mean down time mtbf mtbf + mdt - · pdf filefieldbus pc must have high mtbf, this can be...

© 1999 – 2006 Fieldbus Foundation 1

Dr Hassan El-Sayed

Functional Safety Certification Manager

Sira Test & Certification ( a CSA „s company)

Functional Safety Department

[email protected]

Tel: 00441244670900

Multaqa 12th Dec. 2011, Abu Dhabi

mailto:[email protected]




Part -1

Definition of terms

- Definition of Reliability

R (t) = e –λt

Availability (A) = Mean up time

Mean up time + Mean down time

- Availability

Availability (A) = MTBF

MTBF + MDT

)1()( tetR


MTBFsys = ( λ1a+ λ2b) λ1 MDT

1

MTBFsys = λ12 MDT

1

UAsys = λ2 MDT * MDT

2

Asys = 1- 0.5 λ2 MDT2

H1

T1 Device coupler T2

24V

Applied MTBF calculation

Both P. conditioners active


MTBFsys = (λ1a + λ2b) λ1 MDT

1

MTBFsys = 1.1 λ12 MDT

1

UAsys = 1.1 λ2 MDT * MDT

2

Asys = 1 - 1.1 λ2 MDT * MDT

2

H1


24V


Primary active, 2ndry warm


MTBFsys = λ1 λ1 MDT

1

MTBFsys = λ12 MDT

1

UAsys = λ2 MDT * MDT

2

Asys = 1 - λ2 MDT * MDT

2

H1


24V


Primary active, 2ndry cold


H1


24V

54 yrs, λ=2.11E-06

360 yrs, λ=3.17E-07; CCF=1.06E-07

Bkplane = 2.11E-07 ;λT = 3.17E-07

Unavailability = 80 sec/year

Cable = 1.5E-06;

DVC cplr (50 yrs (4 spurs)) = 2.28E-06

λT = 4.1E-06 ; MTBF = 28 yrs

Unavailability = 17 min/year


Both P. conditioners active

MTBF figures of components are extracted

from articles 1&2, published in Measurement

and Control Vol 44/3 April 2011.

www.instmc.org.uk


H1

T1 T2

Device coupler

54 yrs, λ=2.11E-06

Bkplane = 2.11E-07

Cable = 1.50E-06

CCF=1.86E-07

λT = 1.86E-07; MTBF= 613

Unavailability = 0 sec/year

54 yrs, λ=2.11E-06

Bkplane = 2.11E-07

Cable = 1.50E-06

CCF=1.86E-07

Dvc cplr = 2.28E-06

λT = 2.47E-06; MTBF= 46

Unavailability = 10 min/year

Single fault tolerant -both

conditioners active


Table 1: Single Segment, Redundant

F.PC, no field cable and no device

coupler, MTBF of F.PC = 54 yrs. See

references in slide 6

Power Cond. Single

Power Cond. Redundant

Common Cause 5%

Backplane System Failure

Rate

2.11E-06 3.58E-11 1.06E-07 2.11E-07 3.17E-07

2.11E-06 3.93E-11 1.06E-07 2.11E-07 3.17E-07

2.11E-06 3.58E-11 1.06E-07 2.11E-07 3.17E-07

System MTBF (hrs)

System MTBF (yrs)

Availability Un availability Redundant Repairable

3153244.48 359.96 0.999997463 0.00000254 Active share

3153208.94 359.96 0.999997463 0.00000254 Warm Standby

3153244.48 359.96 0.999997463 0.00000254 Cold Standby

Unavailability = 80 seconds / year

FF power hub FMEA

summary


Table 2: Single Segment, Redundant

F.PC, including field cable and device

coupler , MTBF of F.PC = 54 yrs. See


Power Cond. Single

Power Cond. Redundant

Common Cause 5%

Backplane Field Cable

Device Coupler

System Failure Rate

2.11E-06 3.58E-11 1.06E-07 2.11E-07 1.50E-06 2.28E-06 4.10E-06

2.11E-06 3.93E-11 1.06E-07 2.11E-07 1.50E-06 2.28E-06 4.10E-06

2.11E-06 3.58E-11 1.06E-07 2.11E-07 1.50E-06 2.28E-06 4.10E-06

System MTBF (hrs)

System MTBF (yrs)


243888.24 27.84 0.999967199 0.000033 Active share

243888.03 27.84 0.999967199 0.000033 Warm Standby

243888.24 27.84 0.999967199 0.000033 Cold Standby

Unavailability = 17minutes / year

FF power hub FMEA

summary


Table 3: Redundant Segments, Single

F.PC per trunk, Excluding Device

Coupler ; MTBF of F.PC = 54 yrs. See


Unavailability = 0 Sec. / year

Power Cond. Single

Backplane Field Cable Single

Segment Redudant segment

Common Cause 5%

System Failure Rate

2.11E-06 2.11E-07 1.50E-06 3.83E-06 1.17E-10 1.91E-07 1.91386E-07

2.11E-06 2.11E-07 1.50E-06 3.83E-06 1.29E-10 1.91E-07 1.91398E-07

2.11E-06 2.11E-07 1.50E-06 3.83E-06 1.17E-10 1.91E-07 1.91386E-07

System MTBF (hrs)

System MTBF (yrs)


5225034.23 596.47 0.9999999999999 0.0000000000001 Active share

5224714.65 596.43 0.9999999999999 0.0000000000001 Warm Standby

5225034.23 596.47 0.9999999999999 0.0000000000001 Cold Standby

FF Fault tolerant FMEA

summary


Table 4: Redundant Segments, Single

F.PC per trunk, including Device Coupler

MTBF of F.PC = 54 yrs. See references in

slide 6

Unavailability = 10 minutes / year

Power Cond. Single

Backplane Field Cable

Single Segment

Redudant segment

Common Cause 5%

single seg. Redundant

Device Coupler

2.11E-06 2.11E-07 1.50E-06 3.83E-06 1.17E-10 1.91E-07 1.91E-07 2.28E-06

2.11E-06 2.11E-07 1.50E-06 3.83E-06 1.29E-10 1.91E-07 1.91E-07 2.28E-06

2.11E-06 2.11E-07 1.50E-06 3.83E-06 1.17E-10 1.91E-07 1.91E-07 2.28E-06

System Failure Rate

System MTBF (hrs) System MTBF

(yrs) Availability Un availability

2.47449E-06 404123.46 46.13 0.999980204 0.00001980

2.4745E-06 404121.55 46.13 0.999980204 0.00001980

2.47449E-06 404123.46 46.13 0.999980204 0.00001980

FF Fault tolerant FMEA

summary


Table 5: Summary of the MTBF and

Availability of Single Segment with F.PC, and

Fault Tolerance Redundant Segment. See


FF FMEA summary

Redundant Configuration

MTBF (yrs) Field cable out

MTBF (yrs) Field cable in

MTBF (yrs) Coupler in

Unavailability Cable out

Unavailability Cable in

Unavailability Coupler in

Unavailability replaceable

spur

R. Power Cond. Single

Segment 359.96 63.00 27.84 80 sec. 7.6 min 17 min 10min

Fault Tolerance

54.00 596.47 46.13 9 min. 0 sec. 10 min 3 min

Note: Replaceable spur approach has no

disturbance to the rest of the segment


Fieldbus PC must have high MTBF, this can be achieved by an

individual power conditioner in order to achieve very high

Availability.

The device coupler must have high MTBF. This can be achieved

by :

1- Duplicate common cause single fault circuits.

2- Independent single spur module.

For critical applications in FF-SIF where safety depends on

availability, a complete fault tolerant topology taking into account

the points above for high availability is highly recommended.

Summary


Understanding FF-SIF

„SIL‟ Certification

Part -2


An independent Functional Safety Assessment (FSA) is required

for all overall, E/E/PES and software lifecycle phases (IEC 61508-

1, 7)

Certification = FSA (with a specified scope)

Particularly relevant for mass produced instruments

Certificates should be trusted documents (contents/process used)

Role of certification?

Is it saying “functional safety has been achieved” (for a specified scope)?

Is it saying “compliance with the standard” (for a specified scope)?

Who is the certificate primarily intended for – the supplier, purchaser, user?

A technical document (certificate holder may have a marketing motive)

No

Yes


Real example no. 2

pg7

Is this information good enough to select product for SIL 4 capability ?

Certificate

Solenoid Valve “Achieves SIL4” per IEC 61508

λD = 2.3 x 10-10 per hour ; PFD = 2.0 x 10-7

MTTF (dangerous) = 500,000 yrs ;MTBF (total) = 5,000 yrs

Real example no. 1

In accordance with 7.4.4.3 (m) the highest Safety Integrity Level

(SIL) that can be claimed for a safety function using this sub

system in a single channel is SIL 3.


Real example no. 3

IEC 61511-1 scope

Type B


Real example no. 4

SIL 1

wrong

wrong

SD + SU + SU + DD

SD + SU + DD SFF =


The SIL-capability of an instrument is certainly an important parameter but:

there are dangers in putting a SIL <no.> as a “headline” on the certificate

once a SIL is stated, tendency to ignore the rest of the certificate

Applying ‘SIL’ to a

device

Remember, the SIL is a parameter of the safety function performed by a SIS (sensor to final element), not the individual elements.

So, what should be certified on an instrument?


In order to engineer a safety function, what does the system designer

need to know about the constituent elements?

Is the failure data defined for the instrument, for the mode in which the

system designer intends to use the instrument?

Has the instrument been developed with an appropriate degree of rigour

in relation to its use in safety functions, i.e., in order to decide an

instruments SIL capability, we need to know certain details about its:

hardware safety integrity (numerical failure data/HFT/SFF/type)

systematic safety integrity (define the compliance route, e.g Route 1S, 2S, 3S)

Scope of certification

Both have to be achieved (at the specified SIL) for the device to be “capable”


Terms “safe failure”, “dangerous failure” and hence the “safe failure

fraction” for an instrument are only relevant with respect to the specific

application safety mode

For example, if: λTO OPEN = 50 FITS; λTO CLOSE = 500 FITS

Then: SFF is either 50/(50+500) = 9% or 500/(50+500) = 91%

(depending on which failure mode is applicable)

Don‟t reject a certificate for an instrument where the specific safety

context is not defined and hence no SFF is given – this might be totally

appropriate!

What does ‘safe’ and

‘dangerous’ mean?


FMEA product data

‘open mode’


FMEA product data

‘close mode’


Where devices have internal HFT, is the certificate clear about:

Product condition under fault in one channel should be detected and

reported

MDT should be stated (which must not be exceeded) for the failure data

to be valid

Proof test method needs to exercise each channel independently

Some certificates use HFT=0(1) meaning it is reduced to 0 due to prior

use. Check that???

Lack of independence between channels should be accounted for (β-

factor)

Hardware fault tolerance

(HFT)


If PFD is quoted for an instrument, remember this is actually a SIF

parameter and is also governed by the proof test. Simplified equation is:

PFDAVG = λDU .T / 2 (T = proof test interval)

Probability of Failure on

Demand (PFD)

Time

T

PFD

Is „T‟ used in the instrument FMEA the same as that used by the end-user?

The same is true for „MTTR‟ (mean time to repair, for λDD failures)


Embedded software

For devices that include software, expect to see an

explicit statement of conformity in the certificate

SIL does not apply in the same way as hardware

(i.e., not probabilistic rate)

Certificate is a statement that the software has been developed:

according to a compliant process (IEC 61508-3, clause 7)

using appropriate techniques and measures (IEC 61508-3,

Annexes)

Assessment should include justification for the development tool chain

If sufficient valid data is available (millions of operational hours) it is

possible to use a statistical approach (IEC 61508-7, Annex D)


“Conformity Assessment of Safety-related Systems”

Open/transparent methodology and framework for assessment to IEC

61508 (and sector standards) by accredited certification bodies.

Unique!

Requirements are all in the public domain so there are no hidden

surprises

Originally a UK government funded initiative (yr 2000), designed by

industry for industry

Sira‟s UKAS accreditation requires the use of the CASS Scheme

CASS is a collective interpretation of IEC 61508 (etc) – this ensures the

assessor‟s ego is kept in check! (About 60 companies contributed)

An example certification scheme


Certificate:

Contain all information the reader/user requires (or else gives references)

Scope is clear: hardware/systematic safety integrity/FS management

Any conditions/restrictions in use

Report:

Structure and contents largely governed by the scheme used (e.g.,

proprietary, CASS)

Conformity to every relevant 61508 clause can be traced (so it is auditable)

Summary

wonder what have you got in mind?

mean down time mtbf mtbf + mdt - · pdf filefieldbus pc must have high mtbf, this can be...

Documents