Volume One: Guidance

Assistant Secretary for Environment, Safety and Health

FOREWORD

This Department of Energy (DOE) Integrated Safety Management System (ISMS) Guide is approved for use by the Office of Environment, Safety and Health (EH) and the National Nuclear Security Administration (NNSA). This Guide is available for use by all DOE components and their contractors. This Guide is a consensus document coordinated by EH and prepared under the direction of the DOE Safety Management Implementation Team (SMIT).

This Guide provides guidance for addressing the following requirements:

• DOE P 450.4, SAFETY MANAGEMENT SYSTEM POLICY;
• DOE P 450.5, LINE ENVIRONMENT, SAFETY AND HEALTH OVERSIGHT;
• DOE P 450.6, SECRETARIAL POLICY STATEMENT, ENVIRONMENT, SAFETY AND HEALTH;
• DOE P 411.1, SAFETY MANAGEMENT FUNCTIONS, RESPONSIBILITIES, AND AUTHORITIES POLICY;
• and Department of Energy Acquisition Regulation (DEAR) clauses promulgated in 48 Code of Federal Regulations (CFR) 970.5223-1, 48 CFR 970.5204-2, and 48 CFR 970.1100-1.

Attachments 1 through 5 to Volume 1 contain the full text of these Policies and the relevant Safety Management System (SMS) sections of the DEAR.

Volume 1 of this Guide addresses the following topics:

• Introduction;
• Chapter I, SMS Integration and Products;
• Chapter II, ISMS Core Functions and Principles;
• Chapter III, ISMS Development, Implementation, Review, and Approval; and
• Chapter IV, Maintaining (Through an ISMS Configuration Control Process) an Approved ISMS and Reporting ISMS Status to DOE on an Annual Basis.

Volume 2 of the Guide includes the following appendixes:

• Appendix A: Glossary;
• Appendix B: Resources for Complying with the SMS Policies, the FRAM, and the DEAR;
• Appendix C: Superseded;
• Appendix D: Discussion of Safety Management Assessment;
• Appendix E: ISMS Evaluation Guidance;
• Appendix F: Examples of Topics Addressed in ISMS Description Documents; and
• Appendix G: Feedback and Improvement Mechanisms.

This Guide was first revised in 1999 to address feedback received as a result of the 6-month trial implementation period following the release and use of Revision 0. Although the Guide was revised throughout, Chapter III, ISMS Development, Implementation, Review, and Approval, and Appendix E, ISMS Evaluation Guidance, were substantially revised based on experience and feedback. Additionally, Section, I.3, Tailoring the ISMS, and Appendix C were removed.

This revision (Revision 2) includes two substantial changes to Volume 1, Chapter II: the addition of a new Section 5.3, Sample Checklist for Authorization Agreements; the replacement of Section 6, Core Function 5, Feedback/Improvement.

The new Section 6 reflects an expanded view of the feedback and improvement function and was developed in response to commitments made in a letter (dated 6-3-98) from the Deputy Secretary to the Defense Nuclear Facilities Safety Board. This proposed revision is supplemented by the other change to the Guide: a proposed new Appendix G, which appears in Volume 2. The new Appendix G provides examples of feedback and improvement mechanisms typically used within DOE. It also provides guidance on the DOE Corrective Action Tracking System operation.

Another significant event that caused revision was the December 11, 2000, publication of the final Nuclear Safety Management rule, 10 CFR 830. The rule now includes a set of safety basis requirements that supersede those in DOE Orders 5480.21, 5480.22, and 5480.23.

Information on Integrated Safety Management (ISM) can be found on the Safety Management Home Page (http://tis-nt.eh.doe.gov/ism), which includes this Guide; Policies relevant to the SMS; DOE M 411.1-1B, MANUAL OF SAFETY MANAGEMENT FUNCTIONS, RESPONSIBILITIES, AND AUTHORITIES (the FRAM); the lower-tier Functions, Responsibilities, and Authorities (FRA) documents; and relevant parts of the DEAR.

Questions concerning the SMS Policy should be directed to Mr. Ted Wyka, Safety Management Implementation Team, at 202-586-3519. Questions concerning administration or content of this Guide should be directed to Mr. Richard Stark, EH, at 301-903-4407.

INTRODUCTION

PURPOSE. This Guide has two purposes. One purpose is to assist Department of Energy (DOE) contractors in developing, describing, and implementing an Integrated Safety Management System (ISMS) in compliance with DOE P 450.4, SAFETY MANAGEMENT SYSTEM POLICY (the SMS Policy); DOE P 450.5, LINE ENVIRONMENT, SAFETY AND HEALTH OVERSIGHT; DOE P 450.6, SECRETARIAL POLICY STATEMENT ENVIRONMENT, SAFETY AND HEALTH; DOE P 411.1, SAFETY MANAGEMENT FUNCTIONS, RESPONSIBILITIES, AND AUTHORITIES (FRAM); and the following provisions of the Department of Energy Acquisition Regulation (DEAR):

• 48 Code of Federal Regulations (CFR) 970.5223-1, which requires integration of environment, safety, and health into work planning and execution;
• 48 CFR 970.5204-2, which deals with laws, regulations, and DOE directives; and
• 48 CFR 970.1100-1, which requires performance-based contracting.

Attachments 1 through 5 to Volume 1 contain the full text of the Policies and the relevant ISMS sections of the DEAR.

A second purpose of this Guide is to assist DOE line managers and contracting officers (COs) who provide ISMS guidance and requirements, review and approve ISMS products,verify implementation of the ISMS, and perform various integrating activities (e.g., planning, budgeting, review, approval, and oversight) that complement or are required for the ISMS.

DOE responsibilities for these activities are described in the three ISMS-related DEAR clauses listed above, DOE M 411.1-1B, MANUAL OF SAFETY MANAGEMENT FUNCTIONS, RESPONSIBILITIES, AND AUTHORITIES (the FRAM), and the lower-tier Functions, Responsibilities, and Authorities (FRA) documents.

This Guide does not override, alter, or minimize the requirements of the SMS Policies, the DEAR, the FRAM, or other DOE regulations and requirements. It is not a prescriptive document but instead offers flexible guidance that complies with the requirements of the Policies, the law, and the FRAM. Other practices that meet the intent of this Guide and comply with the requirements may be used.

ISMS OBJECTIVE. The objective of an ISMS is to incorporate safety into management and work practices at all levels, addressing all types of work and all types of hazards to ensure safety for the workers, the public, and the environment. To achieve this objective, DOE has established guiding principles and core safety management functions. The objectives, principles, and functions are set forth in the attached Policies and DEAR clauses and are discussed in detail in this Guide. An effective ISMS must address these principles and functions while considering the following:

• the planning and performance of all types of potentially hazardous work, including but not limited to the following: construction, operations, maintenance and decommissioning, as well as design, conceptual studies, environmental analyses, safety analyses, hazard reduction analyses, pollution prevention/waste minimization and risk analyses;
• all types of hazards, including chemical, occupational, environmental, nuclear, electrical, transportation, etc.; and the identification, analysis, and control of hazards, and the use of feedback for continuous improvement in defining, planning, and performing work.

In the SMS Policy and this Guide, the term "safety" is used to encompass environment, safety, and health. Management and workers should understand that safety is an integral part of each work activity. Accordingly, safety should be a prime consideration in the work practices of all personnel, including line management at the field office, corporate, and division levels, and program personnel at all management and working levels.

ISMS PROCESS AND PRODUCTS. The three DEAR clauses specify the processes and products in developing and implementing an ISMS, including the following:

The contractor develops and documents an ISMS in accordance with the requirements in the DEAR (48 CFR 970.5223-1) and guidance provided by the CO. The ISMS description allows DOE and the contractor to agree upon a framework for safety management of contracted work.

DOE reviews and approves ISMS documentation in accordance with the DEAR [48 CFR 970- 5204-2(e)] and the responsibilities specified in the FRAM.

DOE evaluates satisfactory ISMS implementation in accordance with the FRAM (Section 9.5.2).

On an annual basis, the contractor reviews and updates for DOE approval its safety performance objectives, performance measures, and commitments, consistent and in response to DOE's program and budget execution guidance and direction [48 CFR 970.5223-1(e)].

In addition, the FRAM requires DOE to perform numerous ISM actions such as monitoring the proper implementation of controls (Section 9.4.4), and performing assessments of their own organizations to identify areas in which continuous improvements in the safety of DOE operations can be realized (Section 9.6.1.4).

APPLICABILITY. This Guide applies to the activities required of DOE/National Nuclear Security Administration (NNSA) line managers and contracting officials (referred to as contracting officers, heads of contracting authorities, or field element managers) in fulfilling their responsibilities, as specified in the ISMS Policies, the DEAR, and the FRAM. (For simplicity, "DOE," as used throughout this Guide, includes NNSA.)

This Guide also applies to the activities required of DOE contractors in fulfilling their responsibilities, as specified in the Policies and in the DEAR.

CHAPTER I

SMS INTEGRATION AND PRODUCTS

DOE is responsible for ensuring that work performed at its sites is conducted efficiently and in a manner that ensures protection of workers, the public, and the environment. To formalize this responsibility, DOE issued DOE P 450.4, SAFETY MANAGEMENT SYSTEM POLICY, on October 15, 1996. The SMS Policy specifies a formal, organized process based on key guiding principles and core functions for ensuring the integration of safety, health, and environmental considerations into all types of work, at all DOE sites and facilities, for all types of potential hazards. As a result of the SMS Policy, DOE subsequently issued the related Department of Energy Acquisition Regulation (48 CFR Chapter 9, the DEAR) on June 27, 1997, which, with regard to integration, requires the following:

•  The contractor shall ensure that management of environment, safety and health (ES&H) functions and activities becomes an integral but visible part of the contractor's work planning and execution processes  [48 CFR 970.5223-1(b)]
• the System shall be integrated with the contractor's business processes for work planning, budgeting, authorization, execution, and change control. [48 CFR 970.5223- 1(e)]

DOE also issued DOE P 411.1, SAFETY MANAGEMENT FUNCTIONS, RESPONSIBILITIES, AND AUTHORITIES POLICY, on 1-28-97, and DOE M 411.1-1A, MANUAL OF SAFETY MANAGEMENT FUNCTIONS, RESPONSIBILITIES, AND AUTHORITIES (the FRAM) on 10-18-99. Additionally, DOE P 450.5, LINE ENVIRONMENT, SAFETY AND HEALTH OVERSIGHT, and DOE P 450.6, SECRETARIAL POLICY STATEMENT ENVIRONMENT, SAFETY AND HEALTH, were issued to emphasize certain aspects of ISMS.

The DEAR describes ISMS responsibilities for both DOE and contractors, while the FRAM (both the Headquarters Level 1 FRAM and the lower-tier directives known as "FRAs") describes responsibilities and authorities for DOE only.

Section 1 of this chapter discusses the general nature of integration and Section 2 discusses the processes and products associated with the development and implementation of an ISMS. Section 3 of this chapter discusses the concept of tailoring an ISMS.

1. GENERAL ASPECTS OF INTEGRATION

In general, the development and implementation of an ISMS requires an organization to integrate safety into all aspects of work planning and execution, using the guiding safety principles and core functions set forth in the SMS Policy. Integration means that all management systems and programs are designed to fit together to permit safe and efficient performance of work. Safety should be incorporated as a value into all business and operations systems. Integration is especially important for programs and activities with conflicting or competing goals or requirements (e.g., fire protection and criticality safety, or personnel safety and safeguards and security). Therefore, to achieve an ISMS that satisfies the DEAR, organizations should document the ISMS policies, programs, procedures, and manuals they plan to use. They should then submit their plan for DOE review and approval before finally implementing it. These processes will generate a number of documents, products, and actions that can be used to track and record the progress and success of the ISMS, as discussed in Section 2 of this chapter.

As described in Sections 1.1 through 1.5 below, choices made during the development of an ISMS are affected by a number of factors. For example, ISMSs can vary significantly among sites (even for similar activities), among facilities (even at the same site), and among activities (even within the same facility). Other factors that may affect SMS integration include

• the relative responsibilities of DOE and contractor personnel;
• business processes, such as budget and resource allocation;
• the type of contract in place;
• the nature of the hazard (i.e., nuclear, chemical, fire, industrial, environmental, and combinations of these potential hazards); and
• the scope of the threat (local, sitewide, public, environmental, and combinations of these individuals and sectors) posed by the hazard.

1.1 SMS Integration by Site, Facility, and Activity

In general, operating organizations use corporate and sitewide safety programs (e.g., fire protection and emergency planning) as well as facility- and activity-specific safety processes. Some of these programs are established at the site level to address, for example, radiation protection, environmental protection, industrial hygiene, industrial safety, and emergency planning. Other programs, such as those for configuration management and conduct of operations, are more appropriately specified at the facility or project level. And some processes, such as quality inspection, or those used for Enhanced Work Planning (EWP), can be specified at the task level.

All safety control measures, programs, and processes, regardless of the level at which they are specified, and regardless of whether they are mandatory or voluntary, flow down and must be implemented at the appropriate work level to achieve adequate safety. Both DOE and the operating organization should review existing processes and programs to ensure they are integrated, flow down to the task/activity work level, and adequately address ISMS requirements. For these reasons, an ISMS must include processes for selecting and applying site and facility processes or procedures to use in developing work-specific control measures. DOE and its contractors also use a variety of voluntary safety initiatives that are outside the contract/ regulatory structure. The EWP initiative, for example, can be used for developing ISMS objectives and expectations at the task/activity level.

Managers and workers at all organizational levels should be involved in developing, maintaining, and improving the controls that must be applied to work at the task/activity level.

Safety must take top priority in keeping the workplace as free as possible of recognized hazards that might endanger workers, the public, or the environment.

Figure 1 illustrates the layered structure that characterizes an ISMS. Each circle represents a single organizational level; that is, the institution or site level, the facility level, and the activity level. Individuals at each level of the organization play a role in work and safety planning. As illustrated in Figure 1, the core safety functions are integrated activities at each level.

At the facility and activity levels, workers (i.e., operational staffs) are essential in identifying and implementing controls and performing work.

At the facility level, multiple activities are defined and the work is planned and integrated so as not to delay, interfere, or hinder other activities. The results of this lower-tier integration feed back to higher tiers in the line management chain for integration with other programs.

At the institutional or facility level, the scope of work is defined using input from DOE (via contracts) and from the lower-level line managers and facility workers who have detailed knowledge of the work activities.

Figure 2 shows how sitewide activities overlay the facility, activity, and work for a Hazard Category 2 facility. Although the SMS Policy is the same for all facilities and activities, the contractor's safety control measures are tailored to the site, facility, and activity based on the hazards and work being performed.

1.2 Integration of DOE and Contractor Roles

Another aspect of integration is the complementary nature of DOE and contractor responsibilities in ensuring integration of safety. Contractor responsibilities are typically defined in the DEAR contract requirements and are incorporated in the contract, corporate policies, and manuals. Application of these documents is outlined in the contractor's ISMS description.

Although the DEAR specifies some DOE responsibilities, most are described in the FRAM. Each line, support, oversight, and enforcement organization within DOE is responsible for establishing a lower-tier FRA document specifying how its functions and responsibilities, as assigned in the FRAM, are to be properly discharged. The FRAM also provides an overview of the interfaces between DOE functions and those of operating organizations; that is, Government-Owned, Contractor-Operated (GOCO) facilities and Government-Owned, Government-Operated (GOGO) facilities. Such safety management responsibilities include budget management as well as the use of feedback from oversight and review functions. 1.3 Integration of Safety and Business Processes

Determining budget and resource allocations necessary to provide safe operations must be integrated with both DOE's and the contractor's annual planning and budget cycle. A first step is to translate missions into work requirements in conjunction with the prioritization of budget and resources. By accomplishing the two tasks work analysis and budget formulation in tandem, DOE can more accurately estimate the funding required for safety analysis and control of hazards associated with the task. Both DOE and contractor line managers should take the lead in bringing safety expertise to bear in support of those programs/activities for which they are responsible [see DEAR 48 CFR 970.5223- 1(b) and (e)]. Integrated safety management should also identify and communicate any projected vulnerabilities and risks not addressed within the projected budget. This ensures that DOE is aware of any potential site vulnerabilities and provides an opportunity to develop and enforce risk management options and strategies, including re-scoping activities, re-allocating funds and resources to address the vulnerabilities, or identifying the consequences of proceeding without addressing them.

1.4 Integration by Type of Risk and Hazard

Integration allows for effective and efficient management of risk to workers, the environment, and the public. It is DOE line management's responsibility to ensure that contractors develop and effectively implement an ISMS tailored to the risk of the work and the associated hazards and develop and effectively integrate their safety management systems with the business and operational systems throughout their organizations.

The integration process must also address all hazards and the possible risks these hazards may present to workers, the public, and the environment. Individuals responsible for engineering the processes (e.g., weapons assembly and disassembly, nuclear material fabrication and stabilization, criticality experiments, waste storage, hazardous waste cleanup, routine maintenance, pollution prevention, and waste minimization) should work with multidisciplinary teams who have direct responsibility for analyzing hazards, identifying control measures derived from that analysis, and ensuring those measures are effective. Similarly, individuals responsible for operations should have direct responsibility for the safety of those operations and should be given the resources to implement the necessary controls.

1.4.1 Integration of Risk (Worker, Public, and the Environment)

Systems for worker safety, industrial hygiene, medical services, radiation worker protection, safeguards and security, emergency response, emissions control, waste management, public safety, and environmental protection perform more effectively and efficiently when they are integrated. For that reason, managers responsible for individual systems should know where each of their processes interfaces with a process owned by another organization. Responsible managers should then communicate routinely with interfacing managers to assess the efficiency and effectiveness of the process and communicate immediately whenever changes occur that have an impact on one or more interfaces.

An ISMS provides the structure by which specific activities can be carried out by different organizations while adopting a uniform approach to protecting the workers, the public, and the environment. At the same time, an ISMS allows an organization the flexibility to adapt and improve systems to its needs, priorities, and changing mission and environment without jeopardizing the needs, priorities, and missions of other, interfacing organizations.

Worker Safety

When worker safety is managed as a vital and valued part of an integrated safety management system, both managers and workers gain ownership in the process. As a result, work can be conducted safely and work processes can be continuously improved. To be successful, however, a viable worker safety system requires commitment from managers and meaningful involvement of workers. Meaningful worker involvement requires each and every employee in an organization to be held accountable for his or her safety performance.

• Meaningful management commitment to worker safety requires the following:
• providing adequate resources for risk management;
• training workers how to work safely; ensuring compliance with all applicable requirements and regulations;
• ensuring accountability for safety performance;
• soliciting worker input regarding workplace hazards and selection of appropriate controls;
• identifying existing and potential workplace hazards and evaluating the risk of associated worker injury or illness;
• encouraging worker responsibility to demonstrate a strong, questioning attitude regarding work and the hazards associated with the work;
• ensuring strict compliance with precautions, limitations, requirements, and constraints of work control documents, including work site conditions;
• empowering workers to exercise their Stop Work authority;
• communicating risk with the worker;
• implementing a process to ensure that all identified hazards, such as radiological, chemical, etc., are managed through a process of prevention/mitigation or control;
• selecting hazard controls based on the following hierarchy:
  • engineering controls,
  • work practices and administrative procedures, and
  • personal protective equipment;
• identifying Occupational Safety and Health Standards; and
• implementing radiological protection policy and practices based on the precept that radiological exposures for workers should be kept as low as reasonably achievable (ALARA).

Public Safety

Integrating public safety into operations requires increased and intentional management awareness and commitment. Work planning must include the consideration of its possible impact on public safety. Every impact that is identified must be managed as a hazard to worker safety would be managed, and subjected to the same responsibility and accountability as part of an integrated safety management system.

Public protection is ensured via rigorous application of the ISMS core functions and principles. The cornerstone of that effort is a thorough understanding of the hazards attained by means of a comprehensive safety analysis program and the implementation of robust control measures. DOE provides considerable guidance for the analysis and evaluation of all types of hazards through its requirements for safety analysis reports (SARs) for nuclear facilities and operations or their equivalents for other types of facilities and operations (e.g., chemical and industrial activities). Although DOE-STD-1120 is specifically written for disposition activities, it provides guidance for all types of hazards and the methodology is generally applicable to other parts of the facility life cycle.

Environmental Protection

The following techniques and methods for dealing with environmental risks are consistent with the guiding principles and core functions to be addressed in an ISMS. Threats to the environment are generally addressed through environmental assessments (EAs) or environmental impact statements (EISs), which are required by NEPA (National Environmental Protection Act, 10 CFR 1021).

In addition, environmental management systems (EMSs) used by the Federal government should be integrated with the ISMS (see Section 3 of DOE STD-1120). An EMS is that part of the overall management system that includes organizational structure, planning activities, responsibilities, practices, procedures, processes, and resources for developing, implementing, achieving, reviewing, and maintaining the environmental policy. A discussion of EMSs is provided in DOE/EH-0573, Environmental Management Systems Primer for Federal Facilities.

An EMS provides the structure by which specific activities can be carried out efficiently and in a manner consistent with key organizational goals; an EMS also allows an organization the flexibility to adapt the system to its needs and priorities. The EMS approach has its genesis in the same movement that created the "quality management" systems traditionally applied to manufacturing. The two predominant EMS documents are the Code of Environmental Management Principles for Federal Agencies (CEMP) and ISO 14001, Environmental Management Systems.

CEMP was developed by the Environmental Protection Agency (EPA) in response to Executive Order 12856, Federal Compliance with Right-to-Know Laws and Pollution Prevention Requirements, signed on August 3, 1993. EPA patterned the CEMP on the common critical elements of a comprehensive management system tailored to the environmental activities of an organization (i.e., an EMS). CEMP uses a construct of five broad principles and underlying performance objectives as the basis for Federal agencies to move toward responsible environmental management. CEMP principles help ensure environmental performance that is proactive, flexible, cost-effective, integrated, and sustainable.

ISO 14001, developed by the International Organization for Standardization, provides a comparable EMS construct that is being implemented throughout the world. The guiding principles and core functions of an ISMS correspond to the elements of an EMS. Thus, an effective ISMS will address the environmental aspects of the safe completion of mission.

DOE is responsible for transitioning facilities from operational status to deactivation and eventual dismantlement or reuse. The characterization of hazards from residuals in such facilities and the establishment of controls to maintain safety during the interim must account for DOE responsibilities under the Atomic Energy Act. However, the controls should also be compatible with the subsequent transition to regulation by EPA and the States during the final disposition of facilities under the Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA), the Clean Water Act (CWA), the Clean Air Act (CAA), and the Resource Conservation and Recovery Act (RCRA) (e.g., decommissioning of the plutonium concentration facility, 233-S, at Hanford). DOE- STD-1120 provides guidance for such disposition activities.

State, local, and Federal government permits and the controls to implement them (e.g., CERCLA, CAA, and RCRA permits) need to be included in the ISMS.

1.4.2 Hazard Types

An ISMS should have similar and consistent processes for dealing with different types of hazards; that is, nuclear, chemical, and industrial hazards, and natural disasters. Such processes include analysis, development of technical or administrative controls, hazard avoidance and prevention, and implementation of any mitigating measures. For example, permits (both internal and external) issued by different groups at the activity level need to be integrated to preclude duplication of effort and to ensure protection of the worker, the public, and the environment. Further, for processes involving multiple types of hazards, consideration should be given to the use of worker/management teams with a variety of expertise to ensure that each type of hazard receives informed consideration. EWP can be used to accomplish this integration.

1.4.3 Integration Responsibility

Everyone has a role in integrating safety on site! Line management is responsible and accountable for safety, safety management, and the integration of safety into business and operations at a site. Line management is responsible for appropriate use of ES&H in performance of safety assessment tasks. Line management translates mission into work, sets clear and prioritized expectations, directs the work, and bears accountability for the results.

Workers are responsible for participating in the safety management process to the level of their responsibility and accountability for performing work safely. Depending on the level of responsibility, each worker needs to ask, "How do I know safety has been integrated into my work?" and "How do my activities contribute to safety?"

Line management directs work and helps workers translate missions into work, set expectations, prioritize tasks, identify preliminary hazards to determine resource allocation and priority assignment, and develop program plans that outline resources, priorities, and tasks balanced against risks. Workers, on the other hand, perform work and should question whether their work is defined clearly enough to work safely. This is accomplished through stand-up meetings with supervisors, practical training, feedback, and pre-job briefings.

1.5 Integration by Phase of Facility Life Cycle

The five core functions (see Table 1 in Chapter II) of the integrated safety management process can be used at any stage of the facility life cycle (see Figure 3). The exact nature of the activity changes as the safety processes are integrated first, with the conceptual design, preliminary design, and final design activities; second, with the engineering design and development activities; third, with the more traditional integrated safety management activities associated with the physical plant during the construction and operational phases; and finally, with the activities to be performed during facility disposition.

The seven guiding principles of integrated safety management (see Table 1 in Chapter II) are as applicable to controlling conceptual design as to controlling facility operations and facility disposition. Early implementation ensures that safety is integrated into the design process and that operational safety issues are addressed early enough to affect the design. Addressing safety measures early in the process permits cost-effective solutions to be implemented and prevents the use of inappropriate and overly costly controls on hazards that can be reduced or eliminated. The ISMS follows the same basic approach during all phases of facility disposition (deactivation, decommissioning, and long-term surveillance and monitoring). DOE-STD-1120-98 describes the application of ISMS to all facility disposition activities.

2. ISMS DEVELOPMENT AND IMPLEMENTATION PROCESSES AND PRODUCTS

DOE and the contractor should follow the steps outlined in the following sections to develop, review, approve, implement, and monitor an ISMS that is fully integrated with the work. Additional guidance on these development and implementation steps is provided in Chapter III and in Appendixes D, E, and F.

2.1 Develop and Document the ISMS in Accordance with Requirements in the DEAR

The process for developing and documenting an ISMS is specified in the DEAR, 48 CFR 970.5223-1. It includes the following provisions:

Each contractor is to manage and perform work in accordance with a documented ISMS that fulfills all conditions in 48 CFR 970.5223-1(b) and (c) at a minimum. Paragraph (b) of the clause describes the seven guiding principles of the SMS Policy. Paragraph (c) also lists the five core functions.

Each contractor is to submit its ISMS documentation of to the CO for review and approval. The CO then establishes dates for submittal, discussions, and revisions to the SMS [per 48 CFR 970.5223-1(e)].

The contractor-integrated SMS documentation is to describe how the contractor will perform the five core functions using the seven guiding principles [48 CFR 970.5223-1(c)]. In addition, the ISMS documentation is to describe how the contractor will establish, document, and implement safety performance objectives, performance measures, and commitments in response to DOE program and budget execution guidance while maintaining the integrity of the ISMS.

The ISMS documentation shall also describe how the contractor will measure system effectiveness [48 CFR 970.5223-1(d)].

The SMS is to be integrated with the contractor's business processes for work planning, budgeting, authorization, execution, and change control [48 CFR 970.5223-1(e)].

Chapter III, Section 3.2, provides guidance that may be helpful in complying with these requirements.

The DEAR [48 CFR 970.5223-1(e)] also requires the contract to include safety performance objectives and measures, which should cover both sitewide parameters (such as injury-caused lost days of work), specific program measurements (such as SAR approval), and ES&H priorities specific to the work to be accomplished. The DEAR also requires that the contractor measure the performance of the ISMS. Because of the potentially broad application of performance measurement and the opportunity to share the results across programs and at all levels of management, the development of performance objectives and measures is an important integration activity.

2.2 Review and Approve the ISMS as Required by the DEAR and in Accordance with DOE Responsibilities in the FRAM

DOE personnel must review and approve ISMSs in accordance with the DEAR [48 CFR 970.5223- 1(e)] and the FRAM. The process for implementing review and approval is discussed in Chapter III, Section 3, and in Appendix E. Additionally, the Office of the Deputy Assistant Secretary, Oversight (EH-2), performs oversight of DOE safety management functions. The FRAM is organized in accordance with the Policy and addresses DOE responsibilities and authorities for each of the five core functions.

2.3 Evaluate the ISMS Implementation

The contractor should ensure that its approved ISMS description has been implemented. This is done initially with the CO-implemented review and approval. Additional ISMS reviews are done in accordance with DOE P 450.5. DOE evaluates implementation of the ISMS in accordance with the DEAR and the FRAM. This evaluation is an effective process for ensuring the contractor's SMS is integrated and working as described in the ISMS documentation.

2.4 Monitoring and Annual Update of the ISMS in Accordance with Requirements in the DEAR

The DEAR requires the following:

On an annual basis, the contractor shall review and update, for DOE approval, its safety performance objectives, performance measures, and commitments consistent with and in response to DOE's program and budget execution guidance and direction [48 CFR 970.5223-1(e)].

Work processes and organizational safety management performance should be continuously measured and evaluated to ensure that line management is aware of the contractor's compliance with the documented SMS. Accordingly, DOE and contractor organizations perform management and independent assessments using quantitative and/or qualitative information obtained from a variety of sources (e.g., in-process monitoring, performance indicators, occurrence reports, trending, statistical analysis, management assessments, independent assessments, and workers, customers, suppliers, regulators, and stakeholders). Because such evaluations are conducted at all organizational levels, they contribute to safety management integration. Improvement actions identified are shared with similar organizations and are tracked throughout implementation to determine whether they are yielding the anticipated improvements. Evaluation reports, which document the process followed, the results, and measurements indicating the success of the improvements, are part of the ISMS.

3. TAILORING THE ISMS

Because work can range in complexity and hazard potential from high-hazard operations in major facilities to much simpler tasks, such as replacement of a contaminated component, DOE safety management directives are structured to address a variety of hazardous operations. In this context, tailoring is directed principally at developing safety controls fitted to the hazards and the work. Through tailoring, existing guidance and safety management processes can be selectively applied to planned work activities to meet applicable, enforceable requirements while adequately protecting health, safety, and the environment.

The DEAR environment, safety, and health clause [48 CFR 970.5223-1(b)(6)] and the SMS Policy state explicitly that administrative and engineering controls to prevent and mitigate hazards shall be tailored to the work and associated hazards. To meet this requirement, DOE and contractor personnel at all levels should not only tailor their ISMSs, but should also evaluate the effectiveness of their work management systems to continuously improve system performance.

Work management systems must deal effectively with a full spectrum of work types and work activities. They must allow flexibility in planning, analysis, and work preparation, which, in turn, includes tailoring the work and hazard controls to the work at hand. As a result, a successful ISMS should ensure high- quality work and compliance with predetermined performance expectations, while continuously ensuring that work is conducted in an environmentally sound, safe, and healthy way.

DOE G 450.3-3, TAILORING FOR INTEGRATED SAFETY MANAGEMENT APPLICATIONS, provides guidance for tailoring an ISMS and its core functions.

CHAPTER II

ISMS CORE FUNCTIONS AND GUIDING PRINCIPLES

This chapter describes the seven guiding principles and five core functions set forth in the SMS Policy (DOE P 450.4) and DEAR clauses. Attachments 1 and 5 contain the full text of the Policy and DEAR SMS clauses.

The three guiding principles that relate to all core functions are discussed first. The remaining five sections in this chapter correspond to each of the five core functions and include discussions of other guiding principles that apply (see Table 1 below).

Table 1. Matrix Showing How and Where Core Functions and Guiding Principles are Addressed in this Guide

Core Functions [See 48 CFR 970.5223-1(c).] Guiding Principles [See 48 CFR 970.5223-1(b).] Chapter and Section Number

- 1. Line Management Responsibility II.1 (III.4.6)

- 2. Clear Roles and Responsibilities II.1 (III.4.6)

- 3. Competence per Responsibilities II.1 (III.4.7)

1. Define Scope of Work 4. Balanced Priorities II.2 (III.2.1.1; 4.1.4)

2. Analyze Hazards

II.3 (III.3.1.1; 4.2)

3. Develop and Implement Controls 5. Identification of Safety Standards 6. Tailor Hazard Controls to Work II.4 (III.3.1.2; 4.3)

4. Perform Work 7. Operations Authorization II.5 (III.3.1.3; 3.1.2; 4.4)

5. Feedback and Improvement

II.6 (III.3.1.4; 4.5)

Figure 3 illustrates the conceptual relationship among the core safety management functions. However, these functions are not independent, sequential functions but instead, a linked, interdependent collection of functions that often occur at the same time. The output of each function can affect the results of each of the other functions and, potentially, the whole system. Work planning, for example, affects multiple functions several times before a plan is executed.

For instance, by identifying and eliminating hazards during work planning, an organization can reduce the potential for related accidents later. During a Pollution Prevention Opportunity Assessment, options can be identified to reduce or eliminate the use of a toxic chemical, thereby minimizing a hazard to workers and the environment. Similarly, assessment and feedback conducted at any time during the performance of one function can and should affect future planning. Generally, for complex sites or facilities, the five functions are reiterated, with the exchange of information among participants progressing from a broad overview to detailed task descriptions. The reader of this Guide should, therefore, consider the core safety management functions as an integrated whole; however, for ease of presentation, the functions are discussed separately in this chapter. It is important to recognize the iterative character of ISMS functions and the need to integrate specific activities within the functions. An activity like training, for example, may be necessarily addressed in all five core functions.

1. GUIDING PRINCIPLES 1, 2, AND 3

The following three guiding principles relate to responsibilities intrinsic in all five core functions and are therefore addressed here:

• Line Management Responsibility for Safety, Clear Roles and Responsibilities, and Competence Commensurate with Responsibilities.
• These interrelated guiding principles help ensure the management structure has personnel who focus on safe accomplishment of mission, understand their assignments, and can carry out the core safety management functions correctly and efficiently.
• These principles are dependent upon management commitment and employee involvement. Management commitment is demonstrated by the documented ISMS and policy statements that are communicated throughout the organization, managers' accountability for safety performance, and the visible presence of managers addressing safety issues. Management commitment is also demonstrated by fostering employee involvement in development and implementation of the ISMS, and emphasizing the importance of individual accountability for performing work safely.
• Employees/workers should be actively and continually involved in the development and deployment of the ISM processes that execute the ISM function. As individuals and as work teams, employees/workers actively participate in the activities of the ISM processes that address workplace safety, public safety, and environmental protection. Employees/workers continually examine the ISM management processes used to conduct their individual work efforts for continual improvement and actively pursue these improvements with contractor management. Individual accountability for performing work safely is emphasized.

To be used effectively, these principles are dependent upon management commitment and employee involvement. Management commitment can be demonstrated by the following actions:

• Management communicates the documented ISMS and policy statements throughout the organization.
• Managers are held accountable for safety performance.
• Managers are visibly present, addressing safety issues.
• Managers invite and encourage employees at all levels to participate in development and implementation of the ISMS.
• Managers emphasize the importance of individual accountability for performing work safely.
• The ultimate responsibility and accountability for ensuring adequate protection in the operation of DOE facilities, while meeting mission requirements, rests with DOE line management, as described in this section. This principle relies upon a chain of responsibility that extends from the Secretary, through DOE line management and COs, to contractor management and workers:
• DOE, as described in the FRAM, assigns safety responsibility and authority to DOE and contractor line management.
• DOE, as described in the FRAM, assigns safety support responsibilities to organizations outside of line management.
• DOE and contractor line managers are responsible for integrating safety into work.
• DOE and contractor line managers are responsible for ensuring competence of their workforces and line managers.

1.1 DOE Responsibilities

The FRAM establishes the responsibilities for managing those functions that are fundamental to safety management and that need to be performed consistently throughout the Department. In accordance with the first guiding principle, Line Management Responsibility for Safety, the FRAM specifies DOE safety management functions with clear lines of responsibility and authority that are necessary to

define essential safety management functions; ensure compliance with legal and contractual requirements; and implement the standards necessary to provide reasonable assurance that workers, the public, and the environment are adequately protected.

Line management includes any management level within the line organization that is responsible and accountable for directing and conducting work. Accordingly, line managers (i.e., Secretarial Programmatic Officers and Field Managers) are responsible for ensuring operational safety and ES&H compliance with requirements established by contract terms and conditions. It is recognized that these responsibilities include the identification and use of ES&H professionals in performance of some tasks important to safety.

The FRAM is a corporate-level directive. As such, the FRAM addresses functions, responsibilities, and authorities for DOE organizations responsible for overall direction of integrated safety for all DOE operations and facilities. The FRAM also describes roles and responsibilities for setting Departmental direction, a step that must take place before implementation of the safety management functions, plans, mission statements, budget resource allocation, and the technical competence qualifications required of staff.

Implementation details are addressed in lower-tier FRA documents, which are required by the FRAM Policy, DOE P 411.1, for each line, support, oversight, and enforcement organization within DOE. These lower-tier FRA documents specify the functions to be performed and who has the responsibility and authority for performing those functions.

The second guiding principle, Clear Roles and Responsibilities, builds upon the first by stating the following:

• Clear and unambiguous lines of authority and responsibility for ensuring safety shall be established and maintained at all organizational levels within the Department and its contractors.
• The FRAM establishes a continuous line of authority from the Secretary to the DOE interface with contractors by defining DOE roles and responsibilities for Headquarters and field element line management. The FRAM addresses the second guiding principle, Clear Roles and Responsibilities, as follows:
• clearly delineate management and safety responsibilities for approving the contractor's ISMS and other binding agreements that implement the ISMS;
• clarify the roles, responsibilities, lines of authority, and delegations between Headquarters and field organizations;
• define functional relationships and responsibilities among DOE line, support, oversight, and enforcement organizations; and
• address the coordination of line management direction from multiple program offices at a single site.

The FRAM also addresses the third guiding principle, Competence Commensurate with Responsibilities, by assigning each DOE element the responsibility for ensuring that its employees are qualified to perform their assigned functions. The Assistant Secretary for Management and Administration (MA-1) is assigned responsibility for assisting DOE line managers in recruiting and retaining highly qualified technical personnel.

In addition to the FRAM, other DOE directives provide direction for training and qualifying personnel; some are listed below:

DOE O 360.1, TRAINING, provides requirements for establishing, implementing, documenting, and evaluating training programs for Federal employees.

DOE O 541.1, APPOINTMENT OF CONTRACTING OFFICERS AND CONTRACTING OFFICER REPRESENTATIVES, specifies qualifications for contract officers.

DOE O 414.1A, QUALITY ASSURANCE, establishes quality assurance (QA) objectives and requirements, including requirements that personnel are capable of performing their assigned tasks..

The DOE Core Technical Group (CTG) has been established to support and supplement line management as needed for special issues or projects. This group consists of technical experts who may be used by DOE line organizations.

1.2 Contractor Responsibilities

In accordance with the first guiding principle, Line Management Responsibility for Safety, contractor line management is responsible for ensuring that work is performed safely, in a manner that ensures adequate protection for employees, the public, and the environment. Line management includes those contractor and subcontractor employees managing or supervising employees performing work.

The second guiding principle, Clear Roles and Responsibilities, builds upon the first by stating

Clear and unambiguous lines of authority and responsibility for ensuring safety shall be established and maintained at all organizational levels within the Department and its contractors.

The DOE Quality Assurance rule (10 CFR 830.120) applies to contractors operating DOE nuclear facilities. In addition, DOE O 414.1A is a contractual requirement for many DOE contractors. Both the CFR and the Order contain specific requirements for documenting the organizational structure, functional responsibilities, levels of authority, and interfaces for those managing, performing, and assessing the work. These details may be provided by reference to the contract, regulations, and other contractor-specific documents.

The contractor's description of its ISMS organization should clearly define roles and responsibilities by specifying how contractor functions are to be carried out and identifying who has the responsibility and authority to carry out those functions. Note that the organizational description in the ISMS should not be so detailed that minor organizational or personnel changes would require it to be revised.

The organizational description of contractor responsibilities should clearly demonstrate that line management has responsibility for safety. In addition, the description should indicate how responsibilities flow from the contractor's senior management to the worker. Just as with DOE, the contractor's organization should emphasize the flowdown of safety responsibilities through the chain of line management to the worker. In addition, the description should address contractor flowdown to subcontractors and suppliers, which is required by DEAR 970.5223-1, as follows.

• Contractors are responsible for ensuring subcontractors are held accountable for ES&H requirements by
• clearly specifying ES&H requirements pertinent to the work scope in the request for proposals;
• specifying ES&H requirements in the contract language;
• providing daily oversight of the subcontractor's performance of work by a subcontract technical representative;
• ensuring that safety and health representatives oversee the work site;
• providing site-specific training to subcontractors; and
• ensuring that safety professionals review and approve all safety plans and hazard communication programs before the start of any project.

Depending on the complexity and hazards associated with the work, the contractor may require that the subcontractor submit a Safety Management System for the contractor's review and approval.

In addition to requiring clear lines of responsibility and authority [DEAR 970.5223-1(b)(2)], DEAR 970.5223-1(b)(3) requires the contractor to ensure personnel possess the experience, knowledge, skills, and abilities necessary to discharge their responsibilities. Therefore, the contractor's ISMS description should address the third guiding principle, Competence Commensurate with Responsibilities, by identifying the qualifications required for specific contractor positions.

Federal Acquisition Regulation (FAR) 15.605 and 41 United States Code (U.S.C.) 253a require that "evaluation factors" be used in selecting DOE contractors. FAR 15.605 also cites management capability and personnel qualifications as factors that must be evaluated. Accordingly, contractor management determines the basis for selecting individual qualifications for specific position/job responsibilities. Qualifications and capabilities are provided via position/job descriptions, resumes of key personnel, or other, similar descriptions.

The following directives contain information for ensuring that personnel have the necessary qualifications:

• DOE 5480.20A, PERSONNEL SELECTION, QUALIFICATION, AND TRAINING REQUIREMENTS FOR DOE NUCLEAR FACILITIES;
• DOE O 440.1A, WORKER PROTECTION MANAGEMENT FOR DOE FEDERAL AND CONTRACTOR EMPLOYEES; and
• DOE O 414.1A/10 CFR Part 830.120, QUALITY ASSURANCE.

2. CORE FUNCTION 1, DEFINE SCOPE OF WORK, AND GUIDING PRINCIPLE 4, BALANCED PRIORITIES

DOE and the contractor identify and prioritize work and allocate resources. The contractor's role in this core function is generally to translate broad missions into specific work packages. DOE provides performance expectations by strategic plans, goals, and objectives, and through program execution guidance.

A well-defined scope of work is critical to the success of an SMS because it sets the stage for the scope and depth of hazards identification/analysis, is the foundation for the budget formulation/allocation process, and is the primary factor in establishing expectations and accountability.

A fundamental objective of Core Function 1, Define the Scope of Work, is to identify the scope, schedule, and costs of activities necessary to achieve DOE missions and expectations in a safe and environmentally sound manner.

2.1 Describing the Work

Work planning begins the integration of all systems pertinent and necessary to a process, operation, or task. The responsible manager is accountable for understanding as completely as possible the work to be done through every phase of the work cycle: (l) inception, (2) development and planning, (3) work conduct, and (4) shutdown.

To fulfill its operational responsibilities, line management must first determine the work to be performed. To do that, DOE and contractor line management organizations should establish formal processes for translating DOE mission statements into a scope of work. These processes should be used to establish expectations for satisfactorily accomplishing the work, prioritizing tasks, and allocating resources. DEAR 970.5223-1(b)(4) requires resources to be effectively allocated to address ES&H, programmatic, and operational considerations to ensure that DOE attends to its most significant hazards first, in a cost-effective manner. Therefore, when translating the mission into a meaningful definition of the work, DOE and contractor line management, including the Cognizant Secretarial Officer (CSO), must prioritize resources to ensure that work and safety are integrated, and that sufficient resources are available to conduct the work safely.

Each field office is expected to develop appropriate work plans, delineating scope, schedule, and funding allocations for each fiscal year. These plans should reflect the CSO mission assignments to the field and the mission in terms of work by facilities, projects, and programs (FRAM 9.2.1). The plans should also be consistent with the DOE budget formulation process; DOE O 130.1, BUDGET FORMULATION; and the annual budget, prepared by the Field Element Manager (FEM), and his or her contractors.

At the Department or program level, work is generally defined in terms of broad mission objectives, major projects, key milestones, etc. At this level, DOE performance expectations (e.g., cost, safety, quality, pollution prevention, schedules, etc.) address both the work processes and the work product and are described in DOE strategic plans, goals, and objectives and in the contract. (Section 9.1 of the FRAM describes DOE's development of strategic plans.)

Below the Department or program level, DOE and its contractor organizations should establish a hierarchy of work planning processes so that the plan at each successively lower tier reflects an increasingly detailed description of the work to be performed. In this manner, broad DOE mission objectives are eventually translated into discrete tasks for contractor personnel to complete. DOE renders these descriptions into a formal scope of work through a variety of work authorizing means, including the following examples: program execution guidance (PEG) documents, the Albuquerque Workload Planning Guide (AWLPG), the Nuclear Weapons Production and Planning Directive (P&PD), the Office of Environmental Management (EM) Accelerated Cleanup: Paths to Closure, and project data sheets.

Section 3.1 of DOE STD 1120 illustrates the work planning process down to the level of detail for a specific task or activity.

2.2 Determining the Level of Detail

It is extremely important for DOE and its contractors to formally establish and clearly define the work to be performed, the priority assigned, and the expectations for completion. The level of detail required in a given scope of work should be commensurate with the importance of the work, its complexity, and the potential risk of the associated hazards.

In some cases, the level of detail contained within the contract scope of work may be adequate for both parties to clearly understand what is to be performed. In other cases, such as a management and operating contract for a large DOE site, the scope of work stated in the contract may be expressed in broad, general terms. Whatever the case, the work scope should include those activities (such as fire protection, radiation protection, chemical hazards protection, training, etc.) that are necessary to control hazards associated with the work.

If the scope of work is highly sensitive to changes in mission or annual budgets, it may be necessary to adopt a more formal way to clarify the statement of work. For research and development work conducted at a laboratory, for example, the scope of work may be simple: to conduct certain experiments and to report on the technical progress or results. But if additional detail is necessary, it can be provided through one or more documents formally required by the contract, such as the annual operating plan (AOP), project execution plan, implementation plan, award fee plan, accelerated cleanup, performance-based incentive, or activity description sheet (ADS). DOE O 430.1A, LIFE- CYCLE ASSET MANAGEMENT, establishes requirements for planning and planning approvals. Planning activities for decommissioning projects should be consistent with DOE and EPA memorandums of agreement.

2.3 Establishing Expectations

Internally, each contractor organization should have one or more methods for establishing expectations for satisfactorily defining work, accomplishing work, prioritizing tasks, and allocating resources. Such methods may include contractor project management system(s); site/facility/activity operational plans and budgets; work packages, job plans, and special work permits; and project management plans and work plans, which can include objectives, costs, and methods. The use of multidisciplinary teams to conduct preliminary hazard analysis and develop hazard controls can enhance the contractor's ability to define expectations clearly. Again, the formality required may depend upon the amount of work, its complexity, and the hazards. For complex, hazardous activities, a detailed work plan may be warranted, using inputs from operational staff who follow written procedures that require verbatim compliance. For low-hazard, simple activities, the method for establishing expectations may be much less formal; for example, simple verbal instructions provided by a supervisor to a worker may suffice for establishing a clear understanding of the work to be performed and how safety should be integrated with that work.

2.4 Worker Participation in Work Planning

Worker input should be integrated into planning activities. Methods for accomplishing this integration include (1) involving workers early in the planning process before work tasks are selected and assigned, (2) involving workers directly in the preparation and review of planning documentation, and (3) ensuring planners receive input from workers on proposed work methods, hazards, and controls. The benefits from these activities typically are improved worker morale, reduction in unknowns such as work conditions or hazards that impact planning effectiveness, and increased potential cost savings from improved work planning.

In developing an ISMS, DOE and the contractor should consider approaches for worker involvement that have been defined as a part of the DOE Voluntary Protection Program (VPP), Enhanced Work Planning (EWP), and Behavior Based Safety (BBS). More information on EWP can be found on the EWP Web site at http://tis-nt.eh.doe.gov/WPPHM/ewp/ewp2.htm. Additional information on VPP may be found on the DOE EH web site at http://www.tis.eh.doe.gov/. It is important to distinguish between DOE and other regulatory ES&H requirements and elective ES&H programs, such as ISO 14001, DOE-VPP, the Chemical Manufacturer's Association's Responsible Care, and EPA's Project Xcel, which are available to DOE contractors who choose to go beyond compliance in environmental and/or worker safety and health management. These elective programs, consisting of management systems for preventing and controlling occupational and environmental hazards, augment ES&H protection at the site beyond DOE requirements.

The responsible manager is accountable for communicating the parameters of the work to the workers involved. Successful planning, which happens only when managers and workers plan the work together, can efficiently and economically change work to eliminate or control hazards.

Some examples of actions that managers may take to promote worker involvement in planning include the following:

• Define and incorporate into written procedures, mechanisms for incorporating worker involvement and input to the work planning processes.
• Involve workers early in the planning process.
• Involve workers directly in the preparation and review of planning documentation and job hazard analysis, and ensure that planners incorporate input from workers on proposed work methods, hazards, and controls.
• Hold line managers accountable for including workers in the work planning process.
• Obtain information from other sites where management/worker trust has been successfully addressed.
• Incorporate improved management/worker relationships into the supervisory process using trust-building exercises and other behavioral change approaches.
• Develop, publish, and make visible work-planning-related performance indicators that the workers can directly affect.
• Obtain union buy-in for the worker involvement process, wherever possible.
• Provide training for supervisors, managers, and work planners regarding effective use of worker input.
• Establish safety committees.
• Perform job hazard analyses.
• Walk around with management.

Worker safety is addressed in 29 CFR 1910, 29 CFR 1926,10 CFR 835, and DOE O 440.1A. The Department's Voluntary Protection Program (DOE-VPP) is available to contractors seeking recognition for excellence in safety and health management.

2.5 Providing for Integration

The ISMS should integrate environment, safety, and health into the contractor's business processes for work planning, budgeting, authorization, execution, and change control. This requires integration within each line organization and integration among the different organizational elements (e.g., legal, procurement, business administration, engineering, facility and laboratory management, etc.).

Consistent with the guiding principles, some formal document should exist to establish clear lines of authority within each organization for defining the scope of work, including approval of subsequent changes. For contractors, this documentation would typically be a combination of company-level policies, charters established for organizational elements, and position descriptions. For DOE, the FRAM and the lower-tier FRA documents are the formal documentation that establishes clear lines of authority.

In addition, a single work permit that replaces several permits (i.e., radiological, confined space, hot work, etc.) can be used to ensure that integration flows down to the first-line supervisors and workers. This single document should include all hazard information and controls required by the individual permits while providing all information to the first-line supervisor and workers in a single document. Figure 4a illustrates the general concept of developing ES&H controls for various hazards and integrating them at the activity level.

2.6 Establishing Priorities

Protecting the public, workers, and the environment is a top priority whenever the Department plans and performs work. Critical to this objective is providing adequate resources and ensuring that those resources are effectively allocated. Each organizational level (i.e., DOE Headquarters, DOE field element, contractor) should, therefore, establish a method for ensuring a proper balance among competing priorities of the organization (e.g., budget, schedule, safety, quality). To do this, organizations should establish a process for reconciling internal and external conflicts and imposing change control. In many cases, support activities, such as fire protection, radiation protection, training, etc., must be integrated into the work scopes for programs those activities support. Typically, a senior management review committee or council within DOE or the contractor organization may be established to resolve conflicts, establish priorities, and ensure a balance in resource allocation. In addition to Guiding Principle 4, Balanced Priorities, which demonstrates the Department's focus on prioritization, DEAR 970.5223-1(b)(4) provides guidance for balancing priorities, as does DOE-DP- STD-3023-98, DOE Limited Standard, Guidelines for Risk-Based Prioritization of DOE Activities.

An ISMS should address a variety of options and tradeoffs to promote the safe completion of work. These tradeoffs include negotiating work scope, establishing performance objectives, identifying resources, selecting personnel, and adjusting schedules. The goal is to define work and allocate resources so that work is done safely and contributes to accomplishment of the DOE mission. Each work package should be clearly defined so that the sum of the work packages is necessary to accomplish the assigned mission.

DOE O 130.1, BUDGET FORMULATION, and DOE O 135.1, BUDGET EXECUTION FUNDS DISTRIBUTION AND CONTROL, address DOE budget formulation and execution activities. Contract performance measures are a key feature of performance-based contracting, which is required by 62 FR 34842 (which amends DEAR 48 CFR 970.1100-1). DOE G 120.1-5, GUIDELINES FOR PERFORMANCE MEASUREMENT, gives guidance on contract performance measures.

3. CORE FUNCTION 2, ANALYZE HAZARDS

The objective of hazards analysis is to develop an understanding of the potential for the hazard to affect the health and safety of the worker, the public, and the environment. Hazard controls are then established based on this understanding and other factors related to the work. The analysis includes two steps: (1) identifying and categorizing the hazard and (2) analyzing accident scenarios related to hazardous work. In identifying hazards at the task/activity level, workers are a valuable resource for their knowledge of the process and its hazards. Categorization may address the character of the work [nuclear, chemical, thermal, electrical, and kinetic (motion)] and the magnitude of the hazard. Several other methods (e.g., checklist, "what-if," HAZOP study, FMEA, etc.) are also suited to particular work environments and/or hazard magnitudes.

DOE and its contractors have many acceptable ways of performing hazard analyses. For example, during work design, or in the early project planning stages, hazards may be identified and evaluated using broad, simple tools that delineate hazards and assess the potential magnitude of the harm. At this stage, a simple hazard analysis can be sufficient as a tool for design evaluation and design improvement.

For nuclear facilities, the hazard analysis should be based on the direction in 10 CFR 830.200, Safety Basis Requirements, and DOE 5480.23, NUCLEAR SAFETY ANALYSIS REPORTS, for identification of the safety-class and the safety-significant structures, systems, and components. This level of hazard analysis is then used as the foundation for more detailed analysis at the facility level, which in turn is used as the basis for the activity or task level hazard analysis.

Two types of analysis methods commonly used by industry for evaluating hazards at the facility and task level are the process hazard analysis (PHA) and the job hazard analysis (JHA). [See DOE O 440.1A, WORKER PROTECTION MANAGEMENT FOR DOE FEDERAL AND CONTRACTOR EMPLOYEES; OSHA 29 CFR 1910.119, Process Safety Management (PSM) of Highly Hazardous Chemicals; and OSHA 3071, Job Hazard Analysis.] A JHA or a Job Safety Analysis (JSA) is a basic and widely used tool for analyzing and reviewing operations and procedures to identify potential worker protection hazards and deficiencies and can satisfy a significant portion of the worker-protection hazard-identification requirements at most workplaces. These hazard analyses are performed by experienced teams of hazard analysts, facility and systems engineers, process operators, human factors engineers, and facility workers. These may include safety professionals and technicians in specialities such as criticality, hazard analysis, radiological protection, chemical process safety, industrial hygiene, and occupational safety.

DOE has promulgated a number of directives (Policies, Regulations, Orders, Notices, Standards, and Guides) that may be used for hazard analysis and hazard categorization. These include the following:

• 10 CFR 830.200, Safety Basis Requirements;
• DOE 5480.23, NUCLEAR SAFETY ANALYSIS REPORTS, addresses nuclear facilities.
• DOE O 420.2, SAFETY OF ACCELERATOR FACILITIES, addresses accelerator facilities.
• DOE 5481.1B, SAFETY ANALYSIS AND REVIEW SYSTEMS, addresses non-nuclear facilities.
• DOE-STD-3009, Preparation Guide for U.S. Department of Energy Nonreactor Nuclear Facility Safety Analysis Reports, describes SAR preparation and review process, includes the PSM process for nuclear facilities. This Standard also integrates the worker safety hazard review requirements of 29 CFR 1910.119 into the 5480.23 safety/hazard analysis and review process for identifying and understanding the hazards associated with highly hazardous chemicals.
• 10 CFR 830.200, Safety Basis Requirements;
• DOE-STD-3011, Guidance for Preparation of DOE 5480.22 (TSR) and DOE 5480.23 (SAR) Implementation Plans;
• DOE-EM-STD-5502, Hazard Baseline Documentation;
• DOE-EM-STD-5503, Health and Safety Plan Guidelines;
• DOE-HDBK-1100, Chemical process Hazard analysis;
• DOE-STD-1027, Guidance on Preliminary Hazard Classification and Accident Analysis Techniques for Compliance with DOE Order 5480.23, Safety Analysis Reports;
• DOE-STD-1120-98, Integration of Safety and Health into Facility Disposition Activities, provides specific guidance for safety management activities at facilities being deactivated or decommissioned. This DOE Standard focuses on the deactivation, decommissioning, and long- term surveillance and monitoring phases regarding SMS Policy requirements for facility disposition activities. Although this document primarily addresses disposition activities, the methods are generally applicable.
• DOE O 440.1A, WORKER PROTECTION MANAGEMENT FOR DOE FEDERAL AND CONTRACTOR EMPLOYEES, provides general worker protection requirements for all DOE operations and establishes requirements for a comprehensive worker protection program that ensures that DOE and its contractor employees are afforded a level of health and safety at least equal to that provided to private-sector employees under the Occupational Safety and Health Act, 1970. DOE O 440.1A should be applied directly at the task or activity level.
• DOE G 440.1-1A, WORKER PROTECTION MANAGEMENT FOR DOE FEDERAL AND CONTRACTOR EMPLOYEES GUIDE FOR USE WITH DOE O 440.1, provides specific guidance for undertaking exposure assessments at the worker task/activity level. For those activities not covered by HAZWOPER, multidisciplinary teams should undertake hazards analysis at the task (activity) level using standard techniques like those described in this Guide.
• DOE O 151.1, COMPREHENSIVE EMERGENCY MANAGEMENT SYSTEM, provides for comprehensive emergency management systems to accompany safety analysis.
• DOE/DP-0135, U.S. Department of Energy Model Pollution Opportunity Assessment Guidance.
• DOE O 452.2A, SAFETY OF NUCLEAR EXPLOSIVE OPERATIONS, provides requirements for nuclear explosive operations.
• DOE G 452.2A-1A, IMPLEMENTATION GUIDE FOR DOE ORDER 452.2A, SAFETY OF NUCLEAR EXPLOSIVE OPERATIONS, provides guidance for nuclear explosive operations.
• DOE-DP-HDBK-XXXX, Draft HAR Handbooks for Pantex and Nevada.
• DOE-DP-STD-3016-99, Hazard Analysis Reports for Nuclear Explosive Operations.

Such directives, when incorporated into a contract, establish the processes and expectations for contractor performance of hazards analyses. Note that, in addition, DOE has developed proposed regulations that correspond to existing DOE nuclear safety Orders. These proposed rules remain compatible with the ISMS and provide for implementation into ISMSs.

Requirements for hazards analyses to be performed to adequately protect the worker, the public, and the environment can also be found as statutory and regulatory requirements. Examples include 29 CFR 1910, 29 CFR 1926, 10 CFR 71, and 10 CFR 1021. Unless a DOE or contractor activity is specifically exempted or waived, such regulatory requirements are mandatory (see Attachment 5).

For decommissioning activities, 29 CFR 1910.120 and 29 CFR 1926.65 can be used to analyze hazards. For environmental remediation and decommissioning hazardous waste work, the HAZWOPER requirements of 29 CFR 1910.120 and 1926.63 may be applied for hazard characterization.

EWP applications have yielded tools that can aid integration of hazards identification analysis and control, such as the "Automated Job Hazard Analysis" (AJHA) used at Project Hanford. The AJHA integrates hazards related to radiological protection, industrial safety and hygiene, environmental compliance, fire protection, and nuclear safety.nt.eh.doe.gov/WPPHM/ewp/Ewp2.htm.

In addition, Pollution Prevention Opportunity Assessments (PPOAs) can be used to identify the nature and amounts of waste, releases and emissions, and energy usage resulting from processes and projects within a site's operation; identify the opportunities for pollution prevention and energy conservation; and evaluate those opportunities for feasible implementation.

Regardless of the specific requirements and methods calling for different types of hazard analysis, each analysis should depend and build upon the others. In this way, activity hazard analyses can be totally integrated with site- and facility-level analyses (i.e., detailed hazard analyses performed for a specific work task may take into account the impact of the work on other areas of the site or facility, as well as how facility and site hazards affect the work task).

All types and levels of hazard analysis should provide for worker input to the process. Facility workers are often the most knowledgeable regarding work conditions and associated hazards. Worker involvement as members of the planning team is particularly important when performing job hazards analysis because this process focuses specifically on a worker's interactions with hazards during the course of job duties. For more information on worker involvement in job hazard analysis and control of hazardous exposures, see DOE G 440.1-3, OCCUPATIONAL EXPOSURE ASSESSMENT.

As with all other aspects of the work, the level of management involvement in reviewing and approving the hazard analysis should be commensurate with the complexity of the work and the hazards entailed. For example, activities involving nuclear hazards (e.g., Hazard Category 1, 2, and 3 nuclear facilities, as defined by DOE-STD-1027) may require DOE to review and approve the hazard analysis. For EM facilities, DOE-EM-STD-5502, Hazard Baseline Documentation, provides guidance for determining the level of facility safety documentation not only for nuclear facilities, but for tailoring appropriate levels of documentation according to chemical inventory thresholds for high, moderate, or low hazard non0nuclear and other industrial facilities.

Such categorizing of facilities will aid in tailoring the DOE requirements and expectations to the work and hazards. Many DOE Orders use the hazard category to include or exclude specific requirements. For example, DOE 5480.23 and 10 CFR 830.200 for nuclear facilities exclude the requirement to address inadvertent criticality for Hazard Category 3 facilities as defined in DOE-STD-1027 because such facilities do not contain sufficient fissile materials to present a criticality hazard. Similarly, the hazard category plays a significant role in DOE O 420.1, FACILITY SAFETY, relative to establishing seismic design requirements and seismic analysis requirements.

Regulatory and contractual requirements applicable to the work (i.e., the set of safety standards and requirements) and the complexity and hazard of the work (i.e., scope of work) will dictate the methods used by a contractor to analyze hazards. This illustrates the importance of the relationship between the core functions of defining the scope of work and analyzing hazards, which lead to Core Function 3, Develop and Implement Controls.

4. CORE FUNCTION 3, DEVELOP/IMPLEMENT CONTROLS; GUIDING PRINCIPLE 5, IDENTIFICATION OF SAFETY STANDARDS AND REQUIREMENTS; AND GUIDING PRINCIPLE 6, HAZARD CONTROLS TAILORED TO WORK BEING PERFORMED

4.1 Identification of Appropriate Standards

The terms and conditions that define DOE safety expectations for its contractors are set forth as contract requirements. DEAR 970.5204-2 requires the contractor to comply with the requirements of applicable Federal, State, and local laws and regulations (including DOE Regulations) in developing and implementing controls, unless the appropriate regulatory agency has granted relief in writing. DOE has identified safety requirements in Rules and DOE Orders and has developed a wide variety of associated Technical Standards, Guides, and Manuals; in addition, DOE encourages the use of national consensus technical standards.

In addition to complying with the requirements of applicable Federal, State, and local laws and regulations (including DOE Regulations) in developing and implementing controls, as required by DEAR 970.5204-2(a) (List A), the contractor must comply with the requirements of applicable DOE directives appended to the contract [List B at DEAR 970.5204-2(b)].

ES&H requirements appropriate for work conducted by a contractor may be determined using a DOE-approved process to (1) evaluate the work and the associated hazards and (2) identify an appropriately tailored set of standards, practices, and controls. When such a process is used, the set of tailored ES&H requirements must be reviewed for adequacy and approved by the CO. The approved set shall be incorporated into List B as contract requirements with full force and effect. These approved processes may also be used to identify standards that are specific to facilities or activities and are generally, but not necessarily, a subset of List A and List B.

Approved processes for establishing ES&H requirements include the following:

• incorporation of a Standards/Requirements Identification Document (S/RID) into the contract (per 90-2 Implementation Plan, Rev. 5);
• use of the Work Smart Standards Processes (DOE M 450.3-1, THE DEPARTMENT OF ENERGY CLOSURE PROCESS FOR NECESSARY AND SUFFICIENT SETS OF STANDARDS); and
• compliance with DOE directives and other applicable laws and regulations.

Once DOE has agreed to the sitewide ES&H requirements established by the contractor, those requirements are implemented by the contractors' manuals of practice. Figure 4b illustrates how ES&H requirements flow down, through contractual requirements, to the contractor's safety management program (implemented in manuals of practice) and are applied to facility, activity, or task work. DOE approval of the contractor's ISMS description and oversight of its implementation are fundamental to the Department in satisfying its own responsibilities for ensuring safety. Operation- specific controls, tailored to the hazards, to be mutually agreed upon by DOE and the contractor, become contractual terms and conditions for performing the work.

Before work is performed, appropriate controls are developed and an applicable set of safety standards and requirements identified. These safety standards and requirements may be from List A or List B, or they may be a tailored set of standards derived from List B or other sources. Developing and implementing hazard controls at the site or facility level includes:

• identifying applicable standards and agreed-upon sets of requirements (to the extent that appropriate requirements have not already been identified in the contractor's manuals of practice),
• identifying controls including pollution prevention options to prevent/mitigate hazards,
• establishing boundaries for safe operations (establishing a safety envelope), and
• implementing and maintaining configuration of controls [e.g., technical safety requirements (TSRs) and operational safety requirements].

Specific controls needed at the activity level are developed using the results of activity hazard analysis. For hazards that have been included in the sitewide analyses, the applicable standards are included in lists A and B. However, facility-level and activity-level hazards analysis may also identify new hazards or unanalyzed conditions for existing hazards that require unique activity-specific controls be placed in the corporate manuals of practice or the authorization agreement if one is needed for the project or facility. The hierarchy of controls (i.e., engineering, administrative, and personal protective equipment) used at this level is the same as that used at higher management levels, which are applied in a risk-based manner. The controls developed, implemented, and maintained should be integrated with other controls and commitments, particularly those in sitewide safety programs, such as fire protection and radiation protection (See Figure 4a). In general, the use of administrative controls to address each hazard should be minimized where the effectiveness and value of engineering controls can be demonstrated.

Although identification of standards is discussed here, as part of Core Function 3, Develop/ Implement Controls, standards identification may also occur during activities that define the scope of work, analyze hazards, or provide feedback and improvement.

4.2 Sitewide Requirements

A multidisciplinary hazard analysis team composed of line management, health and safety professionals, and workers should tailor the set of standards that apply to the work at each management level. These standards should be commensurate with the hazards involved, per Guiding Principle 5. To achieve this objective, DOE and contractor line management identify laws, statutes, and Federal regulations that apply. Such requirements are generally mandatory and non-discretionary for DOE and the contractor, although exemptions may be obtained when necessary. DOE and contractor line management should establish (through the contract) any additional requirements necessary to ensure adequate safety. These requirements may be derived from DOE directives, DOE Technical Standards, or national consensus standards. Whatever the approach, both DOE and contractor line management should review and concur on the set of standards and requirements selected. The CO is responsible for ensuring that the set of requirements selected is sufficient to achieve an adequate level of safety.

4.3 Facility-Specific Requirements [Identification of Appropriate Controls]

The ISMS should have a process to identify engineering, administrative, and personal protective equipment controls and pollution prevention/waste minimization options imposed on the work, as derived from the agreed-upon set of standards and requirements. As with the set of standards and requirements, the derived controls should be tailored to the work and the associated hazards, in accordance with Guiding Principle 6. The controls should encompass all aspects of the work (including potential abnormal or emergency situations) and each phase of work performance (e.g., preparation, review, authorization, and execution). Emphasis should be on designing the work and/or controls to reduce or eliminate the hazards and to prevent accidents and unplanned releases and exposures [DEAR 48 CFR 970.5223-1(b)(6)].

Controls should be developed systematically at each management level, addressing all relevant functional areas or disciplines of concern (e.g., quality assurance, fire protection, industrial safety, radiological protection, chemical process safety, emergency preparedness, criticality safety, maintenance). The information developed for controls at each management level should be used as the basis for the next-lower level of controls (i.e., site controls should be integrated with facility controls, which should be integrated with the controls applied to work at the task level). The EWP process relies on a work planning team that includes subject matter experts to specify the controls for the task/activity level of work. Controls should use inherently safe design aspects and should be based on defense-in-depth considerations. (DOE-STD-3009 provides relevant guidance for nuclear facilities.) Such controls should address preventive and mitigative considerations, passive and active aspects, and automatic versus manual operating needs. DOE 5480.23, DOE 5480.22, 10 CFR 830.200, and corresponding DOE-STD-3009 provide guidance for nuclear facilities on establishing documented safety limits, limiting control settings, and limiting conditions for operation, surveillance requirements, administrative controls, and design features that result from a disciplined safety analysis. DOE 5481.1B contained requirements and guidance for non-nuclear facilities. The following directives provide additional information for DOE weapons facilities:

• DOE O 452.1A, NUCLEAR EXPLOSIVE AND WEAPON SURETY;
• DOE G 452.2A-1A, IMPLEMENTATION GUIDE FOR DOE ORDER 452.2A, SAFETY OF NUCLEAR EXPLOSIVE OPERATIONS; and
• DOE O 452.2A, SAFETY OF NUCLEAR EXPLOSIVE OPERATIONS.

Specific controls derived from the agreed-upon set of standards and requirements may take several forms: engineered controls, written procedures, or other administrative controls. The form selected should be tailored to the hazard or importance of the desired attribute and, again, should be determined by line management responsible for the work based on safety/hazard analyses. The knowledge, skills, and abilities of the work force should be considered when selecting the form of controls. DOE and contractor agreement on the safety envelope is required as a condition for authorizing operations to proceed. Figure 5 shows the interconnection of DOE Rules and Orders that may be used to establish the safety envelope for nuclear facilities.

Once a set of controls has been established, processes should be provided for maintaining work performance within the safety envelope established in the safety/hazard analysis. The processes should clearly identify the controls used to establish the safety envelope. Some contractors achieve this objective by using work packages, job plans, maintenance plans, and TSRs (nuclear facilities). A process to review, approve, and provide change control of the safety envelope should exist.

4.4 Worker Protection

DOE O 440.1A requires DOE elements and contractors to implement a written worker protection program that describes an integrated management organization and support systems that fully satisfy DOE worker protection requirements of all technical disciplines. DOE O 440.1A also requires that workers be allowed, through their supervisors, to stop work when they discover conditions that may expose them to imminent danger or other serious hazards. The stop-work procedure should be exercised in a justifiable and responsible manner. DOE elements and contractors should establish procedures that address stop-work authority and ensure that workers are trained in those procedures.

DOE and contractor line organizations should assign and communicate worker protection responsibilities to workers, ensuring that they have adequate authority and resources to carry out those responsibilities. Line management should encourage and promote employee involvement and commitment. An important component of employee involvement is the establishment of worker protection committees to promote employee participation in developing program goals, objectives, and performance measures and identifying and correcting workplace hazards. Employees should also be encouraged to perform informal worksite inspections as part of their daily work. For inspections to be effective, employees should be trained in hazard recognition, have access to worker protection professionals and reference sources (DOE requirements, guides, technical standards, etc.), and be knowledgeable enough to suggest and track corrective actions.

5. CORE FUNCTION 4, PERFORM WORK, AND GUIDING PRINCIPLE 7, OPERATIONS AUTHORIZATION

DOE and the contractor identify and implement safety controls BEFORE starting to work. Once work begins, it is performed in accordance with those safety controls.

Accordingly, each contractor's ISMS should have a process to confirm adequate preparation, including adequacy of controls, prior to authorizing work to begin at the facility, project, or activity level. DEAR 970.5223-1(b)(7) requires that DOE and the contractor establish and agree upon the conditions and requirements to be satisfied for operations to be initiated and conducted. These conditions and requirements are included in the contract and are therefore binding upon the contractor. The formality and rigor of the review process and the extent of documentation and level of authority for agreement should be based on the hazard and complexity of the work being performed. The process should ensure programs addressing all applicable functional areas are adequately implemented to support safe performance of the work.

DOE O 425.1, STARTUP AND RESTART OF NUCLEAR FACILITIES, provides readiness guidance for nuclear facilities. The requirement for an independent assessment or DOE review should be established within the set of agreed-upon standards and requirements established for the scope of work. Internal or external oversight groups, review teams, and audit organizations should evaluate the process to identify and correct deficiencies. The process should ensure corrective actions are effective in establishing a state of readiness. Examples of methods used by DOE and contractors to confirm readiness include readiness assessments, operational readiness reviews (ORRs), and Title III inspections (project design). Guiding Principle 7 and the DEAR require conditions to be satisfied and established for operations to be initiated and operated.

These agreed-upon conditions and requirements are requirements of the contract and binding upon the contractor. The extent of documentation and level of authority for agreement shall be tailored to the complexity and hazards associated with the work and shall be established in a Safety Management System [48 CFR 970.5223-1(b)(7)].

The QA Rule, 10 CFR 830.120, and DOE O 414.1A require that work be performed to established technical standards and controls. For certain sitewide systems and activities, such as fire protection, emergency planning, and operator training, readiness may be confirmed periodically. The following provide requirements and guidance for sitewide programs involving nuclear operations:

• 10 CFR 830.200, Safety Basis Requirements;
• DOE 5480.20A, PERSONNEL SELECTION, QUALIFICATION, AND TRAINING REQUIREMENTS FOR DOE NUCLEAR FACILITIES;
• DOE O 420.1, FACILITY SAFETY;
• DOE O 460.1A, PACKAGING AND TRANSPORTATION SAFETY; and
• 10 CFR 835, RADIATION PROTECTION FOR OCCUPATIONAL WORKERS.

For nuclear facilities, 10 CFR 830.200/DOE 5480.23 require the development and description of facility initial testing programs; facility in-service surveillance programs; facility maintenance programs based on DOE O 433.1, MAINTENANCE PROGRAM FOR NUCLEAR FACILITIES; conduct of operations programs that define worker communications; and  activities based on DOE 5480.19, CONDUCT OF OPERATIONS REQUIREMENTS FOR DOE FACILITIES.

DOE O 430.1A, LIFE-CYCLE ASSET MANAGEMENT, provides similar requirements for non- nuclear facilities. DOE-HDBK-XXXX-YR (proposed), CHEMICAL MANAGEMENT HANDBOOK, provides guidance for specific programmatic chemical safety management considerations wherever chemical hazards exist in nuclear or non-nuclear facilities. It should be noted that chemical hazards exist throughout the DOE complex, and may be significant contributors to risk in nuclear facilities, as well as facilities primarily involved in chemical processing.

The ISMS should ensure that safety control measures that have been mutually agreed upon are integrated into work performance and that

personnel are responsible and accountable for performance of work in accordance with the controls established;

the controls are adequate to ensure safe work performance and to prevent accidents, uncontrolled releases, or unacceptable exposures to hazardous materials; the controls established for safety are a discernible part of the plan for work; and

the necessary safety support functions and interfaces required (e.g., training, maintenance, radiological protection, etc.) have been established.

For nuclear facilities, DOE 5480.23 and 10 CFR 830.200 require appropriate consideration of conduct of operations, emergency preparedness, fire protection, etc.

Typically, contractors use a system of written policies, manuals, and procedures to ensure safety controls are integrated into work plans. At the work level, consideration must be given to controls necessary for worker protection. Individual work plans, operating procedures, and maintenance procedures are often used to implement safety controls at the task level. The following should be factored into the selection of worker safety controls:

hands-on training, safety awareness training, and the identification of necessary personal protective equipment (PPE), which are vital in familiarizing a worker with job duties, hazards, and controls;

pre-job briefings and walkdowns, which provide a good opportunity to ensure workers are aware of hazards and knowledgeable on the proper use of prescribed controls; and

worker input, which should be solicited because workers can offer creative solutions for controlling hazards in a safe yet practical and cost effective manner.

It is also important to keep in mind that some PPE may create a hazard. The ISMS should also include a process to identify performance measures, including safety performance measures for the work as required by DEAR 48 CFR 970.1100-1 (see Attachment 5).

5.1 Authorizing Work

DOE and the contractor should formally agree on the need for authorization agreements for those nuclear and significant hazard facilities that must perform work safely without any undue risk to the worker, the public, and the environment.

The contractor's ISMS description should clearly identify the roles of the contractor and DOE in authorizing work at appropriate levels. Understanding DOE and contractor roles with respect to authorizing work and changes to the work is essential for successful implementation of the ISMS. The following discussion on authorization protocol and authorization agreements provides elementary information and guidance for consideration in the development of contractor ISMSs.

5.1.1 Authorization Protocol

The DOE FRAM defines authorization protocols as

Those processes used to communicate acceptance of the contractor's integrated plans for hazardous work. Such protocols are expected to range from preperformance review and approval by DOE of detailed safety-related terms and conditions for performing work (authorization agreement) to less rigorous oversight and postperformance assessment of the contractor's work.

These protocols should be clearly delineated in the contractor's ISMS description and should clarify the understanding and agreements between the contractor and the Department in performing hazardous work.

5.1.2 Authorization Agreement

An authorization agreement is a contractually binding agreement between DOE and the contractor for predetermined hazardous facilities, tasks, or activities. The DOE FRAM defines an authorization agreement as

A documented agreement between DOE and the contractor for high-hazard facilities (Category 1 and 2), incorporating the results of DOE's review of the contractor's proposed authorization basis for a defined scope of work. The authorization agreement contains key terms and conditions (controls and commitments) under which the contractor is authorized to perform the work. Any changes to these terms and conditions would require DOE approval.

The need for an authorization agreement will depend on the organization and adequacy of the existing, contractually binding documentation containing key terms and conditions. For example, at sites or facilities that have S/RIDs in place, it would be undesirable to duplicate the S/RID commitments in an authorization agreement. If an authorization agreement were required, it could simply reference the S/RIDs. The Department and the contractor should ensure that the ISMS includes procedural mechanisms that trigger a review to determine the necessity of having, revising, or eliminating an authorization agreement.

The authorization agreement may serve a number of purposes:

To incorporate the results of DOE's review of the contractor's proposed authorization basis for a defined scope of work.

To define key terms and conditions (controls and commitments) under which the contractor is authorized to perform work; these key terms and conditions must be clearly identified in the agreement and any changes to these key terms and conditions would require DOE approval.

To delineate the key references DOE will approve versus that information that will simply be reviewed for information. (The ISMS description may also serve this function.)

To consolidate the basis for a DOE determination to authorize operations by combining key DOE and contractor authorization basis and assessment documentation into one document.

To minimize the amount of correspondence required between the contractor and the Department when agreements for routine tasks and activities, requiring approval at certain unique facilities, can be approved once.

Authorization agreements have also proved beneficial to DOE and contractors for facilities being affected by significant changes in mission, those requiring significant upgrade for their authorization bases, and those undergoing decontamination and decommissioning.

5.2 Sample Format and Content for Authorization Agreements

The following sample format and content may be useful for documenting an authorization agreement. Like the numerous and varied Nuclear Regulatory Commission licenses, the format and content of agreements are likely to differ because of the unique and diverse facilities and activities in the complex. The authorization agreement establishes agreed-upon operating boundaries for conducting hazardous work by defining key terms and conditions for both DOE and the contractor.

1. Scope of the Agreement

This section should clearly describe the work being authorized and the facility or facilities where the work is to be performed. It should be consistent with the work analyzed in the authorization basis and the controls established.

2. DOE Basis for Approval

This section should include the basis for DOE approval to perform the work and the basis for its conclusion that the work defined in the agreement can be performed without undue risk to the worker, the public, and the environment. This section should include the key reviews and assessments that form the basis of DOE approval. Typical examples include DOE issuance of a SAR; review and approval of a SAR; reviews and approvals of TSRs, ORRs, or assessments; approval of the list of requirements required by the DEAR laws clause; and approval of the contractor's ISMS description in accordance with the DEAR ES&H clause.

3. Listing of Documents that Constitute the Authorization Basis

This section should include a summary listing of key documents such as SARs, the basis for interim operation, NEPA documentation including EIS, environmental permits, etc.

4. Terms and Conditions

This section should specify contractor commitments for assuring DOE that the authorized work will be performed safely. The process to be used to keep the authorization agreement current should be described. Key terms and conditions requiring DOE review and approval need to be clearly identified in this section. This may include specific implementation procedures or manuals of practice. Other terms and conditions may only require DOE notification and review if deemed appropriate. Examples of terms and conditions include the following:

Controls identified in TSRs or TSR-like documents. Such controls would include controls established from hazard analyses and those derived from contractual requirements (i.e., List A and B from the DEAR laws clause).

Commitments to a configuration management program including an unreviewed safety question (USQ) or USQ-like process.

Commitments to a process for reporting noncompliances with established controls or terms of the authorization agreement. This process would include any special actions to be taken if an unplanned event were to occur.

NOTE: Authorization agreements should be carefully written to avoid the need for revision whenever a key reference is updated. It is necessary for the referenced documents, or key conditions and commitments in these documents, to be contractually binding and under configuration control without the need to change the authorization agreement whenever a reference changes. The title and number of referenced documents should be listed. Revisions should be indicated by the words "as amended" or "latest revision" to indicate those documents can change without having to amend the authorization agreement for each revision. For existing facilities with older revisions that predate the first authorization agreement, a method to indicate the subsequent revisions might include "Rev. X or higher." For sites or facilities with S/RIDs in place, it will be wise to avoid duplication in the authorization agreement with certain conditions already specified and agreed upon in the S/RID. For example, it is quite appropriate for the agreement to simply state that operating in accordance with the S/RID is required. In such an instance, the S/RID is the agreement where the particular Emergency Preparedness Program, Fire Protection Program, AB Documentation (including USQ), and other such requirements are located.

5. Contractor Qualification

This section should make a positive statement about DOE's confidence in the contractor's ability to safely perform the work identified in the agreement.

6. Special Conditions

This section should cover any other special conditions that DOE wants to make contractually binding. Such conditions may include aspects of environmental management, safeguards and security, and protection of property.

7. Effective Date and Expiration Date (if it is to expire)

This section would include the duration of the agreement and when it will be renegotiated, reviewed, or extended.

8. Statement of Agreement

This section would include signatures of the agreeing parties (DOE manager and contractor manager) and dates with the typed names below the signature line.

9. Exceptions (if required)

This section would identify any specific exceptions or unusual circumstances that should be noted. For example, at Rocky Flats, authorization agreements might address appropriate liability and the understanding between DOE and the new contractor regarding less than fully analyzed bases for controls.

EXAMPLES:

Examples of executed authorization agreements will be placed on the ISM home page (http://tis-nt.eh.doe.gov/ism). These examples are for information only and should not be interpreted as the only way to develop these agreements. Questions should be directed to the agreement originator or to the Director, Safety Management Implementation Team.

5.3 Sample Checklist for Authorization Agreements

A checklist can improve consistency in the format of authorization agreements and can help ensure that authorization agreements contain appropriate information to document the agreements between DOE and its contractors. The following sample checklist was prepared as an example to assist DOE and contractor personnel in preparing and reviewing authorization agreements. This checklist is based on evaluations of authorization agreements conducted by the Offices of Defense Programs and Environmental Management. The checklist proved to be a useful aid for the DP and EM evaluations. Users are reminded that this is a sample checklist. As such, it cannot be expected to suit every circumstance and the attendant variations in hazards and complexity. The documents that describe corporate expectations and DOE direction for the authorization agreement must be referenced to define an appropriate checklist.

1. The Authorization Agreement Addresses the Following Issues and Follows the Recommended Format

Scope of the Agreement DOE Bases for Approval Listing of Documents that Constitute the Authorization Basis Terms and Conditions Contractor Qualifications Special Conditions Effective and Expiration Dates Statement of Agreement Exceptions

Verify that the authorization agreement states if an issue or area is not applicable, or if there are no contents.

2. Scope of Agreement

Verify that the work to be authorized is clearly described (specific and not too broad).

Verify that the work to be authorized is within the authorization basis.

Verify that the facility(ies) to which the authorization agreement is applied is described (specific and not too broad).

3. DOE Bases for Approval

Verify that the bases for approval are technically strong and clearly defined.

Verify that the DOE approval addresses the multiple dimensions of key nuclear safety, non-nuclear safety, and environmental protection.

Verify that the authorization agreement addresses safety review documents or processes such as safety evaluation reports (SERs), SARs, TSRs, positive USQs, DOE oversight, ORRs/RAs, etc.

Verify that maintenance of authorization agreements is discussed.

4. Listing of Documents that Constitute the Authorization Basis

Verify that the listing of key documents is consistent with authorization basis and DOE direction. The listing may include such documents as nuclear safety (SERs, SARs, basis for interim operations, TSRs, etc.); non-nuclear safety [health and safety plans (HASPs), Hazards Surveys, and Hazards Assessments; Emergency Action Levels (EALs); and default Protective Actions Lists, etc.]; environment (NEPA, EIS, etc.); State/local governments; and DOE approvals of changes resulting from positive USQ determinations, if applicable.

Verify that the references appear to be the correct revision.

5. Terms and Conditions

Verify that a process exists for the contractor to commit to DOE that the authorized work will be performed safely. This may include such measures as controls in TSRs or TSR-like documents, commitments to a noncompliance reporting process, or a process for handling violations of the authorization agreements.

Verify that a process exists for keeping an authorization agreement and basis current; this may include a configuration management process, a process to verify key terms and conditions for DOE approval are identified, a process to verify implementation commitments or justification for continued operations, or a USQ or USQ-like process.

6. Contractor Qualifications

Verify the presence of a positive statement about, and justification for, DOE's confidence in the contractor's ability to perform the activities in the facilities identified in the authorization agreement. The justification may be based on conducting DOE assessments or reviews.

7. Special Conditions

Verify that special conditions relating to the facility and activity have been identified, such as aspects of environmental management, safeguards/security, and property protection.

Verify that the authorization agreement contains a statement that permits emergency actions that depart from approved TSRs (or similar controls) when the actions are needed to protect public health and safety.

8. Effective and Expiration Dates

Verify that the approval date and duration of the agreement (or expiration date) is shown.

9. Statement of Agreement

Verify that the names (typed) and signatures of the DOE and contractor managers are shown.

10. Exceptions

Verify that specific exceptions to Orders, other requirements, S/RIDs, the WSS process, or usual circumstances are shown, if necessary.

6. CORE FUNCTION 5, FEEDBACK/IMPROVEMENT

6.1 How does Feedback and Improvement Contribute to Safety?

Feedback and improvement complete the ISMS loop by connecting practical experiences of work conducted to planning for future work. The feedback and improvement function is intended to

identify and correct processes or deviations that lead to unsafe or undesired work outcomes;

confirm that the desired work outcomes were obtained safely; and

provide managers and workers with information to improve the quality and safety of subsequent similar work.

Mechanisms that support these goals include worker and management observations, pre- and post- work review meetings, quality and safety issue resolution processes, issue tracking systems, performance indicators, lessons learned, internal and external assessments, operational and strategic planning, and a variety of other such activities. Appendix G provides supporting details and examples of feedback and improvement mechanisms at various levels of DOE and contractor organizations. It is necessary for each of these mechanisms to use information from the others to derive maximum benefit from the Feedback and Improvement Safety Management Function.

6.2 Who Performs Feedback and Improvement?

Line management is directly responsible for establishing and implementing feedback and improvement programs and processes to facilitate a culture that promotes ongoing examination and learning. The desired operational and safety culture within DOE is one in which each individual is encouraged and supported in continually asking the following questions:

Was the work properly identified?

Were the hazards properly analyzed?

Were the proper controls established?

Was the work performed as planned and with the expected outcome?

Are there ways to perform the work better and more safely?

6.3 What is Feedback and Improvement?

The terms feedback and improvement are used jointly to describe the fifth ISMS core function; however, in practice, it may be helpful to distinguish between the two terms. Feedback is typically thought of as information generated from actual work or operating experience. That information may be in the form of equipment indicators, such as gauges, analytical tests, or observations by workers, supervisors, and managers. The value of the operating experience feedback is obtained by analyzing the information and comparing it to requirements or expectations. Such analysis is necessary to determine if equipment, people, and systems are operating within acceptable parameters and if the expected results are obtained during the performance of work. Three outcomes of analysis are typical: verification of acceptable performance, identification of needed corrections, and identification of opportunities to improve the quality of work outcomes or processes. The term improvement is most often used to mean identification of needed corrections and identification of opportunities to improve the quality of work outcomes or processes.

The feedback and improvement function generally may be categorized by three principal activities:

1. generate and collect data, 2. analyze data and develop information, and 3. improve the process or activity and share the improvement.

Data generation results from physical measurement, such as in-process monitoring and sampling; work observations; peer review; worker interviews; quality problem and safety issue reports; audits/inspections; and external enforcement actions. A process to collect these data is needed for analysis activity to proceed.

Analysis involves the application of quantitative and qualitative techniques to evaluate performance of systems, components, individuals, and organizational units in comparison to agreed-upon standards of practice. Example analysis outputs include performance indicators, trend reports, suggested corrective/preventive actions, or improvement recommendations.

Learning and improving consist of processes and mechanisms for applying experience-based knowledge to improve deci