Extension to Chapter 2. Architectural Constraints

Similar documents
Hardware safety integrity (HSI) in IEC 61508/ IEC 61511

Products Solutions Services. Functional Safety. How to determine a Safety integrity Level (SIL 1,2 or 3)

Safety manual. This safety manual is valid for the following product versions: Version No. V1R0

Mobrey Hydratect 2462

Point Level Transmitters. Pointek CLS200 (Standard) Functional Safety Manual 02/2015. Milltronics

Hardware Safety Integrity. Hardware Safety Design Life-Cycle

Evaluation Process for the Hardware Safety Integrity Level

Failure Modes, Effects and Diagnostic Analysis

What functional safety module designers need from IC developers

Functional safety manual RB223

FUNCTIONAL SAFETY ASSESSMENT: AN ISSUE FOR TECHNICAL DIAGNOSTICS

FMEDA Report Failure Modes, Effects and Diagnostic Analysis and Proven-in-use -assessment KF**-CRG2-**1.D. Transmitter supply isolator

FUNCTIONAL SAFETY CERTIFICATE

The evolution of the cookbook

Type 9160 / Transmitter supply unit / Isolating repeater. Safety manual

The ApplicATion of SIL. Position Paper of

MANUAL Functional Safety

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis

Safety Manual. Vibration Control Type 663. Standard Zone-1-21 Zone Edition: English

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, MN USA

FUNCTIONAL SAFETY CERTIFICATE

FUNCTIONAL SAFETY CHARACTERISTICS

New developments about PL and SIL. Present harmonised versions, background and changes.

Analysis on the Application of On-chip Redundancy in the Safety-critical System

SAFETY MANUAL SIL Switch Amplifier

FMEDA and Proven-in-use Assessment. Pepperl+Fuchs GmbH Mannheim Germany

Failure Modes, Effects and Diagnostic Analysis

FMEDA and Prior-use Assessment. Pepperl+Fuchs GmbH Mannheim Germany

HART Temperature Transmitter for up to SIL 2 applications

Proline Prowirl 72, 73

Functional Example AS-FE-I-013-V13-EN

Rosemount Functional Safety Manual. Manual Supplement , Rev AG March 2015

IQ Pro SIL option TÜV Certified for use in SIL 2 & 3 applications

Failure Modes, Effects and Diagnostic Analysis

Type Switching repeater. Safety manual

Failure Modes, Effects and Diagnostic Analysis. PR electronics A/S

ACT20X-(2)HTI-(2)SAO Temperature/mA converter. Safety Manual

Low voltage switchgear and controlgear functional safety aspects

Failure Modes, Effects and Diagnostic Analysis

MANUAL Functional Safety

Functional Safety Processes and SIL Requirements

DK32 - DK34 - DK37 Supplementary instructions

HART Temperature Transmitter for up to SIL 2 applications

ida Certification Services IEC Functional Safety Assessment Project: Masoneilan Smart Valve Interface, SVI II ESD Customer: GE Energy

TABLE OF CONTENTS Executive summary...3 Introduction...5 The PDS method for safety quantification...6 Alternative quantification methods...

OPTISWITCH 5300C. Safety Manual. Vibrating Level Switch. Relay (2 x SPDT) With SIL qualification

Soliphant M with electronic insert FEM54

FMEDA and Proven-in-use Assessment. G.M. International s.r.l Villasanta Italy

MANUAL Functional Safety

Failure Modes, Effects and Diagnostic Analysis

Certificate of Compliance No

Safety manual for Fisher FIELDVUE DVC6200 SIS Digital Valve Controller, Position Monitor, and LCP200 Local Control Panel

Intelligent Valve Controller NDX. Safety Manual

Safety Manual VEGASWING 61, 63. Relay (DPDT) With SIL qualification. Document ID: 52082

Functional Safety and Safety Standards: Challenges and Comparison of Solutions AA309

Safety and Reliability of Software-Controlled Systems Part 14: Fault mitigation

Safe & available...vigilant!

Analysis on the application of on-chip redundancy in the safety-critical system

Application of Functional Safety in All-Electric Control Systems. Dr. Carsten Mahler Prof. Dr. Markus Glaser 24 October 2018

ProductDiscontinued. Rosemount TankRadar Rex. Safety Manual For Use In Safety Instrumented Systems. Safety Manual EN, Edition 1 June 2007

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis

PLUS+1 SC Controller SC0XX-1XX Controller Family

Quartz Valve Position Indicator Rev. 1.1

Vibrating Switches SITRANS LVL 200S, LVL 200E. Relay (DPDT) With SIL qualification. Safety Manual. Siemens Parts

Service & Support. Functional Safety One Position switch. Safe Machine Concepts without Detours. benefit from the Safety Evaluation Tool.

MANUAL Functional Safety

T57 - Process Safety and Critical Control What Solution Best Meets Your Needs?

Safety modules. 8/4 inputs PROFIsafe S20-PSDI8/4

Study and Design on Self-diagnostic Based Safety Pressure Transmitter

Soliphant M with electronic insert FEM57 + Nivotester FTL325P

T72 - Process Safety and Safety Instrumented Systems

Commissioning and safety manual SIL2

Technical Report Reliability Analyses

Hytork XL Pneumatic Actuator

Failure Modes, Effects and Diagnostic Analysis

Hytork XL Pneumatic Actuator

Table of Content: 1 Objective of assessment Abbreviations and glossary System Overview... 6

Micropilot M FMR230/231/232/233/240/244/245

Safety Manual. VEGABAR series ma/hart - two-wire and slave sensors With SIL qualification. Document ID: 48369

itemp HART TMT122 with ma output signal

SIL Declaration of Conformity

It s a safe world after all

Safe and Fault Tolerant Controllers

High Performance Guided Wave Radar Level Transmitter

SIL Safety Manual DOC.SILM.EF.EN, Rev. 0 March EL-O-Matic F-Series Pneumatic Actuator SIL Safety Manual

Energize to Trip Requirement for SIL 3 according to IEC 61511

PLUS+1 Safety Controllers SC0XX-1XX Safety Controller Family

Systematic Capability for Elements

ELECTROTECHNIQUE IEC INTERNATIONALE INTERNATIONAL ELECTROTECHNICAL COMMISSION

Version 5.53 TECHNICAL REFERENCE GUIDE

SIL Safety Manual DOC.SILM.EF.EN Rev. 0 March EL-O-Matic F-Series Pneumatic Actuator SIL Safety Manual

Removal of Hardware ESD, Independent of Safety Logic Solver

Safety Instrumented Systems: Can They Be Integrated But Separate?

IQ SIL Option. IQ actuators for use in applications up to SIL 3. sira CERTIFICATION

ED17: Architectures for Process Safety Applications

Applications & Tools. Technology CPU 317TF-2 DP: Example for determining the Safety Integrity Level (SIL) according to IEC

Safety Manager. Safety Manual. EP-SM.MAN.6283 Issue June Release 145

TWO CHANNELS REDUNDANT SAFETY ARCHITECTURE SINGLE CHANNEL NON-REDUNDANT SAFETY ARCHITECTURE

Transcription:

Extension to Chapter 2. Architectural Constraints Mary Ann Lundteigen Marvin Rausand RAMS Group Department of Mechanical and Industrial Engineering NTNU (Version 0.1) Lundteigen& Rausand Extension to Chapter 2.Architectural Constraints (Version 0.1) 1 / 21

Learning Objectives Learning objectives The main learning objectives associated with these slides are to: To become familiar with motivation for having requirements about architectural design To become familiar with key concepts in relation to architectural constraints Be able to use the rules for architectural constraints in IEC 61508 Be able to identify some pros and cons of applying architectural constraints The slides provide additional information on some selected topics in Chapter 2 in Reliability of Safety-Critical Systems: Theory and Applications. DOI:10.1002/9781118776353. Lundteigen& Rausand Extension to Chapter 2.Architectural Constraints (Version 0.1) 2 / 21

Learning Objectives Outline of Presentation 1 Introduction 2 Learning Objectives 3 Background for Architectural Constraints 4 Key terms 5 Routes for Implementation 6 Critique Lundteigen& Rausand Extension to Chapter 2.Architectural Constraints (Version 0.1) 3 / 21

Background for Architectural Constraints Safety Integrity Recall that safety integrity (and associated SIL requirements) is split into three categories: Hardware safety integrity, which relates to the safety integrity after having considered system architecture and failure probability due to physical degradation. Systematic safety integrity, which relates to the safety integrity achieved after having considered measures to avoid and control mistakes in design, installation, and use. Software safety integrity, which relates to the safety integrity achieved by having adapted restrictions for application programming methods, tools, and associated procedures. A system cannot meet a SIL requirement without fulfilling requirements associted with ALL THREE categories. Lundteigen& Rausand Extension to Chapter 2.Architectural Constraints (Version 0.1) 4 / 21

Background for Architectural Constraints Weakest Link Principle That the system cannot meet a SIL requirement without fulfilling requirements associted with ALL THREE categories can be seen as the weakest link principle. SIL2 Hardware Safety Integrity SIL1 Software Safety Integrity SIL2 Systematic Safety Integrity In the model above, we see that the SIF or the product can only claim SIL 1, since software safety integrity is demonstrated for this level only. Lundteigen& Rausand Extension to Chapter 2.Architectural Constraints (Version 0.1) 5 / 21

Background for Architectural Constraints Hardware Safety Integrity Hardware safety integrity: Part of the safety integrity of a safety-related system relating to random hardware failures in a dangerous mode of failure [IEC 61508] Hardware safety integrity requirements are split into two parts: Demonstrating that the target failure measure (PFD or PFH) is within the specified range of the SIL requirement Demonstrating that the hardware is configured according to thearchitectural constraints BOTH need to be demonstrated to fulfil a SIL requirement with respect to hardware safety integrity. The weakest link principle applies here as well. Lundteigen& Rausand Extension to Chapter 2.Architectural Constraints (Version 0.1) 6 / 21

Background for Architectural Constraints Weakest Link Principle The weakest link principle applies also to hardware safety integrity. Even if the effects of random hardware failures (as PFD or PFH) indicate SIL 3, the hardware safety integrity is limited to SIL 2 due to the architectural constraints complying to SIL 2. SIL3 SIL2 SIL1 Effects of Random Harware Failrues Hardware Safety Integrity Architectural Constraints Software Safety Integrity SIL2 Systematic Safety Integrity Lundteigen& Rausand Extension to Chapter 2.Architectural Constraints (Version 0.1) 7 / 21

Background for Architectural Constraints What is Architectural Constraints Architectural constraints is about: Limiting the freedom in selecting hardware configuration in light of the SIL requirement and properties of the involved components. The purpose of these constraints is to avoid that overly optimistic values of PFD or PFH are used as arguments for selecting too simplistic architectures. There are two routes (or options) for how to determine the architectural constraints in IEC 61508: Route 1 H. Route 2 H. A variant of these routes has been adapted by IEC 61511 for use in process industry sector. We will first focus on route 1 H. Lundteigen& Rausand Extension to Chapter 2.Architectural Constraints (Version 0.1) 8 / 21

Key terms Important Parameters) There are three important parameters to consider: Minimum hardware fault tolerance (minimum HFT) Category A and B Safe failure fraction (SFF) Lundteigen& Rausand Extension to Chapter 2.Architectural Constraints (Version 0.1) 9 / 21

Key terms Application of Archtectural Constraints Architectural constraints are applied at the subsystem level, one by one, so that in the end the whole SIF is covered. Calculation of effect of random hardware failures (PFD og PFH) for the SIF Logic solver Sensor systems Final elements Check for architectural constraints (one subsystem at a time) Lundteigen& Rausand Extension to Chapter 2.Architectural Constraints (Version 0.1) 10 / 21

Minimum HFT Key terms Recall the definition of HFT: Hardware fault tolerance (HFT): Number of dangerous failures tolerated before the sub-system looses its safety function. HFT for a koon voted system is equal to n k. A 2oo4 voted system tolerates 2 dangerous failures so that HFT = 2. The minimum HFT specifies (as the name reads) the minimum of what is acceptable in light of the SIL requirement. Minimum HFT: The HFT mandated by the architectural constraints in light of the SIL requirement Lundteigen& Rausand Extension to Chapter 2.Architectural Constraints (Version 0.1) 11 / 21

Key terms Safe Failure Fraction (SFF) Safe failure fraction (SFF) is a measure of how safe the component respond in the presence of faults. Safe failure fraction (SFF): λs + λ DD SFF = λs + λ DD + λ DU Notations: λ is the failure rate, and the subscripts give the failure category: S for safe, DU for dangerous undetected, and DD for dangerous detected. The SFF has two interpretations: 1. The fraction of all failures that are safe, meaning that they are either safe per definition in IEC 61508 or dangerous detected (DD). 2. The probability that a failure is safe, given that a failure has occured. Lundteigen& Rausand Extension to Chapter 2.Architectural Constraints (Version 0.1) 12 / 21

Type A and Type B Key terms Type A or type B are two categories used to distinguish proven/low-compexity components from unproven/more complex components An component is classified as type A if ALL the following criteria are fulfilled: 1. Failure modes of the element (and all its constituent components) are well defined 2. The behavior of the element under fault conditions can be completely determined 3. There is sufficient dependable failure data to show that the claimed rates of failure for DD and DU failures are met An element is type B if one or more of the above criteria are not met. Lundteigen& Rausand Extension to Chapter 2.Architectural Constraints (Version 0.1) 13 / 21

Key terms Discussion of Classification In what category would you place: A shutdown valve? A solenoid valve? A pressure transmitter A push button? A circuit braker? A logic solver? Explain why. Lundteigen& Rausand Extension to Chapter 2.Architectural Constraints (Version 0.1) 14 / 21

Routes for Implementation Route 1H and 2H There are two routes or options to how architectural constraints are applied: Route 1 H : Determining minimum HFT with SFF This route is explained in more detail on the following slides. Route 2 H : Determining minimum HFT without SFF. This route can only be applied when extensive field data is available. The approach does not allow only point-values for PFD or PFH, but requires also that the confidence level is determined. Route 1 H is focused in this presentation. Lundteigen& Rausand Extension to Chapter 2.Architectural Constraints (Version 0.1) 15 / 21

Routes for Implementation Route 1 H Route 1 H defines the minimum HFT with basis in the: The SIL requirement The safe failure fraction (SFF) of subsystem component(s)/elements. The component category, type A or type B, defined on the basis of system complexity and maturity It is assumed first that each subsystem with redundancy has identifical components. Lundteigen& Rausand Extension to Chapter 2.Architectural Constraints (Version 0.1) 16 / 21

Routes for Implementation Route 1 H The following minimum HFT-SFF-SIL relationship is proposed for subsystems of identifical components: minimum HFT with type A minimum HFT with type B SFF 0 1 2 0 1 2 <60% SIL1 SIL2 SIL3 - SIL1 SIL2 60%, <90% SIL2 SIL3 SIL4 SIL1 SIL2 SIL3 90%, <99% SIL3 SIL4 SIL4 SIL2 SIL3 SIL4 99% SIL3 SIL4 SIL4 SIL3 SIL4 SIL4 Example A smart sensor is often classified as type B. Assume that the SFF has been calculated to 85%. If a SIL 2 requirement is specified, it is necessary to select an architecture with minimum HFT of 1. This could be a 1oo2 architecture or a 2oo3. Lundteigen& Rausand Extension to Chapter 2.Architectural Constraints (Version 0.1) 17 / 21

Routes for Implementation What if Non-Identical Components? The HFT table cannot be used directly if the subsystem consist of non-identical components. In this situation, IEC 61508 suggests the following approach (by us called merging rules ): 1. Study each channel separately: Decide what SIL to claim for each channel as single, considering the principle of weak links if the channel has more than one component 2. Calculate the SIL level of the subsystem by using merging rules : Merging rule: The maximum SIL that can be claimed for at subsystem is determined by the highest SIL level claimed by one of the channels + HFT of the configuration. 3. The merging rules are more easily illustrated in a practical example. Remark.The same approach applies to route 2 H, but then the SIL-level of each element is determined without the SFF. Lundteigen& Rausand Extension to Chapter 2.Architectural Constraints (Version 0.1) 18 / 21

Routes for Implementation Route 1 H Example of using merging rules This channel achieves SIL 2 (restricted by the lowest SIL of elements in series) Element 1 SIL 3 (as single) Element 1 SIL 2 (as single) Element 1 SIL 2 (as single) Element 1 SIL 3 (as single) Element 1 SIL 1 (as single) This channel achieves SIL 1 (same argument) This subsystem achieves SIL 3 (highest SIL +1, if voted 1oo2) This system achieves SIL 2 (restricted by the lowest SIL of series subsystems) Remark: General rule for redundant channels is highest SIL + X, where X is the HFT of the subsystem. Lundteigen& Rausand Extension to Chapter 2.Architectural Constraints (Version 0.1) 19 / 21

Critique I Critique Is the SFF a good measure? Is a DD failure safe and under what conditions? SFF is a relative measure, and it can be problematic to use SFF as a measure for comparing two products Further reading: See this article: http://dx.doi.org/10.1016/j.ress.2008.06.003 Lundteigen& Rausand Extension to Chapter 2.Architectural Constraints (Version 0.1) 20 / 21

Critique II Critique On what basis has the minimum HFT-SFF-SIL relationship been established? Can such prescriptive rules be a false comfort? What would be the alternative(s)? After all, it seems like architectural constraints is a useful concept as a preservation of best practise rules. Lundteigen& Rausand Extension to Chapter 2.Architectural Constraints (Version 0.1) 21 / 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback