Asher Etkin DOE Accelerator Safety Workshop August 18 - 20, 2009 DRAFT DOE STANDARD APPLICATION OF...
-
Upload
agnes-simpson -
Category
Documents
-
view
219 -
download
2
Transcript of Asher Etkin DOE Accelerator Safety Workshop August 18 - 20, 2009 DRAFT DOE STANDARD APPLICATION OF...
Asher Etkin
DOE Accelerator Safety WorkshopAugust 18 - 20, 2009
DRAFT DOE STANDARDAPPLICATION OF SAFETY
INSTRUMENTED SYSTEMS USED AT DOE NON-REACTOR
NUCLEAR FACILITIES
DRAFT DOE STANDARDAPPLICATION OF SAFETY
INSTRUMENTED SYSTEMS USED AT DOE NON-REACTOR
NUCLEAR FACILITIES
22
INTRODUCTION
“Safety Instrumented Systems (SIS) that include both analog and
digital control systems are.. used in the U. S. Department of
Energy’s (DOE) non-reactor nuclear facilities for various safety
controls” “Therefore, DOE recognizes a need for establishing a Standard that
defines practices to be applied for SISs used in safety class and
safety significant non reactor nuclear applications.” At the request of the Defense Nuclear Facility Safety Board Pranab
Guha of HS-21 established a working group to develop such a
Standard for SISs. “DOE technical standards, such as this, do not establish
requirements.” “This Standard provides guidance for developing requirements for
design, procurement, installation, testing, maintenance, operation,
and quality to be applied for Safety Class (SC) and Safety Significant
(SS) Safety Instrumented Systems (SIS) used in safety applications in
the Department’s non-reactor nuclear facilities.”
3
OVERVIEW
The standard discusses design and life cycle requirements primarily for safety significant systems. The discussion is a high level introduction to the subject, that is dealt with more fully in consensus standards developed by national and international bodies. They are:
ANSI/ISA 84.00.01-2004 (IEC 61511 Mod), Functional Safety: Safety Instrumented Systems for the Process Industry Sector – Parts 1, 2, and 3 and the Technical reports in the ISA TR84.00.xx series.
3
4
IEC 61511, Functional Safety – Safety Instrumented Systems for the Process Industry Sector – Parts 1, 2, and 3 (this international standard and ANSI/ISA 84.00.01-2004 are compatible)
IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems (Standard primarily applicable to vendor manufactured products)
And DOE orders and standards applicable to nuclear facilities.
Uses the requirements of ANSI/ISA 84.00.01-2004 Part 1
4
5
Step 1– Develop overall safety requirements (concept, scope
definition, perform hazard and risk assessment)
Step 1– Develop overall safety requirements (concept, scope
definition, perform hazard and risk assessment) Step 2 – Allocate safety requirements
to safety instrumented functions Step 2 – Allocate safety requirements to safety instrumented functions
Step 3 – Design SISStep 3 – Design SIS
Design Safety Instrumented Systems
Step 4 – Testing, Installation, Commissioning and Safety Validation of integrated safety instrumented systems
Step 4 – Testing, Installation, Commissioning and Safety Validation of integrated safety instrumented systems
Step 5 – Operation and Maintenance, Modification and Retrofit, Decommissioning or Disposal
phases of safety instrumented systems
Step 5 – Operation and Maintenance, Modification and Retrofit, Decommissioning or Disposal
phases of safety instrumented systems
Figure 4.1-1: Life-Cycle Steps for Safety Instrumented Systems
Design Safety Instrumented System
Software
6
SIL Level and Performance Ranges for On Demand Mode
SIL Level Designatio
n
Probability of Failure On Demand
PFD(average)
Risk Reduction Factor (RRF)
SIL-1 < 10-1 to ≥ 10-2 PFDavg > 10 to ≤ 100 RRF
SIL-2 < 10-2 to ≥ 10-3 PFDavg > 100 to ≤ 1000 RRF
SIL-3 < 10-3 to ≥ 10-4 PFDavg > 1000 to ≤ 10,000 RRF
SIL-4 < 10-4 to ≥ 10-5 PFDavg > 10,000 to ≤ 100,000 RRF
7
Application Safety Software for Instrumentation and Control Systems
The safety software should be designed to support the following.· Isolation — Critical components are separated from each other in
a manner to preclude undefined interactions. · Independence — Independent hardware inputs are directed to
independent software modules. · Inoperability — Abnormal conditions cause a component to
become inoperable in a safe, predictable manner and before any isolation features are compromised.
· Incompatibility — Components in different parts of the system cannot operate together in a satisfactory manner. To avoid incompatibility, consider that sensors, a logic device (such as a processor), and control devices may have embedded software that needs to be integrated in a networked system. The acceptability of the integration needs to be validated.
8
Software Quality Assurance Requirements Crosswalk With Industry Standards
Software Project Management and Quality Planning Software Risk Management Software Configuration Management Software Procurement and Supplier Management Software Requirements Identification and Management Software Design and Implementation Software Safety Verification and Validation Software Problem Reporting and Corrective Management Training of personnel in the design, development, use and
evaluation of safety software
9
Human Factors Engineering (HFE)
Application of HFE HFE practices and principles need to be factored
into each stage of the SIS development and design process, including planning, analysis, requirements and design, installation, and testing. Improvements for human performance concerns may continue throughout the operation and maintenance phases of the SIS life-cycle.
Human Factors Standards and Guidance Documents for each part of the life-cycle
10
DOE Procurement Requirements Management Process Personnel Competency Maintenance
11
SIS DESIGN REQUIREMENTS
Safety Significant (SS) Safety Instrumented Systems (SIS)· Design· SS SIS Designed as a Defense-In-Depth (DID) Function · Setpoints· Commercial Grade Dedication · Safety Significant Power · SS Functions Not Covered By ANSI/ISA 84.00.01, Part 1
- 1. Evacuation alarms (e.g. nuclear incident monitors (NIM), fire alarms, and public address systems)
- 2. Fire protection/detection systems- 3. Instruments whose sole function is to monitor initial
conditions for process startup
12
Safety Class (SC) Safety Instrumented Systems (SIS) Design Requirements
Code of Record Guidance Appendix A: Safety Integrity Level Determination
Methodology Appendix B: Safety Integrity Level (SIL) Verification
Guidance Appendix C: Illustration of an SIL Determination and
SIL Verification Calculation
13
Conclusions
There is a lot of useful material in this standard. There is also a significant amount of material that is
directed at nuclear facilities and would be a source of confusion for accelerators.
For the accelerator community to benefit from this standard the useful material should be incorporated into a guidance document
14
PLC Code Management Software
Reviewing FactoryTalk AssetCentre and Proficy Change Management products
FactoryTalk AssetCentre is supplied by Rockwell Software the supplier of the software for the PLC’s used in our Particle Accelerator Safety System
GuardLogix and FactoryTalk AssetCentreChange Management
• RSLogix 5000 provides standard functionality
PREVENTION
CONTROL
ACCOUNTABILITY
DETECTION
RECONCILIATION
PREVENTION
CONTROL
ACCOUNTABILITY
DETECTION
RECONCILIATIONVA
LUE
REACTIVE
PROACTIVE
ArchiveArchive
AuditAudit
VerificationVerification
ReportingReporting
Access ControlAccess Control
AuthenticationAuthentication
–Archive–Audit
• Safety specific audit trail additions:– Safety Task Lock/Unlock– Safety Lock Password Changed– Safety Unlock Password Changed– Safety Signature Create/Delete– Tag Mapping Added/Deleted/Modified– GLX Serial Number Match Project
Enable/Disable– Clear Safety Task Fault Log
–Verification/Recovery–Reporting