Hardware Safety Integrity. Hardware Safety Design Life-Cycle

Similar documents
Functional safety manual RB223

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis

Type 9160 / Transmitter supply unit / Isolating repeater. Safety manual

The ApplicATion of SIL. Position Paper of

Products Solutions Services. Functional Safety. How to determine a Safety integrity Level (SIL 1,2 or 3)

Safety manual. This safety manual is valid for the following product versions: Version No. V1R0

Failure Modes, Effects and Diagnostic Analysis

Hardware safety integrity (HSI) in IEC 61508/ IEC 61511

The evolution of the cookbook

Failure Modes, Effects and Diagnostic Analysis. PR electronics A/S

Failure Modes, Effects and Diagnostic Analysis

HART Temperature Transmitter for up to SIL 2 applications

Mobrey Hydratect 2462

Type Switching repeater. Safety manual

Failure Modes, Effects and Diagnostic Analysis

HART Temperature Transmitter for up to SIL 2 applications

New developments about PL and SIL. Present harmonised versions, background and changes.

Soliphant M with electronic insert FEM54

SAFETY MANUAL SIL Switch Amplifier

Safety Manual. Vibration Control Type 663. Standard Zone-1-21 Zone Edition: English

MANUAL Functional Safety

Point Level Transmitters. Pointek CLS200 (Standard) Functional Safety Manual 02/2015. Milltronics

MANUAL Functional Safety

FMEDA and Proven-in-use Assessment. Pepperl+Fuchs GmbH Mannheim Germany

FMEDA and Proven-in-use Assessment. G.M. International s.r.l Villasanta Italy

Low voltage switchgear and controlgear functional safety aspects

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis

Functional Safety and Safety Standards: Challenges and Comparison of Solutions AA309

Extension to Chapter 2. Architectural Constraints

FMEDA and Prior-use Assessment. Pepperl+Fuchs GmbH Mannheim Germany

Functional Example AS-FE-I-013-V13-EN

Safety Manual VEGASWING 61, 63. Relay (DPDT) With SIL qualification. Document ID: 52082

FUNCTIONAL SAFETY CERTIFICATE

FMEDA Report Failure Modes, Effects and Diagnostic Analysis and Proven-in-use -assessment KF**-CRG2-**1.D. Transmitter supply isolator

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, MN USA

Vibrating Switches SITRANS LVL 200S, LVL 200E. Relay (DPDT) With SIL qualification. Safety Manual. Siemens Parts

ACT20X-(2)HTI-(2)SAO Temperature/mA converter. Safety Manual

Failure Modes, Effects and Diagnostic Analysis

IQ Pro SIL option TÜV Certified for use in SIL 2 & 3 applications

MANUAL Functional Safety

Proline Prowirl 72, 73

Safe & available...vigilant!

Failure Modes, Effects and Diagnostic Analysis

Soliphant M with electronic insert FEM57 + Nivotester FTL325P

OPTISWITCH 5300C. Safety Manual. Vibrating Level Switch. Relay (2 x SPDT) With SIL qualification

DK32 - DK34 - DK37 Supplementary instructions

INTERNATIONAL STANDARD

2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems 07/2000

Removal of Hardware ESD, Independent of Safety Logic Solver

Rosemount Functional Safety Manual. Manual Supplement , Rev AG March 2015

ProductDiscontinued. Rosemount TankRadar Rex. Safety Manual For Use In Safety Instrumented Systems. Safety Manual EN, Edition 1 June 2007

Service & Support. Functional Safety One Position switch. Safe Machine Concepts without Detours. benefit from the Safety Evaluation Tool.

Safety Manual. VEGABAR series ma/hart - two-wire and slave sensors With SIL qualification. Document ID: 48369

Evaluation Process for the Hardware Safety Integrity Level

FUNCTIONAL SAFETY CERTIFICATE

Sense it! Connect it! Bus it! Solve it! SAFETY MANUAL SWITCHING AMPLIFIERS

ELECTROTECHNIQUE IEC INTERNATIONALE INTERNATIONAL ELECTROTECHNICAL COMMISSION

FUNCTIONAL SAFETY ASSESSMENT: AN ISSUE FOR TECHNICAL DIAGNOSTICS

TABLE OF CONTENTS Executive summary...3 Introduction...5 The PDS method for safety quantification...6 Alternative quantification methods...

MANUAL Functional Safety

Failure Modes, Effects and Diagnostic Analysis

Functional Safety Processes and SIL Requirements

Safety Manual. PROTRAC series ma/hart - four-wire With SIL qualification. Document ID: 49354

Version 5.53 TECHNICAL REFERENCE GUIDE

Using ControlLogix in SIL2 Applications

ISO INTERNATIONAL STANDARD. Safety of machinery Safety-related parts of control systems Part 1: General principles for design

Report. Certificate Z Rev. 00. SIMATIC Safety System

What functional safety module designers need from IC developers

FUNCTIONAL SAFETY CHARACTERISTICS

Using smart field devices to improve safety system performance

Commissioning and safety manual SIL2

Applications & Tools. Technology CPU 317TF-2 DP: Example for determining the Safety Integrity Level (SIL) according to IEC

Intelligent Valve Controller NDX. Safety Manual

ida Certification Services IEC Functional Safety Assessment Project: Masoneilan Smart Valve Interface, SVI II ESD Customer: GE Energy

Achieving Safety Integrity With User Configurable Safety Interlocks

Technical Report Reliability Analyses

LABEL. Invest in Confidence. SIL Actuators

FSO Webnair FSO Safety Functions Module. ABB Group February 11, 2015 Slide 1

Additional Operating Instructions SITRANS F. Vortex flowmeters. Functional Safety for SITRANS FX330.

SIRIUS Safety Integrated. Modular safety system 3RK3

Table of Content: 1 Objective of assessment Abbreviations and glossary System Overview... 6

Safety-related controls SIRIUS Safety Integrated

High Performance Guided Wave Radar Level Transmitter

D5090S INSTRUCTION MANUAL. D A SIL 3 Relay Output Module for NE Load. DIN-Rail and Termination Board, Model D5090S

Special Documentation Liquicap M FMI51, FMI52

Safety manual for Fisher FIELDVUE DVC6200 SIS Digital Valve Controller, Position Monitor, and LCP200 Local Control Panel

Foundation Fieldbus Safety Instrumented System (FF SIS) FF-SIS Meeting. Hannover. April 21, 2004

SIL Declaration of Conformity

Report. Certificate Z SIMATIC S7 F/FH Systems

Executive summary. by Michel Bonnet, Maximilien Laforge, and Jean-Baptiste Samuel

MACX MCR-SL-(2)I-2)I-ILP(-SP)

Special Documentation Soliphant M with electronic insert FEM57 + Nivotester FTL325P

Safety Instrumented System- Requirements for Successful Operation and Maintenance

Controller CMXH. Description STO. Safe Torque Off (STO) [ ]

Options for ABB drives. User s manual Emergency stop, stop category 0 (option +Q951) for ACS880-07/17/37 drives

Loop-powered Transmitter for Thermocouple Type K (NiCr-Ni)

Safety Instrumented Systems: Can They Be Integrated But Separate?

Using ControlLogix in SIL 2 Applications

Transcription:

Hardware Safety Integrity Architecture esign and Safety Assessment of Safety Instrumented Systems Budapest University of Technology and Economics epartment of Measurement and Information Systems Hardware Safety esign Life-Cycle

input interface output interface Fundamental Concepts Risk Reduction and Risk Reduction Factor (RRF) Safety Lifecycle Safety Integrity Level (SIL) Safety Instrumented System (SIS) Safe Failure Fraction (SFF) Independence Levels and consequences Proof Test Interval between two proof tests (T[Proof]) Probability of Failure on emand (PF) Failure Rate (λ) Failure In Time (FIT) Reliability Availability Mean Time To Failure (MTTF) Mean Time Between Failure (MTBF) Mean Time To Repair (MTTR) According to IEC 61508 and IEC 61511 Sensor subsystem Safety Instrumented System (SIS) (sensors and input interface) Logic subsystem (output interface and final elements) Final element subsystem S 1 S F 1 F Process

Basic Notation T 1» Proof-test interval (h) MTTR» Mean time to restoration (hour) C» iagnostic coverage o expressed as a fraction in the equations and as a % elsewhere β» The fraction of undetected failures that have a common cause o expressed as a fraction in the equations and as a % elsewhere β» Of those failures that are detected by the diagnostic tests, the fraction that have a common cause o expressed as a fraction in the equations and as a % elsewhere o tables assume β = β λ» Failure rate (per hour) of a channel in a subsystem angerous and Safe Failure Rates λ» angerous failure rate (per hour) of a channel in a subsystem, equal to 0,5 λ o assumes 50 % dangerous failures and 50 % safe failures λ» etected dangerous failure rate (per hour) of a channel in a subsystem o the sum of all the detected dangerous failure rates within the channel of the subsystem λ» Undetected dangerous failure rate (per hour) of a channel in a subsystem o the sum of all the undetected dangerous failure rates within the channel of the subsystem λ S» etected safe failure rate (per hour) of a channel in a subsystem o the sum of all the detected safe failure rates within the channel of the subsystem 5 6 S S SU

Probability of Failure on emand PF SYS» Average probability of failure on demand of a safety function for the E/E/PE safety-related system o PF G» Average probability of failure on demand for the group of voted channels If the sensor, logic or final element subsystem comprises of only one voted group, then PF G is equivalent to PF S, PF L or PF FE respectively o PF S» Average probability of failure on demand for the sensor subsystem o PF L» Average probability of failure on demand for the logic subsystem o PF FE» Average probability of failure on demand for the final element subsystem Probability of Failure per Hour PFH SYS» Probability of failure per hour of a safety function for the E/E/PE safety-related system o PFH G» Probability of failure per hour for the group of voted channels if the sensor, logic or final element subsystem comprises of only one voted group, then PFH G is equivalent to PFH S, PFH L or PFH FE respectively o PFH S» Probability of failure per hour for the sensor subsystem o PFH L» Probability of failure per hour for the logic subsystem o PFH FE» Probability of failure per hour for the final element subsystem 7 8

and Group Equivalent own Time t CE» equivalent mean down time (hour) for 1oo1, 1oo, oo and oo3 architectures o the combined down time for all the components in the channel of the subsystem t GE» Voted group equivalent mean down time (hour) for 1oo and oo3 architectures o the combined down time for all the channels in the voted group t CE» equivalent mean down time (hour) for 1oo architecture o the combined down time for all the components in the channel of the subsystem t GE» Voted group equivalent mean down time (hour) for 1oo architecture o the combined down time for all the channels in the voted group Safety integrity level (SIL) SIL levels (Safety Integrity Level) RRF (Risk Reduction Factor) PF avg (Average Probability of Failure on emand) 9 Safety integrity level (SIL) Probability of Failure on emand (PF) Risk Reduction Factor (RFF) 4 10-5 to < 10-4 100000 to 10000 3 10-4 to < 10-3 10000 to 1000 10-3 to < 10-1000 to 100 1 10 - to < 10-1 100 to 10 PF avg Tolerable frequency of the accident Frequency of the accident without protection 1 Risk Reduction Factor 10

SFF (Safe Failure Fraction) SFF summarizes the fraction of failures that o lead to a safe state or o will be detected by a diagnostic measure and lead to a defined safety action A hardware fault tolerance of N means that N + 1 faults could cause a loss of the safety function SFF Safe failure fraction S S Hardware fault tolerance 0 1 < 60% SIL 1 SIL SIL 3 60% to < 90% 90% to < 99% SIL SIL 3 SIL 4 SIL 3 SIL 4 SIL 4 99% SIL 3 SIL 4 SIL 4 Type A and Type B Subsystems A subsystem can be regarded as type A if a) the failure modes of all components are well defined; and b) the behavior of the subsystem under fault conditions can be completely determined; and c) there is sufficient dependable failure data from field experience to show that the claimed rates of failure for detected and undetected dangerous failures are met A subsystem shall be regarded as type B if a) the failure mode of at least one component is not well defined; or b) the behavior of the subsystem under fault conditions cannot be completely determined; or c) there is insufficient dependable failure data from field experience to support claims for rates of failure for detected and undetected dangerous failures 1

Type A and Type B Architectural Constraints Type A Safe failure fraction Hardware fault tolerance 0 1 < 60% SIL 1 SIL SIL 3 60% to < 90% 90% to < 99% SIL SIL 3 SIL 4 SIL 3 SIL 4 SIL 4 99% SIL 3 SIL 4 SIL 4 well defined failure modes; and completely determined behavior under fault; and sufficient dependable failure data Type B Safe failure fraction < 60% 60% to < 90% 90% to < 99% Hardware fault tolerance 0 1 Not allowed SIL 1 SIL 3 SIL SIL 3 SIL 4 SIL 3 SIL 4 SIL 4 99% SIL 3 SIL 4 SIL 4 at least one component failure mode is not well defined; or not completely determined behavior under fault; or insufficient dependable failure data Example: Multiple s of Subsystems Subsystems implementing safety function 1 Type B SIL 3 Type A SIL 3 Type A SIL 4 Type B SIL 5 Type B SIL 1 14

Example: Multiple s of Subsystems Architecture reduces to If a safety function is implemented through a single channel, the maximum hardware SIL that can be claimed for the safety function shall be determined by the subsystem that has met the lowest hardware SIL requirements 1 and 4 and 5 SIL SIL 1 3 Type A SIL 15 Multiple s of Subsystems In E/E/PE safety-related systems where a safety function is implemented through multiple channels of subsystems, the maximum hardware SIL that can be claimed for the safety function under consideration shall be determined by a) assessing each subsystem against the requirements of the Type A or Type B SFF table b) grouping the subsystems into combinations; and c) analyzing those combinations to determine the overall hardware safety integrity level 16

Example: Multiple s of Subsystems Architecture reduces to 1,, 4 and 5 3 Type A SIL 3 SIL In the event of a fault occurring in the combination of subsystems 1 and, the safety function could be performed by the combination of subsystems 4 and 5 To take account of this effect, the hardware fault tolerance achieved by the combination of subsystems 1 and is increased by 1 Increasing the hardware fault tolerance by 1 has the effect of increasing the hardware safety integrity level by 1 (see SFF Table) Common Cause Failures The failures of a system arise from two causes: o random hardware failures o systematic failures Common cause failures result from a single cause, but (may) affect more than one channel o may result from a systematic fault (e.g. a design or specification mistake) o from external stress leading to an early random hardware failure (e.g. excessive temperature due to the failure of a common cooling fan) o or a combination of both They do not (necessarily) all manifest themselves simultaneously in all channels 17 18

Model and Means to Reduce Probability of CCF Failures of channel 1 Common cause failures affecting both channels Failures of channel Three avenues that reduce the probability of potentially dangerous common cause failures: a) Reduce the number of random hardware and systematic failures overall b) Maximize the independence of the channels c) Reveal non-simultaneous common cause failures while only one, and before a second, channel has been affected, i.e. use diagnostic tests Using the β-factor to calculate PF due to CCF The probability of dangerous common cause failures without self-diagnosis λ β where o λ is the probability of dangerous random hardware failures for each individual channel and o β is the fraction of single-channel failures that affect all channels The overall probability of failure due to dangerous CCF with self-diagnosis λ β + λ β where o λ is the probability of an undetected failure of a single channel o β is the common cause failure factor for undetectable dangerous faults, which is equal to the overall β-factor in the absence of diagnostic testing o λ is the probability of a detected failure of a single channel o β is the common cause failure factor for detectable dangerous faults. As the rate of diagnostic testing is increased, value of β falls increasingly below β 19 0

Secondary Subsystem SIL Rating Secondary Subsystem SIL Rating Secondary Subsystem SIL Rating Secondary Subsystem SIL Rating SIL Ratings for Combined Subsystems 0.5% Common Cause Failures Primary Subsystem SIL Rating SIL 1 SIL SIL 3 SIL 1 SIL 1 SIL SIL 3 SIL SIL SIL 3 SIL 4 SIL 3 SIL 3 SIL 4 > SIL 4 1% Common Cause Failures Primary Subsystem SIL Rating SIL 1 SIL SIL 3 SIL 1 SIL 1 SIL SIL 3 SIL SIL SIL 3 SIL 4 SIL 3 SIL 3 SIL 4 SIL 4 5% Common Cause Failures Primary Subsystem SIL Rating SIL 1 SIL SIL 3 SIL 1 SIL 1 SIL SIL 3 SIL SIL SIL 3 SIL 4 SIL 3 SIL 3 SIL 4 SIL 4 10% Common Cause Failures Primary Subsystem SIL Rating SIL 1 SIL SIL 3 SIL 1 SIL 1 SIL SIL 3 SIL SIL SIL 3 SIL 3 SIL 3 SIL 3 SIL 3 SIL 3 Avoidance of Systematic Faults 1

Assumptions the hardware failure rates used as inputs to the calculations and tables are for a single channel of the subsystem the channels in a voted group all have the same failure rates and diagnostic coverage for each safety function, there is perfect proof testing and repair the proof test interval is at least an order of magnitude greater than the diagnostic test interval for each subsystem there is a single proof test interval and mean time to restoration the expected interval between demands is at least an order of magnitude greater than the mean time to restoration Average Probability of Failure on emand The average probability of failure on demand (PF avg ) of a safety function is determined by calculating and combining the PF avg for all the subsystems which together provide the safety function PF SYS = PF S + PF L + PF FE where o PF SYS is the average probability of failure on demand of a safety function for the E/E/PE safety-related system o PF S is the average probability of failure on demand for the sensor subsystem; o PF L is the average probability of failure on demand for the logic subsystem; and o PF FE is the average probability of failure on demand for the final element subsystem 4 5

etermining the PF avg for Each Subsystem a) raw the block diagram showing the subsystems b) For each voted group in the subsystem, select from the relevant table o the architecture (e.g. oo3) o the diagnostic coverage of each channel (e.g. 60%) o the λ failure rate (per hour) of each channel (e.g. 5 10-6 ) o the common cause failure β-, β and β factors (e.g. % and 1% respectively) c) Obtain, from the relevant table the average probability of failure on demand for the voted group d) If the safety function depends on more than one voted group of sensors or actuators, the combined average probability of failure on demand is PF PFGi PFFE S ; i 1oo1 Architecture 6 j PF Gj λ iagnostics t c λ λ T1 MTTR t MTTR 1 c t CE t CE t c1 T1 tc MTTR 1 C; C tce PF 1e tce since tce PF G t CE 1 MTTR

1oo Architecture λ iagnostics 1oo λ λ CCF t GE channel equivalent mean down time t CE system equivalent down time t GE PF t t CE GE T1 MTTR T1 MTTR 3 MTTR MTTR T (1 ) (1 ) t t MTTR MTTR 1 CE GE oo Architecture iagnostics oo λ λ t CE λ λ λ λ t CE channel equivalent mean down time t CE average probability of failure on demand PF G t CE PF T1 MTTR tce CE G t MTTR

1oo Architecture t CE PF G iagnostics iagnostics channel equivalent mean down time t CE system equivalent down time t GE 1oo t t CE' GE' T1 T1 3 λ λ S t GE MTTR S MTTR 1 (1 ) (1 ) t t MTTR MTTR λ 1 S CE GE S λ S MTTR S T CCF MTTR oo3 Architecture iagnostics λ λ t CE λ oo3 oo3 CCF t GE channel equivalent mean down time t CE system equivalent down time t GE PF t t CE GE T1 MTTR T1 MTTR 3 MTTR MTTR T (1 ) (1 ) t t MTTR MTTR 1 6 CE GE

Recommended Reading on Calculation of PF Tieling Zhang, Wei Long and Yoshinobu Sato: Availability of systems with self-diagnostic components applying Markov model to IEC 61508-6 Reliability Engineering & System Safety Volume 80, Issue, May 003, Pages 133-141 doi:10.1016/s0951-830(03)00004-8 Received 11 ecember 000; accepted 19 ecember 00; available online 7 February 003 3 Case Study: Pressure Relief System Illustration of how IEC 61508 may be applied in a practical case

The Equipment Under Control The EUC is a pressure vessel, used in a batch process that has a weekly cycle o It is brought, in a controlled manner, to a prescribed pressure using a control loop o The perceived hazard is that the control system might fail, subjecting the vessel to overpressure The final safeguard is a bursting disc, which discharges to a stack, releasing the contents of the vessel into the atmosphere o It is considered to be 100% reliable but its operation is undesirable for environmental and public relations reasons An acceptable level of risk is a 10% probability of a release once in the plant s expected life of ten years Pressure Relief System Installation 34 35

Risk Assessment An acceptable level of risk is a 10% probability of a release once in the plant s expected life of ten years, or once per 10 6 hours The Equipment Under Control risk (EUC risk) is once per year, or once per 10 4 hours The required average probability of failure on demand (PF avg ) of the safety function is 10 - Risk reduction factor is 100: SIL Pressure Relief System Scheme 36 Actuator system Isolator Trip amplifier Isolator Trip amplifier Pressure transmitter 37

Safety Function Realization Pressure transmitter Isolator Trip amplifier Trip amplifier Isolator Actuator system Pressure transmitter Isolator Trip amplifier Isolator Actuator system Architecture 1oo1 1oo1 1oo 1oo1 1oo1 Undetected 1 x 10 dangerous failure -5 rate, λ per year 1. x 10-4 per year 1. x 10-5 per year 0 1 x 10-3 per year Proof test interval 1 year 1 year 1 year 1 week Probability of failure on demand 0.5 x 10-5 6 x 10-5 0.6 x 10-5 0 1 x 10-5 Subsystem type Type A Type A Type B Type A Type A SIL rating > SIL SIL x SIL 1 SIL 3 SIL 4 38

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback