
IDM UID: MTXV7V
VERSION CREATED ON / VERSION / STATUS: 18 Jun 2014 / 1.0 / Approved


EXTERNAL REFERENCE

Memorandum / Note

Procedure for the SIL determination of the Occupational Safety I&C functions
The purpose of this document is to define the method for the determination of safety integrity
levels (SIL) of the Occupational Safety I&C functions. This procedure shall be applied for
specifying the target level of safety integrity for the safety functions to be implemented by
the SCS-OS.

Approval Process
            Name                 Action                    Affiliation
Author      Fernandez Robles C.  18 Jun 2014: signed       IO/DG/DIP/CHD/CSD/PCI
Co-Authors  Gilardi M.           20 Jun 2014: signed       IO/DG/SQS/OHC
            Regad M.             19 Jun 2014: signed       IO/DG/SQS/OHC
Reviewers   Petitpas P.          08 Jul 2014: recommended  IO/DG/DIP/CHD/CSD/PCI
            Piccolo F.           02 Jul 2014: recommended  IO/DG/DIP/PCA/AOP/OPS
            Yonekawa I.          03 Jul 2014: recommended  IO/DG/DIP/CHD/CSD/PCI
Approver    Ramu C.              09 Jul 2014: approved     IO/DG/SQS/OHC
Document Security: Internal Use
RO: Petitpas Pierre
Read Access RO, project administrator, LG: PBS48 EXT, AD: ITER, AD: External Collaborators, AD: IO_Director-
General, AD: IC_OMPE_WG, AD: Section - CODAC, AD: Section - Plant Control and Instrumentation, AD:
Auditors, AD: ITER Management Assessor

PDF generated on 09 Jul 2014


DISCLAIMER : UNCONTROLLED WHEN PRINTED – PLEASE CHECK THE STATUS OF THE DOCUMENT IN IDM
Change Log

Title (Uid)                                      Version  Latest Status  Issue Date   Description of Change
Procedure for the SIL determination of the       v1.0     Approved       18 Jun 2014  Document uploaded to IDM.
Occupational Safety I&C functions (MTXV7V_v1_0)
Procedure for the SIL determination of the       v0.0     In Work        11 Jun 2014
Occupational Safety I&C functions (MTXV7V_v0_0)

Table of Contents

1 PURPOSE ................................................ 2
2 SCOPE .................................................. 2
3 DEFINITIONS AND ACRONYMS ............................... 4
4 REFERENCE DOCUMENTS .................................... 4
5 RESPONSIBILITIES ....................................... 5
6 INTRODUCTION ........................................... 5
7 INPUTS FROM PREVIOUS PHASES ............................ 6
8 DETERMINATION OF THE SIL ............................... 6
  8.1 ANALYSIS OF THE SITUATION .......................... 6
  8.2 APPLICATION OF SIL DETERMINATION METHODS ........... 6
  8.3 SIS BARRIERS ALLOCATION ............................ 6
APPENDIX A: RISK GRAPH METHOD (ANNEX E) .................. 8
APPENDIX B: HAZARDOUS EVENT SEVERITY MATRIX (ANNEX G) .... 11
APPENDIX C: EXAMPLE ...................................... 13

Page 1 of 13
1 Purpose
The purpose of this document is to define the method for the determination of safety integrity
levels (SIL) of the Occupational Safety I&C functions. This procedure shall be applied for
specifying the target level of safety integrity for the safety functions to be implemented by the
SCS-OS.

2 Scope
The scope is the Safety Instrumented Functions (SIF) of ITER, intended to achieve or maintain
a safe state in respect of a specific hazardous event. They are referred to as I&C protections in
the Procedure for Occupational Health and Safety Hazard Identification and Assessment
(AJLQRF) [RD1]. The Occupational Safety I&C functions, i.e. those implemented by the SCS-OS,
are part of the SIF of ITER.

The term Safety Instrumented System (SIS) is used in this document. The SISs in ITER
include the SCS-OS but are not limited to it.

Functions to mitigate nuclear risks are out of the scope of this document.

The determination of the SIL requirement is one of the main activities of the life cycle
proposed by the standards that ITER has decided to follow: IEC 61511 Functional safety -
Safety instrumented systems for the process industry sector [RD3] and IEC 61508 Functional
safety of electrical/electronic/programmable electronic safety-related systems [RD4]. It is
performed within the Risk mitigation phase of the workflow presented in the procedure [RD1],
which is represented in Figure 2-1.

The following steps are the specification of the OS I&C function and the allocation of the
safety requirements to the different Plant Systems involved, and to the CSS-OS safety part.
These activities are covered in other documents.

Figure 2-1 Flow chart proposed by the Procedure for Occupational Health and Safety Hazard
Identification and Assessment

3 Definitions and acronyms
Abbreviation  Definition
CODAC         Control, Data Access and Communication
CSS-OS        Central Safety System for Occupational Safety
FTA           Fault Tree Analysis
HMI           Human-Machine Interface
I&C           Instrumentation & Control
I/O           Input / Output
IO            ITER Organization
HIRA          Hazard Identification and Risk Assessment
PAM           Post Accident Management
PSS-OS        Nuclear Plant Safety System
RRF           Risk Reduction Factor
SCS-OS        Safety Control System for Occupational Safety
SIC           Safety Importance Class
SIC 1         Safety Importance Class 1
SIC 2         Safety Importance Class 2
SIF           Safety Instrumented Function
SIL           Safety Integrity Level
SIS           Safety Instrumented System
SR            Safety Relevant
SRD           System Requirements Document
SSC           Structures, Systems, and Components
TBC           To Be Confirmed
TBD           To Be Defined
Table 3-1 Acronym table

4 Reference Documents
[RD1] Procedure for Occupational Health and Safety Hazard Identification and Assessment
(AJLQRF)
[RD2] Occupational Health and Safety Risk Assessment (OHSRA) - Register Template
(7LDUDG)
[RD3] IEC 61511 Functional safety - Safety instrumented systems for the process industry
sector
[RD4] IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-
related systems

5 Responsibilities
The SIL determination shall be performed by the Risk assessment team, which is described in
the Procedure for Occupational Health and Safety Hazard Identification and Assessment
(AJLQRF) [RD1].

6 Introduction
Several techniques can be used for the determination of safety integrity levels. Two of the methods
proposed by IEC 61508-5 [RD4] have been selected:

- Risk graph, described in annex E.
- Hazardous event severity matrix, described in annex G.

Both methods are qualitative (although the risk graph can also be used on a quantitative basis).
They enable the safety integrity level of a safety-related system to be determined from
knowledge of the risk factors associated with the affected system and its control system. They
are preferred over quantitative methods because accurate quantitative information is lacking
for some of the risks to be mitigated in ITER.

They take into account the role played by all other existing or identified protection barriers,
either explicitly (as in the hazardous severity matrix) or affecting the parameters involved (in
both methods). That is, residual risk parameters should be considered (of course not taking into
account the risk reduction to be provided by the OS function for which the SIL is being
determined).

Failing to consider all the other protection barriers properly would lead to over-specified SIL
requirements that are difficult to achieve. According to the applicable standards ([RD3] and [RD4]),
it is assumed that a protection barrier not implemented by a SIS can only account for a risk reduction
factor (RRF) of up to 10. It should be noted that this figure is just an upper
bound; in general the RRF of any protection barrier is below 10.

In case there are several of these non-SIS protections, a necessary condition (but not sufficient)
to assign a RRF of 10 to each one is that they are fully independent.

On the other hand, in order to avoid a dangerous SIL underestimation, it is decided to take the
highest level given by the two methods:

SIL = max (SIL (Risk graph method, annex E), SIL (Hazardous event severity matrix, annex G))

Appendixes A and B introduce both methods and provide some guidelines about how to use
them in ITER. A complete description of them is provided by IEC 61508 [RD4] and the
documents referred therein.

The basis of a good SIL allocation exercise is a good understanding of the nature of the risk
and the role of each of the protection barriers, both OS I&C functions and others, previously
existing or identified in the risk analysis. The methodology proposed by this document intends
to ensure that the risk analysis team examines this aspect thoroughly so that the eventual SIL
determination is properly justified and documented.

In the end, given the uncertainty of the input data, some arbitrariness is unavoidable in
determination of the SIL. Following a systematic approach is a way to reduce it. In addition,
the choice of methods more detailed than a simple matrix helps cut the interpretational margin.

7 Inputs from previous phases


Before determining the SIL of an OS I&C function, the previous phases shall have been
completed, in particular the Risk analysis and the Risk assessment (see Figure 2-1). The main
required input is the documentation of any existing or identified additional
protection barriers that may contribute to the reduction of the risk previously identified (i.e.
every barrier except the SIF itself).

8 Determination of the SIL


8.1 Analysis of the situation
The first step is to analyse the situation and understand how SIFs can mitigate the existing risk
in combination with the other protection barriers, either existing or identified.

To ease the task, it is proposed, for each hazard, to identify the possible causes together with the
complete event chain leading to the associated accident situation. This shall be done
considering the role played by every protection barrier (no OS I&C function yet) along the
paths leading to the accident. Moreover, this methodology allows a more precise estimation of
the frequency parameter associated with the occurrence of the hazardous event.

No more than 3 paths leading to the accident shall be identified. In case this proves insufficient,
the hazard shall be split into several.

8.2 Application of SIL determination methods


The following methods are applied to obtain the required SIL associated with the SIFs to be
implemented by the Safety Instrumented System:

- Risk graph (annex E).
- Hazardous event severity matrix (annex G).

Then, the highest level is taken:

SIL = max (SIL (Risk graph, [RD4-annex E]), SIL (Severity matrix, [RD4-annex G]))

Note: SIL requirements only apply to SIFs. In case none is identified, the SIL
determination is not required. However, applying the SIL determination
methods could still be useful as guidance about the desirable risk reduction.

8.3 SIS barriers allocation


This is the final step, in which the SIL of each individual SIF is assigned considering the global
SIL obtained in the previous step.

As starting point, all safety functions should have the SIL requirement obtained in the
precedent section. If there is just one safety function, the process stops here.

In case of several I&C safety functions, it may be possible to reduce the SIL of individual functions.
This is a delicate decision, which should be properly justified.

For instance, if there are several SIF in the same path, provided that the functions are totally
independent, the global SIL level could be distributed among the different functions (e.g. a
SIL 1 function in series with a SIL 2 function could account for a SIL 3).

It is worth stressing the fact that reducing the SIL of any function is a decision of the risk
analysis team so that the most important aspect is that it is taken based on a thorough analysis
of the situation and it is properly justified.
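The following Python module is an added illustration of the bookkeeping behind sections 6, 8.1 and 8.3; it is not part of the ITER procedure. It caps the credited RRF of each non-SIS barrier at 10, refuses credit to a barrier that is not fully independent (the example's own conservative reading of the independence condition in section 6), credits the hazard with the weakest path's RRF, rejects more than three paths (section 8.1) and checks whether a proposed split of the global SIL among SIFs in series is acceptable (section 8.3). The hazard, its causes and the barriers are constructed for the example; an ITER risk register would supply the real ones.

```python
"""Bookkeeping for the non-SIS protection barriers of sections 6 and 8.1 and
for the SIF allocation of section 8.3.

Added example, not part of the ITER procedure.  The hazard, its causes and
the barriers below are constructed for illustration; an ITER risk register
([RD2]) would supply the real ones.
"""
from dataclasses import dataclass
from math import prod

MAX_NON_SIS_RRF = 10   # section 6: upper bound for a barrier not implemented by a SIS
MAX_PATHS = 3          # section 8.1: at most three paths leading to the accident


@dataclass(frozen=True)
class Barrier:
    name: str
    claimed_rrf: float   # RRF claimed in the risk analysis
    independent: bool    # fully independent of the other barriers and of the SIS


@dataclass(frozen=True)
class Path:
    cause: str
    barriers: tuple      # non-SIS barriers along the event chain (no OS I&C function yet)


def check_paths(paths) -> int:
    """Section 8.1: more than three paths means the hazard must be split."""
    if len(paths) > MAX_PATHS:
        raise ValueError(f"{len(paths)} paths identified: split the hazard into several")
    return len(paths)


def credited_rrf(barrier: Barrier) -> float:
    """Section 6: credit is capped at 10, and (this example's conservative
    reading of the independence condition) a barrier that is not fully
    independent is credited with no risk reduction at all."""
    if not barrier.independent:
        return 1.0
    return float(min(barrier.claimed_rrf, MAX_NON_SIS_RRF))


def path_rrf(path: Path) -> float:
    """Combined credited RRF of the non-SIS barriers along one path."""
    return prod(credited_rrf(b) for b in path.barriers)


def hazard_rrf(paths) -> float:
    """The residual-risk parameters must hold for every path, so this example
    credits the hazard as a whole with the weakest path's RRF."""
    check_paths(paths)
    return min(path_rrf(p) for p in paths)


def allocation_is_acceptable(required_sil: int, allocated: tuple, totally_independent: bool) -> bool:
    """Section 8.3: every SIF starts at the global SIL; several SIFs in the
    same path may share it (e.g. SIL 1 in series with SIL 2 for a SIL 3)
    only if they are totally independent."""
    if not allocated or any(s < 1 for s in allocated):
        return False
    if len(allocated) == 1:
        return allocated[0] >= required_sil
    return totally_independent and sum(allocated) >= required_sil


# Constructed hazard: two causes, each with its own chain of non-SIS barriers.
INTERLOCK = Barrier("mechanical interlock", claimed_rrf=10, independent=True)
PROCEDURE = Barrier("access procedure", claimed_rrf=30, independent=True)   # over-claimed, capped to 10
ALARM = Barrier("process alarm", claimed_rrf=10, independent=False)          # shares equipment with the SIS
HAZARD_PATHS = (
    Path("pump trip", (INTERLOCK, PROCEDURE)),
    Path("valve left open", (PROCEDURE, ALARM)),
)

if __name__ == "__main__":
    print("credited RRF per path:", [path_rrf(p) for p in HAZARD_PATHS])
    print("hazard RRF:", hazard_rrf(HAZARD_PATHS))
    print("SIL 1 + SIL 2 for SIL 3, independent:", allocation_is_acceptable(3, (1, 2), True))
```

The over-claimed access procedure is credited with 10 rather than 30, and the alarm that shares equipment with the SIS contributes nothing, so the second path is credited with RRF 10 and the hazard as a whole with 10 rather than 100. The allocation check accepts SIL 1 in series with SIL 2 for a SIL 3 target only when the two functions are declared totally independent; whether that declaration is justified remains the risk analysis team's decision.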

Appendix A: Risk graph method (annex E)
A complete description of the method is provided by Annex E of IEC 61508-5 [RD4]. Only the
main points are mentioned here.

The risk graph is a qualitative method which enables the safety integrity level to be determined
from knowledge of the risk factors associated with the element under control and its control
system. A number of parameters are introduced which together describe the nature of the
hazardous situation when safety related systems fail or are not available.

One parameter is chosen from each of four sets, and the selected parameters are then combined
to decide the safety integrity level allocated to the safety functions. The following four risk
parameters are considered:

- consequence of the hazardous event (C);
- frequency of, and exposure time in, the hazardous zone (F); it is the fraction of time
  during which there is someone exposed to the hazard;
- possibility of failing to avoid the hazardous event (P);
- probability of the unwanted occurrence (W): frequency of the unwanted occurrence
  taking place without the addition of any SIS but including any other risk reduction
  measures.

Used as a qualitative method, the selection of the parameters is subjective and requires
considerable judgment.

The parameter calibration to be used in ITER is:

CONSEQUENCES (C)
CA  Minor according to [RD1]
CB  Medium according to [RD1]
CC  Serious according to [RD1]
CD  Major according to [RD1]
CE  Catastrophic according to [RD1]
Table 8-1 Calibration of C parameter

FREQUENCY (F)
FA  < 10 % of the time
FB  > 10 % of the time
Table 8-2 Calibration of F parameter

POSSIBILITY OF FAILING TO AVOID (P)
PA  Possible to avoid
PB  Not possible
Table 8-3 Calibration of P parameter

UNWANTED OCCURRENCE (W)
W1  Rare according to [RD1]
W2  Unlikely according to [RD1]
W3  Possible according to [RD1]
W4  Likely according to [RD1]
W5  Almost Certain according to [RD1]
Table 8-4 Calibration of W parameter

The method is illustrated in Figure 2. Use of the risk parameters C, F and P leads to one of eight
outputs. Each of these outputs is mapped onto one of five scales (W1 to W5) to obtain an
indication of the necessary risk reduction that has to be met by the safety-related system.

The role played by all other protection barriers, already existing or identified in the risk
analysis, should be taken into account when selecting the parameters.

Figure 2 Risk Graph

* Note that these positions correspond to areas for which the risk is acceptable according to
[RD1] if a combination of robust protection barriers is implemented. It can be composed of
instrumented and/or administrative barriers whose robustness is similar to SIL. As mentioned above, SIL
requirements only apply if a SIF is identified.
** The SCS-OS will not be able to implement SIL 4 functions. Therefore, if the SIF is to be
implemented by the SCS-OS, it should be considered that a single SIF is not sufficient.

Appendix B: Hazardous event severity matrix (annex G)
A complete description of the method is provided by Annex G of IEC 61508-5 [RD4]. Again,
only the main points are mentioned here.

An inherent assumption is that an order of magnitude of risk reduction is achieved each time a
protection layer is added. A further assumption is that protection layers are independent of the
demand cause and of each other. The method as described is not suitable for functions that
operate in continuous mode.

Used as a qualitative method, the selection of the risk factors is subjective and requires
considerable judgment. The main decision is whether to consider a protection barrier explicitly.
It should be done if the barrier is robust, made for safety purposes, is present in all the paths of
the FTA leading to the accident and fully independent from the SIS. A safety procedure can be
considered one of such barriers.

In addition, the role played by all existing and identified protection layers should be taken into
account when selecting the other parameters.

The parameter calibration to be used in ITER is:

HAZARDOUS EVENT SEVERITY
Minor      Minor or Medium according to [RD1]
Serious    Serious according to [RD1]
Extensive  Major or Catastrophic according to [RD1]
Table 8-5 Calibration of C parameter

EVENT LIKELIHOOD
Low     Rare or Unlikely according to [RD1]
Medium  Possible according to [RD1]
High    Likely or Almost Certain according to [RD1]
Table 8-6 Calibration of F parameter

Once all parameters have been selected, they should be entered in the following matrix to
obtain the SIL to be met by the safety-related system.

Figure 3 Hazardous event severity matrix
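The Python module below is an added illustration of section 8.2 together with Appendices A and B: it evaluates the risk graph from C, F, P and W, evaluates the severity matrix from severity, likelihood and the number of explicitly credited protection layers, and applies SIL = max(risk graph, severity matrix). It is not part of the ITER procedure. Figures 2 and 3 are not reproduced on this page, so the two lookup tables are constructed placeholders that keep only the shape the text describes (eight risk-graph outputs mapped onto W1..W5, one SIL step per credited protection layer in the matrix); the calibrated figures from the approved document must be substituted before any real use. The outcome codes "-", "a" and "b" follow the footnotes of Figure 2, and the SCS-OS ceiling of SIL 3 for a single SIF follows footnote **.

```python
"""SIL determination with the two methods of section 8.2: risk graph
(Appendix A) and hazardous event severity matrix (Appendix B), combined
with the rule SIL = max(risk graph, severity matrix).

Added example, not part of the ITER procedure.  Figures 2 and 3 are not
reproduced on this page, so the two lookup tables below are CONSTRUCTED
placeholders that only keep the shape the text describes.  Substitute the
calibrated figures from the approved document before any real use.
"""
from dataclasses import dataclass

C_LEVELS = ("CA", "CB", "CC", "CD", "CE")       # Table 8-1
F_LEVELS = ("FA", "FB")                         # Table 8-2
P_LEVELS = ("PA", "PB")                         # Table 8-3
W_LEVELS = ("W1", "W2", "W3", "W4", "W5")       # Table 8-4
SEVERITY = ("Minor", "Serious", "Extensive")    # Table 8-5
LIKELIHOOD = ("Low", "Medium", "High")          # Table 8-6

# Outcomes in increasing order of demanded risk reduction:
#   "-": no safety requirement, "a": no special safety requirement (footnote *),
#   "1".."4": SIL 1..4, "b": a single SIF is not sufficient (footnote **).
OUTCOMES = ("-", "a", "1", "2", "3", "4", "b")


def _outcome(score: int) -> str:
    """Clamp an integer score onto OUTCOMES: -1 -> "-", 0 -> "a", 1..4 -> SIL, >=5 -> "b"."""
    return OUTCOMES[max(0, min(score + 1, len(OUTCOMES) - 1))]


# Constructed placeholder: which output X1..X8 the C/F/P path reaches.
# As in the IEC 61508-5 Annex E layout, CA does not branch on F and P.
_C_BASE = {"CB": 2, "CC": 3, "CD": 4, "CE": 6}


def risk_graph_output(c: str, f: str, p: str) -> int:
    """Return the index 1..8 of the risk-graph output for one C/F/P path."""
    if c not in C_LEVELS or f not in F_LEVELS or p not in P_LEVELS:
        raise ValueError(f"unknown risk parameter among ({c}, {f}, {p})")
    if c == "CA":
        return 1
    return _C_BASE[c] + F_LEVELS.index(f) + P_LEVELS.index(p)


def risk_graph_sil(c: str, f: str, p: str, w: str) -> str:
    """Appendix A: map the output onto the W1..W5 column (constructed table:
    each rarer W class demands one level less)."""
    if w not in W_LEVELS:
        raise ValueError(f"unknown W parameter {w}")
    return _outcome(risk_graph_output(c, f, p) + W_LEVELS.index(w) - 4)


# Constructed placeholder: demanded risk reduction when no protection layer
# other than the SIF is credited explicitly.
_BASE_MATRIX = {
    "Minor":     {"Low": 0, "Medium": 1, "High": 1},
    "Serious":   {"Low": 1, "Medium": 2, "High": 3},
    "Extensive": {"Low": 2, "Medium": 3, "High": 5},
}


def severity_matrix_sil(severity: str, likelihood: str, credited_layers: int = 0) -> str:
    """Appendix B: every protection layer credited explicitly (robust, made for
    safety, present in all FTA paths, independent from the SIS) is assumed to
    bring one order of magnitude, i.e. one SIL step, of risk reduction."""
    if severity not in SEVERITY or likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown matrix parameter among ({severity}, {likelihood})")
    if credited_layers < 0:
        raise ValueError("credited_layers must be >= 0")
    return _outcome(_BASE_MATRIX[severity][likelihood] - credited_layers)


@dataclass(frozen=True)
class SilDetermination:
    risk_graph: str
    severity_matrix: str
    required: str                # section 8.2: the higher of the two
    single_sif_sufficient: bool  # False for "b", or for SIL 4 on the SCS-OS (footnote **)


def determine_sil(c, f, p, w, severity, likelihood, credited_layers=0,
                  implemented_by_scs_os=True) -> SilDetermination:
    rg = risk_graph_sil(c, f, p, w)
    sm = severity_matrix_sil(severity, likelihood, credited_layers)
    required = max(rg, sm, key=OUTCOMES.index)
    # The SCS-OS cannot implement SIL 4, so a single SCS-OS SIF covers at most SIL 3.
    ceiling = "3" if implemented_by_scs_os else "4"
    sufficient = OUTCOMES.index(required) <= OUTCOMES.index(ceiling)
    return SilDetermination(rg, sm, required, sufficient)


if __name__ == "__main__":
    # Constructed parameter set: serious consequence, frequent exposure, not
    # avoidable, likely occurrence; one barrier credited explicitly in the matrix.
    print(determine_sil("CC", "FB", "PB", "W4", "Serious", "High", credited_layers=1))
```

With the constructed tables the sample parameter set gives SIL 4 from the risk graph but only SIL 2 from the matrix, so the risk graph governs and, because the SCS-OS cannot implement SIL 4, a single SCS-OS SIF is flagged as insufficient. The two methods disagree precisely because the matrix credits the extra barrier explicitly while the risk graph only sees it through the W parameter, which is why the procedure takes the maximum rather than trusting either method alone.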

Appendix C: Example
The example below illustrates the application of the SIL determination methods proposed in
this document.

Table 8-7 Example of SIL determination
