© 1999 – 2006 Fieldbus Foundation 1
Dr Hassan El-Sayed
Functional Safety Certification Manager
Sira Test & Certification (a CSA company)
Functional Safety Department
Tel: 00441244670900
Multaqa 12th Dec. 2011, Abu Dhabi
Slide 2
Part 1: Definition of terms
- Reliability: $R(t) = e^{-\lambda t}$
- Availability: $A = \dfrac{\text{Mean up time}}{\text{Mean up time} + \text{Mean down time}} = \dfrac{\text{MTBF}}{\text{MTBF} + \text{MDT}}$
Slide 3
Applied MTBF calculation: both power conditioners active
[Diagram: H1 segment with 24 V supply, terminators T1 and T2 and a device coupler]
$\text{MTBF}_{sys} = \dfrac{1}{(\lambda_1 a + \lambda_2 b)\,\lambda_1\,\text{MDT}}$
$\text{MTBF}_{sys} = \dfrac{1}{\lambda_1^2\,\text{MDT}}$
$\text{UA}_{sys} = \dfrac{\lambda^2\,\text{MDT} \cdot \text{MDT}}{2}$
$A_{sys} = 1 - 0.5\,\lambda^2\,\text{MDT}^2$
Slide 4
Applied MTBF calculation: primary active, secondary warm
[Diagram: H1 segment with 24 V supply, terminators T1 and T2 and a device coupler]
$\text{MTBF}_{sys} = \dfrac{1}{(\lambda_1 a + \lambda_2 b)\,\lambda_1\,\text{MDT}}$
$\text{MTBF}_{sys} = \dfrac{1}{1.1\,\lambda_1^2\,\text{MDT}}$
$\text{UA}_{sys} = \dfrac{1.1\,\lambda^2\,\text{MDT} \cdot \text{MDT}}{2}$
$A_{sys} = 1 - \dfrac{1.1\,\lambda^2\,\text{MDT} \cdot \text{MDT}}{2}$
Slide 5
Applied MTBF calculation: primary active, secondary cold
[Diagram: H1 segment with 24 V supply, terminators T1 and T2 and a device coupler]
$\text{MTBF}_{sys} = \dfrac{1}{\lambda_1\,\lambda_1\,\text{MDT}}$
$\text{MTBF}_{sys} = \dfrac{1}{\lambda_1^2\,\text{MDT}}$
$\text{UA}_{sys} = \dfrac{\lambda^2\,\text{MDT} \cdot \text{MDT}}{2}$
$A_{sys} = 1 - \dfrac{\lambda^2\,\text{MDT} \cdot \text{MDT}}{2}$
Slide 6
Applied MTBF calculation: both power conditioners active
[Diagram: H1 segment with 24 V supply, terminators T1 and T2 and a device coupler, annotated with the figures below]
Without field cable and device coupler:
- Power conditioner: 54 yrs, λ = 2.11E-06
- Redundant pair with backplane: 360 yrs, λ = 3.17E-07; CCF = 1.06E-07
- Backplane = 2.11E-07; λT = 3.17E-07
- Unavailability = 80 sec/year
With field cable and device coupler:
- Cable = 1.5E-06
- Device coupler (50 yrs, 4 spurs) = 2.28E-06
- λT = 4.1E-06; MTBF = 28 yrs
- Unavailability = 17 min/year
MTBF figures of components are extracted from articles 1 & 2, published in Measurement and Control Vol 44/3, April 2011. www.instmc.org.uk
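To make the slide 3 to 6 formulas concrete, here is an added Python example (not from the deck or the Fieldbus Foundation) that reproduces the slide 6 figures from the component rates. It assumes MDT = 8 hours, which the slides do not state but which reproduces the tabulated λ²·MDT = 3.58E-11 and the 80 sec/year figure, and it models warm standby with the 1.1 factor from slide 4.

```python
"""Redundant power-conditioner MTBF and availability from the slide 3 to 6 formulas.
Added example, not from the deck. Assumption: MDT = 8 h (not on the slides; it
reproduces Table 1's lambda^2 * MDT = 3.58E-11 and the 80 sec/year figure)."""
HOURS_PER_YEAR = 8760

# Component failure rates per hour as given on slide 6.
LAMBDA_PC = 2.11e-6        # one power conditioner (about 54 yrs MTBF)
LAMBDA_BACKPLANE = 2.11e-7
LAMBDA_CABLE = 1.50e-6
LAMBDA_COUPLER = 2.28e-6   # device coupler, 4 spurs (about 50 yrs MTBF)
CCF_FRACTION = 0.05        # common cause taken as 5 % of one conditioner's rate
STANDBY_FACTOR = {"active": 1.0, "warm": 1.1, "cold": 1.0}   # slides 3, 4, 5


def redundant_pc_rate(lam, mdt, standby="active"):
    """Failure rate of the conditioner pair: lambda^2 * MDT (x1.1 warm) plus CCF."""
    pair = STANDBY_FACTOR[standby] * lam * lam * mdt
    return pair + CCF_FRACTION * lam


def segment(mdt=8.0, standby="active", cable=False, coupler=False):
    """Series sum of the segment elements; returns rate, MTBF and downtime figures."""
    rate = redundant_pc_rate(LAMBDA_PC, mdt, standby) + LAMBDA_BACKPLANE
    if cable:
        rate += LAMBDA_CABLE
    if coupler:
        rate += LAMBDA_COUPLER
    mtbf_hours = 1.0 / rate
    # A = MTBF / (MTBF + MDT); the unavailability is then MDT / (MTBF + MDT).
    unavailability = mdt / (mtbf_hours + mdt)
    return {
        "rate": rate,
        "mtbf_years": mtbf_hours / HOURS_PER_YEAR,
        "availability": 1.0 - unavailability,
        "downtime_sec_per_year": unavailability * HOURS_PER_YEAR * 3600,
    }


if __name__ == "__main__":
    for cable, coupler in ((False, False), (True, False), (True, True)):
        r = segment(cable=cable, coupler=coupler)
        print(f"cable={cable!s:5} coupler={coupler!s:5} rate={r['rate']:.2e}/h "
              f"MTBF={r['mtbf_years']:.0f} yrs downtime={r['downtime_sec_per_year']:.0f} s/yr")
```

The three runs land on the 360 yrs / 80 s, 63 yrs / 7.6 min and 28 yrs / 17 min figures quoted on slides 6 and 12, which is the check that the 8 h MDT assumption is the one behind the tables.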
Slide 7
Single fault tolerant: both conditioners active
[Diagram: H1 segment with redundant trunks, terminators T1 and T2 and a device coupler, annotated with the figures below]
Without device coupler:
- Power conditioner: 54 yrs, λ = 2.11E-06
- Backplane = 2.11E-07
- Cable = 1.50E-06
- CCF = 1.86E-07
- λT = 1.86E-07; MTBF = 613
- Unavailability = 0 sec/year
With device coupler:
- Power conditioner: 54 yrs, λ = 2.11E-06
- Backplane = 2.11E-07
- Cable = 1.50E-06
- CCF = 1.86E-07
- Device coupler = 2.28E-06
- λT = 2.47E-06; MTBF = 46
- Unavailability = 10 min/year
Slide 8
FF power hub FMEA summary
Table 1: Single segment, redundant F.PC, no field cable and no device coupler; MTBF of F.PC = 54 yrs. See references in slide 6.
Power Cond. Single | Power Cond. Redundant | Common Cause 5% | Backplane | System Failure Rate | System MTBF (hrs) | System MTBF (yrs) | Availability | Unavailability | Redundant Repairable
2.11E-06 | 3.58E-11 | 1.06E-07 | 2.11E-07 | 3.17E-07 | 3153244.48 | 359.96 | 0.999997463 | 0.00000254 | Active share
2.11E-06 | 3.93E-11 | 1.06E-07 | 2.11E-07 | 3.17E-07 | 3153208.94 | 359.96 | 0.999997463 | 0.00000254 | Warm Standby
2.11E-06 | 3.58E-11 | 1.06E-07 | 2.11E-07 | 3.17E-07 | 3153244.48 | 359.96 | 0.999997463 | 0.00000254 | Cold Standby
Unavailability = 80 seconds / year
Slide 9
FF power hub FMEA summary
Table 2: Single segment, redundant F.PC, including field cable and device coupler; MTBF of F.PC = 54 yrs. See references in slide 6.
Power Cond. Single | Power Cond. Redundant | Common Cause 5% | Backplane | Field Cable | Device Coupler | System Failure Rate | System MTBF (hrs) | System MTBF (yrs) | Availability | Unavailability | Redundant Repairable
2.11E-06 | 3.58E-11 | 1.06E-07 | 2.11E-07 | 1.50E-06 | 2.28E-06 | 4.10E-06 | 243888.24 | 27.84 | 0.999967199 | 0.000033 | Active share
2.11E-06 | 3.93E-11 | 1.06E-07 | 2.11E-07 | 1.50E-06 | 2.28E-06 | 4.10E-06 | 243888.03 | 27.84 | 0.999967199 | 0.000033 | Warm Standby
2.11E-06 | 3.58E-11 | 1.06E-07 | 2.11E-07 | 1.50E-06 | 2.28E-06 | 4.10E-06 | 243888.24 | 27.84 | 0.999967199 | 0.000033 | Cold Standby
Unavailability = 17 minutes / year
Slide 10
FF fault tolerant FMEA summary
Table 3: Redundant segments, single F.PC per trunk, excluding device coupler; MTBF of F.PC = 54 yrs. See references in slide 6.
Power Cond. Single | Backplane | Field Cable | Single Segment | Redundant Segment | Common Cause 5% | System Failure Rate | System MTBF (hrs) | System MTBF (yrs) | Availability | Unavailability | Redundant Repairable
2.11E-06 | 2.11E-07 | 1.50E-06 | 3.83E-06 | 1.17E-10 | 1.91E-07 | 1.91386E-07 | 5225034.23 | 596.47 | 0.9999999999999 | 0.0000000000001 | Active share
2.11E-06 | 2.11E-07 | 1.50E-06 | 3.83E-06 | 1.29E-10 | 1.91E-07 | 1.91398E-07 | 5224714.65 | 596.43 | 0.9999999999999 | 0.0000000000001 | Warm Standby
2.11E-06 | 2.11E-07 | 1.50E-06 | 3.83E-06 | 1.17E-10 | 1.91E-07 | 1.91386E-07 | 5225034.23 | 596.47 | 0.9999999999999 | 0.0000000000001 | Cold Standby
Unavailability = 0 sec. / year
Slide 11
FF fault tolerant FMEA summary
Table 4: Redundant segments, single F.PC per trunk, including device coupler; MTBF of F.PC = 54 yrs. See references in slide 6.
Power Cond. Single | Backplane | Field Cable | Single Segment | Redundant Segment | Common Cause 5% | Single Seg. Redundant | Device Coupler | System Failure Rate | System MTBF (hrs) | System MTBF (yrs) | Availability | Unavailability
2.11E-06 | 2.11E-07 | 1.50E-06 | 3.83E-06 | 1.17E-10 | 1.91E-07 | 1.91E-07 | 2.28E-06 | 2.47449E-06 | 404123.46 | 46.13 | 0.999980204 | 0.00001980
2.11E-06 | 2.11E-07 | 1.50E-06 | 3.83E-06 | 1.29E-10 | 1.91E-07 | 1.91E-07 | 2.28E-06 | 2.4745E-06 | 404121.55 | 46.13 | 0.999980204 | 0.00001980
2.11E-06 | 2.11E-07 | 1.50E-06 | 3.83E-06 | 1.17E-10 | 1.91E-07 | 1.91E-07 | 2.28E-06 | 2.47449E-06 | 404123.46 | 46.13 | 0.999980204 | 0.00001980
Unavailability = 10 minutes / year
Slide 12
FF FMEA summary
Table 5: Summary of the MTBF and availability of a single segment with F.PC, and of a fault tolerant redundant segment. See references in slide 6.
Redundant Configuration | MTBF (yrs) Field cable out | MTBF (yrs) Field cable in | MTBF (yrs) Coupler in | Unavailability Cable out | Unavailability Cable in | Unavailability Coupler in | Unavailability Replaceable spur
R. Power Cond. Single Segment | 359.96 | 63.00 | 27.84 | 80 sec. | 7.6 min | 17 min | 10 min
Fault Tolerance | 54.00 | 596.47 | 46.13 | 9 min. | 0 sec. | 10 min | 3 min
Note: The replaceable spur approach has no disturbance to the rest of the segment.
Slide 13
Summary
The fieldbus power conditioner (PC) must have a high MTBF; this can be achieved with an individual power conditioner, in order to achieve very high availability.
The device coupler must have a high MTBF. This can be achieved by:
1- Duplicating common-cause single-fault circuits.
2- Independent single spur modules.
For critical applications in FF-SIF where safety depends on availability, a complete fault tolerant topology taking into account the points above for high availability is highly recommended.
Slide 14
Part 2: Understanding FF-SIF 'SIL' Certification
Slide 15
Role of certification?
An independent Functional Safety Assessment (FSA) is required for all overall, E/E/PES and software lifecycle phases (IEC 61508-1, 7).
Certification = FSA (with a specified scope)
Particularly relevant for mass-produced instruments
Certificates should be trusted documents (contents/process used)
Is it saying "functional safety has been achieved" (for a specified scope)? No
Is it saying "compliance with the standard" (for a specified scope)? Yes
Who is the certificate primarily intended for: the supplier, purchaser, user?
A technical document (the certificate holder may have a marketing motive)
Slide 16
Real example no. 1
In accordance with 7.4.4.3 (m) the highest Safety Integrity Level (SIL) that can be claimed for a safety function using this sub-system in a single channel is SIL 3.
Real example no. 2
Certificate: Solenoid Valve "Achieves SIL4" per IEC 61508
λD = 2.3 × 10^-10 per hour; PFD = 2.0 × 10^-7
MTTF (dangerous) = 500,000 yrs; MTBF (total) = 5,000 yrs
Is this information good enough to select a product for SIL 4 capability?
Slide 17
Real example no. 3
IEC 61511-1 scope
Type B
Slide 18
Real example no. 4
SIL 1 (marked wrong)
$\text{SFF} = \dfrac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{SU} + \lambda_{DD}}$ (marked wrong)
Slide 19
Applying 'SIL' to a device
The SIL-capability of an instrument is certainly an important parameter, but:
- there are dangers in putting a SIL <no.> as a "headline" on the certificate
- once a SIL is stated, there is a tendency to ignore the rest of the certificate
Remember, the SIL is a parameter of the safety function performed by a SIS (sensor to final element), not of the individual elements.
So, what should be certified on an instrument?
Slide 20
Scope of certification
In order to engineer a safety function, what does the system designer need to know about the constituent elements?
- Is the failure data defined for the instrument, for the mode in which the system designer intends to use the instrument?
- Has the instrument been developed with an appropriate degree of rigour in relation to its use in safety functions? I.e., in order to decide an instrument's SIL capability, we need to know certain details about its:
  - hardware safety integrity (numerical failure data / HFT / SFF / type)
  - systematic safety integrity (define the compliance route, e.g. Route 1S, 2S, 3S)
Both have to be achieved (at the specified SIL) for the device to be "capable".
Slide 21
What does 'safe' and 'dangerous' mean?
The terms "safe failure", "dangerous failure" and hence the "safe failure fraction" for an instrument are only relevant with respect to the specific application safety mode.
For example, if λTO OPEN = 50 FITs and λTO CLOSE = 500 FITs, then the SFF is either 50/(50+500) = 9% or 500/(50+500) = 91%, depending on which failure mode is applicable.
Don't reject a certificate for an instrument where the specific safety context is not defined and hence no SFF is given; this might be totally appropriate!
Slide 22
FMEA product data: 'open mode'
Slide 23
FMEA product data: 'close mode'
Slide 24
Hardware fault tolerance (HFT)
Where devices have internal HFT, is the certificate clear about the following?
- The product condition under a fault in one channel should be detected and reported
- MDT should be stated (and must not be exceeded) for the failure data to be valid
- The proof test method needs to exercise each channel independently
- Some certificates use HFT = 0(1), meaning it is reduced to 0 due to prior use. Check that???
- Lack of independence between channels should be accounted for (β-factor)
Slide 25
Probability of Failure on Demand (PFD)
If a PFD is quoted for an instrument, remember this is actually a SIF parameter and is also governed by the proof test. The simplified equation is:
$\text{PFD}_{AVG} = \lambda_{DU} \cdot T / 2$ (T = proof test interval)
[Plot: PFD against time, with proof test interval T]
Is 'T' used in the instrument FMEA the same as that used by the end-user?
The same is true for 'MTTR' (mean time to repair, for λDD failures).
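A worked example added here (not from the deck or from Sira) that puts the slide 21 and slide 25 points side by side: the SFF for the 50 FIT / 500 FIT valve figures under each application safety mode, then the simplified PFDavg for several proof test intervals. It assumes which failure mode counts as dangerous in each mode, that dangerous failures are undetected unless a diagnostic coverage is supplied, and the IEC 61508 low-demand PFDavg bands for the band lookup; the VALVE and DANGEROUS_IN tables are constructed.

```python
"""SFF by application safety mode (slide 21) and simplified PFDavg (slide 25).
Added example, not from the slides. Assumptions: in 'open' mode a fail-to-open is
the dangerous failure, in 'close' mode a fail-to-close is; dangerous failures are
undetected unless a diagnostic coverage is given; SIL bands are the IEC 61508
low-demand PFDavg ranges (and apply to the whole SIF, not to one element)."""
FIT = 1e-9               # one failure per 1e9 hours
HOURS_PER_YEAR = 8760

# Per-failure-mode rates built from the slide's 50 FIT / 500 FIT example (constructed).
VALVE = {"fails_to_open": 50 * FIT, "fails_to_close": 500 * FIT}

# Which failure modes are dangerous in each application safety mode (assumption).
DANGEROUS_IN = {"open": {"fails_to_open"}, "close": {"fails_to_close"}}


def split_rates(modes, safety_mode):
    """Return (lambda_S, lambda_D) for the chosen application safety mode."""
    dangerous = DANGEROUS_IN[safety_mode]
    lam_d = sum(r for m, r in modes.items() if m in dangerous)
    lam_s = sum(r for m, r in modes.items() if m not in dangerous)
    return lam_s, lam_d


def sff(modes, safety_mode, diag_coverage=0.0):
    """SFF = (S + DD) / (S + DD + DU); diag_coverage splits D into DD and DU."""
    lam_s, lam_d = split_rates(modes, safety_mode)
    lam_dd = lam_d * diag_coverage
    lam_du = lam_d - lam_dd
    return (lam_s + lam_dd) / (lam_s + lam_dd + lam_du)


def pfd_avg(lam_du, proof_test_hours):
    """Slide 25 simplified form: PFDavg = lambda_DU * T / 2."""
    return lam_du * proof_test_hours / 2


def sil_band(pfd):
    """IEC 61508 low-demand band the PFDavg falls in, or None if outside SIL 1 to 4."""
    if pfd < 1e-5 or pfd >= 1e-1:
        return None
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-5)):
        if pfd >= lower:
            return sil


def proof_test_sensitivity(modes, safety_mode, years=(1, 3, 10)):
    """PFDavg and band per proof test interval: the FMEA's T versus the end-user's T."""
    _, lam_du = split_rates(modes, safety_mode)
    return {y: (pfd_avg(lam_du, y * HOURS_PER_YEAR),
                sil_band(pfd_avg(lam_du, y * HOURS_PER_YEAR))) for y in years}
```

Running `sff(VALVE, "open")` and `sff(VALVE, "close")` gives the slide's 91% and 9%, and `proof_test_sensitivity(VALVE, "close")` shows the same λDU moving from one band to another purely because T changed.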
Slide 26
Embedded software
For devices that include software, expect to see an explicit statement of conformity in the certificate.
SIL does not apply in the same way as for hardware (i.e., not a probabilistic rate).
The certificate is a statement that the software has been developed:
- according to a compliant process (IEC 61508-3, clause 7)
- using appropriate techniques and measures (IEC 61508-3, Annexes)
The assessment should include justification for the development tool chain.
If sufficient valid data is available (millions of operational hours) it is possible to use a statistical approach (IEC 61508-7, Annex D).
Slide 27
An example certification scheme
"Conformity Assessment of Safety-related Systems" (CASS)
- Open/transparent methodology and framework for assessment to IEC 61508 (and sector standards) by accredited certification bodies. Unique!
- Requirements are all in the public domain so there are no hidden surprises
- Originally a UK government funded initiative (year 2000), designed by industry for industry
- Sira's UKAS accreditation requires the use of the CASS Scheme
- CASS is a collective interpretation of IEC 61508 (etc.); this ensures the assessor's ego is kept in check! (About 60 companies contributed)
Slide 28
Summary
Certificate:
- Contains all information the reader/user requires (or else gives references)
- Scope is clear: hardware / systematic safety integrity / FS management
- Any conditions/restrictions in use
Report:
- Structure and contents largely governed by the scheme used (e.g., proprietary, CASS)
- Conformity to every relevant 61508 clause can be traced (so it is auditable)