With the increasing reliance on SMART instruments in safety systems, the problem of substantiating the software in these instruments has been a concern of the NII for years
The Nuclear Decommissioning Authority (NDA) owns the UK’s civil nuclear assets, including the Sellafield and Capenhurst sites. Sellafield manages operations on the sites under contract to the NDA.
The Sellafield site is one of the world’s most complex and compact nuclear sites, with current activities centred on remediation, decommissioning and clean up of the historic legacy. The site is also home to the Thorp and Magnox reprocessing plants, the Sellafield MOX plant and a wide range of waste management and effluent treatment facilities.
The predicament
The UK Health and Safety Executive (HSE) has stated that IEC 61508 will be used as a reference standard for determining whether a reasonably practicable level of safety has been achieved when E/E/PE systems are used to carry out safety functions.
Compliance to IE61508 can be achieved through a number of different means including self assessment and ‘proven in use’ arguments. This has meant that there is no common framework for these assessments that satisfies the requirements of the nuclear industry.
While hardware assessments are more easily verified, the verification of software as it relates to the safety function has been a concern of the nuclear industry for a number of years. The potential for undetected systematic faults in the firmware is the issue of concern.
This has led to reluctance from the nuclear industry to use software-based or SMART instruments in safety instrumented systems, which has reduced flexibility and limited the opportunities presented by the latest technologies.
Each major nuclear operator created its own verification program to meet the requirements of the NII for evidence of compliance with the safety certification.
This led to reluctance on the part of SMART instrument suppliers to subject themselves to this rigorous and costly verification program for each licensee in return for a small sale in relative terms.
The solution
After extensive research by the Control & Instrumentation Nuclear Industry Forum (CINIF), the Emphasis program was developed. Originally intended as a set of written guidelines, the Emphasis program soon evolved into a software tool that can be used for assessment of SMART instruments for the nuclear industry.
Emphasis has been subjected to extensive validation, and has been adopted by the Nuclear Industry Smart Instruments Working Group (NISIWG) comprising the major players from the UK Nuclear Industry.
Emphasis is based upon a lifecycle approach as specified in IEC61508, and provides an evidence gathering tool in the form of a comprehensive set of questions covering all relevant aspects relating to the company and the product under review.
Alarm annunciators
A key component in nuclear safety systems is the alarm annunciator, considered a vital tool in modern safety systems because they provide an additional layer of protection in the safety strategy on the plant.
Alarm annunciators are simple to deploy, which provides an easily verifiable safety function in the system. They also provide early warnings to operators of a potential plant upset that can often allow intervention before the upset occurs. The involvement of the operator also provides a sophisticated analysis capability to events that may not have been predicted at plant design.
Modern alarm annunciators such as the Omni16C are SMART instruments, and so the verification of these products to meet nuclear requirements is imperative.
The result
The Omni16C has been the alarm annunciator of choice at Sellafield and other major UK nuclear facilities for a number of years. According to Omniflex, the Omni16C was the first alarm annunciator in the world to be certified to SIL1 in accordance with IEC61508. This product has provided reliable service and, from the Omniflex statistics gathered over the years, certainly qualifies as ‘proven in use.’
“We have been very happy with the performance of the Omni16C,” said Mike Hadfield, programmable electronic systems centre of expertise leader at Sellafield. “The new Emphasis tool created an opportunity for us to formally substantiate the reliability of this important product.”
Sellafield approached Omniflex with a view to subjecting the Omni16C to the Emphasis program.
“Exposing your books to outside scrutiny is always a risk,” said Gary Bradshaw, Omniflex UK Director, “but our good relationship with Sellafield, and the proven performance of the Omni16C gave us confidence to proceed with this audit.”
A team from Sellafield visited the Omniflex factory and conducted a thorough review of the design and production methods of the Omni16C. Both the hardware and the software were evaluated using the Emphasis tool to IEC61508 SIL1.
“The Emphasis tool provides us the rigour to evaluate the software embedded in SMART instruments,” said Paul Caspall-Askew, PES Team Leader, Sellafield. “The software development process employed at Omniflex as well as the Omni16C test methods were thoroughly reviewed using this tool.
“We found sufficient evidence to justify the SIL1 claim made by the company, and are now satisfied that the Omni16C is suitable for use in the UK nuclear industry.”
Omniflex and the Omni16C passed the rigorous audit without any corrective actions required.
For more information contact Ian Loudon, Omniflex, +27 (0)31 207 7466, [email protected], www.omniflex.com
| Tel: | +27 31 207 7466 |
| Email: | [email protected] |
| www: | www.omniflex.com |
| Articles: | More information and articles about Omniflex Remote Monitoring Specialists |
© Technews Publishing (Pty) Ltd | All Rights Reserved
printer friendly version