Principle cannot be met. Therefore, in the case where a criticality accident is credible and only one
parameter is controlled, the process does not meet the Double-Contingency Principle.

A CSE done for the purpose of demonstrating that a mitigated criticality accident is not a credible event
cannot simply assume that application of double contingency achieves that result. If a criticality accident
is not credible then the risk of a criticality accident is lower than that provided by the application of the
Double-Contingency Principle even if only one parameter is controlled. Therefore, in cases where a
mitigated (i.e., crediting controls that prevent the accident) criticality accident is not credible, DOE Order
420.1B does not require DOE approval. A CSE showing that a mitigated criticality accident is not
credible should not rely on simplistic formulas for the numbers of controls or contingencies in place (i.e.,
by defining not-credible as equivalent to three concurrent contingencies or concurrent failure of four
controls, etc.). The CSE should provide justification for concluding that a criticality accident is
not-credible based on the application of technical practices described in Section 4.2 of ANSI/ANS-8.1-1998.
Such a CSE may rely on controls present in the facility. Controls that are relied upon shall⁶ be
documented. Reliance should be placed explicitly on engineered features, specific administrative
controls, and/or various administrative programs such as material control and accountability, safeguards
and security, on and off-site transportation requirements, and non-destructive assay to support the
conclusion that a criticality accident is not a credible event. Finally, DSA and TSR level controls should
be developed to ensure that the potential for a criticality accident remains not-credible. See guidance
provided in Section IV of this standard for the selection of controls for inclusion in the DSA.

The first step in the analysis is to understand and analyze the range of normal processing conditions.
Estimates of the normal range of relevant operating parameters including conservative estimates of
anticipated variations in those parameters shall⁶ be determined, documented, and demonstrated to be
subcritical. This constitutes the 'base' or 'normal' case for the CSE.

All credible contingencies shall¹ be identified, analyzed, and documented. The following three basic
steps should be included in performing the contingency analysis:
1. Know the operation and system being evaluated. The criticality safety engineer should directly
observe the processes and equipment if they currently exist. Facility and equipment drawings
should be reviewed as well as process flow sheets or descriptions. The safety analysis for the
facility (DSA or Safety Analysis Report) is an appropriate source of information on failure modes