DRAFT DOE STANDARD


Nov 15, 2013


Asher Etkin


DOE Accelerator Safety Workshop, August 18-20, 2009

DRAFT DOE STANDARD: APPLICATION OF SAFETY INSTRUMENTED SYSTEMS USED AT DOE NON-REACTOR NUCLEAR FACILITIES




INTRODUCTION


“Safety Instrumented Systems (SIS) that include both analog and digital control systems are ... used in the U. S. Department of Energy’s (DOE) non-reactor nuclear facilities for various safety controls”


“Therefore, DOE recognizes a need for establishing a Standard that defines practices to be applied for SISs used in safety class and safety significant non-reactor nuclear applications.”


At the request of the Defense Nuclear Facilities Safety Board, Pranab Guha of HS-21 established a working group to develop such a Standard for SISs.


“DOE technical standards, such as this, do not establish
requirements.”


“This Standard provides guidance for developing requirements for design, procurement, installation, testing, maintenance, operation, and quality to be applied for Safety Class (SC) and Safety Significant (SS) Safety Instrumented Systems (SIS) used in safety applications in the Department’s non-reactor nuclear facilities.”


OVERVIEW


The standard discusses design and life cycle requirements, primarily for safety significant systems. The discussion is a high-level introduction to a subject that is dealt with more fully in consensus standards developed by national and international bodies. They are:


ANSI/ISA 84.00.01-2004 (IEC 61511 Mod), Functional Safety: Safety Instrumented Systems for the Process Industry Sector, Parts 1, 2, and 3, and the technical reports in the ISA TR84.00.xx series.




IEC 61511, Functional Safety: Safety Instrumented Systems for the Process Industry Sector, Parts 1, 2, and 3 (this international standard and ANSI/ISA 84.00.01-2004 are compatible).


IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems (a standard primarily applicable to vendor-manufactured products).


And DOE orders and standards applicable to nuclear facilities.


The standard uses the requirements of ANSI/ISA 84.00.01-2004 Part 1.


Figure 4.1-1: Life-Cycle Steps for Safety Instrumented Systems


Step 1: Develop overall safety requirements (concept, scope definition, perform hazard and risk assessment)


Step 2: Allocate safety requirements to safety instrumented functions


Step 3: Design SIS (Design Safety Instrumented Systems; Design Safety Instrumented System Software)


Step 4: Testing, Installation, Commissioning and Safety Validation of integrated safety instrumented systems


Step 5: Operation and Maintenance, Modification and Retrofit, Decommissioning or Disposal phases of safety instrumented systems


SIL Level and Performance Ranges for On Demand Mode


SIL Level Designation | Probability of Failure On Demand, PFD(average) | Risk Reduction Factor (RRF)

SIL-1 | < 10^-1 to ≥ 10^-2 PFDavg | > 10 to ≤ 100 RRF

SIL-2 | < 10^-2 to ≥ 10^-3 PFDavg | > 100 to ≤ 1,000 RRF

SIL-3 | < 10^-3 to ≥ 10^-4 PFDavg | > 1,000 to ≤ 10,000 RRF

SIL-4 | < 10^-4 to ≥ 10^-5 PFDavg | > 10,000 to ≤ 100,000 RRF
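The table expresses one relationship, RRF = 1/PFDavg, and the SIL band is read off from the PFDavg. The Python below is an added example, not part of the presentation or of the DOE standard: it classifies a PFDavg into the table's band and then carries a simplified SIL verification calculation for a single-channel (1oo1) and a redundant (1oo2) sensor architecture, using the low-demand approximations from IEC 61508-6 (PFDavg ≈ λDU·T/2 for 1oo1, and ((1−β)λDU·T)²/3 + βλDU·T/2 for 1oo2, with dangerous-detected failures and repair time neglected). The failure rate, proof-test interval and common-cause factor are assumed values chosen for illustration.

```python
"""SIL band lookup and a simplified low-demand PFDavg calculation.

Added example. Band limits come from the table above, the PFDavg
approximations from IEC 61508-6, and the numeric inputs are assumed.
"""
from typing import Optional

# (SIL, PFDavg lower bound inclusive, PFDavg upper bound exclusive),
# i.e. SIL-2 is "< 10^-2 to >= 10^-3" in the table.
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def sil_for_pfd(pfd_avg: float) -> Optional[int]:
    """Return the SIL band a PFDavg falls into, or None outside SIL 1-4."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return None


def risk_reduction_factor(pfd_avg: float) -> float:
    """RRF is the reciprocal of PFDavg (the table's right-hand column)."""
    return 1.0 / pfd_avg


def pfd_avg_1oo1(lambda_du: float, proof_test_interval_h: float) -> float:
    """Single channel: PFDavg ~ lambda_DU * T / 2 (valid when lambda_DU * T << 1)."""
    return lambda_du * proof_test_interval_h / 2


def pfd_avg_1oo2(lambda_du: float, proof_test_interval_h: float, beta: float) -> float:
    """Two channels, either one trips: independent term plus a common-cause term.

    PFDavg ~ ((1 - beta) * lambda_DU * T)^2 / 3 + beta * lambda_DU * T / 2
    Dangerous-detected failures and repair time are neglected (assumption).
    """
    x = lambda_du * proof_test_interval_h
    return ((1 - beta) * x) ** 2 / 3 + beta * x / 2


def verify_sil(pfd_avg: float, target_sil: int) -> bool:
    """SIL verification: the achieved band must be at least the target SIL."""
    achieved = sil_for_pfd(pfd_avg)
    return achieved is not None and achieved >= target_sil


if __name__ == "__main__":
    # Assumed inputs: 1e-6 dangerous undetected failures per hour,
    # annual proof test (8760 h), 10 % common-cause factor.
    lam, t_proof, beta = 1e-6, 8760.0, 0.1
    for name, pfd in (("1oo1", pfd_avg_1oo1(lam, t_proof)),
                      ("1oo2", pfd_avg_1oo2(lam, t_proof, beta))):
        print(f"{name}: PFDavg={pfd:.2e} RRF={risk_reduction_factor(pfd):.0f} "
              f"SIL={sil_for_pfd(pfd)} meets SIL 3: {verify_sil(pfd, 3)}")
```

With the assumed inputs the single channel lands in SIL 2 (PFDavg 4.38e-3) while the 1oo2 pair reaches SIL 3 (about 4.6e-4), and the common-cause term dominates the 1oo2 result: redundancy buys little unless β is kept small by diverse hardware and independent routing, which is the point of the Isolation and Independence principles later in the deck.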


Application Safety Software for
Instrumentation and Control Systems



The safety software should be designed with attention to the following.


Isolation: critical components are separated from each other in a manner that precludes undefined interactions.


Independence: independent hardware inputs are directed to independent software modules.


Inoperability: abnormal conditions cause a component to become inoperable in a safe, predictable manner, and before any isolation features are compromised.


Incompatibility: components in different parts of the system may be unable to operate together satisfactorily. To avoid incompatibility, consider that sensors, a logic device (such as a processor), and control devices may each have embedded software that needs to be integrated in a networked system; the acceptability of the integration needs to be validated.


Software Quality Assurance Requirements Crosswalk With Industry Standards


Software Project Management and Quality Planning


Software Risk Management


Software Configuration Management


Software Procurement and Supplier Management


Software Requirements Identification and Management


Software Design and Implementation


Software Safety


Verification and Validation


Software Problem Reporting and Corrective Action


Training of personnel in the design, development, use and evaluation of safety software


Human Factors Engineering (HFE)



Application of HFE


HFE practices and principles need to be factored into each stage of the SIS development and design process, including planning, analysis, requirements and design, installation, and testing. Improvements for human performance concerns may continue throughout the operation and maintenance phases of the SIS life-cycle.


Human Factors Standards and Guidance Documents for each part of the life-cycle



DOE Procurement Requirements


Management Process


Personnel Competency



Maintenance





SIS DESIGN REQUIREMENTS


Safety Significant (SS) Safety Instrumented Systems (SIS)


Design


SS SIS Designed as a Defense-In-Depth (DID) Function


Setpoints


Commercial Grade Dedication


Safety Significant Power


SS Functions Not Covered By ANSI/ISA 84.00.01, Part 1

1. Evacuation alarms (e.g. nuclear incident monitors (NIM), fire alarms, and public address systems)

2. Fire protection/detection systems

3. Instruments whose sole function is to monitor initial conditions for process startup


Safety Class (SC) Safety Instrumented Systems
(SIS) Design Requirements


Code of Record Guidance


Appendix A: Safety Integrity Level Determination
Methodology


Appendix B: Safety Integrity Level (SIL) Verification
Guidance


Appendix C: Illustration of an SIL Determination and
SIL Verification Calculation


Conclusions


There is a lot of useful material in this standard.


There is also a significant amount of material that is
directed at nuclear facilities and would be a source
of confusion for accelerators.


For the accelerator community to benefit from this standard, the useful material should be incorporated into a guidance document.


PLC Code Management Software


Reviewing the FactoryTalk AssetCentre and Proficy Change Management products


FactoryTalk AssetCentre is supplied by Rockwell Software, the supplier of the software for the PLCs used in our Particle Accelerator Safety System



GuardLogix and FactoryTalk AssetCentre

Change Management


RSLogix 5000 provides standard functionality

Figure: FactoryTalk AssetCentre capabilities (Archive, Audit, Verification, Reporting, Access Control, Authentication) arranged along a Value axis from Reactive to Proactive, against Prevention, Control, Accountability, Detection and Reconciliation


Archive


Audit


Safety specific audit trail additions:


Safety Task Lock/Unlock


Safety Lock Password Changed


Safety Unlock Password Changed


Safety Signature Create/Delete


Tag Mapping Added/Deleted/Modified


GLX Serial Number Match Project
Enable/Disable


Clear Safety Task Fault Log


Verification/Recovery


Reporting
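The audit trail additions listed above are the events a reviewer needs to find when reconciling a safety controller's change history against approved work. The Python below is an added example, not a FactoryTalk AssetCentre feature or its export format: it parses a constructed, comma-separated audit extract (the column layout, user names, controller names, change-record numbers and timestamps are all assumed), flags every event that weakens protection of the safety task, and reports any unlock, signature delete or serial-number-match disable that was never reversed by its matching lock, create or enable before the extract ends.

```python
"""Review a GuardLogix safety audit extract for unreversed protective changes.

Added example. The event names come from the audit trail additions listed
above; the CSV layout, controller names, users and timestamps are assumed.
"""
import csv
from io import StringIO

# Constructed sample extract (not a real AssetCentre export).
SAMPLE_AUDIT = """\
timestamp,user,controller,event,detail
2009-08-18T07:55:00,jdoe,PSS-01,Safety Task Unlock,planned change CR-17
2009-08-18T07:58:00,jdoe,PSS-01,Safety Signature Delete,old signature 0x11A4B3C2
2009-08-18T08:20:00,jdoe,PSS-01,Tag Mapping Modified,BeamPermit -> SafeOut_3
2009-08-18T08:25:00,jdoe,PSS-01,Safety Signature Create,new signature 0x3A91C2F0
2009-08-18T08:26:00,jdoe,PSS-01,Safety Task Lock,planned change CR-17 complete
2009-08-18T13:02:00,rsmith,PSS-02,GLX Serial Number Match Project Disable,
2009-08-18T13:05:00,rsmith,PSS-02,Clear Safety Task Fault Log,
2009-08-18T13:10:00,rsmith,PSS-02,Safety Task Unlock,
"""

# Events that weaken protection of the safety task and always warrant review.
HIGH_IMPACT = {
    "Safety Task Unlock",
    "Safety Lock Password Changed",
    "Safety Unlock Password Changed",
    "Safety Signature Delete",
    "GLX Serial Number Match Project Disable",
    "Clear Safety Task Fault Log",
}

# Protective state removed by one event and restored by its counterpart.
RESTORED_BY = {
    "Safety Task Unlock": "Safety Task Lock",
    "Safety Signature Delete": "Safety Signature Create",
    "GLX Serial Number Match Project Disable": "GLX Serial Number Match Project Enable",
}
OPENER_OF = {closer: opener for opener, closer in RESTORED_BY.items()}


def parse_audit(text):
    """Parse the CSV extract into a list of dicts, oldest record first."""
    return sorted(csv.DictReader(StringIO(text)), key=lambda r: r["timestamp"])


def review_audit(records):
    """Return high-impact events and protective states that were never restored."""
    high_impact = []
    open_state = {}  # (controller, opener event) -> record that removed the protection
    for rec in records:
        event = rec["event"]
        if event in HIGH_IMPACT:
            high_impact.append(rec)
        if event in RESTORED_BY:
            open_state[(rec["controller"], event)] = rec
        elif event in OPENER_OF:
            # The matching restore closes the open state for that controller.
            open_state.pop((rec["controller"], OPENER_OF[event]), None)
    not_restored = [
        {"controller": ctrl, "event": ev, "user": rec["user"], "since": rec["timestamp"]}
        for (ctrl, ev), rec in open_state.items()
    ]
    return {"high_impact": high_impact, "not_restored": not_restored}


if __name__ == "__main__":
    report = review_audit(parse_audit(SAMPLE_AUDIT))
    for rec in report["high_impact"]:
        print(f"REVIEW  {rec['timestamp']} {rec['controller']} {rec['user']}: {rec['event']}")
    for f in report["not_restored"]:
        print(f"OPEN    {f['controller']} {f['event']} by {f['user']} since {f['since']}")
```

On the sample, PSS-01 shows a complete, reconcilable change (unlock, signature replaced, lock) while PSS-02 is left with serial-number matching disabled and the safety task unlocked, which is exactly the condition the Reconciliation step of the change-management cycle is meant to catch. A stricter review would also require the detail field to cite the change record that authorized each unlock; that check is simple to add once the site's change-control numbering is known.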