Gain insights from an independent safety review of ESS Target Safety System by Safetech Engineering AB, focusing on system design, standards compliance, FMEA evaluation, and functionality assessment.
Safetech Engineering AB
Independent Safety Review of the ESS Target Safety System
Short presentation at ESS Lund, 2019-05-21
The Reviewer
• Anders Bengtson, Safetech Engineering AB
• More than 35 years of experience from the nuclear industry
• Design reconstitution projects: B1/B2, O2, R1 (BOKA/REDA)
• Safety upgrades: Oskarshamn 1, Ringhals 1
• Power upgrades: Oskarshamn 3
• SAR (Safety Analysis Report) upgrades: Ringhals 1
• No experience from ESS or similar plants
The Review
• A “nuclear power plant design view” of the TSS
• Reviewed documents:
  • TSS System Requirement Specification
  • TSS System Architecture Specification
  • TSS Classification Report
  • TSS Failure Modes and Effects Analysis (FMEA)
  • TSS Report of Failure Modes and Effects Analysis
  • Target Safety System Design Description – Solution
• Reviewed with respect to:
  • Strålsäkerhetsmyndigheten, Särskilda villkor till ESS-anläggningen i Lund (the Swedish Radiation Safety Authority's specific conditions for the ESS facility in Lund)
Result / Charge Questions
Are all TSS-relevant SSM conditions identified, or if not, which ones have been omitted? If any conditions were omitted, does the TSS meet part of the omitted conditions or not?
• All relevant SSM conditions are identified
• Some aspects of the SSM conditions are not explicitly stated in the Requirement Specification:
  • Possibility to verify that the TSS is in standby / ready to act when needed (driftklar) (C3)
  • Classification of equipment (C8)
  • Proven design (C13)
  • Functional separation between diverse functions (C21)
  • Physical and functional separation between safety and non-safety equipment (C23, C7)
Result / Charge Questions
Does the TSS design satisfy the SSM conditions, including SF, CCF, redundancy, diversity, functional separation and physical separation?
• Robust design, with good potential to fulfil the SSM conditions
• In some areas hard to judge:
  • No specification of where requirements are, or are planned to be, verified (traceability matrix or similar)
    • Such a matrix would make it easier to see whether the requirements are fully understood
  • Detailed solutions not reviewed
Result / Charge Questions
If the TSS does not satisfy the SSM conditions, including SF, CCF, redundancy, diversity, etc., then what is missing and what updates are recommended?
• Redundancy incl. single failure => verification not finalized
• Diversification => verification not finalized
• Severe H3 fire combined with a CCF => might be too conservative
• Limited physical separation in some areas => should be justified or improved
  • Channel A cabinet and Channel B/C cables/sensor in the same fire cell => if possible, move the cabinet or the fire cell border
• Functional separation between safety and non-safety => should be clarified or improved
Result / Charge Questions
Are the applied standards for the TSS, IEC 61226 and IEC 61513 (system design), relevant to fulfil the SSM conditions?
• Nuclear standards => OK
Are the applied standards for the TSS, IEC 61508/61511 (application software), relevant to fulfil the SSM conditions?
• Conventional industry standards
• Might be OK
• Justification needed
Result / Charge Questions
Is FMEA a relevant method, and is it correctly performed, to assess whether the TSS fulfils the conditions for SF and CCF?
• The analysis seems to be correct; the result is OK
• Unconventional (from a nuclear viewpoint)
• Complex
• In particular, not really suitable for analysis of internal events
Result / Charge Questions
Does the SDD-Sol document provide enough details to:
- Give an overall understanding of the TSS?
- Describe a system solution which is comparable to other safety solutions on nuclear power plants?
• Overall understanding => OK
  • Not all details were understood by the reviewer
• Comparable solution (2/3 design, fail-safe, etc.) => OK
  • Less detailed than a complete system design for an NPP
  • More ”space” for detail design => might lead to an additional review step
Result / Other observations
Definition of a safety function differs between ESS and an NPP
• ESS: five safety functions
  • Stop beam if low target wheel speed
  • Stop beam if low helium pressure
  • Stop beam if high monolith pressure
  • Stop beam if high helium temperature
  • Stop beam if low helium mass flow
• Would have been one safety function in an NPP
  • Stop beam, actuated by five different parameters
• Might lead to confusion in discussions with SSM
Result / Other observations
Manual safety initiation
• Classified Cat 3 / EICPB (Cat B according to IEC 61226) for the TSS
• Similar functions in NPPs are classified Cat A according to IEC 61226 (or 1E)
• SSM probably expects the function to be classified Cat 1 / EICPA
  • Based on statements from SSM
Classification
• The functional classification should be broken down to equipment level
  • Important for isolation devices
Result / Other observations
System Architecture
• The presented architectural design can be improved without changing the design
• Now:
  • Three physically and functionally separated channels, including functional diversity
  • One relay train, functionally separated and diversified from
  • One PLC train
• Can be:
  • Three physically and functionally separated channels, including functional diversity
  • Two physically and functionally separated relay trains including actuators, completed with
  • One PLC train, functionally separated and diversified from the relay trains
Result / Other observations
Classification of the PLC train
• With the new way to present the System Architecture it is obvious that the PLC train is only needed to cope with CCF in the relay train
• Possibility to downgrade the safety class of the PLC train
  • Easier to qualify / easier to justify the use of conventional standards
PLC train solution
• Single PLC and fail-safe
  • Might be sensitive to spurious trips => low availability of the plant
• Fail-safe can be changed to active signals
  • PLC train only needed to cope with CCF on the relay train
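To make the spurious-trip observation concrete, here is an added example (not code from the review, from ESS or from the TSS) that models the five beam-stop functions as one fail-safe channel permit and compares a 2-out-of-3 vote, as in the relay-train channels, with a single 1-out-of-1 fail-safe train. All limits, units and readings are constructed placeholders, and the single train is assumed to see channel A's data.

```python
# Trip limits for the five TSS safety functions named on the slides.
# Numeric values and units are constructed placeholders, not ESS setpoints.
LIMITS = {
    "target_wheel_speed": ("low", 20.0),    # stop beam if speed falls below
    "helium_pressure":    ("low", 8.0),     # stop beam if pressure falls below
    "monolith_pressure":  ("high", 1.2),    # stop beam if pressure rises above
    "helium_temperature": ("high", 300.0),  # stop beam if temperature rises above
    "helium_mass_flow":   ("low", 2.5),     # stop beam if mass flow falls below
}

def channel_permit(readings: dict) -> bool:
    """One channel's fail-safe 'beam permitted' output (energised = True).

    Any parameter beyond its limit withdraws the permit. A missing reading
    (None, i.e. lost signal or failed sensor) also withdraws it: in a
    de-energise-to-trip design a lost signal must be read as a trip demand.
    """
    for name, (kind, limit) in LIMITS.items():
        value = readings.get(name)
        if value is None:
            return False
        if kind == "low" and value < limit:
            return False
        if kind == "high" and value > limit:
            return False
    return True

def stop_beam_2oo3(channels: list) -> bool:
    """2-out-of-3 vote over three channels: the beam stops when at least two
    channels withdraw their permit, so one failed channel is tolerated."""
    withdrawn = sum(1 for ch in channels if not channel_permit(ch))
    return withdrawn >= 2

def stop_beam_1oo1(readings: dict) -> bool:
    """Single fail-safe train (1-out-of-1): any withdrawn permit, including
    one caused only by a lost signal, stops the beam (spurious trip)."""
    return not channel_permit(readings)

# Constructed sample: all five parameters inside their limits.
NORMAL = {"target_wheel_speed": 25.0, "helium_pressure": 10.0,
          "monolith_pressure": 1.0, "helium_temperature": 250.0,
          "helium_mass_flow": 3.0}

def compare(channels: list) -> dict:
    """Evaluate the same three channel readings under both voting schemes.
    Assumption for the example: the single PLC train sees channel A's data."""
    return {"2oo3": stop_beam_2oo3(channels), "1oo1": stop_beam_1oo1(channels[0])}
```

A lost wheel-speed signal on one channel leaves the 2oo3 vote untripped but stops the beam through the single fail-safe train, which is the availability concern raised on the slide.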
Result / Other observations
Safety-classified disconnection of non-safety-classified power supply
• The classification of the equipment that disconnects the power should be clarified
• The border between safety and non-safety should be clarified
Non-safety-classified power supply of safety-classified equipment (not included in the review report)
• The principles should be described in the documents
• Isolation devices need to be defined
• Safety equipment must be protected against disturbances from non-safety equipment