Failure Modes, Effects and Diagnostic Analysis (FMEDA): ASCO Series 327 Solenoid Valves




Failure Modes, Effects and Diagnostic Analysis

Project: ASCO Series 327 Solenoid Valves FMEDA
Customer: ASCO Numatics, Scherpenzeel, The Netherlands
Contract No.: Q09/04-59
Report No.: ASC 09/04-59 R001
Version V1, Revision R3, September 15, 2010
Author: Steven Close

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document. All rights reserved.

Management summary

This report summarizes the results of the Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the ASCO Series 327 Solenoid Valves. A Failure Modes, Effects, and Diagnostic Analysis is one of the steps to be taken to achieve functional safety certification per IEC 61508 of a device. From the FMEDA, failure rates and Safe Failure Fraction are determined.

The FMEDA that is described in this report concerns the hardware of the ASCO Series 327 Solenoid Valves. For full functional safety certification purposes all requirements of IEC 61508 must be considered.

The Series 327 Solenoid Valves are 3/2 solenoid valves that are direct operated with a balanced poppet. The Models 327B are basic flow models with 1/4 inch pipe connections. The Models 327A are high flow models with 1/4 and 1/2 inch pipe connections. The Models 327B are available in a redundant configuration. The Series 327 Solenoid Valves are offered in four coil power levels. Table 1 lists the model numbers and coil versions for the Series 327 Solenoid Valves covered by this FMEDA.

Table 1  Coil Options

Basic Model Number   Coil Power
327B0/8327G          Basic Power (10.0 to 14 W)
327B1                Medium Power (5.7 to 5.8 W)
327B2                Reduced Power (3.6 to 3.7 W)
327B3                Low Power (1.8 W)
327A6                Basic Power (10.0 to 14 W)

Table 2 gives an overview of the different versions that were considered in the FMEDA of the ASCO Series 327 Solenoid Valves.
Table 2  Version Overview

Model                      Configuration
327B0/8327G                De-energize to trip / Energize to trip, Normally Closed / Normally Open
327B1                      De-energize to trip / Energize to trip, Normally Closed / Normally Open
327B2                      De-energize to trip / Energize to trip, Normally Closed / Normally Open
327B3                      De-energize to trip / Energize to trip, Normally Closed / Normally Open
327A6                      De-energize to trip / Energize to trip, Normally Closed / Normally Open
Redundant 327B0            De-energize to trip / Energize to trip, Normally Closed
Redundant 327B1            De-energize to trip / Energize to trip, Normally Closed
Redundant 327B2            De-energize to trip / Energize to trip, Normally Closed
Redundant 327B3            De-energize to trip / Energize to trip, Normally Closed
MO (Manual Operator) [1]   De-energize to trip
NVR (Manual Operator) [2]  De-energize to trip

[1] The MO manual operator option is used to reset the solenoid manually. It is not part of the safety function of the solenoid valve but does contribute to the failure rates of the solenoid valve.
[2] The NVR manual operator option is used to reset the solenoid manually. It is not part of the safety function of the solenoid valve but does contribute to the failure rates of the solenoid valve.

Steven Close Page 2 of 25

For energize to trip applications the failure rates do not take into account the loss of power to the solenoid.

Failure rates for the Series 327 Solenoid Valves are listed in Table 3, Table 4 and Table 5. Failure rates are listed both with and without partial valve stroke tests (PVST). See section 6 for a definition of PVST. The failure rates for the manual operators are also listed in Table 5. In the tables, DTT = de-energize to trip and ETT = energize to trip.

Table 3  Failure Rates in FIT for Series 327B Solenoid Valves

Failure Category            327B0/8327G      327B1 & 327B2    327B3
                            DTT      ETT     DTT      ETT     DTT      ETT
Fail Safe Detected            0        0       0        0       0        0
Fail Safe Undetected        516       86     216       86     141       86
Fail Dangerous Detected       0        0       0        0       0        0
Fail Dangerous Undetected   188      568     188      268     188      193
Residual                    248      298     248      298     248      298

With PVST
Fail Safe Detected          516       86     216       86     141       86
Fail Safe Undetected          0        0       0        0       0        0
Fail Dangerous Detected     186      562     186      265     186      191
Fail Dangerous Undetected     2        6       2        3       2        2
Residual                    248      298     248      298     248      298

Table 4  Failure Rates in FIT for Series 327B Solenoid Valves (Redundant)

Failure Category            327B0 Redundant  327B1&2 Redundant  327B3 Redundant
                            DTT      ETT     DTT      ETT       DTT      ETT
Fail Safe Detected            0        0       0        0         0        0
Fail Safe Undetected        612      171     312      171       237      171
Fail Dangerous Detected       0        0       0        0         0        0
Fail Dangerous Undetected   356      661     356      361       356      286
Residual                    456      597     456      597       456      597

With PVST
Fail Safe Detected          612      171     312      171       237      171
Fail Safe Undetected          0        0       0        0         0        0
Fail Dangerous Detected     352      654     352      357       352      283
Fail Dangerous Undetected     4        7       4        4         4        3
Residual                    456      597     456      597       456      597

Table 5  Failure Rates in FIT for Series 327A6 Solenoid Valves and Manual Operators

Failure Category            327A6            MO       NVR
                            DTT      ETT     DTT      DTT
Fail Safe Detected            0        0       0        0
Fail Safe Undetected        549      121     104      107
Fail Dangerous Detected       0        0       0        0
Fail Dangerous Undetected   214      640      50       70
Residual                    409      411     123      318

With PVST
Fail Safe Detected          549      121     104      107
Fail Safe Undetected          0        0       0        0
Fail Dangerous Detected     212      634      49       69
Fail Dangerous Undetected     2        6       1        1
Residual                    409      411     123      318

Table 6 lists the failure rates for the Series 327 Solenoid Valves according to IEC 61508.

Table 6  Failure Rates in FIT According to IEC 61508

Model              Configuration   λsd    λsu [3]   λdd    λdu    SFF [4]
327B0/8327G        DTT               0      764       0    188    80.3%
                   ETT               0      384       0    568    40.3%
                   DTT w/PVST      516      248     186      2    99.8%
                   ETT w/PVST       86      298     562      6    99.4%
327B1 & 327B2      DTT               0      464       0    188    71.2%
                   ETT               0      384       0    268    58.9%
                   DTT w/PVST      216      248     186      2    99.7%
                   ETT w/PVST       86      298     265      3    99.6%
327B3              DTT               0      389       0    188    67.4%
                   ETT               0      384       0    193    66.6%
                   DTT w/PVST      141      248     186      2    99.7%
                   ETT w/PVST       86      298     191      2    99.7%
327B0 Redundant    DTT               0     1067       0    356    75.0%
                   ETT               0      768       0    661    53.7%
                   DTT w/PVST      612      456     352      4    99.8%
                   ETT w/PVST      171      597     655      7    99.5%
327B1&2 Redundant  DTT               0      767       0    356    68.3%
                   ETT               0      768       0    361    68.0%
                   DTT w/PVST      312      456     352      4    99.7%
                   ETT w/PVST      171      597     358      4    99.7%
327B3 Redundant    DTT               0      692       0    356    66.1%
                   ETT               0      768       0    286    72.8%
                   DTT w/PVST      237      456     352      4    99.7%
                   ETT w/PVST      171      597     283      3    99.7%
327A6              DTT               0      958       0    214    81.8%
                   ETT               0      532       0    640    45.4%
                   DTT w/PVST      549      409     211      2    99.8%
                   ETT w/PVST      121      411     634      6    99.5%
MO                 DTT               0      226       0     51    81.9%
                   DTT w/PVST      104      123      50      0    99.8%
NVR                DTT               0      425       0     70    85.9%
                   DTT w/PVST      107      318      69      1    99.9%

When using the MO or NVR options, the failure rates for these options must be added to the failure rates of the solenoid models they are used with.

[3] It is important to realize that the Residual failures are included in the safe undetected failure category according to IEC 61508. Note that these failures on their own will not affect system reliability or safety, and should not be included in spurious trip calculations.
[4] The SFF must be calculated for the complete final element. These values are only valid when the solenoid valve constitutes the entire final element.

The ASCO Series 327 Solenoid Valves are classified as Type A [5] devices according to IEC 61508, having a hardware fault tolerance of 0.

The Safe Failure Fraction must be calculated for the entire final element assembly, of which the ASCO Series 327 Solenoid Valves are typically only one component. If the ASCO Series 327 Solenoid Valves are the complete final element, the Safe Failure Fractions listed in Table 6 can be used.

The failure rates listed in this report do not include failures due to wear-out of any components. They reflect random failures and include failures due to external events, such as unexpected use, see section 4.2.2. These failure rates are valid for the useful lifetime of the ASCO Series 327 Solenoid Valves, see Appendix A: Lifetime of critical components.

A user of the Series 327 Solenoid Valves can utilize these failure rates in a probabilistic model of a safety instrumented function (SIF) to determine suitability in part for safety instrumented system (SIS) usage in a particular safety integrity level (SIL). A full table of failure rates is presented in section 4 along with all assumptions.

[5] Type A component: Non-Complex component with well-defined failure modes, for details see 7.4.3.1.2 of IEC 61508-2.

Table of Contents

Management summary ... 2
1 Purpose and Scope ... 8
2 Project management ... 9
  2.1 exida ... 9
  2.2 Roles of the parties involved ... 9
  2.3 Standards / Literature used ... 9
  2.4 Reference documents ... 10
    2.4.1 Documentation provided by ASCO Numatics ... 10
    2.4.2 Documentation generated by exida ... 10
3 Product Description ... 11
4 Failure Modes, Effects, and Diagnostics Analysis ... 13
  4.1 Description of the failure categories ... 13
  4.2 Methodology FMEDA, Failure rates ... 13
    4.2.1 FMEDA ... 13
    4.2.2 Failure rates ... 14
  4.3 Assumptions ... 15
  4.4 Results ... 15
5 Using the FMEDA results ... 20
  5.1 Air quality failures ... 20
  5.2 PFD AVG calculation Series 327 Solenoid Valves ... 20
6 Terms and Definitions ... 22
7 Status of the document ... 23
  7.1 Liability ... 23
  7.2 Releases ... 23
  7.3 Future Enhancements ... 23
  7.4 Release Signatures ... 23
Appendix A: Lifetime of critical components ... 24
Appendix B: Proof tests to reveal dangerous undetected faults ... 25
  B.1 Proof test ... 25

1 Purpose and Scope

Generally three options exist when doing an assessment of sensors, interfaces and/or final elements.

Option 1: Hardware assessment according to IEC 61508

Option 1 is a hardware assessment by exida according to the relevant functional safety standard(s) like IEC 61508 or EN 954-1. The hardware assessment consists of a FMEDA to determine the fault behavior and the failure rates of the device, which are then used to calculate the Safe Failure Fraction (SFF) and the average Probability of Failure on Demand (PFD AVG). When appropriate, fault injection testing will be used to confirm the effectiveness of any self-diagnostics. This option provides the safety instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511. This option does not include an assessment of the development process.

Option 2: Hardware assessment with proven-in-use consideration per IEC 61508 / IEC 61511

Option 2 extends Option 1 with an assessment of the proven-in-use documentation of the device including the modification process. This option for pre-existing programmable electronic devices provides the safety instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511. When combined with plant specific proven-in-use records, it may help with prior-use justification per IEC 61511 for sensors, final elements and other PE field devices.

Option 3: Full assessment according to IEC 61508

Option 3 is a full assessment by exida according to the relevant application standard(s) like IEC 61511 or EN 298 and the necessary functional safety standard(s) like IEC 61508 or EN 954-1. The full assessment extends Option 1 by an assessment of all fault avoidance and fault control measures during hardware and software development. This option provides the safety instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511 and confidence that sufficient attention has been given to systematic failures during the development process of the device.

This assessment shall be done according to Option 1.

This document shall describe the results of the hardware assessment in the form of the Failure Modes, Effects and Diagnostic Analysis carried out on the ASCO Series 327 Solenoid Valves. From this, failure rates, Safe Failure Fraction (SFF) and example PFD AVG values are calculated. The information in this report can be used to evaluate whether a final element subsystem meets the average Probability of Failure on Demand (PFD AVG) requirements and the architectural constraints / minimum hardware fault tolerance requirements per IEC 61508 / IEC 61511.

2 Project management

2.1 exida

exida is one of the world's leading knowledge companies specializing in automation system safety and availability with over 300 years of cumulative experience in functional safety. Founded by several of the world's top reliability and safety experts from assessment organizations and manufacturers, exida is a partnership with offices around the world. exida offers training, coaching, project oriented consulting services, internet based safety engineering tools, detail product assurance and certification analysis and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment.

2.2 Roles of the parties involved

ASCO Numatics   Manufacturer of the ASCO Series 327 Solenoid Valves
exida           Project leader of the FMEDA

ASCO Numatics contracted exida in October 2009 with the FMEDA of the above-mentioned device.

2.3 Standards / Literature used

The services delivered by exida were performed based on the following standards / literature.

[N1] IEC 61508-2: 2000, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
[N2] exida L.L.C, Electrical & Mechanical Component Reliability Handbook, Second Edition, 2008, ISBN 978-0-9727234-6-6
[N3] exida L.L.C, Safety Equipment Reliability Handbook, Third Edition, 2007, ISBN 978-0-9727234-9-7
[N4] Goble, W.M., 1998, Control Systems Safety Evaluation and Reliability, ISA, ISBN 1-55617-636-8. Reference on FMEDA methods
[N5] IEC 60654-1:1993-02, second edition, Industrial-process measurement and control equipment, Operating conditions, Part 1: Climatic conditions
[N6] Goble, W.M. and Cheddie, H., 2005, Safety Instrumented Systems Verification, Practical Probabilistic Calculations, ISA, ISBN 1-55617-909-X
[N7] Electrical & Mechanical Component Reliability Handbook, 2nd Edition, 2008, Section 6: Reliability Data Mechanical Components
[N8] O'Brien, C. & Bredemeyer, L., 2009, exida L.L.C, Final Elements & the IEC 61508 and IEC 61511 Functional Safety Standards, ISBN-13: 978-1-934977-01-9

2.4 Reference documents

2.4.1 Documentation provided by ASCO Numatics

[D1]  PIC-12-10-GB           Solenoid Valves - Redundant, Direct Operated basic flow, balanced poppet
[D2]  PIC-6-50-GB            Solenoid Valves - Direct Operated, for linear actuators (VDE 3845) 1/4, Direct Mount
[D3]  PIC-6-20-GB            Solenoid Valves - Redundant, Direct Operated, NAMUR
[D4]  PIC-11-20-GB           Solenoid Valves - no voltage release (tamperproof) manual reset construction
[D5]  PIC-2-50-GB            Solenoid Valves - Direct Operated basic flow, balanced poppet 1/4
[D6]  123650                 3/2 Direct Operated Universal Construction
[D7]  132075                 Reduced Power Construction
[D8]  117600                 3/2 Universal Direct Operated
[D9]  PIC-2-55-GB            Solenoid Valves - Direct Operated high flow, balanced poppet 1/4 to 1/2
[D10] PIC-11-25-GB           Solenoid Valves - no voltage release (tamperproof) manual reset construction
[D11]                        3/2 Series 8327 High Flow Direct acting valves
[D12] 131222                 327, MO & NVR
[D13] 131223                 327 DN6, NVR Tamperproof
[D14] No date or Revision    3/2 Series 8327 High Flowing Direct Acting Valves

2.4.2 Documentation generated by exida

[R1] ASCO_090459_327_FMEDA_R5.xls                      Failure Modes, Effects and Diagnostic Analysis, Series 327 Solenoid Valves (internal document)
[R2] ASC 090459_327_FMEDA R001 V1R3.doc, 9/15/2010     FMEDA report, Series 327 Solenoid Valves (this report)

3 Product Description

The Series 327 Solenoid Valves are 3/2 solenoid valves that are direct operated with a balanced poppet. The Models 327B are basic flow models with 1/4 inch pipe connections. The Models 327A are high flow models with 1/4 and 1/2 inch pipe connections. The Models 327B are available in a redundant configuration. The Series 327 Solenoid Valves are offered in four coil power levels.

The Series 327 Solenoid Valves are available with manual operators that are used to reset the solenoid to the energized position after a trip. The manual operators do not serve a safety function.

Table 7 lists the model numbers and coil versions of the Series 327 Solenoid Valves covered by this FMEDA.

Table 7  Coil Options

Basic Model Number   Coil Power
327B0/8327G          Basic Power (10.0 to 14 W)
327B1                Medium Power (5.7 to 5.8 W)
327B2                Reduced Power (3.6 to 3.7 W)
327B3                Low Power (1.8 W)
327A6                Basic Power (10.0 to 14 W)

Figure 1 shows a direct operated, basic flow, balanced poppet Series 327 Solenoid Valve.

Figure 1: Series 327 Solenoid Valve

Table 8 gives an overview of the different versions that were considered in the FMEDA of the ASCO Series 327 Solenoid Valves.

Table 8  Version Overview

Model                      Configuration
327B0/8327G                De-energize to trip / Energize to trip, Normally Closed / Normally Open
327B1                      De-energize to trip / Energize to trip, Normally Closed / Normally Open
327B2                      De-energize to trip / Energize to trip, Normally Closed / Normally Open
327B3                      De-energize to trip / Energize to trip, Normally Closed / Normally Open
327A6                      De-energize to trip / Energize to trip, Normally Closed / Normally Open
Redundant 327B0            De-energize to trip / Energize to trip, Normally Closed
Redundant 327B1            De-energize to trip / Energize to trip, Normally Closed
Redundant 327B2            De-energize to trip / Energize to trip, Normally Closed
Redundant 327B3            De-energize to trip / Energize to trip, Normally Closed
MO (Manual Operator) [6]   De-energize to trip
NVR (Manual Operator) [7]  De-energize to trip

For energize to trip applications the failure rates do not take into account the loss of power to the solenoid.

The Series 327 Solenoid Valves are classified as Type A [8] devices according to IEC 61508, having a hardware fault tolerance of 0.

[6] The MO manual operator option is used to reset the solenoid manually. It is not part of the safety function of the solenoid valve but does contribute to the failure rates of the solenoid valve.
[7] The NVR manual operator option is used to reset the solenoid manually. It is not part of the safety function of the solenoid valve but does contribute to the failure rates of the solenoid valve.
[8] Type A component: Non-Complex component with well-defined failure modes, for details see 7.4.3.1.2 of IEC 61508-2.

4 Failure Modes, Effects, and Diagnostics Analysis

The Failure Modes, Effects, and Diagnostic Analysis was performed based on documentation obtained from ASCO Numatics and is documented in [R1].

4.1 Description of the failure categories

In order to judge the failure behavior of the Series 327 Solenoid Valves, the following definitions for the failure of the solenoid valves were considered.

Fail-Safe State              For de-energize to trip: state where the solenoid is de-energized and the spring is extended. For energize to trip: state where the solenoid is energized and the spring is compressed.
Fail Safe                    Failure that causes the valve to go to the defined fail-safe state without a demand from the process.
Fail Dangerous               Failure that does not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state).
Fail Dangerous Undetected    Failure that is dangerous and that is not being diagnosed by an automatic diagnostic such as partial valve stroke testing.
Fail Dangerous Detected      Failure that is dangerous but is detected by an automatic diagnostic such as partial valve stroke testing.
Residual                     Failure of a component that is part of the safety function but that has no effect on the safety function.

The failure categories listed above expand on the categories listed in IEC 61508, Edition 2000, which are only safe and dangerous, both detected and undetected. In IEC 61508 the No Effect failures are defined as safe undetected failures even though they will not cause the safety function to go to a safe state. Therefore they need to be considered in the Safe Failure Fraction calculation.

4.2 Methodology FMEDA, Failure rates

4.2.1 FMEDA

A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system in consideration.

An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with extensions to identify online diagnostic techniques and the failure modes relevant to safety instrumented system design. It is a technique recommended to generate failure rates for each important category (safe detected, safe undetected, dangerous detected, dangerous undetected, fail high, fail low) in the safety models. The format for the FMEDA is an extension of the standard FMEA format from MIL STD 1629A, Failure Modes and Effects Analysis.

4.2.2 Failure rates

The failure rate data used by exida in this FMEDA is from the Electrical and Mechanical Component Reliability Handbook, which was derived using field failure data from multiple sources and failure data from various databases. The rates were chosen in a way that is appropriate for safety integrity level verification calculations. The rates were chosen to match exida Profile 3, see Table 9. It is expected that the actual number of field failures due to random events will be less than the number predicted by these failure rates.

Table 9  exida Environmental Profiles

Profile 1: Cabinet Mounted Equipment
  General description: Cabinet mounted equipment typically has significant temperature rise due to power dissipation but is subjected to only minimal daily temperature swings.
  Profile per IEC 60654-1: B2
  Ambient temperature, average (external): 30 °C
  Mean temperature (inside box): 60 °C
  Temperature cycle: 5 °C / 365 days

Profile 2: Low Power / Mechanical Field Products
  General description: Mechanical / low power electrical (two-wire) field products have minimal self heating and are subjected to daily temperature swings.
  Profile per IEC 60654-1: C3
  Ambient temperature, average (external): 25 °C
  Mean temperature (inside box): 30 °C
  Temperature cycle: 25 °C / 365 days

Profile 3: General Field Equipment
  General description: General (four-wire) field products may have moderate self heating and are subjected to daily temperature swings.
  Profile per IEC 60654-1: C3
  Ambient temperature, average (external): 25 °C
  Mean temperature (inside box): 45 °C
  Temperature cycle: 25 °C / 365 days

Profile 4: Unprotected Mechanical Field Products
  General description: Unprotected mechanical field products with minimal self heating, are subject to daily temperature swings and rain or condensation.
  Profile per IEC 60654-1: D1
  Ambient temperature, average (external): 25 °C
  Mean temperature (inside box): 30 °C
  Temperature cycle: 35 °C / 365 days

For hardware assessment according to IEC 61508 only random equipment failures are of interest. It is assumed that the equipment has been properly selected for the application and is adequately commissioned such that early life failures (infant mortality) may be excluded from the analysis. Failures caused by external events however should be considered as random failures. Examples of such failures are loss of power, physical abuse, or problems due to intermittent instrument air quality.

The assumption is also made that the equipment is maintained per the requirements of IEC 61508 or IEC 61511 and therefore a preventive maintenance program is in place to replace equipment before the end of its useful life. Corrosion, erosion, coil burnout etc. are considered age related (late life) or systematic failures, provided that materials and technologies applied are indeed suitable for the application, in all modes of operation.

The user of these numbers is responsible for determining their applicability to any particular environment. Accurate plant specific data may be used for this purpose. If a user has data collected from a good proof test reporting system that indicates higher failure rates, the higher numbers shall be used. Some industrial plant sites have high levels of stress. Under those conditions the failure rate data is adjusted to a higher value to account for the specific conditions of the plant.

4.3 Assumptions

The following assumptions have been made during the Failure Modes, Effects, and Diagnostic Analysis of the Series 327 Solenoid Valves.

- Only a single component failure will fail the entire solenoid valve.
- Failure rates are constant; wear out mechanisms are not included.
- Propagation of failures is not relevant.
- All components that are not part of the safety function and cannot influence the safety function (feedback immune) are excluded.
- The stress levels are average for an industrial environment and can be compared to the Ground Fixed classification of MIL-HDBK-217F. Alternatively, the assumed environment is similar to:
  o IEC 60654-1, Class Dx (outdoor location) with temperature limits within the manufacturer's rating. Other environmental characteristics are assumed to be within manufacturer's rating.
- If Partial Valve Stroke Testing is claimed as a diagnostic it must be automatically executed.
- Partial Valve Stroke testing of the Safety Instrumented Function provides a timed full cycle test of the solenoid valve.
- The solenoid valves are generally applied in relatively clean gas, therefore no severe service has been considered in the analysis.
- Solenoid valves are used with clean, dry air or inert gas filtered to 50 micrometers or better.
- Materials are compatible with process conditions.
- The solenoid valves are installed per manufacturer's instructions.
- Failure rates do not include loss of power to the solenoid.

4.4 Results

Using reliability data extracted from the exida component reliability database, the following failure rates resulted from the ASCO Numatics Series 327 Solenoid Valves FMEDA. Failure rates for the Series 327 Solenoid Valves are listed in Table 10, Table 11, and Table 12. Failure rates are listed both with and without partial valve stroke tests (PVST). See section 6 for a definition of PVST. The failure rates for the manual operators are also listed in Table 12. In the tables, DTT = de-energize to trip and ETT = energize to trip.

Table 10  Failure Rates in FIT for Series 327B Solenoid Valves

Failure Category            327B0/8327G      327B1 & 327B2    327B3
                            DTT      ETT     DTT      ETT     DTT      ETT
Fail Safe Detected            0        0       0        0       0        0
Fail Safe Undetected        516       86     216       86     141       86
Fail Dangerous Detected       0        0       0        0       0        0
Fail Dangerous Undetected   188      568     188      268     188      193
Residual                    248      298     248      298     248      298

With PVST
Fail Safe Detected          516       86     216       86     141       86
Fail Safe Undetected          0        0       0        0       0        0
Fail Dangerous Detected     186      562     186      265     186      191
Fail Dangerous Undetected     2        6       2        3       2        2
Residual                    248      298     248      298     248      298

Table 11  Failure Rates in FIT for Series 327B Solenoid Valves (Redundant)

Failure Category            327B0 Redundant  327B1&2 Redundant  327B3 Redundant
                            DTT      ETT     DTT      ETT       DTT      ETT
Fail Safe Detected            0        0       0        0         0        0
Fail Safe Undetected        612      171     312      171       237      171
Fail Dangerous Detected       0        0       0        0         0        0
Fail Dangerous Undetected   356      661     356      361       356      286
Residual                    456      597     456      597       456      597

With PVST
Fail Safe Detected          612      171     312      171       237      171
Fail Safe Undetected          0        0       0        0         0        0
Fail Dangerous Detected     352      654     352      357       352      283
Fail Dangerous Undetected     4        7       4        4         4        3
Residual                    456      597     456      597       456      597

Table 12  Failure Rates in FIT for Series 327A6 Solenoid Valves and the MO / NRV options
(DTT = de-energize to trip, ETT = energize to trip; the original sub-headings survive only as "... to trip" fragments, so this reading is an inference)

                           327A6            MO      NRV
Failure Category          DTT     ETT
Fail Safe Detected          0       0         0        0
Fail Safe Undetected      549     121       104      107
Dangerous Detected          0       0         0        0
Dangerous Undetected      213     640        50       70
Residual                  409     410       123      318

With PVST
Fail Safe Detected        549     121       104      107
Fail Safe Undetected        0       0         0        0
Dangerous Detected        211     634        49       69
Dangerous Undetected        2       6         1        1
Residual                  409     410       123      318

The failure rates derived from the FMEDA for the Series 327 Solenoid Valves are in a format different from the IEC 61508 format. Table 13 lists the failure rates for the Series 327 Solenoid Valves according to IEC 61508.

According to IEC 61508 [N1], the Safe Failure Fraction (SFF) of the Series 327 Solenoid Valves should be calculated. The Safe Failure Fraction is the fraction of the overall failure rate of a device that results in either a safe fault or a diagnosed unsafe fault. This is reflected in the following formula for SFF:

SFF = 1 - λDU / λtotal = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU)

Note that according to the IEC 61508 (edition 2000) definition, the No Effect failures are classified as safe and therefore need to be considered in the Safe Failure Fraction calculation; they are included in the total failure rate.

Table 13  Failure Rates in FIT According to IEC 61508
(DTT = de-energize to trip, ETT = energize to trip; inferred column reading)

Model                              λSD    λSU [9]   λDD    λDU    SFF [10]
327B0/8327G, DTT                     0      764       0    188    80.3%
327B0/8327G, ETT                     0      384       0    568    40.3%
327B0/8327G, DTT w/PVST            516      248     186      2    99.8%
327B0/8327G, ETT w/PVST             86      298     562      6    99.4%
327B1&2, DTT                         0      464       0    188    71.2%
327B1&2, ETT                         0      384       0    268    58.9%
327B1&2, DTT w/PVST                216      248     186      2    99.7%
327B1&2, ETT w/PVST                 86      298     265      3    99.6%
327B3, DTT                           0      389       0    188    67.4%
327B3, ETT                           0      384       0    193    66.6%
327B3, DTT w/PVST                  141      248     186      2    99.7%
327B3, ETT w/PVST                   86      298     191      2    99.7%
327B0 Redundant, DTT                 0     1067       0    356    75.0%
327B0 Redundant, ETT                 0      768       0    661    53.7%
327B0 Redundant, DTT w/PVST        612      456     352      4    99.8%
327B0 Redundant, ETT w/PVST        171      597     655      7    99.5%
327B1&2 Redundant, DTT               0      767       0    356    68.3%
327B1&2 Redundant, ETT               0      768       0    361    68.0%
327B1&2 Redundant, DTT w/PVST      312      456     352      4    99.7%
327B1&2 Redundant, ETT w/PVST      171      597     358      4    99.7%
327B3 Redundant, DTT                 0      692       0    356    66.1%
327B3 Redundant, ETT                 0      768       0    286    72.8%
327B3 Redundant, DTT w/PVST        237      456     352      4    99.7%
327B3 Redundant, ETT w/PVST        171      597     283      3    99.7%
327A6, DTT                           0      958       0    213    81.8%
327A6, ETT                           0      531       0    640    45.3%
327A6, DTT w/PVST                  549      409     211      2    99.8%
327A6, ETT w/PVST                  121      411     634      6    99.5%
MO                                   0      226       0     51    81.9%
MO w/PVST                          104      123      50      0    99.8%
NRV                                  0      425       0     70    85.9%
NRV w/PVST                         107      318      69      1    99.9%

When using the MO or NRV options, the failure rates for these options must be added to the failure rates of the solenoid models they are used with.

[9] It is important to realize that the No Effect failures are included in the safe undetected failure category according to IEC 61508. Note that these failures on their own will not affect system reliability or safety, and should not be included in spurious trip calculations.

[10] The SFF must be calculated for the complete final element. These values are only valid when the solenoid valve constitutes the entire final element.

The ASCO Series 327 Solenoid Valves are classified as Type A devices [11] according to IEC 61508, having a hardware fault tolerance of 0. The Safe Failure Fraction must be calculated for the entire final element assembly, of which the ASCO Series 327 Solenoid Valves are typically only one component. If the ASCO Series 327 Solenoid Valves are the complete final element, then the Safe Failure Fractions listed in Table 13 can be used.

The failure rates listed in this report do not include failures due to wear-out of any components. They reflect random failures and include failures due to external events, such as unexpected use; see section 4.2.2. These failure rates are valid for the useful lifetime of the ASCO Series 327 Solenoid Valves; see Appendix A: Lifetime of critical components.

A user of the Series 327 Solenoid Valves can use these failure rates in a probabilistic model of a safety instrumented function (SIF) to determine suitability in part for safety instrumented system (SIS) usage at a particular safety integrity level (SIL). A full table of failure rates is presented in section 4 along with all assumptions.

The architectural constraint type for the Series 327 Solenoid Valves is A. The hardware fault tolerance of the device is 0. The SFF and the required SIL determine the level of hardware fault tolerance that is required per IEC 61508 [N1] or IEC 61511. For a Type A element with HFT 0, IEC 61508-2 Table 2 allows SIL 1 below 60% SFF, SIL 2 from 60% to 90% and SIL 3 from 90% upward, so the with-PVST figures in Table 13 (above 99%) and the lowest without-PVST figures (down to 40.3%) fall in different bands. The SIS designer is also responsible for meeting the other requirements of the applicable standards for any given SIL.

[11] Type A component: non-complex component with well-defined failure modes; for details see 7.4.3.1.2 of IEC 61508-2.
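The category mapping, the SFF formula and the Type A architectural constraint above, carried through in code. This is an added example, not code from the exida report or from ASCO. It takes the five FMEDA categories in FIT, folds the no-effect (residual) failures into λSU as IEC 61508 (2000) requires, computes SFF, adds the MO/NRV option rates to a solenoid as the note under Table 13 instructs, and looks up the Type A row of IEC 61508-2 Table 2. The input figures are copied from Tables 10 and 12; the 100% safe and 99% dangerous diagnostic coverages used to model PVST are assumptions chosen because they reproduce the report's "w/PVST" columns, since the report states no PVST coverage figure. Function and constant names are mine.

```python
"""exida FMEDA categories -> IEC 61508 categories, SFF and Type A constraint.

Added example for this page, not code from the exida report or from ASCO.
Rates are in FIT (failures per 10^9 h). The PVST coverages below are
assumptions that reproduce the report's "w/PVST" columns; the report does
not state a PVST coverage figure.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fmeda:
    """Failure rates (FIT) in the five categories used by the FMEDA tables."""
    fail_safe_detected: float
    fail_safe_undetected: float
    dangerous_detected: float
    dangerous_undetected: float
    residual: float  # "no effect" failures

    def as_tuple(self):
        return (self.fail_safe_detected, self.fail_safe_undetected,
                self.dangerous_detected, self.dangerous_undetected,
                self.residual)

    def __add__(self, other):
        # Option rates (MO, NRV) are added to the solenoid they are fitted to.
        return Fmeda(*(a + b for a, b in zip(self.as_tuple(), other.as_tuple())))


def to_iec61508(f):
    """Return lambda_SD, lambda_SU, lambda_DD, lambda_DU.

    IEC 61508 (2000) classifies no-effect failures as safe, so the residual
    rate lands in lambda_SU and in the total the SFF is taken over.
    """
    return {"sd": f.fail_safe_detected,
            "su": f.fail_safe_undetected + f.residual,
            "dd": f.dangerous_detected,
            "du": f.dangerous_undetected}


def sff(f):
    """SFF = 1 - lambda_DU / lambda_total = (SD + SU + DD) / total."""
    r = to_iec61508(f)
    total = r["sd"] + r["su"] + r["dd"] + r["du"]
    return 1.0 - r["du"] / total


def with_pvst(f, dc_safe=1.0, dc_dangerous=0.99):
    """Credit automatic partial valve stroke testing as a diagnostic.

    Safe undetected failures become detected with coverage dc_safe, dangerous
    undetected ones become dangerous detected with coverage dc_dangerous;
    residual failures are unaffected. Both coverages are assumptions.
    """
    return Fmeda(
        fail_safe_detected=f.fail_safe_detected + dc_safe * f.fail_safe_undetected,
        fail_safe_undetected=(1.0 - dc_safe) * f.fail_safe_undetected,
        dangerous_detected=f.dangerous_detected + dc_dangerous * f.dangerous_undetected,
        dangerous_undetected=(1.0 - dc_dangerous) * f.dangerous_undetected,
        residual=f.residual)


def max_sil_type_a(sff_value, hft):
    """Highest SIL the architectural constraints allow for a Type A element
    (IEC 61508-2 Table 2): SIL 1 below 60 % SFF, SIL 2 up to 90 %, SIL 3
    above, each raised by one per unit of hardware fault tolerance, capped
    at SIL 4."""
    base = 1 if sff_value < 0.60 else 2 if sff_value < 0.90 else 3
    return min(base + hft, 4)


# Series 327 rates copied from Table 10 and Table 12: de-energize-to-trip
# (DTT) and energize-to-trip (ETT) columns plus the MO and NRV option columns.
S327B0_DTT = Fmeda(0, 516, 0, 188, 248)
S327B0_ETT = Fmeda(0, 86, 0, 568, 298)
S327A6_DTT = Fmeda(0, 549, 0, 213, 409)
MO = Fmeda(0, 104, 0, 50, 123)
NRV = Fmeda(0, 107, 0, 70, 318)


def summarise(name, f):
    """One line per configuration: IEC categories, SFF and SIL at HFT 0."""
    r = to_iec61508(f)
    s = sff(f)
    return (f"{name:<28} SD={r['sd']:6.0f} SU={r['su']:6.0f} "
            f"DD={r['dd']:6.0f} DU={r['du']:6.1f} SFF={100 * s:5.1f}% "
            f"-> SIL {max_sil_type_a(s, 0)} at HFT 0")


if __name__ == "__main__":
    for name, f in [("327B0/8327G DTT", S327B0_DTT),
                    ("327B0/8327G ETT", S327B0_ETT),
                    ("327B0/8327G DTT w/PVST", with_pvst(S327B0_DTT)),
                    ("327A6 DTT + MO", S327A6_DTT + MO),
                    ("327A6 DTT + MO + NRV", S327A6_DTT + MO + NRV)]:
        print(summarise(name, f))
```

Running it reproduces the Table 13 rows for 327B0/8327G (80.3%, 40.3% and 99.8% with PVST) and shows why the constraint matters: the same valve is SIL 2-capable at HFT 0 in one column and SIL 1 in the other, and only the automatic PVST claim lifts it to SIL 3. The option sums are what the designer must feed into the SIF model when an MO or NRV is fitted; footnote 10 still applies, the SFF is for the whole final element.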

5 Using the FMEDA results

5.1 Air quality failures

The product failure rates displayed in section 4.4 reflect the situation where the device is used with clean, filtered air. Contamination from poor control-air quality may affect the function or the air flow in the device. For applications where these assumptions do not apply, the user must estimate the failure rates due to contaminated air and add this failure rate to the product failure rates.

5.2 PFDavg calculation, Series 327 Solenoid Valves

An average Probability of Failure on Demand (PFDavg) calculation is performed for a single (1oo1) Series 327 Solenoid Valve. The failure rate data used in this calculation is displayed in section 4.4. A mission time of 10 years and a Mean Time To Restoration of 24 hours have been assumed. Table 14 lists the proof test coverage, PFDavg, and percent of SIL range for the various configurations when the proof test interval equals 1 year (see Appendix B). For SIL 2 applications, the PFDavg value needs to be >= 10^-3 and < 10^-2. It is the responsibility of the Safety Instrumented Function designer to do the calculations for the entire SIF. exida recommends the accurate Markov-based exSILentia tool for this purpose.

Table 14  Sample Results for a proof test interval of 1 year

Device              Proof Test Coverage   PFDavg     % of SIL 2 Range
327B0/8327G         99%                   8.98E-04   8.98%
327A6               99%                   1.02E-03   10.2%
327B0 Redundant     99%                   1.70E-03   17.0%

Figure 2 shows the PFDavg for various proof test intervals for the Series 327 Solenoid Valves.

[Figure 2: PFDavg(t) vs. proof test interval for the Series 327 Solenoid Valves. Curves for 327B0/8327G, 327A6 and 327B0 Redundant; x-axis: proof test interval, 1 to 10 years; y-axis: PFDavg, 0 to 1.80E-02.]

When partial valve stroke testing is performed at regular intervals, the Series 327 Solenoid Valves contribute only minimally to the overall PFDavg of the Safety Instrumented Function.

These results must be considered in combination with the PFDavg values of the other devices of a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL). It is the responsibility of the Safety Instrumented Function designer to do the calculations for the entire SIF. exida recommends the accurate Markov-based exSILentia software tool for this purpose.
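The 1oo1 PFDavg calculation of section 5.2, worked through as an added example. This is not exida's exSILentia model, which is Markov-based; it is the usual low-demand closed-form approximation, which assumes the dangerous undetected rate splits into the fraction the proof test reveals (present on average for half the proof test interval) and the fraction it misses (present for half the mission time), plus dangerous detected failures present only for the MTTR. With λDU = 188, 213 and 356 FIT (the no-PVST, first-column values of Tables 10, 12 and 11), 99% proof test coverage, a 1-year proof test interval, 10-year mission time and 24 h MTTR it reproduces the three Table 14 values to within rounding, and the curve function gives the data behind Figure 2. The function and constant names are mine.

```python
"""1oo1 PFDavg with imperfect proof testing, from FIT failure rates.

Added example for this page; it is the usual low-demand closed-form
approximation, not the Markov model of the exSILentia tool the report
recommends. Defaults are the report's 10-year mission time and 24 h MTTR.
"""
HOURS_PER_YEAR = 8760.0
FIT = 1e-9  # one failure per 10^9 hours

# Low-demand PFDavg bands of IEC 61508-1: SIL -> (lower, upper).
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def pfd_avg_1oo1(lambda_du_fit, lambda_dd_fit, proof_test_coverage,
                 proof_test_interval_years, mission_time_years=10.0,
                 mttr_hours=24.0):
    """Average probability of failure on demand of a single (1oo1) element.

    Dangerous undetected failures the proof test reveals are present, on
    average, for half the proof test interval; the fraction it misses is
    present for half the mission time; dangerous detected failures (PVST or
    other automatic diagnostics) are present only for the repair time.
    """
    ldu = lambda_du_fit * FIT
    ldd = lambda_dd_fit * FIT
    ti = proof_test_interval_years * HOURS_PER_YEAR
    mt = mission_time_years * HOURS_PER_YEAR
    covered = proof_test_coverage * ldu * ti / 2.0
    uncovered = (1.0 - proof_test_coverage) * ldu * mt / 2.0
    detected = ldd * mttr_hours
    return covered + uncovered + detected


def sil_band(pfd):
    """SIL band a PFDavg falls in for low demand mode, or None if outside."""
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return None


def percent_of_sil_range(pfd, sil):
    """Share of the SIL's PFDavg budget consumed, as Table 14 reports it
    (the whole SIF, not the solenoid alone, has to sit inside the band)."""
    return 100.0 * pfd / SIL_BANDS[sil][1]


def pfd_curve(lambda_du_fit, lambda_dd_fit, proof_test_coverage,
              years=range(1, 11), **kw):
    """(interval, PFDavg) pairs: the data behind the report's Figure 2."""
    return [(y, pfd_avg_1oo1(lambda_du_fit, lambda_dd_fit,
                             proof_test_coverage, y, **kw)) for y in years]


# (lambda_DU, lambda_DD) in FIT: no-PVST de-energize-to-trip values from
# Tables 10, 12 and 11, and the with-PVST 327B0/8327G case from Table 10.
CASES = {"327B0/8327G": (188, 0), "327A6": (213, 0),
         "327B0 Redundant": (356, 0), "327B0/8327G w/PVST": (2, 186)}

if __name__ == "__main__":
    for name, (du, dd) in CASES.items():
        p = pfd_avg_1oo1(du, dd, 0.99, 1)
        print(f"{name:<22} PFDavg={p:.2E}  {percent_of_sil_range(p, 2):5.2f}% "
              f"of SIL 2 range  (band: SIL {sil_band(p)})")
    for y, p in pfd_curve(188, 0, 0.99):
        print(f"  proof test every {y:2d} y -> PFDavg {p:.2E}")
```

Two things the numbers show that the table does not: the 1% of dangerous undetected failures the proof test never reveals is carried for the whole mission time and already accounts for roughly a tenth of the 1-year result, so a longer mission time raises PFDavg even with an unchanged proof test interval; and with PVST credited (2 FIT undetected, 186 FIT detected) the solenoid's PFDavg drops by nearly two orders of magnitude, which is the "minimal contribution" the report refers to.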

6 Terms and Definitions

FIT: Failure In Time (1x10^-9 failures per hour)

FMEDA: Failure Mode Effect and Diagnostic Analysis

HFT: Hardware Fault Tolerance

Low demand mode: Mode where the frequency of demands for operation made on a safety-related system is no greater than one per year and no greater than twice the proof test frequency.

PVST: Partial Valve Stroke Test. It is assumed that the Partial Stroke Testing, when performed, is performed at least an order of magnitude more frequently than the proof test; therefore the test can be assumed to be an automatic diagnostic. Because of the automatic diagnostic assumption, the Partial Stroke Testing also has an impact on the Safe Failure Fraction.

PFDavg: Average Probability of Failure on Demand

SFF: Safe Failure Fraction, summarizing the fraction of failures which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.

SIF: Safety Instrumented Function

SIL: Safety Integrity Level

SIS: Safety Instrumented System. Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).

Type A component: Non-complex component (using discrete elements); for details see 7.4.3.1.2 of IEC 61508-2

Type B component: Complex component (using microcontrollers or programmable logic); for details see 7.4.3.1.3 of IEC 61508-2

7 Status of the document

7.1 Liability

exida prepares FMEDA reports based on methods advocated in international standards. Failure rates are obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use of these numbers or for the correctness of the standards on which the general calculation methods are based.

7.2 Releases

Version: V1
Revision: R3
Version History:
  V1; R3: Added 8327G, S. Close, Sep 15, 2010
  V1; R2: Revised failure rates for 327A, S. Close, Dec 11, 2009
  V1; R1: Released to customer
  V0; R1: Initial draft, Nov 20, 2009
Authors: Steven Close
Review: V0; R1: Chris O'Brien
Release status: Released

7.3 Future Enhancements

At request of client.

7.4 Release Signatures

Steven Close, Safety Engineer
Chris O'Brien, Partner

Appendix A: Lifetime of critical components

Although a constant failure rate is assumed by the probabilistic estimation method (see section 4.2), this only applies provided that the useful lifetime of the components is not exceeded. Beyond their useful lifetime the result of the probabilistic calculation method is therefore meaningless, as the probability of failure increases significantly with time. The useful lifetime is highly dependent on the subsystem itself and its operating conditions.

This assumption of a constant failure rate is based on the bathtub curve. It follows that the PFDavg calculation is only valid for components that are in this constant-rate domain, and that the validity of the calculation is limited to the useful lifetime of each component. According to section 7.4.7.4 of IEC 61508-2, a useful lifetime, based on experience, should be assumed.

Major factors influencing useful life are the air quality, the ambient temperature and the air circulation around the solenoid. If the Series 327 Solenoid Valves are used with clean air in an ambient with air circulation (draft air) and an average ambient temperature of 40 °C, then a useful life of 30,000 hours is expected for the coil and 10 years for the assembly. Table 15 lists the useful life for the Series 327 Solenoid Valves.

Table 15  Useful Life

Component         Useful Life
Coil              30,000 hours
Valve Assembly    10 years
Valve Assembly    200,000 cycles

Note that 30,000 hours is about 3.4 years of service, well short of the 10-year mission time assumed in section 5.2; the coil replacement interval therefore has to be scheduled inside the mission time for the PFDavg figures to remain valid, and the 200,000-cycle limit can be reached earlier than 10 years where partial stroke testing cycles the solenoid frequently. It is the responsibility of the end user to establish a preventive maintenance process to replace all solenoids before the end of their useful life.

Appendix B: Proof tests to reveal dangerous undetected faults

According to section 7.4.3.2.2 f) of IEC 61508-2, proof tests shall be undertaken to reveal dangerous faults which are undetected by diagnostic tests. This means that it is necessary to specify how the dangerous undetected faults noted during the FMEDA can be detected during proof testing.

B.1 Proof test

The proof test consists of a full stroke of the solenoid, as described in Table 16. This test will detect >99% of possible DU failures in the Series 327 Solenoid Valves.

Table 16  Steps for Proof Test

Step  Action
1     Bypass the safety function and take appropriate action to avoid a false trip.
2     Send a signal to the solenoid to perform a full stroke and verify that this is achieved within the specified time.
3     Inspect the solenoid for any visible damage or contamination.
4     Remove the bypass and otherwise restore normal operation.