Fieldbus Foundation


Slide 1: Dr Hassan El-Sayed, Functional Safety Certification Manager, Functional Safety Department, Sira Test & Certification (a CSA company). hassan.el-sayed@siracertification.com, Tel: 0044 1244 670900. Multaqa, 12th Dec. 2011, Abu Dhabi.

Slide 2: Part 1, Definition of terms

Reliability: $R(t) = e^{-\lambda t}$ (1)

Availability: $A = \dfrac{\text{Mean up time}}{\text{Mean up time} + \text{Mean down time}} = \dfrac{MTBF}{MTBF + MDT}$

Slide 3: Applied MTBF calculation, both power conditioners active (figure: H1 segment, T1, T2, device coupler, 24 V)

$MTBF_{sys} = \dfrac{1}{(\lambda_{1a} + \lambda_{2b})\,\lambda_1\,MDT} = \dfrac{1}{\lambda_1^2\,MDT}$

$UA_{sys} = \lambda^2\,MDT \cdot MDT = \lambda^2\,MDT^2$

$A_{sys} = 1 - \lambda^2\,MDT^2$

Slide 4: Applied MTBF calculation, primary active, secondary warm standby (figure: H1 segment, T1, T2, device coupler, 24 V)

$MTBF_{sys} = \dfrac{1}{(\lambda_{1a} + \lambda_{2b})\,\lambda_1\,MDT} = \dfrac{1}{1.1\,\lambda_1^2\,MDT}$

$UA_{sys} = 1.1\,\lambda^2\,MDT \cdot MDT = 1.1\,\lambda^2\,MDT^2$

$A_{sys} = 1 - 1.1\,\lambda^2\,MDT^2$

Slide 5: Applied MTBF calculation, primary active, secondary cold standby (figure: H1 segment, T1, T2, device coupler, 24 V)

$MTBF_{sys} = \dfrac{1}{\lambda_1 \cdot \lambda_1 \cdot MDT} = \dfrac{1}{\lambda_1^2\,MDT}$

$UA_{sys} = \lambda^2\,MDT \cdot MDT = \lambda^2\,MDT^2$

$A_{sys} = 1 - \lambda^2\,MDT^2$

Slide 6: Applied MTBF calculation, both power conditioners active. MTBF figures of the components are extracted from articles 1 & 2, published in Measurement and Control Vol 44/3, April 2011 (www.instmc.org.uk).

- Power conditioner: 54 yrs, λ = 2.11E-06
- Redundant conditioner pair with backplane: 360 yrs, λ = 3.17E-07 (CCF = 1.06E-07; backplane = 2.11E-07; λ_T = 3.17E-07). Unavailability = 80 sec/year.
- Adding the field cable (λ = 1.5E-06) and the device coupler (50 yrs, 4 spurs, λ = 2.28E-06): λ_T = 4.1E-06; MTBF = 28 yrs. Unavailability = 17 min/year.

Slide 7: Single fault tolerant, both conditioners active (figure: H1, trunk T1, trunk T2, device coupler)

- Trunk T1: power conditioner 54 yrs, λ = 2.11E-06; backplane = 2.11E-07; cable = 1.50E-06; CCF = 1.86E-07. λ_T = 1.86E-07; MTBF = 613 yrs. Unavailability = 0 sec/year.
- Trunk T2 (with device coupler): power conditioner 54 yrs, λ = 2.11E-06; backplane = 2.11E-07; cable = 1.50E-06; CCF = 1.86E-07; device coupler = 2.28E-06. λ_T = 2.47E-06; MTBF = 46 yrs. Unavailability = 10 min/year.

Slide 8: FF power hub FMEA summary

Table 1: Single segment, redundant F.PC, no field cable and no device coupler; MTBF of F.PC = 54 yrs. See references in slide 6. Failure rates in failures per hour.

Redundant configuration  Power Cond. single  Power Cond. redundant  Common cause (5%)  Backplane  System failure rate
Active share             2.11E-06            3.58E-11               1.06E-07           2.11E-07   3.17E-07
Warm standby             2.11E-06            3.93E-11               1.06E-07           2.11E-07   3.17E-07
Cold standby             2.11E-06            3.58E-11               1.06E-07           2.11E-07   3.17E-07

Redundant configuration  System MTBF (hrs)  System MTBF (yrs)  Availability  Unavailability
Active share             3153244.48         359.96             0.999997463   0.00000254
Warm standby             3153208.94         359.96             0.999997463   0.00000254
Cold standby             3153244.48         359.96             0.999997463   0.00000254

Unavailability = 80 seconds / year (redundant, repairable).

Slide 9: FF power hub FMEA summary

Table 2: Single segment, redundant F.PC, including field cable and device coupler; MTBF of F.PC = 54 yrs. See references in slide 6. Failure rates in failures per hour.

Redundant configuration  Power Cond. single  Power Cond. redundant  Common cause (5%)  Backplane  Field cable  Device coupler  System failure rate
Active share             2.11E-06            3.58E-11               1.06E-07           2.11E-07   1.50E-06     2.28E-06        4.10E-06
Warm standby             2.11E-06            3.93E-11               1.06E-07           2.11E-07   1.50E-06     2.28E-06        4.10E-06
Cold standby             2.11E-06            3.58E-11               1.06E-07           2.11E-07   1.50E-06     2.28E-06        4.10E-06

Redundant configuration  System MTBF (hrs)  System MTBF (yrs)  Availability  Unavailability
Active share             243888.24          27.84              0.999967199   0.000033
Warm standby             243888.03          27.84              0.999967199   0.000033
Cold standby             243888.24          27.84              0.999967199   0.000033

Unavailability = 17 minutes / year (redundant, repairable).

Slide 10: FF fault tolerant FMEA summary

Table 3: Redundant segments, single F.PC per trunk, excluding device coupler; MTBF of F.PC = 54 yrs. See references in slide 6. Failure rates in failures per hour.

Redundant configuration  Power Cond. single  Backplane  Field cable  Single segment  Redundant segment  Common cause (5%)  System failure rate
Active share             2.11E-06            2.11E-07   1.50E-06     3.83E-06        1.17E-10           1.91E-07           1.91386E-07
Warm standby             2.11E-06            2.11E-07   1.50E-06     3.83E-06        1.29E-10           1.91E-07           1.91398E-07
Cold standby             2.11E-06            2.11E-07   1.50E-06     3.83E-06        1.17E-10           1.91E-07           1.91386E-07

Redundant configuration  System MTBF (hrs)  System MTBF (yrs)  Availability     Unavailability
Active share             5225034.23         596.47             0.9999999999999  0.0000000000001
Warm standby             5224714.65         596.43             0.9999999999999  0.0000000000001
Cold standby             5225034.23         596.47             0.9999999999999  0.0000000000001

Unavailability = 0 sec / year (redundant, repairable).

Slide 11: FF fault tolerant FMEA summary

Table 4: Redundant segments, single F.PC per trunk, including device coupler; MTBF of F.PC = 54 yrs. See references in slide 6. Failure rates in failures per hour.

Redundant configuration  Power Cond. single  Backplane  Field cable  Single segment  Redundant segment  Common cause (5%, single seg.)  Device coupler  System failure rate
Active share             2.11E-06            2.11E-07   1.50E-06     3.83E-06        1.17E-10           1.91E-07                        2.28E-06        2.47449E-06
Warm standby             2.11E-06            2.11E-07   1.50E-06     3.83E-06        1.29E-10           1.91E-07                        2.28E-06        2.4745E-06
Cold standby             2.11E-06            2.11E-07   1.50E-06     3.83E-06        1.17E-10           1.91E-07                        2.28E-06        2.47449E-06

Redundant configuration  System MTBF (hrs)  System MTBF (yrs)  Availability  Unavailability
Active share             404123.46          46.13              0.999980204   0.00001980
Warm standby             404121.55          46.13              0.999980204   0.00001980
Cold standby             404123.46          46.13              0.999980204   0.00001980

Unavailability = 10 minutes / year.

Slide 12: FF FMEA summary

Table 5: Summary of the MTBF and availability of a single segment with redundant F.PC, and of the fault-tolerant redundant segment. See references in slide 6.

Configuration                              MTBF (yrs)                          Unavailability
                                           cable out  cable in  coupler in     cable out  cable in  coupler in  replaceable spur
Redundant power cond., single segment      359.96     63.00     27.84          80 sec     7.6 min   17 min      10 min
Fault tolerance (redundant segments)       54.00      596.47    46.13          9 min      0 sec     10 min      3 min

Note: the replaceable-spur approach causes no disturbance to the rest of the segment.
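The failure-rate arithmetic behind slides 3 to 5 and Tables 1 to 4, as an added worked example; this script is not part of the original presentation. It uses the component figures quoted on slide 6 (54-yr conditioner, 50-yr device coupler, 1.5E-06 cable) and the redundancy formulas of slides 3 to 5 with the 5% common-cause beta of the tables. Two inputs the slides never state explicitly are assumptions: a mean down time MDT = 8 h and a backplane rate equal to 10% of the conditioner rate. They were chosen because they reproduce the slides' MTBF columns to the quoted precision. Availability is computed as A = MTBF/(MTBF + MDT) from slide 2, which reproduces the availability columns of Tables 1, 2 and 4; the 0.9999999999999 printed in Table 3 does not follow from that formula with Table 3's MTBF, so the script does not reproduce that one figure.

```python
"""Reproduce the FF power-hub / fault-tolerant FMEA figures from the slides.

Component rates are those of slide 6. MDT = 8 h and backplane = 10 % of the
conditioner rate are assumptions (they reproduce the tables' MTBF columns).
"""

HOURS_PER_YEAR = 8760.0
MDT_HOURS = 8.0        # assumption: mean down time used for every repairable item
BETA_CCF = 0.05        # "Common cause 5%" column of Tables 1 to 4

# Component failure rates in failures per hour (slide 6)
LAMBDA_PC = 1.0 / (54.0 * HOURS_PER_YEAR)       # 2.11E-06, fieldbus power conditioner
LAMBDA_BACKPLANE = 0.1 * LAMBDA_PC              # 2.11E-07, assumption (10 % of conditioner)
LAMBDA_CABLE = 1.5e-6                           # 1.50E-06, field cable
LAMBDA_COUPLER = 1.0 / (50.0 * HOURS_PER_YEAR)  # 2.28E-06, device coupler (50 yrs, 4 spurs)

# Multiplier on the redundant-pair term: slides 3 to 5 give 1, 1.1 and 1
STANDBY_FACTOR = {"active": 1.0, "warm": 1.1, "cold": 1.0}


def redundant_pair_rate(lam, mdt, mode):
    """Failure rate of two repairable items in parallel: k * lambda^2 * MDT (slides 3 to 5)."""
    return STANDBY_FACTOR[mode] * lam * lam * mdt


def availability(mtbf_hours, mdt_hours):
    """Slide 2: A = MTBF / (MTBF + MDT)."""
    return mtbf_hours / (mtbf_hours + mdt_hours)


def unavailability_seconds_per_year(a):
    return (1.0 - a) * HOURS_PER_YEAR * 3600.0


def summarise(system_rate):
    """Turn a system failure rate into the columns of Tables 1 to 4."""
    mtbf = 1.0 / system_rate
    a = availability(mtbf, MDT_HOURS)
    return {
        "rate": system_rate,
        "mtbf_hours": mtbf,
        "mtbf_years": mtbf / HOURS_PER_YEAR,
        "availability": a,
        "unavail_s_per_year": unavailability_seconds_per_year(a),
    }


def redundant_conditioner_segment(mode, with_field=False):
    """Tables 1 and 2: one segment, redundant power conditioners on a shared backplane."""
    rate = (redundant_pair_rate(LAMBDA_PC, MDT_HOURS, mode)
            + BETA_CCF * LAMBDA_PC          # common cause between the two conditioners
            + LAMBDA_BACKPLANE)             # single point: the backplane
    if with_field:
        rate += LAMBDA_CABLE + LAMBDA_COUPLER
    return summarise(rate)


def redundant_segments(mode, with_coupler=False):
    """Tables 3 and 4: two trunks, one power conditioner + backplane + cable each."""
    single_segment = LAMBDA_PC + LAMBDA_BACKPLANE + LAMBDA_CABLE   # 3.83E-06
    rate = (redundant_pair_rate(single_segment, MDT_HOURS, mode)
            + BETA_CCF * single_segment)    # common cause between the two trunks
    if with_coupler:
        rate += LAMBDA_COUPLER              # the coupler is still a single point
    return summarise(rate)


if __name__ == "__main__":
    cases = [("Table 1", redundant_conditioner_segment, {}),
             ("Table 2", redundant_conditioner_segment, {"with_field": True}),
             ("Table 3", redundant_segments, {}),
             ("Table 4", redundant_segments, {"with_coupler": True})]
    for name, fn, kw in cases:
        for mode in ("active", "warm", "cold"):
            r = fn(mode, **kw)
            print(f"{name} {mode:6s} rate={r['rate']:.5e}/h  MTBF={r['mtbf_hours']:.2f} h "
                  f"({r['mtbf_years']:.2f} yr)  A={r['availability']:.9f}  "
                  f"UA={r['unavail_s_per_year']:.0f} s/yr")
```

Changing MDT_HOURS shows why slide 24 insists the certificate state the MDT: the redundant-pair term scales linearly with it, and unavailability of every configuration scales with it as well, so a site that takes longer than the assumed 8 h to repair a failed conditioner does not get the tabulated 80 seconds per year.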

Slide 13: Summary

The fieldbus power conditioner must have a high MTBF; this can be achieved with an individual power conditioner per segment, in order to achieve very high availability. The device coupler must also have a high MTBF. This can be achieved by:
1. duplicating the circuits that are single points of (common-cause) failure;
2. using independent single-spur modules.
For critical applications in FF-SIF, where safety depends on availability, a complete fault-tolerant topology that takes the points above into account is highly recommended.

Slide 14: Part 2, Understanding FF-SIF SIL Certification

Slide 15: Role of certification?

- An independent Functional Safety Assessment (FSA) is required for all overall, E/E/PES and software lifecycle phases (IEC 61508-1, 7).
- Certification = FSA (with a specified scope). Particularly relevant for mass-produced instruments.
- Certificates should be trusted documents (contents / process used).
- Is it saying functional safety has been achieved (for a specified scope)? No.
- Is it saying compliance with the standard (for a specified scope)? Yes.
- Who is the certificate primarily intended for: the supplier, the purchaser or the user? It is a technical document (the certificate holder may have a marketing motive).

Slide 16: Real example no. 1 (certificate) and real example no. 2 (solenoid valve)

Real example no. 2 states: "Solenoid valve achieves SIL 4 per IEC 61508. In accordance with 7.4.4.3, the highest Safety Integrity Level (SIL) that can be claimed for a safety function using this sub-system in a single channel is SIL 3. λ_D = 2.3 x 10^-10 per hour (m); PFD = 2.0 x 10^-7; MTTF (dangerous) = 500,000 yrs; MTBF (total) = 5,000 yrs." (pg 7)

Is this information good enough to select the product for SIL 4 capability?

Slide 17: Real example no. 3: a Type B element certified with an IEC 61511-1 scope.

Slide 18: Real example no. 4 (certificate claiming SIL 1). The safe failure fraction formula printed on the certificate is wrong:

$SFF = \dfrac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{SU} + \lambda_{DD}}$ (wrong: λ_SU is counted twice in the denominator and λ_DU is missing)

The definition in IEC 61508-2 is $SFF = \dfrac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}}$; omitting λ_DU can only inflate the claimed SFF.

Slide 19: Applying SIL to a device

The SIL capability of an instrument is certainly an important parameter, but:
- there are dangers in putting "SIL <no.>" as a headline on the certificate;
- once a SIL is stated, there is a tendency to ignore the rest of the certificate.
Remember, the SIL is a parameter of the safety function performed by a SIS (sensor to final element), not of the individual elements. So, what should be certified on an instrument?

Slide 20: Scope of certification

In order to engineer a safety function, what does the system designer need to know about the constituent elements?
- Is the failure data defined for the instrument in the mode in which the system designer intends to use it?
- Has the instrument been developed with an appropriate degree of rigour in relation to its use in safety functions?
That is, in order to decide an instrument's SIL capability, we need to know certain details about its:
- hardware safety integrity (numerical failure data / HFT / SFF / type);
- systematic safety integrity (define the compliance route, e.g. Route 1S, 2S or 3S).
Both have to be achieved (at the specified SIL) for the device to be capable.

Slide 21: What do "safe" and "dangerous" mean?

The terms safe failure and dangerous failure, and hence the safe failure fraction for an instrument, are only relevant with respect to the specific application safety mode. For example, if λ_TO OPEN = 50 FITs and λ_TO CLOSE = 500 FITs, then the SFF is either 50/(50+500) = 9% or 500/(50+500) = 91%, depending on which failure mode is the dangerous one in the application.

Don't reject a certificate for an instrument where the specific safety context is not defined and hence no SFF is given; this might be totally appropriate.

Slide 22: FMEA product data, open mode (figure)

Slide 23: FMEA product data, close mode (figure)

Slide 24: Hardware fault tolerance (HFT)

Where devices have internal HFT, is the certificate clear about the following?
- The product condition under a fault in one channel should be detected and reported.
- The MDT should be stated (and must not be exceeded) for the failure data to remain valid.
- The proof test method needs to exercise each channel independently.
- Some certificates state "HFT = 0 (1)", meaning an HFT of 1 that has been reduced to 0 on the basis of prior use. Check that claim.
- Lack of independence between channels should be accounted for (β factor).

Slide 25: Probability of Failure on Demand (PFD)

If a PFD is quoted for an instrument, remember this is actually a SIF parameter and is also governed by the proof test. The simplified equation is:

$PFD_{AVG} = \dfrac{\lambda_{DU}\,T}{2}$ (T = proof test interval; the figure shows PFD rising with time between proof tests)

Is the T used in the instrument FMEA the same as that used by the end user? The same is true for MTTR (mean time to repair, for λ_DD failures).
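A set of worked checks for slides 18, 21, 24 and 25, added here as an example; it is not from the presentation. It implements the SFF definition of IEC 61508-2 beside the wrong formula of real example no. 4, the open/close-mode SFF of slide 21 with the slide's own 50 and 500 FITs, the Route 1H architectural-constraint tables (IEC 61508-2 Tables 2 and 3) for reading an HFT/SFF/type claim, the slide 25 PFD_AVG = λ_DU·T/2, and the simplified 1oo2 PFD_AVG with a β factor from IEC 61508-6 to show the slide 24 point about channel independence. The element failure rates, proof-test intervals and β = 5% used in the demonstration are constructed values, not data from the page.

```python
"""Certificate-reading checks for SFF, HFT and PFD (added example; inputs are constructed)."""

FIT = 1e-9  # one failure per 1e9 hours


def sff(lam_sd, lam_su, lam_dd, lam_du):
    """Safe failure fraction, IEC 61508-2: (SD + SU + DD) / (SD + SU + DD + DU)."""
    return (lam_sd + lam_su + lam_dd) / (lam_sd + lam_su + lam_dd + lam_du)


def sff_as_printed_on_example_4(lam_sd, lam_su, lam_dd, lam_du):
    """The wrong formula of slide 18: SU counted twice, DU missing from the denominator."""
    return (lam_sd + lam_su + lam_dd) / (lam_sd + lam_su + lam_su + lam_dd)


def sff_for_safety_mode(lam_to_open, lam_to_close, safe_state):
    """Slide 21: the same two failure modes give a different SFF depending on which
    state is the safe one. No diagnostics are assumed, so both rates are 'undetected'."""
    if safe_state == "open":
        return sff(0.0, lam_to_open, 0.0, lam_to_close)
    if safe_state == "close":
        return sff(0.0, lam_to_close, 0.0, lam_to_open)
    raise ValueError(f"unknown safe state {safe_state!r}")


# Route 1H architectural constraints, IEC 61508-2 Table 2 (Type A) and Table 3 (Type B):
# (upper SFF bound, (max SIL at HFT 0, HFT 1, HFT 2)); None = element may not be used.
_ROUTE_1H = {
    "A": ((0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (2.0, (3, 4, 4))),
    "B": ((0.60, (None, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (2.0, (3, 4, 4))),
}


def max_sil_route_1h(sff_value, hft, element_type):
    """Highest SIL the hardware safety integrity supports for a given SFF, HFT and type."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    for upper, sils in _ROUTE_1H[element_type]:
        if sff_value < upper:
            return sils[hft]
    raise ValueError("SFF must be in [0, 1]")


def pfd_avg_1oo1(lam_du, proof_test_hours):
    """Slide 25: PFDavg = lambda_DU * T / 2 for a single channel, no diagnostic credit."""
    return lam_du * proof_test_hours / 2.0


def pfd_avg_1oo2(lam_du, proof_test_hours, beta):
    """IEC 61508-6 simplified 1oo2 with beta-factor common cause, MTTR neglected:
    PFDavg = ((1 - beta) lambda_DU T)^2 / 3 + beta lambda_DU T / 2."""
    t = proof_test_hours
    return ((1.0 - beta) * lam_du * t) ** 2 / 3.0 + beta * lam_du * t / 2.0


def sil_band_from_pfd(pfd):
    """Low-demand SIL bands, IEC 61508-1 Table 2. 0 means no SIL claim is possible."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


if __name__ == "__main__":
    # Slide 21: 50 FITs to open, 500 FITs to close.
    for state in ("open", "close"):
        print(f"safe state {state}: SFF = {sff_for_safety_mode(50 * FIT, 500 * FIT, state):.0%}")
    # Constructed rates: the wrong formula moves a Type B, HFT 0 element from
    # 'not allowed' (SFF < 60 %) into the SIL 1 band.
    rates = (100 * FIT, 100 * FIT, 100 * FIT, 220 * FIT)   # SD, SU, DD, DU
    print("correct SFF", f"{sff(*rates):.1%}", "->", max_sil_route_1h(sff(*rates), 0, "B"))
    print("example-4 SFF", f"{sff_as_printed_on_example_4(*rates):.1%}", "->",
          max_sil_route_1h(sff_as_printed_on_example_4(*rates), 0, "B"))
    # Constructed proof-test intervals: the same element lands in different SIL bands.
    for years in (1, 5):
        p = pfd_avg_1oo1(500 * FIT, years * 8760)
        print(f"1oo1, T = {years} yr: PFDavg = {p:.2e} (SIL {sil_band_from_pfd(p)} band)")
    # Constructed beta: common cause, not the squared term, decides the 1oo2 result.
    for beta in (0.0, 0.05):
        p = pfd_avg_1oo2(500 * FIT, 8760, beta)
        print(f"1oo2, beta = {beta:.0%}: PFDavg = {p:.2e} (SIL {sil_band_from_pfd(p)} band)")
```

The last loop is the numerical form of the slide 24 caveat: with β = 0 the 1oo2 pair sits in the SIL 4 band, while a 5% β term alone puts it in the SIL 3 band, so a certificate that quotes dual-channel failure data without a β factor and a stated MDT is not giving the system designer a usable number.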

Slide 26: Embedded software

For devices that include software, expect to see an explicit statement of conformity in the certificate.
- SIL does not apply in the same way as for hardware (i.e., it is not a probabilistic rate).
- The certificate is a statement that the software has been developed according to a compliant process (IEC 61508-3, clause 7), using appropriate techniques and measures (IEC 61508-3, Annexes).
- The assessment should include justification for the development tool chain.
- If sufficient valid data is available (millions of operational hours), it is possible to use a statistical approach (IEC 61508-7, Annex D).

Slide 27: An example certification scheme: CASS (Conformity Assessment of Safety-related Systems)

- An open, transparent methodology and framework for assessment to IEC 61508 (and sector standards) by accredited certification bodies. Unique!
- Requirements are all in the public domain, so there are no hidden surprises.
- Originally a UK government funded initiative (year 2000), designed by industry for industry.
- Sira's UKAS accreditation requires the use of the CASS Scheme.
- CASS is a collective interpretation of IEC 61508 (etc.); this ensures the assessor's ego is kept in check! (About 60 companies contributed.)

Slide 28: Summary

Certificate:
- contains all the information the reader/user requires (or else gives references);
- the scope is clear: hardware / systematic safety integrity / FS management;
- any conditions/restrictions on use are stated.
Report:
- structure and contents are largely governed by the scheme used (e.g., proprietary, CASS);
- conformity to every relevant 61508 clause can be traced (so it is auditable).
