A Reliability Assurance Program for Control Systems


Copyright © IFAC Industrial Process Control Systems, Bruges, Belgium



I. M. Niemela and T. A. Pulli, Reliability Engineering Section, Electrical Engineering Laboratory, Technical Research Centre of Finland, Espoo, Finland

Abstract. A systematic reliability assurance program for control systems is described. It is intended for control system users not having a functioning reliability program at the moment. It covers the entire life cycle of the control system from the conceptual design to the modifications of the system. The reliability target is set based on the risk analysis of the system to be controlled. The program assures that the reliability requirements are built into the control system.

Keywords. Reliability management; control system; risk identification

INTRODUCTION

This reliability program is intended for companies not having a functioning systematic reliability program at the moment. The objective of the reliability program is not to establish a separate reliability organization, but to integrate the reliability design into the everyday work of the designers. However, a reliability manager must be appointed for the reliability program. In each task he works with experts relevant to the task.

This paper describes the main features of a reliability program for control systems. It is based on experiences from a peat-fired power plant control system reliability program. At the moment the power plant is under construction and it is scheduled to start in the beginning of 1990.

Some experience has already been gained from the reliability program. The experience shows that the first steps of the program have succeeded quite well.

In this context the word "control system" refers to an entity including the electronics itself and possibly also the protection system, transducers, actuators, programs, power system, cabling and so on.

The reliability program consists of 15 tasks totaling approximately 1000 man-hours.

BACKGROUND

The reliability program is intended to be used by the control system buyers and designers in order to define and fulfill the reliability criteria during design or purchase of a control system.

Reliability is always a characteristic of a technical system, whether it is designed or not. In an unreliable system its good technical properties will be only latent. In that case a more reliable system will be chosen, although it might be more restricted in other technical properties.

The designers are often using the principles of the reliability technology, but not always systematically. Therefore a systematic approach is required in order to design a system with well balanced reliability characteristics. The necessity of the systematic reliability design is even more vital if the system is to be designed to meet a reliability target.

THE AIM OF THE RELIABILITY PROGRAM

Here we present the basic tasks of a reliability program. The main idea of the reliability program is to integrate the reliability design into the normal design process. The reliability program defines tasks to assure that acceptable and balanced reliability properties are achieved. The reliability program covers the entire life cycle of the system from the conceptual design to the operation and maintenance.

The program describes the reliability design tasks, by which
1. The reliability target is defined.
2. The acceptable reliability level is guaranteed.
3. The decision-making of control system design is supported.
4. The reliability design attitudes and procedures are enhanced or established.

The aim set forth for the reliability program is: To design and construct a control system meeting the reliability criteria of the controlled system.

The reliability criteria will be defined in task number 2.

The tasks of the reliability program will be timed by the control system design process. Therefore the tasks will not delay the design and construction schedules.

For the reliability program two responsible persons must be appointed: the supervisor and the reliability program manager.

The supervisor is responsible for the degree of application of the reliability program and for its acceptance. He should be the leader of the control system design or someone participating in the design.

The reliability program manager should be a person who is acquainted with reliability engineering. In each task he works with experts best suited for the task. He is responsible for the reliability program tasks as defined by the reliability program supervisor.

THE APPLICATION OF RELIABILITY PROGRAM

In each application of the reliability program the reliability target will be defined on the basis of the risks in the controlled system. To realize the reliability target is the main object of the reliability program. Hence, the program changes from one controlled system to another.

THE PRINCIPLE OF THE RELIABILITY PROGRAM

The basic principle of the reliability program is to guide the existing control system design process in order to attain the acceptable reliability. This is accomplished by correctly timed guiding impulses. The principle is shown in figure 1. The impulses are requirements and propositions for the system design. They are based on well-known principles of reliability theory, on information obtained from the system during the design process, and on reliability analyses of the system. The timing of the impulses is critical in order not to slow down the design process by the reliability program. The control system design supervisor is still responsible for the reliability of the system. The reliability program is only a tool for supporting the reliability design and decisions.

THE TASKS OF THE RELIABILITY PROGRAM

In order to guarantee the acceptable reliability, the following tasks are to be performed in the reliability program:
1. The onset of the reliability program.
2. The definition of the reliability target.
3. The survey of the reliability capabilities of the delivery candidates.
4. The development of the reliability text for the requests for quotation.
5. The support in the selection of the deliverers.
6. The decision support during the initial design.
7. The support of the cabling design.
8. The support of the instrumentation design.
9. The support of the detailed design.
10. The support of the application programming.
11. The support of the sequence programming.
12. The support of the factory test.
13. The support of the contracts.
14. The support of the on-site test.
15. The support of the operation, maintenance and modifications.

In each application of the reliability program some tasks may be left out, if they are not relevant in achieving the reliability target.

1. The onset of the reliability program

In this task the supervisors for the reliability program are selected. The experts of each design field will be recognised and their possibilities of participating in the reliability program are explored. The schedule for the control system design will be determined and the application area for the reliability program will be defined. The reliability resources and skills will be figured out and the necessary materials, knowledge and computer programs will be obtained.

2. Reliability target

In this task the reliability target for the control system in the specific case is defined. It can be stated in numerical values, but above all it must be stated in clearly defined properties of the control system. The reliability program guarantees that the system fulfills the target as well as possible. When defining the reliability target, a small-scale risk and availability analysis for the controlled system will be made. These can be useful also in some other contexts outside the reliability program. The reliability target is defined on the basis of the recognised risks of the controlled system. Thus the reliability target is well balanced with the reliability and safety requirements of the system to be controlled. The reliability target may be stated either in qualitative or in quantitative statements. Often it is easier to set forth a qualitative reliability target than a quantitative one. We have formulated a simple classification method for transforming the results of the risk analysis into the qualitative reliability target. The method gives the first approximation for the reliability target. An example of qualitative reliability requirements is given in appendix 1.


If we have stated quantitative reliability requirements, they too must be written out in qualitative form as a list of system design criteria. When the system is designed in accordance with these criteria, it fulfills the reliability target. The quantitative reliability target may be defined either directly by reliability parameters or by parameters derived from the reliability characteristics (often these parameters are financial). An example of a quantitative reliability target is given in appendix 2.

3. Deliverer survey

In this task we investigate the reliability skills and practice of the delivery candidates. On the basis of the survey we must be able to answer the following questions:
1. Does the candidate have a credible reliability policy?
2. Which parts of the reliability design can be given to the candidate?
In addition to these we should try to find answers to the following questions:
3. In which areas of reliability design is the candidate better than the others?
4. Which are the weak points in the reliability design of the candidate that require particular attention during the reliability program?

In this task a questionnaire is given to the candidates during the preliminary negotiations. The questionnaire is based on well-known principles of reliability theory and practice (MIL-HDBK-338, 1984). The task is performed on the basis of the answers to the questionnaire. This task must be finished before sending out the requests for quotation.

4. Reliability text development

In this task we specify the reliability requirements of the request for quotation based on the results of the previous task. We also collect the experience gained from previous control system projects. The spare parts requirement will be predicted from the former operating experience. Often the reliability text in the quotation is far too ambiguously defined (Kirran, 1986). We may say, for example, that the availability has to be 99.9% without specifying the failed or functioning states of the system. The availability/reliability is heavily dependent on these definitions. The definitions in appendix 2 can be considered as adequate from this point of view.


5. Deliverer selection

The aim of this task is to determine whether there is a significant difference in the reliability of the systems offered by different delivery candidates. The aim is also to make sure that the deliverer can produce a system that is sufficiently reliable. In this task we explore the structure of the systems and estimate the reliability of selected critical operations (one I/O channel, one typical control loop, data traffic etc.). As a result we also have the final reliability text of the contract.

6. Initial design support

The aim of this task is to support the initial design of the control and interlocking diagrams, e.g. in the following decisions:
1. Where to introduce redundancy?
2. How many sensors or actuators are needed?
3. Is the design safe?

The aim is also to plan the periodical tests together with the process designers. Also a (computerized) reliability model will be constructed including the necessary parts of the system. The designers will be given processed reliability knowledge in an easy-to-use format. It must include e.g. reliability information for single, doubled, etc. measurement channels in an understandable format. In addition to this, when the control system designers need more accurate reliability information, reliability computations will be performed. If necessary, the basic control system reliability model is updated and several alternatives will be computed. A flexible computer code has been developed for control system reliability analysis (RELVEC manual, 1986). In order to guarantee the safety of the system, design reviews will be organized. During the reviews also critical components to be tested periodically will be identified.

7. Cabling design

In this task we provide the cabling designers with a check-list for the cabling design. The designers will be motivated for reliability thinking. The design guidelines for avoiding single point failures in necessary points will be given.

8. Instrumentation design

In this task we equip the designers with design guidelines and a check-list for instrumentation design.


9. Detailed design

In this task we equip the designers of the manufacturer with design guidelines and a check-list for avoiding single point and common cause failures in necessary points. Small-scale failure modes and effects analyses (FMEA) are performed in critical points of the system, especially for critical sensors and actuators.

10. Application programming

In this task we construct a check-list for the application programs. The aim of the check-list is to make sure that the programs are safe also during equipment failures. Also we try to limit the propagation of failures. Especially points identified as risky will be checked once more in design reviews.

11. Sequence programming

In this task we construct a check-list for the sequence programs. The aim of the check-list is to make sure that the sequence programs are safe also during equipment failures. Also we try to limit the propagation of failures. Especially points identified as hazardous will be checked once more in design reviews. The completeness of the interlockings is checked.

12. Factory test

In this task we construct testing guidelines and check-lists for the identification of single point and common cause failures and for testing the critical operations. All deficiencies will be documented and fixed.

13. Contracts

The aim of this task is to make sure that the designed inherent reliability will be constructed in practice. All failures and construction deficiencies that could lead to failures will be reported. A supervisor will be appointed for the construction phase, whose task is to look after the quality of the work.

14. On-site test

The aim of this task is to make sure that no failures or deficiencies will be caused during the on-site test. The observed reliability deficiencies will be documented and fixed. For the operational phase of the system guidelines for reliability data collection and handling will be defined.

15. Operation and modifications

The aim of this task is to support the operation, maintenance and modifications of the system from the reliability point of view. Maintenance, periodical testing and field failure data collection and analysis are treated in this task. The spare parts storage will be validated. For larger modifications separate reliability programs will be arranged.

RESOURCE DEMANDS

The extra work required by the reliability program should not be of any concern, because the designers have to consider reliability problems in any case. With the assistance provided by the reliability program, the designers accomplish the reliability target better. The extra cost of the reliability program will be compensated by the more reliable operation of the system. The resource demand for a moderately sized system is about 1000 man-hours. When the designers learn to use the methods of the reliability technology in their work, the demand for training decreases in the succeeding reliability programs. Hence we can achieve more reliability design in the succeeding programs by the same amount of labor.

REFERENCES

Kirran, P. P. (1986). Common errors in ARM plans. In J. Moltoft and F. Jensen (Eds.), European Reliability Conference, REL-CON '86, Participants Edition, Part 1, North-Holland, Amsterdam, 6, pp. 129-134.

MIL-HDBK-338 (1984). Electronic Reliability Design Handbook, Vol. I & II, Department of Defense, Washington. 1500 pp.

RELVEC Manual (1986). RELVEC manual, Vol. I & II, Technical Research Centre of Finland, Espoo. 210 pp.


Fig. 1. The principle of the reliability program. [Figure not reproduced: two parallel columns, CONTROL SYSTEM DESIGN (preliminary negotiations, deliverer selection, initial design, cabling design, instrumentation design, detailed design, application programming, sequence programming, factory test, contracts, on-site test, operation) and RELIABILITY PROGRAM (onset of program, reliability target, deliverer capabilities, reliability text, and a support task for each design phase: initial design support, cabling design support, instrumentation design support, detailed design support, application programming support, sequence programming support, factory test support, contract support, on-site test support, operation support), with each support task linked to the corresponding design phase.]


Appendix 1. An example of qualitative reliability requirements

1. The reactor must be protected against explosion by a doubled protection system, which may not have any common failure source with the control system. The protection system must fail safely.
2. The leakage of poisonous material must be prevented by a protection system that must fail safely.
3. The temperature control of the reactor and the control of downloading the reactor must be doubled. Good quality components must be used.
4. The control of the reactor feeding system must be constructed using good quality components.
5. Pump PII must be protected against breakdown e.g. by vibration monitoring.

Appendix 2. An example of quantitative reliability requirements

1. During the entire life cycle of the plant the probability of a reactor explosion caused by control system failures may not exceed 1/1000.
2. The number of poisonous releases below 1 minute due to a control system failure may not exceed 2 in a year. The mean interval between releases lasting 1-5 minutes must exceed 3 years. The number of releases longer than 5 minutes may not exceed 2 during the entire life cycle of the plant.
3. The mean interval of solidifications of the end product in the reactor due to a control system failure must exceed 2 years.
4. The reactor feeding system may be failed due to a control system failure at most 50 hours in a year.
5. The number of long control system repairs lasting more than 40 hours may not exceed 1 in a year.