This document has been reproduced from the best available copy.
Available to DOE and DOE contractors from ES&H Technical
Information Services, U.S. Department of Energy, (800) 473-4375,
fax: (301) 903-9823.
Available to the public from the U.S. Department of Commerce,
Technology Administration, National Technical Information Service,
Springfield, VA 22161; (703) 605-6000.
Change Notice No. 1 DOE-STD-1036-93
December 1998
Guide to Good Practices for Independent Verification
Page / Section Change
p. 11 / Section 4.1.2 The reference to DOE-STD-1030-92, Guide to
Good Practices for Lockouts and Tagouts, was
updated to DOE-STD-1030-96 with the same title.
p. 14 / Section 4.2.1 The reference to DOE-STD-1030-92, Guide to
Good Practices for Lockouts and Tagouts, was
updated to DOE-STD-1030-96 with the same title.
p. 16 / Section 4.2.2 The reference to DOE Order 4330.4A,
Maintenance Management Program, was updated
to DOE Order 4330.4B with the same title.
p. 24 / Section 4.3.7 The reference to DOE-STD-1030-92, Guide to
Good Practices for Lockouts and Tagouts, was
updated to DOE-STD-1030-96 with the same title.
p. 27 / Supplemental Resources The reference to DOE Order 4330.4A,
Maintenance Management Program, was updated
to DOE Order 4330.4B with the same title. The
reference to DOE-STD-1030-92, Guide to Good
Practices for Lockouts and Tagouts, was updated
to DOE-STD-1030-96 with the same title.
Concluding Material The Preparing Activity was updated from NE-73 to
EH-31.
Change Notice No. 1 DOE-STD-1036-93
December 1998
INTENTIONALLY BLANK
DOE-STD-1036-93
iii
FOREWORD
The purpose of this Guide to Good Practices is to provide Department of Energy (DOE)
contractors with information that can be used to validate and/or modify existing programs relative
to Conduct of Operations. This Guide to Good Practices is part of a series of guides designed to
enhance the guidelines set forth in DOE Order 5480.19, "Conduct of Operations Requirements
for DOE Facilities."
KEYWORDS
Concurrent Dual Verification
Lockout/Tagout
Operations Supervisor
DOE-STD-1036-93
iv
INTENTIONALLY BLANK
DOE-STD-1036-93
v
TABLE OF CONTENTS
FOREWORD ............................................................. iii
ACRONYMS ............................................................. vii
DEFINITIONS ............................................................ ix
1. INTRODUCTION ........................................................ 1
2. OBJECTIVE ............................................................ 3
3. DISCUSSION ........................................................... 5
4. GOOD PRACTICES ...................................................... 9
4.1 Systems/Components Requiring Independent Verification .................. 9
4.1.1 Nuclear Safety Functions ................................... 10
4.1.2 Environmental, Safety, and Health (ES&H) Functions .............. 10
4.1.3 Mission-Critical Functions ................................... 12
4.1.4 Components Excluded from Independent Verification Requirements ... 12
4.2 Situations Requiring Independent Verification ......................... 13
4.2.1 Removing Equipment from Service ............................ 14
4.2.2 Placing Equipment in Service ................................ 15
4.2.3 Periodic Checks during Facility Operation ....................... 16
4.2.4 Temporary Modifications ................................... 17
4.3 Verification Techniques .......................................... 17
4.3.1 Verifying Valve Position .................................... 19
4.3.2 Verifying Throttled Valves .................................. 20
4.3.3 Checking Process Parameters ................................ 21
4.3.4 Checking Remote Position Indicators .......................... 22
DOE-STD-1036-93
vi
TABLE OF CONTENTS (continued)
4.3.5 Surveillance (Operational) Testing ............................ 22
4.3.6 Verifying Operational Processes .............................. 23
4.3.7 Verifying Locked/Tagged Components ......................... 24
4.3.8 Resolving Inconsistencies Discovered during Independent Verification . 24
4.4 Operations Self-Appraisal and Verification ............................ 25
SUPPLEMENTAL RESOURCES ............................................. 27
DOE-STD-1036-93
vii
ACRONYMS
EPA Environmental Protection Agency
ES&H Environmental, Safety, and Health
OSHA Occupational Safety and Health Administration
DOE-STD-1036-93
viii
INTENTIONALLY BLANK
DOE-STD-1036-93
ix
DEFINITIONS
Concurrent Dual Verification A method of checking an operation, an act of
positioning, or a calculation, in which the verifier
independently observes and/or confirms the operation or
calculation.
Danger Tags Tags used to identify equipment or controls that MUST
NOT be operated or removed.
Independent Verification The act of checking, by a separate qualified person, that
a given operation, or the position of a component,
conforms to established criteria.
Lockout/Tagout A general term for all methods of ensuring the
protection of personnel and equipment by installing
tagout devices, with or without lockout devices.
Operations Supervisor The individual having authority and responsibility for
operational control of a facility, process, experiment, or
other project.
DOE-STD-1036-93
x
INTENTIONALLY BLANK
DOE-STD-1036-93
1
GUIDE TO GOOD PRACTICES FOR
INDEPENDENT VERIFICATION
1. INTRODUCTION
This Guide to Good Practices is written to enhance understanding of, and provide direction
for, Independent Verification, Chapter X of Department of Energy (DOE) Order 5480.19,
"Conduct of Operations Requirements for DOE Facilities." The practices in this guide
should be considered when planning or reviewing independent verification activities.
Contractors are advised to adopt procedures that meet the intent of DOE Order 5480.19.
"Independent Verification" is an element of an effective Conduct of Operations program.
The complexity and array of activities performed in DOE facilities dictate the necessity for
coordinated independent verification activities to promote safe and efficient operations.
DOE-STD-1036-93
2
INTENTIONALLY BLANK
DOE-STD-1036-93
3
2. OBJECTIVE
The objective and criteria are derived from DOE Order 5480.19. They are intended to aid
each facility in meeting the intent of the order.
Independent verification activities are implemented by appropriate policies and procedures to
ensure correct operation of facility equipment, and aid in the control of equipment and
system status.
Criteria:
a. Components critical to safe, reliable operation of the facility are identified as to their
requirements for independent verification.
b. Occasions requiring independent verification are identified through appropriate policies
and procedures.
c. Independent verification techniques are identified consistent with facility equipment and
operational requirements.
DOE-STD-1036-93
4
INTENTIONALLY BLANK
DOE-STD-1036-93
5
3. DISCUSSION
Independent verification compensates for the human element in facility operation. It
recognizes that any operator, no matter how proficient, can make a mistake. However, the
chance that two operators will independently make the same mistake is unlikely. Therefore,
independent verification provides an extra measure of safety and reliability to facility
operations. Industry experience shows that verifying, or double-checking, important
operating parameters and component alignments reduces the occurrence of unintended
operational events (shutdowns, environmental violations, etc.).
Independent verification is an activity designed to enhance the reliability of facility operations
and safety functions, and to aid in the control of equipment and system status. Its intent is
similar to the quality assurance and engineering checks that are performed during design and
installation of facility systems. However, independent verification is an ongoing process
performed by operations personnel during operations. Independent verification activities are
built on the two concepts portrayed through their name: verification and independence.
Verification is the act of checking that an operation, the status of equipment, a calculation, or
the position of a component conforms to established criteria. Verification only checks for
conformance with the criteria; it does not alter the status of equipment or the position of
components. The criteria used for verification are normally contained in operating
procedures or alignment checklists. All persons performing verification must receive specific
training and qualification on the systems they will verify, and on techniques for verifying
component position or status.
Independence means that the person performing the verification will not be influenced by
observation of, or involvement in, the activity that establishes the component position or
status. For most operating activities, independence can best be achieved by separating the
operation and the verification by time and distance. For example:
DOE-STD-1036-93
6
If a verifier watches an operator read from a procedure, check the component label,
operate the component, and then mark the item off in the procedure, it would be
natural for the verifier to assume that the operation was performed correctly.
However, the operator could have misread the procedure, misread the label,
incorrectly identified the equipment, or performed the wrong operation. If the
verifier is not present during the operation (separated by distance) and performs the
verification at a later time, then the verification will not be affected by the operator's
actions. If the verifier walks through the procedure, personally checking the label
information and verifying the position of the components, any mistake made by the
operator is likely to be detected.
For some operating activities, separating the operation and the verification by time and
distance may not be possible. For example, verifying the position of a throttle valve or other
control may require observation of the positioning activity. Verification for the installation or
removal of jumpers may require checking the intended action before it is performed, because
incorrect performance could cause a shutdown of critical equipment or actuation of a safety
system. For these types of operating activities, the operator and verifier should
independently identify the component and then concur on the action to be performed. The
verifier should observe that the operation is performed correctly. This method is termed
"concurrent dual verification."
Independent verification will be most effective if it is incorporated into existing operating
activities. Each facility's operating guidelines should identify the specific systems, structures,
and components that require independent verification. Within those systems, structures, and
components, the guidelines should identify the occasions when independent verification
should be performed. Facility procedures should provide instructions for the independent
verification techniques appropriate to specific systems and components. These instructions
are necessary to ensure that verification is performed consistently, and that verification
activities do not change the component status or upset the process. Independent verification
requirements should be addressed in pre-job briefings, to identify the personnel involved and
to clarify the methods that will be used. Facility training programs should include subjects
DOE-STD-1036-93
7
related to independent verification, such as development of a questioning attitude, self-
checking techniques, and methods to avoid undue influences while acting as the performer or
verifier.
Separate from the requirement for independent verification of specific operations activities,
the concepts of independent verification can be applied to other functions or activities that
can affect operations. For example, independent appraisals of operating procedures and
training should be performed to verify that environmental, safety, and health considerations
have been addressed in accordance with operational requirements. Personnel should apply
the principles of independent verification to all operating systems in their work areas, not just
those having safety functions. System parameters should be checked against each other and
against expectations. When problems are identified, individuals should notify supervision and
initiate corrective action in accordance with applicable procedures. This process helps ensure
that problems are identified early and corrected before they cause larger problems.
DOE-STD-1036-93
8
INTENTIONALLY BLANK
DOE-STD-1036-93
9
4. GOOD PRACTICES
Each facility should provide written guidelines for implementing independent verification.
Central to these guidelines are two related, but independent, criteria for independent
verification. First, independent verification is clearly important for certain systems and
components, but is not necessary for all facility equipment. Therefore, the facility guidelines
should identify the systems, structures, and components requiring independent verification.
Section 4.1 provides guidance for designating which of these should receive independent
verification.
Second, for those systems, structures, or components that have been designated as requiring
independent verification, there are many routine operating activities performed that require
independent verification. Section 4.2 provides guidance to help determine what situations
involving the designated systems, structures, and components should be identified as
occasions for independent verification.
The methods or techniques used to perform independent verification must be capable of
verifying compliance with the operational criteria, without changing the position or status of
the equipment. Therefore, the facility's guidelines should also specify how independent
verifications should be performed. Examples of techniques that may be applied for
independent verification are given in Section 4.3.
4.1 Systems/Components Requiring Independent Verification
Independent verification should be performed on systems, structures, and components
that impact the safety and reliability of facility operations. Facilities should identify
components requiring independent verification on the basis of safety analysis and
evaluation of the effects that may be caused by mispositioning. Independent
verification should be performed on systems, structures, and components that perform
functions in the following categories:
DOE-STD-1036-93
10
C Related to nuclear safety (for reactors and non-reactor nuclear facilities)
C Essential for preserving environmental, safety, or health controls
C Critical to performance of the facility's designated mission.
4.1.1 Nuclear Safety Functions
Independent verification should be considered for all systems, structures, and
components performing nuclear safety functions. Facilities that handle or
process radioactive materials must determine which facility components require
independent verification, based on the reliance placed on the component for
preventing or mitigating releases of, or exposures to, radioactive materials.
The following are examples of components and systems that may have a
nuclear safety function:
C Components that monitor radiation or radioactive materials (e.g., area
radiation monitor, criticality alert monitor, airborne activity monitor)
C Components that prevent unintentional release of radioactive materials
(e.g., hold-up tanks, vent valves, drain valves)
C Components that are essential for proper response to an emergency
(e.g., deluge systems, automatic barriers, safety injection systems).
4.1.2 Environmental, Safety, and Health (ES&H) Functions
All facilities (not just nuclear facilities) contain systems, structures, and
components that perform safety functions and/or prevent unintentional
releases of hazardous or toxic materials into the environment. Systems,
structures, and components performing these functions should be
DOE-STD-1036-93
11
considered for independent verification. The following are examples of
components and systems that may have an ES&H function:
C Fire protection systems (e.g., fire detection systems, fire-fighting
water supply and storage, halon and carbon dioxide (CO
2
) storage
systems)
C Ventilation systems (e.g., toxic fume hoods, glove boxes, breathing
air supplies)
C Emergency power systems (e.g., uninterruptible power supplies
(UPS), emergency generators, load shedding or transfer switches)
C Components preventing uncontrolled release of toxic or radioactive
materials into the environment (e.g., isolation valves, monitoring
systems, hold-up tanks).
In addition to components of designated safety or environmental
protection systems, certain components in virtually any system may
perform a safety function when used as part of a lockout/tagout. Such
components include circuit breakers and valves used to isolate energy or
hazardous materials from a work area, grounds installed prior to service
on electrical equipment, telltale bleed lines for verifying hazardous
material isolations, etc. The facility's lockout/tagout program should
address the use of these components in protecting personnel and
equipment, and the verification required in connection with that use. A
more complete discussion of the requirements for personnel protection
during service or maintenance is found in DOE Order 5480.19, Chapter
IX, "Lockouts and Tagouts," and in DOE-STD-1030-96, Guide to Good
Practices for Lockouts and Tagouts.
DOE-STD-1036-93
12
4.1.3 Mission-Critical Functions
Independent verification is more than just an adjunct to the facility safety
or environmental control programs; it is a tool that can be used to
enhance the reliability of facility operations. Applying independent
verification to production-related systems and components helps reduce
unscheduled shutdowns and other unplanned reductions in the facility
output. Systems, structures, and components that are critical to the
performance of the facility's mission should be considered for
independent verification.
In addition to the systems, structures, and components that fill nuclear
safety, ES&H, and mission critical functions, independent verification
should also be considered for systems or components that could
challenge a safety system or mission critical system. For example, testing
or changing the alignment of certain components in a non-safety,
non-critical system may cause spurious actuation of a safety system or a
transient upset in a mission-critical system.
4.1.4 Components Excluded from Independent Verification Requirements
In some systems where independent verification is required, specific
components may be excluded from the requirement if certain conditions
are met. Independent verification may not be required for a particular
component if:
C Mispositioning the component would not affect system performance
(i.e., the system could perform its intended function even if the
particular component were mispositioned). For example, a cooling
system may be able to perform its intended function even though an
air vent or water drain valve in a heat exchanger is not properly
DOE-STD-1036-93
13
positioned. In this case, the vent or drain valve may not require
independent verification.
C Mispositioning the component would be known immediately to an
operator (i.e., a reliable indicator of component position or an alarm
would alert an operator if the component position is not correct).
The presence of position indicating lights for a valve is not considered
sufficient justification for excluding the valve from independent
verification requirements. However, the lights may be used along
with other process parameters to verify the valve position.
C Significant exposure to radiation or hazardous material would be
received by the person(s) performing the independent verification. In
this case, an alternative method for verification should be found, such
as observing process parameters or reliable remote indication.
Any components exempted from independent verification requirements
through the criteria listed above should be approved by the operations
supervisor.
4.2 Situations Requiring Independent Verification
Independent verification should be performed whenever there is a reasonable
chance that the proper function of any system, structure, or component identified
in Section 4.1 is jeopardized. For example: whenever components of a system are
manipulated, there is a chance that the resulting alignment is not correct; or, when
operations are performed on similar, nearby systems, there is a chance of
inadvertently manipulating a component in the wrong system. Independent
verification of these activities would prevent further undesirable consequences.
DOE-STD-1036-93
14
This is not meant to imply that every operation in the facility should be
independently verified. The consequences of alignment errors in certain equipment
systems (those not meeting the criteria of Section 4.1) may not justify the
expenditure of resources and effort involved in independent verification. Facilities
should evaluate their operations to determine when independent verification should
be performed, then document the determinations in appropriate guidelines or
procedures. The following subsections discuss four specific situations when
independent verification should be performed on the systems, structures, and
components designated in Section 4.1.
4.2.1 Removing Equipment from Service
When nuclear safety, ES&H, or mission critical equipment is removed
from service, the critical or safety functions the equipment had performed
must often be transferred to other equipment or systems remaining in
service. Independent verification should be performed to ensure that the
critical or safety function is not inadvertently disabled. For example,
consider a safety system containing two redundant pumps that discharge
into a common header. One of the pumps must be removed from service
for maintenance in accordance with lockout/tagout procedures.
C Independent verification should be performed to ensure that the
remaining pump is properly aligned for service and has not been
inadvertently isolated.
C Independent verification should always be performed after installation
of a lockout/tagout to ensure that adequate protection for workers is
provided, as described in DOE Order 5480.19, Chapter IX,
"Lockouts and Tagouts," and in DOE-STD-1030-96, Guide to Good
Practices for Lockouts and Tagouts.
DOE-STD-1036-93
15
4.2.2 Placing Equipment in Service
Whenever nuclear safety, ES&H, or mission critical equipment is placed
in service, or returned to service following maintenance, testing, or an
extended shutdown, independent verification should be performed.
Listed below are some of the reasons for performing independent
verification when placing equipment in service.
C When equipment has been out of service for maintenance, the
position of components within the lockout/tagout boundary could
have been changed during maintenance.
C Components that have been involved in a test may have been left in
the test position and not reconfigured for operation.
C During extended shutdowns, it is often impractical to maintain
equipment in its normal operating configuration.
C Startup activities may involve overlapping procedures for the lineup
or testing of multiple interfacing systems, possibly resulting in
uncertainty as to whether the final position of components is correct.
Independent verification at the time equipment is returned to service is
not the same as, nor intended to take the place of, post-maintenance
testing. Post-maintenance testing is normally required for all facility
equipment, whereas independent verification normally is not required on
non-critical, non-safety equipment. In some limited situations,
post-maintenance testing of critical or safety systems may satisfy a
requirement for independent verification. However, the programs and
criteria remain separate. Further information regarding post-maintenance
testing is contained in DOE Order 5480.19, Chapter VIII, "Control of
DOE-STD-1036-93
16
Equipment and System Status," and DOE Order 4330.4B, Maintenance
Management Program.
4.2.3 Periodic Checks during Facility Operation
Many facilities are required, by technical safety requirements or by
regulatory agencies (e.g., OSHA, EPA, state agencies), to perform
routine periodic checks of the operability of certain systems, structures,
and components. Routine periodic checks include:
C Testing fire protection systems to ensure that they are properly
aligned for operation
C Testing Continuous Emission Monitors to ensure that they detect and
record regulated emissions
C Testing toxic gas monitoring equipment (e.g., in oil well drilling and
production facilities) to ensure that the equipment will detect a
specific concentration of toxic gas and actuate an alarm.
These periodic checks (defined as surveillance tests in some facilities) are
independent of the activities that established the status of the system, and
therefore qualify as independent verifications.
When there are no regulatory requirements for periodic verification or
surveillance, it is still a good practice to periodically check the alignment
and status of safety and mission-critical equipment. Verification may be
performed using normal operating procedures, or specific checklists may
be developed for the purpose. Components to be checked may be
included on operator round sheets.
DOE-STD-1036-93
17
If the position or status of a component is changed during performance
of one of these checks, the check does not qualify as an independent
verification. If the affected component was designated in accordance
with Section 4.1, then a separate independent verification of the
positioning change should be performed.
4.2.4 Temporary Modifications
Installing or removing temporary modifications (e.g., jumpers, bypasses,
or other temporary connections) should be independently verified when
an error could cause the shutdown of critical equipment, actuation or
disabling of a safety system, or uncontrolled start of equipment that could
endanger personnel. In these situations, verification should be performed
before and during performance of the activity using concurrent dual
verification.
4.3 Verification Techniques
It is not the intent of this guide to describe appropriate techniques for independent
verification of all the components and processes used throughout DOE facilities.
Each facility should develop instructions for independent verification, using input
from experienced facility personnel and equipment manufacturer's
recommendations. The instructions should describe techniques for independent
verification of manual valves, motor-operated and air-operated valves, solenoid-
operated valves, blank flanges, circuit breakers, removable links, fuses, availability
of control power, accuracy of calculations, etc. Techniques may involve direct
verification (e.g., physically checking that a valve is closed) or indirect verification
(e.g., observing system parameters to determine that a valve is closed).
The instructions should focus the verifier's attention on the aspects of the
operation that are most susceptible to errors and/or are most critical for proper
DOE-STD-1036-93
18
function of the system. Some operations can be verified by checking the final
condition or position of components against a standard, i.e., a product-based
approach. For example:
C During a lockout/tagout, it is critical that the tags be placed on the correct
components. To ensure that no identification errors were made, the
instructions should require the verifier to independently identify each
component using the same procedures, drawings, checklists, and component
label information that were used by the performer; then verify that the
component is correctly tagged.
C When isolating a component or aligning a system for operation, each valve,
switch, bypass, or other device must be correctly positioned according to an
operating procedure or other documentation. The verifier should be
instructed to independently check the physical position of these components,
or perform other checks that will positively indicate that the components are
properly positioned.
In some operations, it is critical that the performer follow a specific process or
series of sequential steps. It may be impossible for the verifier to determine that
the steps were performed correctly through observation of the finished product.
These operations should be verified by independently observing that the proper
steps, sequence, or adjustments are performed according to a standard. The
method for this is known as concurrent dual verification. For example:
When installing a bolted cover on a piece of equipment, the bolts must be
tightened to a specific torque value in a specific sequence to prevent
damaging the cover. Instructions for verifying this operation should have the
verifier independently observe that the correct torque is applied and that the
bolts are tightened in the required sequence.
DOE-STD-1036-93
19
In all cases, the instructions should minimize the interaction between the performer
and the verifier to preserve the independence of each.
Once the instructions are developed, personnel involved in performing independent
verification should be trained on the techniques. Operating experience alone may
not provide adequate knowledge for performing independent verification. Specific
training on the techniques for independent verification enhances their reliability.
The training may be performed as part of the operator qualification program
and/or the facility continuing training program.
The general guidelines that follow should be considered when developing specific
verification techniques. When possible, verification should be performed using
more than one indication or technique, e.g., performing a physical verification and
checking system parameters.
4.3.1 Verifying Valve Position
It is not always possible to determine if a valve has been completely
closed or opened by merely observing the action. The relative height of a
valve stem is not considered a reliable position indicator for independent
verification. Lines scribed on the valve stem or other positive indicators
of stem position can aid in accurately determining the valve position.
However, a mechanical indicator may not accurately reflect the position
after maintenance has been performed on the valve, or even after a period
of normal use.
The preferred method for verifying valve position is a physical
verification. A visual check of the stem position or position indicators
should be used whenever possible to confirm the physical verification.
Physical verification of a manually operated valve should be performed
DOE-STD-1036-93
20
by attempting to turn the valve in the closed direction. The effects of this
are:
C If the valve is closed, attempting to turn the valve in the closed
direction will not effect its position. Closed valves should NOT be
opened for verification to prevent adversely affecting system
integrity, because even a slight opening can pressurize or release
hazardous materials into the downstream piping.
C If the valve is open, the verifier will be able to turn the valve in the
closed direction. Only a slight movement in this direction is needed
to confirm that the valve is open, without affecting the flow or
process. The verifier should then restore the valve to its original
position.
If the valve position is not in accordance with the requirements, the
verifier should NOT operate the valve further, and should notify the
cognizant supervisor.
4.3.2 Verifying Throttled Valves
Some valves are required to be in a throttled position, i.e., intermediate
between fully open and fully closed. Often the procedure for establishing
the throttled position is to close the valve, then count a specific number
of turns in the open direction. If this same action were to be performed
by a verifier, the original positioning would be nullified, constituting no
verification.
If possible, alternate means should be established for verifying throttled
valves. If the position of the valve stem would provide visible indication
of the valve position, the facility may place a label or scribe marks on the
DOE-STD-1036-93
21
valve stem to use in independent verification. Other types of valve
position indicators may be approved by the facility. In these cases, the
throttled valve position may be independently verified by visually
checking the valve and the position indicator.
If it is necessary to close and reopen the valve to establish its position, it
is preferable to have both the performer and the verifier present
(concurrent dual verification). The verifier should independently verify
that the correct valve was identified, its required position was correctly
determined according to the procedure, the positioning was performed
correctly, and process parameters, if available, confirm the correct
positioning.
4.3.3 Checking Process Parameters
Observation of process parameters (e.g., pressure, flow, voltage) may
help verify the correct position of components. However, process
parameters alone may not give an accurate indication of component
status, because alternate flow paths or other factors may cause
misleading indications. For example,
C Voltage on a circuit does not prove that a particular supply breaker is
closed unless there is no alternate power supply
C Flow and pressure do not necessarily prove that a valve is fully open.
Observation of process parameters should be combined with other
verification methods, such as physical checks of component position,
whenever possible. Facility guidelines should specify where and when
process parameters alone are acceptable indicators of component
position.
DOE-STD-1036-93
22
4.3.4 Checking Remote Position Indicators
Independent verification should always be performed locally, unless
precluded by exposure to radiation, hazards, or other overriding factors.
In those limited situations, independent verification may be performed
using remote position indicators. The most common of these are
indicating lights.
Remote position indicators may seem to represent an ideal method for
independent verification. However, equipment failures in the sensor,
signal transmission, or display device can cause valve-position-indicating
lights and other control board indications to be incorrect. Some failures
of this type have gone undetected for a significant length of time.
Independent verification using remote position indicators should be
checked using other verification methods, such as process parameters,
whenever possible.
4.3.5 Surveillance (Operational) Testing
Certain systems and components are subject to periodic surveillance
(operational) tests due to regulatory requirements. In many cases, the
nature of the test qualifies it as an independent verification of system
alignment and capability. For example, a full-flow test of a system can
prove that the alignment of components and positioning of flow-
controlling valves is correct. This means of proving operability is not the
same as the means used to establish the position of the components, and
therefore is independent of the original activity.
Some surveillance tests may not test the components in their operating
configuration, or they may not include all the components that would be
required for operation. For example, running a pump in recirculation to
DOE-STD-1036-93
23
verify discharge pressure would not prove that the main flow-path valves
were correctly positioned, and may not prove that external cooling or
backup lubrication pumps are properly aligned.
Surveillance testing may be used to satisfy independent verification
requirements ONLY if it is shown conclusively that the test proves the
required position of the components in question. Because surveillance
testing involves operation of equipment, the operations supervisor should
approve any performance of surveillance tests.
4.3.6 Verifying Operational Processes
Sometimes verification is required for an operational process or proper
completion of a series of procedural steps. Concurrent dual verification
is one method for accomplishing this. The following is an example of
independent verification of an operational process, in this case
performing a calculation:
A calculation of the estimated critical position (ECP) for reactor
control rods is required before a reactor startup. In at least two
recent incidents, errors in this calculation went undetected until the
reactor startup was in progress. When the discrepancy was
discovered, the reactors in question were shut down in accordance
with procedures, and further investigation revealed errors in the
calculations. As a result of these incidents, DOE has directed all
reactor facilities to perform two independent ECP calculations when
required for reactor startup. If a computer code is used to calculate
the ECP, two independent determinations of input parameters are
required. The responsible manager must reconcile any differences in
the calculations prior to startup.
DOE-STD-1036-93
24
4.3.7 Verifying Locked/Tagged Components
Components that are danger tagged in accordance with the facility's
lockout/tagout procedure must NOT be manipulated in the performance
of an operating procedure or for the purpose of independent verification.
If such components are encountered during independent verification, the
verifier SHOULD NOT attempt to physically verify the position. The
verifier SHOULD verify that the correct component has been identified,
determine the required position in accordance with the procedure,
determine the position of the component as recorded on the danger tag,
and use all other appropriate methods to verify that the component is
positioned as stated on the danger tag (e.g., observe process parameters,
remote indicators, etc.). Additional information relating to locked/tagged
equipment is contained in DOE Order 5480.19, Chapter IX, "Lockouts
and Tagouts," and in DOE-STD-1030-96, Guide to Good Practices for
Lockouts and Tagouts.
4.3.8 Resolving Inconsistencies Discovered during Independent
Verification
The underlying principle of independent verification is that anyone can
make a mistake. This also means that any inconsistency identified by the
verifier could be the verifier's mistake. The verifier should NOT change
the position or status of a component to correct an inconsistency.
Whenever an inconsistency is discovered, the verifier should immediately
stop and notify the appropriate supervisor. Facility procedures should
identify the supervisory position responsible for resolving independent
verification inconsistencies.
When informed of the inconsistency, the supervisor should resolve the
issue (e.g., by physically verifying the position of the component in
DOE-STD-1036-93
25
question). If repositioning is required, it should be approved by the
supervisor. If the component is subject to administrative controls (e.g.,
lockout/tagout), the supervisor must ensure compliance with those
guidelines during physical verification or repositioning.
4.4 Operations Self-Appraisal and Verification
Independent verification is a formal process for ensuring safety and reliability in
facility systems. However, the concepts of verification and independence have a
wider application. Programs and activities that affect operations should receive
independent appraisals or verifications to ensure that they meet established criteria
relating to safety, health, environmental protection, and operational practices. For
example, procedure development and training are activities that have a direct
impact on operations. These activities should be evaluated through self-appraisal
and independent (e.g., operations organization) review to ensure that they
accomplish their intended purpose and are consistent with applicable regulatory
and operational guidelines.
DOE-STD-1036-93
26
INTENTIONALLY BLANK
DOE-STD-1036-93
27
SUPPLEMENTAL RESOURCES
The following sources provide additional information pertaining to topics discussed in this Guide
to Good Practices.
DOE Order 4330.4B, Maintenance Management Program.
DOE Order 5480.19, Conduct of Operations Requirements for DOE Facilities, Chapter VIII,
"Control of Equipment and System Status."
DOE Order 5480.19, Conduct of Operations Requirements for DOE Facilities, Chapter IX,
"Lockouts and Tagouts."
DOE-STD-1030-96, Guide to Good Practices for Lockouts and Tagouts.
DOE-STD-1036-93
28
INTENTIONALLY BLANK
DOE-STD-1036-93
CONCLUDING MATERIAL
Review Activities:
DOE
DP
EH
EM
ER
NE
NS
Preparing Activity:
DOE-EH-31
Project Number:
MISC-0008
