Safety is of paramount concern in the nuclear industry. In accordance with the requirements of the UK Nuclear Installations Inspectorate (NII), every nuclear site licensee in the UK must justify its safety case in order to operate.
This involves substantiating the safety claims made for each instrument that contributes to a safety function.
With the increasing reliance on "SMART" instruments in safety systems, the problem of substantiating the software in these instruments has been a concern of the NII for a number of years.
The EMPHASIS tool was developed to assist the nuclear site operators to achieve a common level of substantiation whilst eliminating duplication of effort.
The SIL1 certified Omni16C alarm annunciator has been substantiated by EMPHASIS for use in the UK nuclear industry.
The Nuclear Decommissioning Authority (NDA) owns the UK's civil nuclear assets, including the Sellafield and Capenhurst sites.
Sellafield Ltd safely manages the day-to-day operations on the Sellafield and Capenhurst sites under contract to the NDA.
Sellafield Ltd's proud heritage includes the development of the world's first commercial nuclear power station, Calder Hall.
The Sellafield site is one of the world's most complex and compact nuclear sites, with current activities centred around remediation, decommissioning and clean up of the historic legacy. The site is also home to the Thorp and Magnox reprocessing plants, the Sellafield MOX plant and a wide range of waste management and effluent treatment facilities.
The UK Health and Safety Executive (HSE) has stated that IEC 61508 "will be used as a reference standard for determining whether a reasonably practicable level of safety has been achieved when E/E/PE systems are used to carry out safety functions".
The NII has reiterated this statement, and has released its own internal technical assessment guides that reinforce this view.
Compliance with IEC 61508 can be achieved through a number of different means, including self-assessment and "proven in use" arguments. The result has been that there is no common framework for these assessments that satisfies the requirements of the nuclear industry.
While hardware assessments are more easily verified, the verification of software as it relates to the safety function has been a concern of the nuclear industry for a number of years. The potential for unrevealed systematic faults in the firmware is the issue of concern.
This has led to reluctance within the nuclear industry to use software-based or "SMART" instruments in safety instrumented systems, which has reduced flexibility and limited the opportunities presented by the latest technologies.
Each major nuclear operator created its own verification program to meet the requirements of the NII for "evidence" of compliance with the safety certification.
This in turn led to reluctance on the part of SMART instrument suppliers to subject themselves to a rigorous and costly verification program for each licensee in return for a relatively small sale.
After extensive research by the Control & Instrumentation Nuclear Industry Forum (CINIF), the EMPHASIS program was developed. Originally intended as a set of written guidelines, the EMPHASIS program soon evolved into a software tool that can be used for assessment of SMART instruments for the nuclear industry.
EMPHASIS has been subjected to extensive validation, and has been adopted by the Nuclear Industry Smart Instruments Working Group (NISIWG) comprising the major players from the UK Nuclear Industry.
EMPHASIS is based upon a life-cycle approach as specified in IEC 61508, and provides an evidence-gathering tool in the form of a comprehensive set of questions covering all relevant aspects of the company and the product under review.
A key component in nuclear safety systems is the alarm annunciator. Alarm annunciators are considered vital tools in modern safety systems because they provide an additional layer of protection in the safety strategy on the plant.
Alarm annunciators are simple to deploy, which provides an easily verifiable safety function in the system.
Alarm annunciators also provide early warning to operators of a potential plant upset, which can often allow intervention before the upset occurs. Involving the operator also brings a sophisticated analysis capability to bear on events that may not have been predicted at plant design.
Modern alarm annunciators such as the Omni16C range are SMART instruments, and so the verification of these products to meet nuclear requirements is imperative.
The Omni8C/Omni16C range has been the alarm annunciator of choice at Sellafield Limited and a number of other major UK nuclear facilities for a number of years. The Omni16C was the first alarm annunciator in the world to be certified to SIL1 in accordance with IEC61508.
This product has provided reliable service and, from the Omniflex statistics gathered over the years, is certainly "proven in use".
"We have been very happy with the performance of the Omni16C," said Mike Hadfield, Programmable Electronic Systems Centre of Expertise Leader at Sellafield.
"The availability of the new EMPHASIS tool created an opportunity for us to formally substantiate the reliability of this important product."
Sellafield Ltd approached Omniflex with a view to subjecting the Omni16C range to the EMPHASIS program.
"Exposing your books to outside scrutiny is always a risk," said Gary Bradshaw, Omniflex UK Director, "but our good relationship with Sellafield, and the proven performance of the Omni16C gave us confidence to proceed with this audit."
A team from Sellafield visited the Omniflex factory and conducted a thorough review of the design and production methods of the Omni16C range. Both the hardware and the software were evaluated using the EMPHASIS tool against IEC 61508 SIL1.
"The EMPHASIS tool provides us the rigour to evaluate the software embedded in SMART instruments," said Paul Caspall-Askew, PES & RSI Team Leader, Sellafield Specialist Design & Delivery Group.
"The software development process employed at Omniflex as well as the Omni8C and Omni16C test methods were thoroughly reviewed using this tool."
"We found sufficient evidence to justify the SIL1 claim made by the company, and are now satisfied that the Omni16C is suitable for use in the UK nuclear industry."