Safety analysis and standards Analyse de sécurité et normes Sicherheitsanalyse und Normen

Similar documents
Quantitative Reliability Analysis

Reliability Analysis of Electronic Systems using Markov Models

Common Cause Failure (CCF)

Evaluating Safety Integrity Level in presence of uncertainty

Risk Analysis of Highly-integrated Systems

Safety Instrumented Systems & Functional safety of safety-related systems. A substantial new opportunity for Pfannenberg Signaling products

Commissioning and Testing of AVR and PSS

Reliability of Technical Systems

Facing the winter challenges for railways in Europe - Winter & Railways Fact Sheet Root Causes Rolling Stock and Infrastructure UIC Survey Evaluation

ELE 491 Senior Design Project Proposal

Overview of Control System Design

Chapter 12. Spurious Operation and Spurious Trips

Joint work with Marie-Aude Esteve, Joost-Pieter Katoen, Bart Postma and Yuri Yushtein.

Terminology and Concepts

Reliability Engineering I

STATIC GAS MONITOR Type SGM/DEW Revision A of 20 aprile 2016

Cooling Water Flow Regulator

Reliability Analysis of Hydraulic Steering System with DICLFL Considering Shutdown Correlation Based on GO Methodology

DESIGN STANDARD. Micro-debris Impact Survivability Assessment Procedure

Chapter 5. System Reliability and Reliability Prediction.

Reliability of sequential systems using the causeconsequence diagram method

Mean fault time for estimation of average probability of failure on demand.

24 volts (0.25 amps current-limited)

Development of Multi-Unit Dependency Evaluation Model Using Markov Process and Monte Carlo Method

B.H. Far

RELIABILITY ANALYSIS OF PISTON MANUFACTURING SYSTEM

Fail-Safe Testing of Safety-Critical Systems

ATTACHMENT Mitigating Systems

12 - The Tie Set Method

of an algorithm for automated cause-consequence diagram construction.

Safety and Reliability of Embedded Systems

Quantification of the safety level of a safety-critical control system K. Rástočný 1, J. Ilavský 1

ISO 9906 INTERNATIONAL STANDARD. Rotodynamic pumps Hydraulic performance acceptance tests Grades 1 and 2

Chapter X: Radiation Safety Audit Program

Operating instructions Magnetic-inductive flow sensor SM6004 SM7004 SM / / 2014

F F FAULT CURRENT Prospective. 1. Introduction. 2. Types of fault conditions

FAULT-TOLERANT CONTROL OF CHEMICAL PROCESS SYSTEMS USING COMMUNICATION NETWORKS. Nael H. El-Farra, Adiwinata Gani & Panagiotis D.

Installation guide 862 MIT / MIR

r. Matthias Bretschneider amburg - Dept. Safety Fehleranalyse mit Hilfe von Model Checkern

TOSHIBA CMOS Digital Integrated Circuit Silicon Monolithic TC7SG02FU IN A GND

Windchill Quality Solutions 2011 (formerly Relex 2011) Curriculum Guide

SAFETY GUIDED DESIGN OF CREW RETURN VEHICLE IN CONCEPT DESIGN PHASE USING STAMP/STPA

DS 300. Electronic Pressure Switch. with IO-Link interface. Stainless Steel Sensor. accuracy according to IEC 60770: 0.35 % FSO.

At Terms and Definitions

TC74VCX14FT, TC74VCX14FK

MAINTENANCE EVALUATION CHECKLIST HYDRAULIC ELEVATORS

Module No. # 03 Lecture No. # 11 Probabilistic risk analysis

Lamp and Control Panel (Lamp Panel)

12 Moderator And Moderator System

TECHNICAL MANUAL 820 LX / 910 LX / 1300 LX

Chapter 18 Section 8.5 Fault Trees Analysis (FTA) Don t get caught out on a limb of your fault tree.

Reliability of fluid systems

List of Legislative Regulations Dealing with Nuclear Energy and Ionizing Radiation and Related Documents

Compact Orifice FlowMeter

On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets

Causal & Frequency Analysis

6.1 Dependability Modeling. General Rules. Analysis

Chapter 6. a. Open Circuit. Only if both resistors fail open-circuit, i.e. they are in parallel.

Operating instructions Magnetic-inductive flow meter SM6x04 SM7x04 SM8x04

Electrical safety testing Checklist

Risk Analysis HOW DID WE GET HERE AND WHERE ARE WE GOING? Steven G. Vick

Periodic Inspection and Testing of Electrical Installations Sample Test ( ) Version 1.3 July 2018

Page 1 of 16 Issue No. 0 of IECEx TUN X

PHOENIX CONTACT - 04/2016. Features

Reliability of Technical Systems

ISO Radiological protection Sealed radioactive sources General requirements and classification

Mixed Criticality in Safety-Critical Systems. LS 12, TU Dortmund

Evaluating the Core Damage Frequency of a TRIGA Research Reactor Using Risk Assessment Tool Software

Quality assurance for sensors at the Deutscher Wetterdienst (DWD)

INTERNATIONAL STANDARD

Safety and Reliability of Embedded Systems. (Sicherheit und Zuverlässigkeit eingebetteter Systeme) Fault Tree Analysis Obscurities and Open Issues

6 Securing of the delivery and acceptance

The Applications of Inductive Method in the Construction of Fault Trees MENG Qinghe 1,a, SUN Qin 2,b

B.H. Far

Infrared thermography as a tool to elaborate procedures for predictive maintenance of ball mills equipment

Reliability of Beam Loss Monitors System for the Large Hadron Collider

Norm Hann Performance Manager, Performance Management Department Hydro One Networks Inc.

Derogation Criteria for the Requirements for Generators Network Code

QUALIFICATION SPECIFICATION

ISM Evolution. Elscolab. Nederland BV

WM 07 Conference, February 25 March 01, 2007, Tucson, AZ

Reliability of Beam Loss Monitors System for the Large Hadron Collider

Overview of Control System Design

Reliability of Technical Systems

STATE OF COLORADO DESIGN CRITERIA FOR POTABLE WATER SYSTEMS WATER QUALITY CONTROL DIVISION. Price: $5.00. Revised March 31, 1997

R E A D : E S S E N T I A L S C R U M : A P R A C T I C A L G U I D E T O T H E M O S T P O P U L A R A G I L E P R O C E S S. C H.

Analyzing system changes with importance measure pairs: Risk increase factor and Fussell-Vesely compared to Birnbaum and failure probability

Measurement Uncertainty in Mechanical Testing

Eutelsat practice & views on long term sustainability. COPUOS/SCST - LTS Workshop Vienna, 14 February 2013

ANALYSIS OF DISTILLATION FLASK EXPLOSION AT X LABORATORY, FACULTY OF ABC YZ UNIVERSITY ZULKIFLI DJUNAIDI

Request Ensure that this Instruction Manual is delivered to the end users and the maintenance manager.

Robustness and vulnerability assessment of water networks by use of centrality metrics

Time-varying failure rate for system reliability analysis in large-scale railway risk assessment simulation

Investigation #2 TEMPERATURE VS. HEAT. Part I

Common-cause failures as major issue in safety of control systems

RADIATION-METER TM-91/TM-92

PUMP PERFORMANCE MEASUREMENTS Jacques Chaurette p. eng. April 2003

I.CHEM.E. SYMPOSIUM SERIES NO. 110

An Introduction to Insulation Resistance Testing

Integrating Reliability into the Design of Power Electronics Systems

Transcription:

Industrial Automation Automation Industrielle Industrielle Automation 9.6 Safety analysis and standards Analyse de sécurité et normes Sicherheitsanalyse und Normen Prof Dr. Hubert Kirrmann & Dr. B. Eschermann ABB Research Center, Baden, Switzerland 2010 05 10 HK&BE

Overview Dependability Analysis 9.6.1 Qualitative Evaluation Failure Mode and Effects Analysis (FMEA) Fault Tree Analysis (FTA) Example: Differential pressure transmitter 9.6.2 Dependability Standards and Certification Standardization Agencies Standards 2011 June HK&BE 2

Failure Mode and Effects Analysis (FMEA) Analysis method to identify component failures which have significant consequences affecting the system operation in the application considered. identify faults (component failures) that lead to system failures. effect on system? component 1 component n failure mode 1 failure failure mode k mode 1 failure mode k FMEA is inductive (bottom-up). 2011 June HK&BE 3

FMEA: Purpose (overall) There are different reasons why an FMEA can be performed: Evaluation of effects and sequences of events caused by each identified item failure mode ( get to know the system better) Determination of the significance or criticality of each failure mode as to the system s correct function or performance and the impact on the availability and/or safety of the related process ( identify weak spots) Classification of identified failure modes according to their detectability, diagnosability, testability, item replaceability and operating provisions (tests, repair, maintenance, logistics etc.) ( take the necessary precautions) Estimation of measures of the significance and probability of failure ( demonstrate level of availability/safety to user or certification agency) 2011 June HK&BE 4

FMEA: Critical decisions Depending on the exact purpose of the analysis, several decisions have to be made: For what purpose is it performed (find weak spots demonstrate safety to certification agency, demonstrate safety compute availability) When is the analysis performed (e.g. before after detailed design)? What is the system (highest level considered), where are the boundaries to the external world (that is assumed fault-free)? Which components are analyzed (lowest level considered)? Which failure modes are considered (electrical, mechanical, hydraulic, design faults, human/operation errors)? Are secondary and higher-order effects considered (i.e. one fault causing a second fault which then causes a system failure etc.)? By whom is the analysis performed (designer, who knows system best third party, which is unbiased and brings in an independent view)? 2011 June HK&BE 5

FMEA and FMECA FMEA only provides qualitative analysis (cause effect chain). FMECA (failure mode, effects and criticality analysis) also provides (limited) quantitative information. each basic failure mode is assigned a failure probability and a failure criticality if based on the result of the FMECA the system is to be improved (to make it more dependable) the failure modes with the highest probability leading to failures with the highest criticality are considered first. Coffee machine example: If the coffee machine is damaged, this is more critical than if the coffee machine is OK and no coffee can be produced temporarily If the water has to be refilled every 20 cups and the coffee has to be refilled every 2 cups, the failure mode coffee bean container too full is more probable than water tank too full. 2011 June HK&BE 6

Example: tea dispenser cold water S1 L Tis S2 The controller fills the tank up to the high water mark given by sensor L. it then heats the liquid until the desired temperature Tsol (entered by a potentiometer). When the user presses the button, it opens the exit valve and fills a volume of water given by the aperture time. heater 100 W SW B Tsol 220 V~ What is the consequence of the failure of each of these elements: - on the availability? - on the safety? (flooding, burning.) 2011 June HK&BE 7

FMEA: Tea dispenser example component failure mode effect on system inlet valve closed no production open flooding outlet valve closed no production open flooding temperature sensor stuck on high cold water stuck on low burning button closed flooding open no production level indicator stuck on high burning stuck on low flooding 2011 June HK&BE 8

Criticality Grid Criticality levels I II III IV very low low medium high Probability of failure 2011 June HK&BE 9

Failure Criticalities IV: Any event which could potentially cause the loss of primary system function(s) resulting in significant damage to the system or its environment and causes the loss of life III: Any event which could potentially cause the loss of primary system function(s) resulting in significant damage to the system or its environment and negligible hazards to life II: Any event which degrades system performance function(s) without appreciable damage to either system, environment or lives I: Any event which could cause degradation of system performance function(s) resulting in negligible damage to either system or environment and no damage to life 2011 June HK&BE 10

FMEA/FMECA: Result Depending on the result of the FMEA/FMECA, it may be necessary to: change design, introduce redundancy, reconfiguration, recovery etc. introduce tests, diagnoses, preventive maintenance focus quality assurance, inspections etc. on key areas select alternative materials, components change operating conditions (e.g. duty cycles to anticipate/avoid wear-out) adapt operating procedures (e.g. allowed temperature range) perform design reviews monitor problem areas during testing, check-out and use exclude liability for identified problem areas 2011 June HK&BE 11

FMEA: Steps (1) 1) Break down the system into components. 2) Identify the functional structure of the system and how the components contribute to functions. f1 f2 f3 f4 f5 f6 f7 2011 June HK&BE 12

FMEA: Steps (2) 3) Define failure modes of each component new components: refer to similar already used components commonly used components: base on experience and measurements complex components: break down in subcomponents and derive failure mode of component by FMEA on known subcomponents other: use common sense, deduce possible failures from functions and physical parameters typical of the component operation 4) Perform analysis for each failure mode of each component and record results in table: component name/id function failure mode failure cause failure effect local global failure detection other provision remark 2011 June HK&BE 13

Example (Generic) Failure Modes - fails to remain (in position) - fails to open - fails to close - fails if open - fails if closed - restricted flow - fails out of tolerance (high) - fails out of tolerance (low) - inadvertent operation - intermittent operation - premature operation - delayed operation - false actuation - fails to stop - fails to start - fails to switch - erroneous input (increased) - erroneous input (decreased) - erroneous output (increased) - erroneous output (decreased) - loss of input - loss of output - erroneous indication - leakage 2011 June HK&BE 14

Other FMEA Table Entries Failure cause: Why is it that the component fails in this specific way? To identify failure causes is important to - estimate probability of occurrence - uncover secondary effects - devise corrective actions Local failure effect: Effect on the system element under consideration (e.g. on the output of the analyzed component). In certain instances there may not be a local effect beyond the failure mode itself. Global failure effect: Effect on the highest considered system level. The end effect might be the result of multiple failures occurring as a consequence of each other. Failure detection: Methods to detect the component failure that should be used. Other provisions: Design features might be introduced that prevent or reduce the effect of the failure mode (e.g. redundancy, alarm devices, operating restrictions). 2011 June HK&BE 15

Common Mode Failures (CMF) In FMEA all failures are analyzed independent of each other. Common mode failures are related failures that can occur due to a single source such as design error, wrong operation conditions, human error etc. failure mode x no problem common source & serious consequence failure mode y no problem Example: Failure of power supply common to redundant units causes both redundant units to fail at the same time. 2011 June HK&BE 16

Example: Differential Pressure Transmitter (1) Functionality: Measure difference in pressures p1 p2. diaphragm pressure p1 pressure p2 coil with inductivity L1 i1(t) iron core i2(t) coil with inductivity L2 u1(t) u2(t) p1 p2 = f1 (inductivity L1, temperature T, static pressure p) p1 p2 = f2 (inductivity L2, temperature T, static pressure p) 2011 June HK&BE 17

Example: Differential Pressure Transmitter (2) acquisition of sensor inputs sensor data preparation sensor data processing output data generation p 1 L 1 p 2 L 2 p static different failure effects processing 1 processing 2 watchdog = safe output (e.g. upscale) Temp sens Temp elec checking (limits, consistency) = A/D conversion power supply controlled current generator output current generator 4..20 ma 2011 June HK&BE 18

FMEA for Pressure Transmitter I D - N r F u n c t i o n F a i l u r e M o d e L o c a l E f f e c t D e t e c t i o n M e c h a n i s m F a i l u r e H a n d l i n g G l o b a l E f f e c t C o m m e n t s 1. 1. 1 p 1 m e a s u r e - m e n t o u t o f f a i l - s a f e a c c u r a c y r a n g e p r e s s u r e i n p u t v i a L 1 w r o n g l i m i t c h e c k a n d c o n s i s t e n c y c h e c k ( c o m p a r i s o n w i t h p 2 ) i n s o f t w a r e o f s e n s o r d a t a p r o c e s s i n g g o t o s a f e s t a t e o u t p u t d r i v e n t o u p / d o w n s c a l e d i a p h r a g m f a i l u r e ( b o t h p 1 a n d p 2 w r o n g ) d e t e c t e d b y c o m p a r i s o n w i t h p s t a t i c, r e q u i r e s t h a t s e p a r a t e s e n s o r i s u s e d f o r p s t a t i c 1. 1. 2 w r o n g b u t w i t h i n f a i l - s a f e a c c u r a c y r a n g e p r e s s u r e i n p u t v i a L 1 s l i g h t l y w r o n g c o n s i s t e n c y c h e c k ( c o m p. w i t h p 2 ), d e t e c t i o n o f s m a l l f a i l u r e s n o t g u a r a n t e e d ( a l l o w e d d i f f e r e n c e p 1 - p 2 ) n o t a p p l i c a b l e ( n / a ) o u t p u t v a l u e s l i g h t l y w r o n g, b u t w i t h i n f a i l - s a f e a c c u r a c y r a n g e 1. 2. 1 p 2 m e a s u r e - m e n t o u t o f f a i l - s a f e a c c u r a c y r a n g e p r e s s u r e i n p u t v i a L 2 w r o n g l i m i t c h e c k a n d c o n s i s t e n c y c h e c k ( c o m p a r i s o n w i t h p 1 ) i n s o f t w a r e o f s e n s o r d a t a p r o c e s s i n g g o t o s a f e s t a t e o u t p u t d r i v e n t o u p / d o w n s c a l e 1. 2. 2 w r o n g b u t w i t h i n f a i l - s a f e a c c u r a c y r a n g e p r e s s u r e i n p u t v i a L 2 s l i g h t l y w r o n g continue on your own... c o n s i s t e n c y c h e c k ( c o m p. w i t h p 1 ), d e t e c t i o n o f s m a l l f a i l u r e s n o t g u a r a n t e e d ( a l l o w e d d i f f e r e n c e p 1 - p 2 ) n / a o u t p u t v a l u e s l i g h t l y w r o n g, b u t w i t h i n f a i l - s a f e a c c u r a c y r a n g e 2011 June HK&BE 19

Fault Tree Analysis (FTA) In contrast to FMEA (which is inductive, bottom-up), FTA is deductive (top-down). FMEA failures of system FTA system state to avoid failure modes of components possible causes of the state The main problem with both FMEA and FTA is to not forget anything important. Doing both FMEA and FTA may help to become more complete (2 different views). 2011 June HK&BE 20

Example Fault Tree Analysis coffee machine burns 1 empty tank heat on & heater can t be stopped undeveloped event: analyzed elsewhere heater short circuit basic event: not further developed 2011 June HK&BE 21

IEC 60300 Dependability management IEC 60204 Safety of machinery Standards for safety IEC 61508 (VDE 0801) Functional safety of E/E/PES safety related systems International standard (7 parts) IEC 61511 Functional safety of E/E/PES safety related systems Functional safety: safety instrumented systems for the process industry sector IEC 61784- Safety communication in field busses IEC 62061 Safety of machinery - functional safety Electrical, electronic and programmable electronic control systems ISO/IEC 13849 (EN 954) IEC 62278 RAMS in railways Safety of machinery Safety-related parts of control systems IEC 62279 system issues on the widest scale EN 50126 (VDE 0115) Railways applications - Specification and demonstration of reliability, availability, maintainability and safety (RAMS) general guidelines EN 50129 Railways applications - Safety-related electronic systems for signaling EN 50128 Railways applications - Software for railway control and protection systems EN 50159 Requirements for safety-related communication in closed/open transmission systems (VDE 0116) Elektrische Ausrüstung von Feuerungsanlagen IEC 880 Software for computers in the safety systems of nuclear power stations 2011 June HK&BE 22

Safety Issues How to demonstrate that a plant operation is safe? How to demonstrate that the equipment is safe? How to demonstrate that the safety and protective systems protect against hazards? => By demonstrating the compliance with Industry Safety Standards 2011 June HK&BE 23

Functional Safety Standard IEC61508 Generic Standard supported by many sectors Guidance on use of Electrical, Electronic and Programmable Electronic System which perform safety functions Consider the entire safety critical loop Comprehensive approach involving concepts of Safety Lifecyle and all elements of protective system Risk-based approach leading to determination of Safety Integrity Levels (SIL) 2011 June HK&BE 24

Applications Sector Standards IEC61523 Nuclear Sector IEC61508 IEC61511 Process Sector IEC62061 Machinery Sector 2011 June HK&BE 25

Cradle-to-grave reliability (IEC 61508) 1 2 3 4 5 concept overall scope definition hazard and risk analysis overall safety requirements safety requirements allocation overall 6 operation and safety installation and 9 7 8 maintenance planning overall planning overall validation planning overall commissioning planning safety-related systems: E/E/PES realisation 10 safety-related systems: other technology realisation 11 external risk reduction facilities realisation 12 overall installation and commissioning 13 overall safety validation 14 overall operation, maintenance and repair 15 overall modifications and retrofit 16 decommissioning and disposal 2011 June HK&BE 26

IEC standard 61508 for safety-related systems Specifies four safety integrity levels, or SILs (with specified max. failure rates): safety integrity level control systems [per hour] protection systems [per operation] 4 10-9 to < 10-8 10-5 to < 10-4 3 10-8 to < 10-7 10-4 to < 10-3 2 10-7 to < 10-6 10-3 to < 10-2 1 10-6 to < 10-5 10-2 to < 10-1 most safety-critical systems (e.g. railway signalling) < 1 failure every 10 000 years For each of the safety integrity levels it specifies requirements. 2011 June HK&BE 27

Methods for SIL Determination Safety Layer Matrix Risk Graphs Layer of Protection Analysis For each initiating cause, calculate which layers provide protection Fault Tree Analysis 2011 June HK&BE 28

Risk Graph 2011 June HK&BE 29

Software safety integrity and the development lifecycle (V-model) 2011 June HK&BE 30

2011 June HK&BE 31

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback