A 2-Hours Course In Gas Detection
PART 4 – Gas Detection Systems and Functional Safety
Lübeck, 9.10.2008, Dr. Wolfgang Jessel
Safety System: Safety Function and Safety Integrity

Sensor/Transmitter → Controller System → Actuator

Considering a single channel safety system:
- SE, Sensing Element: the gas detection transmitter detects the potentially dangerous condition.
- LS, Logic Solver: the controller reacts to the potentially dangerous condition and activates countermeasures.
- FE, Final Element: the activated solenoid valve averts the dangerous condition by reliably closing the gas pipe.

But what is the probability that, in case of need, the gas detection system will fail to activate the safety function?
Electronic Systems: Failures Are Everywhere

Any electric, electronic or programmable electronic system (E/E/PES) might have failures. Failures which cause the safety function to fail are called dangerous. Most hardware failures, however, are not dangerous, or are at least detectable. Detectable failures, dangerous or not, can force the safety system into the safe state.

Problem: what about failures that are dangerous and cannot be detected? If a dangerous undetectable failure occurs, the safety system will not respond to a demand: it is not able to perform the safety function, and we are not even aware of it! What is the probability that this will happen? This is the Probability of Failure on Demand (PFD).
Reliability: Failures

As failures may occur seldom, but anytime and anywhere, a safety system needs to be designed and operated such that failures are avoided. How to do this? If they cannot be avoided, they must at least be detectable (failure detection) and/or the system must be immune to them (failure tolerance).
Reliability: Failures and Failure Types

The reliability of electronics depends on failures:
- systematic failures in hardware and system configuration
- systematic failures in the system's controlling software
- accidental (random) failures of the hardware
- wear-out failures of the hardware

Systematic failures can largely be excluded by a safety-oriented development. Wear-out failures must be excluded by preventive maintenance and periodic renewal; wear-out failures (consumables) are not considered in the safety integrity assessment. Accidental failures are a typical statistical property of electronic components. Their occurrence can be described statistically by failure rates λ.
Safe and Dangerous Failures: The DU Failure

Failures are classified as safe (S) or dangerous (D), and as detectable (D) or undetectable (U), giving four classes: SD, SU, DD, DU.

Examples:
- Signal cable to the transmitter cut, signal is 0 mA, central controller detects it: safe! (SD)
- Dangerous RAM failure, detected during the automatic cyclic RAM test, controller detects the failure: safe! (DD)
- Output transistor becomes defective, signal 20 mA, central controller triggers (and maintains) a gas alarm: safe! (SU)
- Loss of measuring function without indication: unsafe, dangerous! (DU)

Depending on the kind of evaluation, safe and detectable failures can force a safety related system to go into the safe state. The dangerous undetectable failure (failure rate λDU) is the main focus of the SIL consideration.
System Failures: How System Safety Is Affected

Three timelines of the system state (safe / fail over time t):
- A safe failure occurs: the system nevertheless remains safe.
- A DD failure occurs but is detected and repaired: the system is in the failed state only for the repair time MTTR. A DD failure must be repaired promptly after detection. MTTR = Mean Time To Restore (mostly 8 hours). Organisational measures!
- A DU failure occurs and is revealed only during the proof test (test interval TP), then repaired (MTTR): from the failure until the test there is no safety!
System Failures: The Probability of Failure on Demand

A periodically performed system test (safety check with proof test interval TP) is intended to reveal undetected failures. A DU failure is revealed during the test and then repaired (MTTR); as it may occur at any time within the interval, the statistical mean of the system's down-time is half the test interval TP. The probability that in case of demand the safety function cannot be performed because of a dangerous undetected failure is therefore

PFDavg = 0.5 · λDU · TP

PFDavg is the Average Probability of Failure on Demand, the mean probability that the system will fail just at the time when it is required.
Probability of Failure ... on Demand

Failure means: in case of demand the safety related system cannot perform the required safety function.
Demand means: protection systems such as gas detection systems are continuously monitoring, but rarely needed to perform safety functions (operating mode according to EN 61508: "low demand mode"). Rule of thumb: low demand means no more than one demand per year.

The dangerous probability of failure on demand can be calculated. Example: λDU = 10^-6 h^-1 (1 failure in 114 years), TP = 8760 h (proof test yearly): PFDavg = 0.5 · 10^-6 h^-1 · 8760 h = 0.00438.
Safety System: SIL Rating by Using the PFDs of Subsystems

Sensor/Transmitter (PFD1) → Controller System (PFD2) → Actuator (PFD3)

The target is to make sure that the PFD of the SIS is sufficiently low to achieve the required SIL. The PFD of the system is obtained by adding the individual PFDs of the subsystems sensor with interface, evaluating system and actuator with interface:

PFDsystem = PFD1 + PFD2 + PFD3

If PFDsystem < 0.01, this is sufficient for Safety Integrity Level 2 (SIL 2) as far as the PFD criterion is concerned; the architectural constraints on SFF and hardware fault tolerance must be met as well.
Reliability: PFD and Safety Integrity Level SIL

The PFDavg is the most important criterion in the safety assessment and reliability study of a system. When requiring a certain Safety Integrity Level SIL for a safety system, the PFDavg must not exceed a given value:

Safety Integrity Level (EN 61 508) | PFDavg (average probability not to perform the safety function on demand) | System fails once in ... demands
SIL 1 | 0.01 to < 0.1 | 11 to 100
SIL 2 | 0.001 to < 0.01 | 101 to 1 000
SIL 3 | 0.0001 to < 0.001 | 1 001 to 10 000
SIL 4 | 0.00001 to < 0.0001 | 10 001 to 100 000

Example: for SIL 2 the safety system's PFDavg must be less than 0.01.
Subsystems: The Safe Failure Fraction SFF

A Safety Instrumented System (SIS) consists of the following subsystems: Sensor/Transmitter, Controller System, Actuator. For each of these subsystems an FMEDA (Failure Mode, Effects, and Diagnostic Analysis) can be made, resulting in particular in the failure rates of the four failure types: λSD, λSU, λDD and λDU. These failure rates are necessary to calculate the share of the dangerous undetected failures in the total failure rate, or rather its complement: the share of all failures that are not dangerous undetected. This is the so-called Safe Failure Fraction, calculated as

SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU) = 1 − λDU / λtotal
Hardware Failure Tolerance: The Single Channel System

Highest SIL permitted for a single channel system (1oo1, HFT = 0):

SFF | Type A, 1oo1 | Type B, 1oo1
< 60% | SIL 1 | not allowed
60% to < 90% | SIL 2 | SIL 1
90% to < 99% | SIL 3 | SIL 2
≥ 99% | SIL 3 | SIL 3

Type A: simple device with the failure modes of all constituent components well defined and the behaviour under fault conditions completely determined. Examples: relays, relay modules, Polytron channel module.
Type B: complex device with the failure mode of at least one constituent component not well defined or the behaviour under fault conditions not completely determined. Examples: transmitters, digital controllers, etc.
Hardware Failure Tolerance: Different System Architectures

Highest SIL permitted by the architectural constraints (*) = not allowed):

SFF | Type A 1oo1 | Type A 1oo2 | Type A 1oo3 | Type B 1oo1 | Type B 1oo2 | Type B 1oo3
< 60% | SIL 1 | SIL 2 | SIL 3 | *) | SIL 1 | SIL 2
60% to < 90% | SIL 2 | SIL 3 | SIL 4 | SIL 1 | SIL 2 | SIL 3
90% to < 99% | SIL 3 | SIL 4 | SIL 4 | SIL 2 | SIL 3 | SIL 4
≥ 99% | SIL 3 | SIL 4 | SIL 4 | SIL 3 | SIL 4 | SIL 4

Type A: simple device with the failure modes of all constituent components well defined and the behaviour under fault conditions completely determined. Examples: relays, relay modules, Polytron channel module.
Type B: complex device with the failure mode of at least one constituent component not well defined or the behaviour under fault conditions not completely determined. Examples: transmitters, digital controllers, etc.
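To make the SFF definition and the two architectural-constraint tables above concrete, here is an added Python example; it is not part of the course material and not Dräger's or Exida's code. The four failure rates in EXAMPLE_FMEDA are constructed for illustration and are not a published FMEDA; the SFF band limits and SIL entries are those of the tables on this page (the IEC/EN 61508-2 route 1H constraints). The helper hft_needed goes one step beyond the tables and answers the question a system designer actually asks: how much redundancy does a subsystem with a given SFF need to be allowed to claim a target SIL?

```python
"""Safe Failure Fraction (SFF) from FMEDA failure rates, and the highest SIL the
IEC/EN 61508 architectural constraints permit for a given SFF, device type and
hardware fault tolerance (HFT).  Added example; the rates below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Fmeda:
    """Failure rates in 1/h from an FMEDA, split into the four failure classes."""
    sd: float  # safe, detected
    su: float  # safe, undetected
    dd: float  # dangerous, detected
    du: float  # dangerous, undetected

    @property
    def total(self) -> float:
        return self.sd + self.su + self.dd + self.du

    @property
    def sff(self) -> float:
        """SFF = (lambda_SD + lambda_SU + lambda_DD) / lambda_total = 1 - lambda_DU / lambda_total."""
        return 1.0 - self.du / self.total


# SFF band limits: below 60 %, 60..<90 %, 90..<99 %, >= 99 %.
_SFF_BAND_LIMITS = (0.60, 0.90, 0.99)

# Highest permitted SIL per SFF band -> (HFT 0, HFT 1, HFT 2), i.e. 1oo1, 1oo2, 1oo3.
# 0 means "not allowed".  Values are the two tables on this page.
_MAX_SIL = {
    "A": ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)),
    "B": ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)),
}


def sff_band(sff: float) -> int:
    """Row index 0..3 of the SFF bands for an SFF given as a fraction."""
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must be a fraction between 0 and 1")
    return sum(1 for limit in _SFF_BAND_LIMITS if sff >= limit)


def max_sil_by_architecture(sff: float, hft: int, device_type: str) -> int:
    """Highest SIL a subsystem may claim by architecture (0 = not allowed)."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2 (1oo1, 1oo2, 1oo3)")
    try:
        rows = _MAX_SIL[device_type.upper()]
    except KeyError:
        raise ValueError("device type must be 'A' or 'B'") from None
    return rows[sff_band(sff)][hft]


def hft_needed(sff: float, device_type: str, target_sil: int) -> Optional[int]:
    """Smallest HFT (0..2) for which the architecture allows target_sil, or None."""
    for hft in (0, 1, 2):
        if max_sil_by_architecture(sff, hft, device_type) >= target_sil:
            return hft
    return None


# Constructed example rates (1/h) for a type B transmitter; not a published FMEDA.
EXAMPLE_FMEDA = Fmeda(sd=1.00e-6, su=5.00e-7, dd=2.00e-6, du=3.50e-7)

if __name__ == "__main__":
    f = EXAMPLE_FMEDA
    print(f"SFF = {f.sff:.2%}")
    for hft in (0, 1, 2):
        sil = max_sil_by_architecture(f.sff, hft, "B")
        print(f"  type B, HFT {hft} (1oo{hft + 1}): max SIL {sil}")
    print("HFT needed to claim SIL 3 as type B:", hft_needed(f.sff, "B", 3))
```

Note that the SFF only says what the architecture permits; the same subsystem still has to stay within the PFDavg budget of the target SIL, which is a separate calculation.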
Redundant Safety System HFT = 0 – No Channel Allowed to Fail 1 out of 1 to activate the safety function
Redundant Safety System HFT = 1 – One Channel Allowed to Fail 1 out of 2 to activate the safety function
Redundant Safety System HFT = 2 – Two Channels Allowed to Fail 1 out of 3 to activate the safety function
Dräger Gas Detection Transmitters: SIL Capabilities

Transmitter | SIL-C | Type | SFF | λDU | PFDavg (TP = 1 year) | Assessment by ... | Performance appr.
Dräger PIR 7000 / 7200 | 2 | B | 94.99 % | 4.70E-08 h^-1 | 0.000204 | Exida GmbH, certified by TÜV | yes
PEX 3000 with Ex-Sensor PR M | 2 | B | 90.4 % | 1.27E-07 h^-1 | 0.000556 | Dräger, with Exida FMEDA-Tool | yes
Polytron Ex and Ex R with Ex-Sensor PR M | 2 | A | 91.5 % | 1.20E-07 h^-1 | 0.000526 | Dräger, with Exida FMEDA-Tool | yes
Polytron 3000 with EC-Sensor | 1 | B | 64.88 % | 4.43E-07 h^-1 | 0.00194 | Dräger, with Exida FMEDA-Tool | no
Polytron 7000 | 2 | B | 90.88 % | 3.57E-07 h^-1 | 0.00156 | Exida GmbH | yes
Polytron 7000 with pump module | 2 | B | 95.99 % | 4.18E-07 h^-1 | 0.00183 | Exida GmbH | yes
Polytron 7000 with relay module | 2 | B | 90.43 % | 3.42E-07 h^-1 | 0.00150 | Exida GmbH | yes
Polytron 7000 with pump and relay module | 2 | B | 95.91 % | 4.10E-07 h^-1 | 0.00179 | Exida GmbH | yes
Polytron IR Typ 334 and Typ 340 | 2 | B | 96.5 % | 2.92E-08 h^-1 | 0.000128 | Exida GmbH | yes
Polytron Pulsar 30/120 and 100/200 m | 2 | B | 91.0 % | 1.08E-07 h^-1 | 0.000475 | Exida GmbH | no
Polytron Pulsar 4/60 m | 2 | B | 92.0 % | 1.08E-07 h^-1 | 0.000475 | Exida GmbH | no
Probability of Failure on Demand: An Applied Example

Sensor/Transmitter → Controller System → Actuator

Transmitter: λDU = 5.71·10^-7 h^-1, TP = 4380 h (6-monthly): PFD = 0.5 · 4380 · 5.71·10^-7 = 0.00125
Controller: λDU = 4.06·10^-6 h^-1, TP = 4380 h (6-monthly): PFD = 0.5 · 4380 · 4.06·10^-6 = 0.0089
Shut-down relay: λDU = 2.25·10^-6 h^-1, TP = 4380 h (6-monthly): PFD = 0.5 · 4380 · 2.25·10^-6 = 0.00493

PFDsystem = 0.00125 + 0.0089 + 0.00493 = 0.01508 > 0.01 → not SIL 2

Reducing the proof test interval TP to 3 months (2190 hours):
PFDsystem = 0.000625 + 0.00445 + 0.00247 = 0.007545 < 0.01 → SIL 2, provided that the SFFs are at least 90% for type B subsystems and at least 60% for type A subsystems!
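The applied example above, together with the PFDavg formula and the SIL table from the earlier slides, as an added, runnable Python example; it is not part of the course material and not Dräger's code. It uses the three λDU values of the applied example. Two things go beyond the slide: pfd_avg takes an optional MTTR term (the IEC/EN 61508-6 simplified 1oo1 expression λDU · (TP/2 + MTTR), which reduces to the slide's 0.5 · λDU · TP for MTTR = 0), and max_proof_test_interval inverts the formula to give the longest proof test interval that still meets the SIL 2 PFD budget, a figure the slide does not state. Architectural constraints (SFF/HFT) are not covered by this block.

```python
"""PFDavg of a low-demand safety function built from series subsystems, the SIL that
the PFD criterion alone permits, and the longest proof test interval that still meets
a PFD target.  Added example using the lambda_DU values of the applied example."""
from typing import Dict, Iterable

HOURS_PER_YEAR = 8760.0

# EN 61508 low-demand bands: (PFDavg lower bound inclusive, upper bound exclusive, SIL).
_PFD_BANDS = ((1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1))

# lambda_DU in 1/h of the three subsystems of the applied example above.
APPLIED_EXAMPLE: Dict[str, float] = {
    "transmitter": 5.71e-7,
    "controller": 4.06e-6,
    "shut-down relay": 2.25e-6,
}


def pfd_avg(lambda_du: float, tp_hours: float, mttr_hours: float = 0.0) -> float:
    """Single-channel (1oo1) approximation: a DU failure stays hidden for half the proof
    test interval on average, plus the repair time once revealed.  With mttr_hours=0 this
    is the slide's PFDavg = 0.5 * lambda_DU * TP.  First-order, valid while PFD << 1."""
    if lambda_du < 0 or tp_hours <= 0 or mttr_hours < 0:
        raise ValueError("rates and MTTR must be non-negative, TP positive")
    return lambda_du * (tp_hours / 2.0 + mttr_hours)


def pfd_system(lambda_dus: Iterable[float], tp_hours: float, mttr_hours: float = 0.0) -> float:
    """Series system (sensor -> logic solver -> final element): any failed subsystem fails
    the demand, so the subsystem PFDs add (first-order, PFDs << 1)."""
    return sum(pfd_avg(rate, tp_hours, mttr_hours) for rate in lambda_dus)


def sil_from_pfd(pfd: float) -> int:
    """SIL reached by the PFD criterion alone (0 = worse than SIL 1).  The SFF/HFT
    architectural constraints and systematic capability must be met separately."""
    if pfd < 1e-5:
        return 4  # below the SIL 4 band; SIL 4 is the highest level defined
    for lower, upper, sil in _PFD_BANDS:
        if lower <= pfd < upper:
            return sil
    return 0


def max_proof_test_interval(lambda_dus: Iterable[float], pfd_target: float,
                            mttr_hours: float = 0.0) -> float:
    """Longest TP in hours for which pfd_system() still meets pfd_target.
    Inverts PFD = sum(lambda_DU) * (TP/2 + MTTR)."""
    total_du = sum(lambda_dus)
    tp_hours = 2.0 * (pfd_target / total_du - mttr_hours)
    if tp_hours <= 0:
        raise ValueError("target not reachable: the MTTR term alone exceeds the PFD budget")
    return tp_hours


if __name__ == "__main__":
    rates = list(APPLIED_EXAMPLE.values())
    for months in (12, 6, 3):
        tp = HOURS_PER_YEAR * months / 12
        pfd = pfd_system(rates, tp)
        print(f"TP = {months:2d} months: PFDsystem = {pfd:.5f} -> SIL {sil_from_pfd(pfd)} by PFD")
    tp_max = max_proof_test_interval(rates, 0.01)
    print(f"longest TP for SIL 2 (PFD < 0.01): {tp_max:.0f} h = {tp_max / HOURS_PER_YEAR * 12:.1f} months")
```

The slide's totals (0.01508 and 0.007545) are sums of per-subsystem values rounded to three significant digits; the unrounded sums are 0.01507 and 0.00753, so the SIL verdicts are unchanged. The 6-monthly test misses SIL 2 by about 50 %, and the inversion shows that any proof test interval shorter than roughly 2 900 hours (about four months) would have sufficed for the PFD criterion.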
Polytron 7000 SIL Capability (FMEDA by Exida GmbH)

λDU = 3.57·10^-7 h^-1, SFF = 90.88%, PFD = 1.56·10^-3 at TP = 1 year; share of the SIL 2 budget (0.01) used: 15.6%

Device | PFD (TP = 1 year)
Transmitter 4-20 mA | 0.00156
Transmitter 4-20 mA, with pump | 0.00183
Transmitter without 4-20 mA, with relay output | 0.00150
Transmitter without 4-20 mA, with relay output and pump | 0.00179

Even at yearly maintenance the average PFD values are considerably lower than 0.01: very suitable for SIL 2 applications, with sufficient margin for the further safety relevant devices needed for the complete system.
Pulsar SIL Capability (FMEDA by Exida GmbH)

λDU = 1.09·10^-7 h^-1, SFF = 91.9%, PFD = 4.75·10^-4 at TP = 1 year; share of the SIL 2 budget (0.01) used: 4.8%

Even at yearly maintenance the average PFD values are considerably lower than 0.01: very suitable for SIL 2 applications, with sufficient margin for the further safety relevant devices needed for the complete system.
Polytron IR SIL Capability (FMEDA by Exida GmbH)

λDU = 2.92·10^-8 h^-1, SFF = 96.5%, PFD = 1.28·10^-4 at TP = 1 year; share of the SIL 2 budget (0.01) used: 1.3%

Even at yearly maintenance the average PFD values are considerably lower than 0.01: very suitable for SIL 2 applications, with sufficient margin for the further safety relevant devices needed for the complete system.
Dräger PIR 7000 / 7200 SIL Capability and Certificate (FMEDA by Exida GmbH)

λDU = 4.7·10^-8 h^-1, SFF = 94.9%, PFD = 2.04·10^-4 at TP = 1 year; share of the SIL 2 budget (0.01) used: 2%

Even at yearly maintenance the average PFD values are considerably lower than 0.01: very suitable for SIL 2 applications, with sufficient margin for the further safety relevant devices needed for the complete system.
Gas Detection Systems: Responsibility of the Customer

The SIL standard does not consider consumables, so the periodic maintenance (proof test interval TP) is addressed to the electrics and electronics. Consumables must be renewed (preventive replacement). Electrochemical and catalytic sensors, for example, have to be tested according to the manufacturer's recommendations or, considering the actual requirements, at shorter intervals, to ensure the measuring function including alarm triggering, and that the target gas can freely penetrate into the sensor.

The manufacturer not only issues the declaration of SIL conformity but also safety instructions, which e.g. also describe the scope of the periodic proof tests.

The customer must establish organisational measures so that during the entire operational time of the safety related system all safety relevant requirements are met, especially:
- periodic maintenance and function tests
- management of replacement parts
- modifications of the safety system
- commissioning and decommissioning

Safety for the whole life cycle!
Summary: What Did We Learn?

- Electronics may have failures; only undetectable dangerous failures cause problems.
- By periodic proof tests a safety system can be virtually renewed.
- The average PFD can be calculated for subsystems and for complete safety systems.
- The PFD must be lower than a given limit for a given SIL.
- The Safe Failure Fraction can be calculated and must be higher than a given percentage for a given SIL, depending on the type of subsystem and the HFT.
- Complete operation from commissioning to decommissioning needs to fulfil special safety requirements depending on the Safety Integrity Level. Safety for the whole life cycle!