A Case Study on an Evaluation Procedure of Hardware SIL for Fire Detection System

Similar documents
SAFETY MANUAL SIL RELAY MODULE

Failure Modes, Effects and Diagnostic Analysis

Hardware safety integrity Guideline

Final Element Architecture Comparison

Version: 1.0 Latest Edition: Guideline

Value Paper Author: Edgar C. Ramirez. Diverse redundancy used in SIS technology to achieve higher safety integrity

IEC Functional Safety Assessment. Project: K-TEK Corporation AT100, AT100S, AT200 Magnetostrictive Level Transmitter.

SAFETY MANUAL SIL Switch Amplifier

SAFETY MANUAL SIL SMART Transmitter Power Supply

Selecting Sensors for Safety Instrumented Systems per IEC (ISA )

FMEDA and Proven-in-use Assessment. Pepperl+Fuchs GmbH Mannheim Germany

FUNCTIONAL SAFETY CERTIFICATE

Understanding Safety Integrity Levels (SIL) and its Effects for Field Instruments

Basic Fundamentals Of Safety Instrumented Systems

Machineontwerp volgens IEC 62061

IEC Functional Safety Assessment. ASCO Numatics Scherpenzeel, The Netherlands

Effective Compliance. Selecting Solenoid Valves for Safety Systems. A White Paper From ASCO Valve, Inc. by David Park and George Wahlers

MXa SIL Guidance and Certification

Using a Failure Modes, Effects and Diagnostic Analysis (FMEDA) to Measure Diagnostic Coverage in Programmable Electronic Systems.

SIL manual. Structure. Structure

SAFETY MANUAL SIL SWITCH AMPLIFIER

Certification Report of the STT25S Temperature Transmitter

Safety manual for Fisherr ED,ES,ET,EZ, HP, or HPA Valves with 657 / 667 Actuator

IEC Functional Safety Assessment. United Electric Controls Watertown, MA USA

Overview of IEC Design of electrical / electronic / programmable electronic safety-related systems

Reliability Block Diagram RBD

,g) rrrs {fd fi. f il'ltdä. Failure Modes, Effects and Diagnostic Analysis. ABB Automation Products GmbH Alzenau Germany

Reducing Steps to Achieve Safety Certification

A methodology For the achievement of Target SIL

Viewpoint on ISA TR Simplified Methods and Fault Tree Analysis Angela E. Summers, Ph.D., P.E., President

Vetting Smart Instruments for the Nuclear Industry

IEC Overview Report

Safety Requirements Specification Guideline

Design of automatic testing tool for railway signalling systems software safety assessment

University of Paderborn Software Engineering Group II-25. Dr. Holger Giese. University of Paderborn Software Engineering Group. External facilities

TÜV Rheinland Functional Safety Program Functional Safety Engineer Certification

FMEA FMEA basic concept Rigorous FMEA - State Explosion This talk introduces Failure Mode Effects Analysis, and the different ways it is applied. Thes

TÜV FS Engineer Certification Course Being able to demonstrate competency is now an IEC requirement:

Frequently Asked Questions

IEC Where do the lambda values originate?

ELECTROTECHNIQUE IEC INTERNATIONALE INTERNATIONAL ELECTROTECHNICAL

Safety Manual BT50(T) Safety relay / Expansion relay

Automation, Software and Information Technology. Test report of the type approval safety-related automation devices

PABIAC Safety-related Control Systems Workshop

SAFETY LIFE-CYCLE HOW TO IMPLEMENT A

SAFETY LIFECYCLE WORKBOOK FOR THE PROCESS INDUSTRY SECTOR

Safety controls, alarms, and interlocks as IPLs

WELLHEAD FLOWLINE PRESSURE PROTECTION USING HIGH INTEGRITY PROTECTIVE SYSTEMS (HIPS)

I requisiti delle Norme IEC EN Ed 2: 2010 e IEC EN Ed. 2: 2016

Frequently Asked Questions

Mobrey Magnetic Level Switches

Safe Torque Off Option (Series B) for PowerFlex 40P and PowerFlex 70 Enhanced Control AC Drives

Controlling Risks Safety Lifecycle

ABB industrial drives. Application guide ACS800-01/U1/04/04LC/04M/U4/11/U11/14/31/U31/104/104LC Safe torque off function (+Q967)

Guidelines. Safety Integrity Level - SIL - Valves and valve actuators. March Valves

The SISTEMA Cookbook 4

ISO Introduction

Why SIL3? Josse Brys TUV Engineer

Logic solver application software and operator interface

Announcement of a new IAEA Co-ordinated Research Programme (CRP)

Testing of safety-critical software some principles

A PROCESS ENGINEERING VIEW OF SAFE AUTOMATION

How to design safe machine control systems a guideline to EN ISO

Mitigating safety risk and maintaining operational reliability

Mary Ann Lundteigen. Doctoral theses at NTNU, 2009:9 Mary Ann Lundteigen. Doctoral theses at NTNU, 2009:9

Safety Integrity Levels

What is CFSE? What is a CFSE Endorsement?

A New Programmable RF System for System-on-Chip Applications

ABB PSPS Erich Steinmann; Generator control-2013

Design and Development of SMS Based Wireless Home Appliance Control and Security System

High Availability and Safety solutions for Critical Processes

SILs and Software. Introduction. The SIL concept. Problems with SIL. Unpicking the SIL concept

SuperIOr Controller. Digital Dynamics, Inc., 2014 All Rights Reserved. Patent Pending. Rev:

Kurz Instruments Inc. Document AV Document Title: MFTB Event Code Definitions. MFT B-Series Event Codes

An Introduction to. Metrics. used during. Software Development

CASS TEMPLATES FOR SOFTWARE REQUIREMENTS IN RELATION TO IEC PART 3 SAFETY FUNCTION ASSESSMENT Version 1.0 (5128)

ISO 26262:2011 Functional Safety Assessment Report. Texas Instruments Richardson, TX USA. Project: TDA2X ADAS SoC. Customer:

Service & Support. Higher-level safe switch-off of the power supply of functionally nonsafe standard modules? Wiring Examples.

Tele Radio Tiger BASIC INSTRUCTIONS FOR 10-BUTTONS TRANSMITTER

D7024 Fire Alarm Control Panels Software Version V2.06


Safety Integrity Level (SIL) Studies Germanischer Lloyd Service/Product Description

An Agent-Based Concept for Problem Management Systems to Enhance Reliability

PLL frequency synthesizer

Application Requirement

Is your current safety system compliant to today's safety standard?

GuardLogix Controller Systems

SOFTWARE-IMPLEMENTED SAFETY LOGIC Angela E. Summers, Ph.D., P.E., President, SIS-TECH Solutions, LP

INSIDE THIS ISSUE KUWAIT SECTION. December NEWSLETTER 2009 FROM SECTION PRESIDENT S DESK TECHNICAL WINDOW MEMBERS AREA PRODUCT REVIEW

Performance Based Gas Detection System Design for Hydrocarbon Storage Tank Systems

Valves and Solenoid Valves testet and certified byrheinhold & Mahla according to IEC 61508/61511

Functional safety in process instrumentation with SIL rating Questions, examples, background

Disturbance Recoder SPCR 8C27. Product Guide

Data Acquisition Using NI-DAQmx

Programming Logic controllers

SOFTWARE VERIFICATION RESEARCH CENTRE SCHOOL OF INFORMATION TECHNOLOGY THE UNIVERSITY OF QUEENSLAND. Queensland 4072 Australia TECHNICAL REPORT

High Availability Design Patterns

SISTEMA - Sicherheit von Steuerungen an Maschinen

FVSU REPAIR & UPGRADE FIBER OPTIC SECTION FIRE ALARM SYSTEM CONNECTIVITY

Transcription:

A Case Study on an Evaluation Procedure of Hardware SIL for Fire Detection System Sung Kyu Kim Department of Industrial and Management Engineering, Kyonggi University Graduate School, Gyeonggi 16227, Republic of Korea. Yong Soo Kim * Department of Industrial and Management Engineering, Kyonggi University, Gyeonggi 16227, Republic of Korea. Abstract Safety integrity is a core concept at the standards to indicate credibility and reliability levels of safety-related functions. It is measured based on that the function being able to perform when demanded. Several requirements in the IEC 61508 should be satisfied to evaluate hardware SIL of safety related system. Especially, probability measures and architectural constraints should be achieved at the same time to meet target SIL. This study presented evaluation procedure for the hardware SIL and performed the case study about evaluating the hardware SIL of the fire detection system. Consequently, the PFD and the architectural constraints of all safety functions were calculated and decided. The final outcomes which achieved SIL 2 were drawn. Keywords: Hardware Safety integrity level, Safety related System, Fire Detection System, Safety function. INTRODUCTION Functional safety is a concept to prevent and control risks which cause accidents by systematic dangerous failures for product life cycle. Since functional safety standards was established, IEC 61508 [1] have been a general standard as that presents concepts, requirements, and approaches for functional safety of electrical/electronic/programmable electronic safety related systems. Safety integrity is a core concept at the standards to indicate credibility and reliability levels of safety-related functions. It is measured based on that the function being able to perform when demanded. In addition, safety integrity is divided to three categories which are hardware, software, and systematic safety integrity. Hardware safety integrity among the categories deal with the random hardware failure in a dangerous mode of failure. Safety integrity levels (SILs) are defined to four grades (between 1 and 4). The highest level of SILs is SIL 4, and it should be qualified to meet all requirements [1, 2]. Thus, this paper describes evaluation procedure of hardware SIL and performs a case study for a safety related system. Particularly, the case study is to demonstrate that a fire detection system (FDS) is capable of achieving target SIL in terms of hardware safety integrity. EVALUATION PROCEDURE Probability criteria for hardware SIL Several requirements in the IEC 61508 should be satisfied to evaluate hardware SIL of safety related system. Especially, probability measures and architectural constraints should be achieved at the same time to meet target SIL. Figure 1 shows two measures on probability and architecture of safety system (and/or function) and required values during SIL evaluation analysis. Figure 1: An analysis process for hardware SIL verification 359

In this paragraph, probability measures and criteria to evaluate hardware SIL were described based on IEC 61508 standards. The probability measures are classified to probability of failure on demand (PFD) or probability (or frequency) of failure per hour (PFH) by frequency of demands. The PFD is applied for low demand operation mode in case of the frequency of demands less than once per year. On the other hand, the PFH is adopted to calculate the probability measure for hardware SIL evaluation [1]. In this paper, the PFD and PFH formulations are presented for a case that system architecture consists of single-channel as follows. TP PFD DU MRT DD MTTR 2 (1) PFH DU (2) where DD is the dangerous detected failure rate, DU is the dangerous undetected failure rate, T P is the proof-test interval time (hours), MRT is the mean repair time (hours), and MTTR is the mean time to restoration (hours) [1]. The SIL in term of probability measures is decided by calculated PFD or PFH value of target safety related system. MRT and/or MTTR can be assumed by 8 hours, if their values cannot be procured. Table 1 shows criteria of SIL based on the PFD and PFH. Table 1: Definitions of the safety integrity levels based on operating mode of safety related system [1]. SIL Probability measure PFD PFH SIL 4 10 5 to <10 4 10 9 to <10 8 SIL 3 10 4 to <10 3 10 8 to <10 7 SIL 2 10 3 to <10 2 10 7 to <10 6 SIL 1 10 2 to <10 1 10 6 to <10 5 Architectural constraints for hardware SIL Architectural constraints are a one of measures to evaluate the hardware SIL with above probability measures. In IEC 61508, the Architectural constraints are decided by values of safe failure fraction (SFF) and hardware fault tolerance (HFT). In addition, the Architectural constraints of each safety function (or subsystem) are determined for the SIL of target safety system. First, SFF means a ratio of total failure rates to the failure rates without dangerous undetected failure rates. It is formulated as below [1, 3]. SFF 1 where, DU T T is the total failure rate. (3) A level of hardware redundancy which how many failures the system (or subsystem) can tolerate, is required for determination of HFT. Thus, HFT n is that the system and safety function should continue to work normally until occurrence of n 1and more failures. In addition, component type is determined to `A` or `B` based on IEC 61508. To classify type A, expected risks as well as all failure modes and effects of components are well defined. And if not, component type is determined as `B` [1, 2]. Thus, the Architectural constraints are evaluated as follows (See Table 2). Table 2: The architectural constraints by safe failure fraction and hardware fault tolerance [1]. SFF HFT Type A Type B 0 1 2 0 1 2 < 60% SIL 1 SIL 2 SIL 3 - SIL 1 SIL 2 60 to < 90% SIL 2 SIL 3 SIL 4 SIL 1 SIL 2 SIL 3 90 to < 99% SIL 3 SIL 4 SIL 4 SIL 2 SIL 3 SIL 4 99% SIL 4 SIL 4 SIL 4 SIL 3 SIL 4 SIL 4 An approach to evaluate hardware SIL According to the IEC 61508, several failure rates which are divided by safe mode (safety or dangerous failure) and detectability (detected or undetected failure) are required to evaluate hardware SIL. Thus, failure rates should be classified into safe detected failure rate ( ), safe undetected failure rate ( SU ), dangerous detected failure rate, and dangerous undetected failure rate to calculate the formulations mentionedabove. A failure modes, effects, and diagnostic analysis (FMEDA) is that failure modes and effects analysis (FMEA) is extended. In addition, it also deals with all possible failure modes of components are listed and drawn with respect to their effects on the safety functions of the system. Studies that the FMEDA was applied have performed as one of the useful approaches when failure rates are separated [4-6]. The FMEDA sheet consists of several columns that include the component ID, type of component, quantity of component, failure mode, failure distribution, failure effect (local and final), safe mode (SM), detectability (DE), diagnostic coverage (DC), diagnostic method (DM), and the four failure rates. Each step of analysis process is summarized to fill in the blanks of the sheet (See Table 3). Table 3: The FMEDA analysis process and activity for each step Step Activity 1 Involved examining the parts list, bill of materials, and schematic drawing of target system, and creating a block diagram that matched the system functions to modules and components. SD 360

2 The failure rate was assigned based on failure rate data books such as MIL-HDBK-217, Telcordia SR-332 [7], and the specification of each component. 3 Assigned the failure mechanism distribution based on failure mechanism and distribution data book such as the Reliability Information Analysis Center (RIAC) FMD- 2013 [8], defined as the ratio of the probability of each failure mode to the total failure probability. 4 Failure effects were identified separately for local and final effects (via interviews and workshops between engineers and experts) 5 Determined the SM and DE by either referencing IEC- 61508 or engineering judgment. Each failure mode was classified as either Safe or Dangerous. Further, the failure mode can be either Detected or Undetected. In case the failure mode is detectable, the DM should be specified. 6 The DC was determined by reviewing the installed fault detection methods and attempting to match them to those in the IEC-61508. A CASE STUDY: FIRE DETECTION SYSTEM The FDS of this case study is a safety related system in maritime industry to prevent accident risks such as fire and a gas leak that cause huge losses of both life and property. It consists of main and sub-panels, detectors, loops, and interface subsystems and performs consistent detection functions (See Figure 2). Figure 2: Functional block diagram of the FDS For evaluating hardware SIL of the FDS, safety-related functions are classified after all of functions were defined by interviewing related engineers and experts. Thus, four safety functions were selected among all basic functions of the system (Step 1). In addition, all components of each defined function were listed and then, generic failure rates ( G ), modes and distribution were allocated to suitable components (Step 2 and 3). In Step 4, we drawn local and final failure effects of each failure mode by interviewing development engineers. Table 4 shows a part of the FMEDA sheet which was filled through the analysis process. 361

Subsystem/ Module Main Processing Function Table 4: A part of the FMEDA sheet of the FDS by the step 1-4 [7, 8] component Failure Failure Qty. Local Effect G Mode Distribution (FIT) Capacitor Drift 65.55 6 0.10 No effect on signal processing function Final effect Shorted 28.17 No signal processing System down Opened 6.28 No effect on signal processing function Capacitor Drift 65.55 1 0.10 Signal processing error loss of detecting function of fire Shorted 28.17 No signal processing System down Opened 6.28 No signal processing System down Capacitor Drift 65.55 2 0.10 Occurrence of firmware error Shorted 28.17 Occurrence of firmware error Opened 6.28 Occurrence of firmware error Occurrence of wrong signal Occurrence of wrong signal Occurrence of wrong signal In this study, Telcordia SR-332 as failure rate data book was applied to allocate failure rate for each component. The following assumptions have been made in this study, during allocation of failure rates. i. Failure rates are constant (failure distribution of all components is assumed as exponential distribution), wearout and early (or initial) failure mechanisms are not included ii. Failure rates of non-safety related subsystems and/or functions are not included; iii. Failure rate of each component is applied as steady-state failure rate, it is calculated by black box technique (BBT) of Telcordia SR-332 issue 3. iv. Quality factor and environment factor of BBT are respectively designate 1.0 and 1.5. v. Failure in time (FIT) that 1 FIT equals one failure per 10 9 hours is used as unit of failure rate. (4) SS G S T Q E where, SS is steady-state failure rate, G is mean generic steady-state failure rate for component, S is electrical stress factor (1.0 at 50 % electrical stress), is Temperature factor (1.0 at 40 ), Q is quality factor, E is environment factor [7]. All generic failure rates of components were adjusted by the BBT. To do this, we measured temperature and electrical stresses such as applied DC voltage, contact current, etc. based on the Telcordia SR-332. In addition, SM, DE, DM, and DC the detection methods and diagnostic coverages were defined to the four failure rate categories. Table 5 and 6 show a part of results of step 5-6 and defined failure detection methods, respectively. T Table 5: A part of the FMEDA sheet of the FDS by the step 5-6 Subsystem/ Module component Final effect SM DE DC DM SD SU DD DU Main Processing Function Capacitor 1 0 0.00 0.10 0.00 0.00 System down 0 0 0.00 0.00 0.00 0.04 Capacitor loss of detecting function of fire 1 0 0.00 0.01 0.00 0.00 0 1 99 DM-02 0.00 0.00 0.01 0.00 362

System down 0 0 0.00 0.00 0.00 0.01 System down 0 0 0.00 0.00 0.00 0.00 Capacitor Occurrence of wrong signal 0 1 99 DM-01 0.00 0.00 0.03 0.00 Occurrence wrong signal Occurrence wrong signal of of 0 1 99 DM-01 0.00 0.00 0.01 0.00 0 1 99 DM-01 0.00 0.00 0.00 0.00 Table 6: A part of defined failure detection methods for the case study ID DC (%) Description DM in IEC-61508 DM-01 99 Possible to monitor the fire and gas signal from the display DM-02 99 Fire alarm is output to Sound and Light DM-03 60 Possible to see the LED status with the naked eye Monitoring Multi-channel parallel output Analog signal monitoring As the HFT is 0 and all the type of each function is classified as B according to the IEC 61508, the architectural constraints of each safety function of the FDS is determined as in Table 2. In addition, the architectural constraints of the FDS were decided by that minimum level among the architectural constraints of all functions was adopted depending on merging rule in IEC 61508. Table 7 shows the calculated SFF and the architectural constraints of the FDS and each safety function. In Table 8, the PFD from the evaluation procedure for the target safety system were calculated based on several proof test intervals. Furthermore, the MRT and MTTR were assumed by 8 hours. Therefore, the final SIL of the FDS was determined as SIL 2 by the PFD and the architectural constraints. Table 7: Determination of the architectural constraints of the FDS and each safety function System/Function Total failure rate (FIT) SFF Architectural constraints Fire detection system 5289.79 95.82 SIL 2 Main processing 1973.65 90.89 SIL 2 function Main interface and 507.17 97.09 SIL 2 power supply function Detector loop function 2728.40 99.05 SIL 3 External relay function 80.56 99.55 SIL 3 Table 8: Calculation of the PFD based on proof test intervals PFD Proof test interval ( T P ) Determination of SIL by probability measure 1.11 10 4 One month (730 h) SIL 3 5.14 10 4 Six month (4380 h) SIL 3 9.98 10 4 One year (8760 h) SIL 3 1.97 10 3 Two years (17520 h) SIL 2 9.71 10 3 Ten years (87600 h) SIL 2 CONCLUSIONS This study presented evaluation procedure for the hardware SIL and performed the case study about evaluating the hardware SIL of the FDS. In addition, several measures for the hardware SIL were effectively drawn using the FMEDA. All failure modes and effects of all included components should be examined from filling the FMEDA sheet. In addition, failure rates were adjusted based on operation environment such as operating temperature and electrical stress to be close to the realistic analysis. Consequently, the PFD and the architectural constraints of all safety functions were calculated and decided. The final outcomes which achieved SIL 2 were drawn. We are expecting that this study will be usefully applied for evaluating and verifying the hardware SIL of safety related systems. 363

ACKNOWLEDGEMENT This work was supported by Kyonggi University`s Graduate Research Assistantship 2017. REFERENCES [1] Functional safety of electrical/electronic/programmable electronic safety-related systems; IEC 61508; IEC: Geneva, Switzerland, April 2010. [2] Kosmowski, K. T., 2005, Functional safety concept for hazardous systems and new challenges, Journal of Loss Prevention in the Process Industries, 19(2-3), pp.298-305. [3] Yoshimura, I., and Sato, Y., 2008, Safety achieved by the safe failure fraction (SFF) in IEC 61508, IEEE Transactions on Reliability, 57, pp.662-669. [4] Goble, W. M., and Brombacher, A. C., 1999, Using a failure modes, effects and diagnostic analysis (FMEDA) to measure diagnostic coverage in programmable electronic systems, Reliability Engineering and System Safety, 66, pp.145-148. [5] Catelani, M., Ciani, L., and Luongo, V., 2010, The FMEDA approach to improve the safety assessment according to the IEC61508, Microelectronics Reliability, 50, pp.1230-1235. [6] Kim, S. K., and Kim, Y. S., 2013, An evaluation approach using a HARA & FMEDA for the hardware SIL, Journal of Loss Prevention in the Process Industries, 26, pp.1212-1220. [7] Reliability prediction procedure for electronic equipment; Telcordia SR-332 Issue 3; Telcordia Technologies, Inc.: New Jersey, USA, 2011. [8] Failure mode/ mechanism distributions; FMD-2013; Reliability Information Analysis Center (RIAC): New York, USA, 2013. 364

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information