Recommended
More Related Content
What's hot
What's hot (19)
Viewers also liked
Viewers also liked (10)
Similar to AMN_Thesis_Defense
Similar to AMN_Thesis_Defense (20)
AMN_Thesis_Defense
- 1. THESIS DEFENSE: A UNIVERSAL INTERFACE FOR OFF- THE-SHELF SAFETY INSTRUMENTATION AND CONTROLS Andrew Nack
- 2. Outline • Introduction • Multi-Industry Survey • Compare and Contrast • Universal Interface • Conclusion
- 3. Introduction • High risk industries require reliable and correct safety systems • Safety system reliability and correctness must be provable • Typical manufacturers may not achieve the required levels of reliability and correctness, or just can’t prove it
- 4. Introduction • Each high risk industry has its own set of laws, requirements, and guidelines • Standardization could benefit manufacturers and industries • IEC 61508 is intended to be a non-industry specific functional safety standard
- 5. Introduction IEC 61508 (Non-industry specific) • Part 1- general requirements • Part 2- system and hardware requirements • Part 3- software requirements • Part 4- definitions and abbreviations • Part 5- examples of determination of SILs • Part 6- guidelines for Parts 2 and 3 • Part 7- overview of techniques and measures
- 6. Introduction IEC 61508 (Non-industry specific) • Safety Integrity Levels: 1, 2, 3, or 4 • Sample Implementation:
- 8. Multi-Industry Survey • Process Industry • Commercial Nuclear Power Generation • United States Department of Defense
- 9. Multi-Industry Survey • Process Industry Includes: • Chemicals • Oil Refineries • Oil and Gas Production • Pulp and Paper • Non-nuclear Power Production
- 10. Multi-Industry Survey • Process Industry • Relatively low level of regulation • Early adoption of IEC 61508 • Large customer base for manufacturers • SIL 4 applications are unlikely
- 11. Multi-Industry Survey Commercial Nuclear Power Generation • International Atomic Energy Agency (IAEA) • IEEE Standards • United States • Asian Pacific Countries • IEC Standards • European Union
- 12. Multi-Industry Survey Commercial Nuclear Power Generation • Relatively high regulation • Currently only limited adoption and utilization of IEC 61508 • Struggling with the incorporation of digital equipment into safety systems • Small customer base for manufacturers, and therefore, has the greatest potential to benefit from IEC 61508
- 13. Multi-Industry Survey United States Department of Defense Includes: Army, Navy, and Airforce • Wide variety of applications and requirements • No broad adoption of IEC 61508 • A potentially large customer base for manufacturer
- 14. Compare and Contrast Categories for comparison: • Classification of systems and components • Defending against random failures • Preventing systematic faults • Suitability evaluations of “off-the-shelf” equipment
- 15. Compare and Contrast Classification of systems and components • Deterministic vs Probabilistic • Probability accounts for variability of risk • Qualitative vs Quantitative • Levels of Rigor • Standardizes efforts to establish design integrity • Each industry is different but all could map to the SILs
- 16. Compare and Contrast Defending against random hardware failures • Single failure criterion vs probabilistic reliability analysis • Different at the system level but compatible at the component level
- 17. Compare and Contrast Preventing systematic faults • Lifecycle processes and designing techniques • Built-in safety features • Design analysis and verification & validation • Hazard analysis
- 18. Compare and Contrast Preventing systematic faults • Common cause failure prevention • Diversity and defense in-depth (D3) vs general guidance • Environmental qualification • Some applications exceed typical qualification levels
- 19. Compare and Contrast Suitability evaluations of “off-the-shelf” equipment • Functional suitability • Review design processes • Operating history
- 20. Compare and Contrast Category Significance of Differences at the System Level Significance of Differences at the Component Level Classification Schemes Probabilistic vs Deterministic Level of Rigor High High Low Low Defense against Random Hardware Failures High Low Preventing Systematic Faults Lifecycle Processes Built-in Design Safety Features Design Analysis, Verification, and Validation Hazard Analysis Common Cause Failure Prevention Environmental Qualification Low Low Low Low High High Low Low Low Low Low High Suitability Evaluations of “Off-the-Shelf” Equipment Low Low
- 21. Universal Interface • IEC 61508 is a non-industry specific, technical requirements interface • Compatibility of technical requirements at the component level • Third-party certification is a positive indicator
- 22. Universal Interface Example: Moore Industries STZ Transmitter • SIL 3 Capable • Defense against random failures • Preventing systematic faults • Lifecycle processes and designing techniques • Built-in safety features • Design analysis and verification & validation • Hazard analysis • Common cause failure prevention • Environmental qualification (may require extra effort)
- 23. Universal Interface Example: Fisher Controls DVC6200 SIS Digital Valve Controller • SIL 3 Capable • Defense against random failures • Preventing systematic faults • Lifecycle processes and designing techniques • Built-in safety features • Design analysis and verification & validation • Hazard analysis • Common cause failure prevention • Environmental qualification (may require extra effort)
- 24. Conclusion • A universal interface at the component level is feasible and beneficial • IEC 61508 should be that interface • Third-party certification removes significant risk to industries
- 25. Questions
Editor's Notes
- Random hardware failures and systematic faults must be prevented and defended against to an acceptable extent so safety functions are ensured to be able to be performed when needed. Equipment and associated documentation must stand up against severe scrutiny. It can’t be assumed that a typical commercial manufacturer’s equipment designs and associated design activities will be adequate to allow for success in these high risk applications.
- A 7 part set of non-industry specific safety standards. Defines a full range of lifecycle activities Part 2 addresses systematic faults and random failures of hardware Part 3 addresses systematic faults of software Both Parts 2 & 3 addresses the use of the Prior-Use basis of proof
- A 7 part set of non-industry specific safety standards. Defines a full range of lifecycle activities Part 2 addresses systematic faults and random failures of hardware Part 3 addresses systematic faults of software Both Parts 2 & 3 addresses the use of the Prior-Use basis of proof
- The IEC 61508 set of standards exists to fulfill this role, but it is not yet universally embraced. After that occurs, various industries, from nuclear power generation to oil & gas production, will benefit from the existence of a wider range of equipment that has been designed to perform in these critical roles and that also includes the evidence necessary to prove its integrity. The manufacturers will then be able to enjoy the benefit of having a larger customer base interested in their products. The use of IEC 61508, as a universal interface, will also help industries avoid significant amounts of uncertainty when selecting commercial off-the-shelf equipment.
- There are other industries, such as food and drugs production and aviation/aerospace, that involve high risk application for I&C equipment, but one of my early lessons from this thesis work was that I needed to make this task focused. I couldn’t cover everything and it was ok to leave some scope for future work.
- No national regulator specifically designated to supervise any of these industries specifically, such as the NRC, FAA, or FDA. In order to keep levels of regulation relatively low, these industries were motived to self initiate safety standards.
- This is a highly abstracted view. There are several exceptions. Compliance with IAEA varies significantly. Some countries such as Russia, don’t utilize the international standards within their regulatory framework. US, France, and UK surveyed
- IEC 61508 is not well embraced even in the IEC nuclear standards.
- This is the criteria that was used to compare the different industries.
- Nuclear is mainly deterministic Process and DOD are probabilistic
- Nuclear uses single failure criterion Process and DOD use probabilistic reliability analysis
- All of these topics were found to be similar among the industries surveyed Lifecycles facilitate a very methodical process which causes the design team to focus on making sure that they fully accomplished what they set out to do. Built-in safety features: self-diagnostics Design analysis and V&V: generally required but the details are left open ended Hazard analysis: identify potential hazards and mitigate them
- These topics had significant differences and were the most incompatible. Common cause failure is difficult at the system level but not bad at the component level. Environmental qualification may require additional attention when generic requirements are exceeded
- A universal interface is feasible at the component level Some aspects may continue to require extra effort
- Third party certification to SIL 2 or above indicates that a manufacturer is accustom to being audited and scrutinized SIL 1 is excluded because at that level, some uncertainty about the design and manufacturing processes remains due to the greater potential for the “proven in use” basis to be utilized. To achieve SIL 2 or higher it can be more reasonably assumed that the original development activities included intentional efforts to seek compliance with IEC 61508.
- 171 Safe FITs, 166 Dangerous Detected FITs, 85 Dangerous Undetected FITs Self-diagnostics, Fault detection, Configurable safe failed state, Designed to detect faults in: Software control flow, Software data flow FMEDA CE Mark, Explosive atmosphere enclosure
- SIL 3 Capable (Digital Valve Controller Function) De-energize To Trip with Partial Valve Stroke Test 582 Safe Detected FITs, 279 Safe Undetected FITs, 79 Dangerous Detected FITs, 41 Dangerous Undetected FITs Energize To Trip with Partial Valve Stroke Test 487 Safe Detected FITs, 124 Safe Undetected FITs, 273 Dangerous Detected FITs, 94 Dangerous Undetected FITs Fault Detection, Backward recovery, Time-triggered architecture, Static resource allocation FMEDA CSA, FM, Electromagnetic Compatibility, Vibration, Humidity, Explosion-proof, Flameproof