CERN Safety Alarm Monitoring Invitation to Tender Strategy - PowerPoint PPT Presentation

1
CERN Safety Alarm Monitoring: Invitation to Tender Strategy
  • CERN Safety Alarm System Supervisory Board
  • 3rd meeting
  • CSAM project team

2
Outline
  • IEC 61508 basics (S. Grau, ST/MO)
  • CSAM Safety requirements (F. Balda, ST/AA; A. Chouvelon, TIS/GS; S. Grau, ST/MO)
  • Contract Strategy (P. Ninin, ST/MO)

3
IEC 61508 basics

  • Functional safety?
  • An analysis of your system that gives justified confidence in the service it delivers
  • Functional safety of electrical / electronic / programmable electronic safety-related systems, structured via a Safety Lifecycle

4
IEC 61508 basics

How much system down-time per year do we accept?
Can the system become dangerous if a function or a transmission path fails?
How should the system diagnose errors? Which self-tests should be defined? What should the maintenance policy be?
Will the user know when some functions are not available?
5
IEC 61508 basics

  • Safety Integrity Level (SIL)? Associated with a function and with the risk that the function deals with

  • SIL 1
  • SIL 2
  • SIL 3
  • SIL 4

Example applications shown alongside the levels on the slide:
  • Non-redundant architectures with PLCs
  • Integrated control system for subways
  • Equipment of electrical substations
  • Sub-system of boiler safeties for thermal power plants
6
IEC 61508 basics
Why should we use it?

  • Objectives definition: accessible, realistic; quantify the domain of tolerance or variability
  • Specification of requirements: functional, service quality, dysfunctional behavior
  • Anticipate degraded modes and control the risks
  • Justify confidence in the system, based on experience, expertise, forecast, methods and standards

7
CSAM Safety Requirements

  • AIMS OF THE SPECIFICATION
  • Define a safety strategy both for the team and CSAM developers
  • Trace a path for a RAMS-validated system
  • Prepare specific requirements
  • Be consistent with IEC 61508
  • Use validated risk analysis techniques

8
CSAM Safety Requirements
Contents

  • Constraints
  • Undesired Events
  • Safety Requirements
    • Objectives
    • Safety functions and SIL assignment
  • Risk analysis strategy
9
CSAM Safety Requirements

1.- Safety Constraints
  • Basic safety conditions that the system must satisfy in order to be approved
  • Example: The system must be in operation 24 hours a day, 365 days a year

10
CSAM Safety Requirements

2.- Undesired Events
  • Any accident, or simple or complex event, that the system users or the community want to avoid
  • Example: Total loss of the system
  • ACTION
    • Foresee the consequences
    • Require a frequency that makes the risk acceptable
    • ALARP model (As Low As Reasonably Practicable)

11-13
CSAM Safety Requirements

2.- Undesired Events: technique (shown as figures on slides 11 to 13; not captured in the transcript)
Common use: decrease the maximum frequency by 1 or 2 orders of magnitude
14
CSAM Safety Requirements

2.- Undesired Events: risk recall

<< Zero risk does not exist; it can be quantified or reduced by considered human action >> (quoted in French on the slide)
  • Risk = Frequency x Consequence
  • Individual risk and collective risk

15
CSAM Safety Requirements

2.- Undesired Events: statistics at CERN
  • Frequency of the recorded events (LEP period)
  • Fire / small system (minor): 5 per year
  • Fire / installation (severe): 1 per year
  • Fire / building (major): 2 per 5 years
  • Fire / experiment (catastrophic): ?
  • Fatalities (catastrophic): 6 per 15 years
  • Injured (major): 10 per year

16
CSAM Safety Requirements

2.- Undesired Events: consequence categories (table on the slide, not captured in the transcript)

17
CSAM Safety Requirements

3.- Safety Objectives
  • Detailed conditions which the system is expected to cope with
  • Example: Any Undesired Event, or chain of events leading to a similar scenario, should have a frequency at least one or two orders of magnitude lower than the one required for an acceptable risk

18
CSAM Safety Requirements

4.- Safety Functions (table on the slide, not captured in the transcript)

19
CSAM Safety Requirements

4.- SIL Assignment (table on the slide, not captured in the transcript)

20
CSAM Safety Requirements

4.- SIL Assignment (continued; table on the slide, not captured in the transcript)
21
CSAM Safety Requirements

4.- SIL Assignment
  • Example: Function 1
  • << Send commands to safety equipment for performing safety actions >>
  • Related Undesired Events (UE): UE-8 Safety actions failure
  • UE consequence category: Catastrophic
  • Event likelihood: Frequent
  • SIL assignment: SIL 3
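Worked example added to this transcript (not CSAM project code) that carries numbers through the chain the deck describes: the safety objective of slide 17 (a UE frequency one or two orders of magnitude below the one already acceptable), a risk reduction factor, and an IEC 61508 SIL band. It assumes the safety function is the only layer between a hazardous demand and the undesired event, so UE frequency = demand frequency x PFDavg and the required risk reduction factor is the ratio of the two frequencies; it also assumes low-demand mode, so the PFDavg bands of IEC 61508-1 Table 2 apply. The demand rate and acceptable frequency in the script are constructed, not CERN statistics, and the deck's own SIL 3 for Function 1 came from a qualitative consequence/likelihood matrix that this script does not reproduce.

```python
"""SIL target from a tolerable event frequency (IEC 61508, low-demand mode).

Added worked example for this transcript, not CSAM project code.
Assumptions (not from the deck): the safety function is the only layer
between a hazardous demand and the undesired event (UE), so
    UE frequency = demand frequency x PFDavg,
and the function runs in low-demand mode, so IEC 61508-1 Table 2 applies.
All rates below are constructed figures, not CERN statistics.
"""

from dataclasses import dataclass
from typing import Optional

# IEC 61508-1 Table 2 expressed as risk reduction factor RRF = 1 / PFDavg:
# SIL 1: PFDavg in [1e-2, 1e-1)  ->  10 < RRF <= 100, and so on up to SIL 4.
SIL_RRF_BANDS = (
    (1, 10, 100),
    (2, 100, 1_000),
    (3, 1_000, 10_000),
    (4, 10_000, 100_000),
)
_TOL = 1e-9  # absorbs floating-point noise when a ratio lands exactly on a boundary


def target_frequency(acceptable_frequency: float, orders: int = 2) -> float:
    """The deck's safety objective: aim one or two orders of magnitude below
    the UE frequency that would already make the risk acceptable."""
    if orders not in (1, 2):
        raise ValueError("the objective asks for one or two orders of magnitude")
    return acceptable_frequency / 10 ** orders


def risk_reduction_factor(demand_rate: float, tolerable_frequency: float) -> float:
    """How many times rarer the UE must be than the demands that could cause it."""
    if demand_rate <= 0 or tolerable_frequency <= 0:
        raise ValueError("rates must be positive (events per year)")
    return demand_rate / tolerable_frequency


def sil_for_rrf(rrf: float) -> Optional[int]:
    """0: no SIL-rated function needed; 1..4: IEC 61508 SIL;
    None: more than SIL 4 can give, so the design, not the SIL, has to change."""
    if rrf <= 10 * (1 + _TOL):
        return 0
    for sil, lo, hi in SIL_RRF_BANDS:
        if lo * (1 - _TOL) < rrf <= hi * (1 + _TOL):
            return sil
    return None


@dataclass(frozen=True)
class SilTarget:
    tolerable_frequency: float  # UE events per year the function must achieve
    rrf: float
    pfd_avg: float
    sil: Optional[int]


def derive_sil(demand_rate: float, acceptable_frequency: float,
               orders: int = 2) -> SilTarget:
    """Whole chain: acceptable frequency -> objective -> RRF -> PFDavg -> SIL."""
    tolerable = target_frequency(acceptable_frequency, orders)
    rrf = risk_reduction_factor(demand_rate, tolerable)
    return SilTarget(tolerable, rrf, 1.0 / rrf, sil_for_rrf(rrf))


if __name__ == "__main__":
    # Constructed inputs: one demand per year on the safety function, and a
    # UE frequency of 1e-2 per year judged acceptable under ALARP.  Two orders
    # of magnitude below that is 1e-4/yr, i.e. RRF 10 000, PFDavg 1e-4: SIL 3.
    t = derive_sil(demand_rate=1.0, acceptable_frequency=1e-2, orders=2)
    print(f"target {t.tolerable_frequency:.0e}/yr, RRF {t.rrf:.0f}, "
          f"PFDavg {t.pfd_avg:.0e} -> SIL {t.sil}")
```

With the constructed inputs the script reports RRF 10 000 and SIL 3; asking for one order of magnitude instead (orders=1) gives RRF 1000 and SIL 2. The "one or two orders of magnitude" wording in the objective is therefore itself a design decision, and one SIL step is a large difference in what the tender will cost.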

22
CSAM Safety Requirements

5.- Risk analysis strategy for CSAM developers

Preliminary Risk Assessment (PRA)
  • Objectives
    • Identify and locate the hazards
    • Single out the weak points
    • Point out causes and consequences of hazards
    • Find corrective measures if necessary
    • Set up special protection systems if necessary
  • Methods: HazOp, FMECA, qualitative Fault Trees
  • Take the maintenance policy into account

Risk Analysis
  • Objectives
    • Quantify the probability of foreseen accidents
    • Quantify the consequences
    • Estimate the risk
    • Quantify reliability and availability
    • Validate the correct working of the system
    • Verify that constraints are respected
    • Iterate the process if corrective actions have to be undertaken
  • Methods: Fault Trees, Event Trees, Markov graphs, Petri nets
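Added example (not from the deck) of how the PRA's qualitative fault tree becomes a quantitative one in the Risk Analysis step, and of how it answers the slide-4 question on accepted down-time per year. The top event is the deck's undesired event "Total loss of the system"; the basic events are repairable components modelled with constant failure and repair rates, so steady-state unavailability is q = MTTR / (MTBF + MTTR); a non-redundant transmission path is compared with a redundant one. The component names and the MTBF/MTTR values are constructed assumptions, not CERN data, and failures are assumed independent, which flatters redundancy.

```python
"""Unavailability of the alarm path as a fault tree: the deck's UE "Total loss
of the system" as top event.

Added worked example for this transcript, not CSAM project code.  Component
names and the MTBF / MTTR figures are constructed assumptions, not CERN data.
Basic events are repairable components with constant failure and repair rates,
so steady-state unavailability is q = MTTR / (MTBF + MTTR); failures are
assumed independent (no common-cause factor), which flatters redundancy.
"""

from dataclasses import dataclass
from typing import Sequence, Union

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Basic:
    """Basic event: one repairable component."""
    name: str
    mtbf_h: float
    mttr_h: float

    def unavailability(self) -> float:
        return self.mttr_h / (self.mtbf_h + self.mttr_h)


@dataclass
class Gate:
    """OR: any input down takes the output down.  AND: all inputs must be down."""
    kind: str
    inputs: Sequence[Union["Gate", Basic]]
    name: str = ""

    def unavailability(self) -> float:
        qs = [child.unavailability() for child in self.inputs]
        if self.kind == "AND":
            p = 1.0
            for q in qs:
                p *= q            # all inputs down at the same time
            return p
        if self.kind == "OR":
            p = 1.0
            for q in qs:
                p *= 1.0 - q      # exact complement rule, not the rare-event sum
            return 1.0 - p
        raise ValueError(f"unknown gate kind {self.kind!r}")


def downtime_hours_per_year(q: float) -> float:
    """Expected down-time implied by a steady-state unavailability."""
    return q * HOURS_PER_YEAR


# Constructed failure data (assumptions, not CERN figures).
detector = Basic("fire detector loop", mtbf_h=50_000, mttr_h=8)
local_ctrl = Basic("local safety alarm controller", mtbf_h=100_000, mttr_h=4)
link_a = Basic("network link A", mtbf_h=20_000, mttr_h=24)
link_b = Basic("network link B", mtbf_h=20_000, mttr_h=24)
centre = Basic("monitoring centre server", mtbf_h=30_000, mttr_h=2)


def total_loss(redundant_network: bool) -> Gate:
    """Top event: an alarm cannot reach the operator because some stage of the
    detector -> local controller -> network -> centre chain is down."""
    if redundant_network:
        network = Gate("AND", [link_a, link_b], "both network links down")
    else:
        network = link_a
    return Gate("OR", [detector, local_ctrl, network, centre],
                "total loss of the system")


if __name__ == "__main__":
    for redundant in (False, True):
        q = total_loss(redundant).unavailability()
        print(f"redundant network={redundant}: Q={q:.2e}, "
              f"about {downtime_hours_per_year(q):.1f} h/yr of down-time")
```

With the constructed data the non-redundant path is unavailable about 1.5e-3 of the time (roughly 13 h per year) and the single network link dominates the top event; doubling the link brings it down to about 2.7e-4 (roughly 2.3 h per year), after which the detector loop is the weak point the PRA should single out next. Whether 2.3 h per year is acceptable is exactly the slide-4 question, and it has to be answered before the tender, because it fixes what the contractor is paid to achieve.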
23
CSAM Safety Requirements

Summary
  • A series of precise requirements have been defined
  • Requirements are based on IEC 61508 and on widely used safety techniques
  • A risk analysis strategy has been outlined for CSAM developers
  • Worst foreseen accidents have been identified
  • Safety Integrity Levels have been assigned

24
Contract Strategy

The Strategic Objectives
  • A product satisfying the functional safety criteria of Availability, Reliability, Maintainability, Security
  • Upgrade of the existing safety alarm systems: Modularity, Standardisation, Integration
  • Operational and Maintenance service on a per-alarm basis, driven and controlled by system performance indicators
  • INB compliant

25
Contract Strategy

1 contract -> 3 Work Packages (WP)
26
Contract Strategy

Work Packages Breakdown

WP Breakdown based on IEC 61508
27
Contract Strategy

The CSAM commercial strategy

28
Contract Strategy

Results Oriented Contract
  • WP1: Concept validated -> payment
  • WP2: Migration of all Safety Zones; Bonus/Malus according to quality and deadlines
  • WP3: Bonus/Malus according to system performance

29
Contract Strategy

Alarm Integration Cost

Cost based on the level of integration
30
Contract Strategy

The CSAM commercial strategy
  • How will the application of functional safety and the Operational and Maintenance service guarantee optimal contract performance?
  • Functional safety fixes clear, measurable results for the functioning of the system
  • The O&M service has to satisfy the same functional requirements
  • Therefore there is an optimum when the system is working well and a minimum of O&M effort is required
31
Contract Strategy

The CSAM commercial strategy

  • System is not functioning: two losers, CERN and the Contractor
  • System is functioning well: two winners, CERN and the Contractor
32
The CSAM commercial strategy

Components shown on the slide:
  • The Safety Alarm Monitoring Center
  • The CERN Safety Alarm Network
  • The Local Safety Alarms Controller
33
Contract Strategy

The Technical Specification structure
  • Documentation structure
  • Detailed description of the safety alarm requirements

34
Contract Strategy

The CSAM User Requirements
  • Final version sent for approval to all the concerned parties
  • Replies expected by the end of June
  • Last revision mid-July

35
Contract Strategy

Status of the Market Survey
  • 18 firms replied to the MS
  • 10 fully qualified
  • 8 visits planned to take place in June/July
  • Three types of companies:
    • Nuclear
    • Petrochemical
    • Security (intrusion and access control, fire detection, etc.)

36
Contract Strategy

Conclusions
  • Real outsourcing
  • Safety Objectives -> Contract (System, O&M) -> Result-oriented payment
  • IEC 61508 as a safeguard (design, operation, benchmark)
  • The contractor needs to control its environment!
  • Others
    • Open question on the Safety networks (added in the IT2694)
    • IT under the ST revision process, out of CERN by the end of September