6 July 2000 CSAM Team 1
CERN Safety Alarm Monitoring
Invitation to Tender Strategy
CERN Safety Alarm System Supervisory Board, 3rd meeting
CSAM project team
Outline
IEC 61508 basics: S. Grau (ST/MO)
CSAM safety requirements: F. Balda (ST/AA), A. Chouvelon (TIS/GS), S. Grau (ST/MO)
Contract strategy: P. Ninin (ST/MO)
IEC 61508 basics
Functional safety: an analysis of your system that gives you justified confidence in the delivered service.
IEC 61508 covers the functional safety of electrical / electronic / programmable electronic (E/E/PE) safety-related systems, structured through a safety lifecycle.
IEC 61508 basics
Questions the analysis must answer:
• How should the system diagnose errors? Which self-tests should be defined? What should the maintenance policy be?
• Will the user know if some functions are not available?
• How much system downtime per year do we accept?
• Can the system become dangerous if a function or a transmission path fails?
Studies: reliability study, maintainability study, security study, availability study.
IEC 61508 basics
Safety Integrity Level (SIL): associated with a function and with the risk that the function deals with.
• SIL 1
• SIL 2
• SIL 3
• SIL 4
Typical applications: non-redundant architectures with PLCs; integrated control systems for subways; equipment of electrical substations; sub-systems of boiler safeties for thermal power plants.
IEC 61508 basics: why should we use it?
• Objectives definition: accessible, realistic, quantified, with a domain of tolerance or variability
• Specification of requirements: functional, service quality, dysfunctional behaviour
• Anticipate degraded modes and control the risks
• Justify confidence in the system, based on experience, expertise, forecasts, methods and standards
CSAM Safety Requirements: aims of the specification
• Define a safety strategy for both the team and the CSAM developers
• Trace a path to a RAMS-validated system (Reliability, Availability, Maintainability, Safety)
• Prepare specific requirements
• Be consistent with IEC 61508
• Use validated risk analysis techniques
CSAM Safety Requirements: contents
Safety requirements based on IEC 61508:
1. Constraints
2. Undesired events
3. Objectives
4. Safety functions and SIL assignment
5. Risk analysis strategy
CSAM Safety Requirements: 1. Safety constraints
Basic safety conditions that the system must satisfy in order to be approved.
Example: "The system must be in operation 24 hours a day, 365 days per year."
CSAM Safety Requirements: 2. Undesired events
Any accident, or any simple or complex event, that the system users or the community want to avoid.
Example: "Total loss of the system."
Action: foresee the consequences, then require a frequency that makes the risk acceptable, using the ALARP model (As Low As Reasonably Practicable).
CSAM Safety Requirements: 2. Undesired events: technique
Step 1: assign a "Consequence Category" to the undesired event. For the example "Total loss of the system", the consequence on the process is "Catastrophic".

Category | Criteria (process) | Injury to personnel: N. fatalities (indicative, process) | Damage to equipment: CHF loss (process) | Downtime (process)
Catastrophic | Events capable of resulting in multiple fatalities | > 1 | > 10^8 | > 3 months
Major | Events capable of resulting in a fatality | 1 | 10^6 – 10^8 | 1 week to 3 months
Severe | Events which may lead to serious, but not fatal, injury | 0.1 | 10^4 – 10^6 | 4 hours to 1 week
Minor | Events which may lead to minor injuries | 0.01 | 0 – 10^4 | < 4 hours
CSAM Safety Requirements: 2. Undesired events: technique
Step 2: define the risk classes.

Risk class | Interpretation
I | Intolerable risk (unacceptable region)
II | Undesirable risk, tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained (ALARP region)
III | Tolerable risk if the cost of risk reduction would exceed the improvement gained (ALARP region)
IV | Negligible risk (acceptable region)

Step 3: use the "Risk Matrix" (rows: frequency; columns: consequence).

Frequency | Catastrophic | Major | Severe | Minor
Frequent | I | I | I | II
Probable | I | I | II | III
Occasional | I | II | III | III
Remote | II | III | III | IV
Improbable | III | III | IV | IV
Negligible / Not credible | IV | IV | IV | IV

Step 4: find the threshold for tolerable risk. For the "Catastrophic" example the risk is no longer "Intolerable" (class I) from "Remote" downwards, so the maximum allowed frequency is "Remote".
CSAM Safety Requirements: 2. Undesired events: technique
Step 5: find the meaning of the "Maximum frequency" in the frequency table below.
Step 6: find the "Required frequency". Common use: decrease the "Maximum frequency" by one or two orders of magnitude. For the example, a maximum frequency of "Remote" gives a required frequency for the UE of "Improbable" or "Negligible".

Category | Description | Indicative frequency level (per year)
Frequent | Events which are very likely to occur in the facility during its lifetime | > 1
Probable | Events that are likely to occur in the facility during its lifetime | 10^-1 – 1
Occasional | Events which are possible and expected to occur in the facility during its lifetime | 10^-2 – 10^-1
Remote | Events which are possible but not expected to occur in the facility during its lifetime | 10^-3 – 10^-2
Improbable | Events which are unlikely to occur in the facility during its lifetime | 10^-4 – 10^-3
Negligible / Incredible | Events which are extremely unlikely to occur in the facility during its lifetime | < 10^-4
CSAM Safety Requirements: 2. Undesired events: risk recall
"Zero risk does not exist; it can be quantified or reduced by deliberate human action."
Risk = Frequency x Consequence
Individual risk and collective risk
CSAM Safety Requirements: 2. Undesired events: statistics at CERN
Frequency of the recorded events (LEP period):
• Fire / small system (minor): ~5 per year
• Fire / installation (severe): ~1 per year
• Fire / building (major): ~2 per 5 years
• Fire / experiment (catastrophic): ?
• Fatalities (catastrophic): 6 in 15 years
• Injured (major): ~10 per year
CSAM Safety Requirements: 2. Undesired events: consequence categories
(The consequence categories table shown again, as on the "technique" slide above: Catastrophic / Major / Severe / Minor with the fatalities, CHF loss and downtime criteria.)
CSAM Safety Requirements: 3. Safety objectives
Detailed conditions which the system is expected to cope with.
Example: "Any Undesired Event, or chain of events leading to a similar scenario, should be characterised by a frequency at least one or two orders of magnitude less than the one required for an acceptable risk."
CSAM Safety Requirements: 4. Safety functions
(Diagram on the slide: the safety functions are drawn as links, numbered 1 to 7 and lettered a to j, between the following elements of the CSAM environment.)
E1 Detection equipment
E2 Fire Brigade (SCR)
E3 XCR
E4 TCR
E5 Environment CSAM
E6 Power supplies
E7 Accelerator control rooms
E8 Database
E9 Access control interlock
E10 Local synoptic
E11 Communication network
CSAM Safety Requirements: 4. SIL assignment

SIL | Probability of failure to perform its design function on demand (maximum) | Maximum rate of failure in continuous mode of operation: probability of a dangerous failure per hour
SIL 1 | 10^-1 | 10^-5
SIL 2 | 10^-2 | 10^-6
SIL 3 | 10^-3 | 10^-7
SIL 4 | 10^-4 | 10^-8
CSAM Safety Requirements: 4. SIL assignment
SIL as a function of the consequence category, the event likelihood and the number of independent safety-related systems ("-": no SIL requirement shown).

MINOR consequences
Independent systems | Negligible | Improbable | Remote | Occasional | Probable | Frequent
3 | - | - | - | - | - | SIL 1
2 | - | - | - | SIL 1 | SIL 1 | SIL 2
1 | SIL 1 | SIL 1 | SIL 1 | SIL 1 | SIL 2 | SIL 2

SEVERE consequences
Independent systems | Negligible | Improbable | Remote | Occasional | Probable | Frequent
3 | - | - | - | - | - | SIL 1
2 | - | SIL 1 | SIL 1 | SIL 2 | SIL 2 | SIL 2
1 | SIL 1 | SIL 1 | SIL 2 | SIL 2 | SIL 3 | SIL 3

MAJOR consequences
Independent systems | Negligible | Improbable | Remote | Occasional | Probable | Frequent
3 | - | - | - | SIL 1 | SIL 1 | SIL 2
2 | SIL 1 | SIL 1 | SIL 2 | SIL 2 | SIL 3 | SIL 3
1 | SIL 2 | SIL 3 | SIL 3 | SIL 3 | SIL 3 | SIL 3

CATASTROPHIC consequences
Independent systems | Negligible | Improbable | Remote | Occasional | Probable | Frequent
3 | - | - | SIL 1 | SIL 1 | SIL 2 | SIL 2
2 | SIL 1 | SIL 2 | SIL 2 | SIL 3 | SIL 3 | SIL 3
1 | SIL 3 | SIL 3 | SIL 3 | SIL 3 | SIL 3 | SIL 4
CSAM Safety Requirements: 4. SIL assignment
• Example, Function 1: "Send commands to safety equipment for performing safety actions"
• Related Undesired Event (UE): UE-8, Safety actions failure
• UE consequence category: Catastrophic
• Event likelihood: Frequent
• SIL assignment: SIL 3
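The six-step technique of the "Undesired events" slides and the SIL tables above, run end to end in Python as an added example; this is not code from the CSAM project or from the slides. The category bands, the risk matrix and the SIL tables are transcribed from the slides; the band-boundary convention (inclusive upper bounds), the 91-day value used for "3 months" and the `assess_ue8` helper are assumptions. One check worth making when reading the SIL tables: for the slide's own example (catastrophic, frequent) they give SIL 4 with one independent safety-related system and SIL 3 with two, so the slide's SIL 3 corresponds to the two-system column, which the slide itself does not state.

```python
"""Worked run of the slides' risk-matrix and SIL-assignment procedure.

Added example, not code from the CSAM project. The category bands, the risk
matrix and the SIL tables are transcribed from the slides; band boundaries
(inclusive upper bounds) and the 3-month figure in hours are assumptions.
"""
import math

CONSEQUENCES = ["Minor", "Severe", "Major", "Catastrophic"]  # increasing severity
LIKELIHOODS = ["Negligible", "Improbable", "Remote", "Occasional", "Probable", "Frequent"]
LIKELIHOOD_UPPER = [1e-4, 1e-3, 1e-2, 1e-1, 1.0, math.inf]  # events per year, inclusive upper bounds
THREE_MONTHS_HOURS = 91 * 24  # assumption: "3 months" taken as 91 days

# Risk matrix (step 3): rows are likelihood, columns Catastrophic, Major, Severe, Minor.
RISK_MATRIX = {
    "Frequent":   ["I", "I", "I", "II"],
    "Probable":   ["I", "I", "II", "III"],
    "Occasional": ["I", "II", "III", "III"],
    "Remote":     ["II", "III", "III", "IV"],
    "Improbable": ["III", "III", "IV", "IV"],
    "Negligible": ["IV", "IV", "IV", "IV"],
}

# SIL tables: consequence -> number of independent safety-related systems
# -> SIL per likelihood (Negligible ... Frequent); None = no SIL requirement shown.
SIL_TABLE = {
    "Minor":        {1: [1, 1, 1, 1, 2, 2], 2: [None, None, None, 1, 1, 2], 3: [None] * 5 + [1]},
    "Severe":       {1: [1, 1, 2, 2, 3, 3], 2: [None, 1, 1, 2, 2, 2],       3: [None] * 5 + [1]},
    "Major":        {1: [2, 3, 3, 3, 3, 3], 2: [1, 1, 2, 2, 3, 3],          3: [None, None, None, 1, 1, 2]},
    "Catastrophic": {1: [3, 3, 3, 3, 3, 4], 2: [1, 2, 2, 3, 3, 3],          3: [None, None, 1, 1, 2, 2]},
}

# IEC 61508 targets quoted on the slide: (PFD on demand, dangerous failures per hour), upper bounds.
SIL_TARGETS = {1: (1e-1, 1e-5), 2: (1e-2, 1e-6), 3: (1e-3, 1e-7), 4: (1e-4, 1e-8)}


def _rank(value: float, bounds) -> int:
    """Number of band thresholds that `value` strictly exceeds (0 = lowest band)."""
    rank = 0
    for i, bound in enumerate(bounds):
        if value > bound:
            rank = i + 1
    return rank


def consequence_category(fatalities: float = 0.0, chf_loss: float = 0.0, downtime_hours: float = 0.0) -> str:
    """Step 1: the worst of the three criteria columns of the consequence table."""
    worst = max(
        _rank(fatalities, [0.01, 0.1, 1.0]),                      # Minor 0.01, Severe 0.1, Major 1, Catastrophic > 1
        _rank(chf_loss, [1e4, 1e6, 1e8]),                         # 0-10^4, 10^4-10^6, 10^6-10^8, > 10^8 CHF
        _rank(downtime_hours, [4, 7 * 24, THREE_MONTHS_HOURS]),  # < 4 h, to 1 week, to 3 months, longer
    )
    return CONSEQUENCES[worst]


def likelihood_category(events_per_year: float) -> str:
    """Map an observed or estimated frequency onto the slide's likelihood bands."""
    for name, upper in zip(LIKELIHOODS, LIKELIHOOD_UPPER):
        if events_per_year <= upper:
            return name
    return "Frequent"  # unreachable: the last upper bound is infinity


def risk_class(consequence: str, likelihood: str) -> str:
    """Step 3: read the risk matrix (I intolerable ... IV negligible)."""
    return RISK_MATRIX[likelihood][["Catastrophic", "Major", "Severe", "Minor"].index(consequence)]


def maximum_frequency(consequence: str) -> str:
    """Steps 4-5: the highest likelihood at which the risk leaves class I (the slide's threshold)."""
    for likelihood in reversed(LIKELIHOODS):
        if risk_class(consequence, likelihood) != "I":
            return likelihood
    raise ValueError("no tolerable likelihood")  # cannot happen with this matrix


def required_frequency(consequence: str, orders_of_magnitude: int = 1) -> str:
    """Step 6: common practice on the slide, one or two bands below the maximum frequency."""
    idx = LIKELIHOODS.index(maximum_frequency(consequence))
    return LIKELIHOODS[max(0, idx - orders_of_magnitude)]


def assign_sil(consequence: str, likelihood: str, independent_systems: int = 1):
    """SIL from the slide's tables; None means no SIL requirement is shown for that system."""
    return SIL_TABLE[consequence][independent_systems][LIKELIHOODS.index(likelihood)]


def assess_ue8(independent_systems: int = 2) -> dict:
    """The slide's Function 1 / UE-8 'Safety actions failure': catastrophic and frequent.
    The slide gives SIL 3; in the table that is the column for two independent
    safety-related systems (a reading of the table, not a statement on the slide)."""
    consequence, likelihood = "Catastrophic", "Frequent"
    sil = assign_sil(consequence, likelihood, independent_systems)
    return {
        "risk_class": risk_class(consequence, likelihood),
        "maximum_frequency": maximum_frequency(consequence),
        "required_frequency": required_frequency(consequence, 1),
        "sil": sil,
        "targets": SIL_TARGETS.get(sil),
    }


if __name__ == "__main__":
    print(consequence_category(chf_loss=5e5))   # Severe
    print(likelihood_category(2 / 5))           # Probable (fire / building, ~2 per 5 years on the statistics slide)
    print(assess_ue8())
```

The CERN statistics slide feeds straight into this: a building fire at ~2 per 5 years is "Probable", and with a "Major" consequence the matrix puts it in class I, which is exactly the kind of reading that then drives the required-frequency and SIL decisions.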
CSAM Safety Requirements: 5. Risk analysis strategy for CSAM developers
Two stages, both taking the maintenance policy into account.

Preliminary Risk Assessment (PRA)
Objectives:
• Identify and locate the hazards
• Find the weak points
• Point out causes and consequences of hazards
• Find corrective measures if necessary
• Set up special protection systems if necessary
Methods: HazOp, FMECA, qualitative fault trees

Risk Analysis
Objectives:
• Quantify the probability of foreseen accidents
• Quantify the consequences
• Estimate the risk
• Quantify reliability and availability
• Validate the correct working of the system
• Verify that the constraints are respected
• Iterate the process if corrective actions have to be undertaken
Methods: fault trees, event trees, Markov graphs, Petri nets
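The quantitative stage above (fault trees; quantify reliability and availability; verify that the constraints are respected) as an added Python example, not code from the CSAM project. The tree for the undesired event "Total loss of the system", the failure rates, the repair times and the 8.76 h/year downtime budget are all constructed for illustration; only the element names are taken from the safety-functions diagram. It evaluates the top event's annual frequency and unavailability with the standard gate formulas for independent repairable components, maps the frequency onto the likelihood bands of the slides, and shows what a redundant power supply changes.

```python
"""Quantitative fault tree for the undesired event "Total loss of the system".

Added example for the risk-analysis step of the slides. Not CSAM project
code: the tree shape, the failure rates, repair times and the downtime budget
are constructed; only the element names come from the safety-functions diagram.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Sequence, Tuple

HOURS_PER_YEAR = 8760.0


@dataclass
class Basic:
    """Repairable component with a constant failure rate (per hour) and mean time to repair (hours)."""
    name: str
    rate_per_hour: float
    mttr_hours: float

    def evaluate(self) -> Tuple[float, float]:
        """Return (unavailability q, unconditional failure intensity w per hour).
        Steady state of a repairable component: q = lambda*MTTR / (1 + lambda*MTTR), w = lambda*(1 - q)."""
        x = self.rate_per_hour * self.mttr_hours
        q = x / (1.0 + x)
        return q, self.rate_per_hour * (1.0 - q)


@dataclass
class Gate:
    """AND (all inputs failed) or OR (any input failed) over independent inputs."""
    name: str
    kind: str  # "AND" or "OR"
    inputs: Sequence["Basic | Gate"]

    def evaluate(self) -> Tuple[float, float]:
        qs, ws = zip(*(node.evaluate() for node in self.inputs))
        if self.kind == "AND":
            q = _prod(qs)
            # the gate fails when the last healthy input fails while all the others are already down
            w = sum(w_i * _prod(q_j for j, q_j in enumerate(qs) if j != i) for i, w_i in enumerate(ws))
        elif self.kind == "OR":
            q = 1.0 - _prod(1.0 - q_i for q_i in qs)
            # the gate fails when any input fails while all the others are still up
            w = sum(w_i * _prod(1.0 - q_j for j, q_j in enumerate(qs) if j != i) for i, w_i in enumerate(ws))
        else:
            raise ValueError(f"unknown gate kind {self.kind!r}")
        return q, w


def _prod(values) -> float:
    out = 1.0
    for v in values:
        out *= v
    return out


def frequency_category(per_year: float) -> str:
    """Likelihood bands of the slides (per year); upper bounds taken as inclusive (assumption)."""
    for name, upper in (("Negligible", 1e-4), ("Improbable", 1e-3), ("Remote", 1e-2),
                        ("Occasional", 1e-1), ("Probable", 1.0)):
        if per_year <= upper:
            return name
    return "Frequent"


def total_loss_tree(redundant_power: bool = True) -> Gate:
    """Constructed tree: the system is lost if the communication network or the central
    controller is down, or (with redundancy) if both power supplies are down. All rates
    and repair times are illustrative values, not CSAM data."""
    network = Basic("E11 communication network", rate_per_hour=1e-5, mttr_hours=4)
    controller = Basic("central controller", rate_per_hour=2e-5, mttr_hours=8)
    psu_a = Basic("E6 power supply A", rate_per_hour=1e-4, mttr_hours=24)
    psu_b = Basic("E6 power supply B", rate_per_hour=1e-4, mttr_hours=24)
    power = Gate("power supplies", "AND", [psu_a, psu_b]) if redundant_power else psu_a
    return Gate("UE: total loss of the system", "OR", [network, controller, power])


def assess(tree: Gate, downtime_budget_hours_per_year: float = 8.76) -> dict:
    """Quantify the top event and check it against a downtime budget. The default
    budget (8.76 h/year, i.e. 99.9 % availability) is a constructed placeholder for
    the slides' question 'how much downtime per year do we accept'."""
    q, w = tree.evaluate()
    per_year = w * HOURS_PER_YEAR
    downtime = q * HOURS_PER_YEAR
    return {
        "unavailability": q,
        "events_per_year": per_year,
        "frequency_category": frequency_category(per_year),
        "downtime_hours_per_year": downtime,
        "downtime_budget_met": downtime <= downtime_budget_hours_per_year,
    }


if __name__ == "__main__":
    for redundant in (True, False):
        print("redundant power:", redundant, assess(total_loss_tree(redundant)))
```

With these constructed figures the redundant design lands in "Probable" with under two hours of downtime a year, while the single-supply design is "Frequent" and blows the budget, which is the kind of result that triggers the slide's "iterate the process if corrective actions have to be undertaken".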
CSAM Safety Requirements: summary
• A series of precise requirements has been defined
• Requirements are based on IEC 61508 and on widely used safety techniques
• A risk analysis strategy has been outlined for CSAM developers
• The worst foreseen accidents have been identified
• Safety Integrity Levels have been assigned
Contract Strategy: the strategic objectives
• A product satisfying the functional safety criteria of availability, reliability, maintainability and security
• Upgrade of the existing safety alarm systems: modularity, standardisation, integration
• Operational and maintenance service on a "per-alarm" basis, driven and controlled by system performance indicators
• INB compliant
Contract Strategy: 1 contract -> 3 Work Packages (WP)
WP1: realisation of a pilot installation of the final product covering only one CERN Safety Zone, installed in parallel to the existing alarm systems. The CSAM system is designed according to the functional safety standards, with product requirements that include the functional safety requirements, and is validated.
WP2: installation of the product in all remaining CERN Safety Zones by migrating the existing alarm systems.
WP3: operation and maintenance of all the installed part of the product.
(Timeline markers on the slide: 2001, 2002, 2004, 2011.)
Contract Strategy: work packages breakdown
WP breakdown based on IEC 61508: the CSAM phases, numbered as in the standard's overall safety lifecycle, are grouped into contract phases 1 to 5.
5: CSAM user, system and safety requirements allocation
CSAM planning:
  6: CSAM operational and maintenance planning
  7: CSAM safety validation planning
  8: CSAM installation and commissioning planning
9: CSAM realisation (safety-related systems: E/E/PES; E/E/PES safety lifecycle and software safety lifecycle)
12: CSAM installation and commissioning
13: CSAM site acceptance and safety validation
14: CSAM operation, maintenance and repair
15: CSAM modification and retrofit -> back to the appropriate CSAM safety lifecycle phase
Contract Strategy: the CSAM commercial strategy
(Chart on the slide: cost in KCHF, axis marks 500 and 1000, against time from 2001 to 2007, showing the work packages and lifecycle phases: Design (WP1), Installation (WP2), Operation & Maintenance (WP3), Extension (WP3).)
Annotations: start of the contract; operation and maintenance services of the installed equipment; installation of all CERN Safety Zones; operation and maintenance services of the complete installation; end of the contract.
Contract Strategy: results-oriented contract
WP1: concept validated -> payment
WP2: migration of all Safety Zones, with bonus/malus according to quality and deadlines
WP3: bonus/malus according to system performance
Contract Strategy: alarm integration cost
Cost based on the level of integration, made up of four components:
• Hardware alarms (Cost HWA)
• Software alarms (Cost SWA)
• Alarm database updates (Cost DB)
• Human-computer interface updates (Cost HCI)
Contract Strategy: the CSAM commercial strategy
How will the application of functional safety and the operational and maintenance service guarantee optimal contract performance?
Functional safety fixes clear, measurable results for the functioning of the system.
The O&M service has to satisfy the same functional requirements. Therefore there is an optimum when the system is working well and the minimum O&M effort is required.
Contract Strategy: the CSAM commercial strategy
System not functioning: two losers, CERN and the contractor. Performance decreases, the O&M effort needed to make it function increases, and the gain is lowered.
System functioning well: two winners, CERN and the contractor. Performance improves, the minimum O&M effort keeps it functioning, and the gain increases.
The CSAM commercial strategy: system architecture
(Architecture diagram on the slide; its blocks and acronyms.)
• Safety Alarm Monitoring Center (SAMC)
• Local Safety Alarm Controller (LSAC)
• Central Safety Alarm Controller (CSAC)
• CERN Safety Alarm Systems (CSAS)
• CERN Safety Alarm Network (CSAN): LHC communication infrastructure (Safety Alarm Network), Technical Services Network, and the existing Technical Services Network
• Safety Alarm Gateway to External Systems (SAGES): software interface to external systems (TDS, ...)
• Global Supervision and Maintenance Manager (GSMM)
• Technical Data Server (TDS)
• Common Reference Database
• Fire Brigade SCADA server; SCR console (SCADA client); TCR console (SCADA client); X-terminals and PCs
• Hardwired safety alarms (one per safety zone)
The slide highlights three of these: the Safety Alarm Monitoring Center, the Local Safety Alarm Controller and the CERN Safety Alarm Network.
Contract Strategy: the technical specification structure
Documentation structure, with the detailed description of the safety alarm requirements:
[TS1] Project description
[TS2] CSAM user requirement document
[TS3] CSAM safety requirements
[TS4] Safety Alarm Monitoring Center product requirements
[TS5] Local Safety Alarm Controller product requirements
[TS6] CSAM Supervision and Maintenance Manager product requirements
[TS7] Safety Alarms Gateway to External Systems product requirements
[TS8] CERN Safety Alarm Network product requirements
[TS9] CSAM interface document
[TS10] CSAM acceptance test document
[TS11] CSAM operation and maintenance requirements
Contract Strategy: the CSAM user requirements
Final version sent for approval to all the concerned parties. Replies expected by the end of June; last revision mid-July.
Contract Strategy: status of the market survey
18 firms replied to the market survey (MS); 10 are fully qualified; 8 visits are planned to take place in June/July.
Three types of companies: nuclear; petrochemical; security (intrusion and access control, fire detection, etc.).
Contract Strategy: conclusions
• Real outsourcing: safety objectives -> contract (system, O&M) -> result-oriented payment
• IEC 61508 as a safeguard (design, operation, benchmark)
• The contractor needs to control its environment!
• Others: open question on the safety networks (added in the IT2694); the IT is under the ST revision process, out of CERN by the end of September