Achieving Safety Integrity With User Configurable Safety Interlocks

Transcription

1 Achieving Safety Integrity With User Configurable Safety Interlocks Ania Zemlerub, Moshe Yotam and Chris Ambrozic, MKS Instruments Inc. INTRODUCTION Technical operations such as those performed in semiconductor, solar and photovoltaic device fabrication have inherent risks. For example, the equipment employed in these industries may operate at high temperatures, under vacuum conditions and can employ high electrical voltage/ currents and/or extremely hazardous, often pyrophoric and frequently corrosive chemicals. The failure of a critical system component with any of these system characteristics can produce unsafe conditions that can lead to severe injury or death of the operators, not to mention catastrophic damage to costly equipment. Other industrial settings have similar or greater levels of risk. Operational safety is thus of paramount importance in industrial semiconductor and other chemical processing systems. Because of this, a great deal of effort has been expended over the past decades into efforts to establish reliable metrics for the prediction of safe operational conditions for process equipment and to implement designs that meet the acceptable risk level without compromising costs and programmability. Operational safety is of paramount importance in OEM designs and the question of hard-wired safety solutions vs. programmable hardware-based safety solutions must be considered for these designs. In the past, safety engineers have typically resolved this question in favor of hard-wired interlocks in which the logic was wired directly onto the PCB. As an example, consider the semiconductor industry. Semi S2, the Safety Guideline for Semiconductor Manufacturing Equipment, is often cited as the gold standard of interlock safety and it recommends the use of electro-mechanical components for safety interlocks. However, it is commonly overlooked that the Semi S2 guidance also permits the use of solid state devices in a safety system, as long as they can be proven to be safe (cf. S2-93 SEMATECH Application Guide). The question confronting OEMs thus becomes: are operational safety solutions achieved through the use of programmable hardware-based interlocks as safe, or indeed more safe than hard-wired solutions. Since it is often the case that safety is best implemented using hard coded safety in one instance while another is more suited to programmable hardware safety, solution providers must offer safety interlocks in the form of both hardware based, and programmable hardware-based interlock safety boards. Knowing that both options exist, with the required level of safety criteria, is beneficial to the engineer who needs to make a decision about their safety solution. This paper discusses the science underlying programmable hardware safety solutions, express metrics to judge overall safety, and in the end, conclude that the programmable safety board s reliability, is in fact equal to, or greater than that of a traditional hardware interlock solution. PREDICTING SYSTEM SAFETY Mean Time Between Failures () has been used as a metric for the prediction of a system s ability to operate reliably. is described analytically by the following relationships: = 1 λ n λ = λ i i where λ i = failure rate of i th system component and n = number of components in the system. If the failure rate is expressed as per hour then the is in hours. Unfortunately, while is an excellent overall metric for assessing system reliability, it is not a metric that is specific for evaluating system safety. The problem with using as a safety metric is characterized in the following discussion: In any attempt to predict the safety characteristics of a given system, the most important failure rate is that associated with dangerous failures rather than the overall rate of failure of the system, as is the case for. Therefore, in evaluating safety, λ needs to be subdivided into the components that reflect the impact of the type of failure on the system safety (i.e.): λ = λ S + λ DD + λ DU λ S = the rate of safe failures having no impact on safety (The system may cease function but no safety issue will exist); λ DD = the rate of dangerous failures that are detected by the system safety design (Hence the system safety design can avoid a safety issue); λ DU = the rate of dangerous failures that are not detected by the system safety design (Such failures may cause a safety issue). Using these definitions, it can be seen that two systems having the same value can differ significantly in terms of the λ DU value. Thus, serious inequalities in the safety of such systems are not predictable using just the metric. More reliable concepts for the prediction of system safety have emerged in recent years. Specifically, the concept of Safety Integrity Levels (SILs) has evolved for the design of safety critical systems such as those employed in the chemical and semiconductor process industries. Developed over the last two decades, the SIL concept has emerged from efforts to improve the safety of such systems. The concept has been developed with the purpose of moving away from the consideration of safety as an either/or characteristic of a system. Rather than considering a system as safe or unsafe, the SIL concept views safety as a continuous spectrum with a system s position on the spectrum directly related to the level of risk of entering an unsafe state. Risk definition and analysis becomes a critical exercise in the development of safe systems.

2 Page 2 The dominance of electronic control systems and integrated electronic circuitry in modern process technology, coupled with the vastly improved reliability of electronic components, has prompted the development of the international safety standard: IEC61508, Functional Safety of Electrical/ Electronic/Programmable Electronic Safety-related Systems. This standard codifies the requirements for the use and design of electronic and programmable safety functional systems and is commonly used as a method of proving that system safety is at a level sufficient for Semi S2 compliance and certification. Developed using the SIL concept, IEC61508 requires that risk analysis for each determined hazardous event be performed for each functional system within the Equipment Under Control (EUC) to establish functional safety in the entire system. IEC61508 defines risk as a function of the likelihood of an event and the severity of the consequences of that event. The system is considered safe if the risk can be acceptably reduced by applying either electronic circuits and programmable components or the traditional combination of traces and relays. IEC61508 defines four distinct Safety Integrity Levels; Safety Integrity Level 1 (SIL1) is the lowest level and Safety Integrity Level 4 (SIL4) the highest. Under IEC61508, safety systems are sorted into two categories: Continuous (high demand) Mode and On (low) Demand Mode. For example, in a car the braking system constitutes a functional safety system that works in Continuous Mode. The system must be ready to work at all times. On the other hand, the air-bag system is an On Demand functional safety system. It is needed (hopefully!) very rarely and preferably never. But when it is needed, it must work. User configurable safety interlocks, such as those being addressed in this paper, are On Demand functional safety systems. In On Demand systems, the accident rate is defined as a combination of the frequency of demands and the probability that the function will fail on demand (PFD). In Continuous Mode systems, the accident rate is the. Table 1 shows how the SIL levels are defined for On Demand and Continuous Mode safety functional systems. The PFD or Probability of Failure on Demand metric determines the SIL category (1-4) of the system. For example, in Table 1 above, a PFD value in the range 10-4 to 10-3 (e.g. SIL3 for On Demand Mode of Operation) means that for one out of 1000 to 10,000 demands most of the systems will fail. The lower the PFD number, the better the SIL. The relation between SIL and PFD is taken from the IEC standard. SIL On Demand Mode of Operation (Probability of failure to perform its design function on demand) Number of Treated Demands High Demand or Continuous Mode of Operation 1-α = α = 0.95 (Probability of a dangerous failure per hour) Hours of Operation in Total 1-α = α = to < x x to < x x to < x x to < x x to < x x to < x x to < x x to < x x 10 6 Table 1 - Numbers for Continuous Mode of Operation and PFD Numbers (Note - 1-α represents the confidence level; Source - IEC ) USER CONFIGURED SAFETY INTERLOCKS WITH MKS ECM2 Because of the importance of safety, system interlocks that prevent unsafe conditions have traditionally been implemented using hardware-based relay logic solutions locked in at the board level. Typically, when an OEM develops a new piece of equipment for device fab, there will be 2-3 iterations of these board level hardware solutions before the final interlock configuration is achieved. The use of configurable interlocks represents a significant potential for savings in terms of both time and costs. By using this approach to eliminate the need for hardware iterations, the time-to-market or time-tooperation for a new piece of equipment can be significantly reduced with concomitant savings to the commissioning costs of the equipment. For OEMs in the semiconductor industry, these savings translate to a reduction of 8-18 weeks in the time-to-market for new products and a cost saving of $20-60K USD per project. The MKS Ethernet Control Module (ECM2) provides the OEM with user configured safety through the inclusion of a board with configurable interlocks that can be changed through software rather than hardware modifications. This is achieved through the use of a 1oo2 architecture such as is shown in Figure 1. In the Figure 1, F1a and F1b are soft programmable Boolean functions in which each function can include a combination of all available inputs and/or outputs. Program logic is configurable through either a web page or through a control bus on power up. The logic is implemented by creating.csv files through either a Truth Table or a Visim MS-Visio based application and downloaded over main communication channels (i.e. EtherCAT, DeviceNet ).

3 Page 3 Figure 1 - The MKS ECM2 safety subsystem design concept. Figure 2a shows the user interface of the truth table employed for on-line input of the interlock logic; Figure 2b shows a Visim MS-Visio based logic implementation file created off-line to be compiled into a.csv file that is downloaded to the product. The system has a Safe Logic Implementation mode that provides for independent simulations of the inputs and outputs of the programmable unit. The compiled logic can be both uploaded and downloaded. Inputs and outputs are monitored using the software and are viewable through a webpage or over a control network. Several Network Interfaces are available for the status read back, including DeviceNet, Ethernet and EtherCAT. The system has been awarded a SIRA functional safety certification as a SIL3 system under IEC61508 (Figure 3). SIRA is the UK s leading Notified Body for Ex Product Certification (ATEX and IECEx) that sets the standard for IEC61508 Functional Safety certification. Figure 2a - The user interface for Truth Table Figure 2b - The user interface for Visim Figure 3 - SIRA Functional Safety Certification

4 Page 4 RELIABLE FUNCTIONAL SAFETY Using MKS ECM2 User Configurable Interlocks The best way to consider reliable functional safety using the MKS ECM2 user configurable safety logic is to compare it with the level of safety achievable through the use of conventional hardware interlocks. For this comparison, we have had reliability tests performed by an independent testing laboratory on the MKS ECM2 user-configurable interlock system and compared the results with those of similar tests on the MKS ISAC integrated system for automation and control, that includes a benchmark hardware interlock system used in applications comparable to those in which the ECM2 is applied. The SIL value determined for the MKS ECM2 userconfigurable interlock system has been compared with that determined for the hardware interlocked system to establish the relative ranking in terms of safety. MKS ECM2 User Programmable Interlock Evaluations The study examined an interlock board with two FPGA channels. The two channels were subject to a comparator which announced an unhealthy state if the two outputs did not agree. The comparator applies at two levels: logic storage and logic output. The interlock matrix consisted of 64 inputs and 32 outputs. Each output controlled a set of normally open contacts. The architecture of the test is shown schematically in Figure 4. It consists of two channels connected in parallel, such that either channel can process the safety function. There would therefore need to be a dangerous failure in both channels in order for the safety function to fail On Demand. Figure 4 - The block diagrams of the architecture used in testing the MKS User Programmable Safety Interlock. The user configurable interlock system was tested using two failure modes: Mode 1: Safety Related: Failure to provide a relay open circuit contact output in response to defined combinations of 64 digital inputs. Mode 2: Operations related: A spurious loop disconnect output despite no defined combinations of 64 24v digital inputs. and two configurations were assessed: One normally energized output relay offering a break contact in response to an executive action demand. Note: In this configuration, 32 output functions were available. Two normally energized output relays each offering a break contact in response to an executive action demand whereby the user was at liberty to vote the two outputs (e.g. wire them in series). The test established a predicted Failure Rate and Safe Failure Fraction by means of a Failure Mode and Effects Analysis (FMEA); this information is used to assess the system design against a SIL 3 target. Since the Interlock is a risk reduction (trip) function, the test examines an On Demand scenario. The market requirement for SIL 3 functions places a <10-3 PFD requirement on the safety related fail to respond mode. Table 1 provides detail on the relationship between SIL and PFD values.

5 Page 5 There were certain general assumptions in the test: Reliability assessment is a statistical process for applying historical failure data to proposed designs and configurations. It therefore provides a credible target/ estimate of the likely reliability of equipment assuming manufacturing, design and operating conditions identical to those under which the data was collected. The actual predicted values cannot be guaranteed as forecasting the precise number of field failures which will actually occur, since this depends on many factors outside the control of a predictive exercise. Failure rates (λ), for the purpose of this prediction, are assumed to be constant with time. Both early and wear out related failures would decrease the reliability, but are assumed to be removed by burn in and preventive replacement, respectively. Each single component failure that caused system failure was described as a Series Element. This was represented, in fault tree notation, as an or gate whereby any failure causes the event. The system failure rate contribution from this source was obtained from the sum of the individual failure rates. There were specific assumptions as well: The mission was taken as 365 days per year and thus calendar failure rates were applicable. Unrevealed failures those that are not detected by built in system diagnostic - were initially assumed to be subject to a 12 month proof test interval. Revealed failures were assumed to be dealt with within 24 hours. Power supply failure was outside of the scope of this failure model. Pessimistically, any one of the 64 input levels read in error was treated as a failure. Components having no effect other than for factory set up and test were not included. The most usual method of modeling common cause failures (known as the partial BETA method) was to multiply the failure rate of one of the individual items in a redundant configuration by a number known as the β factor. Configuration One relay used as output (Annual Proof Test) One relay used as output (10 Year Proof Test) Two relays used as output (Annual Proof Test) Two relays used as output (10 Year Proof Test) PFD On Demand SFF SIL Claim 1 x % 2 1 x % 2 5 x % 3 6 x % 3 Spurious Response 180 Years 180 Years 175 Years 175 Years Table 2 - The results of the Safety Integrity Assessment for the MKS ECM2 User Programmable Safety Interlock system. The results of the test are shown in Table 2. The PFD values in Table 2 were calculated according to the IEC61508 standard (as defined in IEC {ed1.0}b) using T CE λ = λ DU D T1 3 λ + MTTR + λ MTTR Where T CE is the channel equivalent downtime and MTTR is the Mean Time to Replacement. The average probability of failure on demand for the user configurable interlock is then calculated according to: T1 PFD0 = 2 D DD DU CE GE D DD βλdu MTTR 2 2 (( 1- β ) λ + ( 1- β ) λ ) T T + β λ MTTR + + These test results show that the random hardware failures and safe failure fraction of the configuration meet the requirement of the SILs indicated in the Table. These data show that the MKS User Programmable Interlock is suitable for use in applications up to SIL3 when configured such that two voted output relays are used for the safety function. The Interlock is suitable for applications up to SIL2 when configured such that a single relay is used for the safety function. DD D

6 Page 6 MKS ISAC Hardware Interlock Evaluations To clearly delineate the safety functional options available to the design engineer, it is necessary to compare the SIL3- compliant programmable hardware described above with an example of Semi S2 compliant hardware-only approach and to confirm that the two methods can provide equivalent safety. To accomplish this, we will consider the MKS ISAC, an integrated system that includes a safety circuit. The circuit consists of multiple interlock functions implemented by means of relays and PCB traces. The reliability prediction for the ISAC was performed in accordance with the Telcordia Technologies Special Report SR-332 Reliability Prediction Procedure for Electronic Equipment. The method of prediction employed was Parts Stress Analysis. The reliability prediction was performed for a temperature of 25 C and an environmental condition classed G B. The temperature rise of 10 C above the module ambient temperature was taken for the cards components. General assumptions for the test were: Failure rates of components are constant during equipment life period. The failures of different components are considered statistically independent. The assembly reliability model is a series one failure in any component causes an assembly failure. Only hardware failures were taken into consideration in the reliability prediction. The module was calculated as described in the introduction to the paper. The architecture (1oo1) for the test is described by the block diagrams shown in Figure 5. This 1oo1 architecture is common for hardware interlocking based Semi S2 compliant solutions. It consists of a single channel where any dangerous failure leads to a failure of the safety function when a demand arises. Prediction Method Environment Telcordia Technologies Special Report SR-332, Issue 1 Ambient Temperature 25 C Product λ [FIT] [hours] ISAC Product 10,963 91,216 G B Figure 5 - The block diagrams of the architecture used in testing the MKS ISAC Hardware Interlock The ISAC reported failure rate of a relay was (3006/47) x 10-9 per hour = 64 x 10-9 per hour. Assuming 50% of these failures are safe failures (contact is stuck open) and 50% are dangerous failures (contact is stuck closed) then λdu = 32 x 10-9 per hour. If we assume that there is no diagnostic feature for a contact stuck closed: λdd = 0 Assuming MTTR = 8 hr and Proof Test Interval T1 = 8760 h (one year) T CE = T 1/2 + MTTR = 4388 hr PFD = N x λ DU x T CE where N is the number of relays in the specific interlock function implementation. This is equivalent to the number of inputs to the function. Using this approach to evaluate the ISAC, safety logic that employs up to 7 relays have acceptable SIL values i.e. for N = 7, PFD = 0.98 x 10-3 which just falls within the SIL3 category. Figure 6 shows an example of the hardware implementation of such logic. Logic that requires more than 7 conditions for a single output will have a lower SIL rating. Table 3 - Presents the reliability testing results for the MKS ISAC Hardware Interlock

7 Page 7 Figure 6 - Safe Logic Storage and Load Safe Logic Storage and Load While not specifically included in the Semi S2 requirements, differentiation between different interlock logic versions has been identified as having potential to cause dangerous failures. In the traditional hardware interlock the approach that is used for design of the logic is also used for version identification (hard-coding in traces or relays). A simple ID inquiry over diagnostic channel is used for version verification prior to enabling the logic. No verification of the logic integrity exists in this type of implementation which, in terms of safety, fully relies on PCB MTTR (mean time to replacement). For the MKS ISAC (the HW interlock implementation) based on the study described above, the probability to identify the version correctly was 50 x For a configurable interlock, the logic is stored in non-volatile memory and corruption of this data would lead to an undetectable failure (for the MKS programmable interlock this probability was estimated to be 0.03 x 10-9 ). This would contribute to a reduction in the reliability of the system unless additional, redundant verification is implemented to reduce the risk. The MKS programmable interlock solution stores the logic in two independent locations (one per FPGA channel) and a checksum for each location is stored in a physically separated location. Additionally, a product ID unrelated to the logic is hardcoded (similar to the hardware only solution). Due to lower number of interconnections involved, the failure risk for this is calculated to be only 0.02 x In order for logic to activate while in operational mode, the two logic locations must agree and the product code needs to match that which is sent through a diagnostic channel. This approach to design in configurable interlocks not only provides the same level of protection as hardware interlock (by including hardcoded logic code), it is superior in that it adds a redundant verification for the logic and reduces the number of traces involved in the logic identification. This results in an order of magnitude reduction in the probability of implementing incorrect logic.

8 Page 8 CONCLUSION User Configurable vs. Hardware Interlock The independent testing described in this report proves that the MKS ECM2 User Configurable Interlock achieves SIL3. As summarized in Table 4 the comparison of the ECM2 with the MKS ISAC hardware interlock showed that, while both the traditional hardware and the field configurable approaches achieve SIL3 requirements, the MKS ECM2 User Configurable Interlock is superior in that it maintains the safety rating for significantly larger numbers of inputs to the safety system while imposing no limitation on the number of logical elements used in a safety chain. As well, it is superior in the safe management of logic versions. The MKS ECM2 provides an alternative to the traditional Semi S2 compliant safety solutions that has been proven to be their equivalent, or in some cases, superior. Furthermore, this alternative can be implemented without adding cost and complexity to the logic design (i.e. splitting interlock chains, separating power layers, adding fusing and complicating troubleshooting) while providing the added benefits of a user (in this case - system designer) configurable product. Finally, the pre-certified configurable version of the ECM2 can also help in the prevention of design errors due to any failure to observe the ratio of relays used, their reliability and the number of inputs in the logic chain. REFERENCES EtherCAT is a registered trademark of EtherCAT Technology Group. DeviceNet is a trademark of the Open DeviceNet Vendor Association. Ethernet is a registered trademark of Xerox Corporation. Maximum number of inputs for a single output Probability of failure on demand Probability to identify version correctly Time to configuration change Table 4 - Comparison Summary ISAC interlock SIL3 compliant ECM2 interlock SIL 3 compliant x x x x weeks 2 min