
1 PLC Workshop at ITER, 4-5th of December 2014, A. Nordt, ESS, Lund/Sweden


2 INTRODUCTION
How to define an appropriate integrity level for a protection function, how to implement it, and how to make sure it is fulfilled?
Good question(s), but quite hard to answer. Define a context first:
- Focus here on accelerators or Accelerator Driven Facilities (ADF)
- Focus on "Machine Protection (System(s))"
- Separate from safety systems like the access safety system

3 MACHINE PROTECTION SYSTEM(S)
- Some accelerators operate at very high energy or at very high power; an uncontrolled release of such a beam can lead to serious damage of equipment and to long downtime.
- Typical mitigation: specific sensors (like beam loss monitors) connected to a beam interlock system (BIS) that is able to trigger a beam stop via actuator systems (beam dump system, choppers, beam source).
- Usually this is what we call a machine protection system (MPS).
[Diagram: Beam Source -> Beam -> Target; Monitor -> Beam Interlock System -> X (beam stop) -> Beam Source]

4 IEC61508
- Tendency to use the IEC61508 standard as a guideline for designing systems relevant for machine protection, especially the BIS and the actuators (CERN, ITER, ESS, JLAB, PSI, etc.)
- Why IEC61508?
  - Systematic approach (provides structure)
  - Lifecycle model
  - Estimation of the probability of dangerous/random hardware failures
- Following this standard helps to gain confidence in the systems involved in removing beam from the machine before an uncontrolled release (leading to equipment damage) can happen.

5 APPLYING IEC61508 IN THEORY
- Machine protection for ADF is concerned with the uncontrolled release of beam power or beam energy (the hazard).
- Following the standard requires performing a hazard and risk analysis, evaluating all foreseeable events leading to "bad beam parameters" and thus possibly to (beam-induced) damage of equipment.
- How to perform such a risk analysis?

6 EXAMPLE FOR RISK IDENTIFICATION
Scope:
- Identify risks/hazards of machine protection related systems and the related Integrity Level
- Identify mitigation methods for at least all identified (catastrophic) events
Probability:
- Frequent: at least once a year
- Probable: once between 1 and 10 years
- Rare: once between 10 and 100 years
- Exceptional: not in 100 years
Severity (production losses per year / property losses):
- Catastrophic: ≤1 year / ≤50 MEUR
- Major: <2 months / <8 MEUR
- Moderate: <1 week / <1 MEUR
- Insignificant: <1 day / <150 kEUR
[Risk matrix: probability (rows) against severity (columns); each cell carries a consequence ranking from 1 (lowest) to 6 (highest)]

7 DEFINITION OF PROTECTION FUNCTIONS
[Diagram: Protection Function #i, implemented through the Beam Interlock System (FPGA or PLC based technology)]

8 DEFINITION OF INTEGRITY LEVELS
The Integrity Level sets requirements on random hardware failure rates, diagnostic coverage and fault tolerance for the entire protection function, and on the techniques and measures used to minimise the propensity for systematic failures. The higher the SIL, the more stringent the requirements.
Integrity Level for high demand / continuous mode of operation; PFH: probability of (dangerous) failure per hour.
[Table: Integrity Level (IL) | PFH of Protection Function | PFH of BIS]
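The risk ranking of slide 6 and the PFH bands of slide 8 fit together as one small calculation: rank the unmitigated event, derive the integrity level the protection function must reach, and check that the sensor, BIS logic and actuator together stay inside the PFH budget of that level. The Python below is an added illustration, not code from the presentation or from ESS. The probability and severity classes are those of slide 6 and the PFH bands are those of IEC 61508-1 Table 3 for high demand / continuous mode; the 4x4 ranking matrix, the mapping from ranking to integrity level, the subsystem names and every subsystem PFH figure are assumptions made for the example.

```python
"""Risk ranking -> required integrity level -> PFH budget check.

Added illustration, not code from the presentation or from ESS.
The probability and severity scales follow slide 6; the ranking matrix,
the ranking->IL mapping and all subsystem PFH figures are ASSUMPTIONS.
"""
from dataclasses import dataclass

# Probability classes (slide 6): index 0 = most frequent.
PROBABILITY = {
    "frequent": 0,     # at least once a year
    "probable": 1,     # once between 1 and 10 years
    "rare": 2,         # once between 10 and 100 years
    "exceptional": 3,  # not within 100 years
}

# Severity classes (slide 6): index 0 = least severe.
SEVERITY = {
    "insignificant": 0,  # < 1 day downtime,  < 150 kEUR
    "moderate": 1,       # < 1 week,          < 1 MEUR
    "major": 2,          # < 2 months,        < 8 MEUR
    "catastrophic": 3,   # <= 1 year,         <= 50 MEUR
}

# ASSUMED consequence-ranking matrix: rows = probability, columns = severity.
# 1 = lowest ranking, 6 = highest (the slide's cells run from 1 to 6).
RANKING = [
    [3, 4, 5, 6],  # frequent
    [2, 3, 4, 5],  # probable
    [1, 2, 3, 4],  # rare
    [1, 1, 2, 3],  # exceptional
]

# ASSUMED mapping from consequence ranking to required integrity level;
# 0 means no integrity-level requirement on the protection function.
IL_FOR_RANKING = {6: 3, 5: 2, 4: 1, 3: 0, 2: 0, 1: 0}

# IEC 61508-1 Table 3, high demand / continuous mode: target failure measure
# per hour (PFH) as (lower bound inclusive, upper bound exclusive) for SIL 1..4.
PFH_BANDS = {
    4: (1e-9, 1e-8),
    3: (1e-8, 1e-7),
    2: (1e-7, 1e-6),
    1: (1e-6, 1e-5),
}


def consequence_ranking(probability: str, severity: str) -> int:
    """Look up the unmitigated event in the risk matrix."""
    return RANKING[PROBABILITY[probability]][SEVERITY[severity]]


def required_il(probability: str, severity: str) -> int:
    """Integrity level the protection function must reach for this event."""
    return IL_FOR_RANKING[consequence_ranking(probability, severity)]


def pfh_budget(il: int) -> float:
    """Maximum PFH the whole protection function may have at level il."""
    return PFH_BANDS[il][1]


def achieved_il(pfh: float) -> int:
    """Highest SIL whose band the achieved PFH satisfies; 0 if worse than SIL 1."""
    for sil in (4, 3, 2, 1):
        if pfh < PFH_BANDS[sil][1]:
            return sil
    return 0


@dataclass
class Subsystem:
    name: str   # e.g. beam loss monitor, BIS logic, beam dump
    pfh: float  # dangerous failures per hour (ASSUMED figures in the demo)


def function_pfh(chain: list) -> float:
    """Sensor, BIS logic and actuator act in series: the protection function
    fails dangerously if any element does, so the element PFHs are summed
    (the allocation rule of IEC 61508-2)."""
    return sum(s.pfh for s in chain)


def check_protection_function(chain: list, probability: str, severity: str) -> dict:
    """Derive the required IL from the risk matrix and test the chain against
    its PFH budget. 'bis_share' is the fraction of the budget consumed by the
    BIS alone, the quantity slide 8 sets beside the whole-function PFH."""
    il = required_il(probability, severity)
    budget = pfh_budget(il) if il else float("inf")
    total = function_pfh(chain)
    bis = next((s.pfh for s in chain if s.name == "BIS"), 0.0)
    return {
        "required_il": il,
        "pfh_budget": budget,
        "pfh_achieved": total,
        "achieved_il": achieved_il(total),
        "bis_share": bis / budget if il else 0.0,
        "ok": total < budget,
    }


if __name__ == "__main__":
    # Constructed scenario: uncontrolled full-power beam on a machine element,
    # expected between once a year and once a decade, catastrophic if it hits.
    chain = [
        Subsystem("BLM", 3e-7),   # assumed
        Subsystem("BIS", 1e-7),   # assumed
        Subsystem("DUMP", 4e-7),  # assumed
    ]
    print(check_protection_function(chain, "probable", "catastrophic"))
```

Meeting the PFH budget is necessary but not sufficient: the same slide also names diagnostic coverage and fault tolerance, and IEC 61508-2 imposes architectural constraints (hardware fault tolerance and safe failure fraction) per subsystem that a pure PFH sum does not capture. The example also makes visible what slide 8 hints at, namely that the BIS only receives a share of the function budget, with the rest consumed by the monitor and the actuator.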

9 APPLYING IEC61508 IN PRACTICE
Sometimes this can be very (even extremely) difficult. Reasons are:
- Lack of manpower
- Lack of money
- Lack of awareness
- Lack of willingness
- Suffering from tunnel vision: "this always worked at xx and therefore it should work for yy just the same way", or: "My system never fails, and even if it did, such a failure is not relevant for your machine protection"
- Lack of support from upper management
- Not being a "REAL" safety system (prioritization)

10 APPLYING IEC61508 IN PRACTICE
Must haves (in my opinion):
- Different layers of protection (don't attribute all of the protection to one function).
- Upper management must be aware of machine protection (especially in research facilities, where very complex and unique machines are operated and where a major accident may be the end of a project).
- Management must support and assure the efforts required to implement and maintain a proper level of machine protection facility-wide (MP is not just building a BIS).

11 APPLYING IEC61508 IN PRACTICE
Must haves (cont.):
- Set up a working group: constant communication is a key parameter for success.
- Set up a "machine protection committee" or "machine protection panel" empowered to take major decisions (involve representatives from the whole facility).
- Work hard to put a safety/protection culture in place.

12 SUMMARY AND CONCLUSIONS
- There is no clear and single way to define an integrity level for a protection function.
- IEC61508 is a useful guideline, but it covers software only thinly and is rather poor in providing guidelines for verification, etc.
- The principle of an integrity level is a tool and should be used only in the proper context.
- It is not enough to just hand a requirement on an integrity level over to the system owner (make sure they understand it).
- Key ingredients needed to define an appropriate integrity level for a protection function: communication, flexibility and awareness.
- Very important: safety/protection culture.

