Partial stroke tests as a procedure for the extension of the proof test interval

Size: px

Start display at page:

Download "Partial stroke tests as a procedure for the extension of the proof test interval"

Justin Russell
5 years ago
Views:

1 7th WEA International Conference on APPLIE COMPUTER CIENCE, Venice, Italy, November 2-23, Partial stroke tests as a procedure for the extension of the proof test interval J. BÖRCÖK, 2,. MACHMUR 2 HIMA Paul Hildebrt GmbH + Co KG Albert-Bassermann-tr. 28 Bruehl, Germany University of Kassel 2 epartment of Computer Architecture ystem Programming Wilhelmshoeher Allee 73 Kassel, Germany Abstract: This paper describes a procedure to reduce the probability of failure on dem () for systems to extend the proof test interval by using partial stroke test (). The goal of partial stroke tests is to discover a part of the dangerous undetected failures at an earlier time. The difference between a partial stroke test a proof test () is that a component is only partially tested by a. However, after carrying out a, the system has a residual of dangerous undetected failures. This residual can be eliminated by a proof test. The probability of failure can be improved with the diagnostic coverage factor for partial stroke tests. It is important to know the difference between probability of failure the average probability of failure avg. The values of both s with partial stroke test are lower than the probability of failure without partial stroke test. The factor B shows the improvement between a system with without partial stroke tests at the time of the proof test. The larger the factor B is the larger is the system s improvement. Key-words: IEC/EN 68, I, failure rates,, proof test, partial stroke test, system improvement, extension of I afety Instrumented ystems A safety instrumented system (I) consists of a sensor, a logic unit an actuator. With these three components a lot of different architectures can be created. The (probability of failure on dem) is the probability that a system fails in a time in which it is needed. The smaller the value is the better the system becomes. In order to calculate the value of a system, only the dangerous failures are important. The system goes into the fault state, if a dangerous failure is not discovered. afe failures dangerous detected failures do not harm the system so the system goes into the safe state. A periodical manual test can reduce the maximum of allowed dangerous failures of a I. This test-mode is called proof test (). According to the international stard IEC 68, part 4, a proof test is defined as a fully executed proof-test. The definition according to IEC 68 is []: periodic test performed to detect failures in a safetyrelated system so that, if necessary, the system can be restored to an as new condition or as close as practical to this condition. 2 Failure rates of proof tests To calculate the failure rate, the safe failures λ dangerous failures λ have to be analyzed. The basis failure rate λ B is the sum of both failure rates. The safe failure rate λ is divided into the safe detected failure rate λ the safe undetected failure rate λ U. Both safe failures do not harm the system. The dangerous failure value λ can lead to a safety critical loss. uch dangerous failures are divided into the dangerous detected failure rate λ the dangerous undetected failure rate λ U. The equations of the different failure rates are shown in Equations, 2 3 () B (2) U (3) U The following conditions describe important details for further calculations. If there exists a system with a complete proof test there is an online diagnosis, then we get the following failure rates: safe failure rate λ dangerous detected failure rate dangerous undetected failure rate The dangerous detected failure rate λ, online λ λ is diagnosed, online over an online diagnostic coverage C online in time interval ranges of milliseconds to seconds [7]. The graphic in Fig. explains the allocation of the failure rates with a full proof test. angerous undetected failures λ will be eliminated with a proof test. Afterwards, the system is considered as failure free. It is assumed that all errors are eliminated the system is considered as new.

2 7th WEA International Conference on APPLIE COMPUTER CIENCE, Venice, Italy, November 2-23, λ λ - λ λ, Online λ λ λ, λ, Online Fig. Allocation of failure rates without As shown in Fig. the dangerous failures are: = λ U U, + λ, online λ C λ (4) online = online (), λu C λ = ( online ) (6), It is widely accepted that the C online factor has a value larger than 99 [4]. 3 Failure rates with partial stroke test The difference between a partial stroke test () a is that examines a component only partially. A detects a smaller part of dangerous undetected failures but earlier in comparison to a. However, after carrying out a, the system has a residual of dangerous undetected failures. This residual can be eliminated by a. For dangerous failure rates the following notations are selected: safe failure rate λ (is the same safe failure rates like a proof test) online test detected failure rate λ, Online partial stroke test detected dangerous undetected failure rates λ, only by a proof test eliminated dangerous undetected failure rates λ U, Fig. 2 shows the allocation of failure rates for a partial stroke test in comparison to a proof test. After a, the system is not considered as new. o, the system is not error free, because no complete proof test is accomplished. The following equations describe the failure rates of partial stroke tests according to Fig. 2. λ = λ + λ + (7), λ, online Fig. 2 Allocation of failure rates with λ is equal to a system with without,online λ online = Conline λ (8), for a system with λ λ + (9) U =, λu, with λ, = C λu () λ = ( C λ, ) U The diagnostic coverage factor of a, called C, is the ratio of λ, λ U. The relationship between the dangerous undetected failure rates in a system with without is given in Equation below. λ = λ + () U, U, λ, And with Equation 6, it results in ( C online) λ = λ + λ (2), Without online diagnostic the Equation 2 can be simplified to: λ = λ + (3) λ, 4 calculation for a oo system with without 4. oo system without partial stroke test If an exponential distribution of failures is assumed, then the failure rate λ is constant related to the time t. The Reliability R(t) is the probability that a component identifies its dem for a predefined time. λ t R( t) = e (4) The probability of failure P(t) is given by Equation.

3 7th WEA International Conference on APPLIE COMPUTER CIENCE, Venice, Italy, November 2-23, P λ t ( t) = R( t) = e () With this approximation of: λ t << (6) The probability of failure P(t) is: P( t) (7) In a safety related system, the probability of failure on dem () is an important safety parameter. It is defined in the international stard IEC 68. With Equation, the value can be determined as: λ t ( t) = e (8) This equation calculates the exact probability of failure under the condition that the failure rate is constant [6]. ystem aging wear out is not considered. Next, the approximation of λ t << is used to obtain the value, as presented below. P( t) (9) The average probability of failure on dem avg is given with approximation of λ t << [, 4, ]: avg ( t = T ) = λ T (2) 2 The proof test is executed at the time t =t. Only the dangerous failures λ are relevant for the calculation. λ, online λ are defined according to the international stard IEC 68 as follow []: the dangerous detected failures λ are detected with the online diagnostic the dangerous undetected failures, online λ are detected after a Taking these conditions into account, Equations 9 2 are changing to Equation t) = ( λ + ) t (2) (, online λu, = λ ) T (22) 2 avg ( T ) (, online + λu, As shown, the advantage of a system with compared to a system without is that the online diagnostic is negligible. To simplify the equations above the online diagnostic is not considered anymore Equations 9 2 become: ( t) λ t (23) avg = U, ( T ) = λ U, T (24) 2 Table without partial stroke test 438 3,4 (t) without.e+.3e E E-4 7,2 2,9 26,28 (t) without.26e-4 6.7E E-4 Table 2 avg without partial stroke test to 26,28 (t) without 3.94E-4,E without avg without Fig. 3 (full-line) avg (dashed line) without partial stroke test. 4.. Application set-up for the calculation of avg A oo system is assumed which has a dangerous failure rate of: 8 λ = λu, = 3 (2) h This assumption is the same for all calculations: there is no online diagnostic the dangerous failure rate is equal to the dangerous undetected failure rate For the proof test interval it is assumed that T = 3 years. With Equations the probability of failure the average probability of failure avg over the time t = to t =T =3 years is shown in Table Table 2. The table shows that over time t the avg value is constant. The results are shown in Fig. 3. Table 2 shows the results of avg. 4.2 oo system with partial stroke test is an incomplete proof test. With a compared to one only discovers a small part of dangerous undetected failures. Equation 26 shows the value without ( wo. ). ( t λ t (26) wo. ) = U, A value for a system with partial stroke tests ( w. ) possesses a part of dangerous detected failures

4 7th WEA International Conference on APPLIE COMPUTER CIENCE, Venice, Italy, November 2-23, λ a part of dangerous undetected failures, λ. ( λ λ t (27) w. t) =, t A + The time t A is the time between the first (t st ). The time t B is the time between the first proof test t. If one has a periodical partial stroke test after given time, then Equation 27 is a function of t st t. w. ( t) = f ( tst, t) (28) + λ t, st B U, Equation 28 consists of two linear functions. The first function defined on the time interval [... t st ] the second function on the time interval [... t]. The following assumptions are considered: The first partial stroke test is accomplished at the time t st = T st. The proof test is executed much later than the first. Therefore, the first part of Equation 28 becomes constant the second is a linear function of the time t. The value of a at time T st is shown in Equation 29. w. ( t. ) =, ( Tst, λ, ) (29) + ( t, λ ) U, U, The value for the first consists of,., is the probability of failure of the failure rate λ the time t st. uch, failures are detected by a partial stroke test estimate the value for the,. The second term gives the probability of failure for the failure rate λ at the time t. The failures λ are only detected after a. To get the value for the first one has to accomplish an imaginary proof test at the time t =t st. With the diagnostic coverage factor C Equations 28, it results in t) = λ [ C t + ( C ) ] (3) w. ( U st t Table 3 with without partial stroke test 7,2 (t) without.e+ 6.3E E-3 (t) with.e+ 6.3E-4 2.4E-4 8.8E-4 7,2 26,28 (t) without E-3 (t) with 4.9E-4.E-3 With a only dangerous detected failures can be identified. angerous undetected failures are only detectable with a [, 4]. After a a residual failure rate remains, which can only be detected by a therefore the probability of failure after a ( a. ) is equal to. a. ( t) = U, (3) = ( C ) λ t U 4.2. Application set-up for the calculation A oo system is assumed with the same dangerous detected failure rate as in the previous case. The proof test interval is T = 3 years the partial stroke test interval is T st = year. The diagnostic coverage factor for the is C = 6. The with is calculated by Equation 3 the is calculated by Equation 3. The values are shown in Table 3. Fig. 4 shows the value with (line 2) without a (line ). The values of the characteristic line without are represented in Table. Up to the first, the values are equal. After the first, the lines differ, because a system with partial stroke tests possesses a residual probability of failure a.. After three years a complete proof test is carried out the system is regarded as new. The advantage of a system with compared with a system without is the reduction of the probability of failure on dem. The reduction is marked in Fig. 4 with the parameter B. The Factor B is the difference between the values with without at the time t = t. Factor B can be calculated with Equation 26, 3 t = t : B( t = T ) = wo. ( t = t ) w. ( t = t ) (32) = λ C ( t t ) st Assuming factor B, first t = t st the proof test interval t = t are given, then the C value can be calculated by reorganizing Equation 32: B( t) C = λ ( t tst ) (33),E w ithout w ith Fig. 4 without with partial stroke test

5 7th WEA International Conference on APPLIE COMPUTER CIENCE, Venice, Italy, November 2-23, 27 4 Partial stroke test proof test As mentioned a system with partial stroke test () the dangerous undetected failure rate consists of two terms: a failure rate λ which is detected by a a, failure rate λ which is detected only through a proof test () [Börcsök & Machmur 27]: λ λ + (34) U =, λ U, with λ, = C λu (3) λ = ( C λ, ) U The diagnostic coverage factor of a, called C, is the ratio of λ, λ U. The objective of a system with compared with a system without a is to reduce the probability of failure. In an application set-up the is executed every 6 months the proof test interval is set to three years. In order to observe how the values are changing, the interval is set to 2 8 months to compare the three s. The following graphs show the intervals t st of 438 /or 34 hours. For the calculations below, a oo system is assumed which has a dangerous failure rate: 8 λ = λ = 3 U, h No online diagnostic is implemented the dangerous failure rate is equal to the dangerous undetected failure rate. The proof test interval ist set to t = 3 years the diagnostic coverage factor C to 6.. oo system with partial stroke test, w. In the following, the probability of failure w. is tested by different intervals... First after 438 hours The value for the first consists of,., is the probability of failure of the failure rate λ the time t, st. uch failures are detected by a estimate the value for the,. The second term gives the probability of failure for the failure rate λ at the time t. The failures λ are only detected after a. To get the value for the first one has to accomplish an imaginary proof test at time t = t st. With the diagnostic coverage factor C, it results in: w. ( t) = f ( tst, t) (36) + λ t, st U, After a is carried out Equation 37 becomes valid for the residual dangerous undetected failures. a. ( t) = U, (37) = ( C ) λ t U The derivation of these equations can be found in [2, 3]. The probability of failure for a system with without a from the time t = to t = t =3 years is shown in Table 4. Fig. shows the values with (line ) without a partial stroke test (line ). Up to the first the values are identical. After the first, the lines differ, because a system with partial stroke test possesses only a residual probability of failure, a.. After three years a complete proof test is accomplished the system is regarded as new.,e w ithout w ith, 6 Fig. with without a every six months with a proof test interval of three years. Table 4 with without partial stroke test without.e+.3e E-4 with.e+.3e-4.36e-4.84e-4 3,4 3,4 7,2 without E E-4 with.e E-4.8E E-4 7,2 2,9 2,9 26,28 without E E-4 with 2.E E E E-4..2 First after 3,4 hours The probability of failure for a system with without a after 3,4 hours is shown in Table below. All other conditions are the same. Fig. 6 shows the values with (line 3) without a partial stroke test (line ). Again, up to the first the values are identical. After the first the characteristic lines differ, because a system with partial

6 7th WEA International Conference on APPLIE COMPUTER CIENCE, Venice, Italy, November 2-23, 27 4 stroke test possesses only residual probability of failure a....3 comparison between different intervals of 438, 3,4 hours The value for a proof test after three years with a every six months is smaller than the value for the same proof test interval with a every twelve or eighteen months. Table 6 Fig. 7 show this. Now, the values for different intervals at the time of the proof test (here: after three years) are going to be compared. Table 7 shows the values. Fig. 8 shows the three values for different intervals. All values are in IL 3 level. Table with without partial stroke test 3,4 3,4 26,28 without.e+ 3.94E E-4 with.e+ 3.94E-4.8E-4.2E-4 Table 6 with without partial stroke test for several s without.e+.3e E-4 with =438 h.e+.3e-4.26e-.84e-4 with = h.e E-4 w. =34 h.e ,4 3,4 7,2 without E E-4 with =438 h.e E-4.8E E-4 with = h.e E-4 w. =34 h E-4.8E ,2 2,9 2,9 26,28 without E E-4 with =438 h 2.E E E E-4 with = h 2.E E-4 w. =34 h E-4,E w ithout w ith Fig. 6 with without a every 8 months with a proof test interval of three years.2 Extension of the interval values for systems with partial stroke tests are smaller than systems without. o it is possible to extend the proof test interval by using the from three to five years, with the same application set-up. Fig 9 shows the values for a proof test at three (full line) five years (dashed line). The value for the proof test after five years has to be reduced, so that the value of the interval of five years is within the IL 3 level. In order to achieve this, a partial stroke test is accomplished (vertical line) for example every 2 months as shown in Fig. 9. Fig. shows the results for a selected interval of year a interval of years. The value for years is clearly within the IL 3 level. The value is reduced IL 3 level is achieved. Finally, the proof test interval is extended from 3 to years. 3,E w ithout w ith w ith w ith Fig. 7 Comparison of for every 6, 2, 8 months with a proof test interval of three years 6 Conclusions Risk reduction of a afety Integrity Function is determined by using the average probability of failure ( avg ). The most common method to classify a IF is done by estimating the afety Integrity Level (IL), based on the stard IEC 68. A proof test is a repeated inspection of safety related systems to detect failures in the system. After suitable procedures are carried out, the system is considered as new. In some cases, proof testing can reduce the total operation costs caused by a required IF. But it has to be mentioned that the costs of carried out proof tests might balance the cost advantage. To execute proof tests it is not always easy in practice it is not always possible to do complete repair after a failure occurred.

7 7th WEA International Conference on APPLIE COMPUTER CIENCE, Venice, Italy, November 2-23, Table 7 with without partial stroke test at the time of the proof test 26,28 without 7.88E-4 with =438 h 3.94E-4 with = h 4.73E-4 w. =3,4 h.2e-4 The theoretical research is nearly completed for a oo- system will be examined on practical industrial systems but currently field data are not available.,e-2,e-3,e-4,e- for 6 months ifference between intervals 3,94E-4 for 2 months 4,73E-4,2E-4 for 8 months Proof test after three years 7,88E [h] Fig. 8 maximum for every 6, 2 8 months Therefore, partial stroke tests are a good possibility to reduce the probability of failure. The paper demonstrates that a system with partial stroke tests provides a smaller probability of failures in comparison to a system without. Additionally, the proof test interval can be extended if partial stroke tests are carried out. The extended interval depends on the selected C factor the point in time of the first partial stroke test.,4e-3,2e-3,e w ithout w ith Fig. Proof test for years with every 2 months 3,3 4 6,83 References: [] Börcsök, J. 27. Functional safety systems. Hüthig Verlag. [2] Börcsök J., Machmur. 27. Influence of partial stroke tests diagnostic measures of the proof test interval. afety Reliability for Managing Risk, afety Reliability Conference - EREL27, ERA: tavanger, Norway. [3] Börcsök J., Machmur. 27. Examination of repetitive proof test for safety related systems. afety Reliability for Managing Risk, afety Reliability Conference - EREL27, ERA: tavanger, Norway. [4] Börcsök J. 24. Electronic safety systems. Heidelberg: Hüthig. [] IEC/EN Internat. stard 68 functional safety: afety-related ystem, Inter.Elec.Com. Geneva. [6] Lewis, E Introduction to reliability engineering. 2nd edition. New York: John Wiley [7] Goble W.M. 99. afety of programmable electronic systems Critical Issues, iagnostic Common Cause trength In Proceedings of the IchemE ymposium, Rugby. Proof test for three five years,e-2 proof test after years,e-3,e-4 proof test after 3 years IL 3,E _3 years _ years Fig. 9 values for a proof test after 3 years

Calculation of MTTF values with Markov Models for Safety Instrumented Systems

7th WEA International Conference on APPLIE COMPUTE CIENCE, Venice, Italy, November -3, 7 3 Calculation of MTTF values with Markov Models for afety Instrumented ystems BÖCÖK J., UGLJEA E., MACHMU. University