Moore looks to nuclear industry following safety assessment
06 March 2009
A Moore Industries process controller has complied with rigorous assessment prior to its use as part of plant improvement modifications at a UK nuclear power plant.
Hunterston B power station. Photo courtesy of British Energy Group plc
The assessment of the 535 single loop process controller used the EMPHASIS assessment method developed by the UK nuclear industry. This method systematically asks questions and requires evidence to show compliance with the international functional safety standard IEC 61508, together with some extra requirements that the UK nuclear industry has drawn from its own experience. EMPHASIS challenges the design and looks for ‘gaps’ in compliance which may need addressing. Additional ‘Compensating Measures’ can be suggested to provide further evidence and confidence in its suitability.
A specific version of the 535 controller, to be used in the plant improvement modifications, pre-dates IEC 61508 by some years and, following the assessment, ‘compensating measures’ were undertaken. These additional measures, together with the findings of the EMPHASIS assessment, are included in the safety case. In order that installation can proceed, a safety case and justification have to be completed by the nuclear site licensee.
Safety related modifications in a nuclear installation are strictly controlled through a categorisation process and modifications may require regulatory ‘permission’ from the UK nuclear regulator, Nuclear Installations Inspectorate, prior to implementation.
As a nuclear licensee, British Energy needs to make a reasoned claim that an instrument has been subject to good practice in its production processes and requires visibility of evidence supporting the claim. British Energy claims the EMPHASIS tool helped its assessor in structuring the claim and identifying the associated evidence.
What is EMPHASIS and why was it needed?
The nuclear industry is aware that there are a growing number of ‘Smart’ instruments on the market and many claim to have certification to a Safety Integrity Level (e.g. SIL2). However, going back to the late 1990s, the regulators were becoming aware of the significance of software/firmware in these devices and the possibility, however small, of introducing ‘systematic’ failure of the device. The methods of dealing with random hardware failures had been well established, but systematic (designed-in) flaws in the software are a real concern, especially when looking at consequences in nuclear installations.
Certification and assessment companies with competence in functional safety have been working with end users and vendors around the world and offer varying levels of assessment and ‘certification’. This has been very valuable to engineers and designers in having confidence in selection.
However, there is no common framework for assessing the suitability of these devices for use in IEC 61508 applications, and this can lead to confusion in interpreting what a ‘certified IEC 61508 device’ is: is it hardware assessment only? What about software? Are proven-in-use IEC 61511 arguments used? The situation is certainly improving and leading functional safety certifying bodies are consolidating on the fundamental requirements ‘to meet certification to a SIL’, but still the expertise and process they use is proprietary and not transparent to the nuclear industry.
For manufacturers themselves, there is a real challenge of risk and reward to consider when engaging with the nuclear industry on such a rigorous assessment program. The purchase order in real terms may be ‘small’ but the time and money to undertake an assessment has been onerous. In addition, what if something unpleasant is found in the process or product during the assessment?
EMPHASIS aims to reduce some of these problems.
The assessment tool itself was part of a long and intensive research and development project undertaken by the UK Control & Instrumentation Nuclear Industry Forum [CINIF], which included nuclear licensees and oversight by the Nuclear Installations Inspectorate.
Moore says that whilst the assessment can seem initially daunting, once you have the right people in the room it can be progressed at a fair pace. The company stresses that such assessments should not be entered into lightly and need the buy-in of senior management to allocate resources. However, by the time the auditor and vendor sit down together they both have a good understanding of expectations in terms of business opportunity and the level of openness and co-operation needed to complete the initial Q&A sessions, which may take a day or a day and a half. Evidence can then be collected in the following days and weeks, but the initial impression from the results of the EMPHASIS Q&As will give a very good feel for ‘compliance’ to the required standard and integrity levels.
Being open is crucial to the success of the assessment and commercial confidentiality agreements need to be in place. Considering the rigor with which EMPHASIS examines all aspects of the company, product development and the actual product, it would be surprising if some non-compliance were not found. Non-compliances can be reviewed and corrected, with agreement.
Moore Industries describes the journey through the assessment as a positive experience. The 535 process controller that was needed and chosen is of an older design, from a time well before IEC 61508, and since EMPHASIS tests compliance with IEC 61508, the assessment was a challenge. The company was pleased to discover that the instrument, with the required compensating measures, easily made it into the SIL1 category. Senior managers and engineers were heavily involved, and the company learned to apply new tools and techniques for development and testing.
Leonard Moore, president and CEO of Moore Industries, said: “This has taken commitment from our senior managers and engineers, but we have learned and found positive benefits of being involved in EMPHASIS from the very beginning. I can see that for some of the giant instrument vendor companies such focus could be an issue, but for us the customer relationship and service to the nuclear industry is worthwhile.”
The company added that the EMPHASIS exercise helped with preparation for third party certification by TÜV for a forthcoming SIL2 product.