6 July 2000CSAM Team1 CERN Safety Alarm Monitoring Invitation to Tender Strategy CERN Safety Alarm...

6 July 2000 CSAM Team 1

CERN Safety Alarm MonitoringCERN Safety Alarm Monitoring

Invitation to Tender Invitation to Tender StrategyStrategy

CERN Safety Alarm System Supervisory Board

3st meeting

CSAM project team


OutlineOutline

IEC 61508 basics S. Grau ST/MO

CSAM Safety requirements F. Balda ST/AA,

A. Chouvelon TIS/GS, S. Grau, ST/MO

Contract Strategy P. Ninin ST/MO


IEC 61508 basicsIEC 61508 basics

Functional safety Analysis of your system that provides you a justified confidence on the delivered service

Functional safety of electrical / electronic / programmable electronic safety-related systems structured via a Safety Lifecycle


How should the system diagnose errors ?Which auto tests should be defined? What should be the maintenance politic ?

Will the user know if some functions are not available ?

How much time do we accept system down-time per year ?

Can the system become dangerous in case of functional or transmission pathfailure ?

Reliabilitystudy

Maintainability study

Securitystudy

Availability study



Safety Integrity Level (SIL) Associated to a function and to the risk that the function is dealing with

• SIL 1

• SIL 2

• SIL 3

• SIL 4

Non redundant architectures with PLCs

Integrated control system for subwaysEquipment of Electrical Substations

Sub-system of boiler safeties for thermal power plants



Why should we use it ?Why should we use it ?

Objectives definition Accessible, realistic quantify + Domain of tolerance or variability

Specification of requirements Functional, service quality, dysfunctional behavior

Anticipate degraded modes and control the risks

Justify confidence in the system Based on: experience, expertise, forecast, methods and

standards.



AIMS OF THE SPECIFICATION:

Define a safety strategy both for the team and CSAM developers

Trace a path for a RAMS-validated system Prepare specific requirements Be consistent with IEC - 61508 Use validated risk analysis techniques

CSAM Safety RequirementsCSAM Safety Requirements


ContentsContents

Safety Requirements

Based on IEC - 61508

Constraints

Undesired Events

Objectives

Safety functions and SILassignment

Risk analysis strategy



Basic safety conditions that the system must satisfy in order to be approved

Example: “The system must be in operation 24 hours a day, 365 days per year”

1.- Safety Constraints1.- Safety Constraints



Any accident, simple or complex event that the system users or the community want to avoid

Example: “Total loss of the system”

ACTION: Foresee consequences Require a frequency to make the risk acceptable ALARP model (As Low As Reasonably Practicable)

2.- Undesired Events2.- Undesired Events



The consequence on theprocess can be "Catastrophic"

1: Assign a "ConsequenceCategory"

Total loss of the systemInjury to personnel Damage to equipmentCategory

Criteria

(process)

N. fatalities(indicative -

process)

CHF Loss

(process)

Downtime

(process)

Catastrophic Events capable ofresulting inmultiple fatalities

> 1 > 108 > 3 months

Major Events capable ofresulting in afatality

1 106 – 108 1 week to 3months

Severe Events which maylead to serious,but not fatal,injury

0.1 104 – 106 4 hours to 1 week

Minor Events which maylead to minorinjuries

0.01 0 - 104 < 4 hours

2.- Undesired Events: technique2.- Undesired Events: technique



The maximum allowedfrequency is "Remote"

4: Individuate thresholdfor tolerable risk

3: Use the "Risk Matrix"

2: Define risk classesRisk class Interpretation

I Intolerable risk (unacceptable region)

II Undesirable risk, and tolerable only if risk reduction is impracticable or if thecosts are grossly disproportionate to the improvement gained (ALARP region)

III Tolerable risk if the cost of risk reduction would exceed the improvementgained (ALARP region)

IV Negligible risk (acceptable region)

ConsequenceFrequency

Catastrophic Major Severe Minor

Frequent I I I II

Probable I I II III

Occasional I II III III

Remote II III III IV

Improbable III III IV IV

Negligible / NotCredible

IV IV IV IV

Risk is no more “Intolerable”




The "Required frequency"

for the UE is "Improbable"or "Negligible"

6: Individuate the

"Required frequency"

5: Individuate the "Maximum

frequency" meaning

Common use:

Decrease the “Maximum frequency” of 1 or 2 orders of magnitude

Category Description Indicative frequencylevel (per year)

Frequent Events which are very likely to occur in the facilityduring its lifetime

> 1

Probable Events that are likely to occur in the facility duringits lifetime

10-1 - 1

Occasional Events which are possible and expected to occur inthe facility during its lifetime

10-2 – 10-1

Remote Events which are possible but not expected to occurin the facility during its lifetime

10-3 – 10-2

Improbable Events which are unlikely to occur in the facilityduring its lifetime

10-4 – 10-3

Negligible /Incredible

Events which are extremely unlikely to occur in thefacility during its lifetime

< 10-4




<< Le risque 0 n’existe pas,il peut être quantifié ou << Le risque 0 n’existe pas,il peut être quantifié ou diminué par l’action réfléchit de l’homme >>diminué par l’action réfléchit de l’homme >>

Risk = Frequency x Consequence

Individual risk and collective risk

2.- Undesired Events: Risk recall2.- Undesired Events: Risk recall



Frequency of the recorded events (LEP period):

Fire / small system(minor) ~5/an Fire / installation (severe) ~1/an Fire / building (major) ~2/5ans Fire / experience (catastrophic) ? Fatalities (catastrophic) 6/15ans Injured (major) ~10/an

2.- Undesired Events: Statistics at CERN2.- Undesired Events: Statistics at CERN



Injury to personnel Damage to equipmentCategory

Criteria

(process)

N. fatalities(indicative -

process)

CHF Loss

(process)

Downtime

(process)

Catastrophic Events capable ofresulting inmultiple fatalities

> 1 > 108 > 3 months

Major Events capable ofresulting in afatality

1 106 – 108 1 week to 3months

Severe Events which maylead to serious,but not fatal,injury

0.1 104 – 106 4 hours to 1 week

Minor Events which maylead to minorinjuries

0.01 0 - 104 < 4 hours

2.- 2.- Undesired Events: Consequences CategoriesUndesired Events: Consequences Categories



Detailed conditions which the system is expected to cope with

Example: “Any Undesired Event or chain of events leading to a similar scenario should be characterised by a frequency of at least one or two orders of magnitude less than the one required for an acceptable risk”

3.- Safety Objectives3.- Safety Objectives



Fire Brigade (SCR)E2

XCRE3

TCRE4

Local SynopticE10

Access Control Interlock

E9

DatabaseE8

Power SuppliesE6

S

f

h3

7

Environment CSAME5

eg

i

Accelerator Control Rooms

E7

j

Detection Equipment E1

1

Communication Network

E11

4

2

5

b

c

d

6

a

4.- Safety Functions4.- Safety Functions



SIL 1 10-1 10-5

SIL 2 10-2 10-6

SIL 3 10-3 10-7

SIL 4 10-4 10-8

Maximum rate of failure in a continuous mode of operation,

probability of a dangerous failure per hour

Probability of failure to perform its design on

demandSIL

4.- SIL Assignment4.- SIL Assignment



Number of independent safety-realtedsystems

3 - - - SIL1 SIL 1 SIL2 - - SIL 1 SIL1 SIL 2 SIL2

2 SIL 1 SIL 1 SIL 2 SIL 2 SIL 3 SIL3 SIL 1 SIL 2 SIL 2 SIL 3 SIL3 SIL3

1 SIL 2 SIL 3 SIL 3 SIL3 SIL3 SIL 3 SIL 3 SIL 3 SIL 3 SIL3 SIL3 SIL4

Negligible Improbable Remote Occassional Probable Frequent Negligible Improbable Remote Occassional Probable Frequent

Category Consequences

3 - - - - - SIL 1 - - - - - SIL 1

2 - - - SIL 1 SIL 1 SIL 2 - SIL 1 SIL 1 SIL 2 SIL 2 SIL 2

1 SIL 1 SIL 1 SIL 1 SIL 1 SIL 2 SIL 2 SIL 1 SIL 1 SIL 2 SIL 2 SIL3 SIL 3

Negligible Improbable Remote Occassional Probable Frequent Negligible Improbable Remote Occassional Probable Frequent

Category Consequences

MINOR

Event likelihood

Event likelihood

SEVERE

Event likelihood

CATASTROPHICMAJOR

Event likelihood




• Example Function 1:

<< Send commands to safety equipment for performing safety actions >>

• Related Undesired Events (UE):

UE-8: Safety actions failure • UE Consequences category:

Catastrophic• Event likelihood:

Frequent• SIL assignment:

SIL 3




Preliminary Risk Assessment(PRA)

Risk Analysis

Keep into account the Maintenance politics

Objectives:

• Identify and locate the hazards• Individuate the weak points

• Point out causes and consequences of hazards• Find corrective measures if necessary

• Set special protection systems if necessary

Methods:HazOp, FMECA, Qualitative Fault Trees

Objectives:

• Quantify the probability of foreseen accidents• Quantify the consequences

• Estimate the risk• Quantify reliability and availability

• Validate the good working of the system• Verify that constraints are respected

• Iterate the process if corrective actions have to be undertaken

Methods:Fault Trees, Event Trees, Markov graphs,

Petri nets

5.- Risk analysis strategy for CSAM developers5.- Risk analysis strategy for CSAM developers



A series of precise requirements have been defined

Requirements are based on IEC - 61508 and on widely used safety techniques

A risk analysis strategy has been outlined for CSAM developers

Worst foreseen accidents have been identified

Safety Integrity Levels have been assigned

SummarySummary



Product satisfying functional safety criteria of Availability, Reliability, Maintainability, Security

Upgrade of existing safety alarm systems Modularity, Standardisation, Integration

Operational and Maintenance service on a “per-alarm” driven and controlled by system performance indicators

INB compliant

The Strategic ObjectivesThe Strategic Objectives

Contract StrategyContract Strategy


W P3

W P2

W P1Realisation of a pilot installation of the final

product covering only one CERN Safety ZoneInstalled in parallel to the existing alarm system s

CSAM System designed according to thefunctional safety standards

Product requirem ents including the functionalsafety requirem ent

Validated

Installation of the product in all rem aining CERNSafety Zones by m igrating the existing alarm

system s

Operation and m aintenance of all the installedpart of the product

2001

2011

2002

2004

2002

2002

1 contract -> 3 Work Packages (WP)1 contract -> 3 Work Packages (WP)



B ack to ap p rop riateC S AM safety lifecyc le

p h ase

C S AM M od ification an dR etrofit

1 5

C S AM O p eration ,M ain ten an ce an d R ep air

1 4

C S AM S ite Accep tan cean d S afety Valid ation

1 3

C S AM In s ta lla tion an dC om m iss ion in g

1 2

S afety -re lated sys tem s:E /E /P E S

9 C S AM R ealisation

E/E/PESsafety

lifecycle

Softwaresafety

lifecycle

9

C S AM U ser, S ys tem an dS afety R eq u irem en ts A llocation

5

C SAM planning

C SAMO perational and

M aintenanceplanning

6C SAM Safety

Validationplanning

7

C SAMInstallation andC ommiss ioning

planning

8

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5

WP Breakdown based on IEC 61508

Work Packages BreakdownWork Packages Breakdown



ds

T im e

W ork packages andlifecycle phases

Installation (W P2)

Operation & M aintenance (W P3)

KCHF

500

1000

Design(W P1)

2001 2002 2003 2004 2005 2006 2007

Extension (WP3)

Operation and M aintenanceServicesof the installed equipm ent

startof thecontract

Installation of all CERNSafety Zones Operation and M aintenance

Servicesof the com plete installation End

of thecontract

The CSAM commercial strategyThe CSAM commercial strategy



WP1: Concept validated -> payment WP2: Migration of all Safety Zones

Bonus/Malus according to quality & deadlines

WP3: Bonus/Malus according to system performance

Results Oriented ContractResults Oriented Contract



Cost based on the level of integration

HardwareAlarm s

Softwarealarm s

AlarmDatabaseupdates

Hum anCom puterInterfaceupdates

CostHCI

CostDB

CostSW A

CostHW A

Alarm Integration CostAlarm Integration Cost



How the application of functional safety and the Operational and maintenance service will guarantee optimal contract performance?

The functional safety fixes clear measurable results for the functioning of the system

The O&M service has to satisfy the same functional requirements Therefore there is an optimum when

System is well functioning and

Minimum O&M effort is required




System is not functioning

System is well functioning

Two Losers: CERN and the Contractor

Two Winners: CERN and the Contractor

Decrease the performance

Increase the O&Meffort to make it functioning

LOWER THE GAIN

Improve the performance

Maintain the minimum O&Meffort to keep it functioning

INCREASE THE GAIN




Ds ds

Safey Alarms Monitoring Center(SAMC)

X-terminalsandPCs

External Systems(TDS, .....)

CERN Safety Alarm System s(CSAS)

SW

inte

rface

Local Safey Alarms Controller(LSAC)

Central Safety Alarm s Controller(CSAC)

CommonReferenceDatabase

Fire Brigade SCADA server

Safety Alarm Gatewayto external system s

(SAGES)

SCR ConsoleSCADA client

TCR ConsoleSCADA client

Hardwired Safety A larm s(O ne per safety zone)

CERN Safety Alarm Network(CSAN)

LHC Com m unication Infrastructure(Safety A larm Network)

(Technical Services Network)

Existing TechnicalServices Network

Global Superv isionand

Maintenance Manager(G SMM):

Technical Data Server(TDS)

The Safety Alarm Monitoring Center

The Local Safety Alarms Controller

The CERN Safety Alarm Network



CSAMOperation & Maintenance requirements

[TS11]

Project Description[TS1]

CSAMUser Requirement Document

[TS2]

CSAMSafety Requirements

[TS3]

Safety Alarm Monitoring Center Product Requirements

[TS4]

Local Safety Alarm Controller Product Requirements

[TS5]

Safety Alarms Gateway to External SystemsProduct Requirements

[TS7]

CSAM Supervision and Maintenance ManagerProduct Requirements

[TS6]

CSAMInterface document

[TS9]

CSAMAcceptance test document

[TS10]

CERN Safety Alarm NetworkProduct Requirements

[TS8]

Documentation structure

Detailed description of the safety alarm requirements

The Technical Specification structureThe Technical Specification structure



Final version sent for approval to all the concerned parties

Replies expected by the end of June Last Revision Mid-July

The CSAM User RequirementsThe CSAM User Requirements



18 Firms replied to the MS 10 Fully qualified 8 visit planned to take place June/July

Three types of companies: Nuclear Petrol-chemical Security (intrusion and access control, fire detection, etc.)

Status of the Market SurveyStatus of the Market Survey



Real Outsourcing Safety Objectives

-> Contract (System, O&M) -> Result Oriented Payment

IEC 61508 as a safeguard (design, operation, benchmark)

The contractor needs to control its environment !

Others Open question on the Safety networks ( added in the IT2694) IT under ST revision process, out of CERN end of

September

ConclusionsConclusions


6 July 2000CSAM Team1 CERN Safety Alarm Monitoring Invitation to Tender Strategy CERN Safety Alarm...

Documents

Transcript of 6 July 2000CSAM Team1 CERN Safety Alarm Monitoring Invitation to Tender Strategy CERN Safety Alarm...