct such audits for the PSO.
2C.4.5/2C.5.2/2C.6.2: If there are deficienci