1. Approaches for Design of Safety Instrumented Systems at DOE Nuclear Facilities
Pranab Guha, DOE/HSS
Larry Suttinger, Savannah River Nuclear Solutions
2010 EFCOG Safety Analysis Workshop
April 27, 2010
2. Presentation Overview
Purpose
Background
New Approach
Comparison
Example
Conclusion
3. Purpose
The purpose of this presentation is to compare and contrast two approaches for the design of Safety Instrumented Systems:
Safety Layer Matrix (SLM) and
Layer of Protection Analysis (LOPA)
Both approaches are recognized as acceptable SIL determination methods in ISA 84.00.01, Part 1, Functional Safety: Safety Instrumented Systems for the Process Industry Sector - Part 1: Framework, Definitions, System, Hardware and Software Requirements (ISA 84.00.01).
> Discuss that ISA 84 is an international standard used in the process industries (e.g., chemical, pharmaceutical, refinery).
> OSHA recognizes ISA 84 as good engineering practice for the design of safety instrumented systems.
4. Background
Safety Instrumented System (SIS): Used to implement one or more safety functions. An SIS is composed of any combination of sensors, logic solvers, and final control elements.
The standard addresses the design of the entire SIS, from the sensor to the final control element that places the process in a safe state.
5. Background (cont.)
DOE has developed a standard for safety significant (SS) SIS design using ISA 84.00.01-2004, Part 1, Functional Safety: Safety Instrumented Systems for the Process Industry Sector - Part 1: Framework, Definitions, System, Hardware and Software Requirements (ISA 84.00.01).
> DOE Order 420.1 covers SC systems well, but SS systems much less so.
> Both SC and SS are identified in DOE-STD-1189, Integration of Safety into the Design Process; Appendix C of DOE-STD-1189 addresses chemical and toxic hazards.
> DOE G 420.1-1 lists no codes or standards for SS I&C system design beyond the standard industrial design practice that might be specified for a warehouse.
> The ISA 84.00.01 standard is not prescriptive. It provides a graded approach to design based on acceptable risk (frequency and consequence of the event).
> The reliability of an SIS is vastly different from that of mechanical or structural systems. Active SIS reliability is determined by random hardware failure rates, design configurations, redundancy, functional test frequencies, and diagnostics.
6. Background (cont.)
DOE-STD-3009, Preparation Guide for U.S. Department of Energy Nuclear Facility Documented Safety Analyses, and DOE-STD-1189, Integration of Safety into the Design Process, provide:
requirements for hazard analysis,
allocation of Safety Class (SC) and Safety Significant (SS) systems,
administrative controls, and
other safety management programs for the protection of facility workers, collocated workers, and the public.
7. New Approach
ISA 84.00.01 provides requirements for hazard analysis and the identification of Independent Protection Layers (IPLs) that either prevent or mitigate hazardous events.
ISA 84.00.01's graded approach to design is based on reliability goals, which are defined by four distinct Safety Integrity Levels (SILs).
DOE's draft standard prescribes the SLM approach for determining the SIL of an SIS.
8. New Approach (cont.)
ISA 84.00.01 allows each SIL to be expressed as a target average Probability of Failure on Demand (PFDavg) and has four discrete SILs (low-demand-mode PFDavg bands, as tabulated in the standard):
SIL-1: 1E-2 <= PFDavg < 1E-1
SIL-2: 1E-3 <= PFDavg < 1E-2
SIL-3: 1E-4 <= PFDavg < 1E-3
SIL-4: 1E-5 <= PFDavg < 1E-4
A SIL-1 system does not require any redundancy.
A SIL-2 system requires a hardware fault tolerance of 1, based on hardware certification and/or "prior use" criteria.
A SIL-3 system requires a hardware fault tolerance of 2.
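The speaker note on slide 5 says active SIS reliability is set by failure rates, redundancy, and functional test frequency, and slide 8 ties each SIL to a PFDavg band and a hardware fault tolerance. The Python below is an added illustration of that relationship, not code from the presentation or from DOE: it uses the simplified low-demand PFDavg approximations from IEC 61508-6 for 1oo1, 1oo2 and 2oo3 voting (common-cause, diagnostic-coverage and repair terms are neglected), applies them to a constructed dangerous-undetected failure rate and proof-test interval, and maps each result onto the four SIL PFDavg bands of the standard. The failure rate and test intervals are invented for illustration, not data for any real device.

```python
"""Added example (not from the presentation): how voting architecture and
proof-test interval move an SIS's PFDavg across SIL bands.

Simplified low-demand PFDavg approximations in the style of IEC 61508-6, with
common-cause, diagnostic-coverage and repair terms neglected. LAMBDA_DU and
the test intervals are constructed illustration values."""
import math


def sil_band(pfd_avg: float) -> int:
    """SIL whose low-demand band contains pfd_avg: SIL n covers
    10^-(n+1) <= PFDavg < 10^-n. Returns 0 above the SIL-1 band, caps at 4."""
    if pfd_avg >= 1e-1:
        return 0
    return min(4, math.ceil(-math.log10(pfd_avg)) - 1)


def pfd_avg(lambda_du: float, proof_test_hr: float, architecture: str) -> float:
    """Simplified PFDavg for dangerous-undetected failure rate lambda_du (per hour)
    and proof-test interval T (hours). Hardware fault tolerance: 1oo1 -> 0,
    1oo2 and 2oo3 -> 1."""
    x = lambda_du * proof_test_hr
    formulas = {
        "1oo1": x / 2,        # single channel: lambda*T/2
        "1oo2": x * x / 3,    # either of two channels trips: (lambda*T)^2/3
        "2oo3": x * x,        # two of three must agree: (lambda*T)^2
    }
    if architecture not in formulas:
        raise ValueError(f"unsupported architecture {architecture!r}")
    return formulas[architecture]


def max_proof_test_interval(lambda_du: float, architecture: str, target_pfd: float) -> float:
    """Invert pfd_avg(): the longest proof-test interval (hours) that keeps the
    given architecture at or below target_pfd."""
    inverse = {
        "1oo1": 2 * target_pfd / lambda_du,
        "1oo2": math.sqrt(3 * target_pfd) / lambda_du,
        "2oo3": math.sqrt(target_pfd) / lambda_du,
    }
    if architecture not in inverse:
        raise ValueError(f"unsupported architecture {architecture!r}")
    return inverse[architecture]


# Constructed values: lambda_du = 5e-6 per hour, annual proof test (8760 h).
LAMBDA_DU = 5e-6
ANNUAL = 8760.0


def compare_architectures(lambda_du: float = LAMBDA_DU, proof_test_hr: float = ANNUAL) -> dict:
    """{architecture: (PFDavg, SIL)} for the same channel in three voting schemes."""
    out = {}
    for arch in ("1oo1", "1oo2", "2oo3"):
        p = pfd_avg(lambda_du, proof_test_hr, arch)
        out[arch] = (p, sil_band(p))
    return out


if __name__ == "__main__":
    for arch, (p, sil) in compare_architectures().items():
        print(f"{arch}, annual test: PFDavg = {p:.2e} -> SIL-{sil}")
    # Shortening the test interval alone lifts the single channel one band.
    quarterly = pfd_avg(LAMBDA_DU, ANNUAL / 4, "1oo1")
    print(f"1oo1, quarterly test: PFDavg = {quarterly:.2e} -> SIL-{sil_band(quarterly)}")
    print(f"1oo1 needs T <= {max_proof_test_interval(LAMBDA_DU, '1oo1', 1e-2):.0f} h for SIL-2")
```

With the constructed rate, the same channel lands in SIL-1 as 1oo1, SIL-2 as 2oo3 and SIL-3 as 1oo2 under an annual test, and the 1oo1 channel reaches SIL-2 on test frequency alone when tested quarterly; a real assessment adds the common-cause (beta) and diagnostic terms the standard requires, which pull the redundant architectures back toward the single-channel figure.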
9. New Approach (cont.)
The SIL of an SS SIS is determined by assessing all of the safety structures, systems, and components (SSCs) and administrative controls that may be credited as IPLs providing a safety function to prevent or mitigate a hazardous condition or event.
Some sites that have already implemented ISA 84.00.01 have used LOPA for SIL determination.
The draft DOE standard prescribes use of the SLM methodology for SIL determination. The SIL of an SIS is determined by assessing the number and qualitative reliability of all of the credited IPLs.
10. New Approach (cont.)
Each IPL must be capable of preventing or mitigating the consequences of a specified hazardous event to an acceptable level.
IPLs must be independent of the initiating cause, and their performance must not be affected by the failure of any other IPL credited for the event.
The credited IPLs can be administrative controls, specific administrative controls (SACs), passive design features, or active process systems.
Control systems that are not classified as SS or SC cannot be credited as IPLs.
11. New Approach (cont.)
12. Comparison
Comparison of SIL Determination Methodologies
The following methods are allowed in ISA 84.00.01 for determining the SIL of the SIS:
LOPA and
SLM
> The ISA standard identifies a number of acceptable SIL determination methodologies. Some DOE sites that have implemented ISA 84.00.01 are using some form of LOPA for SIL determination.
> The new DOE standard has identified the Safety Layer Matrix methodology as the acceptable means of SIL determination.
13. Comparison (cont.): LOPA Methodology
LOPA is a variation of event tree analysis of protection layers in which only two outcomes (failure or success) are considered for each layer.
The goal is to reduce the risk of a hazardous event to an acceptable (tolerable) level.
The frequency of the unmitigated hazardous event in question starts the event tree.
A number of IPLs may play a role in reducing the event to an acceptable (tolerable) risk.
LOPA requires that the owner determine the acceptable risk in terms of frequency and consequence for an event.
14. Comparison (cont.)
15. Comparison (cont.): SLM Methodology
The SLM is a qualitative SIL determination method.
The proposed method for using the SLM is to:
determine the hazard likelihood category,
determine the number of "credited" IPLs, and
read the SIL from the grid intersection, as shown in the SLM Table below.
The risk tolerance is embedded in the matrix.
No calculation of PFDavg is required to use the matrix.
The matrix is not to be used to determine the number of IPLs required. Its sole function is to assign a SIL to an SS SIS that was deemed essential by other DOE standards and orders.
16. Comparison (cont.)
DOE's SIS Standard prescribes use of the SLM.
The SLM has the tolerable risk level embedded in the matrix.
Rules for the use of the qualitative SLM for DOE applications:
IPLs may include all credited passive safety features, a SAC, SC and SS mechanical and/or process systems, the administrative control program for worker protection, and the SIS itself.
Regardless of the number of IPLs credited, an SS SIS will have a SIL of no less than SIL-1.
17. Comparison (cont.)
The design would result in a SIL determination comparable to the LOPA methodology used for collocated worker protection.
The methodology would be simplified so that its intended function of providing SIL determination is more readily understood.
An SLM Table is developed that provides equivalent protection for the facility worker, the collocated worker, and the public.
18. Example
19. Example (cont.)
LOPA methodology: The LOPA determination results in a SIL-2 designation for the SIS, as demonstrated below:
The LOPA method requires the user to determine, either quantitatively or qualitatively, the PFDavg of each IPL. The product of the event frequency and the PFDavg of each of the IPLs must be less than the residual risk goal (< 1E-4/yr).
20. Example (cont.)
SLM methodology: In the example, two IPLs are credited with protecting the facility worker. The SAC can only be credited as one IPL. Using the SLM table, the SIL for the High Temperature Interlock is determined from the number of IPLs (2) and the "anticipated" likelihood column, which results in a determination of SIL-2 for the SIS.
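The presentation's own LOPA and SLM tables did not survive in this transcript, so the Python below is an added worked example, not the presenters' calculation: it carries the LOPA arithmetic of slide 19 (event frequency times the PFDavg of each credited non-SIS IPL, leaving the PFDavg the SIS must achieve to stay under the 1E-4/yr goal) and the SLM credit-counting rules of slides 10, 15, 16 and 20 through one constructed high-temperature scenario. Assumptions: the initiating event frequency (0.2/yr, an "anticipated" event), the SAC's PFDavg (0.1) and the layer names are invented; the SLM matrix holds only the single cell the presentation reports ("anticipated" column, 2 IPLs gives SIL-2), so any other cell raises rather than guessing the DOE table; all SACs together count as a single IPL; and the SS SIS being rated counts as one of the SLM IPLs, per slide 16.

```python
"""Added example, not the presentation's calculation: LOPA and SLM SIL
determination for one constructed high-temperature scenario.

Constructed inputs: initiating frequency, layer names, PFDavg values and the
single SLM matrix cell the presentation reports. Nothing here is DOE data."""
from dataclasses import dataclass, field

# Low-demand PFDavg bands: SIL n holds 10^-(n+1) <= PFDavg < 10^-n (ISA 84.00.01 / IEC 61511).
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


@dataclass
class Layer:
    """A candidate protection layer. kind is one of SAC, AC, passive, SS, SC, non-safety.
    depends_on names the initiating cause or other layers whose failure would defeat it."""
    name: str
    pfd: float
    kind: str
    depends_on: set = field(default_factory=set)


def credited_ipls(initiator: str, layers: list) -> list:
    """Apply the IPL rules: independent of the initiating cause, not defeated by the
    failure of another candidate layer, and not a control system outside SS/SC."""
    names = {layer.name for layer in layers}
    credited = []
    for layer in layers:
        if layer.kind == "non-safety":
            continue                                   # non-SS/SC control systems are never IPLs
        if initiator in layer.depends_on:
            continue                                   # defeated by the initiating cause itself
        if layer.depends_on & (names - {layer.name}):
            continue                                   # shares a failure with another layer
        credited.append(layer)
    return credited


def sil_for_pfd(required_pfd: float) -> int:
    """SIL of the band containing required_pfd; 0 means no SIL-rated function is needed."""
    if required_pfd >= 1e-1:
        return 0
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= required_pfd < hi:
            return sil
    raise ValueError(f"required PFDavg {required_pfd:.1e} is below SIL-4; add or strengthen IPLs")


def lopa_sil(freq_per_yr: float, initiator: str, non_sis_layers: list, target_per_yr: float = 1e-4):
    """LOPA: freq * prod(PFDavg of credited non-SIS IPLs) * PFDavg_sis must be < target.
    Returns (SIL, largest PFDavg the SIS may have, frequency left for the SIS to cover)."""
    residual = freq_per_yr
    for ipl in credited_ipls(initiator, non_sis_layers):
        residual *= ipl.pfd
    if residual < target_per_yr:
        return 0, 1.0, residual                        # goal met without the SIS
    allowed_sis_pfd = target_per_yr / residual
    return sil_for_pfd(allowed_sis_pfd), allowed_sis_pfd, residual


def slm_sil(likelihood: str, initiator: str, non_sis_layers: list, matrix: dict):
    """SLM: count credited IPLs (all SACs together count once; the SS SIS itself counts
    as one), read the matrix cell, and never assign below SIL-1. Returns (SIL, IPL count)."""
    ipls = credited_ipls(initiator, non_sis_layers)
    count = sum(1 for ipl in ipls if ipl.kind != "SAC")
    count += 1 if any(ipl.kind == "SAC" for ipl in ipls) else 0
    count += 1                                         # the SIS being rated
    if (likelihood, count) not in matrix:
        raise KeyError(f"no SLM cell for ({likelihood!r}, {count} IPLs); take it from the DOE table")
    return max(matrix[(likelihood, count)], 1), count


# Constructed scenario (not the presentation's data).
INITIATOR = "temperature control loop fails high"
LAYERS = [
    Layer("SAC: operator response to high-temperature alarm", pfd=1e-1, kind="SAC"),
    Layer("BPCS temperature controller", pfd=1e-1, kind="non-safety", depends_on={INITIATOR}),
]
SLM_MATRIX = {("anticipated", 2): 2}                   # the one cell the presentation states


def example():
    """Both methods on the constructed scenario; returns (LOPA SIL, SLM SIL)."""
    lopa, _, _ = lopa_sil(0.2, INITIATOR, LAYERS)      # 0.2/yr: an "anticipated" event
    slm, _ = slm_sil("anticipated", INITIATOR, LAYERS, SLM_MATRIX)
    return lopa, slm


if __name__ == "__main__":
    sil, allowed, residual = lopa_sil(0.2, INITIATOR, LAYERS)
    print(f"LOPA: {residual:.1e}/yr reaches the SIS; SIS PFDavg must be < {allowed:.1e} -> SIL-{sil}")
    sil, n = slm_sil("anticipated", INITIATOR, LAYERS, SLM_MATRIX)
    print(f"SLM: {n} credited IPLs in the 'anticipated' column -> SIL-{sil}")
```

Both routes give SIL-2 for the constructed scenario, but for different reasons: LOPA arrives there because 0.2/yr times the SAC's 0.1 leaves 2E-2/yr for the interlock to cover, so its PFDavg must be below 5E-3; the SLM arrives there by counting the SAC and the interlock as two IPLs in the "anticipated" column without ever computing a PFDavg, which is the simplification the conclusion slide argues for. The BPCS loop is dropped by both routes because it is neither SS/SC nor independent of the initiating cause.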
21. Conclusion
For DOE applications, the SLM has been selected as the most appropriate methodology, since the safety classifications of SISs are determined by hazard analysis (per DOE-STD-3009 and DOE-STD-1189), and therefore the frequency of event occurrence plays no further role in the design process.
The SLM method requires less effort and engineering expertise than LOPA.
The LOPA method requires a calculation or qualitative determination of the PFDavg of all of the non-SIS protection layers that can be included in the determination of the SIS PFDavg needed to meet the tolerable risk goal.
23. Backup Slide
> This diagram of the SIS safety life cycle is taken from the ISA standard. The talk deals with the determination of the required SIL for an SIS, which is block 3 of the life cycle.
> Functional classification as SS and the identification/requirement of an SIS as a protection layer (life cycle steps 1 and 2) will be determined by existing DOE requirements documents (e.g., DOE-STD-3009 and DOE-STD-1189).
> The SIL determination process outlined in the new DOE standard will not cover ISA 84.00.01 life cycle steps 1 and 2.