Safety loop structure

In an automated system, it is important to differentiate the process control and safety functions (SRCF Safety Related Control Function - lEC 62061 [lEC 05]). Safety functions must be managed by a safety system. 

The functions of emergency stop of an engine, of access management, or of ESV (emergency shutoff valve) are intended to ensure the safety of the system in the presence of danger and, therefore, are crucial to prevent damage to goods and people. Risk analysis is used to indicate the safety level that can be achieved. 

In the safety of production systems, we often work in negative logic. The sensors and actuators are in the safe default position and it is the safety data that give them the order to place themselves in an operating position (for example, closed in case of a contactor). Therefore, two things must be ensured  

For signal acquisition, we will include the sensor and signal acquisition element (transducer, digital/analog input card). 

We generally use a NC (normally closed) contact that will trigger the safety function in case the circuit opens. In the case of apphcations on machines, it is called a positive opening maneuver, because the separation of contacts results from the displacement of the control switch organ (contact at tearing). A detector operated by another organ in motion by direct contact is said to a positive command. 

---

Several types of assumptions are relevant. One is the assumptions under which the system will be used and the environment in which the system will operate. Not only will these assumptions play an important role in system development, but they also provide part of the basis for creating the operational safety control structure and other operational safety controls such as creating feedback loops to ensure the assumptions underlying the system design and the safety analyses are not violated during operations as the system and its environment change over time. 

To accomplish these goals, a feedback control loop is needed to regularly track and assess the effectiveness of the development safety control structure and its controls. Were hazards overlooked or incorrectly assessed as unlikely or not serious Were some potential failures or design errors not included in the hazard analysis Were identified hazards inappropriately accepted rather than being fixed Were the designed controls ineffective If so, why ... 

There is no right or wrong design of a safety control structure or SMS. Most of the principles for design of safe control loops in chapter 9 also apply here. The culture of the industry and the organization will play a role in what is practical and effective. There are some general rules of thumb, however, that have been found to be important in practice. 

The theoretical water safety control structure (top) and the structure existing at the time of the accident (bottom). Note the elimination of many feedback loops. 

All of these changes in the Ontario water safety control structure over time led to the modified control structure shown in figure C.7. Dotted lines represent communication, control or feedback channels that still existed but had become ineffective. One thing to notice in comparing the original structure at the top and the one at the bottom is the disappearance of many of the feedback loops. 

This step aims at analjraing the software in the context of the system to identify the potential hazardous causes of software that could lead or contribute to an accident. At this step, the safety analyst will apply STPA to the requirements specification of the whole system. Then he/she will extract the requirements relevant to the software in the context of the system. The safety control structure of a system will include the software in the control loop as the main component... 

In viw PAI and antithrombin are stabilized in their active forms by binding to vitronectin and heparin, respectively. These two serpins seem to have evolved what Max Perutz has called "a spring-loaded safety catch" mechanism that makes them revert to their latent, stable, inactive form unless the catch is kept in a loaded position by another molecule. Only when the safety catch is in the loaded position is the flexible loop of these serpins exposed and ready for action otherwise it snaps back and is buried inside the protein. This remarkable biological control mechanism is achieved by the flexibility that is inherent in protein structures. 

Accidents in STAMP are the result of a complex process that results in the system behavior violating the safety constraints. The safety constraints are enforced by the control loops between the various levels of the hierarchical control structure that are in place during design, development, manufacturing, and operations. 

First off, the balance of plant (BOP) would have no nuclear safety function. Moreover, the STAR-H2 heat source reactor is being designed not only for passive safety response to Anticipated transients without scram (ATWS) initiators but also for passive load follow. The only information flow path from the BOP to the reactor would be the fused salt intermediate heat transport loop, which will convey the BOP heat request to the reactor by means of its flow rate and return temperature (see Fig. XXIV-3). In this way, the reactor could passively adjust its power to match heat demand while remaining in a safe operating regime. The safety implication of passive load follow is that the reactor would safety respond to all possible combinations and timing of ATWS initiators taken more than one at a time it would also safety respond to all conceivable human errors of the maintenance crew and the operator. In summary, all faults exterior to the reactor vessel might be safely accommodated on the basis of passive thermo-structural feedbacks. 

STPA is implemented in four steps [6] (1) establish the fundamentals of analysis (2) identify potentially hazardous control actions (3) use the identified potentially hazardous control actions to create safety requirements and constraints and (4) determine how each potentially hazardous control action could occur. In step 1, the safety analyst must identify the accidents or losses which will be considered, hazards associated with these accidents, and specify safety requirements (constraints). After establishing the fundamentals, the safety analyst must draw a preliminary (high-level) functional control structure of the system. In step 2, the analyst has to use the control structure as a guide for investigating the analysis to identify the potentially unsafe control actions. Then he or she translates them to corresponding safety constraints. In step 3, the analj t has to identify the process model variables for each controller (automated controller or human) in the control loop and analyze each path to determine how each potentially hazardous control actions could occur. At the end of the process, a recommendation for the system design should be developed for additional mitigations. 

The application software Is made of a permanently Iterative structure. One of the four emitters Is activated every time. An Internal variable In the loop Indicates the transmission In process. The Implemented solution of the signature analysis chosen consists In the analysis of line DO of the microprocessor at each run through the loop. Thus 9 the device Is characterized by four different signatures since there Is a signature checking every millisecond. The self-monltorlng unlt and more precisely the safety blocks has been designed so that an error can be detected In 1.5 ms. This detection time Is actually adjustable and depends on the application chosen. 

The rest of the paper is structured as follows first, section 2 summarizes related work. In section 3, an example system is introduced to illustrate the problem of loops for integrated safety analysis models. In section 4, DSMs are used to overcome this problem by re-clustering the component hierarchy. Section 5 summarizes this paper and provides a perspective for future work. 

---