Implementation Plan For ISA 84 (Safety Instrumented Systems)

Manual: Management Plan
Document: TFC-PLN-138, REV B-1
Issue Date: January 11, 2018
Ownership matrix: RPP-27195

TABLE OF CONTENTS

1.0 PURPOSE AND SCOPE
2.0 PROGRAM PLAN
    2.1 Objective
    2.2 ISA 84 Overview
    2.3 Clause by Clause Summary of ISA 84
3.0 DEFINITIONS
4.0 SOURCES
    4.1 Requirements
    4.2 References

TABLE OF TABLES

Table 1. WRPS SIS Life Cycle Implementing ISA 84 Clause 8 Through 18.
Table 2. WRPS Policies, Plans and Procedures that Conform to Clause 5 through 7 and 19 Objectives.
Table 3. WRPS SIS Safety Life Cycle Activities and Implementing Plans and Procedures.


1.0 PURPOSE AND SCOPE

This management plan describes the integration and implementation of ANSI/ISA 84.00.01-2004, Part 1 (IEC 61511-1 Mod), “Functional Safety: Safety Instrumented Systems for the Process Industry Sector” (ISA 84), into the established WRPS processes for development of safety related controls in compliance with 10 CFR 830 Subparts A and B. ISA 84 specifies many requirements that are consistent with the intent and application of the established processes that implement 10 CFR 830 Subparts A and B. Therefore, this plan identifies, through tabulated matrices, the established plans, policies, and/or procedures that satisfy the objectives and effectively implement the requirements specified in ISA 84. Unique elements of ISA 84, not covered by previously established WRPS processes, have been developed and appear as appropriate in the matrices. A description of ISA 84 is provided in the text, on a clause by clause basis, with a brief description of the existing WRPS processes that meet the requirements of the clause. Additionally, WRPS deviations from the stated requirements in ISA 84 will be identified in the text of this plan.

This plan is applicable to Safety Instrumented Systems (SISs) as determined by the WRPS Process Hazard Analysis Procedure TFC-ENG-DESIGN-C-47. SISs are systems that (1) require instrumented systems to fulfill the system safety function and (2) have a functional classification of safety significant.

2.0 PROGRAM PLAN (4.1.1)

2.1 Objective

The objective of this plan is to implement ANSI/ISA-84.00.01-2004, Part 1 (ISA 84), through the use of WRPS management systems and procedures developed in compliance with U.S. Department of Energy (DOE) directives and contract requirements. This plan shall be applied to the design, installation, testing, operation, modification, and decommissioning of Safety Significant (SS) Safety Instrumented Systems. Where the WRPS implementation differs from the stated requirements of ISA 84, this plan identifies the alternative means employed. Specific clarifications, modifications, substitutions, additions, or deletions to the identified sections of ISA 84 are included in this plan.

2.2 ISA 84 Overview

ISA 84 provides an extensive set of requirements for the specification, design, installation, operation, and maintenance of an SIS. An SIS is an instrumented system, composed of any combination of sensor(s), logic solver(s) and final element(s), used to implement one or more safety instrumented functions (SIF). An operator response may also be part of the SIS. A SIF is selected for potential process hazard(s) to place and/or maintain the process in a safe state in response to a significant hazardous process condition. The ISA 84 standard relies on a controlled process to ensure the SIS will perform the designated SIF(s) at a level that provides the necessary degree of risk reduction for the safety function. The performance target for the SIS is defined as a Safety Integrity Level (SIL) related to the SIF’s average probability of failure on demand (PFDAVG).

The ISA 84 standard covers the entire SIS safety life cycle through a rigorous design and controlled management process specified in Clauses numbered 1 through 19. Clauses 1 through 3 provide the administrative framework and definitions for the standard and do not contain requirements. Clause 4 defines compliance with ISA 84, while Clauses 5 through 7 and 19 are programmatic in nature and apply to all life cycle phases. Clauses 8 through 18 specify requirements applicable to the various phases of the life cycle which will result in the design, construction, testing, operations and maintenance of a SIS capable of performing its required SIF(s) upon demand and maintained at its specified SIL.

Table 1 defines the SIS life cycle as a series of phases and identifies the major activities performed in each phase to satisfy the objectives of Clauses 8 through 18. The WRPS SIS life cycle phases are:

Initiation

Design

Construction, Testing and Commissioning

Validation

Operation & Maintenance, Modification, and Decommissioning.

Table 2 provides a matrix showing the WRPS plans and procedures that effectively implement the programmatic requirements specified in Clauses 5 through 7 and 19. Table 3 expands the SIS life cycle in compliance with Clause 6 by identifying the WRPS plans and procedures for each phase along with the phase inputs and outputs.

Implementation of ISA 84 at WRPS is facilitated by the existing quality assurance and nuclear safety infrastructure established to comply with DOE regulations specified in 10 CFR 830 Subparts A and B. This plan identifies, in Tables 1 through 3, the overarching plans and procedures within that infrastructure that satisfy the objectives specified in Clauses 5 through 19. Applying these plans and processes, along with subordinate procedures, to the SIS life cycle as shown in this plan will represent compliance with ISA 84, Part 1 and conformance to Clause 4.

2.3 Clause by Clause Summary of ISA 84

The objectives of each ISA 84 Part 1 Clause are described below with a general summary of the WRPS processes that satisfy those objectives. Specific exceptions, clarifications, modifications, substitutions, additions, or deletions to the requirements specified in ISA 84 are discussed in the following summary on a clause by clause basis.

Clause 4 Conformance to this International Standard

This clause states: “To conform to this International Standard, it shall be shown that each of the requirements outlined in Clauses 5 through 19 has been satisfied to the defined criteria and therefore the clause objective(s) has (have) been met.” The policies, plans and procedures identified in Table 2 show compliance to the objectives of the programmatic requirements specified in Clauses 5 through 7 and 19, while those activities and associated plans and procedures identified in Table 3 show compliance with Clauses 8 through 18. Applying the processes identified in this plan to all phases of the SIS life cycle will show conformance to ISA 84.

Clause 5 Management of Functional Safety

The objective of ISA 84 Clause 5 requirements is to identify the management activities necessary to ensure the functional safety objectives are met. Requirements 5.2.1 through 5.2.5 are met through policies, plans and procedures implementing the QA and Nuclear Safety program requirements specified in 10 CFR 830, Subparts A and B. Clause 5 requirements pertaining to functional safety assessments are met through multiple independent reviews and assessments performed throughout the SIS life cycle phases leading to authorization of the Tank Farm operations. This includes the Safety Basis amendment that adds the SIS as a credited safety significant control, along with all supporting engineering technical reports and calculations. In accordance with WRPS programs and procedures, an independent verification from an equally qualified peer is required for the documentation that establishes the Safety Basis and all supporting engineering documents (including calculations, technical reports, drawings, engineering change notes, and specifications). This requirement extends to the Hazards Analysis, Safety Requirements Evaluation Document, SIL verification calculation, and Functional Safety Assessment Report performed to implement the SIS as a credited safety basis control, as well as the Documented Safety Analysis (DSA) and Technical Safety Requirements (TSR) that establish the Safety Basis. An ISA 84 SME, in accordance with TFC-ENG-DESIGN-P-43, verifies that all safety, design and functional requirements needed to comply with ISA 84 are specified in the final SRED and implemented in the design of the SIS as evidenced in design. TFC-ENG-DESIGN-P-44 requires completion of an FSA Report, which provides a record of verification to demonstrate the SIS was properly developed, and will be operated and maintained in a manner that ensures it is capable of performing its SIF at the required SIL. Table 2 provides a list of policies, plans and procedures that will implement the requirements of Clause 5.

Clause 6 Safety Life Cycle Requirements

ISA 84, Clause 6, discusses the safety life cycle requirements. The safety life cycle structure is defined in Table 1 as a series of phases with activities identified that implement specific ISA 84 Clauses. The SIS life cycle phases, activities, corresponding plans and procedures, as well as phase inputs and outputs are specified in Table 3. WRPS processes that satisfy Clauses 5 through 7 and 19 are specified in Table 3. As shown in Table 2, implementation of this clause is achieved by this Plan (TFC-PLN-138). This clause is applicable throughout all WRPS project phases.

Clause 7 Verification

ISA 84, Clause 7, provides the requirements to demonstrate by review, analysis, and/or testing that the required outputs satisfy the defined requirements for the appropriate phases of the safety life cycle. This clause is applicable throughout all WRPS project phases. WRPS satisfies the objective of Clause 7 by conducting the various life cycle processes in accordance with written procedures. Independent verifications are required for safety related processes. Assessments are conducted to determine that processes have been conducted properly and that the desired output of the process has been met. Design reviews, safety basis implementation checklists, test result reviews and readiness assessments assure that an SIS is capable of performing its required SIF at the required SIL prior to turnover to operations. Operations and maintenance phase verifications come in the form of reviews of proof tests and inspections conducted in accordance with written procedures. Table 2 provides a list of policies, plans and procedures that will implement the requirements of Clause 7.

Clause 8 Process Hazard and Risk Assessment

ISA 84, Clause 8, provides the requirements to perform a hazard and risk assessment of the process and its associated equipment. This clause is implemented by TFC-ENG-DESIGN-C-47.

Clause 9 Allocation of Safety Functions to Protection Layers

ISA 84, Clause 9, discusses the allocation of safety functions to protection layers, the determination of required safety instrumented functions, and the associated safety integrity level. This clause is implemented during the Control Decision Meeting SIS project phase, which is an element of TFC-ENG-DESIGN-C-47.

The following clarifications are applicable to ISA 84, Clause 9:

It is assessed that ISA 84 sub-clause 9.3, which pertains to additional requirements for safety integrity level 4, is not applicable to WRPS. The process hazard analysis procedure (TFC-ENG-DESIGN-C-47) shows that the maximum safety integrity level required for the applicable accident scenarios is SIL-2. Implementing the requirements necessary to achieve and maintain a SIL-4 SS SIS is not considered cost-effective.

ISA 84, Sub-Clause 9.4, states that the basic process control system (BPCS) may be identified as a protection layer with a risk reduction factor of less than 10. In accordance with TFC-ENG-DESIGN-C-47, independent protection layers (IPL) at WRPS need to be safety-class or safety-significant systems, structures, and components (SSC), specific administrative controls (SAC), and Administrative Control (AC) Key Elements. Any use of the BPCS as an IPL needs to conform to these requirements as well as ISA 84, Clause 9.4.

Clause 10 SIS Safety Requirements Specification

ISA 84, Clause 10, identifies the requirements needed to design a SIS to enable it to perform its specified safety instrumented function. TFC-ENG-DESIGN-P-43 is implemented to satisfy this requirement. A Safety Requirements Evaluation Document (SRED) will be produced in accordance with this procedure. Development of the SRED requires performance of a Failure Modes and Effects Analysis (FMEA) for the components of the conceptual design, a SIL scoping calculation, and determination of appropriate proof test methods. Each of these processes is repeated as necessary as the design matures. Table 3 provides a list of policies, plans and procedures that will implement the requirements of Clause 10.

Clause 11 SIS Design and Engineering

ISA 84, Clause 11, provides the requirements for the design of one or multiple SISs to provide the safety instrumented function(s) and meet the specified safety integrity level(s). The SIS design will be in accordance with the design requirements specified in the SRED as developed in accordance with Clause 10, taking into account the requirements and limitations included in Clause 11. The output of the design process will be the engineering documents and drawings developed in accordance with WRPS design processes and procedures (TFC-PLN-03 and TFC-PLN-136). WRPS design processes flow down from the QA requirements specified in TFC-PLN-02. Table 3 provides a list of policies, plans and procedures that will implement the requirements of Clause 11.

The following clarifications are applicable to ISA 84, Clause 11:

TFC-ENG-DESIGN-P-43, General Requirement 4.c, modifies ISA 84, Sub-Clause 11.2.4, which requires that the SS SIS use separate sensors, logic solvers and final elements from the non-safety BPCS. For existing WRPS facilities and other applications where compliance is cost prohibitive, a deviation may be approved by the Chief Engineer and Project Manager after performance of a detailed analysis to show that the dangerous failure rate of the shared component is sufficiently low.


ISA 84, Sub-Clause 11.2.6 will be interpreted as: “Operator action to bring the facility or process system to a safe state as the result of a process system alarm or indication may be considered a component of the SIS if there is sufficient time for the operator to respond to the alarm or indication, and such action can be justified by operator qualification and training.”

ISA 84, Sub-Clause 11.2.11, pertains to the design requirements for subsystems that do not fail to the safe state on loss of power. In addition to loss of electrical power, this sub-clause is interpreted to include any loss of external motive force (e.g., instrument air) that is required to complete the SIF and does not fail a system or subsystem to a safe state. These systems or subsystems should be assessed for detection of the loss of motive force and/or the provision of backup systems. The requirement to address the loss of all types of motive force, not just the inferred electrical power, is necessary where motive forces such as instrument air or pneumatics are required to complete the SIF.

TFC-ENG-DESIGN-P-43 places restrictions on the use of ISA 84 Sub-Clauses 11.4.5 (Alternate Fault Tolerance) and 11.5.3 (Prior Use). Application of these clauses requires approval by the Chief Engineer and Project Engineer.

ISA 84, Sub-Clause 11.5.2.1, which describes the requirements for selecting components and subsystems for use in SIS applications, is modified for WRPS applications to also include the option that components and subsystems may be approved for use in accordance with the Commercial Grade Dedication procedure TFC-ENG-DESIGN-C-15.

A SIL Verification Calculation shall be performed in accordance with TFC-ENG-DESIGN-P-43 to ensure the final design meets the SIL (including target average probability of failure on demand, risk reduction or frequency of dangerous failures to perform the safety instrumented function) and/or hardware fault tolerance requirements specified in the Safety Requirements Evaluation Document. The SIL Verification Calculation will satisfy the requirements of ISA 84, Sub-Clause 11.9.

ISA 84, Sub-Clause 11.9.1, is modified by TFC-ENG-DESIGN-P-43 to provide specific minimum target average probability of failure on demand values for demand mode SIFs and minimum target frequency of dangerous failure values for continuous mode SIFs:

SIL   Mode         Target
1     Demand       PFDAVG ≤ 2×10^-2 (Risk reduction ≥ 50)
2     Demand       PFDAVG ≤ 2×10^-3 (Risk reduction ≥ 500)
1     Continuous   Dangerous Failures ≤ 2×10^-6
2     Continuous   Dangerous Failures ≤ 2×10^-7

For existing facilities and other applications where compliance is cost prohibitive, a deviation may be approved by the Chief Engineer and Project Manager with justification of why the chosen target value is acceptable.

An analysis of the final design, including a design compliance assessment to verify all design requirements in ISA 84, Clause 11, have been met, shall be performed in accordance with TFC-ENG-DESIGN-P-43.


A Safety Requirements Evaluation Document shall be produced in accordance with TFC-ENG-DESIGN-P-43 to document the final design FMEA, SIL Verification, and provide final safety design requirements and controls.
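As an added illustration (not part of the WRPS plan or of TFC-ENG-DESIGN-P-43), the following Python example checks a demand mode SIF against the PFDAVG targets that Sub-Clause 11.9.1 is modified to above. The simplified 1oo1 and 1oo2 equations, the beta factor, and all failure rates and proof test intervals are assumptions constructed for the example.

```python
"""Added example: simplified demand mode SIL check against the PFDAVG
targets tabulated in this plan. Equations and failure data are assumptions."""
from dataclasses import dataclass

# Demand mode targets from the plan's table: SIL -> maximum PFDAVG.
DEMAND_TARGETS = {1: 2e-2, 2: 2e-3}


@dataclass(frozen=True)
class Subsystem:
    name: str
    voting: str        # "1oo1" or "1oo2"
    lambda_du: float   # dangerous undetected failure rate per hour (constructed)
    beta: float = 0.0  # common cause fraction, used only for 1oo2 (assumed)


def subsystem_pfd_avg(sub, proof_test_interval_h):
    """PFDAVG of one subsystem using common simplified approximations."""
    if sub.lambda_du <= 0 or proof_test_interval_h <= 0:
        raise ValueError("failure rate and proof test interval must be positive")
    if not 0.0 <= sub.beta <= 1.0:
        raise ValueError("beta must lie between 0 and 1")
    lt = sub.lambda_du * proof_test_interval_h
    if sub.voting == "1oo1":
        return lt / 2
    if sub.voting == "1oo2":
        independent = ((1 - sub.beta) * lt) ** 2 / 3   # both channels fail
        common_cause = sub.beta * lt / 2               # one cause fails both
        return independent + common_cause
    raise ValueError(f"unsupported voting arrangement: {sub.voting}")


def sif_pfd_avg(subsystems, proof_test_interval_h):
    """Sensor, logic solver and final element act in series, so the SIF fails
    if any one fails; for small values the subsystem PFDAVGs are summed."""
    return sum(subsystem_pfd_avg(s, proof_test_interval_h) for s in subsystems)


def highest_sil_met(pfd_avg):
    """Highest SIL in DEMAND_TARGETS whose target is met, or 0 if none."""
    met = [sil for sil, limit in DEMAND_TARGETS.items() if pfd_avg <= limit]
    return max(met, default=0)


def verify(subsystems, proof_test_interval_h, required_sil):
    """Compare a design's PFDAVG with the target for the required SIL."""
    pfd = sif_pfd_avg(subsystems, proof_test_interval_h)
    achieved = highest_sil_met(pfd)
    return {
        "pfd_avg": pfd,
        "risk_reduction": 1 / pfd,
        "achieved_sil": achieved,
        "meets_requirement": achieved >= required_sil,
    }


# Constructed designs: redundant sensors, single logic solver, and either a
# single or a redundant final element.
BASE = [
    Subsystem("level sensors", "1oo2", 2e-6, beta=0.1),
    Subsystem("logic solver", "1oo1", 1e-7),
    Subsystem("isolation valve", "1oo1", 4e-6),
]
REDUNDANT = BASE[:2] + [Subsystem("isolation valves", "1oo2", 4e-6, beta=0.1)]

if __name__ == "__main__":
    for label, design, interval, sil in [
        ("single valve, annual proof test", BASE, 8760, 1),
        ("redundant valves, annual proof test", REDUNDANT, 8760, 2),
        ("redundant valves, 6-month proof test", REDUNDANT, 4380, 2),
    ]:
        r = verify(design, interval, sil)
        print(f"{label}: PFDAVG={r['pfd_avg']:.2e} "
              f"RRF={r['risk_reduction']:.0f} SIL {r['achieved_sil']} "
              f"required SIL {sil} met={r['meets_requirement']}")
```

With these constructed inputs the single-valve design only just meets the SIL 1 target, and the redundant design reaches the SIL 2 target only when the proof test interval is shortened, because the common cause term dominates the 1oo2 result.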

Clause 12 Requirements for Application Software, Including Selection Criteria for Utility Software

ISA 84, Clause 12, provides the requirements for software used in SIS applications. Application software developed as part of the SIS will be produced in accordance with TFC-ENG-DESIGN-P-12. Embedded software, i.e., firmware embedded in sensors, logic solvers, and final elements that is integral to the performance of the safety function of the SIS, is controlled in accordance with directions provided in TFC-ENG-DESIGN-P-43. Table 3 provides a list of policies, plans and procedures that will implement the requirements of Clause 12.

Clause 13 Factory Acceptance Testing (FAT)

ISA 84, Clause 13, recommends a factory acceptance test (FAT) of the logic solver and associated software together to ensure it satisfies the requirements defined in the safety requirements specification. While ISA 84, Clause 13, is a recommendation, it is WRPS policy that all programmable electronic logic solvers shall have a FAT prior to release for service. The need for a FAT should be specified during the design phase of a project with specific direction provided by the SIS Implementation Plan.

Clause 14 SIS Installation and Commissioning

ISA 84, Clause 14, provides the requirements to install the SIS according to the specifications and drawings, and to commission the SIS so that it is ready for final system validation. SIS installation and commissioning will be done in accordance with the Project Execution Plan, TFC-PLN-84, and the Engineering Change Control Process, TFC-ENG-DESIGN-C-06. SIS construction, construction acceptance testing, and turnover will be performed in accordance with construction project management procedures. Startup testing will be conducted in accordance with a Test Program Plan reviewed and approved by the Joint Test Review Committee. Commissioning will be conducted in accordance with TFC-PLN-72, Project and Facility Turnover Program Plan. Table 3 provides a list of policies, plans and procedures that will implement the requirements of Clause 14.

Clause 15 SIS Safety Validation

ISA 84, Clause 15, provides the requirements to validate, through inspection and testing, that the installed and commissioned SIS and its associated SIFs meet the requirements stated in the safety requirements specifications. WRPS will comply with validation requirements by assessment of outputs from the previous phases prior to commencement of the operation and maintenance phase. The activities include completion of a Functional Safety Assessment datasheet, in accordance with TFC-ENG-DESIGN-P-44, that provides a record of verification to demonstrate the SIS was properly developed, and will be operated and maintained in a manner that ensures it is capable of performing its SIF at the required SIL. Operational and/or management readiness review assessments will be conducted in accordance with a plan developed in accordance with the WRPS Readiness Review Program Plan. These assessments will ensure the facility and SIS are ready to commence operations based on review of equipment, personnel and procedures. Table 3 provides a list of policies, plans and procedures that will implement the requirements of Clause 15.


Clause 16 SIS Operation and Maintenance

ISA 84, Clause 16, addresses the operation and maintenance of the SIS to ensure that the required SIL and designed functional safety are maintained. Upon turnover to operations, the SIS will be maintained and operated in accordance with TFC-OPS-OPER-C-01, through implementation of WRPS operations and maintenance procedures. As a safety significant control, a SIS will be maintained in an operable state, i.e., capable of performing its safety function, at any time the hazards for which it has been designed are present. The operability requirements will be included in the Technical Safety Requirements (TSR) for the facility and the SIS will be fully described in the Documented Safety Analysis (DSA). Proof testing requirements will be in the form of surveillance requirements specified in the TSR. Maintenance of the SIS will be in accordance with TFC-PLN-29, Nuclear Maintenance Management Program. Table 3 provides a list of policies, plans and procedures that will implement the requirements of Clause 16.

Clause 17 SIS Modification

ISA 84, Clause 17, provides the requirements to ensure that modifications to any SIS are properly planned, reviewed, and approved prior to making the change, and that the required SIL is maintained. SIS modifications will be performed in accordance with the Engineering Change Control, TFC-ENG-DESIGN-C-06. An unreviewed safety question determination in accordance with TFC-ENG-SB-C-03 will assess the impact of the modification on the capability of the SIS to perform its SIF. Configuration control will be maintained in accordance with TFC-PLN-23 while activities from other phases (initiation, design, construction, etc.) are implemented as necessary to ensure that the modified SIS will perform its required SIF and maintain its required SIL. Table 3 provides a list of policies, plans and procedures that will implement the requirements of Clause 17.

Clause 18 SIS Decommissioning

ISA 84, Clause 18, ensures that safe conditions are maintained during and after the decommissioning of an SIS. The SIS will only be decommissioned if another control has been implemented that performs the required SIF or if the hazard for which the SIS is designed is no longer present. The USQ process, engineering change control and configuration management processes will satisfy the objective of Clause 18. Table 3 provides a list of policies, plans and procedures that will implement the requirements of Clause 18.

Clause 19 Information and Documentation Requirements

ISA 84, Clause 19, requires that information be available and documented to ensure that all phases of the safety life cycle may be effectively performed, including the verification, validation, and the functional safety assessment activities. This requirement is primarily met through implementation of TFC-PLN-17. Table 2 provides a list of policies, plans and procedures that will implement the requirements of Clause 19.

3.0 DEFINITIONS

Acceptance Test. Inspections and tests performed to validate that the installed and commissioned safety instrumented system and the associated safety instrumented functions achieve the requirements stated in the safety requirement specification.


Basic Process Control System (BPCS). A system that responds to input signals from the process, its associated equipment, other programmable systems and/or an operator, and generates output signals causing the process and its associated equipment to operate in the desired manner. The BPCS does not perform any safety instrumented functions.

Failure Modes and Effects Analysis (FMEA). A failure modes and effects analysis tabulates failure modes of equipment and their effects on a system or plant. The failure mode describes how equipment fails (open, closed, on, off, leaks, etc.). The effect of the failure mode is determined by the system’s response to the equipment failure. An FMEA is well suited to identify single failure modes of automated system functions that either directly result in or contribute significantly to an accident.

Independent Protection Layer (IPL). An IPL is an independent mechanism that reduces risk by control, mitigation, or prevention. IPLs may include but are not limited to: (1) design features such as siting, containment, confinement and shielding, (2) administrative controls that restrict deviations from safe operations through operating procedures or limiting conditions of operation, (3) mechanical or process systems, and (4) an SS SIS.

Phase. A phase is the period within the safety life cycle where the described activities take place.

Probability of Failure on Demand (PFD). A value that indicates the probability of a system failing to respond to a demand. The average probability of a system failing to respond to a demand in a specified time interval is referred to as PFDAVG.

Process Hazards Analysis (PrHA). The detailed examination of a process in order to identify and characterize any hazards associated with the process.

Safety Instrumented Function (SIF). Safety function with a specified safety integrity level which is necessary to achieve functional safety and which can be either a safety instrumented protection function or a safety instrumented control function.

Safety Instrumented System (SIS). An instrumented system that may include sensors, logic solvers, and final control elements used to implement one or more safety functions. Operator actions directed by a Limiting Condition of Operation (LCO) action statement or actions in a SAC may also be considered to be part of an SIS. See below for an example of SIS architecture.

Notes:

1) SIFs can include either safety instrumented control functions or safety instrumented

protection functions or both.

2) A SIS may or may not include software.

3) When a human action is a part of an SIS, the availability and reliability of the operator action must be specified in the SRS and included in performance calculations for the SIS.

Safety Integrity Level (SIL). Discrete level (one out of four) for specifying the safety integrity requirements of the SIFs to be allocated to the SIS. SIL 4 has the highest level and SIL 1 has the lowest.

Safety Life Cycle. Necessary activities involved in the implementation of SIFs occurring during a period of time that starts at the concept phase of a project and finishes when all of the SIFs are no longer available for use.

Safety Requirements Specification (SRS). A specification that contains all the requirements of the SIF that have to be performed by the SIS.

4.0 SOURCES

4.1 Requirements

1. ANSI/ISA-84.00.01-2004 series, “Functional Safety: Safety Instrumented Systems for the Process Industry Sector.”

4.2 References

1. TFC-BSM-CP_CPR-C-05, “Procurement of Services.”

2. TFC-BSM-CP_CPR-C-06, “Procurement of Items (Materials).”

3. TFC-BSM-IRM_STD-11, “Incident Management and Corrective Action Standard.”

4. TFC-CHARTER-33, “Safety Basis Change Review Board.”

5. TFC-CHARTER-43, “Integrated Project Review Team (IRPT).”

6. TFC-ENG-ADMIN-D-07, “Engineering Assessments.”

7. TFC-ENG-DESIGN-C-06, “Engineering Change Control.”

8. TFC-ENG-DESIGN-C-15, “Commercial Grade Dedication.”

9. TFC-ENG-DESIGN-C-25, “Technical Document Control.”

10. TFC-ENG-DESIGN-C-35, “Process Hazard Analysis Determination and Technique Screening.”

11. TFC-ENG-DESIGN-C-47, “Process Hazard Analysis.”

12. TFC-ENG-DESIGN-C-52, “Technical Reviews.”

13. TFC-ENG-DESIGN-C-56, “Modification Traveler.”

14. TFC-ENG-DESIGN-P-12, “Plant Installed Software.”

15. TFC-ENG-DESIGN-P-17, “Design Verification.”

16. TFC-ENG-DESIGN-P-43, “Control Development Process for Safety-Significant Safety Instrumented Systems.”

17. TFC-ENG-DESIGN-P-44, “Safety Instrumented System Functional Safety & Performance Assessment Process.”

18. TFC-ENG-FACSUP-P-01, “TOC System Engineer Program.”

19. TFC-ENG-SB-C-01, “Safety Basis Issuance and Maintenance.”

20. TFC-ENG-SB-C-03, “Unreviewed Safety Question Process.”

21. TFC-ESHQ-AP-C-02, “Independent Assessments/Audits.”

22. TFC-ESHQ-Q_ADM-C-09, “Supplier Quality Assurance Program Evaluation.”

23. TFC-ESHQ-Q_C-C-01, “Problem Evaluation Request.”

24. TFC-OPS-OPER-C-01, “Technical Safety Requirement Compliance.”

25. TFC-OPS-OPER-C-02, “Safety Basis Implementation Checklist Preparation, Review, and Approval.”

26. TFC-OPS-OPER-C-24, “Occurrence Reporting.”

27. TFC-OPS-OPER-C-34, “Independent Verification.”

28. TFC-PLN-02, “Quality Assurance Program Description.”

29. TFC-PLN-03, “Engineering Program Management Plan.”

30. TFC-PLN-05, “Conduct of Operations Implementation Plan.”

31. TFC-PLN-10, “Assessment Program Plan.”

32. TFC-PLN-16, “Operational Readiness Program Plan.”

33. TFC-PLN-17, “Information Resource Management Operational Services Program Description.”

34. TFC-PLN-23, “Configuration Management Plan.”

35. TFC-PLN-26, “Test Program Plan.”

36. TFC-PLN-29, “Nuclear Maintenance Management Program.”

37. TFC-PLN-61, “Tank Operations Contractor Training and Qualification Program.”

38. TFC-PLN-72, “Project and Facility Transition and Closeout Program Plan.”

39. TFC-PLN-80, “Procedure Program Description.”

40. TFC-PLN-84, “Tank Operations Contract Project Execution Management Plan.”

41. TFC-PLN-98, “Inspections, Tests, Analysis, and Acceptance Criteria (ITAAC) Program Plan.”

42. TFC-PLN-136, “Engineering Design Program.”

43. TFC-PLN-138, “Implementation Plan for ISA 84 (Safety Instrumented Systems).”

44. TFC-POL-16, “Integrated Safety Management Policy.”

45. TFC-PRJ-CM-C-01, “Construction Management.”

46. TFC-PRJ-CM-C-08, “Construction Completion and Turnover.”

47. TFC-PRJ-CM-C-16, “Construction Acceptance Testing.”

48. TFC-PRJ-PM-C-28, “Project Turnover and Closeout/Suspension.”

49. TFC-PRJ-SUT-C-02, “Operational Acceptance Test Preparation.”

50. TFC-PRJ-SUT-C-03, “Conduct of Testing.”

51. TFC-PRJ-SUT-C-04, “Test Results Report Preparation.”

Table 1. WRPS SIS Life Cycle Implementing ISA 84 Clause 8 Through 18.

Phase: Initiation
ISA 84: Clauses 8 and 9
Phase Activities: Problem Identification; Hazard Analysis; Control Decision Meeting; Project Initiation

Phase: Design
ISA 84: Clauses 10, 11, and 12
Phase Activities: Draft SRED; Detailed Design; Final SRED; SIL Verification Calculation; Spurious Trip Rate Calculation

Phase: Construction, Testing & Commissioning
ISA 84: Clauses 13 and 14
Phase Activities: Procurement; Construction / installation; Factory Acceptance Testing; Startup Testing; Safety Basis development; Procedure (ops and maint) development; Training; SB Implementation; Project Turnover

Phase: Validation
ISA 84: Clause 15
Phase Activities: Functional Safety Assessment; Operational Readiness Review

Phase: Operation & Maintenance, Modification And Decommissioning
ISA 84: Clauses 16, 17 and 18
Phase Activities: Cognizant System Engineer SIS Health Monitoring; TSR Compliance; Nuclear Maintenance Management; USQ Evaluation; Engineering Change Control; Configuration Management

Table 2. WRPS Policies, Plans and Procedures that Conform to Clause 5 through 7 and 19 Objectives.

ISA 84 Section: 5.2.1
Requirement: General: (1) The policy and strategy for achieving safety shall be identified together with the means for evaluating its achievement and shall be communicated within the organization. (2) A safety management system shall be in place so as to ensure that where safety instrumented systems are used, they have the ability to place and/or maintain the process in a safe state.
WRPS Process or Procedure: TFC-POL-16, Integrated Safety Management Policy; TFC-ENG-SB-01, Safety Basis Document Maintenance Process

ISA 84 Section: 5.2.2
Requirement: Organization and Resources
WRPS Process or Procedure: TFC-PLN-02, Quality Assurance Program Description; TFC-PLN-03, Engineering Program Management Plan; TFC-PLN-61, Tank Operations Contractor Training and Qualification Program

ISA 84 Section: 5.2.3
Requirement: Risk Evaluation and Risk Management: Hazards identified, risk evaluated and controls selected
WRPS Process or Procedure: TFC-ENG-DESIGN-C-47, Process Hazard Analysis

ISA 84 Section: 5.2.4
Requirement: Planning: Safety planning shall take place to define the activities that are required to be carried out along with the persons, department, organization or other units responsible to carry out these activities. This planning shall be updated as necessary throughout the entire safety life cycle
WRPS Process or Procedure: TFC-POL-16, Integrated Safety Management Policy

ISA 84 Section: 5.2.5.1
Requirement: Implementing and Monitoring – prompt follow-up and satisfactory resolutions to recommendations from: (1) Hazard analysis and risk assessment (2) Assessment and auditing activities (3) Verification activities (4) Validation activities (5) Post-incident and post-accident activities
WRPS Process or Procedure: TFC-ENG-DESIGN-C-47, Process Hazard Analysis; TFC-PLN-10, Assessment Program Plan; TFC-ENG-DESIGN-P-17, Design Verification; TFC-ENG-DESIGN-P-44, Safety Instrumented System Functional Safety & Performance Assessment Process; TFC-PLN-26, Test Program Plan; TFC-OPS-OPER-C-24, Occurrence Reporting and Processing of Operations Information; TFC-BSM-IRM-STD-11, Incident Management and Corrective Action Standard; TFC-ESHQ-AP-C-02, Independent Assessments/Audits; TFC-ENG-ADMIN-D-07, Engineering Assessments; TFC-OPS-OPER-C-34, Independent Verification

ISA 84 Section: 5.2.5.2
Requirement: Suppliers QA requirement
WRPS Process or Procedure: TFC-ESHQ-Q_ADM-C-09, Supplier Quality Assurance Program Evaluation; TFC-BSM-CP_CPR-C-05, Procurement of Services; TFC-BSM-CP_CPR-C-06, Procurement of Items (Materials)

ISA 84 Section: 5.2.5.3
Requirement: SIS Performance Evaluation: Identify and prevent systematic failure; Assess whether SIS dangerous failure rates are in accordance with design assumptions
WRPS Process or Procedure: TFC-ENG-FACSUP-P-01, TOC System Engineer Program; TFC-ESHQ-Q_C-C-01, Problem Evaluation Request; TFC-ENG-DESIGN-P-43, Control Development Process for Safety Significant Safety Instrumented Systems

ISA 84 Section: 5.2.6.1
Requirement: Functional Safety Assessment: Procedure for FSA; FSA team structure; Life cycle stages for FSA identified; FSA prior to hazards being present; Development and production tools used subject to FSA; FSA results documented; All relevant information available to FSA team
WRPS Process or Procedure: TFC-ENG-DESIGN-P-44, Safety Instrumented System Functional Safety & Performance Assessment Process; TFC-OPS-OPER-C-02, Safety Basis Implementation Checklist Preparation, Review, and Approval; Facility Documented Safety Analysis (DSA); Facility Technical Safety Requirements (TSR)

ISA 84 Section: 5.2.6.2
Requirement: Auditing and Revision: Procedures developed for auditing to include, frequency of audit, independence of auditors, and record generated by audits; Modification procedures in place
WRPS Process or Procedure: TFC-PLN-10, Assessment Program Plan; TFC-ESHQ-AP-C-02, Independent Assessments/Audits; TFC-ENG-DESIGN-C-06, Engineering Change Control

ISA 84 Section: 5.2.7
Requirement: SIS Configuration Management: Procedures for SIS and software configuration management available
WRPS Process or Procedure: TFC-PLN-23, Configuration Management Plan; TFC-BSM-IRM-STD-02, Software Configuration Management Standard

ISA 84 Section: 6.2
Requirement: Safety Life Cycle Requirements: Safety life cycle phases defined in terms of inputs, outputs and verification activities; Safety planning for each life cycle phase
WRPS Process or Procedure: TFC-PLN-138, ANSI/ISA 84.01-2004 Part 1 Plan

ISA 84 Section: 7.1
Requirement: Verification: Plan; Performed; Documented
WRPS Process or Procedure: TFC-CHARTER-33, Safety Basis Change Review Board; TFC-CHARTER-43, Integrated Project Review Team; TFC-PLN-26, Test Program Plan; TFC-ENG-DESIGN-P-17, Design Verification; TFC-ENG-DESIGN-P-44, Safety Instrumented System Functional Safety Assessment Process

ISA 84 Section: 19
Requirement: Information and Documentation Requirements
WRPS Process or Procedure: TFC-PLN-17, Information Resource Management Operational Services Program Description; TFC-PLN-23, Configuration Management Plan

Table 3. WRPS SIS Safety Life Cycle Activities and Implementing Plans and Procedures.

Phase: INITIATION
Activity: Identification of Need
ISA 84 Clause: NA
Phase Input(s): New/modified process; Potential Inadequacy in Safety Analysis (PISA); DOE direction
WRPS Implementing Documents: TFC-ENG-DESIGN-C-35; TFC-ENG-SB-C-03
WRPS Document Description: Process Hazard Analysis Determination and Technique Screening; Unreviewed Safety Question Process
Phase Output(s): Description of condition that is not bounded by current safety basis

Phase: INITIATION
Activity: Process Hazard Analysis
ISA 84 Clause: 8
Phase Input(s): Description of process in which need for PrHA has been identified
WRPS Implementing Documents: TFC-ENG-DESIGN-C-47
WRPS Document Description: Process Hazard Analysis
Phase Output(s): Hazardous Event(s); Cause(s) of hazardous event(s); Consequence; Potential controls for each cause; Assumptions

Phase: INITIATION
Activity: Control Decision Meeting
ISA 84 Clause: 9
Phase Input(s): Hazardous Event(s); Cause(s) of hazardous event(s); Consequence; Potential controls for each cause; Assumptions
WRPS Implementing Documents: TFC-ENG-DESIGN-C-47
WRPS Document Description: Process Hazard Analysis
Phase Output(s): SIS selected as credited control for specific event cause(s); SIS safety function identified; SIS safety instrumented function (SIF) defined; SIS safety integrity level determined

Phase: INITIATION
Activity: Project Initiation
ISA 84 Clause: NA
Phase Input(s): SIS selected as credited control for specific event cause(s)
WRPS Implementing Documents: TFC-PLN-84; TFC-ENG-DESIGN-C-56
WRPS Document Description: TOC Project Execution Plan; Modification Traveler
Phase Output(s): Projectized Operational Activity to design, construct and commission SIS

Phase: DESIGN
Activity: Develop SIS safety requirements specifications
ISA 84 Clause: 10, 12
Phase Input(s): SIS selected as credited control for specific event cause(s); SIS safety function identified; SIS safety instrumented function (SIF) defined; SIS safety integrity level determined
WRPS Implementing Documents: TFC-ENG-DESIGN-P-43; TFC-ENG-DESIGN-P-12
WRPS Document Description: Control Development Process for Safety Significant Safety Instrumented Systems; Plant Installed Software
Phase Output(s): Conceptual Design; Draft Safety Requirements Evaluation Document (SRED); SIL Scoping Calculation; Proof test methods identified; Spurious Trip Rate Calculation draft; Software Quality Assurance Documentation

Phase: DESIGN
Activity: Detailed Design
ISA 84 Clause: 11
Phase Input(s): Draft SRED containing SIS functional and design requirements; Modification Traveler
WRPS Implementing Documents: TFC-PLN-03; TFC-PLN-136; TFC-PLN-23
WRPS Document Description: Engineering Management Plan; Engineering Design Program; Configuration Management Plan
Phase Output(s): Engineering Drawings; ECNs; Specifications; Procurement technical requirements; Equipment lists; Plant installed software documentation

Phase: DESIGN
Activity: Design Verification
ISA 84 Clause: 10, 11, 12
Phase Input(s): Engineering Drawings; ECNs; Specifications; Equipment lists; Embedded Software; Plant Installed Software
WRPS Implementing Documents: TFC-ENG-DESIGN-P-43; TFC-ENG-DESIGN-C-52; TFC-ENG-DESIGN-P-12
WRPS Document Description: Control Development Process for Safety Significant Safety Instrumented Systems; Technical Reviews; Plant Installed Software
Phase Output(s): Final SRED; FMEA on Final Design; SIL Verification Calculation; Proof Test Methods; Final Spurious Trip Rate Calculation; Software Quality Assurance Documentation

Phase: CONSTRUCTION, TESTING & COMMISSIONING
Activity: Procurement
ISA 84 Clause: 14
Phase Input(s): Procurement technical requirements
WRPS Implementing Documents: TFC-BSM-CP_CPR-C-06; TFC-ENG-DESIGN-C-15
WRPS Document Description: Procurement of Items; Commercial Grade Dedication
Phase Output(s): Components meeting SIS technical requirements

Phase: CONSTRUCTION, TESTING & COMMISSIONING
Activity: Construction/Installation
ISA 84 Clause: 14
Phase Input(s): Engineering Drawings; ECNs; Specifications; Equipment lists; Embedded Software; Plant Installed Software
WRPS Implementing Documents: TFC-PRJ-CM-C-01; TFC-PRJ-CM-C-16; TFC-PRJ-CM-C-08
WRPS Document Description: Construction Management; Construction Acceptance Testing; Construction Completion and Turnover
Phase Output(s): SIS installed and ready for startup testing

Phase: CONSTRUCTION, TESTING & COMMISSIONING
Activity: Factory Acceptance Testing
ISA 84 Clause: 13
Phase Input(s): Equipment fabricated and ready for factory test
WRPS Implementing Documents: TFC-PLN-98; TFC-PLN-26; TFC-BSM-IRM-STD-01
WRPS Document Description: Inspections, Test, Analysis and Acceptance Criteria Program; Test Program Plan; Software Life Cycle Standard
Phase Output(s): SIS equipment and components ready for delivery to WRPS

Phase: CONSTRUCTION, TESTING & COMMISSIONING
Activity: SIS Preoperational Testing
ISA 84 Clause: 14
Phase Input(s): SIS installed and ready for startup testing
WRPS Implementing Documents: TFC-PLN-26; TFC-PLN-98; TFC-PRJ-SUT-C-04
WRPS Document Description: Test Program Plan; Inspections, Test, Analysis and Acceptance Criteria Program; Test Result Report
Phase Output(s): Test Result Report

Phase: CONSTRUCTION, TESTING & COMMISSIONING
Activity: Safety Basis Development
ISA 84 Clause: 14
Phase Input(s): Final SRED
WRPS Implementing Documents: TFC-ENG-SB-C-01; TFC-OPS-OPER-C-02
WRPS Document Description: Safety Basis Document Maintenance Process; Safety Basis Implementation Checklist
Phase Output(s): Revised DSA and TSRs approved by DOE; Safety Basis Implementation Checklist

Phase: CONSTRUCTION, TESTING & COMMISSIONING
Activity: Procedure Development
ISA 84 Clause: 14
Phase Input(s): Final SRED
WRPS Implementing Documents: TFC-PLN-80; TFC-OPS-OPER-C-02
WRPS Document Description: Procedure Program Description; Safety Basis Implementation Checklist Preparation, Review, and Approval
Phase Output(s): Approved procedures for operation and maintenance of SIS

Phase: CONSTRUCTION, TESTING & COMMISSIONING
Activity: Training
ISA 84 Clause: 14
Phase Input(s): Final SRED; Operations and Maintenance procedures
WRPS Implementing Documents: TFC-PLN-61
WRPS Document Description: TOC Training and Qualification Plan
Phase Output(s): Training developed and delivered to operations and maintenance personnel

Phase: CONSTRUCTION, TESTING & COMMISSIONING
Activity: Project Turnover
ISA 84 Clause: 14
Phase Input(s): SIS Testing Complete and approved; Procedures approved; Training complete; SB Implementation Checklist complete
WRPS Implementing Documents: TFC-PLN-72; TFC-PRJ-PM-C-28
WRPS Document Description: Project and Facility Turnover Plan; Project Turnover and Closeout
Phase Output(s): SIS ready for operations

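Phase: VALIDATION
Activity: Functional Safety Assessment
ISA 84 Clause: 15
Phase Input(s): SIS Project Turnover to Operations
WRPS Implementing Documents: TFC-ENG-DESIGN-P-44
WRPS Document Description: Functional Safety Assessment Process
Phase Output(s): Approved FSA Datasheet

Phase: VALIDATION
Activity: Operational Readiness Review
ISA 84 Clause: 15
Phase Input(s): SIS Project Turnover to Operations
WRPS Implementing Documents: TFC-PLN-16; TFC-PRJ-PM-C-08
WRPS Document Description: Readiness Review Program Plan; Operational Readiness Review
Phase Output(s): Identification of readiness for operations; Corrective actions

Phase: OPERATION & MAINTENANCE, MODIFICATION, and DECOMMISSIONING
Activity: System Monitoring, Performance and Reporting
ISA 84 Clause: 16
Phase Input(s): Process authorized to begin operation
WRPS Implementing Documents: TFC-ENG-FACSUP-P-01
WRPS Document Description: TOC System Engineer Program
Phase Output(s): SIS verified capable of performing SIF on demand; SIS SIL validity

Phase: OPERATION & MAINTENANCE, MODIFICATION, and DECOMMISSIONING
Activity: Operation in Compliance with Safety Basis
ISA 84 Clause: 16
Phase Input(s): Process authorized to begin operation
WRPS Implementing Documents: TFC-OPS-OPER-C-01; TFC-PLN-05; TFC-PLN-29
WRPS Document Description: Technical Safety Requirements Compliance; Conduct of Operations Implementation Plan; Nuclear Maintenance Management Program
Phase Output(s): Normal process operations; SIS maintained capable of performing SIF on demand

Phase: OPERATION & MAINTENANCE, MODIFICATION, and DECOMMISSIONING
Activity: Modification
ISA 84 Clause: 17
Phase Input(s): Modification to SIS proposed
WRPS Implementing Documents: TFC-ENG-SB-C-03; TFC-ENG-DESIGN-C-06; TFC-PLN-23; TFC-ENG-DESIGN-P-43; TFC-ENG-DESIGN-P-12
WRPS Document Description: Unreviewed Safety Question Process; Engineering Change Control; Configuration Management Plan; Control Development Process for Safety Significant Safety Instrumented Systems; Plant Installed Software
Phase Output(s): ECNs; Revised SB documents; Revised procedures/training; Software Change Requests

Phase: OPERATION & MAINTENANCE, MODIFICATION, and DECOMMISSIONING
Activity: Decommissioning
ISA 84 Clause: 18
Phase Input(s): SIS determined to be no longer needed
WRPS Implementing Documents: TFC-ENG-SB-C-03; TFC-ENG-DESIGN-C-06; TFC-PLN-23
WRPS Document Description: Unreviewed Safety Question Process; Engineering Change Control; Configuration Management Plan
Phase Output(s): SIS decontaminated and decommissioned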