Implementation Plan For ISA 84 (Safety
Instrumented Systems)
Manual
Document
Page
Issue Date
Management Plan
TFC-PLN-138, REV B-1
1 of 21
January 11, 2018
Ownership matrix
RPP-27195
TABLE OF CONTENTS
1.0 PURPOSE AND SCOPE ........ 2
2.0 PROGRAM PLAN ........ 2
2.1 Objective ........ 2
2.2 ISA 84 Overview ........ 2
2.3 Clause by Clause Summary of ISA 84 ........ 3
3.0 DEFINITIONS ........ 8
4.0 SOURCES ........ 10
4.1 Requirements ........ 10
4.2 References ........ 10
TABLE OF TABLES
Table 1. WRPS SIS Life Cycle Implementing ISA 84 Clause 8 Through 18. ........ 13
Table 2. WRPS Policies, Plans and Procedures that Conform to Clause 5 through 7 and 19 Objectives. ........ 14
Table 3. WRPS SIS Safety Life Cycle Activities and Implementing Plans and Procedures. ........ 17
1.0 PURPOSE AND SCOPE
This management plan describes the integration and implementation of ANSI/ISA 84.00.01-2004,
Part 1 (IEC 61511-1 Mod), “Functional Safety: Safety Instrumented Systems for the Process
Industry Sector” (ISA 84), into the established WRPS processes for development of safety-related
controls in compliance with 10 CFR 830 Subparts A and B. ISA 84 specifies many requirements
that are consistent with the intent and application of the established processes that implement 10
CFR 830 Subparts A and B. Therefore, this plan establishes, through tabulated matrices, the
established plans, policies, and/or procedures that satisfy the objectives and effectively
implement the requirements specified in ISA 84. Unique elements of ISA 84 not covered by
previously established WRPS processes have been developed and appear as appropriate in the
matrices. A description of ISA 84 is provided in the text on a clause-by-clause basis, with a brief
description of the existing WRPS processes that meet the requirements of each clause.
Additionally, WRPS deviations from the stated requirements in ISA 84 will be identified in the
text of this plan.
This plan is applicable to Safety Instrumented Systems (SISs) as determined by the WRPS Process
Hazard Analysis Procedure, TFC-ENG-DESIGN-C-47. SISs are systems that (1) require
instrumented systems to fulfill the system safety function and (2) have a functional classification
of safety significant.
2.0 PROGRAM PLAN (4.1.1)
2.1 Objective
The objective of this plan is to implement ANSI/ISA-84.00.01-2004, Part 1 (ISA 84), through the
use of WRPS management systems and procedures developed in compliance with U.S.
Department of Energy (DOE) directives and contract requirements. This plan shall be applied to
the design, installation, testing, operation, modification, and decommissioning of Safety
Significant (SS) Safety Instrumented Systems. Where the WRPS implementation differs from the
stated requirements of ISA 84, this plan identifies the alternative means employed. Specific
clarifications, modifications, substitutions, additions, or deletions to the identified sections of
ISA 84 are included in this plan.
2.2 ISA 84 Overview
ISA 84 provides an extensive set of requirements for the specification, design, installation,
operation, and maintenance of an SIS. An SIS is an instrumented system, composed of any
combination of sensor(s), logic solver(s) and final element(s), used to implement one or more
safety instrumented functions (SIF). An operator response may also be part of the SIS. A SIF is
selected for potential process hazard(s) to place and/or maintain the process in a safe state in
response to a significant hazardous process condition. The ISA 84 standard relies on a controlled
process to ensure the SIS will perform the designated SIF(s) at a level that provides the necessary
degree of risk reduction for the safety function. The performance target for the SIS is defined as
a Safety Integrity Level (SIL) related to the SIF’s average probability of failure on demand
(PFDAVG).
The ISA 84 standard covers the entire SIS safety life cycle through a rigorous design and
controlled management process specified in Clauses numbered 1 through 19. Clauses 1 through 3
provide the administrative framework and definitions for the standard and do not contain
requirements. Clause 4 defines compliance with ISA 84, while Clauses 5 through 7 and 19 are
programmatic in nature and apply to all life cycle phases. Clauses 8 through 18 specify
requirements applicable to the various phases of the life cycle which will result in the design,
construction, testing, operations and maintenance of a SIS capable of performing its required
SIF(s) upon demand and maintained at its specified SIL.
Table 1 defines the SIS life cycle as a series of phases and identifies the major activities
performed in each phase to satisfy the objectives of Clauses 8 through 18. The WRPS SIS life
cycle phases are:
Initiation
Design
Construction, Testing and Commissioning
Validation
Operation & Maintenance, Modification, and Decommissioning.
Table 2 provides a matrix showing the WRPS plans and procedures that effectively implement
the programmatic requirements specified in Clauses 5 through 7 and 19. Table 3 expands the SIS
life cycle in compliance with Clause 6 by identifying the WRPS plans and procedures for each
phase along with the phase inputs and outputs.
Implementation of ISA 84 at WRPS is facilitated by the existing quality assurance and nuclear
safety infrastructure established to comply with DOE regulations specified in 10 CFR 830
Subparts A and B. This plan identifies, in Tables 1 through 3, the overarching plans and
procedures within that infrastructure that satisfy the objectives specified in Clauses 5 through 19.
Applying these plans and processes, along with subordinating procedures, to the SIS life cycle as
shown in this plan will represent compliance with ISA 84, Part 1 and conformance to Clause 4.
2.3 Clause by Clause Summary of ISA 84
The objectives of each ISA 84 Part 1 Clause are described below, with a general summary of the
WRPS processes that satisfy those objectives. Specific exceptions, clarifications, modifications,
substitutions, additions, or deletions to the requirements specified in ISA 84 are discussed in the
following summary on a clause-by-clause basis.
Clause 4 Conformance to this International Standard
This clause states: “To conform to this International Standard, it shall be shown that each of the
requirements outlined in Clauses 5 through 19 has been satisfied to the defined criteria and
therefore the clause objective(s) has (have) been met.” The policies, plans and procedures
identified in Table 2 show compliance with the objectives of the programmatic requirements
specified in Clauses 5 through 7 and 19, while the activities and associated plans and
procedures identified in Table 3 show compliance with Clauses 8 through 18. Applying the
processes identified in this plan to all phases of the SIS life cycle will show conformance to
ISA 84.
Clause 5 Management of Functional Safety
The objective of ISA 84 Clause 5 requirements is to identify the management activities necessary
to ensure the functional safety objectives are met. Requirements 5.2.1 through 5.2.5 are met
through policies, plans and procedures implementing the QA and Nuclear Safety program
requirements specified in 10 CFR 830, Subparts A and B. Clause 5 requirements pertaining to
functional safety assessments are met through multiple independent reviews and assessments
performed throughout the SIS life cycle phases leading to authorization of the Tank Farm
operations. This includes the Safety Basis amendment that adds the SIS as a credited safety
significant control, along with all supporting engineering technical reports and calculations. In
accordance with WRPS programs and procedures, an independent verification from an equally
qualified peer is required for the documentation that establishes the Safety Basis and all
supporting engineering documents (including calculations, technical reports, drawings,
engineering change notes, and specifications). This requirement extends to the Hazards Analysis,
Safety Requirements Evaluation Document, SIL verification calculation, and Functional Safety
Assessment Report performed to implement the SIS as a credited safety basis control, as well as
the Documented Safety Analysis (DSA) and Technical Safety Requirements (TSR) that establish
the Safety Basis. An ISA 84 SME, in accordance with TFC-ENG-DESIGN-P-43, verifies that all
safety, design and functional requirements needed to comply with ISA 84 are specified in the
final SRED and implemented in the design of the SIS, as evidenced in the design. TFC-ENG-
DESIGN-P-44 requires completion of a Functional Safety Assessment (FSA) Report, which provides
a record of verification to demonstrate that the SIS was properly developed and will be operated
and maintained in a manner that ensures it is capable of performing its SIF at the required SIL.
Table 2 provides a list of policies, plans and procedures that will implement the requirements of
Clause 5.
Clause 6 Safety Life Cycle Requirements
ISA 84, Clause 6, discusses the safety life cycle requirements. The safety life cycle structure is
defined in Table 1 as a series of phases with activities identified that implement specific ISA 84
Clauses. The SIS life cycle phases, activities, and corresponding plans and procedures, as well as
phase inputs and outputs, are specified in Table 3. WRPS processes that satisfy Clauses 5 through
7 and 19 are specified in Table 3. As shown in Table 2, implementation of this clause is achieved
by this Plan (TFC-PLN-138). This clause is applicable throughout all WRPS project phases.
Clause 7 Verification
ISA 84, Clause 7, provides the requirements to demonstrate by review, analysis, and/or testing
that the required outputs satisfy the defined requirements for the appropriate phases of the safety
life cycle. This clause is applicable throughout all WRPS project phases. WRPS satisfies the
objective of Clause 7 by conducting the various life cycle processes in accordance with written
procedures. Independent verifications are required for safety related processes. Assessments are
conducted to determine that processes have been conducted properly and that the desired output
of the process has been met. Design reviews, safety basis implementation checklists, test result
reviews and readiness assessments assure that an SIS is capable of performing its required SIF at
the required SIL prior to turnover to operations. Operations and maintenance phase verifications
come in the form of reviews of proof tests and inspections conducted in accordance with written
procedures. Table 2 provides a list of policies, plans and procedures that will implement the
requirements of Clause 7.
Clause 8 Process Hazard and Risk Assessment
ISA 84, Clause 8, provides the requirements to perform a hazard and risk assessment of the
process and its associated equipment. This clause is implemented by TFC-ENG-DESIGN-C-47.
Clause 9 Allocation of Safety Functions to Protection Layers
ISA 84, Clause 9, discusses the allocation of safety functions to protection layers, the
determination of required safety instrumented functions, and the associated safety integrity level.
This clause is implemented during the Control Decision Meeting SIS project phase, which is an
element of TFC-ENG-DESIGN-C-47.
The following clarifications are applicable to ISA 84, Clause 9:
It is assessed that ISA 84 sub-clause 9.3, which pertains to additional requirements for
safety integrity level 4, is not applicable to WRPS. The process hazard analysis
procedure (TFC-ENG-DESIGN-C-47) shows that the maximum safety integrity level
required for the applicable accident scenarios is SIL-2. Implementing the requirements
necessary to achieve and maintain a SIL-4 SS SIS is not considered cost-effective.
ISA 84, Sub-Clause 9.4, states that the basic process control system (BPCS) may be
identified as a protection layer with a risk reduction factor of less than 10. In accordance
with TFC-ENG-DESIGN-C-47, independent protection layers (IPL) at WRPS need to be
safety-class or safety-significant systems, structures, and components (SSC), specific
administrative controls (SAC), or Administrative Control (AC) Key Elements. Any use
of the BPCS as an IPL needs to conform to these requirements as well as ISA 84, Sub-Clause
9.4.
Clause 10 SIS Safety Requirements Specification
ISA 84, Clause 10, identifies the requirements needed to design a SIS to enable it to perform its
specified safety instrumented function. TFC-ENG-DESIGN-P-43 is implemented to satisfy this
requirement. A Safety Requirements Evaluation Document (SRED) will be produced in
accordance with this procedure. Development of the SRED requires performance of a Failure
Modes and Effects Analysis (FMEA) for the components of the conceptual design, a SIL scoping
calculation, and determination of appropriate proof test methods. Each of these processes is
repeated as necessary as the design matures. Table 3 provides a list of policies, plans and
procedures that will implement the requirements of Clause 10.
Clause 11 SIS Design and Engineering
ISA 84, Clause 11, provides the requirements for the design of one or multiple SISs to provide
the safety instrumented function(s) and meet the specified safety integrity level(s). The SIS
design will be in accordance with the design requirements specified in the SRED as developed in
accordance with Clause 10 taking into account the requirements and limitations included in
Clause 11. The output of the design process will be the engineering documents and drawings
developed in accordance with WRPS design processes and procedures (TFC-PLN-03 and TFC-
PLN-136). WRPS design processes flow down from the QA requirements specified in TFC-
PLN-02. Table 3 provides a list of policies, plans and procedures that will implement the
requirements of Clause 11.
The following clarifications are applicable to ISA 84, Clause 11:
TFC-ENG-DESIGN-P-43, General Requirement 4.c, modifies
ISA 84, Sub-Clause 11.2.4, which requires that the SS SIS use separate sensors, logic
solvers and final elements from the non-safety BPCS. For existing WRPS facilities and
other applications where compliance is cost prohibitive, a deviation may be approved by
the Chief Engineer and Project Manager after performance of a detailed analysis to show
that a dangerous failure rate of the shared component is sufficiently low.
ISA 84, Sub-Clause 11.2.6, will be interpreted as: “Operator action to bring the facility
or process system to a safe state as the result of a process system alarm or indication may
be considered a component of the SIS if there is sufficient time for the operator to
respond to the alarm or indication, and such action can be justified by operator
qualification and training.”
ISA 84, Sub-Clause 11.2.11, pertains to the design requirements for subsystems that do
not fail to the safe state on loss of power. In addition to loss of electrical power, this sub-
clause is interpreted to include any loss of external motive force (e.g., instrument air) that
is required to complete the SIF and does not fail a system or subsystem to a safe state.
These systems or subsystems should be assessed for detection of the loss of motive force
and/or the provision of backup systems. The requirement to address the loss of all types
of motive force, not just the inferred electrical power, is necessary where motive forces
such as instrument air or pneumatics are required to complete the SIF.
TFC-ENG-DESIGN-P-43 places restrictions on the use of ISA 84 Sub-Clauses 11.4.5
(Alternate Fault Tolerance) and 11.5.3 (Prior Use). Application of these clauses requires
approval by the Chief Engineer and Project Engineer.
ISA 84, Sub-Clause 11.5.2.1, which describes the requirements for selecting components
and subsystems for use in SIS applications, is modified for WRPS applications to also
include the option that components and subsystems may be approved for use in
accordance with the Commercial Grade Dedication procedure TFC-ENG-DESIGN-C-15.
A SIL Verification Calculation shall be performed in accordance with TFC-ENG-
DESIGN-P-43 to ensure the final design meets the SIL (including target average
probability of failure on demand, risk reduction or frequency of dangerous failures to
perform the safety instrumented function) and/or hardware fault tolerance requirements
specified in the Safety Requirements Evaluation Document. The SIL Verification
Calculation will satisfy the requirements of ISA 84, Sub-Clause 11.9.
ISA 84, Sub-Clause 11.9.1, is modified by TFC-ENG-DESIGN-P-43 to provide specific
minimum target average probability of failure on demand values for demand mode SIFs
and minimum target frequency of dangerous failure values for continuous mode SIFs:
SIL   Mode         Target
1     Demand       PFDAVG ≤ 2×10^-2 (Risk reduction ≥ 50)
2     Demand       PFDAVG ≤ 2×10^-3 (Risk reduction ≥ 500)
1     Continuous   Dangerous Failures ≤ 2×10^-6
2     Continuous   Dangerous Failures ≤ 2×10^-7
For existing facilities and other applications where compliance is cost prohibitive, a
deviation may be approved by the Chief Engineer and Project Manager with justification
of why the chosen target value is acceptable.
An analysis of the final design, including a design compliance assessment to verify all
design requirements in ISA 84, Clause 11, have been met, shall be performed in
accordance with TFC-ENG-DESIGN-P-43.
A Safety Requirements Evaluation Document shall be produced in accordance with
TFC-ENG-DESIGN-P-43 to document the final design FMEA and SIL Verification, and to
provide final safety design requirements and controls.
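As an added example (not part of TFC-PLN-138 or any WRPS procedure), the following Python compares a SIF's achieved figure with the WRPS target values tabulated above for demand mode and continuous mode SIFs and reports the highest SIL target met. The 1oo1 PFDavg approximation, the sample dangerous failure rate and the annual proof-test interval are assumptions for illustration, not values from the plan.

```python
"""Check a SIF's achieved performance against the WRPS SIL targets.

Added example, not part of TFC-PLN-138. The target values are those the plan
lists for ISA 84 Sub-Clause 11.9.1 as modified by TFC-ENG-DESIGN-P-43. The
PFDavg approximation below is the common first-order 1oo1 simplification and
is an assumption here; the plan does not specify how PFDavg is calculated.
"""
from dataclasses import dataclass

# Demand mode: PFDavg must be <= target (equivalently, risk reduction >= 1/target).
DEMAND_PFDAVG_TARGET = {1: 2e-2, 2: 2e-3}
DEMAND_RRF_TARGET = {1: 50, 2: 500}
# Continuous mode: frequency of dangerous failures must be <= target. The plan
# states no unit for these values; compare them in the unit the SIL
# verification calculation uses.
CONTINUOUS_FAILURE_TARGET = {1: 2e-6, 2: 2e-7}

# Per the Clause 9 clarification, the maximum SIL required at WRPS is SIL-2,
# so only the SIL 1 and SIL 2 targets are tabulated.
SUPPORTED_SILS = (1, 2)


def pfdavg_1oo1(lambda_du_per_hour: float, proof_test_interval_hours: float) -> float:
    """Simplified single-channel (1oo1) PFDavg estimate.

    Assumption (not from the plan): PFDavg ~= lambda_DU * TI / 2 for an element
    that is periodically proof tested, ignoring diagnostics, repair time and
    common-cause terms. A real SIL verification uses the full model.
    """
    if lambda_du_per_hour < 0 or proof_test_interval_hours <= 0:
        raise ValueError("failure rate must be >= 0 and test interval > 0")
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


def risk_reduction_factor(pfdavg: float) -> float:
    """RRF = 1 / PFDavg, the second form the plan's table gives for demand mode."""
    if pfdavg <= 0:
        raise ValueError("PFDavg must be > 0")
    return 1.0 / pfdavg


def _table_for(mode: str) -> dict:
    if mode == "demand":
        return DEMAND_PFDAVG_TARGET
    if mode == "continuous":
        return CONTINUOUS_FAILURE_TARGET
    raise ValueError(f"unknown SIF mode: {mode!r}")


def best_sil_met(mode: str, achieved: float) -> int:
    """Highest tabulated SIL whose WRPS target the achieved value satisfies (0 if none)."""
    table = _table_for(mode)
    met = [sil for sil in SUPPORTED_SILS if achieved <= table[sil]]
    return max(met) if met else 0


@dataclass
class SifCheck:
    name: str
    target_sil: int
    mode: str             # "demand" or "continuous"
    achieved: float       # PFDavg (demand) or dangerous failure frequency (continuous)
    target: float
    meets_target: bool
    highest_sil_met: int  # 0 when not even the SIL 1 target is met


def check_sif(name: str, target_sil: int, mode: str, achieved: float) -> SifCheck:
    """Compare a SIF's achieved value with the WRPS target for its SIL and mode.

    This covers only the probabilistic part of the SIL Verification Calculation;
    the hardware fault tolerance requirement the plan also cites must be
    checked separately.
    """
    if target_sil not in SUPPORTED_SILS:
        raise ValueError(f"SIL {target_sil} is outside the SILs tabulated for WRPS")
    target = _table_for(mode)[target_sil]
    return SifCheck(
        name=name, target_sil=target_sil, mode=mode, achieved=achieved,
        target=target, meets_target=achieved <= target,
        highest_sil_met=best_sil_met(mode, achieved),
    )


if __name__ == "__main__":
    # Constructed sample: a single-channel trip with an assumed lambda_DU of
    # 1e-6 per hour, proof tested annually (8760 h). PFDavg comes out at
    # 4.38e-3, which meets the SIL 1 target but not the SIL 2 target.
    pfd = pfdavg_1oo1(1e-6, 8760)
    result = check_sif("constructed high-level trip", 2, "demand", pfd)
    print(f"PFDavg={pfd:.2e} RRF={risk_reduction_factor(pfd):.0f} "
          f"meets SIL {result.target_sil} target: {result.meets_target} "
          f"(highest SIL met: {result.highest_sil_met})")
```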
Clause 12 Requirements for Application Software, Including Selection Criteria for Utility
Software
ISA 84, Clause 12, provides the requirements for software used in SIS applications. Application
software developed as part of the SIS will be produced in accordance with TFC-ENG-DESIGN-
P-12. Embedded software, i.e., firmware embedded in sensors, logic solvers, and final elements
that is integral to the performance of the safety function of the SIS, is controlled in
accordance with directions provided in TFC-ENG-DESIGN-P-43. Table 3 provides a list of
policies, plans and procedures that will implement the requirements of Clause 12.
Clause 13 Factory Acceptance Testing (FAT)
ISA 84, Clause 13, recommends a factory acceptance test (FAT) of the logic solver and
associated software together to ensure it satisfies the requirements defined in the safety
requirements specification. While ISA 84, Clause 13, is a recommendation, it is WRPS policy
that all programmable electronic logic solvers shall have a FAT prior to release for service. The
need for a FAT should be specified during the design phase of a project with specific direction
provided by the SIS Implementation Plan.
Clause 14 SIS Installation and Commissioning
ISA 84, Clause 14, provides the requirements to install the SIS according to the specifications and
drawings, and to commission the SIS so that it is ready for final system validation. SIS installation
and commissioning will be done in accordance with the Project Execution Plan, TFC-PLN-84,
and the Engineering Change Control Process, TFC-ENG-DESIGN-C-06. SIS construction,
construction acceptance testing, and turnover will be performed in accordance with construction
project management procedures. Startup testing will be conducted in accordance with a Test
Program Plan reviewed and approved by the Joint Test Review Committee. Commissioning will
be conducted in accordance with TFC-PLN-72, Project and Facility Turnover Program Plan.
Table 3 provides a list of policies, plans and procedures that will implement the requirements of
Clause 14.
Clause 15 SIS Safety Validation
ISA 84, Clause 15, provides the requirements to validate, through inspection and testing, that the
installed and commissioned SIS and its associated SIFs meet the requirements stated in the safety
requirements specifications. WRPS will comply with validation requirements by assessment of
outputs from the previous phases prior to commencement of the operation and maintenance
phase. The activities include completion of a Functional Safety Assessment datasheet, in
accordance with TFC-ENG-DESIGN-P-44, that provides a record of verification to demonstrate
that the SIS was properly developed and will be operated and maintained in a manner that ensures
it is capable of performing its SIF at the required SIL. Operational and/or management readiness
review assessments will be conducted in accordance with a plan developed in accordance with the
WRPS Readiness Review Program Plan. These assessments will ensure the facility and SIS are
ready to commence operations based on review of equipment, personnel and procedures. Table 3
provides a list of policies, plans and procedures that will implement the requirements of Clause
15.
Clause 16 SIS Operation and Maintenance
ISA 84, Clause 16, addresses the operation and maintenance of the SIS to ensure that the required
SIL and designed functional safety are maintained. Upon turnover to operations, the SIS will be
maintained and operated in accordance with TFC-OPS-OPER-C-01, through implementation of
WRPS operations and maintenance procedures. As a safety significant control, a SIS will be
maintained in an operable state, i.e., capable of performing its safety function, at any time the
hazards for which it has been designed are present. The operability requirements will be included
in the Technical Safety Requirements (TSR) for the facility and the SIS fully described in the
Documented Safety Analysis (DSA). Proof testing requirements will be in the form of
surveillance requirements specified in the TSR. Maintenance of the SIS will be in accordance
with TFC-PLN-29, Nuclear Maintenance Management Program. Table 3 provides a list of
policies, plans and procedures that will implement the requirements of Clause 16.
Clause 17 SIS Modification
ISA 84, Clause 17, provides the requirements to ensure that modifications to any SIS are properly
planned, reviewed, and approved prior to making the change, and that the required SIL is
maintained. SIS modifications will be performed in accordance with the Engineering Change
Control, TFC-ENG-DESIGN-C-06. An unreviewed safety question determination in accordance
with TFC-ENG-SB-C-03 will assess the impact of the modification on the capability of the SIS to
perform its SIF. Configuration control will be maintained in accordance with TFC-PLN-23 while
activities from other phases (initiation, design, construction, etc.) are implemented as necessary to
ensure that the modified SIS will perform its required SIF and maintain its required SIL. Table 3
provides a list of policies, plans and procedures that will implement the requirements of Clause
17.
Clause 18 SIS Decommissioning
ISA 84, Clause 18, ensures that safe conditions are maintained during and after the
decommissioning of an SIS. The SIS will only be decommissioned if another control has been
implemented that performs the required SIF or if the hazard for which the SIS is designed is no
longer present. The USQ process, engineering change control and configuration management
processes will satisfy the objective of Clause 18. Table 3 provides a list of policies, plans and
procedures that will implement the requirements of Clause 18.
Clause 19 Information and Documentation Requirements
ISA 84, Clause 19, requires that information be available and documented to ensure that all
phases of the safety life cycle may be effectively performed, including the verification, validation,
and functional safety assessment activities. This requirement is primarily met through
implementation of TFC-PLN-17. Table 2 provides a list of policies, plans and procedures that
will implement the requirements of Clause 19.
3.0 DEFINITIONS
Acceptance Test. Inspections and tests performed to validate that the installed and commissioned
safety instrumented system and the associated safety instrumented functions achieve the
requirements stated in the safety requirement specification.
Basic Process Control System (BPCS). A system that responds to input signals from the process,
its associated equipment, other programmable systems and/or an operator, and generates output
signals causing the process and its associated equipment to operate in the desired manner. The
BPCS does not perform any safety instrumented functions.
Failure Modes and Effects Analysis (FMEA). A failure modes and effects analysis tabulates
failure modes of equipment and their effects on a system or plant. The failure mode describes
how equipment fails (open, closed, on, off, leaks, etc.). The effect of the failure mode is
determined by the system’s response to the equipment failure. An FMEA is well suited to
identify single failure modes of automated system functions that either directly result in or
contribute significantly to an accident.
Independent Protection Layer (IPL). An IPL is an independent mechanism that reduces risk by
control, mitigation, or prevention. IPLs may include but are not limited to: (1) design features
such as siting, containment, confinement and shielding, (2) administrative controls that restrict
deviations from safe operations through operating procedures or limiting conditions of operation,
(3) mechanical or process systems, and (4) an SS SIS.
Phase. A phase is the period within the safety life cycle where the described activities take place.
Probability of Failure on Demand (PFD). A value that indicates the probability of a system
failing to respond to a demand. The average probability of a system failing to respond to a
demand in a specified time interval is referred to as PFDAVG.
Process Hazards Analysis (PrHA). The detailed examination of a process in order to identify and
characterize any hazards associated with the process.
Safety Instrumented Function (SIF). Safety function with a specified safety integrity level which
is necessary to achieve functional safety and which can be either a safety instrumented protection
function or a safety instrumented control function.
Safety Instrumented System (SIS). An instrumented system that may include sensors, logic
solvers, and final control elements used to implement one or more safety functions. Operator
actions directed by a Limiting Condition of Operation (LCO) action statement or actions in a
SAC may also be considered to be part of an SIS. See below for an example of SIS architecture.
Notes:
1) SIFs can include either safety instrumented control functions or safety instrumented
protection functions or both.
2) A SIS may or may not include software.
3) When a human action is a part of an SIS, the availability and reliability of the operator
action must be specified in the SRS and included in performance calculations for the SIS.
Safety Integrity Level (SIL). Discrete level (one out of four) for specifying the safety integrity
requirements of the SIFs to be allocated to the SIS. SIL 4 has the highest level and SIL 1 has the
lowest.
Safety Life Cycle. Necessary activities involved in the implementation of SIFs occurring during
a period of time that starts at the concept phase of a project and finishes when all of the SIFs are
no longer available for use.
Safety Requirements Specification (SRS). A specification that contains all the requirements of
the SIF that have to be performed by the SIS.
4.0 SOURCES
4.1 Requirements
1. ANSI/ISA-84.00.01-2004 series, “Functional Safety: Safety Instrumented Systems for
the Process Industry Sector.”
4.2 References
1. TFC-BSM-CP_CPR-C-05, “Procurement of Services.”
2. TFC-BSM-CP_CPR-C-06, “Procurement of Items (Materials).”
3. TFC-BSM-IRM_STD-11, “Incident Management and Corrective Action Standard.”
4. TFC-CHARTER-33, “Safety Basis Change Review Board.”
5. TFC-CHARTER-43, “Integrated Project Review Team (IRPT).”
6. TFC-ENG-ADMIN-D-07, “Engineering Assessments.”
7. TFC-ENG-DESIGN-C-06, “Engineering Change Control.”
8. TFC-ENG-DESIGN-C-15, “Commercial Grade Dedication.”
9. TFC-ENG-DESIGN-C-25, “Technical Document Control.”
10. TFC-ENG-DESIGN-C-35, “Process Hazard Analysis Determination and Technique
Screening.”
11. TFC-ENG-DESIGN-C-47, “Process Hazard Analysis.”
12. TFC-ENG-DESIGN-C-52, “Technical Reviews.”
13. TFC-ENG-DESIGN-C-56, “Modification Traveler.”
14. TFC-ENG-DESIGN-P-12, “Plant Installed Software.”
15. TFC-ENG-DESIGN-P-17, “Design Verification.”
16. TFC-ENG-DESIGN-P-43, “Control Development Process for Safety-Significant Safety
Instrumented Systems.”
17. TFC-ENG-DESIGN-P-44, “Safety Instrumented System Functional Safety &
Performance Assessment Process.”
18. TFC-ENG-FACSUP-P-01, “TOC System Engineer Program.”
19. TFC-ENG-SB-C-01, “Safety Basis Issuance and Maintenance.”
20. TFC-ENG-SB-C-03, “Unreviewed Safety Question Process.”
21. TFC-ESHQ-AP-C-02, “Independent Assessments/Audits.”
22. TFC-ESHQ-Q_ADM-C-09, “Supplier Quality Assurance Program Evaluation.”
23. TFC-ESHQ-Q_C-C-01, “Problem Evaluation Request.”
24. TFC-OPS-OPER-C-01, “Technical Safety Requirement Compliance.”
25. TFC-OPS-OPER-C-02, “Safety Basis Implementation Checklist Preparation, Review,
and Approval.”
26. TFC-OPS-OPER-C-24, “Occurrence Reporting.”
27. TFC-OPS-OPER-C-34, “Independent Verification.”
28. TFC-PLN-02, “Quality Assurance Program Description.”
29. TFC-PLN-03, “Engineering Program Management Plan.”
30. TFC-PLN-05, “Conduct of Operations Implementation Plan.”
31. TFC-PLN-10, “Assessment Program Plan.”
32. TFC-PLN-16, “Operational Readiness Program Plan.”
33. TFC-PLN-17, “Information Resource Management Operational Services Program Description.”
34. TFC-PLN-23, “Configuration Management Plan.”
35. TFC-PLN-26, “Test Program Plan.”
36. TFC-PLN-29, “Nuclear Maintenance Management Program.”
37. TFC-PLN-61, “Tank Operations Contractor Training and Qualification Program.”
38. TFC-PLN-72, “Project and Facility Transition and Closeout Program Plan.”
39. TFC-PLN-80, “Procedure Program Description.”
40. TFC-PLN-84, “Tank Operations Contract Project Execution Management Plan.”
41. TFC-PLN-98, “Inspections, Tests, Analysis, and Acceptance Criteria (ITAAC) Program Plan.”
42. TFC-PLN-136, “Engineering Design Program.”
43. TFC-PLN-138, “Implementation Plan for ISA 84 (Safety Instrumented Systems).”
44. TFC-POL-16, “Integrated Safety Management Policy.”
45. TFC-PRJ-CM-C-01, “Construction Management.”
46. TFC-PRJ-CM-C-08, “Construction Completion and Turnover.”
47. TFC-PRJ-CM-C-16, “Construction Acceptance Testing.”
48. TFC-PRJ-PM-C-28, “Project Turnover and Closeout/Suspension.”
49. TFC-PRJ-SUT-C-02, “Operational Acceptance Test Preparation.”
50. TFC-PRJ-SUT-C-03, “Conduct of Testing.”
51. TFC-PRJ-SUT-C-04, “Test Results Report Preparation.”
Table 1. WRPS SIS Life Cycle Implementing ISA 84 Clause 8 Through 18.
(Rows: PHASE | ISA 84 | PHASE ACTIVITIES; one column per life cycle phase)

PHASE: Initiation
ISA 84: Clauses 8 and 9
PHASE ACTIVITIES: Problem Identification; Hazard Analysis; Control Decision Meeting; Project Initiation

PHASE: Design
ISA 84: Clauses 10, 11, and 12
PHASE ACTIVITIES: Draft SRED; Detailed Design; Final SRED; SIL Verification Calculation; Spurious Trip Rate Calculation

PHASE: Construction, Testing & Commissioning
ISA 84: Clauses 13 and 14
PHASE ACTIVITIES: Procurement; Construction/installation; Factory Acceptance Testing; Startup Testing; Safety Basis development; Procedure (ops and maint) development; Training; SB Implementation; Project Turnover

PHASE: Validation
ISA 84: Clause 15
PHASE ACTIVITIES: Functional Safety Assessment; Operational Readiness Review

PHASE: Operation & Maintenance, Modification and Decommissioning
ISA 84: Clauses 16, 17 and 18
PHASE ACTIVITIES: Cognizant System Engineer SIS Health Monitoring; TSR Compliance; Nuclear Maintenance Management; USQ Evaluation; Engineering Change Control; Configuration Management
Table 2. WRPS Policies, Plans and Procedures that Conform to Clause 5 through 7 and 19 Objectives.
(Columns: ISA 84 Section | Requirement | WRPS Process or Procedure)

ISA 84 Section: 5.2.1 General
Requirement: (1) The policy and strategy for achieving safety shall be identified together with the means for evaluating its achievement and shall be communicated within the organization. (2) A safety management system shall be in place so as to ensure that where safety instrumented systems are used, they have the ability to place and/or maintain the process in a safe state.
WRPS Process or Procedure:
  TFC-POL-16, Integrated Safety Management Policy
  TFC-ENG-SB-01, Safety Basis Document Maintenance Process

ISA 84 Section: 5.2.2 Organization and Resources
WRPS Process or Procedure:
  TFC-PLN-02, Quality Assurance Program Description
  TFC-PLN-03, Engineering Program Management Plan
  TFC-PLN-61, Tank Operations Contractor Training and Qualification Program

ISA 84 Section: 5.2.3 Risk Evaluation and Risk Management
Requirement: Hazards identified, risk evaluated and controls selected
WRPS Process or Procedure:
  TFC-ENG-DESIGN-C-47, Process Hazard Analysis

ISA 84 Section: 5.2.4 Planning
Requirement: Safety planning shall take place to define the activities that are required to be carried out along with the persons, department, organization or other units responsible to carry out these activities. This planning shall be updated as necessary throughout the entire safety life cycle.
WRPS Process or Procedure:
  TFC-POL-16, Integrated Safety Management Policy
Table 2. WRPS Policies, Plans and Procedures that Conform to Clause 5 through 7 and 19 Objectives. (cont.)
(Columns: ISA 84 Section | Requirement | WRPS Process or Procedure)

ISA 84 Section: 5.2.5.1 Implementing and Monitoring
Requirement: Prompt follow-up and satisfactory resolutions to recommendations from: (1) Hazard analysis and risk assessment; (2) Assessment and auditing activities; (3) Verification activities; (4) Validation activities; (5) Post-incident and post-accident activities
WRPS Process or Procedure:
  TFC-ENG-DESIGN-C-47, Process Hazard Analysis
  TFC-PLN-10, Assessment Program Plan
  TFC-ENG-DESIGN-P-17, Design Verification
  TFC-ENG-DESIGN-P-44, Safety Instrumented System Functional Safety & Performance Assessment Process
  TFC-PLN-26, Test Program Plan
  TFC-OPS-OPER-C-24, Occurrence Reporting and Processing of Operations Information
  TFC-BSM-IRM-STD-11, Incident Management and Corrective Action Standard
  TFC-ESHQ-AP-C-02, Independent Assessments/Audits
  TFC-ENG-ADMIN-D-07, Engineering Assessments
  TFC-OPS-OPER-C-34, Independent Verification

ISA 84 Section: 5.2.5.2 Suppliers QA requirement
WRPS Process or Procedure:
  TFC-ESHQ-Q_ADM-C-09, Supplier Quality Assurance Program Evaluation
  TFC-BSM-CP_CPR-C-05, Procurement of Services
  TFC-BSM-CP_CPR-C-06, Procurement of Items (Materials)

ISA 84 Section: 5.2.5.3 SIS Performance Evaluation
Requirement: Identify and prevent systematic failure; Assess whether SIS dangerous failure rates are in accordance with design assumptions
WRPS Process or Procedure:
  TFC-ENG-FACSUP-P-01, TOC System Engineer Program
  TFC-ESHQ-Q_C-C-01, Problem Evaluation Request
  TFC-ENG-DESIGN-P-43, Control Development Process for Safety Significant Safety Instrumented Systems

ISA 84 Section: 5.2.6.1 Functional Safety Assessment
Requirement: Procedure for FSA; FSA team structure; Life cycle stages for FSA identified; FSA prior to hazards being present; Development and production tools used subject to FSA; FSA results documented; All relevant information available to FSA team
WRPS Process or Procedure:
  TFC-ENG-DESIGN-P-44, Safety Instrumented System Functional Safety & Performance Assessment Process
  TFC-OPS-OPER-C-02, Safety Basis Implementation Checklist Preparation, Review, and Approval
  Facility Documented Safety Analysis (DSA)
  Facility Technical Safety Requirements (TSR)
Table 2. WRPS Policies, Plans and Procedures that Conform to Clause 5 through 7 and 19 Objectives. (cont.)
(Columns: ISA 84 Section | Requirement | WRPS Process or Procedure)

ISA 84 Section: 5.2.6.2 Auditing and Revision
Requirement: Procedures developed for auditing to include frequency of audit, independence of auditors, and record generated by audits; Modification procedures in place
WRPS Process or Procedure:
  TFC-PLN-10, Assessment Program Plan
  TFC-ESHQ-AP-C-02, Independent Assessments/Audits
  TFC-ENG-DESIGN-C-06, Engineering Change Control

ISA 84 Section: 5.2.7 SIS Configuration Management
Requirement: Procedures for SIS and software configuration management available
WRPS Process or Procedure:
  TFC-PLN-23, Configuration Management Plan
  TFC-BSM-IRM-STD-02, Software Configuration Management Standard

ISA 84 Section: 6.2 Safety Life Cycle Requirements
Requirement: Safety life cycle phases defined in terms of inputs, outputs and verification activities; Safety planning for each life cycle phase
WRPS Process or Procedure:
  TFC-PLN-138, ANSI/ISA 84.01-2004 Part 1 Plan

ISA 84 Section: 7.1 Verification
Requirement: Plan; Performed; Documented
WRPS Process or Procedure:
  TFC-CHARTER-33, Safety Basis Change Review Board
  TFC-CHARTER-43, Integrated Project Review Team
  TFC-PLN-26, Test Program Plan
  TFC-ENG-DESIGN-P-17, Design Verification
  TFC-ENG-DESIGN-P-44, Safety Instrumented System Functional Safety Assessment Process

ISA 84 Section: 19 Information and Documentation Requirements
WRPS Process or Procedure:
  TFC-PLN-17, Information Resource Management Operational Services Program Description
  TFC-PLN-23, Configuration Management Plan
Table 3. WRPS SIS Safety Life Cycle Activities and Implementing Plans and Procedures.
(Columns: Phase | Activity | ISA 84 Clause | Phase Input(s) | WRPS Implementing Documents | WRPS Document Description | Phase Output(s); each implementing document is listed with its description)

Phase: INITIATION

Activity: Identification of Need
ISA 84 Clause: NA
Phase Input(s): New/modified process; Potential Inadequacy in Safety Analysis (PISA); DOE direction
WRPS Implementing Documents:
  TFC-ENG-DESIGN-C-35, Process Hazard Analysis Determination and Technique Screening
  TFC-ENG-SB-C-03, Unreviewed Safety Question Process
Phase Output(s): Description of condition that is not bounded by current safety basis

Activity: Process Hazard Analysis
ISA 84 Clause: 8
Phase Input(s): Description of process in which need for PrHA has been identified
WRPS Implementing Documents:
  TFC-ENG-DESIGN-C-47, Process Hazard Analysis
Phase Output(s): Hazardous Event(s); Cause(s) of hazardous event(s); Consequence; Potential controls for each cause; Assumptions

Activity: Control Decision Meeting
ISA 84 Clause: 9
Phase Input(s): Hazardous Event(s); Cause(s) of hazardous event(s); Consequence; Potential controls for each cause; Assumptions
WRPS Implementing Documents:
  TFC-ENG-DESIGN-C-47, Process Hazard Analysis
Phase Output(s): SIS selected as credited control for specific event cause(s); SIS safety function identified; SIS safety instrumented function (SIF) defined; SIS safety integrity level determined
Table 3. WRPS SIS Safety Life Cycle Activities and Implementing Plans and Procedures. (cont.)
(Columns: Phase | Activity | ISA 84 Clause | Phase Input(s) | WRPS Implementing Documents | WRPS Document Description | Phase Output(s); each implementing document is listed with its description)

Phase: INITIATION (cont.)

Activity: Project Initiation
ISA 84 Clause: NA
Phase Input(s): SIS selected as credited control for specific event cause(s)
WRPS Implementing Documents:
  TFC-PLN-84, TOC Project Execution Plan
  TFC-ENG-DESIGN-C-56, Modification Traveler
Phase Output(s): Projectized Operational Activity to design, construct and commission SIS

Phase: DESIGN

Activity: Develop SIS safety requirements specifications
ISA 84 Clause: 10, 12
Phase Input(s): SIS selected as credited control for specific event cause(s); SIS safety function identified; SIS safety instrumented function (SIF) defined; SIS safety integrity level determined
WRPS Implementing Documents:
  TFC-ENG-DESIGN-P-43, Control Development Process for Safety Significant Safety Instrumented Systems
  TFC-ENG-DESIGN-P-12, Plant Installed Software
Phase Output(s): Conceptual Design; Draft Safety Requirements Evaluation Document (SRED); SIL Scoping Calculation; Proof test methods identified; Spurious Trip Rate Calculation draft; Software Quality Assurance Documentation

Activity: Detailed Design
ISA 84 Clause: 11
Phase Input(s): Draft SRED containing SIS functional and design requirements; Modification Traveler
WRPS Implementing Documents:
  TFC-PLN-03, Engineering Management Plan
  TFC-PLN-136, Engineering Design Program
  TFC-PLN-23, Configuration Management Plan
Phase Output(s): Engineering Drawings; ECNs; Specifications; Procurement technical requirements; Equipment lists; Plant installed software documentation
Table 3. WRPS SIS Safety Life Cycle Activities and Implementing Plans and Procedures. (cont.)
(Columns: Phase | Activity | ISA 84 Clause | Phase Input(s) | WRPS Implementing Documents | WRPS Document Description | Phase Output(s); each implementing document is listed with its description)

Phase: DESIGN (cont.)

Activity: Design Verification
ISA 84 Clause: 10, 11, 12
Phase Input(s): Engineering Drawings; ECNs; Specifications; Equipment lists; Embedded Software; Plant Installed Software
WRPS Implementing Documents:
  TFC-ENG-DESIGN-P-43, Control Development Process for Safety Significant Safety Instrumented Systems
  TFC-ENG-DESIGN-C-52, Technical Reviews
  TFC-ENG-DESIGN-P-12, Plant Installed Software
Phase Output(s): Final SRED; FMEA on Final Design; SIL Verification Calculation; Proof Test Methods; Final Spurious Trip Rate Calculation; Software Quality Assurance Documentation

Phase: CONSTRUCTION, TESTING & COMMISSIONING

Activity: Procurement
ISA 84 Clause: 14
Phase Input(s): Procurement technical requirements
WRPS Implementing Documents:
  TFC-BSM-CP_CPR-C-06, Procurement of Items
  TFC-ENG-DESIGN-C-15, Commercial Grade Dedication
Phase Output(s): Components meeting SIS technical requirements

Activity: Construction/Installation
ISA 84 Clause: 14
Phase Input(s): Engineering Drawings; ECNs; Specifications; Equipment lists; Embedded Software; Plant Installed Software
WRPS Implementing Documents:
  TFC-PRJ-CM-C-01, Construction Management
  TFC-PRJ-CM-C-16, Construction Acceptance Testing
  TFC-PRJ-CM-C-08, Construction Completion and Turnover
Phase Output(s): SIS installed and ready for startup testing

Activity: Factory Acceptance Testing
ISA 84 Clause: 13
Phase Input(s): Equipment fabricated and ready for factory test
WRPS Implementing Documents:
  TFC-PLN-98, Inspections, Test, Analysis and Acceptance Criteria Program
  TFC-PLN-26, Test Program Plan
  TFC-BSM-IRM-STD-01, Software Life Cycle Standard
Phase Output(s): SIS equipment and components ready for delivery to WRPS
Table 3. WRPS SIS Safety Life Cycle Activities and Implementing Plans and Procedures. (cont.)
(Columns: Phase | Activity | ISA 84 Clause | Phase Input(s) | WRPS Implementing Documents | WRPS Document Description | Phase Output(s); each implementing document is listed with its description)

Phase: CONSTRUCTION, TESTING & COMMISSIONING (cont.)

Activity: SIS Preoperational Testing
ISA 84 Clause: 14
Phase Input(s): SIS installed and ready for startup testing
WRPS Implementing Documents:
  TFC-PLN-26, Test Program Plan
  TFC-PLN-98, Inspections, Test, Analysis and Acceptance Criteria Program
  TFC-PRJ-SUT-C-04, Test Result Report
Phase Output(s): Test Result Report

Activity: Safety Basis Development
ISA 84 Clause: 14
Phase Input(s): Final SRED
WRPS Implementing Documents:
  TFC-ENG-SB-C-01, Safety Basis Document Maintenance Process
  TFC-OPS-OPER-C-02, Safety Basis Implementation Checklist
Phase Output(s): Revised DSA and TSRs approved by DOE; Safety Basis Implementation Checklist

Activity: Procedure Development
ISA 84 Clause: 14
Phase Input(s): Final SRED
WRPS Implementing Documents:
  TFC-PLN-80, Procedure Program Description
  TFC-OPS-OPER-C-02, Safety Basis Implementation Checklist Preparation, Review, and Approval
Phase Output(s): Approved procedures for operation and maintenance of SIS

Activity: Training
ISA 84 Clause: 14
Phase Input(s): Final SRED; Operations and Maintenance procedures
WRPS Implementing Documents:
  TFC-PLN-61, TOC Training and Qualification Plan
Phase Output(s): Training developed and delivered to operations and maintenance personnel

Activity: Project Turnover
ISA 84 Clause: 14
Phase Input(s): SIS Testing Complete and approved; Procedures approved; Training complete; SB Implementation Checklist complete
WRPS Implementing Documents:
  TFC-PLN-72, Project and Facility Turnover Plan
  TFC-PRJ-PM-C-28, Project Turnover and Closeout
Phase Output(s): SIS ready for operations
Phase: VALIDATION

Activity: Functional Safety Assessment
ISA 84 Clause: 15
Phase Input(s): SIS Project Turnover to Operations
WRPS Implementing Documents:
  TFC-ENG-DESIGN-P-44, Functional Safety Assessment Process
Phase Output(s): Approved FSA Datasheet

Activity: Operational Readiness Review
ISA 84 Clause: 15
Phase Input(s): SIS Project Turnover to Operations
WRPS Implementing Documents:
  TFC-PLN-16, Readiness Review Program Plan
  TFC-PRJ-PM-C-08, Operational Readiness Review
Phase Output(s): Identification of readiness for operations; Corrective actions

Phase: OPERATION & MAINTENANCE, MODIFICATION, and DECOMMISSIONING

Activity: System Monitoring, Performance and Reporting
ISA 84 Clause: 16
Phase Input(s): Process authorized to begin operation
WRPS Implementing Documents:
  TFC-ENG-FACSUP-P-01, TOC System Engineer Program
Phase Output(s): SIS verified capable of performing SIF on demand; SIS SIL validity

Activity: Operation in Compliance with Safety Basis
ISA 84 Clause: 16
Phase Input(s): Process authorized to begin operation
WRPS Implementing Documents:
  TFC-OPS-OPER-C-01, Technical Safety Requirements Compliance
  TFC-PLN-05, Conduct of Operations Implementation Plan
  TFC-PLN-29, Nuclear Maintenance Management Program
Phase Output(s): Normal process operations; SIS maintained capable of performing SIF on demand

Activity: Modification
ISA 84 Clause: 17
Phase Input(s): Modification to SIS proposed
WRPS Implementing Documents:
  TFC-ENG-SB-C-03, Unreviewed Safety Question Process
  TFC-ENG-DESIGN-C-06, Engineering Change Control
  TFC-PLN-23, Configuration Management Plan
  TFC-ENG-DESIGN-P-43, Control Development Process for Safety Significant Safety Instrumented Systems
  TFC-ENG-DESIGN-P-12, Plant Installed Software
Phase Output(s): ECNs; Revised SB documents; Revised procedures/training; Software Change Requests

Activity: Decommissioning
ISA 84 Clause: 18
Phase Input(s): SIS determined to be no longer needed
WRPS Implementing Documents:
  TFC-ENG-SB-C-03, Unreviewed Safety Question Process
  TFC-ENG-DESIGN-C-06, Engineering Change Control
  TFC-PLN-23, Configuration Management Plan
Phase Output(s): SIS decontaminated and decommissioned