isa_84.01_guide
TRANSCRIPT
![Page 1: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/1.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 1/24
Presentation at 2009 EFCOG Workshop
Pranab GuhaOffice of Nuclear Safety Policy and Assistance
DOE Standard for the
Design of Safety Instrumented Systemsat DOE Nuclear Facilities
![Page 2: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/2.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 2/24
2
Presentation Overview
• Background
• New Approach for Design of Safety Instrumented SystemsUsed in Safety Significant Applications
• Examples of Use of New Guidance
• Summary
![Page 3: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/3.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 3/24
3
Background
Safety Instrumented System (SIS): Used to implement one or moresafety functions. A SIS is composed of any combination of sensors,logic solvers, and final control elements.
DOE uses safety instrumented systems to prevent or mitigate theeffects of potential accidents.
• Instrumentation(e.g., pressure sensor or radiation detector)
• Relay Logic• Solid State Logic• PLC
• Solenoids• Valves• Motors
SENSOR LOGIC SOLVERFINAL CONTROL
ELEMENT
![Page 4: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/4.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 4/24
4
Background (cont.)
• SISs are used in nuclear facilities in both Safety Class andSafety Significant applications.
• DOE Order 420.1B, Facility Safety , provides requirements andDOE Guide 420.1-1 provides implementing guidance that points
to application of industry standards.• Safety Class SIS: Nuclear Power Industry Standards referenced
and applied in practice.
• Safety Significant SIS: Several Industry Standards referencedin Guide 420.1-1, but their application is not well defined.
Note: Proposed Standard only addresses Safety Significant SISs
![Page 5: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/5.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 5/24
![Page 6: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/6.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 6/24
6
Design Approach
ISA 84 is a performance-based standard that covers the entirelifecycle of a safety instrumented system. The ISA 84 designapproach can be broken down into five steps:
Step 1: Perform a hazard analysis and develop overall safety
requirements.Step 2: Allocate safety requirements to safety functions, including
safety instrumented functions.
Step 3: Design safety instrumented systems and safety software.
Step 4: Testing, installation, commissioning, and safetyvalidation of integrated safety instrumented systems.
Step 5: Operation and maintenance, modification and retrofit,decommissioning, or disposal phases.
![Page 7: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/7.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 7/247
Step 1:Perform Hazard Analysis
• Initial focus: “How much risk reduction will be required throughoutthe SIS life cycle?”
• DOE uses the criteria of DOE STD 3009, DOE Order 420.1B, andDOE STD 1189 to:
– Perform the Hazard Analysis; – Determine the likelihood and consequence of event scenarios; – Establish the functional classifications; and – Design requirements for the safety systems.
• Design is built in layers of defense, called Independent ProtectionLayers (IPLs), to protect against the release of hazardous materials.
• One of the protection layers could be the SIS designated forpreventing or mitigating the hazardous event.
![Page 8: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/8.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 8/248
Step 2:Allocate Safety Requirements
• Safety Requirements are “allocated” to different “safety layers”with the SIS being a potential safety layer.
• ISA 84 uses a graded approach by defining needed robustness,using a Safety Integrity Level (SIL) as a figure of merit.
• There are four SIL levels (SIL 1 to SIL 4) expressed in reliabilityterms. – Probability of failure on demand-average (PFDavg). – The numerically higher the SIL, the higher the reliability of the SIS.
![Page 9: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/9.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 9/249
SIL Level Probability of FailureOn Demand (PFDavg) Risk Reduction Factor (RRF)
SIL-1 < 10-1
to ≥ 10-2
PFDavg > 10 to ≤ 100 RRF
SIL-2 < 10 -2 to ≥ 10 -3 PFDavg > 100 to ≤ 1,000 RRF
SIL-3 < 10 -3 to ≥ 10 -4 PFDavg > 1,000 to ≤ 10,000 RRF
SIL-4 * < 10 -4 to ≥ 10 -5 PFDavg > 10,000 to ≤ 100,000 RRF
* Note: SIL-4 is not used in the Process Industry Sector
Step 2:Allocate Safety Requirements (cont.)
![Page 10: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/10.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 10/2410
• ISA 84 (Part 3, Annex C) provides an example of a SILdetermination method called the Safety Layer Matrix (SLM).
• SLM is used to determine the SIL of a SIS classified as safetysignificant.
• The SLM accounts for: – The likelihood/consequence of events; and
– The number of Independent Protection Layers (IPLs) that arecredited for a specific safety function as defined by hazard analysisand DOE STD 3009.
Step 2:Allocate Safety Requirements (cont.)
![Page 11: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/11.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 11/2411
• The SLM is a qualitative SIL determination method.
• The proposed method to utilize the SLM is to:
– Determine the hazard likelihood category;
– Determine the number of “credited” IPLs; and
– Identify SIL level from the grid intersection on SLM.
Safety Layer Matrix SIL Determination Methodology3 SIL-1 SIL-1 SIL-1*2 SIL-1 SIL-1 SIL-2*
No. of IPLs(including
SIS) 1 SIL-2* SIL-2* SIL-3*
Hazardous Event Likelihood ExtremelyUnlikely Unlikely Anticipated
* Consider increasing the SIL level or credit an additional IPL for chemical events withpotential of significant impact to the public or fatalities of immediate collocated workers.
Step 2:Allocate Safety Requirements (cont.)
![Page 12: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/12.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 12/2412
• Rules on the use of the qualitative Safety Layer Matrix: – IPLs may include all credited passive safety features, a Specific
Administrative Control (SAC), SC and SS mechanical and/or processsystems, administrative control program for worker protection, and theSIS itself.
– Regardless of the number of IPLs credited, a safety significant SIS willhave a SIL of no less than SIL 1.
• The determined SIL is the required minimum performance level ofthe SIS as measured by the PFDavg.
• The SIL is a design requirement and the objective for designdecisions, component specifications, and procurements.
Step 2:Allocate Safety Requirements (cont.)
![Page 13: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/13.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 13/2413
• Factors that can affect the PFDavg may be considered inthe design process.
– Component failure rate ( D) – Redundancy of structures, systems, and components
– Voting (e.g., one out of two or two out of four) – Testing frequency (TI) – Diagnostic coverage (DC) – Common cause failure ( β) – Human factors
– Technology (i.e., digital vs. analog) – Software integrity (e.g., language complexity, failure detection)
Step 3:Design SIS
![Page 14: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/14.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 14/2414
PFD SIS = PFD PT + PFD LS + (PFD SOV + PFD VALVE )
Common Voting ArchitecturesCommon Voting Architectures
Step 3:Design SIS (cont.)
1oo11oo22oo22oo3
1oo11oo22oo22oo3
1oo11oo22oo2
Sensor LogicSolver
FinalElement
![Page 15: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/15.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 15/2415
1oo1
1oo2
2oo2
2oo3 TI/2**2
**3
2
D D
avg
TI PFD
2
* TI PFD D
avg
TI/2**2
*2
D D
avg
TI PFD
TI/2**2
**2 D
D
avg
TI PFD
Step 3:Design SIS (cont.)
![Page 16: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/16.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 16/2416
• Software Quality Assurance (SQA): SIS must meet safetysoftware quality assurance requirements of DOE Order 414.1Cand Guide 4141.1-4.
– Clarification relative to SIS terminology (e.g. application and
embedded software) – Crosswalk between ISA 84 and G 414.1-4 software quality
assurance requirements
• Human Factors Engineering (HFE): The standard providesadditional details for HFE considerations that are implementedduring the SIS design process thereby ensuring that actionsnecessary for safety are performed correctly and in a timely manner(e.g., task analysis, human reliability analysis, testing, etc.).
Step 3:Design SIS (cont.)
![Page 17: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/17.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 17/2417
• Procurement and Commercial Grade Dedication (CGD):The DOE Standard endorses the use of CGD in addition to themethods provided in ISA 84 for qualifying components for usein a SIS. The Standard provides additional details for CGDproviding reasonable assurance that an item will perform itsintended safety function and can be deemed equivalent to anitem designed and manufactured using appropriate national orinternational consensus standards.
Step 3:Design SIS (cont.)
![Page 18: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/18.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 18/2418
Testing, Installation, Verification,Operation, and Maintenance
• The SIL should be verified at the end of the detailed designto ensure that the design can achieve the assigned PFDavg.
• The final SIL verification is performed after installation and/ormodification.
• The Standard requires verification that the design as installedand maintained complies with the assigned SIL.
• The verification calculation requires a level of understandingand expertise about the factors that affect the PFDavg for a deviceand system and the ability of the device or system to performthe safety function.
Steps 4 & 5:
![Page 19: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/19.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 19/2419
SIS Life Cycle
Hazard Analysis:Define requirements
and SIL targets
Conceptual design
Evaluate designverification of
safety integrity
Modify
OK
Modify
Evaluate actualperformance
Modify?
![Page 20: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/20.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 20/24
20
SIL-1 Design Example
TC1
TT1
TT1
Product
CoolingWater
TV1
BPCS
BPCS BPCS
Feed Y
Feed X
FT3A
FY3A
FC3A
BPCS
BPCS
BPCS
FV3A
FT3B
SS
S
A/S
XY3B
XV3B
SS ComponentsA/S
20
![Page 21: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/21.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 21/24
21
TC1
TY1
TT1
Product
CoolingWater
TV1
BPCS
BPCSBPCS
Feed Y
Feed X
FT3A
FC
3A
FY
3A
BPCS BPCS
FV3A
FT3B
A/S
SS Components
A/S
S
A/S
FY3A-1
SIL-2 Design Example
S
XY3B
XV3B
S
XY3A
XV3A
SS
21
![Page 22: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/22.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 22/24
TC1
TT1
TT1
Product
CoolingWater
TV1
BPCS
BPCS BPCS
Feed Y
Feed X
FT3A
FC
3A
BPCS
FT3B
A/S
A/S
SIL-3 Design Example
FT3C
SS components
FY
3A
BPCS
FV3A
SFY
3A-1 S
XY3B-1
XV3B
S
XY3B-2
S
XY3A-1
XV3A
S
XY3A-2
SS
22
![Page 23: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/23.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 23/24
23
Summary
• DOE will benefit from more specific guidance for SISs usedin safety significant applications which also address digitalinstrumentation and controls.
• Use of ISA 84 will provide appropriate design, safety, and
operation criteria to ensure reliable design of safety significantSISs.
• DOE Standard is under development that provides an approachfor use of ISA 84 within DOE’s Safety Analysis and Facility Designrequirements and practices.
![Page 24: ISA_84.01_Guide](https://reader031.vdocuments.site/reader031/viewer/2022021200/577d21611a28ab4e1e9519f2/html5/thumbnails/24.jpg)
8/3/2019 ISA_84.01_Guide
http://slidepdf.com/reader/full/isa8401guide 24/24
Contact Information
Pranab Guha
Office of Nuclear Safety Policy and Assistance
Office of Nuclear Safety, Quality Assurance and EnvironmentOffice of Health, Safety and Security
Tel: 301-903-7089Fax: 301-903-6172