HAZARD IDENTIFICATION AND THE DEVELOPMENT OF A COMPLETE CONTROL SET
Dr. Lynn E. McCurry
The prevention and mitigation of potential accidents is a fundamental objective of the hazards
identification and control process. To meet this objective, DOE and its contractors are required to
screen identified hazards, identify accident scenarios, and establish effective and reliable safety
controls. This paper highlights the importance of maintaining an adequate linkage between the
hazard identification and control development processes. Weaknesses in this linkage can cause
an incomplete set of hazard controls to be identified, because a set of non-bounding accident
conditions is derived. The purpose of this paper is to focus on the potential for these
methodology flaws so that they can be prevented in future upgrades and new Documented Safety
Analyses to ensure that a bounding set of accident conditions is used in development of hazard
In reviews of dozens of nuclear and non-nuclear analyses, it has been observed that there is often
a disconnect between the hazards identified and the safety controls selected. Ideally, an analysis
team will identify hazards, screen the hazards by risk, group the hazards into accidents, and
identify controls that prevent or mitigate the probability or consequences of the accident.
However, sometimes this methodology is short-circuited due to time and resource constraints.
These short-circuits include
• Performing hazard identification, accident analyses, and derivation of control as independent
processes performed by separate independent analysis teams;
• Allowing insufficient time between the hazard identification and accident analysis process;
• Over-reliance on a preconceived template of accidents and controls based on similar, but not
Separating Hazard Identification, Accident Analysis, and Derivation of Controls Into Independent Processes
For many Documented Safety Analyses (DSAs), two independent teams are formed to complete
the analyses. The first team is assigned to perform the Hazard Identification/Hazard Analysis.
The second team is assigned to perform the accident analysis.
Approved by ENREGS for Public Release Page 1 of 4
The theory behind this split is that the hazards are well enough understood that the accident
analysis team can start their analysis on known hazards in parallel with the hazard analysis in
order to compress the DSA schedule. However, if there is no continuity and communication
between the teams, they may take different approaches to performing the analysis.
The hazard and accident analysis teams may each have a preconceived idea of the hazards
involved and may skew their portion of the analysis to fit their preconceived notion of “the right
answer.” This can lead to a disconnect between the two analyses. The accident team may
include an accident that does not naturally flow from the hazard analysis. For example, the
hazard analysis may show that a crane drop in a facility has acceptable consequences but the
accident analysis may include controls to prevent the drop. The hazard analysis may identify
potential hazards that are not bounded by the accident analysis. For example, the hazard analysis
may identify the potential for a chemical interaction, which is not carried through to the accident
The hazard team may make assumptions in their analysis that should be protected by controls. If
the accident analysis team does not pick up these buried assumptions, then the control set
selected may not be bounding. For example, the hazard identification portion of the analysis
may assume that a heated process maintains a constant temperature below a set value, and screen
the hazard based on this limit. The accident team may not recognize that the temperature sensor
design and reliability are relied upon to eliminate the potential accident.
Finally, the hazard and accident analysis teams may use incompatible methodologies to perform
the analysis, leading to holes and disconnects. For example, the hazard and accident analysis
teams may use different frequencies for the same event, creating the potential that a borderline
hazard could be screened out by one team and carried forward by the other.
Allowing Sufficient Time for Analysis
Due to the short supply of qualified analysts familiar with individual facilities, in some cases
hazard and accident analyses are delayed until the last possible moment. The result is a rushed
analysis that may not make the best use of safety analysis resources and may contain errors due
to short-circuiting the review process. Allowing insufficient time also results in the inability to
verify consistency between the different portions of the analysis.
Over-reliance on Template Accident Analysis
There are many facilities that contain similar hazards. In some cases, a similar facility’s DSA is
used as a template for a DSA. While it makes sense to piggyback as much as possible on
previous analysis, care must be taken to review all aspects of the template for applicability to the
new facility. In some cases, DSAs have been submitted which contain sections where even the
name of the similar facility has not been corrected or which describe systems that do not exist in
However, it must be recognized that each facility must be considered in its own right. Using a
template from a facility that is similar but does not have the full array of hazards can lead to
holes in the analysis. For example, it may not be recognized that the facility contains chemical
as well as radiological hazards.
In addition, using a template that is several years old can create problems since evolving
methodologies and standards may make portions of the old analysis obsolete.
Finally, using a template can lead to assumptions of acceptability without performing appropriate
analysis. For example, the original analysis may credit a safety class ventilation system. The
second facility may contain similar hazards, but the process may be performed in an existing
facility where there is no pedigree on the ventilation system. It is then easy to assign the same
amount of credit for ventilation in the second facility without justification.
Recommended Methods to Eliminate these Disconnects
Methods which can be used to help eliminate these disconnects include:
• Use of computer databases to ensure all hazards are bounded and controlled and assumptions
• Use of a cradle-to-grave team involved in all aspects of DSA development,
• Increased communication between the hazard identification and accident analysis teams,
• Use of event flow methodology to ensure that all branches of an accident are covered,
• Understanding of the relationship of different portions of the accident/hazard analysis
process so that schedules can appropriately reflect precursor activities to finalizing the
• Understanding the limitations of relying on a template approach for similar hazard analyses
so those pitfalls can be avoided.
Databasing Hazard Tables
One tool that can be used to help eliminate disconnects and ensure that all hazards are bounded
and controlled is to database the hazard tables. If the hazard tables are databased and cross-
referenced to accidents and controls, it is easy to run cross sorts and ensure that all hazards are
enveloped by the accident analysis and the controls selected. This approach is far superior to
using a Word or WordPerfect table, where cross checks cannot be performed. A final check can
be performed by sorting all hazards that are supposed to be encompassed by an accident to
ensure that they are enveloped prior to final submittal.
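The cross sorts described above, as an added example that is not part of the paper: a small in-memory model of databased hazard, accident and control tables, with the checks the text calls for (every unscreened hazard bounded by an accident, every accident controlled, every screening assumption protected by a control, and both teams using the same frequency for the same event) written as functions. The table layout, field names, identifiers and records are all constructed for a hypothetical facility.

```python
"""Cross-checks over a databased hazard table (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class Hazard:
    hazard_id: str
    description: str
    screened_out: bool                                  # screened by risk in hazard analysis
    frequency: str                                      # frequency bin from the hazard team
    accident_ids: list = field(default_factory=list)    # accidents said to envelop it
    assumptions: list = field(default_factory=list)     # buried assumptions used to screen


@dataclass
class Accident:
    accident_id: str
    description: str
    frequency: str                                      # frequency bin from the accident team
    control_ids: list = field(default_factory=list)


@dataclass
class Control:
    control_id: str
    description: str
    protects_assumptions: list = field(default_factory=list)   # assumption tags it protects


# Constructed sample tables for a hypothetical facility (not from any real DSA).
HAZARDS = [
    Hazard("H-01", "crane drop onto waste container", False, "unlikely", ["ACC-1"]),
    Hazard("H-02", "chemical interaction in glovebox", False, "anticipated", []),
    Hazard("H-03", "heated process overtemperature", True, "extremely unlikely", [],
           ["TEMP-LIMIT", "VENT-RUNNING"]),
    Hazard("H-04", "fire in storage area", False, "unlikely", ["ACC-2"]),
]
ACCIDENTS = [
    Accident("ACC-1", "container breach from crane drop", "unlikely", ["C-1"]),
    Accident("ACC-2", "storage area fire", "anticipated", []),
]
CONTROLS = [
    Control("C-1", "crane load path and lift procedure"),
    Control("C-2", "temperature interlock on heated process", ["TEMP-LIMIT"]),
]


def find_disconnects(hazards, accidents, controls):
    """Run the cross sorts and return one list of findings per check."""
    acc = {a.accident_id: a for a in accidents}
    protected = {tag for c in controls for tag in c.protects_assumptions}
    findings = {"unbounded_hazards": [], "uncontrolled_accidents": [],
                "unprotected_assumptions": [], "frequency_mismatches": []}

    for h in hazards:
        # Every hazard that was not screened out must be enveloped by an accident.
        if not h.screened_out and not h.accident_ids:
            findings["unbounded_hazards"].append(h.hazard_id)
        # A screening assumption is only valid if some control protects it.
        for tag in h.assumptions:
            if tag not in protected:
                findings["unprotected_assumptions"].append((h.hazard_id, tag))
        # Both teams should assign the same frequency to the same event.
        for aid in h.accident_ids:
            if aid in acc and acc[aid].frequency != h.frequency:
                findings["frequency_mismatches"].append((h.hazard_id, aid))

    for a in accidents:
        # Every accident carried forward needs at least one preventive or mitigative control.
        if not a.control_ids:
            findings["uncontrolled_accidents"].append(a.accident_id)
    return findings


def hazards_by_accident(hazards):
    """The final check: sort hazards under the accident that is supposed to envelop them."""
    table = {}
    for h in hazards:
        for aid in h.accident_ids:
            table.setdefault(aid, []).append(h.hazard_id)
    return table


if __name__ == "__main__":
    for check, items in find_disconnects(HAZARDS, ACCIDENTS, CONTROLS).items():
        print(f"{check}: {items}")
    print(hazards_by_accident(HAZARDS))
```

On the constructed data the checks flag the chemical interaction that never reached the accident analysis, the fire accident with no control, the ventilation assumption that no control protects, and the fire frequency the two teams binned differently; each of these is one of the disconnects the paper describes.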
Use of a Common Team/Increased Communication
Using common personnel between the hazard and accident analysis teams ensures a
common philosophical approach to the analysis. Use of some common team members ensures
continuity in the analysis and minimizes the learning curve between the two teams.
If the same team cannot be used, it is recommended that there be regular communications
between the two teams to ensure that they are aware of what is going on with the other team
including buried assumptions.
Use of Event Flow Methodology
Many accident analyses use qualitative rather than quantitative accident analysis methodology.
Drawing out the accident sequence ensures that all hazards and branches of the accident are
covered. To use this methodology, the accident sequence is diagramed and every point where a
control has the potential to prevent or mitigate the consequences of the accident is identified.
Likelihoods of success and failure are assigned to each branch, and a final accident likelihood is
shown. This can be presented with and without controls. Every control can be explicitly
identified as a branch on the event flow diagram.
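The event flow evaluation described above, as an added example that is not part of the paper: the accident sequence is modelled as an initiating event followed by a chain of control branches, each with an assigned probability of success. A control marked "prevent" ends the sequence with no consequence when it succeeds; a control marked "mitigate" reduces the consequence but the sequence continues. The initiator frequency, the control names and their probabilities are constructed placeholders for a hypothetical crane-drop sequence, not values from any analysis.

```python
"""Event-flow (event tree) evaluation of an accident sequence (added example, constructed data)."""


def evaluate_event_flow(initiator_frequency, controls):
    """Walk the control branches in order and return (end_states, unmitigated_frequency).

    controls: list of (name, p_success, effect) with effect "prevent" or "mitigate".
    Each end state is (path, frequency, label); path records the success/failure of
    every control encountered on the way to that end state.
    """
    end_states = []
    # Each pending branch is (path, frequency, mitigated_so_far).
    pending = [((), initiator_frequency, False)]
    for name, p_success, effect in controls:
        next_pending = []
        for path, freq, mitigated in pending:
            succ = path + ((name, "success"),)
            fail = path + ((name, "failure"),)
            if effect == "prevent":
                # Successful prevention terminates the sequence with no consequence.
                end_states.append((succ, freq * p_success, "no consequence"))
            else:
                # Successful mitigation continues the sequence with reduced consequence.
                next_pending.append((succ, freq * p_success, True))
            # The failure branch continues in every case.
            next_pending.append((fail, freq * (1.0 - p_success), mitigated))
        pending = next_pending
    for path, freq, mitigated in pending:
        end_states.append((path, freq, "mitigated" if mitigated else "unmitigated"))
    unmitigated = sum(f for _, f, label in end_states if label == "unmitigated")
    return end_states, unmitigated


# Constructed placeholder values for a hypothetical crane-drop sequence.
SAMPLE_INITIATOR = 1.0e-2          # crane drops per year (assumed)
SAMPLE_CONTROLS = [
    ("load path and lift procedure", 0.90, "prevent"),
    ("container design", 0.99, "mitigate"),
    ("ventilation and HEPA filtration", 0.95, "mitigate"),
]


def crane_drop_example():
    """Evaluate the sample sequence with its controls credited."""
    return evaluate_event_flow(SAMPLE_INITIATOR, SAMPLE_CONTROLS)


def crane_drop_without_controls():
    """The same sequence with no controls credited: the initiator frequency goes straight
    to an unmitigated consequence, which is the 'without controls' presentation."""
    return evaluate_event_flow(SAMPLE_INITIATOR, [])


if __name__ == "__main__":
    states, unmitigated = crane_drop_example()
    for path, freq, label in states:
        branch = " -> ".join(f"{n}:{o}" for n, o in path) or "(no controls)"
        print(f"{freq:.3e}/yr  {label:15s} {branch}")
    print(f"unmitigated with controls:    {unmitigated:.3e}/yr")
    print(f"unmitigated without controls: {crane_drop_without_controls()[1]:.3e}/yr")
```

Because every branch is enumerated, the end-state frequencies always sum back to the initiator frequency, which is a convenient self-check that no branch of the accident has been dropped.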
Understanding of the Relationship of Different Portions of Accident/Hazard Analysis
By understanding the relationship of the different portions of the hazard and accident analysis,
activities can be appropriately sequenced so schedules are not adversely affected in the process.
For example, fire hazard analysis consequences and dose calculations should be started as early
as possible since they can feed into both the hazard and accident analyses. In addition, design
and processes should not be changing as the analyses are progressing. Sufficient time should be
allowed in the process to ensure consistency and completeness between all sections of the
Understanding Limitations of a Template Approach
If a template approach is used, the following factors must be considered to ensure its validity:
• Validation that the full array of hazards is encompassed by the template, or identification of
where hazards are required to be supplemented or subtracted.
• Validation that the seismic and natural phenomenon hazards are similar or understanding of
where they are different.
• Validation that external hazards are comparable.
• Validation that the seismic construction and pedigree of similar systems are comparable, or
understanding of the differences.
• Understanding of whether any requirements have changed since the template was created.
• Understanding of the regulatory audience that will be required to approve the document and
their differing expectations.