SIL of a Safety Fuzzy Logic Controller 1oo2 using Fault Tree Analysis (FTA) and Reliability Block Diagram (RBD)

Dr.-Ing. Mohammed Bsiss 1, Fatima Ezzahra Nadir 2, Prof. Amami Benaissa 3
1,2,3 Faculty of Science and Technology, 90 000 BP, Tanger, Morocco, Department of Computer Science, Systems and Telecommunications (LIST)

Keywords: Safety Fuzzy Logic Controller (SFLC), Safety Integrity Level (SIL), Mean Time To Failure (MTTF), Safe Failure Fraction (SFF), Reliability Block Diagram (RBD), Fault Tree Analysis (FTA), Average Probability of Dangerous Failure on Demand (PFDavg), Field Programmable Gate Array (FPGA).

Abstract: This paper investigates the modeling of hardware failures. The target of this modeling is to assess the average probability of dangerous failure on demand of a safety fuzzy logic controller [1] implemented in an FPGA. Two evaluation methods are applied. The first method of evaluation uses the reliability block diagram [2]; the second is based on fault tree analysis [2] and [3]. We demonstrate how to calculate the average probability of dangerous failure on demand and are consequently able to determine the safety integrity level [6] of the SFLC. The main parameters for determining this SIL are the rates of dangerous detected and undetected failures [4], the diagnostic coverage [5], the proof test interval and other parameters.

I. INTRODUCTION

The design and implementation of a safety fuzzy logic controller with a safety integrity level of SIL3 requires a qualitative and quantitative analysis of the components implemented in the field programmable gate array. Due to their usage in critical applications, SFLCs have a very stringent requirement on the average probability of failure on demand. This requirement is usually determined by industry standards, such as the safety integrity level (SIL) rankings defined in the IEC 61508 standard. The reliability block diagram and the fault tree analysis will be used to calculate the average probability of dangerous failure on demand PFDavg of the SFLC and therefore to determine which SIL ranking applies to the function of the SFLC.
The FPGA chip is, according to [7], of Type B. That means its behavior and failure modes are very complex. The first step of the qualitative analysis is to determine the value of the safe failure fraction [7], which allows us to evaluate the consequences of a dangerous failure. A failure is called safe if it does not put the SFLC in a dangerous state when a fault occurs. A dangerous failure puts the safety fuzzy logic controller in a potentially dangerous state and makes the system inoperative. The safe failure fraction is defined as the ratio of the average rate of safe failures λS plus dangerous detected failures λDD to the rate of safe plus dangerous detected and undetected failures λDU. The calculation is based on the architecture of the SFLC and on a functional analysis carried out by an FMEDA, Failure Modes Effects and Diagnostic Analysis.

@IJMTER-2015, All rights Reserved 383
International Journal of Modern Trends in Engineering and Research (IJMTER) Volume 02, Issue 08, [August 2015] ISSN (Online): 2349-9745; ISSN (Print): 2393-8161

$SFF = \frac{\lambda_S + \lambda_{DD}}{\lambda_S + \lambda_{DD} + \lambda_{DU}}$

Figure 1: An SFF of 99% means that 1% of the failures are dangerous and undetected

We obtained 99% for the value of SFF using the failure rates of Table 1. The SFLC must have, according to [7], a redundant architecture with a safety integrity level of SIL3.

Table 1: Failure rates of the SFLC
  λS (h-1)    λDD (h-1)    λDU (h-1)
  2,977e-9    9,93E-12     9,83E-07

In this sense, several methods for the analysis of failure modes have been developed. The possibilities are failure analysis by fault tree analysis [8], the reliability block diagram, and the Markov process [9] and [10]. These methods allow not only the calculation of the PFDavg but also the quantification of the system by determining its safety integrity level.

II. ARCHITECTURE OF SFLC

The SFLC consists of two Fuzzy Logic Controllers (FLC), each with a fuzzification process, a rule evaluation process and a defuzzification process, in a redundant 1-out-of-2 architecture. Figure 2 shows a basic model for a fuzzy logic controller.

Figure 2: Basic model for a fuzzy logic controller (Xilinx Spartan 3E FPGA board): fuzzification of the error Te and of its derivative dTe/dt, rule base R(1): maximum(minimum(μTe(1), μTe/dt(3)), minimum(...)), Mamdani (min-max) inference, defuzzification, diagnostics

In this kind of redundancy, the failure of one channel does not prevent the execution of the safety function. This architecture is in a dangerous state only when both FLCs have dangerous failures. The main advantage of this architecture is its low probability of failure on demand. Each FLC has diagnostic tests, and the results of both FLCs are checked by the comparison module (Figure 3). The safety function performed by the SFLC maintains a safe state of the system relative to specific hazardous failures. The safety function is therefore the power loss for the analog outputs (de-energize to trip) of the system in case of dangerous failures in the hardware. These failures can be interconnect faults, stuck-at faults, transition faults, a clock phase shift or a deviation between the values obtained from FLC1 and FLC2. Figure 3 shows a basic model for a safety fuzzy logic controller with a redundant architecture.

Figure 3: The Safety Fuzzy Logic Controller of 1oo2 architecture (Spartan 3E Starter Board: clock control deriving CLK_W1, CLK_W2, CLK_ADC, CLK_DAC, CLK_FLC1 and CLK_FLC2 from CLK_MASTER; watchdogs W1 and W2; A/D converter feeding AI0 and AI1 through 13-bit registers into FLC1 and FLC2; compare modules on the 12-bit registers Output_FLC1 and Output_FLC2; D/A converter driving AO0 to AO3)

III. SAFETY INTEGRITY LEVEL OF SFLC USING RBD AND FAULT TREE ANALYSIS

III.1 Reliability Block Diagram

The reliability block diagram is a graphical representation of the system. Each component is represented by a function block (Figure 4). All the elements come together to achieve the calculation of the average probability of dangerous failure on demand. We assume that the components have only two operating states (correct or faulty operation).

Figure 4: Decomposition of the SFLC into 5 functional blocks

The probability PFDavg [11] is calculated by summing the probabilities of failure of all the functional blocks of the SFLC. The formulas used to calculate PFDavg depend on the component architecture. The power supply module, the clock of the FPGA [12], the analog-digital converter [13] and the digital-analog converter have a simple 1oo1 architecture. PFDavg is then calculated as follows [11]:
$PFD_{avg} = (\lambda_{DU} + \lambda_{DD})\, t_{CE}$

The channel equivalent down time tCE is given by

$t_{CE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{2} + MTTR\right) + \frac{\lambda_{DD}}{\lambda_D}\, MTTR$

The mean down time tCE is calculated by adding the individual down times of both contributions, (T1/2 + MTTR) for undetected and (MTTR) for detected dangerous failures. On the other hand, the watchdog and fuzzy logic controller components have redundant 1oo2 structures. The calculation is then as follows:

$PFD_{avg} = 2\big((1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\big)^2\, t_{CE}\, t_{GE} + \beta_D \lambda_{DD}\, MTTR + \beta \lambda_{DU}\left(\frac{T_1}{2} + MTTR\right)$

The group equivalent down time tGE is given by

$t_{GE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{3} + MTTR\right) + \frac{\lambda_{DD}}{\lambda_D}\, MTTR$

$t_{CE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{2} + MTTR\right) + \frac{\lambda_{DD}}{\lambda_D}\, MTTR$

The probability PFDavg is calculated for different proof test intervals (T1 = 3 years, 5 years and 10 years) with a mean time to repair MTTR = 8 hours.

Table 2: Probability PFDavg [1/h] for different proof test intervals
  Proof test interval [year]   3          5          10
  PFDavg                       3.44E-04   5.73E-04   1.15E-03

For a three-year mission time the value of the average probability of failure is 3.44 × 10^-04, which is significantly smaller than the value calculated for a ten-year mission time, 1.15 × 10^-03. The safety integrity level of the SFLC drops from SIL 3 to SIL 2 if the proof test interval is 10 years.

III.2 Fault Tree Analysis

The basic events typically represent component failures or other hazards or events that can contribute to the TOP event hazard. If the failure rates of the basic events are known, Boolean algebra and probability laws can be applied to calculate an average probability of dangerous failure for the TOP event. In this way, fault tree analysis is also quantitative. The FTA of the SFLC, described in Figure 5, consists of two watchdog modules W1 and W2, two fuzzy logic controllers FLC1 and FLC2, a supply voltage, an ADC converter, a DAC converter and an FPGA. Since the failure of any one of these subsystems will cause a dangerous failure of the SFLC, the basic template has an OR gate as the TOP gate, with each of those six subsystems as inputs, as in Figure 5.
Figure 5: Fault tree analysis of the SFLC: the TOP event "Dangerous Failure" is an OR (>=1) gate over Supply Voltage, ADC converter, FPGA clock, DAC converter and two AND (&) gates, FLC1 & FLC2 and W1 & W2

The analysis by fault tree is performed in two phases: a qualitative one, which determines the logical function of the system in terms of all its minimal failure combinations (Figure 5), and a quantitative one, which calculates the probability of occurrence of the adverse event, PFDavg. For a 1-out-of-1 (1oo1) architecture, the average probability of dangerous failure is expressed by the following formula according to [8]:

$PFD_{avg} = (\lambda_{DU} + \lambda_{DD})\, t_{CE}$

For a 1-out-of-2 (1oo2) architecture, the average probability of dangerous failure is expressed by the following formula according to [8]:

$PFD_{avg} = 2\big((1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\big)^2\, t_{CE}\, t_{GE} + \beta_D \lambda_{DD}\, MTTR + \beta \lambda_{DU}\left(\frac{T_1}{2} + MTTR\right)$

Common mode failure refers to a simultaneous failure that can appear in both FLCs. Common-mode failures are generally represented by a beta factor β, whose value generally lies between 0.5% and 5%. With a beta factor β = 2%, with βD representing the proportion of common cause failures detected by the diagnostics (related to the diagnostic coverage DC), and with the failure rates of each component, the probability of failure on demand by fault tree is calculated from the formulas above and defined as follows:
$PFD_{avg}(SIF) = PFD_{avg}(Supply) + PFD_{avg}(ADC) + PFD_{avg}(DAC) + PFD_{avg}(CLK\_FPGA) + PFD_{avg}(W1, W2) + PFD_{avg}(FLC1, FLC2)$

where the supply, ADC, DAC and FPGA clock terms are the 1oo1 expression and the watchdog pair and FLC pair terms are the 1oo2 expression with β and βD.

The probability PFDavg is calculated by combining the average probabilities of dangerous failure on demand of all the elements ensuring the entire safety function. The calculation of PFDavg uses the numerical values of the characteristic parameters of the components, such as the failure rates, the diagnostic coverage DC and the common cause failure factor. PFDavg is given for different proof test intervals (T1 = 3 years, 5 years and 10 years) with a mean time to repair MTTR = 8 hours.

Table 3: Probability PFDavg [1/h] for different proof test intervals
  Proof test interval [year]   3         5         10
  PFDavg                       7.17E-4   1.19E-4   2.39E-3

For a three-year mission time the value of the average probability of failure is 7.17 × 10^-04, which is significantly smaller than the value calculated for a ten-year mission time, 2.39 × 10^-03. The safety integrity level of the SFLC drops from SIL 3 to SIL 2 if the proof test interval is 10 years.

IV. CONCLUSIONS

Both approaches use Boolean techniques to represent the logic function linking the failures of individual components to the overall system failure. We observe that the reliability block diagram method models the system as a diagram of blocks and gives a system architecture view. In contrast, the fault tree method requires, in addition to the functional analysis, the determination of the dangerous failures and of the events that may be associated with them and cause the loss of the safety function. The results of both methods are almost similar if we consider that the β factor and the coverage DC are accurate.
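The 1oo1 and 1oo2 formulas used in sections III.1 and III.2, carried through to the SIL band, as an added example that is not the paper's own code. The per-component failure rates, the hypothetical names and the βD = 1% value are constructed assumptions (the paper only gives the aggregated rates of Table 1 and β = 2%), so the numbers it produces are illustrative, not the paper's results.

```python
# Added example, not the paper's code: the IEC 61508-6 low-demand PFDavg formulas
# used in sections III.1 and III.2 for the 1oo1 parts and 1oo2 pairs of the SFLC.
from typing import NamedTuple
HOURS_PER_YEAR = 8760.0

class Channel(NamedTuple):
    lam_du: float       # dangerous undetected failure rate (1/h)
    lam_dd: float       # dangerous detected failure rate (1/h)
    lam_s: float = 0.0  # safe failure rate (1/h), only used for the SFF

def sff(ch: Channel) -> float:
    """Safe failure fraction: share of all failures that are safe or detected."""
    return (ch.lam_s + ch.lam_dd) / (ch.lam_s + ch.lam_dd + ch.lam_du)

def t_eq(ch: Channel, t1: float, mttr: float, k: int) -> float:
    """Equivalent mean down time: an undetected fault waits on average T1/k for the
    proof test (k=2 gives tCE, k=3 gives tGE of a 1oo2 group), a detected one MTTR."""
    lam_d = ch.lam_du + ch.lam_dd
    return ch.lam_du / lam_d * (t1 / k + mttr) + ch.lam_dd / lam_d * mttr

def pfd_1oo1(ch: Channel, t1: float, mttr: float) -> float:
    return (ch.lam_du + ch.lam_dd) * t_eq(ch, t1, mttr, 2)

def pfd_1oo2(ch: Channel, t1: float, mttr: float, beta: float, beta_d: float) -> float:
    """Two identical channels; beta / beta_d are the common-cause fractions of
    undetected / detected dangerous failures."""
    independent = (2 * ((1 - beta_d) * ch.lam_dd + (1 - beta) * ch.lam_du) ** 2
                   * t_eq(ch, t1, mttr, 2) * t_eq(ch, t1, mttr, 3))
    common_cause = beta_d * ch.lam_dd * mttr + beta * ch.lam_du * (t1 / 2 + mttr)
    return independent + common_cause

def sil_low_demand(pfd: float) -> int:
    # IEC 61508 low-demand bands: SIL 3 is 1e-4 <= PFDavg < 1e-3, SIL 2 is 1e-3 <= PFDavg < 1e-2.
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

# Constructed per-component rates: the paper only gives the aggregated table 1.
SIMPLEX = {"supply": Channel(1e-8, 1e-7), "adc": Channel(5e-9, 5e-8),
           "dac": Channel(5e-9, 5e-8), "clk_fpga": Channel(2e-9, 2e-8)}
REDUNDANT = {"flc": Channel(5e-8, 5e-7), "watchdog": Channel(2e-8, 2e-7)}

def sflc_pfd(t1_years: float, mttr: float = 8.0, beta: float = 0.02, beta_d: float = 0.01) -> float:
    # Top OR gate of figure 5: any subsystem failing dangerously fails the SIF, so the
    # rare-event PFDavg is the sum over the four 1oo1 parts and the two 1oo2 pairs.
    t1 = t1_years * HOURS_PER_YEAR
    return (sum(pfd_1oo1(c, t1, mttr) for c in SIMPLEX.values())
            + sum(pfd_1oo2(c, t1, mttr, beta, beta_d) for c in REDUNDANT.values()))
```

With these constructed rates the SIF sits in SIL 3 at T1 = 3 years and falls to SIL 2 at T1 = 10 years, reproducing the qualitative effect of the proof test interval that Tables 2 and 3 show.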
The PFDavg value resulting from the FT analysis is 7.17 × 10^-03 for a proof test interval T1 = 3 years, which is much smaller than for a mission time T1 = 10 years with a value of 2.39 × 10^-02, giving a variation of the safety integrity level of the studied SIF from SIL 3 to SIL 2 within a 5-year mission time instead of the 10 years obtained by the reliability block diagram method.

REFERENCES

[1] M. Bsiss, I. H. Baraka, A. Benaissa, "Quantified Safety Analysis for Safety Fuzzy Logic Controller 1oo2 Reliability Block Diagrams," IEEE International Conference on Control Systems, Computing and Engineering, 23-25 Nov. 2012, Penang, Malaysia.
[2] IEC, "61508-6:2010 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES)," ed. 2.0, pp. 166-168.
[3] W. M. Goble, "Control Systems Safety Evaluation and Reliability," Research Triangle Park, NC 27709, International Society of Automation, 3rd Edition 2010, pp. 103-116.
[4] IEC, "61508-6:2010 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES)," ed. 2.0, p. 193, Annex C.
[5] IEC, "61508-4:2010 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES)," ed. 2.0, p. 43.
[6] IEC, "61508-2:2010 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES)," ed. 2.0, p. 34, table 3.
[7] IEC, "61508-2:2010 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES)," ed. 2.0, p. 7, table 3.
[8] ISA TR84.0.02, "Safety Instrumented Systems, Safety Integrity Level, Evaluation Techniques. Part 1: Introduction," version 4, North Carolina, 1997.
[9] Guo, H. and Yang, X. (2008). Automatic creation of Markov models for reliability assessment of safety instrumented systems. Reliability Engineering and System Safety, 93:807-815.
[10] IEC, "61508-6:2010 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES)," ed. 2.0, pp. 57-68.
[11] IEC, "61508-6:2010 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES)," ed. 2.0, pp. 143-144.
[12] XILINX, "Spartan-3E FPGA Starter Kit Board User Guide," UG230, XILINX, January 20, 2011.
[13] Linear Technology Limited, Datasheet of the LTC2604 family, LT.