ML19308B769

Applications of MORT to Review of Safety Analyses, Prepared for DOE
Person / Time
Site: Crane 
Issue date: 07/31/1979
From: Briscoe G, Lofthouse J, Nertney R
EG&G, INC., ENERGY ENGINEERING GROUP
To:
References
TASK-TF, TASK-TMR SSDC-17, NUDOCS 8001170268


Text


SSDC-17
APPLICATIONS OF MORT TO REVIEW OF SAFETY ANALYSES

SYSTEM SAFETY DEVELOPMENT CENTER
EG&G Idaho, Inc.

July 1979
UNITED STATES DEPARTMENT OF ENERGY
DIVISION OF OPERATIONAL AND ENVIRONMENTAL SAFETY

DISCLAIMER

This report was prepared as an account of work sponsored by the United States Government. Neither the United States nor the United States Department of Energy nor any of their employees, nor any of their contractors, subcontractors, or their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product or process disclosed, or represents that its use would not infringe privately owned rights.

Available from:

System Safety Development Center EG&G Idaho, Inc.

P. O. Box 1625, Idaho Falls, Idaho 83401

SSDC-17

APPLICATIONS OF MORT TO REVIEW OF SAFETY ANALYSES

Prepared By
G. J. Briscoe
J. H. Lofthouse
R. J. Nertney

July 1979

FOREWORD

This report is a guide to evaluating a safety analysis program and determining the content and structure of a safety analysis report.

It is intended as an aid in evaluating the quality and consistency of various safety analysis processes.

The report highlights those elements that will make a safety analysis program functional and effective and provides an appraiser with a means to evaluate a safety analysis program.

Finally, by proper scaling and choice of analytical methods, it provides the means to determine the content and structure of a safety analysis report.

The report does not describe the management system necessary to assure proper safety analysis and risk acceptance. A related guide on work process control [1] has been prepared by the System Safety Development Center.

Related requirements for management of construction projects [2], facility design [3], and safety analysis of nuclear facilities [4] may be found in the DOE Directives System.


GLOSSARY

Acceptable Risk: The residual risk remaining after controls have been applied to associated hazards that have been identified, quantified to the maximum extent practicable, analyzed, communicated to the proper level of management, and accepted after proper evaluation.

Hazard: A source of risk or peril; the potential for an unwanted release of energy to result in personal injury or property damage.

JSA: Job Safety Analysis of a specific task.

Residual Risk: Risk remaining after the application of resources for prevention or mitigation.

Risk: Mathematically, expected loss; the probability of an accident multiplied by the quantified consequence of the accident.

Risk Analysis: The quantification of the degree of risk.

Risk Assessment: The combined functions of risk analysis and evaluation.

Risk Evaluation: The appraisal of the significance or consequences of a given quantitative measure of risk.

Risk Management: The process, derived through system safety principles, whereby management decisions are made concerning control and minimization of hazards and acceptance of residual risks.

Safety Analysis Process: The identification of hazards, analysis of hazard controls, and analysis of residual risk.

Safety Analysis Report: A formal written safety analysis.

Abbreviations and Acronyms

CS&R  Codes, standards and regulations
DOE   Department of Energy
DOP   Detailed operating procedures
F/S   Frequency-severity
HFA   Human factors analysis
JSA   Job safety analysis
LTA   Less than adequate
MORT  Management Oversight and Risk Tree
P&D   Provide and describe
PSA   Preliminary safety analysis
QA    Quality assurance
SAR   Safety Analysis Report
SSDC  System Safety Development Center
SWP   Safe work permit

CONTENTS

FOREWORD
GLOSSARY
INTRODUCTION
PART I   DEFINITION AND REQUIREMENTS OF THE SAFETY ANALYSIS PROCESS
PART II  THE SAFETY ANALYSIS REPORT
REFERENCES
APPENDIX A  GUIDELINES AND EXAMPLES RELATING KIND OF WORK TO TYPE OF SAFETY ANALYSIS
APPENDIX B  THE SAFETY PRECEDENCE SEQUENCE
APPENDIX C  TYPICAL EXAMPLES OF ENERGY SOURCES

FIGURES
1. Safety analysis requirements tree
2. Safety analysis process tree
3. SAR design and review matrix

INTRODUCTION

Risk management for any system includes the following four steps:

1) System Definition
2) Hazards Identification
3) Risk assessment (including communication to management)
4) Risk acceptance by proper management levels

Safety analysis is an essential element in risk management and is an integral part of the first three steps.

It is the process of identifying and evaluating hazards and the controls necessary to reduce the risk to an acceptable level.

It is part of the Hazards Analysis Process and the Risk Assessment System identified as blocks MB3 and MB2 on the basic MORT diagram. The safety analysis process can range from a judgment or mental evaluation by a worker based on his general training and experience to rigorous formal analysis requiring input from specialists in various disciplines.

The fourth step involves a value judgment: weighing the risks against the benefits.

It is not part of the safety analysis process and is outside the scope of this document.

However, it does imply that iterations of system modifications with safety analysis and reassessment of risk may be required before management will accept the risk.

The material to follow is structured around logic trees.

Part I presents a tree dealing with the definition and requirements of the safety analysis process.

It is designed to provide an appraiser with the means to evaluate a safety analysis system.

By system we mean the people and procedures necessary to produce an adequate safety analysis.

The logic is applicable to systems producing formal safety analysis reports for complex operating systems down to less formal safety-related analysis for much simpler task oriented processes or operations.

The tree presented in Part II deals with development of the actual safety analysis. The guide provides a sequence of questions that should be asked while developing a safety analysis.

They deal with all safety analysis activities, ranging from generation of comprehensive formal safety analysis reports for complex systems down to much less formalized safety processes used by supervisors and workers performing individual tasks.

The process described in Part II should be used in all safety analyses, i.e., the listed questions should be asked.

The formality of application, however ranges from using the process as a one-to-one checklist in the preparation of a large scale safety analysis report down to ascertaining whether personnel include the considerations in the less formal analysis performed by field supervisors, safety personnel and workers.

Parts I and II provide a basis for design of safety analysis programs, evaluation of existing programs, and for accident investigation.

Appendix A provides examples and guidelines to aid the user in scaling the safety analysis to the specific system or type of work being performed.

These guidelines sometimes are rough, and additional scaling is often necessary based on considerations other than those in the included basic "laundry lists" of size, quality, location, etc.

Appendix B provides a list of safety controls prioritized in order of effectiveness.

Appendix C is a list of energy sources which must be considered whenever a safety analysis is performed.

Safety analysis reports for nuclear reactors are often referred to by the acronym SAR.

This document uses the acronym in the broad sense referring to any safety analysis report.

DOE and NRC publish additional guidelines for preparing SARs for nuclear facilities. Appropriate DOE Orders, appropriate parts of Title 10 of the Code of Federal Regulations, and appropriate NRC Regulatory Guides should be consulted when preparing safety analysis reports for nuclear facilities.

PART I DEFINITION AND REQUIREMENTS OF THE SAFETY ANALYSIS PROCESS

Some common failures in the safety analysis process should be watched for:

(1) Failure of specialists and procedure writers to fully understand and react to the actual work situation.

(2) Failure of workers to:

(a) Fully understand their own limitations.
(b) Fully understand the work environment.
(c) Fully understand the consequences of their actions.
(d) Fully understand and appreciate restrictions and/or requirements.

(3) Failure to approach the total safety analysis process in a systematic way.

Keeping in mind these potential failures we can now outline the steps required to establish the complete safety analysis program.

These steps are indicated in the safety analysis requirements tree in Figure 1.

Establishing Requirements for Safety Analysis is shown as the objective in the top box.

These requirements must be consistent with applicable codes, standards, and regulations (CS&Rs) and must be compatible with other scaling systems, e.g. those rules and requisites relating to type of safety review, levels of management control, etc.

Although the safety analysis process (identifying hazards, assessing risk, judging acceptability, etc.) is identical for each situation, different methods may be used.

A study of real-life situations indicates that a variety of safety analysis methods must be used in order to properly scale the analytical effort to the degree of risk.

The first step is to provide and describe safety analysis methods which are available for use.

Then these methods must be related to the type of work being done.

These two steps, or requirements, are indicated diagrammatically in the second tier of boxes in Figure 1.

Tree elements in boxes A.4, A.5, and A.6 of Figure 1 relate to three basic ways hazards and risks are identified:

(1) Hazards and risks that can only be detected by the worker and first line supervisor through their intimate knowledge of and contact with the actual field working conditions, e.g., special characteristics of a machine or tool.

(2) Hazards and risks that are not directly apparent to the worker and first line supervisor and can only be identified and analyzed by an expert or specialist, e.g., hazards that cannot be detected by the worker's physical senses, such as nuclear criticality or the presence of certain odorless, colorless toxicants.

(3) Hazards and risks that require inputs from both the worker and specialist for proper identification, evaluation, and control, e.g., operations generating toxic dusts in which it is necessary to know actual dispersion and toxic properties of the dust.

These task and field oriented methods are discussed further in Appendix A.

The full safety analysis report and the mini-safety analysis report shown in boxes A.2 and A.3 of Figure 1 are much broader in scope.

They treat large scale projects in which specific tasks are too numerous to analyze separately.

Details on the construction and content of these reports are given in Part II.

Examples and guidelines for when they are needed are given in Appendix A.

The remainder of this section provides guidelines for using the tree in Figure 1 to establish or appraise a safety analysis program.

Questions which should be considered for each element in the tree are listed in the same sequence as given in the tree.

The AND gate is used under box 1.0, "Provide and Describe Safety Analysis Methods", to indicate that all items listed under the AND gate are necessary for a complete safety analysis program, even though for a specific task, one type of process or another may be all that is necessary.
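The AND-gate logic of the requirements tree can be made mechanical. The Python below is an added example written for this page, not part of SSDC-17: it builds the Figure 1 tree from the box codes used in this section (1.0 with A.1 through A.7, 2.0 with 2.1 through 2.5), takes an appraiser's per-element findings, and propagates "less than adequate" (LTA) upward through the AND gates. An element with no recorded finding is reported as not assessed rather than silently passing, which is the check an appraiser most needs when a program review is incomplete. The leaf titles are abbreviations of the section headings and the findings dictionary is constructed for the example.

```python
"""MORT-style appraisal of a safety analysis program against the
AND-gated requirements tree of Figure 1.

Added example for this page; not part of SSDC-17. The box codes follow
Part I; the findings below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

ADEQUATE, LTA, NOT_ASSESSED = "adequate", "LTA", "not assessed"


@dataclass
class Node:
    code: str
    title: str
    children: List["Node"] = field(default_factory=list)
    finding: Optional[str] = None  # leaves only: ADEQUATE or LTA

    def evaluate(self) -> str:
        """AND gate: the parent is adequate only if every child is.
        A leaf without a recorded finding is NOT_ASSESSED, and that status
        propagates upward so an unevaluated requirement never passes."""
        if not self.children:
            return self.finding if self.finding in (ADEQUATE, LTA) else NOT_ASSESSED
        results = [child.evaluate() for child in self.children]
        if LTA in results:
            return LTA
        if NOT_ASSESSED in results:
            return NOT_ASSESSED
        return ADEQUATE

    def deficiencies(self, path: Tuple[str, ...] = ()) -> Iterator[Tuple[str, str]]:
        """Yield (tree path, status) for each leaf that is LTA or not assessed."""
        here = path + (self.code,)
        if not self.children:
            status = self.evaluate()
            if status != ADEQUATE:
                yield " > ".join(here), status
            return
        for child in self.children:
            yield from child.deficiencies(here)


def build_requirements_tree(findings: Dict[str, str]) -> Node:
    """Figure 1: box 1.0 (A.1-A.7) AND box 2.0 (2.1-2.5) under the top box."""
    def leaf(code: str, title: str) -> Node:
        return Node(code, title, finding=findings.get(code))

    compliance = Node("A.1", "Methods to evaluate CS&R compliance", [
        leaf("A.1.1", "Demonstrate compliance with specific CS&R requirements"),
        leaf("A.1.2", "Produce all specified analyses"),
    ])
    methods = Node("1.0", "Provide and describe safety analysis methods", [
        compliance,
        leaf("A.2", "Full safety analyses"),
        leaf("A.3", "Mini-analyses"),
        leaf("A.4", "Step-by-step job analysis"),
        leaf("A.5", "Formal involvement of safety personnel"),
        leaf("A.6", "General backup methods"),
        leaf("A.7", "Monitoring, appraisal, and review"),
    ])
    scaling = Node("2.0", "Relate work to safety analysis method", [
        leaf("2.1", "Verbal descriptions"),
        leaf("2.2", "Numerical limits"),
        leaf("2.3", "Example groups"),
        leaf("2.4", "Risk computation"),
        leaf("2.5", "Other risk formulas"),
    ])
    return Node("0", "Establish safety analysis program", [methods, scaling])


def appraise(findings: Dict[str, str]) -> Tuple[str, List[Tuple[str, str]]]:
    """Return the top-box status and the list of deficient leaves."""
    tree = build_requirements_tree(findings)
    return tree.evaluate(), list(tree.deficiencies())


# Constructed findings: every element adequate except A.1.2 (LTA), and 2.4
# was never looked at, so it is deliberately missing from the dictionary.
SAMPLE_FINDINGS = {
    code: ADEQUATE
    for code in ["A.1.1", "A.2", "A.3", "A.4", "A.5", "A.6", "A.7",
                 "2.1", "2.2", "2.3", "2.5"]
}
SAMPLE_FINDINGS["A.1.2"] = LTA

if __name__ == "__main__":
    status, gaps = appraise(SAMPLE_FINDINGS)
    print("Program:", status)
    for path, why in gaps:
        print(f"  {path}: {why}")
```

Because every gate in this tree is an AND gate, a single LTA leaf makes the whole program LTA, and the path printed for each deficiency tells the appraiser which branch of Figure 1 to take the finding back to.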

1.0 Are Appropriate Safety Analysis Methods Provided and Described?

Do the methods have the following characteristics?

(1) Do they include all safety analysis methods specifically required by CS&Rs? (This includes environmental impact statements, formal safety analysis reports, single failure analysis etc.)

(2) Do they require visible backup analyses and compliance information?

1.1 (A.1) Are Safety Analysis Methods Provided to Evaluate Compliance with Specific Codes, Standards, and Regulations (CS&Rs)?

Do these methods apply to all work? Do they include:

1.1.1 (A.1.1) Methods to Demonstrate Compliance with specific CS&R Requirements?

(1) Are applicable CS&R requirements identified?

(2) Is information provided that indicates whether compliance exists?

(3) Are any necessary backup analyses required to prove compliance?

Are brief statements of the requirements recorded?

Is there indication of whether the requirement is met or not? Is information relating to disposition of any noncompliance items provided?

Is the REECo Cross Index Manual [6] used as a reference in defining CS&R requirements? Are CS&R requirements properly converted to field working language and communicated to personnel?

[Figure 1 - Safety Analysis Requirements Tree (INEL-A-12 684). Top box: "Establish safety analysis program", with CS&R compliance and other scaling systems as inputs. Second tier, joined by an AND gate: 1.0 "Provide and describe safety analysis methods" (elements A.1 through A.7, covering all work and all energy types sufficient to cover needs) and 2.0 "Relate work to safety analysis method", with 2.1 Verbal descriptions, 2.2 Numerical limits, 2.3 Example groups, 2.4 Risk computation, and 2.5 Other formulas. Note: CS&R = Codes, Standards, and Regulations.]

1.1.2 (A.1.2) Do Methods Exist to Produce All Specified Analyses?

Does the safety process go beyond mechanical requirements, such as posting requirements, egress requirements, etc., into the area of formal safety analyses that may be specified?

In this case, are all requirements of this type properly described, and is an indication of whether the requirement is or is not met properly recorded?

Is information relating to disposition of noncompliance items properly recorded? Does this include such items as requirements for stress analyses, common failure mode analyses, chemical analyses, etc.?

1.2 (A.2) Are Methods Provided for Creation of Full Safety Analyses?

Does work having serious potential consequences in terms of environmental impact, safety, or health have associated with it a full written safety analysis that deals specifically with each item discussed in Part II of this report? How does use of the system relate to the guidelines and examples of such work indicated in Appendix A? Are proper analyses performed for both the initial design and plan and for changes that have potential for serious impact on environment, safety, or health considerations?

1.3 (A.3) Does An Adequate System Exist for Creation of Safety "Mini-Analyses" for Work or Processes that Do Not Require A Full Formal Safety Analysis?

(The mini-analysis is comparable to the Safety Assessment Document required by DOE, the primary difference being that the mini-analysis is not restricted to nuclear facilities.)

Is work having less serious potential consequences analyzed by appropriate personnel? Are all the basic elements of a safety analysis report contained in Part II of this document considered? Are unusual risks and hazards recorded in writing? Is compliance with all applicable CS&Rs, as well as compliance with organizational criteria, demonstrable?

1.4 (A.4) Do Processes for Step-By-Step Job Analysis Exist in the System?

Does an appropriate graded series of safety controls relating to actual job performance exist in this system? Does this include the types of controls described in this section as well as the other two levels of control of this type that follow in Sections 1.5 and 1.6? Do the step-by-step processes include:

(1) Appropriate detailed operating or job performance procedures (provided the procedures are designed to provide for safe performance of the job and not merely to complete the job in a functional sense)?

(2) Job safety analyses, as required (worker participation and observational plans)?

(3) Appropriate human factors step-by-step analyses (provided analyses are designed to provide for safe performance of the job and not merely for general error reduction and operating efficiency)?

Do all of these step-by-step analytical processes include appropriate participation of safety professionals and performance of backup analyses to assure that the step-by-step analysis will expose the safety hazards associated with the job?

1.5 (A.5) Do Proper Methods Exist for Formal Involvement of Safety Personnel?

Do methods exist that are less rigorous than the step-by-step analysis but which do require the formal participation of safety professionals in the safety analysis process? Do these methods include job or task analyses associated with approval of safe work permits, work order safety sign-off, purchase order safety sign-off, continuous safety monitoring requirements, and similar methods? Do these methods include sufficient formal backup analyses to provide guidance to all personnel in performing their part of the safety analyses? Are the criteria to be used by the involved safety professionals and the required safety disciplines that should be involved clearly defined?

1.6 (A.6) Do Appropriate General Methods (Not Job or Task Specific) Exist to Back Up the Specific Safety Analysis Methods and Procedures?

Are the informal analyses performed by nonsafety personnel in the normal course of doing their work properly backed up by:

(1) Prejob briefing?

(2) Direct supervisory attention?

(3) Training programs?

(4) Worker selection processes?

(5) General involvement of safety professionals?

Are general analyses relating to the work program, general training programs, day-to-day working arrangements between the line and safety organizations, etc., adequate?

1.7 (A.7) Are adequate Monitoring, Appraisal, and Review Processes Performed to Evaluate and Improve Overall Safety System Performance?

2.0 Is the Work Being Done Related Properly to the Safety Analysis Methods that Should Be Used?

Do means exist for relating the work being performed to the available methods of safety analysis? Do these methods of sorting and scaling the work to select the proper method of analysis:

(1) Include all energy types being worked with and all types of work being done?

(2) Indicate the type of analysis to be performed and the need for any preliminary safety analyses (PSAs) prior to the final operational analysis?

Are PSAs performed as required early in the conceptual design phase to assure adequate allocation of safety resources? Are PSAs continued through the design process to reduce retrofit and make-do solutions to a minimum as one approaches final operation? Is this type of thinking applied to both large and small jobs? Are the basic methods for relating work to the appropriate safety analysis method properly and adequately used?

2.1 Are Adequate Verbal Descriptions Provided?

Are there word descriptions that direct performance of specific hazard analysis activities when specified conditions exist? Are these systems oversimplified (e.g., "if a 'significant' risk exists, perform a hazard analysis") or too complex (very elaborate multilevel systems)?

Are the definitions sufficient to reduce the subjective nature of pure word definitions to an acceptable level?

Is care taken to avoid misunderstandings during initial use of the system, when new individuals are developing their use of word definitions?

2.2 Are Sufficient Numerical Limits Provided?

Do methods exist that are based on initiating actions when numerical limits are exceeded (e.g., if more than 400 grams of U-235 is stored, certain analyses must be performed)? Are all variables properly bounded in dealing with multivariable systems (e.g., "for 3792 kPa (550 psi) pressure do not exceed 260°C (500°F); for 6895 kPa (1000 psi) pressure do not exceed 193°C (380°F), etc.")? In the latter case, are "safe operating" curves or envelopes adequately provided?

2.3 Are "Example Groups" Provided to Clarify the Requirements?

Do methods exist that are based on defining actions in terms of "similar" risks or hazards (e.g., "if your job is comparable to the items in Group A, perform a job safety analysis; if it is more like the items listed in Group B, it is only necessary to obtain a safe work permit")? An example of such guidelines is included in Appendix A.

2.4 Are Quantitative Risk Computations Performed to Provide Guidance As Necessary?

Do methods exist that involve taking action on the basis of formal quantitative risk evaluation (e.g., "if the projected probability of an employee death is greater than once in twenty years, the following action should be taken...")? Are proper advanced state-of-the-art methods used in making this sort of projection? Are the data used appropriate and up-to-date? Do short-cut methods exist for routine screening of jobs?

2.5 If Other Risk Formulas Are Used, Do They Provide Adequate Guidance in Revealing True Risks?

There has been a proliferation of formulas that generate "risk indices", which are related to but not numerically equal to quantitative risk.

These formulas produce an index number, and a higher number calls for a higher level of analytical effort than a lower one (e.g., if the "risk index" generated by the formula is "greater than 8", a complete and rigorous hazard analysis report must be prepared).

Does a proper combination of the basic scaling methods exist that will result in appropriately scaled safety analyses?
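The combination of scaling methods asked for in the question above can be made explicit in code. The Python below is an added example written for this page, not part of SSDC-17: it encodes the numerical limits of Section 2.2 (the 400 g U-235 threshold and the pressure-temperature envelope, interpolated linearly between the two quoted points and never extrapolated beyond them), the Group A / Group B rule of Section 2.3, the once-in-twenty-years fatality criterion of Section 2.4 and the index-greater-than-8 rule of Section 2.5, and lets the most demanding triggered method decide. The level names and their ordering, the linear interpolation, and the mapping of each rule to a level are assumptions made for the example; the job data is constructed.

```python
"""Combining the scaling methods of Sections 2.2 through 2.5 into one
selector that picks the safety analysis method for a job.

Added example for this page; not part of SSDC-17. The thresholds are the
illustrative figures quoted in the text; the level names, their ordering,
the interpolation, and the rule that the most demanding triggered method
wins are assumptions made here for the example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed ordering of analysis effort, least to most demanding.
LEVELS = ["informal analysis", "safe work permit", "job safety analysis",
          "mini-analysis", "full SAR"]

# Section 2.2 "safe operating" envelope: (pressure kPa, max temperature C).
# Only the two points quoted in the text are tabulated; linear interpolation
# between them is an assumption, and nothing is extrapolated beyond them.
PT_ENVELOPE = [(3792.0, 260.0), (6895.0, 193.0)]

# Section 2.4: "greater than once in twenty years", as an annual probability.
FATALITY_LIMIT_PER_YEAR = 1.0 / 20.0


@dataclass
class Job:
    u235_grams: float = 0.0
    pressure_kpa: Optional[float] = None
    temperature_c: Optional[float] = None
    example_group: Optional[str] = None           # Section 2.3: "A" or "B"
    fatality_probability: Optional[float] = None  # Section 2.4, per year
    risk_index: Optional[float] = None            # Section 2.5


def max_safe_temperature(pressure_kpa: float) -> Optional[float]:
    """Temperature limit from the envelope, or None when the pressure lies
    outside the tabulated range (that case needs a specialist, not a guess)."""
    points = sorted(PT_ENVELOPE)
    if not points[0][0] <= pressure_kpa <= points[-1][0]:
        return None
    for (p0, t0), (p1, t1) in zip(points, points[1:]):
        if p0 <= pressure_kpa <= p1:
            return t0 + (t1 - t0) * (pressure_kpa - p0) / (p1 - p0)
    return None


def triggered_rules(job: Job) -> List[Tuple[str, str]]:
    """Apply each scaling method; return (required level, reason) pairs."""
    hits: List[Tuple[str, str]] = []
    if job.u235_grams > 400:  # 2.2 single numerical limit
        hits.append(("mini-analysis",
                     "2.2: more than 400 g U-235 stored; criticality analysis required (assumed level)"))
    if job.pressure_kpa is not None and job.temperature_c is not None:  # 2.2 envelope
        limit = max_safe_temperature(job.pressure_kpa)
        if limit is None:
            hits.append(("mini-analysis",
                         f"2.2: {job.pressure_kpa} kPa is outside the tabulated envelope; specialist review"))
        elif job.temperature_c > limit:
            hits.append(("full SAR",
                         f"2.2: {job.temperature_c} C exceeds the {limit:.1f} C limit at {job.pressure_kpa} kPa"))
    if job.example_group == "A":  # 2.3 example groups
        hits.append(("job safety analysis", "2.3: work comparable to Group A"))
    elif job.example_group == "B":
        hits.append(("safe work permit", "2.3: work comparable to Group B"))
    if job.fatality_probability is not None and job.fatality_probability > FATALITY_LIMIT_PER_YEAR:
        hits.append(("full SAR", "2.4: projected employee fatality probability exceeds once in twenty years"))
    if job.risk_index is not None and job.risk_index > 8:  # 2.5 risk index
        hits.append(("full SAR", "2.5: risk index greater than 8"))
    return hits


def select_analysis(job: Job) -> Tuple[str, List[str]]:
    """Most demanding triggered level wins; with no trigger the job stays at
    the informal, general-methods level (box A.6 of Figure 1)."""
    hits = triggered_rules(job)
    if not hits:
        return LEVELS[0], []
    level = max((lvl for lvl, _ in hits), key=LEVELS.index)
    return level, [reason for _, reason in hits]


if __name__ == "__main__":
    # Constructed job: mid-envelope pressure, temperature over the curve, Group B work.
    job = Job(u235_grams=50, pressure_kpa=5343.5, temperature_c=240, example_group="B")
    level, reasons = select_analysis(job)
    print(level)
    for reason in reasons:
        print("  -", reason)
```

Two design points matter for an appraiser. The envelope returns no limit for a pressure outside the tabulated points instead of extrapolating, so the job is escalated to specialist review rather than passed on a guessed number; and every triggered rule is reported alongside the chosen level, so the record shows why the Group B work that would only have needed a safe work permit ended up requiring a full SAR.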


PART II THE SAFETY ANALYSIS REPORT

This part of the Guide relates to the content of safety analysis reports.

The tree in Figure 2 shows "management system requirements for SAR" in a diamond with no further detail regarding this part of the safety analysis process.

It is emphasized, however, that failure of management to define the requirements for producing and controlling safety analysis reports and to establish risk acceptance guidelines are frequent fundamental omissions that have a high potential for errors and accidents.

Above and beyond the specific questions raised in the safety analysis process presented in this part, the following management constraints must apply:

(1) Are reports structured in compliance with all applicable codes, standards, and regulations?

(2) Are reports structured and scaled in accordance with appropriate scaling criteria (big risks and hazards require a greater effort than small risks and hazards)?

(3) Is attention given to the entire frequency-severity spectrum (all levels of risk) of potential accidents and incidents?

(4) Is attention given to the entire life cycle of projects to which the safety analysis report applies? Are preliminary safety analyses performed, as appropriate, during the early life cycle development of projects and facilities?

(5) Is attention given to the change controls necessary to protect the validity of the safety analysis report?

(6) Have guidelines and responsibilities been established for risk acceptance only at the proper management level? In the contractor organization? Within DOE?

(7) Is sufficient information provided to permit management to make a sound value judgment regarding safety goals and objectives and the acceptability of risk?

As indicated in the tree (Figure 2), there are basically eight considerations relating to the content of a safety analysis report.

These are:

(1) Does the report include consideration of the safety goals, objectives?

(2) Does the report provide adequate descriptions of the system, the environment, and the system / environment interfaces?

(3) Does the report describe energy release modes and mechanisms?

(4) Does the report describe the consequences of energy release?

(5) Does the report describe the residual hazards and risks associated with the system (after application of safety constraints and controls)?

(6) Does the report relate the residual hazards and risks to the safety goals, objectives, and acceptable risks?

(7) Does the report highlight the operational controls that are necessary to protect the validity of the safety analysis report?

(8) Does the report describe the management system and the relationships of management subsystems that are responsible for safe operations and control of the physical system?

[Figure 2 - Safety Analysis Process Tree (three sheets). Objective: "Perform adequate safety analyses", noted as CS&R compliant, scaled to the frequency-severity (F/S) spectrum and covering the life cycle, with "management system requirements for SAR" shown as a diamond. Under an AND gate: 1.0 safety goals, objectives and acceptable risks (A.1, A.2; DOE and contractor inputs); 2.0 system and environment (B.1 through B.5); 3.0 energy release modes (3.1 normal, 3.2 failed: 3.2.1 internal, 3.2.2 environmental); 4.0 consequences (C.1, C.2); 5.0 residual hazards and risks (D.1, D.2); 6.0 relation to goals; 7.0 operational controls for handoff (E.1 through E.4, with E.4.1 physical and E.4.2 administrative controls); 8.0 management system (8.1 through 8.3). Notes: F/S = Frequency-Severity; QA = Quality Assurance.]

Considerations 1.0 through 8.0 on the tree in Figure 2, relating specifically to safety analysis report content, will now be developed in further detail.

The numerical coding for the tree is identical to the report sections given below.

Where alpha-numeric coding is used for the elements of the tree, the tree code is given in parentheses beside the corresponding section number.

1.0 Does the Report Describe or Reference the Safety Goals, Objectives, and Acceptable Risks Associated with the Project or Task?

Does this include both DOE and contractor goals, objectives, and acceptable risks? Does it include:

1.1 (A.1) Applicable general goals, objectives, and acceptable risks?

1.2 (A.2) Goals, objectives, and acceptable risks applicable to the specific project or task?

2.0 Does the Report Describe Safety-Related Considerations and Characteristics of the System and of the Environment?

Are all applicable energy types included in Appendix C considered?

2.1 (B.1) Is an appropriate physical description of the system provided that includes:

2.1.1 (B.1.1) The basic engineering design of the system under study:

2.1.1.1 (B.1.1.1) Conditions and events relating to safe energy transfer within the system?

2.1.1.2 (B.1.1.2) Conditions and events relating to safe energy transfer from the system to the environment?


2.1.1.3 (B.1.1.3) Conditions and events relating to safe energy transfer from the environment to the system?

2.1.2 (B.1.2) Configuration and change controls that:

2.1.2.1 (B.1.2.1) Assure that the initial system configuration complies with the design (construction, installation) controls?

2.1.2.2 (B.1.2.2) Assure continuing control of the configuration to prevent compromise of designed-in safety (maintenance, operational) controls?

2.1.3 (B.1.3) Are operational readiness controls described?

2.2 (B.2) Are appropriate descriptions of the physical environment provided? Does this include:

2.2.1 (B.2.1) Environmental conditions and events relevant to energy transfer from the system to the environment (heat, light, sound, physical effluents, etc.)?

2.2.2 (B.2.2) Environmental conditions and events relevant to energy transfer from the environment to the system (earthquake, tornado, rain, etc.)?

2.3 (B.3) Are all energy types present in the system identified?

(See Appendix C.)

2.4 (B.4) Are potential targets (people and things) of energy release described?

2.4.1 (B.4.1) Are targets within the system described?

2.4.2 (B.4.2) Are targets external to the system described?

Does this include both specific targets (people and things) and general targets (e.g., the atmosphere)?

2.5 (B.5) Are the barriers and controls that are designed to protect targets from energy release identified and described?

3.0 Does the Report Describe Energy Release Modes and Mechanisms?

Does this include:

3.1 Energy releases under normal operating or task conditions?

3.2 Energy releases under failed or other abnormal conditions?

Does this include:

3.2.1 Internal system failures?

3.2.2 Failures due to environmental inputs or conditions?

Are the following types of failure considered?

(1) Human failures (errors), SSDC-2 [8]?

(2) Hardware or equipment failures?

(3) Procedural and management control failures?

(4) Security system failures (malevolence)?

Is the safety precedence sequence (Appendix B), as well as Quality Assurance, Human Factors, and Reliability requirements, taken into account in evaluating these elements?

4.0 Are Consequences of Energy Releases Considered?

Do these include:

4.1 (C.1) Consequences of energy transfer, to and from the system, under normal operating or job conditions?

4.2 (C.2) Consequences of energy transfer, to and from the system, under failed or other abnormal conditions?

5.0 Are the Residual Hazards and Risks Associated with the Project or Task Identified and Described (SSDC-11 [9])?

5.1 (D.1) Are major risks and hazards individually identified and quantitatively described to the maximum practicable degree?

5.2 (D.2) Are minor risks and hazards identified and described in a collective and/or qualitative sense?

6.0 Are the Residual Hazards and Risks Identified and Described in Section 5.0 Related to the Safety Goals, Objectives, and Acceptable Risks Specified in Section 1.0?

Does this include relating hazards and risks to:

6.1 (A.1) General objectives, goals, and acceptable risks?

6.2 (A.2) Objectives, goals, and acceptable risks specific to the project or task under study?

7.0 Are Operational Controls and Required Resources Necessary to Protect and Maintain the Validity of the SAR Highlighted for Handoff to Appropriate Design, Construction, Installation, Test, Operations, Maintenance, Project, and Quality Assurance Groups?

Does this include:

7.1 (E.1) Key hardware quality assurance and maintenance requirements?

7.2 (E.2) Key job safety requirements?

7.3 (E.3) Key test safety requirements?


7.4 (E.4) Key operational safety requirements?

7.4.1 (E.4.1) Physical controls and their bases.

7.4.2 (E.4.2) Administrative controls and their bases.

(Include any special training requirements.)

8.0 Does the report describe the management system responsible for safe design and operation of the physical system?

8.1 Does the description show the relationships of management subsystems and their responsibilities? Are organization elements responsible for system design, procedure generation, quality assurance, engineering and safety analysis, facility operations, maintenance and other support functions considered?

8.2 Does the report describe the management system for configuration and procedure control? Does the description show where these functional responsibilities lie in the overall management system?

8.3 Is the "Change Control" system and the required management authorizations described and defined?

8.4 Does the report describe the management system that reviews for design, safety, and procedural adequacy?

Has the SAR Design and Review Matrix (Figure 3) been used as a checksheet to verify that all eight safety analysis report elements have been considered for all energy types present in the system?

Fig. 3 Safety Analysis Report Design and Review Matrix

Columns (the eight SAR elements):

1.0 Describe safety goals and objectives
2.0 Describe system and environment
3.0 Describe energy release modes and mechanisms
4.0 Describe consequences of energy release
5.0 Describe residual hazards and risks
6.0 Relate hazards and risks to goals and objectives
7.0 Highlight operational controls
8.0 Management system responsible for operation control

Rows (energy involved), one cell to be checked against each of the eight columns:

Energy involved          1.0  2.0  3.0  4.0  5.0  6.0  7.0  8.0
Electrical
Nuclear
MGH [1]
PV-KD [2]
Kinetic - linear
Kinetic - rotational
Corrosive
Explosive - pyrophoric
Toxic - pathogenic
Flammable
Thermal
Acoustical radiation
Thermal radiation
Radiation - other

[1] Mass, gravity, height
[2] Pressure volume - K-constant distance
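The checksheet use of Figure 3 described above, as an added example that is not part of SSDC-17: a short Python script that encodes the matrix cells (energy type crossed with SAR element) and reports which cells a draft SAR has not yet addressed. The spelling of the energy-type names, the (energy type, section) record format for noting coverage while reading a draft, and the sample coverage data are assumptions made for this example, not data from any real safety analysis report.

```python
"""Checksheet for the SAR Design and Review Matrix (Fig. 3).

Added example, not part of SSDC-17. It encodes the matrix as
(energy type, SAR element) cells and reports which cells a draft SAR
has not addressed. The coverage records below are constructed sample
input, not data from any real safety analysis report.
"""
from itertools import product

# The eight SAR elements (column headings of Fig. 3), keyed by section number.
SAR_ELEMENTS = {
    "1.0": "Describe safety goals and objectives",
    "2.0": "Describe system and environment",
    "3.0": "Describe energy release modes and mechanisms",
    "4.0": "Describe consequences of energy release",
    "5.0": "Describe residual hazards and risks",
    "6.0": "Relate hazards and risks to goals and objectives",
    "7.0": "Highlight operational controls",
    "8.0": "Management system responsible for operation control",
}

# The energy types listed as rows of Fig. 3 (spelling assumed for the example).
ENERGY_TYPES = (
    "Electrical", "Nuclear", "MGH", "PV-KD", "Kinetic-linear",
    "Kinetic-rotational", "Corrosive", "Explosive-pyrophoric",
    "Toxic-pathogenic", "Flammable", "Thermal", "Acoustical radiation",
    "Thermal radiation", "Radiation-other",
)


def matrix_cells(energy_present):
    """Return every (energy type, element section) cell that must be addressed.

    Only energy types actually present in the system form rows; the element
    columns are fixed. An unknown energy-type name is rejected rather than
    silently producing an empty row that would never show up as a gap.
    """
    unknown = set(energy_present) - set(ENERGY_TYPES)
    if unknown:
        raise ValueError(f"not a Fig. 3 energy type: {sorted(unknown)}")
    return set(product(energy_present, SAR_ELEMENTS))


def uncovered_cells(energy_present, coverage):
    """Return the cells the draft SAR has not addressed, sorted for reporting.

    `coverage` is an iterable of (energy type, element section) pairs recorded
    while reading the draft, e.g. ("Flammable", "3.0"). A record that names a
    cell outside the matrix is an error in the review notes, so it is rejected.
    """
    required = matrix_cells(energy_present)
    covered = set(coverage)
    stray = covered - required
    if stray:
        raise ValueError(f"coverage entries outside the matrix: {sorted(stray)}")
    return sorted(required - covered)


def report(energy_present, coverage):
    """One line per missing cell: energy type, section number, element name."""
    return "\n".join(
        f"{energy:22} {section} {SAR_ELEMENTS[section]}"
        for energy, section in uncovered_cells(energy_present, coverage)
    )


# Constructed sample: a small facility with three energy types, reviewed
# against a draft SAR that addressed every cell except three.
SAMPLE_ENERGY = ("Electrical", "Flammable", "PV-KD")
SAMPLE_COVERAGE = [
    (energy, section)
    for energy in SAMPLE_ENERGY
    for section in SAR_ELEMENTS
    if not (energy == "Flammable" and section in ("6.0", "7.0"))
    and not (energy == "PV-KD" and section == "8.0")
]

if __name__ == "__main__":
    print(report(SAMPLE_ENERGY, SAMPLE_COVERAGE) or "all matrix cells addressed")
```

Run as a script it prints the three missing cells for the sample data; to use it on a real review, replace SAMPLE_ENERGY with the energy types identified under element 2.3 and build the coverage list from the review notes.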

REFERENCES

[1] M. G. Bullock, Work Process Control Guide (Draft), SSDC-15 (July 1977). To be published.

[2] DOE Order 6401, Management and Administration of the Construction Program.

[3] Proposed DOE Order 6430, General Design Criteria.

[4] DOE Order 5480, Chapter V, Safety of Nonreactor Nuclear Facilities (November 22, 1976).

[5] N. W. Knox, R. W. Eicher, MORT User's Manual, ERDA-76/45-4, SSDC-4 (Rev. 1) (November 1976).

[6] Cross-Index to ERDA-Prescribed Industrial Safety Codes and Standards, Reynolds Electrical and Engineering Company, Inc., Nevada Operations Office, NVO-410-021 (Rev. 3) (January 1977).

[7] R. J. Nertney, J. L. Clark, and R. W. Eicher, Occupancy-Use Readiness Manual - Safety Considerations, ERDA-76/45-1, SSDC-1 (September 1975).

[8] R. J. Nertney, M. G. Bullock, Human Factors in Design, ERDA-76/45-2, SSDC-2 (February 1976).

[9] G. J. Briscoe, Risk Management Guide, ERDA-76/45-11, SSDC-11 (June 1977).

APPENDIX A

GUIDELINES AND EXAMPLES RELATING KIND OF WORK TO TYPE OF SAFETY ANALYSIS

This Appendix provides a sample consensus guideline relating the kind of work to each type of safety analysis described in Part I and Figure 1.

Since the guidelines consist primarily of examples, much judgment must be exercised because the amount of effort and type of safety analysis should be scaled to the amount of risk involved.

For example, a laser isotope separation facility (listed under full safety analysis reports) could range from a minor laser research operation in a single laboratory room to a multimillion dollar facility.

As another example, flammable liquid storage is listed under mini-safety analysis report or under safety professional cognizance only.

Thus, even though there is considerable overlapping of each category, a scanning of the examples will scope the type of activity and range of risk which is appropriate for each type of safety analysis.

1. FULL SAFETY ANALYSIS REPORTS

Full Safety Analysis Reports (SARs) are management oriented in that they provide information from which management can determine that the residual risks are acceptable and provide a baseline for judging acceptability of risks involved in subsequent modifications.

They also provide guidelines (such as those in Sections 3, 4, and 5 of this Appendix) for safety analysis of specific tasks as related to actual job performance.

Examples of activities requiring a full SAR are listed below.

(1) Pilot scale work with new energy systems.

(2) Nuclear fuel processing facility.

(3) Fusion research facility.

(4) Any new nuclear process or facility such as radiography lab, hot cells, radiochem lab, fissile storage facility, etc.

Note that a radiography or radiochem lab may require only a mini-SAR.

(5) Particle accelerator.

(6) Laser isotope separation facility (laboratory research may require only a mini-SAR or a job safety analysis).

(7) Nuclear waste storage or disposal.

(8) Restart of idle, major facility.

(9) Radioactive shipping, packaging, method of transport, etc.

(10) Disposal or storage facility for explosives, toxic materials, etc. (some toxic storage may require only a mini-SAR).

(11) High energy test area, such as explosive sites (including nuclear device test sites).

(12) Hazardous chemical processes (involving exothermic materials, flammables, heat, pressure, or all four).


2. MINI-SAFETY ANALYSIS REPORTS

The mini-SAR performs the same functions as a full SAR.

It may be an addendum to a full SAR or a brief documentation of safety considerations for a project involving no unusual hazards, such as the Safety Assessment Document required by DOE 5480, Chapter V [4].

It may also approach a full SAR in scope and detail.

The primary difference is that in a full SAR, every item on the tree in Figure 2 is discussed, while in a mini-SAR significant items are discussed without documenting justification of omissions.

Nevertheless, if challenged, there should exist justification for omissions.

Examples requiring a mini-SAR are:

(1) Modifications affecting full SARs (these could be addendums to full SARs).

(2) Flammable liquid storage (major storage facility may require full SARs).

(3) General building construction and operation where the lack of major energy sources makes a full SAR unnecessary.

(4) Toxic material storage and handling.

(5) Introduction of new chemical.

(6) Installation of new crane.

(7) Installation of high energy machines, e.g., X-ray accelerators, etc.

(8) Restart of high energy machines.

(9) Installation of spray paint or sandblasting booth.

(10) Well drilling operation.

(11) High energy capacitor bank installation (job safety analyses may be adequate, especially for outdoor installation).

(12) Multiple contractors in same area.

(13) Storage facility for compressed gases.

(14) Low pressure testing facility (e.g., environmental chamber).

(15) Sewage treatment facility.

(16) Implementation of new transportation system.

(17) High pressure test facility.


(18) High voltage substation.

(19) Chemical cleaning facility.

(20) One-time operations presenting high risk.

(a) Moving test loop to hot cell facility.

(b) Dismantling contaminated water tank on tower.

(c) Relocation of work force.

(d) Crane loads (heavy, delicate, vital, or excessive loads; include internal load failure).

3. STEP-BY-STEP JOB SAFETY ANALYSIS

These are of three types:

(1) U.S. Steel type job safety analyses (JSAs).

(2) Step-by-step procedures which have been structured and reviewed to include safety considerations.

(3) Step-by-step human factors analyses which have been structured and reviewed to include safety considerations.

These three types are all applied to specific tasks which are small enough so that each step may be examined for potential hazards and reviewed by appropriate specialists.

There is considerable overlapping of each type.

For example, the JSA includes documenting each step, identifying the hazard at each step, and specifying (in writing) how to eliminate or minimize the identified hazards.

The step-by-step procedure may be developed from the JSA if the task is to be repeated a number of times, or JSA information may be integrated into an operational procedure created for purposes other than safety.

Also, a procedure may be developed and reviewed for safety without the formal documentation of identified hazards.

The third type, human factors analysis, deals with personnel behavior and consists primarily of identifying anticipated personnel errors and specifying design criteria to minimize those errors.

As such, human factors analysis should be a part of every JSA and safety procedure. The tasks listed as requiring human factors analyses are primarily those where operator error may have serious consequences.

These tasks may not require a step-by-step procedure for the operator.

3.1 JSA

(1) Material handling (heavy drums)

(2) Work on high energy (≥ 480 V) energized electrical system

(3) Acid/caustic cleaning

(4) Crane repair

(5) Crane operation

(6) Trenching/excavating

(7) Erection/use of scaffolding

(8) Beryllium, zirconium machining

(9) Repairing caustic/acid leaks

(10) Car/bus service on hoists

(11) Operation of X-ray, low power laser unit

3.2 Step-By-Step Procedure

(1) Handling/assembling critical hardware

(2) Jobs with concealed hazards (nonvisible, such as criticality, microwave, etc.)

(3) Toxic gas transfer

(4) Boiler maintenance

(5) Work on/over water

(6) Jobs where sequence is important

(7) Steam cleaning, sandblasting, spray painting

(8) Maintenance of contaminated exhaust

(9) Refurbishing cask

(10) Repair manipulator

(11) Handling ammonia, NaK, etc.

(12) Hanging pole mounted transformer

(13) Operating 45-Mg (50-ton) press

(14) Charging chlorine cylinder

(15) Replacing cable on crane

3.3 Human Factors Analysis

(1) Emergency action procedure

(2) Jobs requiring high degree of vigilance

(3) Jobs where operator error leads to serious consequences

(4) Crane operation

(5) Bus driving

(6) Dies, stamps, presses

(7) Car/bus service on hoists, ramps

(8) Work in high stress (noise, temperature, commotion) environment

(9) Underwater work (scuba diving, etc.)

(10) Plugging into a 480 V heater

(11) Entry work into hazardous areas

(12) Toxic material/explosive disposal

(13) High pressure air hose [> 103 kPa (15 psi)]

4. SAFETY PROFESSIONAL COGNIZANCE

This level of safety analysis involves concurrence by a safety professional that hazards can be adequately controlled without documented, detailed analyses or procedures.

Included are safe work permits, purchase requisition approvals, job release sign offs, etc.

Precautions or warnings may be written on the permit, but there are usually few or no detailed work descriptions or restrictions.

Minor deviations, if permitted, to tasks already covered by procedure or JSA are included in this category.

Examples are:

(1) Purchase /use of herbicides, pesticides, etc.

(2) Welding / radiography, etc., outside approved areas (this type of work may require JSA and/or procedures within approved areas; the sign-off or work permit is concurrence that the additional risk outside approved areas is minimal and can be controlled by few or no additional restrictions).

(3) Radiation zone work not covered by procedure.

(4) Work in confined spaces.


(5) Material handling improvisation (makeshift ramp for forklift).

(6) Necessary work close to high speed moving machinery (may require human factors and JSA, especially if performed repeatedly).

(7) Operating internal combustion engine in building.

(8) Trenches / excavation in certain areas (assumes procedures exist).

(9) Nonroutine dispensing of large quantities of flammable liquid.

(10) Repair gasoline pump, tank, meter.

5. INFORMAL SAFETY PROCESSES

The informal safety processes include worker judgment, supervisory attention, general professional safety attention, etc.

(Does the worker, supervisor, etc., know what risks he is authorized to accept?)

(1) Routine craft work (carpentry, machinist, etc.).

(2) Yard work (new type power lawn mower may require human factors analysis).

(3) Work on low voltage energized system.

(4) Using low [< 103 kPa (15 psi)] pressure air.

(5) Operating backhoe.

(6) Using chain saws (human factors on new models).

(7) Moving office furniture equipment.

(8) Office work.

(9) Driving car.

(10) Using ladder.


APPENDIX B

THE SAFETY PRECEDENCE SEQUENCE

The following order of effectiveness and reliability shall be generally observed in the design of systems (most effective to least effective):

(1) Designed for minimum hazard, including fail-safe features and redundancy as appropriate.

(2) Hazards reduced to an acceptable level by use of safety devices.

(3) Warning devices provided to warn of hazards.

(4) Procedures developed to reduce and control hazards.

(5) Residual hazards and risks identified and accepted by the proper level of management.


APPENDIX C

TYPICAL EXAMPLES OF ENERGY SOURCES

Electrical
Battery Banks, Diesel Units, High Lines, Transformers, Wiring, Switchgear, Underground Wiring, Cable Runs, Service Outlets and Fittings, Pumps, Motors, Heaters, Power Tools, Small Equipment

Nuclear (Out-of-Reactor)
Vaults, Temporary Storage Areas, Receiving Areas, Shipping Areas, Casks, Burial Grounds, Storage Tanks, Canals and Basins, Reactor In-Tank Storage Areas, Trucks, Hand Carry, Cranes, Lifts, Shops, Hot Cells, Assembly Areas, Inspection Areas, Laboratories, Pilot Plants

Nuclear (In-Reactor)
Reactors, Critical Facilities, Subcritical Facilities

Kinetic/Linear (In-Plant)
Fork Lifts, Carts, Dollies, Railroad, Vessels, Obstructions (Collision With), Shears, Presses, Crane Loads in Motion, PV Blowdown, Power Assisted Driving Tools

Kinetic/Linear (Vehicle)
Cars, Trucks, Buses

Kinetic/Rotational
Centrifuges, Motors, Pumps, Cooling Tower Fans, Cafeteria Equipment, Laundry Equipment, Gears, Shop Equipment (Grinders, Saws, Brushes, etc.), Floor Polishers

PV-KD (Pressure, Tension)
Boilers, Heated Surge Tanks, Autoclaves, Test Loops and Facilities, Gas Bottles, Pressure Vessels, Coiled Springs, Stressed Members, Gas Receivers

MGH (Falls & Drops)
Human Effort, Stairs, Bucket and Ladder, Trucks, Elevators, Jacks, Scaffolds and Ladders, Crane Cabs, Pits, Excavations, Elevated Doors, Canals, Surfaces

MGH (Cranes & Lifts)
Cranes, Slings, Hoists

Flammable Materials
Packing Materials, Rags, Gasoline (Storage and in Vehicles), Oil, Coolant Oil, Paint Solvent, Diesel Fuel, Buildings and Contents, Trailers and Contents, Grease, Spray Paint, Solvent Vats, Powder Metallurgy Dusts, Hydrogen (Including Battery Banks and Water Decomposition), Gases - Other

Radiation
Canals, Plug Storage, Storage Areas, Storage Buildings, Radioactive Sources, Waste and Scrap, Contamination, Irradiated Experimental and Reactor Equipment, Electric Furnace, Blacklight (e.g., Magnaflux), Laser, Medical X-Ray, Radiography Equipment and Sources, Welding, Electric Arc - Other (High Current Circuits), Electron Beam Equipment

Thermal Radiation
Furnaces, Boilers, Steam Lines, Lab and Pilot Plant Equipment, Sun

Thermal (Except Radiant)
Convection, Heavy Metal Weld Preheat, Exposed Steam Pipes, Electric Heaters, Fire Boxes, Lead Melting Pot, Electrical Wiring and Equipment, Furnaces

Explosive/Pyrophoric
Hydrogen (Including Battery Banks), Gases - Other, Caps, Primer Cord, Dynamite, Nitrates, Electric Squibs, Peroxides-Superoxides

Corrosive
Acids, Caustics, "Natural" Chemicals (Soil, Air, Water), Decon. Solutions

Toxic/Pathogenic
Acetone, Fluorides, Carbon Monoxide, Lead, Ammonia and Compounds, Asbestos, Trichloroethylene, Dusts and Particulates, Pesticides-Herbicides-Insecticides, Bacteria, Beryllium and Compounds, Chlorine and Compounds, Sandblast, Metal Plating, Asphyxiation-Drowning

Acoustical Radiation
Equipment Noise, Ultrasonic Cleaners, Boilers, Engines

OTHER SSDC PUBLICATIONS IN THIS SERIES

SSDC-1 Occupancy-Use Readiness Manual
SSDC-2 Human Factors in Design
SSDC-3 A Contractor Guide to Advance Preparation for Accident Investigation
SSDC-4 MORT User's Manual
SSDC-5 Reported Significant Observation (RSO) Studies
SSDC-6 Training as Related to Behavioral Change
SSDC-7 ERDA Guide to the Classification of Occupational Injuries and Illnesses
SSDC-8 Standardization Guide for Construction and Use of MORT-Type Analytic Trees
SSDC-9 Safety Information System Guide
SSDC-10 Safety Information System Cataloging
SSDC-11 Risk Management Guide
SSDC-12 Safety Considerations in Evaluation of Maintenance Programs
SSDC-13 Management Factors in Accident and Incident Prevention (Including Management Self-Evaluation Checksheets)
SSDC-14 Events & Causal Factors Charting
SSDC-15 Work Process Control Guide
SSDC-16 Systems Safety Analysis Manual for Strategic Petroleum Reserve Office Drilling and Completion Operations