Get smart
20 September 2011
Because of their design complexity, microprocessor-based devices are difficult to prove to be fault-proof. But substantiation of reliability is an essential requirement in the nuclear power industry. The UK nuclear industry has developed a working group and consensus standards to help manage these issues. By Robin Pearce
A smart instrument meets the following criteria. First, the main purpose of the instrument is to measure or directly control a single process variable. Second, despite using a microprocessor (or similar), it is a proprietary or commercial off the shelf (COTS) instrument or device in common use. Third, it may (or may not) include some flexibility in its use, due to parameters that are set by the vendor or user. Fourth, its life cycle includes the production of some generic firmware (built-in fixed computer code) by the manufacturer and may include some particular configuration software or settings accessible by the user. Smart instrumentation—or smarts for short—is not restricted to measurement devices but also includes devices such as actuators, valves, motor starters, UPS and other control instruments. For example, smart instrumentation is used in alpha, beta and gamma radiation detectors fitted in operational areas to warn employees of higher-than-normal radiation levels.
In the UK, the civil nuclear industry is intensively regulated by the Office for Nuclear Regulation (ONR). Nuclear sites are licensed, and consents are required prior to each stage to build/test/commission/operate/modify each plant on a licensed site. Consent for continued operation is required for each plant every 10 years.
Safety cases, including substantiation of the engineering (including safety instrumentation) are required to justify the consent being granted. From a nuclear industry perspective, substantiation of the reliability of smart instrumentation seems to be a safety issue only for the ONR; other industry sectors do not appear to be regulated on this issue. In addition, smarts are specifically covered in the generic design assessment (GDA) of the UK new-build reactor safety cases.
The issues with using these instruments in safety applications in the nuclear sector all derive from the systematic failure potential of the instruments. All instruments, whether smart or not, have a random hardware failure potential. This can be predicted by use of techniques such as failure modes, effects and diagnostic analysis (FMEDA) or failure data collection for each specific instrument.
Because of their firmware, smart instruments run an additional risk of systematic failures. The potential of these systematic failures cannot be easily predicted. Proprietary smart instruments in common use may have tens of thousands of lines of code in the firmware. Significant amounts of this code may not directly contribute to the measurement of interest but may support auxiliary functions. Thus there is the potential for undetected systematic errors that may lie dormant for years until triggered by specific conditions, for example time, change and/or combination of input conditions, maintenance or calibration. The concern is that the instrument may be installed in a protection system but a latent systematic error will cause it to fail on demand, and thus prevent a nuclear fault sequence being terminated.
In addition, smart instruments can be physically indistinguishable from conventional non-smart equipment, and may be installed without anyone realising it. Furthermore, each change of instrument type, make, hardware, and firmware (software) version is required to be re-substantiated prior to use. This may or may not be onerous, depending on the extent of the change. The significance of the change can be identified in an impact analysis.
If redundancy of protection is required, then the issue of potential common mode firmware (software) failure in both channels arises. We can address this by using different instruments, giving some diversity. However this strategy leads into the difficult area of what comprises acceptable software diversity. Two different instruments from the same supplier may share common firmware modules and/or code. Even two seemingly different instruments from different suppliers may share common hardware components and associated firmware.
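The reasoning above, that a second channel does little against a latent firmware fault both channels share, can be made concrete with a small probability model. The following is an added worked example, not code or figures from the article: it assumes each channel has an independent random hardware failure-on-demand probability (the kind of number an FMEDA would produce) plus a systematic firmware failure-on-demand probability, and that a fraction `shared` of that systematic probability is common to both channels because they run the same firmware or share firmware modules. The function names, the model, and the numeric values are all constructed for illustration.

```python
"""Added worked example (not from the article): how shared firmware caps the
benefit of a redundant one-out-of-two (1oo2) protection arrangement.

Model (an assumption made for this illustration, not a figure from the page):
  * each channel has an independent random hardware failure-on-demand
    probability p_random, and
  * a systematic (firmware) failure-on-demand probability p_systematic, of
    which a fraction `shared` is common to both channels. shared=1.0 models
    two identical instruments; shared=0.0 models fully diverse firmware.
"""


def channel_failure_prob(p_random: float, p_systematic: float) -> float:
    """Probability a single channel fails on demand (random OR systematic fault)."""
    return 1.0 - (1.0 - p_random) * (1.0 - p_systematic)


def one_out_of_two_pfd(p_random: float, p_systematic: float, shared: float) -> float:
    """Probability that BOTH channels of a 1oo2 system fail on the same demand.

    The systematic probability is split into a common-mode part (fires in both
    channels at once) and an independent part handled per channel.
    """
    if not 0.0 <= shared <= 1.0:
        raise ValueError("shared must be a fraction between 0 and 1")
    p_common = shared * p_systematic
    p_independent = p_systematic - p_common
    q = channel_failure_prob(p_random, p_independent)
    # The system fails if the common fault fires, or if it does not and both
    # channels fail for their own independent reasons.
    return p_common + (1.0 - p_common) * q * q


def redundancy_benefit(p_random: float, p_systematic: float, shared: float) -> float:
    """Factor by which adding the second channel reduces failure on demand."""
    single = channel_failure_prob(p_random, p_systematic)
    return single / one_out_of_two_pfd(p_random, p_systematic, shared)


if __name__ == "__main__":
    # Constructed figures for illustration only; not from any real instrument.
    p_random, p_systematic = 1e-3, 1e-4
    for label, shared in (("identical firmware", 1.0),
                          ("shared modules (half common)", 0.5),
                          ("fully diverse firmware", 0.0)):
        pfd = one_out_of_two_pfd(p_random, p_systematic, shared)
        gain = redundancy_benefit(p_random, p_systematic, shared)
        print(f"{label:30s} 1oo2 PFD = {pfd:.3e}  ({gain:.0f}x better than one channel)")
```

With identical firmware the 1oo2 probability of failure on demand can never fall below the common-mode systematic probability, however good the random hardware figures are; the only way to recover the benefit of redundancy is to reduce the shared fraction, which is exactly the diversity question the paragraph raises, and the model shows why "different supplier" is not by itself evidence that the fraction is zero.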
The regulator first raised the issue of use of smart instruments in safety applications in 1999 with the major licensees in the UK. Even now there is no published nuclear sector standard specifying a design process, nor even the issues that should be addressed, such as documentation. (However, an International Electrotechnical Commission standard, IEC 62671 ‘Nuclear Power Plants, I&C important to safety, Selection and use of industrial digital devices of limited functionality’, is in preparation and due to be published in June 2013).
In the meantime, UK nuclear licensees agreed with the regulator a substantiation approach graded to the safety integrity level, SIL, in 2006. This was based on the NII’s ‘Safety Assessment Principles & Technical Assessment Guide T/AST/046 - Issue 2, computer-based safety systems’. More recently, a revised common position statement of seven European nuclear regulators and authorised technical support organisations for the licensing of safety critical software for nuclear reactors was issued in 2010 (www.hse.gov.uk/nuclear/software.pdf). This document includes a section on smart instruments based on the same substantiation approach.
The substantiation approach has two legs. The first leg is production excellence (PE); the second leg is independent confidence building measures (ICBM).
The production excellence theme tests how well the instrument’s lifecycle, from concept and specification to the production stage, has been undertaken in accordance with the basic all-industry standard IEC 61508, ‘Functional safety of electrical/electronic/programmable electronic safety-related systems’. (Although IEC 62671 is a nuclear power plant-specific standard which addresses industrial devices of limited functionality, IEC 61508 covers the functional safety requirements for entire systems from sensor to logic solver to terminator (for example, level measurement, PLC, valve).) The IEC 61508 compliance test is carried out using the Emphasis tool methodology, which asks a series of questions based on the standard.
The Emphasis tool originated from a nuclear research project designed to develop guidelines for the assessment of smart instruments. The tool is based on IEC 61508 and has been subject to extensive validation.
Emphasis originally consisted of three interactive Microsoft Excel worksheets. Part 1 covers the pre-qualification stage. It investigates top-level functional safety management issues which could lead to rejection on vendor non-compliance. Part 2 investigates the hardware procedures and capabilities which might also lead to rejection on vendor non-compliance. Part 3 investigates the software and other in-depth issues to generate a final Emphasis rating for the instrument.
The tool has recently been redeveloped by Adelard Ltd for the nuclear industry as a Java web-based application.
It should be noted that currently few instrument suppliers would be able to demonstrate compliance with IEC 61508 lifecycle requirements when developing their instruments. Thus gaps are expected when the Emphasis questions are asked. Compensating activities are required when gaps are found. These activities, undertaken by the manufacturer or others, will depend on the nature of the gap. Gaps can be plugged using techniques such as a review of the curriculum vitae of staff (by licensee), module tests (by manufacturer), or statistical tests (by either).
The second leg is independent confidence-building measures (ICBM), a thorough and practicable assessment of the instruments’ fitness for purpose. It comprises two elements. First, there is a complete (and preferably diverse) check of the finally-validated system by a team which is independent of the system’s suppliers. Second, there is independently-assessed testing that covers the full scope of test activities (for example, verification, validation, and dynamic testing), including traceability of tests to specification, and confirmation that the specification is met. ICBM information sources include engineering, inspection, maintenance and testing records, proof test records, commissioning tests, hardware reliability analysis, certification, supplier pedigree, review of suppliers’ standards and procedures, functional safety assessment, review of tools, prior use, static and dynamic analysis and statistical testing.
The NISIWG forum
The agreements reached in 2006 with the regulator were facilitated by the Nuclear Industry Smart Instruments Working Group (NISIWG). The members of NISIWG consist of the main UK nuclear site licence holders including Sellafield Ltd and EDF Energy (British Energy). New reactor build vendors EDF/AREVA and Westinghouse have recently joined the group. NISIWG is not set up as a legal entity nor is it a certification body. Bilateral agreements are entered into for exchange of assessments with each licensee being responsible for ensuring the assessment is valid for its safety application.
Although the forum initially experienced considerable resistance from instrument suppliers to the assessment process, attitudes have since changed. Suppliers were concerned about intellectual property rights (IPR) and the potential undermining of their safety claims. They were concerned about additional costs that they might have to bear, although in some cases licensees are paying for the supplier’s time to conduct assessments with the licensee’s representatives.
However, the experience of being assessed has given the suppliers confidence in the process and its advantages for them. It has increased their market penetration. Many suppliers are now actively seeking assessments to be undertaken.
Costs range from £50,000-£100,000 per instrument, depending upon whether in-house suitably qualified and experienced staff or specialist contractors are used. The project can last up to one year, although most of this time is taken up reaching a supplier’s agreement-in-principle to participate. The assessment itself usually takes five days. Usually the Emphasis tool is issued to the supplier to fill out prior to the assessment visit; then the licensee’s assessors will audit the answers and view the evidence.
Like the instrument suppliers, individual nuclear site licensee corporate managements have challenged the cost, duration and proportionality of this approach, particularly when compared with the purchase cost of a single instrument. However the correct proportionality comparison is the cost of the consequence of a hazard occurring due to failure of the smart instrument. If a substantiated instrument of the same make, type and version is used in many protection loops on a site to prevent the consequences of different hazards, then it can be considered a proportional approach.
Two challenging situations have arisen during the smart process. The first case is the timely replacement of failed obsolete non-smart instruments. The second case is in decommissioning projects, where an instrument may only be needed for a short time to protect against a hazard which could arise during a once-only remediation task. In both of these situations, technical staff develop balance-of-risk and instrument-confidence arguments to justify the use of a smart instrument for a limited duration while the two-legged assessment is completed.
R.T. Pearce BSc(Hons) CEng FIET, Leader C, E, & I Safety Systems Design Capability, Engineering Directorate, Sellafield Ltd, Hinton House, Risley, Warrington, Cheshire, WA3 6GR. This article expands upon a presentation given at IET seminar SMART INSTRUMENTATION 2010 in London on 27 April 2010.