Criteria for the Application of IEC 61508:2010 Route 2H

Transcription

1 Criteria for the Application of IEC 61508:2010 Route 2H Abstract Dr. William M. Goble, CFSE exida Sellersville, PA 18960, USA Dr. Julia V. Bukowski Villanova University Villanova, PA December 2016 This paper explains how exida applies the requirements of IEC61508:2010 Route 2H to its process of certifying devices for use in safety applications. White Paper, Criteria for the Application of IEC 61508:2010 Route 2H, Copyright 2016 exida. Page 1

2 Introduction Rather than having specific designs and a long list of specific rules that become obsolete, the IEC standard [1] allows any safety instrumented function (SIF) design to be implemented. The standard allows the design to use old products or new technology. The standard allows innovation and good engineering. However, any SIF design must be verified with documented performance metrics which must match risk reduction requirements in the form of safety integrity levels (SIL). In order to verify that a design meets the needed risk reduction, the designer must check three performance criteria [2]. This paper is devoted to one of those performance criteria, viz., minimal architectural constraints which, per IEC 61508, may be met in one of two ways, i.e., via Route 1H or Route 2H. Furthermore, this paper deals exclusively with Route 2H because, for practical purposes, Route 2H produces a realistic SIL level for a given design and does not impose artificial redundancy. This paper Describes the requirements of IEC 61508:2010 Route 2H, Discusses how exida s component failure rate and failure modes databases meet or exceed the data requirements of IEC 61508:2010 Route 2H, Delineates the criteria exida uses in applying Route 2H to certify devices in a given environment, Discusses the common situation of needing to certify a device, with a significant operational history that was previously certified in one environment, which will now be deployed in a new environment, and delineates the criteria exida uses to accomplish this certification. Requirements of IEC for Route 2H IEC Clause states that: In the context of hardware safety integrity, the highest safety integrity level that can be claimed for a safety function is limited by the hardware safety integrity constraints which shall be achieved by implementing one of two possible routes... Route 2H [is] based on component reliability data from feedback from end users, increased confidence levels and hardware fault tolerance for specified safety integrity levels. Clause specifies the minimum hardware fault tolerance (HFT) required for a SIF under Route 2H for the various SIL levels accounting for the SIF mode of operation, i.e., low, high or continuous demand mode. These requirements are summarized in Table 1 below. Table 1. IEC Route 2H HFT requirements. White Paper, Criteria for the Application of IEC 61508:2010 Route 2H, Copyright 2016 exida. Page 2

3 Clause clarifies the concept of reliability data from feedback from end users. It permits the use of field feedback at the element level, in addition to the use of data at the component level (per Clause ). An element may be an individual device or a collection of devices. Reliability data is reasonably interpreted as component/element failure rates. Clause requires that the failure rates take into account field feedback from components/elements in a similar environment and application, collected according to international standards, and evaluated according to the amount of field feedback, the exercise of expert judgement, and, possibly, the undertaking of specific tests. It is reasonable to assume that field feedback relates to field failure data (FFD) from end users. Confidence in the component/element failure rates increases with increasing amounts of FFD, i.e., number of hours of component/equipment operation. Note that IEC does not specify any minimum number of unit operating hours of FFD required. Thus, the IEC data requirements for applying Route 2H may be summarized as follows: Reliability data, i.e., failure rate data, from either components or elements in specific application environments Taking into account end user FFD, expert judgement and, perhaps, specific tests. How exida Meets or Exceeds the Data Requirements for Applying IEC Route 2H exida uses FMEDA techniques [3] to predict device failure rates (by failure mode) based on the failure rates and failure modes of the components comprising the device. The required component failure rates and failure modes databases have been constructed based on a combination of expert judgement and FFD [4]. The databases are periodically recalibrated and revalidated by comparison to FFD from end users [5, 6]. The component failure rates and failure modes databases include six different environmental profiles and contain data based on 100,000,000 hours or more of component operation. This is significantly more hours (and hence greater confidence) than can realistically be achieved by collecting data based on element failures and operating times and certainly exceeds the confidence levels intended to be achieved under IEC Certifying a Device via IEC 61508:2010 Route 2H SIL Mode Minimum HFT 1 Any 0 2 Low Demand 0 2 High or Continuous 1 3 Any 1 4 Any 2 White Paper, Criteria for the Application of IEC 61508:2010 Route 2H, Copyright 2016 exida. Page 3

4 When a device is submitted for certification under IEC 61508:2010 Route 2H, exida applies the following criteria: A device is certified by exida per IEC 61508:2010 Route 2H if and only if: the device is constructed entirely of components each of which has failure rate verified under IEC 61508:2010 Route 2H in the appropriate environment/application, each device component has a minimum of 100,000,000 recorded operational hours in the appropriate environment/application, the device has at least 2 units in field operation for a minimum of 1 calendar year each in the appropriate environment/application, expert engineering judgement concludes the device design is sound. If the device contains any new or unusual components, it will not be certified under Route 2H. Typically this concern arises in sensor devices, e.g., the incorporation of new technologies for gas detection. Certifying a Previously Certified Device for a New Environment via IEC 61508:2010 Route 2H In the oil and gas industry, it is common to have a device certified via Route 2H for a topside environment which is now to be deployed in a subsea environment. In the topside environment the device may have significant operational hours and accumulated FFD. However, this alone will not be sufficient for certification via Route 2H in a subsea environment. This situation of topside vs. subsea environment is not the only example of seeking certification for a previously certified device now deployed in a new environment but it is among the most common. The biggest concern in this type of situation is that the new environment may have an impact on the failure rates and modes of the device. Now, a lot is known about the impacts of environmental changes on the failure rates and modes of the device s components. Based on that knowledge, an expert can be asked to identify what impacts need to be considered. However, there is still the possibility that a previously unknown impact may arise. An example of a previously unknown impact arose with a stainless steel spool valve with a phosphor bronze sleeve which had previously been tested and certified while running in a dry air environment. A number of these spool valves were placed in service in a nitrogen only environment. After several months all the valves failed. Investigation of the failures revealed that the proper functioning of the stainless steel spool relied on an oxide coating which was depleted as the valve moved but was replenished by the oxygen in the air environment. In the nitrogen only environment there was no oxygen to replenish the oxide coating. Depletion of the oxide coating led to galling of the spool then binding then seizing of the valve. The addition of a lubricant solved the problem. White Paper, Criteria for the Application of IEC 61508:2010 Route 2H, Copyright 2016 exida. Page 4

5 It is possible that unknown impacts to component reliabilities will exist when the operating environment or application changes. It is possible that these effects will not be seen for long periods of time. However, exida s experience to date suggests that unanticipated problems due to environmental changes tend to appear in the shorter term. Consequently, a device with existing Route 2H certification that is deployed in a new environment is certified by exida per IEC 61508:2010 Route 2H if and only if: after expert engineering examination, it is determined that the known impacts of environmental changes on component failure rates still qualify all components in the device for 2H certification and to account for unknown impacts, the device has a minimum of 2 units (with 10 or more units preferred) in field operation in the new environment for a minimum of 1 calendar year each. References 1. IEC 61508, Functional Safety of electrical / electronic / programmable electronic safety related systems, Geneva: Switzerland, Safety Instrumented Function Verification: The Three Barriers, White Paper, PA: Sellersville, exida, Goble, W.M. and Brombacher, A.C., Using a Failure Modes, Effects and Diagnostic Analysis (FMEDA) to Measure Diagnostic Coverage in Programmable Electronic Systems, Reliability Engineering and System Safety, Vol. 66, No. 2, November Goble, W.M. and Bukowski, J.V., Development of a Mechanical Component Failure Database, Proceedings of the 2007 Annual Reliability and Maintainability Symposium, Orlando, FL, January 2007, pp Bukowski, J.V. and Goble, W.M., "Validation of a Mechanical Component Constant Failure Rate Database," 2009 Proceedings Annual Reliability and Maintainability Symposium, Fort Worth, TX, January 2009, Goble, W.M., Bukowski, J.V. and Stewart, L.L., Comparing FMEDA Predicted Failure Rates to OREDA Estimated Failure Rates for Sensor and Valve Assemblies, exida White Paper, exida, PA: Sellersville, April White Paper, Criteria for the Application of IEC 61508:2010 Route 2H, Copyright 2016 exida. Page 5