ISA_84.01_Guide
Published by: Obinna Benedict Obioji on Feb 17, 2012
Presentation at 2009 EFCOG Workshop

Pranab Guha
Office of Nuclear Safety Policy and Assistance
DOE Standard for the
Design of Safety Instrumented Systems
at DOE Nuclear Facilities
2
Presentation Overview
• Background
• New Approach for Design of Safety Instrumented Systems
Used in Safety Significant Applications
• Examples of Use of New Guidance
• Summary
3
Background
Safety Instrumented System (SIS): Used to implement one or more
safety functions. A SIS is composed of any combination of sensors,
logic solvers, and final control elements.
DOE uses safety instrumented systems to prevent or mitigate the
effects of potential accidents.
SENSOR
• Instrumentation (e.g., pressure sensor or radiation detector)
LOGIC SOLVER
• Relay Logic
• Solid State Logic
• PLC
FINAL CONTROL ELEMENT
• Solenoids
• Valves
• Motors
4
Background (cont.)
• SISs are used in nuclear facilities in both Safety Class and
Safety Significant applications.
• DOE Order 420.1B, Facility Safety, provides requirements and
DOE Guide 420.1-1 provides implementing guidance that points
to application of industry standards.
• Safety Class SIS: Nuclear Power Industry Standards referenced
and applied in practice.
• Safety Significant SIS: Several Industry Standards referenced
in Guide 420.1-1, but their application is not well defined.
Note: Proposed Standard only addresses Safety Significant SISs
5
Applicability and Scope
of the SIS Standard
• Applicability: Safety Significant SISs that include instrumentation
and controls that are either analog or digital systems (including
computer-based systems)
• Scope:
– Guidance for use of Process Industry Standard – ANSI/ISA 84.00.01 –
2004 – Part 1 (IEC 61511-1 Mod), Functional Safety: Safety Instrumented
Systems for the Process Industry Sector – Part 1: Framework,
Definitions, System, Hardware and Software Requirements (ISA 84)
– Additional guidance on:
• Commercial grade dedication
• Software quality assurance
• Human factors engineering
• Installation and testing
• Operation and maintenance
6
Design Approach
ISA 84 is a performance-based standard that covers the entire
lifecycle of a safety instrumented system. The ISA 84 design
approach can be broken down into five steps:
Step 1: Perform a hazard analysis and develop overall safety
requirements.
Step 2: Allocate safety requirements to safety functions, including
safety instrumented functions.
Step 3: Design safety instrumented systems and safety software.
Step 4: Testing, installation, commissioning, and safety
validation of integrated safety instrumented systems.
Step 5: Operation and maintenance, modification and retrofit,
decommissioning, or disposal phases.
7
Step 1:
Perform Hazard Analysis
• Initial focus: “How much risk reduction will be required throughout
the SIS life cycle?”
• DOE uses the criteria of DOE STD 3009, DOE Order 420.1B, and
DOE STD 1189 to:
– Perform the Hazard Analysis;
– Determine the likelihood and consequence of event scenarios;
– Establish the functional classifications; and
– Design requirements for the safety systems.
• Design is built in layers of defense, called Independent Protection
Layers (IPLs), to protect against the release of hazardous materials.
• One of the protection layers could be the SIS designated for
preventing or mitigating the hazardous event.
8
Step 2:
Allocate Safety Requirements
• Safety Requirements are “allocated” to different “safety layers”
with the SIS being a potential safety layer.
• ISA 84 uses a graded approach by defining needed robustness,
using a Safety Integrity Level (SIL) as a figure of merit.
• There are four SIL levels (SIL 1 to SIL 4), expressed in reliability
terms:
– Average probability of failure on demand (PFDavg).
– The numerically higher the SIL, the higher the reliability of the SIS.
9
Step 2: Allocate Safety Requirements (cont.)

SIL Level   Probability of Failure on Demand (PFDavg)   Risk Reduction Factor (RRF)
SIL-1       < 10^-1 to ≥ 10^-2                          > 10 to ≤ 100
SIL-2       < 10^-2 to ≥ 10^-3                          > 100 to ≤ 1,000
SIL-3       < 10^-3 to ≥ 10^-4                          > 1,000 to ≤ 10,000
SIL-4*      < 10^-4 to ≥ 10^-5                          > 10,000 to ≤ 100,000

* Note: SIL-4 is not used in the Process Industry Sector
10
Step 2: Allocate Safety Requirements (cont.)
• ISA 84 (Part 3, Annex C) provides an example of a SIL
determination method called the Safety Layer Matrix (SLM).
• SLM is used to determine the SIL of a SIS classified as safety
significant.
• The SLM accounts for:
– The likelihood/consequence of events; and
– The number of Independent Protection Layers (IPLs) that are
credited for a specific safety function as defined by hazard analysis
and DOE STD 3009.
11
Step 2: Allocate Safety Requirements (cont.)
• The SLM is a qualitative SIL determination method.
• The proposed method to utilize the SLM is to:
– Determine the hazard likelihood category;
– Determine the number of “credited” IPLs; and
– Identify the SIL level from the grid intersection on the SLM.

Safety Layer Matrix SIL Determination Methodology
(rows: No. of IPLs, including the SIS; columns: Hazardous Event Likelihood)

No. of IPLs   Extremely Unlikely   Unlikely   Anticipated
3             SIL-1                SIL-1      SIL-1*
2             SIL-1                SIL-1      SIL-2*
1             SIL-2*               SIL-2*     SIL-3*

* Consider increasing the SIL level or credit an additional IPL for chemical events with
potential of significant impact to the public or fatalities of immediate collocated workers.
12
Step 2: Allocate Safety Requirements (cont.)
• Rules on the use of the qualitative Safety Layer Matrix:
– IPLs may include all credited passive safety features, a Specific
Administrative Control (SAC), SC and SS mechanical and/or process
systems, administrative control program for worker protection, and the
SIS itself.
– Regardless of the number of IPLs credited, a safety significant SIS will
have a SIL of no less than SIL 1.
• The determined SIL is the required minimum performance level of
the SIS as measured by the PFDavg.
• The SIL is a design requirement and the objective for design
decisions, component specifications, and procurements.
13
Step 3: Design SIS
• Factors that can affect the PFDavg may be considered in
the design process.
– Component failure rate (λD)
– Redundancy of structures, systems, and components
– Voting (e.g., one out of two or two out of four)
– Testing frequency (TI)
– Diagnostic coverage (DC)
– Common cause failure (β)
– Human factors
– Technology (i.e., digital vs. analog)
– Software integrity (e.g., language complexity, failure detection)
14
Step 3: Design SIS (cont.)

PFD_SIS = PFD_PT + PFD_LS + (PFD_SOV + PFD_VALVE)
(subscripts: PT = pressure transmitter, LS = logic solver, SOV = solenoid valve)

Common Voting Architectures
Sensor:        1oo1, 1oo2, 2oo2, 2oo3
Logic Solver:  1oo1, 1oo2, 2oo2, 2oo3
Final Element: 1oo1, 1oo2, 2oo2
15
Step 3: Design SIS (cont.)

Simplified PFDavg for the common voting architectures (λD = dangerous
failure rate, TI = test interval, β = common cause factor; standard
simplified approximations):

1oo1: PFDavg = λD·TI/2
1oo2: PFDavg = (λD·TI)²/3 + β·λD·TI/2
2oo2: PFDavg = 2·λD·TI/2 = λD·TI
2oo3: PFDavg = 3·(λD·TI)²/3 + β·λD·TI/2 = (λD·TI)² + β·λD·TI/2
16
Step 3: Design SIS (cont.)
• Software Quality Assurance (SQA): SIS must meet safety
software quality assurance requirements of DOE Order 414.1C
and Guide 414.1-4.
– Clarification relative to SIS terminology (e.g. application and
embedded software)
– Crosswalk between ISA 84 and G 414.1-4 software quality
assurance requirements
• Human Factors Engineering (HFE): The standard provides
additional details for HFE considerations that are implemented
during the SIS design process, thereby ensuring that actions
necessary for safety are performed correctly and in a timely manner
(e.g., task analysis, human reliability analysis, testing, etc.).
17
Step 3: Design SIS (cont.)
• Procurement and Commercial Grade Dedication (CGD):
The DOE Standard endorses the use of CGD in addition to the
methods provided in ISA 84 for qualifying components for use
in a SIS. The Standard provides additional details for CGD,
providing reasonable assurance that an item will perform its
intended safety function and can be deemed equivalent to an
item designed and manufactured using appropriate national or
international consensus standards.
18
Steps 4 & 5: Testing, Installation, Verification,
Operation, and Maintenance
• The SIL should be verified at the end of the detailed design
to ensure that the design can achieve the assigned PFDavg.
• The final SIL verification is performed after installation and/or
modification.
• The Standard requires verification that the design as installed
and maintained complies with the assigned SIL.
• The verification calculation requires a level of understanding
and expertise about the factors that affect the PFDavg for a device
and system and the ability of the device or system to perform
the safety function.
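An added worked example (not part of the presentation) that chains Step 2 through Step 4 above: it reads the target SIL from the Safety Layer Matrix with the SIL 1 floor rule, computes the simplified PFDavg of each voted subsystem, sums them as PFD_SIS, and checks the result against the SIL bands. The failure rates, test interval, β and the two candidate loops are constructed sample values, and treating more than three credited IPLs as the 3-IPL row is an assumption of the example.

```python
# Added example, not from the presentation. Ties Step 2 (Safety Layer Matrix
# target SIL) to Steps 3-4 (simplified PFDavg of the voted subsystems, summed
# as PFD_SIS = PFD_PT + PFD_LS + PFD_SOV + PFD_VALVE and checked against the
# SIL bands). All numeric inputs below are constructed sample values.

# Safety Layer Matrix: rows = credited IPLs (incl. the SIS), cols = likelihood.
# A trailing "*" marks cells where the slide says to consider a higher SIL or
# an extra IPL for events with public or collocated-worker consequences.
SLM = {
    3: {"extremely unlikely": "SIL-1", "unlikely": "SIL-1", "anticipated": "SIL-1*"},
    2: {"extremely unlikely": "SIL-1", "unlikely": "SIL-1", "anticipated": "SIL-2*"},
    1: {"extremely unlikely": "SIL-2*", "unlikely": "SIL-2*", "anticipated": "SIL-3*"},
}
# SIL bands: (SIL, PFDavg lower bound inclusive, upper bound exclusive).
SIL_BANDS = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]


def target_sil(likelihood, n_ipls):
    """Step 2: SIL from the SLM grid; a safety significant SIS is never below SIL 1.
    Assumption: more than three credited IPLs is read as the 3-IPL row."""
    cell = SLM[max(1, min(n_ipls, 3))][likelihood]
    return max(1, int(cell[4])), cell.endswith("*")


def pfd_avg(arch, lam_d, ti, beta=0.0):
    """Simplified PFDavg per architecture: lam_d = dangerous failure rate per
    hour, ti = proof-test interval in hours, beta = common cause fraction."""
    x, cc = lam_d * ti, beta * lam_d * ti / 2
    return {"1oo1": x / 2, "1oo2": x ** 2 / 3 + cc,
            "2oo2": 2 * x / 2, "2oo3": 3 * x ** 2 / 3 + cc}[arch]


def achieved_sil(pfd):
    """Map the loop PFDavg onto the SIL bands; None if it misses even SIL 1."""
    return next((sil for sil, lo, hi in SIL_BANDS if lo <= pfd < hi), None)


def verify(subsystems, likelihood, n_ipls):
    """Steps 3-4: sum the subsystem PFDs and compare with the allocated SIL."""
    need, flagged = target_sil(likelihood, n_ipls)
    pfd = sum(pfd_avg(*s) for s in subsystems)       # PFD_SIS as a plain sum
    got = achieved_sil(pfd)
    return {"target": need, "flag": flagged, "pfd": pfd, "achieved": got,
            "meets": got is not None and got >= need}


TI = 8760.0   # one-year proof-test interval (constructed)
# Single-channel loop: one transmitter, logic solver, solenoid and valve.
SIL1_LOOP = [("1oo1", 2e-6, TI), ("1oo1", 1e-7, TI), ("1oo1", 1e-6, TI), ("1oo1", 3e-6, TI)]
# Redundant transmitters and final elements (1oo2) with a 5 % common cause factor.
SIL2_LOOP = [("1oo2", 2e-6, TI, 0.05), ("1oo1", 1e-7, TI),
             ("1oo2", 1e-6, TI, 0.05), ("1oo2", 3e-6, TI, 0.05)]

if __name__ == "__main__":
    print(verify(SIL1_LOOP, "unlikely", 2))      # target SIL 1, achieved SIL 1
    print(verify(SIL2_LOOP, "anticipated", 2))   # target SIL 2, achieved SIL 2
    print(verify(SIL1_LOOP, "anticipated", 1))   # target SIL 3: single channel fails
```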
19
SIS Life Cycle
[Figure: SIS life cycle flowchart. Hazard Analysis (define requirements and SIL targets) → Conceptual design → Evaluate design (verification of safety integrity): if not OK, modify and re-evaluate → Evaluate actual performance → Modify? (loop back as needed).]
20
SIL-1 Design Example
[Figure: P&ID of the SIL-1 design example. BPCS loops: TT 1 / TC 1 / TV 1 on the Cooling Water, and FT 3A / FC 3A / FY 3A / FV 3A on Feed X; Feed Y and Product are also shown. SS components (single channel): flow transmitter FT 3B, solenoid XY 3B, shutoff valve XV 3B.]
21
SIL-2 Design Example
[Figure: P&ID of the SIL-2 design example. BPCS loops: TT 1 / TY 1 / TC 1 / TV 1 on the Cooling Water, and FT 3A / FC 3A / FY 3A / FV 3A on Feed X; Feed Y and Product are also shown. SS components: FT 3B, FY 3A-1, and two final element paths XY 3A / XV 3A and XY 3B / XV 3B.]
22
SIL-3 Design Example
[Figure: P&ID of the SIL-3 design example. BPCS loops: TT 1 / TC 1 / TV 1 on the Cooling Water, and FT 3A / FC 3A / FY 3A / FV 3A on Feed X; Feed Y and Product are also shown. SS components: transmitters FT 3A, FT 3B, FT 3C; FY 3A-1; final element paths XY 3A-1 / XY 3A-2 / XV 3A and XY 3B-1 / XY 3B-2 / XV 3B.]
23
Summary
• DOE will benefit from more specific guidance for SISs used
in safety significant applications which also address digital
instrumentation and controls.
• Use of ISA 84 will provide appropriate design, safety, and
operation criteria to ensure reliable design of safety significant
SISs.
• DOE Standard is under development that provides an approach
for use of ISA 84 within DOE’s Safety Analysis and Facility Design
requirements and practices.
24
Contact Information
Pranab Guha
Office of Nuclear Safety Policy and Assistance
Office of Nuclear Safety, Quality Assurance and Environment
Office of Health, Safety and Security
Tel: 301-903-7089
Fax: 301-903-6172
pranab.guha@hq.doe.gov
