PFH and PFDavg Data for Trusted TMR System

Transcription

1 PFH and PFDavg Data for Trusted TMR System Document No Issue 20 Rockwell Automation Publication ICSTT-TD002B-EN-P Date: December 2018

2 Record of Amendments Issue Changes Issue 1 Draft Issue. Issue 2 Issued to TUV for comment. Issue 3 System release 3.3. Issue 4 PFH & PFD calculations based on Siemens SN Edition parts failure rates. MTBF and FPMH added. Issue 5 Example 3 corrected, now 2x. Tables updated. Issue 6 Module list updated. Issue 7 Module list updated with 8310 and Issue 8 All tables corrected. Issue 9 Revised document title Issue 10 HFTs for 8402, 8432 and 8472 corrected. Issue 11 HFTs corrected. Issue 12 Result of 8000 series PFD formulae corrections, 8310 & 8311 PFD of dual and triple formulae used B = 1%. Bd = 0.5% added and used. Issue 13 Results of examples 1, 2 and 4 corrected Issue 14 Correction of 8110B safe failure rates resulting in change to SFF cell X171 was hard coded = 9. Issue , 8449, 8451, 8461, now use XCS30 parts. OFIU updated, new lines 209, 210 added for PSU. Line 279 added and rolled up to line 8 of summary. Changes agreed with TUV 9 th Aug formulae in rows 38 & 39 corrected. Issue CS300 bridge module added Issue 17 Addition of assumptions used during calculations Issue 18 Calculations updated to be IEC 61508:2010 Compliant. Minor edits to bring consistency with other user documents. Issue 19 TUV amendments to soft error values as part of Trusted 3.6 certification added. Issue 20 Updated for Trusted Refresh modules on initial TUV Certificate Revision List. Modified to only show Manual Test Interval (PTI) of 20 years and MTTR of 24 hours. Added Rockwell Automation publication number. Added trademarks statement. Abbreviations FPMH HFT MTBF MTTR PFDavg PFDe PFDde PFHe PFHde SFF MTI Failures Per Million Hours Hardware Fault Tolerance Mean Time Between Failures Mean Time To Repair Probability of Failure on Demand - average Probability of Failure on Demand energised to action Probability of Failure on Demand de-energised to action Probability of Failure per Hour energised to action Probability of Failure per Hour de-energised to action Safe Failure Fraction Manual Test Interval Rockwell Automation Publication ICSTT-TD002B-EN-P Page 2

3 Introduction The information in this document has been compiled as part of the Trusted TMR system IEC 61508:2010 certification, the failure modes and effects analysis of each module having been inspected by TÜV Rheinland. The tables below provide PFDavg data for Trusted TMR system modules used in applications with a 24 hour mean time to repair and a 20 year manual test interval. If a de-energise to trip system is configured to provide a shutdown on the first fault, the MTTR can be considered as infinite and MTTR need not be considered. Assumptions It should be noted that the following assumptions apply to the PFD/PFH calculations of the Trusted TMR system: The random hardware failure rates assume the ambient temperature of the environment in which the system is operating is 40 o C. System operation at an elevated ambient is likely to have a detrimental effect on failure rates. Exposure to Neutrons are assumed to be at sea level (NY, NY) in common with industry standard (JESD89A). The exposure to Neutrons experienced by a system under use at altitude would be expected to be at much greater levels. Capacitors are operated at 50 % of the maximum ratings. The mission time is assumed to be 20 years. Failure Rates Module Module Description MTBF years FPMH T8111C T8151C Communications Interface Triguard Bridge CS300 Bridge T8310C Expander Processor T8311C Expander Interface T8402C Dual 24Vdc Digital Input T8403C TMR 24Vdc Digital Input TMR 120Vdc Digital Input T8424C TMR 120Vac Digital Input T8431C TMR Analogue Input T8432C Dual Analogue Input TMR Isolated Analogue Input Speed Monitor Pulse Generator TMR 24Vdc Zone Interface TMR 24Vdc Valve Monitor T8451C TMR 24Vdc Digital Output T8461C TMR 48Vdc Digital Output TMR 120Vdc Digital Output TMR 120Vac Digital Output T8480C TMR Analogue Output x 750W Power Pack Rockwell Automation Publication ICSTT-TD002B-EN-P Page 3

4 PFH/PFD Data 24 Hour MTTR The following table provide the probability of failures per hour and the probability of failures upon demand for the both energise to trip and de-energise to trip Trusted TMR Series B system configurations. Mean time to repair is 24 hours. MTI = 20 years Module Module Description PFHde PFDde PFHe PFDe T8111C 7.31E E E E-05 T8151C Communications Interface x x x x 8161 Triguard Bridge x 9.66E-07 x 1.18E CS300 Bridge 1.41E E E E-06 T8310C Expander Processor 7.42E E E E-05 T8311C Expander Interface 3.40E E E E-05 T8402C Dual 24Vdc Digital Input 2.75E E E E-05 T8403C TMR 24Vdc Digital Input 2.91E E E E TMR 120Vdc Digital Input 2.91E E E E-05 T8424C TMR 120Vac Digital Input 2.91E E E E-05 T8431C TMR Analogue Input 2.91E E E E-05 T8432C Dual Analogue Input 2.75E E E E TMR Isolated Analogue Input 2.93E E E E Speed Monitor 3.17E E-04 n/a n/a 8444 Pulse Generator 1.33E E E E TMR 24Vdc Zone Interface 1.33E E E E TMR 24Vdc Valve Monitor 1.33E E E E-05 T8451C TMR 24Vdc Digital Output 1.33E E E E-05 T8461C TMR 48Vdc Digital Output 1.33E E E E TMR 120Vdc Digital Output 3.64E E E E TMR 120Vac Digital Output 3.13E E E E-05 T8480C TMR Analogue Output 1.33E E E E-05 Expansion Bus Residual Error Rate PFH/PFD Data The following table provide the probability of failures per hour and the probability of failures upon demand for the Trusted TMR Series B Expansion Bus residual error rate. When the system configuration includes an expansion chassis, the PFH/PFD shown must be added to each Trusted IO module in the expansion chassis (both energise to trip and de-energise to trip configurations). Expansion Bus MTI = 2 years (see Safety Manual) IO Module Description PFH PFD Trusted Input IO Module 2.52E E-07 Trusted Output IO Module 9.88E E-06 Rockwell Automation Publication ICSTT-TD002B-EN-P Page 4

5 Safe Failure Fraction & Hardware Fault Tolerance The following table provides the SFF and HFT data for the Trusted TMR Series B system used in deenergise to trip mode and when used in energise to trip mode. Note: SFFde is for a normally energised system, de-energised to action. A first fault is forced to the safe state and dc output modules incorporate a Group Fail-Safe Switch. Therefore a single failure does not compromise the MTTR. Module Module Description SFF de SFF e HFT T8111C 99.80% 96.02% 1 T8151C Communications Interface x x x T8310C Expander Processor 97.38% 97.26% 1 T8311C Expander Interface 97.19% 97.07% 1 T8402C Dual 24Vdc Digital Input 99.47% 99.23% 1 T8403C TMR 24Vdc Digital Input 99.46% 99.26% 1 T8424C TMR 120Vac Digital Input 99.46% 99.27% 1 T8431C TMR Analogue Input 99.46% 99.27% 1 T8432C Dual Analogue Input 99.47% 99.24% 1 T8451C TMR 24Vdc Digital Output 99.49% 99.01% 1 T8461C TMR 48Vdc Digital Output 99.49% 99.01% 1 T8480C TMR Analogue Output 99.49% 99.01% 1 Rockwell Automation Publication ICSTT-TD002B-EN-P Page 5

6 System Configurations See IEC :2010 for explanations of PFH and PFD calculations. 1.1 Example 1 System with 1 input and 1 output with a manual test interval of 20 years and MTTR = 24 hours, configured as 1oo2 de-energise to trip Series B System PFDavg = PFDavg (ip) + PFDavg (processor) + PFDavg (op) = 2.21E E E Example 2 System with 2 inputs on the same module and 1 output with a manual test interval of 20 years and MTTR = 24 hours, configured as 1oo2 de-energise to trip. s Series B System PFDavg = PFDavg (ip) + PFDavg (processor) + PFDavg (op) = 2.21E E E Example 3 System with 2 inputs on different input modules and 1 output with a manual test interval of 20 years and MTTR = 24 hours, configured as 1oo2 de-energise to trip. s Series B System PFDavg = 2 x (PFDavg (ip)) 2 + PFDavg (processor) + PFDavg (op) = 2 x (2.21E-5) E E-5 Rockwell Automation Publication ICSTT-TD002B-EN-P Page 6

7 1.4 Example 4 System with 1 input and 2 outputs with a manual test interval of 20 years and MTTR = 24 hours, configured as 1oo2 de-energise to trip Series B System PFDavg = PFDavg (ip) + PFDavg (processor) + PFDavg (op) = 2.21E E E-5 Common cause factor of 0.5 % for output modules to be taken into consideration. 1.5 Example 5 System with 1 input in the local chassis and 1 output in an expander chassis with a manual test interval of 20 years (MTI of 2 years for the Expander Bus) and MTTR = 24 hours, configured as 1oo2 de-energise to trip. Expander Interface Module (T8311C) Expander Processor Module (T8310C) 8000 Series B System PFDavg = PFDavg (ip) + PFDavg (processor) + PFDavg (Exp Interface) + PFDavg (Exp Processor) + PFDavg (op) + PFDavg (op residual error) = 2.21E E E E E E-6 Rockwell Automation Publication ICSTT-TD002B-EN-P Page 7

8 1.6 Example 6 System with 1 input in the local chassis and a total of 3 outputs in multiple expansion chasses - 1 output in the first expander chassis and 2 outputs in the second expander chassis - with a manual test interval of 20 years (MTI of 2 years for the Expander Bus) and MTTR = 24 hours, configured as 1oo2 de-energise to trip. Expander Interface Module (T8311C) 1 st Expander Processor Module (T8310C) 1 st 2 nd Expander Processor Module (T8310C) 2 nd 3 rd ` 8000 Series B System PFDavg = PFDavg (ip) + PFDavg (processor) + PFDavg (Exp Interface) + PFDavg (Exp Processor 1) + PFDavg (op 1) + PFDavg (op 1 residual error) + PFDavg (Exp Processor 2) + PFDavg (op 2) + PFDavg (op 2 residual error) + PFDavg (op 3) + PFDavg (op 3 residual error) = 2.21E E E E E E E E E E E-6 Common cause factor of 0.5 % for output modules to be taken into consideration. Rockwell Automation and Trusted are trademarks of Rockwell Automation, Inc. Trademarks not belonging to Rockwell Automation are property of their respective companies. Rockwell Automation Publication ICSTT-TD002B-EN-P Page 8