Dr Hassan El-Sayed, Functional Safety Certification Manager, Sira Test & Certification (a CSA company), Functional Safety Department. hassan.el-sayed@siracertification.com, Tel: 00441244670900. Multaqa, 12th Dec. 2011, Abu Dhabi. (slide 1)
Part 1: Definition of terms
- Reliability: $R(t) = e^{-\lambda t}$ (1)
- Availability: $A = \dfrac{\text{Mean up time}}{\text{Mean up time} + \text{Mean down time}} = \dfrac{MTBF}{MTBF + MDT}$ (slide 2)
Applied MTBF calculation: both power conditioners active. [diagram: supply H1, trunks T1/T2, device coupler, 24 V]
$MTBF_{sys} = \dfrac{1}{(\lambda_{1a} + \lambda_{2b})\,\lambda_1\,MDT} = \dfrac{1}{\lambda_1^2\,MDT}$
$UA_{sys} = \lambda^2\,MDT \times \dfrac{MDT}{2}$
$A_{sys} = 1 - 0.5\,\lambda^2\,MDT^2$ (slide 3)
Applied MTBF calculation: primary active, secondary warm standby. [diagram: supply H1, trunks T1/T2, device coupler, 24 V]
$MTBF_{sys} = \dfrac{1}{(\lambda_{1a} + \lambda_{2b})\,\lambda_1\,MDT} = \dfrac{1}{1.1\,\lambda_1^2\,MDT}$
$UA_{sys} = 1.1\,\lambda^2\,MDT \times \dfrac{MDT}{2}$
$A_{sys} = 1 - 1.1\,\lambda^2\,MDT \times \dfrac{MDT}{2}$ (slide 4)
Applied MTBF calculation: primary active, secondary cold standby. [diagram: supply H1, trunks T1/T2, device coupler, 24 V]
$MTBF_{sys} = \dfrac{1}{\lambda_1 \cdot \lambda_1\,MDT} = \dfrac{1}{\lambda_1^2\,MDT}$
$UA_{sys} = \lambda^2\,MDT \times \dfrac{MDT}{2}$
$A_{sys} = 1 - \lambda^2\,MDT \times \dfrac{MDT}{2}$ (slide 5)
Applied MTBF calculation: both power conditioners active, with component figures. MTBF figures of components are extracted from articles 1 & 2, published in Measurement and Control Vol 44/3, April 2011 (www.instmc.org.uk).
- Power conditioner (H1): MTBF 54 yrs, λ = 2.11e-06
- Redundant power conditioners with backplane (no field cable, no device coupler): CCF = 1.06E-07; backplane = 2.11E-07; λT = 3.17E-07; MTBF = 360 yrs; unavailability = 80 sec/year
- Including field cable and device coupler (trunks T1/T2 to the device coupler, 24 V): cable = 1.5E-06; device coupler (50 yrs, 4 spurs) = 2.28E-06; λT = 4.1E-06; MTBF = 28 yrs; unavailability = 17 min/year (slide 6)
Single fault tolerant, both conditioners active.
- Trunk T1 (power conditioner 54 yrs, λ = 2.11e-06; backplane = 2.11E-07; cable = 1.50E-06; CCF = 1.86E-07): λT = 1.86E-07; MTBF = 613 yrs; unavailability = 0 sec/year
- Trunk T2 with device coupler (power conditioner 54 yrs, λ = 2.11e-06; backplane = 2.11E-07; cable = 1.50E-06; CCF = 1.86E-07; device coupler = 2.28E-06): λT = 2.47E-06; MTBF = 46 yrs; unavailability = 10 min/year (slide 7)
Table 1: Single segment, redundant F.PC, no field cable and no device coupler; MTBF of F.PC = 54 yrs. See references in slide 6. (FF power hub FMEA summary; redundant, repairable.)

Failure rates (per hour):
Configuration | Power cond. single | Power cond. redundant | Common cause (5%) | Backplane | System failure rate
Active share  | 2.11E-06 | 3.58E-11 | 1.06E-07 | 2.11E-07 | 3.17E-07
Warm standby  | 2.11E-06 | 3.93E-11 | 1.06E-07 | 2.11E-07 | 3.17E-07
Cold standby  | 2.11E-06 | 3.58E-11 | 1.06E-07 | 2.11E-07 | 3.17E-07

Configuration | System MTBF (hrs) | System MTBF (yrs) | Availability | Unavailability
Active share  | 3153244.48 | 359.96 | 0.999997463 | 0.00000254
Warm standby  | 3153208.94 | 359.96 | 0.999997463 | 0.00000254
Cold standby  | 3153244.48 | 359.96 | 0.999997463 | 0.00000254

Unavailability = 80 seconds / year (slide 8)
Table 2: Single segment, redundant F.PC, including field cable and device coupler; MTBF of F.PC = 54 yrs. See references in slide 6. (FF power hub FMEA summary; redundant, repairable.)

Failure rates (per hour):
Configuration | Power cond. single | Power cond. redundant | Common cause (5%) | Backplane | Field cable | Device coupler | System failure rate
Active share  | 2.11E-06 | 3.58E-11 | 1.06E-07 | 2.11E-07 | 1.50E-06 | 2.28E-06 | 4.10E-06
Warm standby  | 2.11E-06 | 3.93E-11 | 1.06E-07 | 2.11E-07 | 1.50E-06 | 2.28E-06 | 4.10E-06
Cold standby  | 2.11E-06 | 3.58E-11 | 1.06E-07 | 2.11E-07 | 1.50E-06 | 2.28E-06 | 4.10E-06

Configuration | System MTBF (hrs) | System MTBF (yrs) | Availability | Unavailability
Active share  | 243888.24 | 27.84 | 0.999967199 | 0.000033
Warm standby  | 243888.03 | 27.84 | 0.999967199 | 0.000033
Cold standby  | 243888.24 | 27.84 | 0.999967199 | 0.000033

Unavailability = 17 minutes / year (slide 9)
Table 3: Redundant segments, single F.PC per trunk, excluding device coupler; MTBF of F.PC = 54 yrs. See references in slide 6. (FF fault tolerant FMEA summary; redundant, repairable.)

Failure rates (per hour):
Configuration | Power cond. single | Backplane | Field cable | Single segment | Redundant segment | Common cause (5%) | System failure rate
Active share  | 2.11E-06 | 2.11E-07 | 1.50E-06 | 3.83E-06 | 1.17E-10 | 1.91E-07 | 1.91386E-07
Warm standby  | 2.11E-06 | 2.11E-07 | 1.50E-06 | 3.83E-06 | 1.29E-10 | 1.91E-07 | 1.91398E-07
Cold standby  | 2.11E-06 | 2.11E-07 | 1.50E-06 | 3.83E-06 | 1.17E-10 | 1.91E-07 | 1.91386E-07

Configuration | System MTBF (hrs) | System MTBF (yrs) | Availability | Unavailability
Active share  | 5225034.23 | 596.47 | 0.9999999999999 | 0.0000000000001
Warm standby  | 5224714.65 | 596.43 | 0.9999999999999 | 0.0000000000001
Cold standby  | 5225034.23 | 596.47 | 0.9999999999999 | 0.0000000000001

Unavailability = 0 sec / year (slide 10)
Table 4: Redundant segments, single F.PC per trunk, including device coupler; MTBF of F.PC = 54 yrs. See references in slide 6. (FF fault tolerant FMEA summary.)

Failure rates (per hour):
Configuration | Power cond. single | Backplane | Field cable | Single segment | Redundant segment | Common cause (5%, single seg.) | Redundant | Device coupler
Active share  | 2.11E-06 | 2.11E-07 | 1.50E-06 | 3.83E-06 | 1.17E-10 | 1.91E-07 | 1.91E-07 | 2.28E-06
Warm standby  | 2.11E-06 | 2.11E-07 | 1.50E-06 | 3.83E-06 | 1.29E-10 | 1.91E-07 | 1.91E-07 | 2.28E-06
Cold standby  | 2.11E-06 | 2.11E-07 | 1.50E-06 | 3.83E-06 | 1.17E-10 | 1.91E-07 | 1.91E-07 | 2.28E-06

Configuration | System failure rate | System MTBF (hrs) | System MTBF (yrs) | Availability | Unavailability
Active share  | 2.47449E-06 | 404123.46 | 46.13 | 0.999980204 | 0.00001980
Warm standby  | 2.4745E-06  | 404121.55 | 46.13 | 0.999980204 | 0.00001980
Cold standby  | 2.47449E-06 | 404123.46 | 46.13 | 0.999980204 | 0.00001980

Unavailability = 10 minutes / year (slide 11)
Table 5: Summary of the MTBF and availability of a single segment with redundant F.PC, and of a fault-tolerant redundant segment. See references in slide 6. (FF FMEA summary.)

Redundant configuration | MTBF (yrs), field cable out | MTBF (yrs), field cable in | MTBF (yrs), coupler in | Unavailability, cable out | Unavailability, cable in | Unavailability, coupler in | Unavailability, replaceable spur
R. power cond., single segment | 359.96 | 63.00 | 27.84 | 80 sec | 7.6 min | 17 min | 10 min
Fault tolerance | 54.00 | 596.47 | 46.13 | 9 min | 0 sec | 10 min | 3 min

Note: the replaceable spur approach has no disturbance to the rest of the segment. (slide 12)
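The following Python script is an added worked example, not part of the slide deck or of Sira's own calculations. It applies the slide 3 to 5 relations (redundant pair rate = k·λ²·MDT with k = 1 for active share and cold standby and 1.1 for warm standby; common cause = 5% of the single-channel rate; availability = MTBF/(MTBF+MDT) from slide 2) to the component failure rates quoted in slide 6, and reproduces the system rate, MTBF and unavailability columns of Tables 1 and 2 and the MTBF column of Table 3. The value MDT = 8 h is an assumption of this example: it is the mean down time that makes the "Power cond. redundant" column of Table 1 (3.58E-11) come out of λ²·MDT, and the tables themselves do not state it.

```python
"""FMEA-style failure-rate roll-up for a Foundation Fieldbus power segment.

Added example (not from the slide deck).  Formulas: redundant pair rate
k * lambda^2 * MDT (k = 1 active/cold, 1.1 warm, slides 3-5); common cause
beta * lambda_single with beta = 5% (table headers); A = MTBF / (MTBF + MDT)
(slide 2).  MDT = 8 h is an ASSUMPTION chosen because it reproduces the
redundant-pair column of Table 1; the deck does not quote it.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
SECONDS_PER_YEAR = 365.0 * 24 * 3600

# Warm standby: (lambda_1a + lambda_2b) = 1.1 * lambda_1 (slide 4)
REDUNDANCY_FACTOR = {"active": 1.0, "warm": 1.1, "cold": 1.0}


@dataclass
class SegmentResult:
    pair_rate: float       # contribution of the redundant pair, k * lambda^2 * MDT
    ccf_rate: float        # common-cause contribution, beta * lambda_single
    system_rate: float     # total system failure rate, per hour
    mtbf_hours: float
    mtbf_years: float
    availability: float
    unavailability: float
    unavailable_seconds_per_year: float


def redundant_pair_rate(lam, mdt_hours, config):
    """Failure rate of two repairable redundant channels (slides 3-5)."""
    return REDUNDANCY_FACTOR[config] * lam * lam * mdt_hours


def segment_summary(redundant_channel_rate, series_rates, mdt_hours=8.0,
                    beta=0.05, config="active"):
    """Roll up one redundant pair plus series elements, with beta common cause."""
    pair = redundant_pair_rate(redundant_channel_rate, mdt_hours, config)
    ccf = beta * redundant_channel_rate
    system = pair + ccf + sum(series_rates)
    mtbf_h = 1.0 / system
    avail = mtbf_h / (mtbf_h + mdt_hours)          # A = MTBF / (MTBF + MDT)
    unavail = 1.0 - avail                          # ~ lambda_sys * MDT
    return SegmentResult(pair, ccf, system, mtbf_h, mtbf_h / HOURS_PER_YEAR,
                         avail, unavail, unavail * SECONDS_PER_YEAR)


# Component failure rates per hour quoted in slide 6
POWER_CONDITIONER = 2.11e-6   # 54 yrs MTBF
BACKPLANE = 2.11e-7
FIELD_CABLE = 1.50e-6
DEVICE_COUPLER = 2.28e-6      # 50 yrs, 4 spurs


def table1(config="active"):
    """Redundant power conditioner with backplane only (Table 1)."""
    return segment_summary(POWER_CONDITIONER, [BACKPLANE], config=config)


def table2(config="active"):
    """Table 1 plus field cable and device coupler in series (Table 2)."""
    return segment_summary(POWER_CONDITIONER,
                           [BACKPLANE, FIELD_CABLE, DEVICE_COUPLER], config=config)


def table3(config="active"):
    """Redundant segments: the whole trunk (conditioner + backplane + cable)
    is the redundant channel and nothing is left in series (Table 3, MTBF)."""
    trunk = POWER_CONDITIONER + BACKPLANE + FIELD_CABLE
    return segment_summary(trunk, [], config=config)


if __name__ == "__main__":
    for name, fn in (("Table 1", table1), ("Table 2", table2), ("Table 3", table3)):
        for cfg in ("active", "warm", "cold"):
            r = fn(cfg)
            print(f"{name} {cfg:6s} system={r.system_rate:.3e}/h "
                  f"MTBF={r.mtbf_years:7.2f} yrs A={r.availability:.9f} "
                  f"U={r.unavailable_seconds_per_year:7.1f} s/yr")
```

Running it gives about 3.17E-07/h, 360 yrs and 80 s/yr for Table 1 and 4.10E-06/h, 27.9 yrs and 17 min/yr for Table 2, matching the deck to rounding. For Table 3 the MTBF (about 597 yrs) matches, but the simple λ·MDT unavailability model used here gives tens of seconds per year rather than the effectively zero figure the deck reports, so the script only checks the MTBF column there.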
Summary
- The fieldbus power conditioner must have a high MTBF; this can be achieved by an individual power conditioner, in order to achieve very high availability.
- The device coupler must have a high MTBF. This can be achieved by:
  1- Duplicating common-cause single-fault circuits.
  2- Independent single spur modules.
- For critical applications in FF-SIF, where safety depends on availability, a complete fault-tolerant topology that takes the points above into account for high availability is highly recommended. (slide 13)
Part 2: Understanding FF-SIF SIL certification (slide 14)
Role of certification?
- An independent Functional Safety Assessment (FSA) is required for all overall, E/E/PES and software lifecycle phases (IEC 61508-1, clause 7).
- Certification = FSA (with a specified scope); particularly relevant for mass-produced instruments.
- Certificates should be trusted documents (contents / process used).
- Is it saying functional safety has been achieved (for a specified scope)? No.
- Is it saying compliance with the standard (for a specified scope)? Yes.
- Who is the certificate primarily intended for: the supplier, purchaser or user? It is a technical document (the certificate holder may have a marketing motive). (slide 15)
Real example no. 1: a certificate stating "Achieves SIL4 per IEC 61508" while also stating that, in accordance with 7.4.4.3, the highest Safety Integrity Level (SIL) that can be claimed for a safety function using this sub-system in a single channel is SIL 3.
Real example no. 2: a solenoid valve certificate quoting λD = 2.3 × 10^-10 per hour (m); PFD = 2.0 × 10^-7; MTTF (dangerous) = 500,000 yrs; MTBF (total) = 5,000 yrs.
Is this information good enough to select the product for SIL 4 capability? (pg 7) (slide 16)
Real example no. 3: Type B, IEC 61511-1 scope. (slide 17)
Real example no. 4: a certificate stating SIL 1 (marked "wrong" on the slide) and giving the safe failure fraction as
SFF = (λSD + λSU + λDD) / (λSD + λSU + λSU + λDD)  (marked "wrong" on the slide) (slide 18)
Applying SIL to a device
- The SIL capability of an instrument is certainly an important parameter, but there are dangers in putting "SIL <no.>" as a headline on the certificate: once a SIL is stated, there is a tendency to ignore the rest of the certificate.
- Remember, the SIL is a parameter of the safety function performed by a SIS (sensor to final element), not of the individual elements.
- So, what should be certified on an instrument? (slide 19)
Scope of certification
In order to engineer a safety function, what does the system designer need to know about the constituent elements?
- Is the failure data defined for the instrument, for the mode in which the system designer intends to use the instrument?
- Has the instrument been developed with an appropriate degree of rigour in relation to its use in safety functions? I.e., in order to decide an instrument's SIL capability, we need to know certain details about its:
  - hardware safety integrity (numerical failure data / HFT / SFF / type)
  - systematic safety integrity (define the compliance route, e.g. Route 1S, 2S, 3S)
- Both have to be achieved (at the specified SIL) for the device to be capable. (slide 20)
What do "safe" and "dangerous" mean?
- The terms safe failure, dangerous failure and hence the safe failure fraction for an instrument are only relevant with respect to the specific application safety mode.
- For example, if λ(to open) = 50 FITs and λ(to close) = 500 FITs, then the SFF is either 50/(50+500) = 9% or 500/(50+500) = 91%, depending on which failure mode is applicable.
- Don't reject a certificate for an instrument where the specific safety context is not defined and hence no SFF is given; this might be totally appropriate! (slide 21)
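The following Python script is an added example (not from the slide deck) covering the points on slides 20 and 21: it classifies the two valve failure modes quoted above (50 FIT fail-to-open, 500 FIT fail-to-close) as safe or dangerous according to the demanded safety action, computes the SFF with each term counted once (the double-counted denominator shown on slide 18 is what the comment warns against), and then looks up the maximum SIL the hardware can support for a given HFT and element type using the Route 1H architectural-constraint tables of IEC 61508-2 (Tables 2 and 3). The optional diagnostic-coverage split into λDD and λDU is a constructed parameter of this example, not a figure from the slides.

```python
"""Safe failure fraction by application safety mode, plus the IEC 61508-2
Route 1H architectural-constraint lookup.

Added example, not from the slides.  The valve rates (50 FIT fail-to-open,
500 FIT fail-to-close) are those quoted on slide 21; the HFT/SFF limits are
IEC 61508-2 Tables 2 (type A) and 3 (type B).  diag_coverage is a constructed
parameter used only to show the general lambda_DD / lambda_DU split.
"""


def sff(lambda_safe, lambda_dd, lambda_du):
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU).

    lambda_safe already covers both SD and SU safe failures; listing any term
    twice in the denominator (as on the certificate in slide 18) is an error.
    """
    total = lambda_safe + lambda_dd + lambda_du
    if total <= 0:
        raise ValueError("no failure rate given")
    return (lambda_safe + lambda_dd) / total


def valve_sff(lambda_to_open, lambda_to_close, safety_action, diag_coverage=0.0):
    """Assign the two valve failure modes to safe/dangerous for the demanded action.

    safety_action == "open": the valve must open on demand, so fail-to-open is
    dangerous and fail-to-close is safe; "close" swaps the roles.
    diag_coverage is the fraction of dangerous failures that diagnostics detect.
    """
    if safety_action == "open":
        lambda_d, lambda_s = lambda_to_open, lambda_to_close
    elif safety_action == "close":
        lambda_d, lambda_s = lambda_to_close, lambda_to_open
    else:
        raise ValueError("safety_action must be 'open' or 'close'")
    lambda_dd = diag_coverage * lambda_d
    lambda_du = lambda_d - lambda_dd
    return sff(lambda_s, lambda_dd, lambda_du)


# IEC 61508-2 Tables 2 and 3: (upper SFF bound of band, max SIL for HFT 0/1/2).
# Bands: <60%, 60% to <90%, 90% to <99%, >=99%.  None = not allowed.
_ROUTE_1H = {
    "A": [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (1.01, (3, 4, 4))],
    "B": [(0.60, (None, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (1.01, (3, 4, 4))],
}


def max_sil_route_1h(sff_value, hft, element_type):
    """Highest SIL claimable for a subsystem from its SFF, HFT and type (Route 1H)."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    for upper, sils in _ROUTE_1H[element_type.upper()]:
        if sff_value < upper:
            return sils[hft]
    raise ValueError("SFF must lie between 0 and 1")


if __name__ == "__main__":
    open_mode = valve_sff(50, 500, "open")
    close_mode = valve_sff(50, 500, "close")
    print(f"SFF if the valve must open on demand:  {open_mode:.1%}")   # 90.9%
    print(f"SFF if the valve must close on demand: {close_mode:.1%}")  # 9.1%
    for mode, value in (("open", open_mode), ("close", close_mode)):
        print(f"  {mode}: type A, HFT=0 -> max SIL {max_sil_route_1h(value, 0, 'A')}")
```

Note that the same valve, with the same failure data, lands in a different SFF band (and so a different architectural SIL limit) depending only on which action the safety function demands, which is why a certificate that leaves the safety mode undefined cannot state a single SFF. The lookup also shows the point of real example no. 1: a type A element with HFT = 0 tops out at SIL 3 whatever its SFF.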
FMEA product data, open mode. (slide 22)
FMEA product data, close mode. (slide 23)
Hardware fault tolerance (HFT)
Where devices have internal HFT, is the certificate clear about the following?
- The product condition under a fault in one channel should be detected and reported.
- The MDT should be stated (and must not be exceeded) for the failure data to be valid.
- The proof-test method needs to exercise each channel independently.
- Some certificates use HFT = 0 (1), meaning it is reduced to 0 due to prior use. Check that???
- Lack of independence between channels should be accounted for (β factor). (slide 24)
Probability of Failure on Demand (PFD)
- If a PFD is quoted for an instrument, remember this is actually a SIF parameter and is also governed by the proof test. The simplified equation is $PFD_{AVG} = \lambda_{DU}\,T / 2$ (T = proof test interval). [figure: PFD plotted against time, with the proof-test interval T]
- Is the T used in the instrument FMEA the same as that used by the end user?
- The same is true for MTTR (mean time to repair, for λDD failures). (slide 25)
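The following Python script is an added example, not from the slide deck. It implements the simplified relation above, PFD_avg = λDU·T/2, extended with the λDD·MTTR term for detected dangerous failures that the last bullet refers to, maps the result onto the low-demand SIL bands of IEC 61508-1 Table 2, and shows the two questions the slide asks in numbers: what proof-test interval a quoted PFD silently assumes, and how the band moves when the end user's T differs from the one used in the instrument FMEA. The λD and PFD figures are those quoted in real example no. 2 (slide 16); treating that λD as wholly undetected, and the 1.5E-08/h element used for the interval comparison, are constructed assumptions of this example.

```python
"""PFD_avg of a low-demand element and its dependence on the proof-test interval.

Added example, not from the slides.  Uses the simplified 1oo1 relation on
slide 25, PFD_avg = lambda_DU * T / 2, plus lambda_DD * MTTR for detected
dangerous failures.  SIL bands are IEC 61508-1 Table 2 (low demand mode).
The lambda_D and PFD values are those quoted on slide 16 (real example no. 2);
assuming lambda_D is entirely undetected is a constructed assumption.
"""

HOURS_PER_YEAR = 8760.0


def pfd_avg(lambda_du, proof_test_hours, lambda_dd=0.0, mttr_hours=0.0):
    """Simplified 1oo1 PFD_avg: lambda_DU*T/2 (undetected) + lambda_DD*MTTR (detected)."""
    if proof_test_hours <= 0:
        raise ValueError("proof-test interval must be positive")
    return lambda_du * proof_test_hours / 2.0 + lambda_dd * mttr_hours


def sil_band_low_demand(pfd):
    """IEC 61508-1 Table 2 band for PFD_avg; None if worse than SIL 1.

    SIL 4 is defined as 1e-5 <= PFD < 1e-4; values below 1e-5 lie outside the
    table and are returned as 4 here.
    """
    if pfd >= 1e-1:
        return None
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def implied_proof_test_interval(pfd, lambda_du):
    """Invert PFD_avg = lambda_DU*T/2 to recover the T (hours) a quoted PFD assumes."""
    if lambda_du <= 0:
        raise ValueError("lambda_DU must be positive")
    return 2.0 * pfd / lambda_du


def band_shift_on_interval_change(lambda_du, t_instrument_hours, t_user_hours):
    """(SIL band at the instrument FMEA's T, SIL band at the end user's T)."""
    return (sil_band_low_demand(pfd_avg(lambda_du, t_instrument_hours)),
            sil_band_low_demand(pfd_avg(lambda_du, t_user_hours)))


if __name__ == "__main__":
    # Slide 16, real example no. 2: lambda_D = 2.3e-10 /h with a quoted PFD of 2.0e-7
    t = implied_proof_test_interval(2.0e-7, 2.3e-10)
    print(f"quoted PFD implies a proof-test interval of {t:.0f} h "
          f"({t / HOURS_PER_YEAR:.2f} yr)")
    print(f"with an annual proof test PFD_avg = {pfd_avg(2.3e-10, HOURS_PER_YEAR):.2e}")
    # Constructed element: lambda_DU = 1.5e-8 /h, proof-tested yearly in the vendor
    # FMEA but only every two years by the end user.
    print("band at vendor T vs user T:",
          band_shift_on_interval_change(1.5e-8, HOURS_PER_YEAR, 2 * HOURS_PER_YEAR))
```

For the slide 16 figures the quoted PFD of 2.0E-07 corresponds to a proof-test interval of roughly 1,740 h, about 0.2 years; with an annual proof test the same λD gives about 1.0E-06. The constructed element shows the failure mode the slide is warning about: at the vendor's one-year interval it sits in the SIL 4 band, at the user's two-year interval it drops to the SIL 3 band, with no change to the instrument at all.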
Embedded software
- For devices that include software, expect to see an explicit statement of conformity in the certificate.
- SIL does not apply in the same way as for hardware (i.e., it is not a probabilistic rate).
- The certificate is a statement that the software has been developed according to a compliant process (IEC 61508-3, clause 7), using appropriate techniques and measures (IEC 61508-3, Annexes).
- The assessment should include justification for the development tool chain.
- If sufficient valid data is available (millions of operational hours), it is possible to use a statistical approach (IEC 61508-7, Annex D). (slide 26)
An example certification scheme: CASS (Conformity Assessment of Safety-related Systems)
- An open, transparent methodology and framework for assessment to IEC 61508 (and sector standards) by accredited certification bodies. Unique!
- Requirements are all in the public domain, so there are no hidden surprises.
- Originally a UK government funded initiative (year 2000), designed by industry for industry.
- Sira's UKAS accreditation requires the use of the CASS Scheme.
- CASS is a collective interpretation of IEC 61508 (etc.); this ensures the assessor's ego is kept in check! (About 60 companies contributed.) (slide 27)
Summary
Certificate:
- Contains all the information the reader/user requires (or else gives references).
- The scope is clear: hardware / systematic safety integrity / FS management.
- Any conditions or restrictions on use are stated.
Report:
- Structure and contents are largely governed by the scheme used (e.g., proprietary, CASS).
- Conformity to every relevant IEC 61508 clause can be traced (so it is auditable). (slide 28)