IEC 61508: Where do the lambda values originate?
Introduction
Dipl.-Ing. (Univ.) Stephan Aschenbrenner, exida.com GmbH
Why ask this question?
The chain from the standard down to the data: IEC 61508 → SIL → PFD / PFH and SFF → calculated from λ safe, λ dd, λ du → calculated by FMEDA → failure rate λ, failure modes, failure mode distribution.
What is lambda?
- It is the 11th letter of the Greek alphabet.
- It is a failure rate expressing the probability that a component fails in time.
- It is expressed in failures per hour (normally: failures / 10^9 hours = FIT).
- A constant failure rate is assumed by the probabilistic estimation method.
- The useful lifetime of components must not be exceeded.
- The reference conditions must be known.
- The failure rate must be divided into the following classified failure rates:
  λ safe (failure rate of all safe failures)
  λ dangerous (failure rate of all dangerous failures)
  λ dd (failure rate of all dangerous detected failures)
  λ du (failure rate of all dangerous undetected failures)
Where do the lambda values originate?
- From the manufacturer of a subsystem!
- From the assessor / certification body!
- Question to the end-user???
- From data books!
- From the FMEDA!
Sources of failure rates
- SN 29500
- IEC 62380 Ed.1 /TR (formerly known as UTE C 80-810)
- RAC FMD-91 and RAC FMD-97
- Bellcore (Telcordia) standards TR-332 Issue 6 and SR-332 Issue 1
- MIL HDBK 217F
- exida Electrical & Mechanical Component Reliability Handbook
- NSWC-98/LE1
Sources of failure modes and failure mode distribution
- RAC FMD-91 and RAC FMD-97
- IEC 62061
- EN 954-2 (failure modes only)
- IEC 61496-1 (failure modes only)
- EN 298 (failure modes only)
- IEC 62380 Ed.1 /TR (formerly known as UTE C 80-810)
- exida Electrical & Mechanical Component Reliability Handbook
How to harmonize failure rates and failure mode distribution data
- Compare available sources of failure rates and failure mode distribution data and agree on a set of data for clearly specified reference conditions.
- Compare public sources with real field data and adjust if needed.
(Flow chart: field failure data → product λ; FMEDA based on the mechanical component database and the industry database → product λ; compare the two; significant difference? YES → update component database; NO → finish.)
Why are lambda values needed?
To calculate the probability that a certain safety function fails.
(Figure: three elements of the safety function, each characterised by its own λ safe, λ dd, λ du.)
IEC 61508: Where do the lambda values originate?
The Sensor Point of View
Dr. Arno Götz, Endress+Hauser Messtechnik GmbH+Co. KG
Sources of failures in sensors
- Main electronics + terminal block (simple + complex electronic components)
- Sensor electronics (simple + complex electronic components)
- Sensor element + process connection (mechanical components)
Three cases for λ: λ simple electronic, λ complex electronic, λ mechanical. One analysis method!
FMEDA: Failure Modes, Effects and Diagnostic Analysis
A systematic way to
- identify and evaluate the effects of different component failure modes,
- determine what could eliminate or reduce the chance of a failure,
- document a system under consideration.
Single fault analysis!
What is relevant for the safe function of a subsystem?
(Figure: input signal (e.g. pressure) → safety-related signal path → safety-related output signal (e.g. 4..20 mA) + accuracy. Diagnostics and monitoring are not part of the safety function. The parts are marked as safety-related or not safety-related.)
FMEDA for simple components
Steps: simple component → failure rate λ → failure modes + probabilities → impact on safety-related output signal → failure classification → λ safe, λ dd, λ du.
Example: resistor
- λ from databases, tables etc.
- Failure modes: short circuit (10 %), open circuit (60 %), drift (0,5x / 2x) (15 % / 15 %)
- Classification: safe or dangerous? detected or undetected?
Comparison of different databases (example: resistor)
FIT = Failure In Time; 1 FIT = 10^-9 /h
FMEDA for complex components (e.g. ASIC, µC)
Flow: complex component → λ available? Yes → failure types + probabilities → impact on safety-related output signal → failure classification. No → number of transistors → λ for a similar type from a database.
λ values for complex components up to 200 FIT!
ASIC evaluation: influence of diagnostic coverage
Starting point: 50 % safe, 50 % dangerous.
Diagnostic coverage (DC) | safe | dd | du
unknown | 50 % | 25 % | 25 %
DC = 60 % | 50 % | 30 % | 20 %
DC = 90 % | 50 % | 45 % | 5 %
DC = 99 % | 50 % | 49,5 % | 0,5 %
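The bookkeeping behind the two preceding slides, as an added example (not code from the talk): every failure mode takes its share of the component λ, safe modes go to λ safe, and the diagnostic coverage splits the dangerous share into λ dd and λ du. The resistor's safe/dangerous and detected/undetected assignment is a constructed assumption, since it depends on the circuit; the ASIC case reproduces the 50 %/50 % split of the slide.

```python
"""FMEDA classification of one component into lambda_safe / lambda_dd / lambda_du.
Added example; failure mode shares and classifications are inputs, as in an FMEDA."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    name: str
    share: float        # fraction of the component failure rate (0..1)
    dangerous: bool     # effect on the safety-related output signal
    dc: float = 0.0     # diagnostic coverage for this mode (0..1)


def classify(lambda_fit: float, modes: list[FailureMode]) -> dict[str, float]:
    """Return lambda_safe, lambda_dd, lambda_du (all in FIT) for one component."""
    if abs(sum(m.share for m in modes) - 1.0) > 1e-9:
        raise ValueError("failure mode distribution must sum to 100 %")
    out = {"safe": 0.0, "dd": 0.0, "du": 0.0}
    for m in modes:
        lam = lambda_fit * m.share
        if not m.dangerous:
            out["safe"] += lam
        else:                       # DC moves part of the dangerous share to "detected"
            out["dd"] += lam * m.dc
            out["du"] += lam * (1.0 - m.dc)
    return out


# Resistor from the slide: 10 % short, 60 % open, 15 % drift to 0.5x, 15 % drift to 2x.
# Which modes are dangerous and which are detected is a constructed assumption here.
RESISTOR = [
    FailureMode("short circuit", 0.10, dangerous=True, dc=0.0),
    FailureMode("open circuit", 0.60, dangerous=True, dc=0.9),
    FailureMode("drift 0.5x", 0.15, dangerous=False),
    FailureMode("drift 2x", 0.15, dangerous=False),
]


def asic(lambda_fit: float, dc: float) -> dict[str, float]:
    """ASIC model of the slide: 50 % safe, 50 % dangerous, one overall DC."""
    return classify(lambda_fit, [FailureMode("safe", 0.5, dangerous=False),
                                 FailureMode("dangerous", 0.5, dangerous=True, dc=dc)])


if __name__ == "__main__":
    print("resistor (2 FIT):", classify(2.0, RESISTOR))
    for dc in (0.0, 0.6, 0.9, 0.99):          # the DC table of the slide, for a 200 FIT ASIC
        print(f"ASIC DC={dc:.0%}:", asic(200.0, dc))
```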
Mechanical components. Example: pressure sensor element
No. | Possible fault | Consequence | Fault classification
Fxx | Process seal failure | Penetration of process medium | DU
Fxy | … | … | …
λ: see next talk!
IEC 61508: Where do the lambda values originate?
Actuators and actuator controls
Dipl. Ing. (FH) Peter Malus, AUMA Riester GmbH&Co.KG
Our focus
(Figure: DCS system, safety PLC, sensor, actuator and actuator controls; the focus is on the actuator and actuator controls.)
Electronics and mechanics
- Electronic part: via generic data according to IEC 61508
- Mechanical part: via field data and generic data
Electronic FMEDA
(Block diagram of the actuator controls, labels translated: K1/K2 reversing contactor, A58 power supply, A52 relay board, A2 logic, A1 interface, A9 local control station, XK customer electrical connection, XA actuator interface; multiplicities 4x, 6x, 2x, 2x are marked on the diagram.)
Why do we also have to consider mechanics in the analysis of the safety function?
In the European standard EN 61508-2, C.1, it is described as follows: "...the analysis used to determine the diagnostic coverage and the safe failure fraction shall include all of the components, including electronic, electrical, electromechanical, mechanical, etc."
Determination of functional safety parameters
Field experience data + data from generic handbooks → lambda values → FMEDA → failure rates λ safe, λ dd, λ du → functional safety parameters (e.g. SFF, PFD av, PFH)
Mechanical FMEDA
- Motor coupling
- Actuator gearing with hollow shaft / worm wheel
- Worm shaft with springs, worm, bearings, etc.
- Motor
  (via field experience data)
- Control unit
- Seals
  (via generic data from the exida handbook)
Reported failures from the AUMA RBS system for the motor
Failure code | Failure category | 2001 | 2002 | 2003 | 2004 | 2005 | 2006 | Total
303 | Motor coupling | 2 | 0 | 1 | 4 | 3 | 3 | 13
204 | Rotor blocked | 1 | 1 | 2 | 1 | 1 | 2 | 8
206 | Motor windings | 30 | 17 | 19 | 21 | 34 | 20 | 141
208 | Motor connector | 5 | 4 | 8 | 13 | 13 | 8 | 51
Motor complete | | | | | | | | 213
Lambda values based on field data
λ_UCL = χ²(α, ν) / (2T), with ν = 2f + 2
Data | Value | Comment
Number of failures | 213 | failures reported
Total operating hours | 6126446160 | # devices × # years × 8760 hours/year
% reported failures | 70% | expensive device, warranty period
Estimated actual failures | 305 |
Point estimate, failure rate | 4,97E-08 |
Complexity factor | 1 | new versus old design, if applicable
Estimated new actual failures | 305 | estimated failures of new design
New point estimate, failure rate | 4,98E-08 per hour |
Confidence interval | 0,7 | IEC 61508, Part 2, 7.4.7.9
Upper confidence limit, failure rate | 5,14E-08 per hour |
Lower confidence limit, MTTF | 2220,7 years |
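The field-data calculation of this slide carried through in code, as an added example (not AUMA's own tool): reported failures are scaled up by the reporting share, the point estimate is failures over operating hours, and the one-sided upper confidence limit uses the χ² formula above. The χ² quantile is computed with the Wilson-Hilferty approximation from the standard library, an assumption made here to stay dependency-free; at the large ν that field data produces it reproduces the slide's 5,14E-08 and 2220,7 years.

```python
"""Failure rate from field data with a chi-squared upper confidence limit:
lambda_UCL = chi2(alpha, nu) / (2 T), nu = 2 f + 2.  Added example."""
import math
from statistics import NormalDist

HOURS_PER_YEAR = 8760


def chi2_quantile(p: float, nu: int) -> float:
    """p-quantile of the chi-squared distribution with nu degrees of freedom,
    Wilson-Hilferty approximation (assumption: accurate enough for nu > 30)."""
    z = NormalDist().inv_cdf(p)
    h = 2.0 / (9.0 * nu)
    return nu * (1.0 - h + z * math.sqrt(h)) ** 3


def estimate_actual_failures(reported: int, reporting_share: float) -> int:
    """Scale reported failures by the share that actually gets reported
    (the slide uses 70 % for an expensive device within its warranty period)."""
    return math.ceil(reported / reporting_share)


def point_estimate(failures: int, operating_hours: float) -> float:
    """Failures per operating hour (complexity factor 1, as on the slide)."""
    return failures / operating_hours


def upper_confidence_limit(failures: int, operating_hours: float,
                           confidence: float) -> float:
    """One-sided upper confidence limit of the failure rate per hour."""
    nu = 2 * failures + 2
    return chi2_quantile(confidence, nu) / (2.0 * operating_hours)


def mttf_years(failure_rate_per_hour: float) -> float:
    """MTTF in years for a constant failure rate (valid only within the useful life)."""
    return 1.0 / failure_rate_per_hour / HOURS_PER_YEAR


# Motor data from the slide: 213 reported failures, 70 % reporting share,
# 6 126 446 160 operating hours, 70 % confidence (IEC 61508-2, 7.4.7.9 is cited).
REPORTED, SHARE, HOURS, CONF = 213, 0.70, 6_126_446_160, 0.70

if __name__ == "__main__":
    f = estimate_actual_failures(REPORTED, SHARE)
    ucl = upper_confidence_limit(f, HOURS, CONF)
    print(f"estimated failures {f}, point estimate {point_estimate(f, HOURS):.2e}/h, "
          f"UCL {ucl:.2e}/h, MTTF lower limit {mttf_years(ucl):.1f} years")
```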
FMEDA for components, safety function: Safe Close
Component | Failure mode | Failure effect | λb | Distrib. | DC | Behavior | SD | SU | DD | DU
Motor | Blocked rotor | Actuator sticks in position | 5,1E-08 | 30% | 0% | D | 0 | 0 | 0 | 5,1E-08
Motor | Motor windings | Actuator sticks in position | 5,1E-08 | 60% | 0% | D | 0 | 0 | 0 | 5,1E-08
Motor | Motor connector | Actuator sticks in position | 5,1E-08 | 10% | 0% | D | 0 | 0 | 0 | 5,1E-08
Actuator shaft | Shaft break | Actuator sticks in position | 1,8E-08 | 20% | 0% | D | 0 | 0 | 0 | 1,8E-08
etc.
Test report with lambda values, SFF, etc.
IEC 61508: Where do the lambda values originate?
The Logic Solver Point of View
Bernard Mysliwiec, Siemens AG, A&D AS
The different parts of SN 29500
Electronic modules for dedicated functions:
- The design depends on the function.
- Qualitative considerations to select one architecture: systematic failure.
- Quantitative considerations to select one architecture.
- Life cycle management.
Electronic module, example of wiring:
Example of FMEDA results (extract; labels translated from German):
Components no. 231, 232, 233: R461, R462, R463, 1k, decoupling resistor in the serial coupling of both µCs (233 components in total).
λ (FIT) | Failure mode | Effect | Share | S | DD | DU | λs | λdd | λdu | Diagnostic measure | (two further columns)
0,10 | Open circuit | Synchronisation disturbed, malfunction cannot be excluded (dangerous) | 0,60 | 0 | 1 | 0 | 0,000 | 0,060 | 0,000 | Synchronisation monitoring (DC no. 7) |
0,10 | Short circuit | Fault exclusion, see comment | 0,00 | 0 | 0 | 0 | 0,000 | 0,000 | 0,000 | | 0,00E+00 | 0,00E+00
0,10 | Value changes to 0,5R | No effect | 0,20 | 1 | 0 | 0 | 0,020 | 0,000 | 0,000 | Not required | 0,00E+00 | 0,00E+00
0,10 | Value changes to 2R | No effect | 0,20 | 1 | 0 | 0 | 0,020 | 0,000 | 0,000 | Not required | 0,00E+00 | 0,00E+00
(The same four rows apply to each of R461, R462 and R463.)
Summary (current values, with the previous values in brackets):
- Σλ s = 258,06 FIT (246,94)
- Σλ dd = 272,85 FIT (266,77)
- Σλ du = 0,0408 FIT (0,0407)
- Σλ = 281,68 FIT (279,68)
- Σλ total = 812,63 FIT; MTBF 1,23E+06 h = 140,48 years
- 1 dangerous failure per 2,98 total failures; 1 du failure per 6.696 dangerous failures; 1 du failure per 19.941 total failures
- Total safe failure rate (s + dd) = 530,91 FIT
- Total failure rate (s + dd + du) = 530,95 FIT
- DC for dangerous failures, dd / (dd + du) = 99,985 %
- Safe failure fraction, (s + dd) / (s + dd + du) = 99,992 %
Further summary cells whose column headers are not legible: 777 340 95 | 258,06 272,89 281,68 | 99,998 99,998 99,998 | 1,20E-06 1,20E-06 1,20E-06 | 6,00E-02 6,00E-02 6,00E-02 | 0,0408 272,8496 | 1212
Example of Markov model: F-DI, F-DO, PM-EF, PM-D F, PROFIsafe
(State diagram with 14 numbered states built from the conditions ok / sd / su / dd / du of the channels and the transitions between them. Impossible states: 5 (sd, sd) and 7 (sd, dd).)
Some points about evaluation results:
- Device life cycle
  - A change in the design leads to new values
  - Results degrade after exchange (spare parts)
  - Management of device releases
- Mission time
- Devices with different proof test intervals
  - Description of the related proof test
- Proof test coverage
  - The proof test has to be performed and documented
  - If not, use of conservative values
  - Proof test through the end user
Types of possible evaluations:
- Pre-evaluation
  - Estimation of the possible SIL
  - Sum of PFDs
- Detailed calculation
  - By use of own or simplified formulas (ISA 84, VDI/VDE 2180)
  - Use of certified tools (independent, manufacturer-specific)
Recommendation for complex modules: PFD/PFH
F-CPUs (PFD given for proof test intervals of 10 and 20 years):
Module | Order number | SIL capability | PFH | PFD (10 years) | PFD (20 years)
IM151-7 F-CPU | 6ES7151-7FA01-0AB0 | SIL 3 | 3,62E-10 | 1,59E-05 | 3,18E-05
CPU 315F DP | 6ES7315-6FF01-0AB0 | SIL 3 | 5,42E-10 | 2,38E-05 | 4,76E-05
CPU 315F PN/DP | 6ES7315-2FH10-0AB0 | SIL 3 | 1,09E-09 | 4,76E-05 | 9,52E-05
CPU 317F DP | 6ES7317-6FF00-0AB0 | SIL 3 | 1,09E-09 | 4,76E-05 | 9,52E-05
CPU 317F PN/DP | 6ES7317-2FJ10-0AB0 | SIL 3 | 1,09E-09 | 4,76E-05 | 9,52E-05
CPU 416F-2 DP | 6ES7416-2FK04-0AB0 | SIL 3 | 1,09E-09 | 4,76E-05 | 9,52E-05
CPU 414H | 6ES7414-4HJ00-0AB0 | SIL 3 | 1,42E-09 | 1,24E-04 | 2,48E-04
CPU 414H | 6ES7414-4HJ04-0AB0 | SIL 3 | 4,29E-09 | 1,88E-04 | 3,76E-04
CPU 417H | 6ES7417-4HL01-0AB0 | SIL 3 | 1,42E-09 | 1,24E-04 | 2,48E-04
CPU 417H | 6ES7417-4HL04-0AB0 | SIL 3 | 4,29E-09 | 1,88E-04 | 3,76E-04
F-I/O modules (proof test interval 10/20 years):
Module | Order number | SIL capability | PFH | PFD
ET200M SM326 F-DI24 | 6ES7326-1BK01-0AB0 | SIL 2 | < 1,00E-08 | < 1,00E-04
ET200M SM326 F-DI24 | 6ES7326-1BK01-0AB0 | SIL 3 | < 1,00E-09 | < 1,00E-05
ET200M SM326 F-DO10 | 6ES7326-2BF01-0AB0 | SIL 3 | < 1,00E-09 | < 1,00E-05
ET200M SM326 F-DO8 | 6ES7326-2BF40-0AB0 | SIL 3 | < 1,00E-09 | < 1,00E-05
ET200M SM326 F-DI 8 Namur | 6ES7326-1RF00-0AB0 | SIL 2 | < 1,00E-08 | < 1,00E-04
ET200M SM326 F-DI 8 Namur | 6ES7326-1RF00-0AB0 | SIL 3 | < 1,00E-09 | < 1,00E-05
ET200M SM336 F-AI 6 | 6ES7336-1HE00-0AB0 | SIL 3 | < 1,00E-09 | < 1,00E-05
ET200S EM138 4/8 F-DI | 6ES7138-4FA02-0AB0 | SIL 2 | < 1,00E-08 | < 1,00E-03
ET200S EM138 4/8 F-DI | 6ES7138-4FA02-0AB0 | SIL 3 | < 1,00E-10 | < 1,00E-05
ET200S EM138 4 F-DO | 6ES7138-4FB02-0AB0 | SIL 3 | < 1,00E-10 | < 1,00E-05
ET200S EM138 PM-E F pm | 6ES7138-4CF02-0AB0 | SIL 3 | < 1,00E-10 | < 1,00E-05
ET200S EM138 PM-E F pm | 6ES7138-4CF41-0AB0 | SIL 3 | < 1,00E-10 | < 1,00E-05
ET200S EM138 4 F-DI/3 F-DO | 6ES7 138-4FC00-0AB0 | SIL 2 | < 1,00E-08 | < 1,00E-04
ET200eco BM148 4/8 F-DI | 6ES7148-3FA00-0XB0 | SIL 2 | < 1,00E-08 | < 1,00E-03
ET200eco BM148 4/8 F-DI | 6ES7148-3FA00-0XB0 | SIL 3 | < 1,00E-10 | < 1,00E-05
ET200pro EM148 8/16 F-DI | 6ES7148-4FA00-0AB0 | SIL 2 | < 1,00E-08 | < 1,00E-03
ET200pro EM148 8/16 F-DI | 6ES7148-4FA00-0AB0 | SIL 3 | < 1,00E-09 | < 1,00E-05
ET200pro EM148 4/8 F-DI/ 4 F-DO | 6ES7148-4FC00-0AB0 | SIL 2 | < 1,00E-08 | < 1,00E-03
ET200pro EM148 4/8 F-DI/ 4 F-DO | 6ES7148-4FC00-0AB0 | SIL 3 | < 1,00E-09 | < 1,00E-05
Safety-related communication F-CPU <-> F-I/O | | SIL 3 | < 1,00E-09 | < 1,00E-05
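As an added example (not a Siemens tool) tying the formulas of the FMEDA results slide to this table and to the "sum of PFDs" pre-evaluation: DC and SFF from the Σλ values, the simplified single-channel PFD = λ du · T / 2 that reproduces the F-CPU rows from their PFH and proof test interval, and a loop-level SIL band from the summed PFDs. The sensor and actuator PFDs and the useful-lifetime figure are constructed assumptions; the SIL bands are the IEC 61508 low-demand PFD targets.

```python
"""From lambda values to functional safety parameters (added example)."""
HOURS_PER_YEAR = 8760


def diagnostic_coverage(lam_dd: float, lam_du: float) -> float:
    """DC for dangerous failures: dd / (dd + du)."""
    return lam_dd / (lam_dd + lam_du)


def safe_failure_fraction(lam_s: float, lam_dd: float, lam_du: float) -> float:
    """SFF = (s + dd) / (s + dd + du)."""
    return (lam_s + lam_dd) / (lam_s + lam_dd + lam_du)


def pfd_avg_1oo1(lam_du_per_hour: float, proof_test_years: float) -> float:
    """Simplified average PFD of one channel proof-tested every proof_test_years.
    With the table's PFH taken as lambda_du this reproduces its PFD columns."""
    return lam_du_per_hour * proof_test_years * HOURS_PER_YEAR / 2.0


def sil_band_from_pfd(pfd: float) -> int:
    """IEC 61508 low-demand bands: SIL n means 10^-(n+1) <= PFD < 10^-n.
    This is only the random-hardware part; the SIL column of the table is the
    module's SIL capability, which the PFD band alone does not establish."""
    for sil in (4, 3, 2, 1):
        if 10.0 ** -(sil + 1) <= pfd < 10.0 ** -sil:
            return sil
    return 0  # outside SIL 1..4


def loop_pre_evaluation(pfd_sensor: float, pfd_logic: float, pfd_actuator: float,
                        mission_time_years: float, useful_life_years: float) -> int:
    """Pre-evaluation: sum the subsystem PFDs and band the result. The constant
    lambda values are valid only within the useful lifetime, so a mission time
    beyond it invalidates the calculation rather than merely making it pessimistic."""
    if mission_time_years > useful_life_years:
        raise ValueError("mission time exceeds the useful lifetime of the components")
    return sil_band_from_pfd(pfd_sensor + pfd_logic + pfd_actuator)


# Sums from the FMEDA results slide (FIT) and the IM151-7 F-CPU row (PFH per hour).
LAM_S, LAM_DD, LAM_DU = 258.06, 272.85, 0.0408
PFH_IM151 = 3.62e-10

if __name__ == "__main__":
    print(f"DC  = {diagnostic_coverage(LAM_DD, LAM_DU):.3%}")
    print(f"SFF = {safe_failure_fraction(LAM_S, LAM_DD, LAM_DU):.3%}")
    for years in (10, 20):
        print(f"PFD({years} years) = {pfd_avg_1oo1(PFH_IM151, years):.2e}")
    # Constructed sensor/actuator PFDs and a 10-year useful life (assumptions).
    print("loop SIL band:", loop_pre_evaluation(1.0e-3, pfd_avg_1oo1(PFH_IM151, 10),
                                                2.0e-3, 10, 10))
```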
IEC 61508: Where do the lambda values originate?
From the point of view of the mechanics and the electronics
Dr. Andreas Hildebrandt, Pepperl + Fuchs GmbH
Everything is pure chance!
- Failure of equipment is a random incident.
- Characterisation by means of random variables.
(Image source: istockphoto)
Bath tub curve
- The probability of a failure is given by the so-called bath tub curve.
- The probability of a failure depends on the operating time.
(Figure: failure rate [1/h] versus time [years] at room temperature; time axis 0 to 14 years, failure rate axis 0,00E+00 to 1,60E-04.)
Characterising the bath tub curve
You need at least two values to characterise the curve:
- Where is the bottom of the bath tub?
- When will wear out become significant?
(Figure: the same failure rate versus time plot, with the regions "constant failure rate" and "wear out" marked.)
Electronics versus mechanics
- Electronic technicians are interested in the constant failure rate (λ).
- Mechanical engineers are dealing with the lifetime (MTBF).
(Figure: the same failure rate versus time plot, with the regions labelled "electronic technician" and "mechanical engineers".)
Common fault
Both are making the same wrong calculation: MTBF = 1/λ. Nonsense!
Where is the problem? Bath tub curve of a human
(Figure "Bath tub curve of a human (Germany)": failure rate [1 / year] versus age [years], 0 to 80 years, failure rate 0,00 to 0,07, curves for men and women; source: Statistisches Bundesamt, Wiesbaden, 2004.)
- Mechanical engineers: MTBF = 75,6 years, hence λ ≈ 1,3 · 10^-2 / year.
- Electronic technician: λ ≈ 7,7 · 10^-4 / year, hence MTBF = 1300 years.
Both are partly wrong!
- The failure rate of a middle-aged man is fortunately significantly less than 1,3 %.
- The MTBF of a man is (fortunately?) not 1300 years.
To do proper calculations you need two pieces of information:
- How big is the (constant) failure rate λ?
- How long is this value valid (MTBF, B10)? In accordance with IEC / EN 61508 this is 8 to 12 years under normal operating conditions.
Don't misinterpret MTBF and λ.