Safety-related control systems standards

There is possibility of confusion regarding use of two standards viz ISO 13489. lEC 62061. Normally when medium other than electrical system, ISO 13489 may be more appropriate. Whereas for customer demand for demonstrating safety lEC 62061 may appropriate. Fot safety-related control systems, standard components can be used as it is allowed as pet standard also. However, safety components offer the advantage of reducing workload as the safety-oriented assessment, and analysis of the components used, is carried out by the producer of the safety components. For functional safety, the systematic integrity of components is taken into account, in addition to the use of a suitable category, the implementation of necessary fault detection and the... 

B1 Standards. These apply to particular aspects, such as surface temperatures and safety distances. Some B1 examples are EN 418 (Emergency Stop Systems), EN 954-1 (Safety Related Control Systems), and EN 60204-1 (Electrical Requirements of Machinery). 

The standard is large and complex, and its contents are not easily absorbed. Whereas this may not be a particular issue for companies developing safety-related systems for the likes of major petrochemical companies, it may act as an impediment to its adoption by small and medium size machinery manufacturers. Moreover, it is generic in nature, meaning that it is not targeted at any particular applications, although the thrust of it is more appropriate for complex safety-related control systems in the process, nuclear, railway and similar industries than for simple non-complex machinery control systems. 

Turning to the field of safety-related control systems, a significant initiative in the UK is the development of a scheme known as the conformity assessment of safety-related systems (CASS), already mentioned in Chapter 13. The initiative, which is supported by the DTI under its sector challenge programme and which will be championed and implemented by a UKAS-accredited company known as CASS Scheme Ltd, is concerned with conformity assessment for systems based on the aforementioned standard lEC 61508. The scheme has a broad scope and covers all those involved in the design, development, manufacture, implementation, support and application of complete safety-related systems and their components. 

Title Safety of Machinery - Safety Related Parts of Control Systems Description Parts of machinery control systems are fi equently assigned to perform safety functions. Part 1 of this standard provides safety requirements and guidance on the general principles of safety related parts of control systems. Part 2 specifies the validation process including both analysis and testing for the safety functions and categories for the safety-related control systems. 

Table 3,2-4 lists the structures, systems, and major components of the plant and indicates the classification and, if "safety-related", the radionuclide control function of each. This correlation of equipment classified as "safety-related" to the radionuclide control function performed by each is also illustrated on Figure 3.2-2. The specific application of the classification process resulting in the indicated "safety-related" designations is discussed in Safety-Related Structures, Systems, and Components for the Standard MHTGR. (Ref. 6)... 

Safety-related controllers in conjunction with safety or fail safe I/O modules are used for critical and hazardous applications where an incident can result in danger to persons, and/or damage to plant and environment. These safety-related controllers can work with the safety-related distributed I/O system (may be with internal verification for input or output via safety switches as described in Clause 5.0.1—safe PLC approach), or directly with fail-safe transmitters cormected via the fieldbus. These controllers are supposed to detect faults both in the process and their own internal (self-diagnosis) to the system. It is the duty of the same to automatically set the plant to a safe state in the event of a fault. These controllers need to work in multitasking environment — may be in a mix of standard BPCS or safety-related applications, if integrated operation is permitted by the end-user. The programs of BPCS and SIS must be functionally separate, so that faults in BPCS applications have no effect on safety-related applications and vice versa. Special tasks with very short response times can also be implemented [14]. For safety applications controllers and I/O modules need to individually certified by third party and to comply SIL 2/SIL 3 (as the case may be — SIL 4 only for nuclear application) as per lEC 61508. For safety-related applications a few restrictions are followed such as ... 

Modern factory and industrial automation is more flexible and open and meant towards higher productivity. These systems replace conventional relay or solid state control systems, with extensive use of open programmable electronics in all types of scalable and demanding solutions. Modem safety integrated safety-related controllers of various designs with a variety of hardware and software architectures, including PC-based solutions, cover all sectors and types of factory automations. Associated standards for factory automations are ... 

If from the general risk assessment some form of Safety-Related Control Function (SRCF) is required, then there is a choice of which of the two standards (EN ISO 13849 or EN 62061) to follow in order to assess the safety requirements for each safety function and how to assess that any proposed system meets the requirements. In general if the safety protection is an electrical-based system either standard could be used. Figure 9.4 gives guidance on which is the more suitable standard based on the type of technology to be used for the safety function. 

These standards closely mirror the requirements of IEC80001 but require a proportionate set of controls reflecting the less critical nature of advisoiy or safety related software systems. There is no regulatory requirement for this class of systems. All assurance is conducted by accreditation of supplier process and subsequent inspection of safety deliverables. In this respect it was hoped to avoid the burdens of a compliance scheme such as the medical devices directive (which in its current form is felt by suppliers to be burdensome and overly bureaucratic for this category of software). 

The PSS system has been designed to allow standard (or basic ) control functions to be performed as well as safety related control functions. Safety functions are known as FS and standard are called ST. FS software runs in all three processors using an FS working bus. A separate bus is provided for the A processor to perform ST instructions. The dual function structure of the PSS has fail-safe controls operating with an independent triple voting bus whilst standard or non-safety functions operate only in processor A on a separate working bus. 

The generic standard of the safety community is IEC 61508, Functional Safety of E/E/PE safety-related Systems. The engineering community has built a set of standards based on IEC 61508 for specific sectors, taking into account the experiences, background knowledge and requirements the process control sector, medical sector, nuclear, railways, and is still continuing (e.g., automotive in progress). But this standard takes only the safety view, security is not even mentioned ... 

It has been demonstrated, that mass deployment of networked, dependable embedded systems with critical control functions require a new, holistic system view on safety critical and security critical systems. Both communities have to interact, communicate and integrate at the end. A unified approach to address the safety AND security requirements of safety related systems is proposed, based on the functional safety standard IEC 61508 and IT-Security management standards, handbooks and guidelines. 

IS015189 Medical Laboratories—-Particular Requirements for Quality and Competence is a universal standard for quahty management in medical laboratories that specifies requirements in general terms applicable to all medical laboratory fields, The standard is intended to form the basis for accreditation of medical laboratories. In addition to general laboratory conditions in relation to quality control, the standard focuses on medical competence, interpretation of test results, selection of tests, reference intervals, ethical aspects, and safety. An annex concerns quality management of laboratory computer systems. 

International Electrotechnical Commission. International standard lEC 61508 functional safety of electrical/electronic/programmable electronic safety related systems. Geneva 2000. Health and Safety Executive. Controlling the risks in the workplace. [Online]. 2015 [cited 2015 July. Available from http //www.hse.gov.uk/risk/controlling-risks.htm. 

The design constraints identified as necessary to control system hazards are passed to the implementers and assurers of the individual system components along with standards and other requirements. Success is determined through feedback provided by test reports, reviews, and various additional hazard analyses. At the end of the development process, the results of the hazard analyses as well as documentation of the safety-related design features and design rationale should be passed on to the maintenance group to be used in the system evolution and sustainment process. 

The final element of the Standard MHTGR licensing bases is the classification of plant equipment. In concert with development of the lOCFRlOO Design Criteria, this classification of equipment is done to focus attention on the minimum set of structures, systems, and components (SSCs) capable of performing all of the radionuclide control functions required to limit releases from DBFs to those allowed by lOCFRlOO, and, therefore, capable of fulfilling the design commitments made in the criteria. To draw this focus, these SSCs are designated as "safety-related."... 

The lEC 61508 standard defines safety as "freedom from unacceptable risk" (Ref. 1). Functional safety has been defined as "part of the overall safety relating to the process and the Basic Process Control System (BPCS) which depends on the correct functioning of the SIS and other protection layers." The phrase "correct functioning of the SIS" identifies the key concern. A high level of functional safety means that a safety... 

International Organization for Standardization [ISO].- ISO 13849-1 2006/Cor 1 2009, Safety of machinery - Safety-related parts of control systems. 

Fast forward a decade and a half to 1998 and echoes of the Markham report resonate in the standard EN 61508. This standard, called Functional safety ofelectrical/electronic/program-mable electronic safety-related systems, was developed in response to an increasing number of industrial accidents whose cause was attributed to Programmable Electronic Systems (PES). The increasing trend was to use the PES to perform the safety and plant control functions, and move away from mechanical or hardwired electrical controls. While the estabhshed method... 

Since the release of EN 61508, there have been rafts of other standards developed that address specific industries and other disciplines. Two standards that are commonly asked to comply with in designing hoisting are EN 62061 Safety of machinery Functional safety of electrical, electronic and programmable electronic control systems, and EN ISO 13849-1 Safety of machinery Safety-related parts of control systems. The latter standard caters for design of safety systems irrespective of the technology used, whether it is electrical, mechanical, hydraulic, pneumatic etc. 

The SCS does not utilize any pneumatically operated valves. The instrumentation, controls, and electric equipment pertaining to the SCS is designed to applicable portions of IEEE Standards 279, 308 and 603. In addition to normal offsite power sources, physically and electrically independent and redundant emergency power supply systems are provided to power safety-related components. See Chapter 8 for further information. 

Safety Series Nos 50-SG-D3, Protection System and Related Features in Nuclear Power Plants (1986) 50-SG-D8, Safety-related Instrumentation and Control Systems for Nuclear Power Plants (1984) and Safety Standards Series No. NS-G-2.2, Operational Limits and Conditions and Operating Procedures for Nuclear Power Plants (2000). 

The protection of safety-related equipment instrument sensing lines from freezing can be accomplished by providing environmental control systems which meet the requirements of 10 CFR 50, Appendix A (GDCs) and industry standard ISA-S67.02, and the intent of Regulatory Guide 1.151, and SRP Sections 7.1, (Rev. 3), 7.1 Appendix A, (Rev. 1), 7.5, (Rev. 3), and 7.7, (Rev. 3). 

The System 80+ Standard Design is designed to preclude water spray from the fire protection system onto safety-related equipment. The sprinkler systems protecting the safety-related equipment is of the automatic sprinkler type. Actuation of these sprinkler systems requires the opening of the fusible link sprinkler heads and detection by combustible-products and/or heat detectors. In addition, the operator has the capability of isolating flow from the control room by isolating the Sub-sphere Building headers or, locally by manual isolation valves. 

This shall be accomplished by assuring that the interface between safety-related and non-safety-related equipment on Class IE power sources and safety-related systems is adequately controlled by meeting the independence, electrical isolation, and physical separation requirements identified in IEEE Standard 384-1981 and other applicable standards, References 2 and 4 through 6, respectively, taking into consideration the guidance provided in Regulatory Guide 1.75, Revision 2. 

The System 80+ standard Design incorporates the second approach for assuring the reliability and adequate level of safety for the Class IE power sources and safety-related systems by the selective connection of non-safety-related equipment and strict control of the interface between the non-safety-related equipment and Class IE power system. 

The requirement for reducing the probability of reactor trip in the event of a loss of a single safety-related bus (criterion 2) is met by the System 80+ Standard Design, also as described in detail in CESSAR-DC, Section 8 3.2. As shown in CESSAR-DC, Figure 8.3.2-2, the safety-related (Class IE) DC power supply system consists of four separate isolated channels. The DC bus from each channel can be isolated from its battery bank and alternately supplied from its division s DC bus. For typical Class lE DC and AC instrumentation and control power supply systems, either the Channel A or Channel C DC bus can be supplied from the Division I, also a IE DC bus. Similarly, either the Channel B or Channel D bus can be supplied from the Division II, also a IE DC bus. Cross-ties between buses, however, are isolated through two sets of manually operated fusible disconnects. 

The System 80+ Standard Design utilizes the Shutdown Cooling System (SCS), the Reactor Coolant Gas Vent System (RCGV), the Safety Depressurization System (SDS), the Atmospheric Dump Valves (ADV), and the Emergency Feedwater Systems (EFW) as the preferred means to bring the reactor plant from hot standby to a cold shutdown condition within a reasonable period of time. These safety-related systems are normally operated from the control room and are described in CESSAR-DC, Sections 5.4.7, 10.1, and... 

In summary, the design, manufacture, pre-operational testing, and in-service testing of the boundary valves used in the interface between safety-related HP and LP systems is controlled in accordance with the ASME Code and, thus, satisfies the intent of SRP Section 3.9.6, Revision 2. Therefore, this issue is resolved for the System 80+ Standard Design. 

---