2
Dependability Analysis
Principle: Future fusion power plants will only be possible if ITER proves that the reactor and associated systems can run long plasma discharges reliably.
Consequences: The ITER interlocks shall:
- Protect the tokamak integrity
- Maximise scientific operation time
- Anticipate and test interlock solutions for future industrial fusion reactors
[11]
3
Dependability Analysis
Interlock Dependability Analysis Strategy: 3 steps
1. What we manage: Central Interlock System (in-fund)
2. What we coordinate: Plant Interlock Systems (in-kind)
3. All together
[11]
4
1. What we manage: Central Interlock System
- Overall availability (99.9%)
- Reliability (99.6% over two 8h shifts)
- Risk mitigation based on FMECA / HAZOP
- Human Factor Analysis
- RAMI simulation with BlockSIM:
  - Reliability for one ITER plasma operation
  - Availability for 16 months and 20 years
  - Highlights the most critical components
  - Spare parts required for ITER operation time
- RAMI analysis
- Periodic Test and Inspection Plans
- Maintenance Plan
- System Integrated Logistics Support Plan (ILS)
5
1. What we manage: System integrity assessment flow – 3IL (IEC 61508)
Our goal: probability of a dangerous failure of less than 10^-7 per hour (IEC 61508)
- CIS architecture: only for protection functions
- Model based on interlock functions (signal flow): 17 configurations identified
- Calculation of the PFH of each component
- Margin for PIS can be given: if PFH_CIS is 17.8x10^-9, the share of the 3IL-3 budget (10^-7) is 17.8% and the share of the 3IL-2 budget (10^-8) is 1.78%
6
1. What we manage: 17 function models (legend: cin, SL, none, digital, FA, do, spi)
Event  Internal action / architecture / signal type  PFH       %SIL3  %SIL2
1      cin SL none                                    5.30E-09  5.3%   0.5%
2                                                     1.06E-08  10.6%  1.1%
3      digital FA do                                  3.03E-08  30.3%  3.0%
4      spi                                            4.77E-08  47.7%  4.8%
5      dlib                                           1.43E-08  14.3%  1.4%
6
7                                                     3.93E-08  39.3%  3.9%
8                                                     5.67E-08  56.7%  5.7%
9      blib                                           8.30E-09  8.3%   0.8%
10                                                    3.33E-08  33.3%  3.3%
11                                                    2.19E-08  21.9%  2.2%
12                                                    4.26E-08  42.6%  4.3%
13                                                    4.99E-08  49.9%  5.0%
14                                                    5.89E-08  58.9%  5.9%
15     di                                             4.16E-08  41.6%  4.2%
16
17
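As an added example (not from the slides or from ITER's own tools), the budget check behind the 17.8% / 1.78% figures and the %SIL columns of the table above: the PFH of a series signal chain, its share of an IEC 61508 high-demand SIL band, the margin left for the PIS, and the SIL actually reached. It assumes the IEC 61508 high-demand bands (PFH upper bounds 1e-7 for SIL 3 and 1e-6 for SIL 2, which reproduce the %SIL2 column of the table) and constructed component values.

```python
# Added example: PFH budget check for one interlock function in high-demand
# mode (IEC 61508). Component values below are constructed, not ITER data.

# Exclusive upper bound of the PFH band for each SIL in high-demand mode.
SIL_PFH_UPPER = {1: 1e-5, 2: 1e-6, 3: 1e-7, 4: 1e-8}


def chain_pfh(component_pfh):
    """Series signal chain (sensor -> logic solver -> actuator): to first
    order the dangerous-failure rates of the links add up."""
    return sum(component_pfh)


def budget_share(pfh, sil):
    """Fraction of the SIL band consumed by this PFH (the slides quote %)."""
    return pfh / SIL_PFH_UPPER[sil]


def pis_margin(pfh_cis, sil):
    """PFH left for the plant-side part (PIS) of the loop once the CIS share
    is taken, if the whole loop must still meet the target SIL."""
    return SIL_PFH_UPPER[sil] - pfh_cis


def achieved_sil(pfh):
    """Highest SIL whose band the PFH falls into; 0 if it misses even SIL 1."""
    for sil in (4, 3, 2, 1):
        if pfh < SIL_PFH_UPPER[sil]:
            return sil
    return 0


def assess(name, component_pfh, target_sil=3):
    """Assemble one row in the shape of the 17-function table."""
    pfh = chain_pfh(component_pfh)
    return {
        "function": name,
        "pfh": pfh,
        "pct_sil3": round(100 * budget_share(pfh, 3), 1),
        "pct_sil2": round(100 * budget_share(pfh, 2), 1),
        "sil": achieved_sil(pfh),
        "meets_target": achieved_sil(pfh) >= target_sil,
        "pis_margin": pis_margin(pfh, target_sil),
    }


if __name__ == "__main__":
    # Constructed split of components that sums to the slide's CIS total 17.8e-9.
    print(assess("constructed-loop", [5.3e-9, 1.06e-8, 1.9e-9]))
```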
7
2. What we coordinate: 17 Plant Systems, 40 Supply contracts (PA)
8
2. What we coordinate: Plant Systems with Operational Background
- Cryogenics
- Cooling Systems
9
2. What we coordinate: First of its kind
- Heating Systems (ECH, ICH, NBI)
- Fueling Systems
10
2. What we coordinate: Standardize the tools and methods (RAMI)
- Functional Analysis - FMECA
- Reliability Block Diagrams
- HAZOP
- 3IL Assessments
- Standards
- Architectures
- Support Life Cycle Management
These methodologies work when it comes to:
- Small projects
- Large projects with well-known technology
But they are not enough when dealing with:
- Large projects with unique technology systems
- Complex high dependability protection systems
- Large projects 'running late'
11
3. All Together: Machine Protection Panel
- Long term assessment
- Identifying design weakness
- Qualitative approach
- Report to top management
- Assign responsibilities
The main purpose of the MPP is to perform a long term on-going assessment of the interactions of the sub-systems of the project, as stated in the Terms of Reference. The panel will identify design weaknesses, with a qualitative approach, requiring a transversal analysis to bridge between the considerations of specific plant sub-systems, and assigning responsibilities for remediation or mitigation of any adverse plant interactions identified.
The MPP will be based upon the working methods of the JET Machine Protection Working Group (MPWG), with the purpose of identifying the adverse impacts of each system upon others, and vice versa, and assessing qualitatively the risk of each such impact (likelihood and severity) and accordingly the nature of the protection interlocks that should prevent or mitigate such effects.
12
3. All Together
- Progressive take-over of the local plant system interlocks by the CIS team (commissioning)
- Commissioning-oriented design: although interlocks are rigid by definition, some flexibility needs to be included to accommodate:
  - By-passes
  - Threshold management
  - Signal masking
  - Event forcing
  - …
- Protection against humans (who usually are also under commissioning)
- Although protection systems should be 'transparent' during operation, they have to be 'very popular' during commissioning: do not hide them!
- Complete, public and unambiguous user manuals.
- Formal methods can be very useful
[11]
13
New Methodologies: STPA – System Theoretic Process Analysis
STPA provides a good tool to identify the safety constraints and requirements from the first steps of the design, identifying scenarios that are not evident with the conventional techniques based on probabilistic tools.
- Safety constraints at an early stage of the design
- Unsafe control actions which comprise various subsystems
- Shall be complemented with conventional techniques
- Not mature at low level
- For bigger systems the complexity does not reduce the effort compared to the conventional techniques, and adds complexity
14
Conclusions
- The ITER Interlock System will most likely be the first machine protection system built with most of its components provided in-kind from up to 36 different countries.
- A strong effort is being put in place to ensure that all actors around the globe design, build and configure the parts of the puzzle to be properly integrated with the central system.
- While a detailed dependability analysis of the Central Interlock System has already been performed, a strategy has been put in place to continuously monitor the progressive growth of the overall interlock system.
[11]
15
@ITERinterlocks
16
ITER RAMI Process
17
Interlock Operation Requirements: CIS self-protection mechanisms
Automatic self-protection against human errors covers all possible routine operation mistakes and some of the special ones:
- Disregard of manual orders if they may lead to a dangerous situation or if the conditions are not the correct ones for changing the internal status
- The interlock system ignores an interlock mask under certain dangerous machine status
- Identification and label of interlock data
- Confirmation step on manual commands
- Particular self-protection during 'routine' operations
- Reliable administrative procedures for critical actions
In detail:
- The interlock system ignores a manual order from the operator if it may lead to a dangerous situation or if the conditions are not the correct ones for changing its internal status. Examples: request to close the quench loop (reset) when there is still current in the coils; recovery of the 'power permit' in a power supply when cryo is not OK.
- The interlock system ignores an interlock mask under certain dangerous machine status. Example: interlock by-pass not allowed during certain plasma scenarios or coil current levels.
- Identification and label: interlock data shall be easily distinguishable, and labels shall permit the operator to be aware of the interlock classification of the monitoring data and controls displayed/accessible on HMIs.
- Confirmation step: a repeat confirmation step minimizes unintentional operator manual commands.
- Particular self-protection is developed during 'routine' operations such as unlatch or reset after an interlock function, to prevent any harm due to improper operator action. This is the reason why these operations are considered non-critical and thus may be performed from the CODAC network without jeopardizing the machine's integrity.
18
References
[RD1] MQP Policy for ITER Investment Protection (ITER_D_3VUMVW)
[RD2] ITER RAMI Analysis Program (ITER_D_28WBXD)
[RD3] Risk Management Plan (ITER_D_22F4LE)
[RD7] Template for RAMI Analysis Summary Reports (ITER_D_2N3SS9)
[RD9] IEC: Functional safety of E/E/PE safety-related systems
[RD10] IEC 61511: Functional safety – Safety instrumented systems for the process industry sector
[RD11] IEC: Hazards and Operability Studies – Application Guide
[RD12] IEC 60812: Analysis Techniques for System Reliability – Procedure for FMEA
[RD13] IEC: Requirements for security programmes for computer-based systems
[RD13] An STPA Primer -
19
Databases of Component Failure Rate
The following component failure rate databases can support the frequency estimation:
- INEEL/EXT: Selected component failure rate values from fusion safety assessment tasks.
- Fusion Component Failure Rate Database
- FEVE: This database collects data from European Air Liquide plants operated by the "Large Industry department" of the Air Liquide Group. Most of these plants are Air Separation Units (ASU). Data has been collected since 1994.
- OREDA 2002, 2009 (Offshore REliability DAta).
- EIReDA (European Industry Reliability Data Bank, 1998): The data bank comprises estimates of reliability parameters, failure rates and probabilities of failure, for equipment such as pumps, tanks, valves, motors, sensors, etc. Estimates were based on operation and failure data collected from 1978 to 1995 in nuclear power plants operated by Electricité de France.
- CCPS (Center for Chemical Process Safety): Guidelines for Process Equipment Reliability Data, 1989.
- IEEE (Institute of Electrical and Electronics Engineers) database.
- EXIDA database (
- IAEA-TECDOC-478: Component Reliability Data for Use in Probabilistic Safety Assessment
- IAEA-TECDOC-930: Generic Component Reliability Data for Research Reactor PSA
- SRS-332 Bellcore/Telcordia Reliability Prediction in Lambda Predict
20
System integrity assessment – 3IL
PFH (Probability of dangerous Failure per Hour) calculation. The operation mode of the CIS is considered as high demand mode.
21
Dependability: Availability, Reliability, Integrity, Security
23
3. All Together
If something is to do an important job, it needs to be reliable, and the more important the job, the more reliable it should be.
- Software
- Complex hardware
- Risk analysis
- Systematic failures: unlikely to be possible to claim conformity to a numeric value
- Greater rigor