Industrial Automation Automation Industrielle Industrielle Automation

9.6

Safety analysis and standards Analyse de scurit et normes Sicherheitsanalyse und Normen

Prof Dr. Hubert Kirrmann & Dr. B. Eschermann ABB Research Center, Baden, Switzerland
2006 June HK&BE

Overview Dependability Analysis

9.6.1 Qualitative Evaluation Failure Mode and Effects Analysis (FMEA) Fault Tree Analysis (FTA) Example: Differential pressure transmitter 9.6.2 Quantitative Evaluation Combinational Evaluation Markov Chains Example: Bus-bar Protection 9.6.3 Dependability Standards and Certification Standardization Agencies Standards

EPFL - Industrial Automation

2006 June HK&BE

9.6 Dependability Analysis

Failure Mode and Effects Analysis (FMEA)

Analysis method to identify component failures which have significant consequences affecting the system operation in the application considered. identify faults (component failures) that lead to system failures.

effect on system ?

component 1

component n

failure mode 1

failure mode k

failure mode 1

failure mode k

FMEA is inductive (bottom-up).

EPFL - Industrial Automation
2006 June HK&BE

9.6 Dependability Analysis

Example: tea dispenser cold water The controller fills the tank up to the high water mark given by sensor L. it then heats the liquid until the desired temperature Tsol (entered by a potentiometer). When the user presses the button, it opens the exit valve and fills a volume of water given by the aperture time.

S1

Tis

S2 L
100 W

heater
B

SW
220 V~ Tsol What is the consequence of the failure of each of these elements: -on the availability ? -on the safety ? (flooding, burning.)

EPFL - Industrial Automation

2006 June HK&BE

9.6 Dependability Analysis

FMEA: Tea dispenser example

component inlet valve outlet valve temperature sensor button level indicator

failure mode closed open closed open stuck on high stuck on low closed open stuck on high stuck on low

effect on system no production flooding no production flooding cold water burning flooding no production burning flooding

EPFL - Industrial Automation

2006 June HK&BE

9.6 Dependability Analysis

FMEA: Purpose (overall)

There are different reasons why an FMEA can be performed: Evaluation of effects and sequences of events caused by each identified item failure mode ( get to know the system better) Determination of the significance or criticality of each failure mode as to the systems correct function or performance and the impact on the availability and/or safety of the related process ( identify weak spots) Classification of identified failure modes according to their detectability, diagnosability, testability, item replaceability and operating provisions (tests, repair, maintenance, logistics etc.) ( take the necessary precautions) Estimation of measures of the significance and probability of failure ( demonstrate level of availability/safety to user or certification agency)

EPFL - Industrial Automation

2006 June HK&BE

9.6 Dependability Analysis

FMEA: Critical decisions

Depending on the exact purpose of the analysis, several decisions have to be made: For what purpose is it performed (find weak spots demonstrate safety to certification agency, demonstrate safety compute availability) When is the analysis performed (e.g. before after detailed design)? What is the system (highest level considered), where are the boundaries to the external world (that is assumed fault-free)? Which components are analyzed (lowest level considered)? Which failure modes are considered (electrical, mechanical, hydraulic, design faults, human/operation errors)? Are secondary and higher-order effects considered (i.e. one fault causing a second fault which then causes a system failure etc.)? By whom is the analysis performed (designer, who knows system best third party, which is unbiased and brings in an independent view)?

EPFL - Industrial Automation

2006 June HK&BE

9.6 Dependability Analysis

FMEA and FMECA

FMEA only provides qualitative analysis (cause effect chain). FMECA (failure mode, effects and criticality analysis) also provides (limited) quantitative information. each basic failure mode is assigned a failure probability and a failure criticality if based on the result of the FMECA the system is to be improved (to make it more dependable) the failure modes with the highest probability leading to failures with the highest criticality are considered first. Coffee machine example: If the coffee machine is damaged, this is more critical than if the coffee machine is OK and no coffee can be produced temporarily If the water has to be refilled every 20 cups and the coffee has to be refilled every 2 cups, the failure mode coffee bean container too full is more probable than water tank too full.

EPFL - Industrial Automation

2006 June HK&BE

9.6 Dependability Analysis

Criticality Grid

Criticality levels

II

III

IV

very low

low

medium

high

Probability of failure

EPFL - Industrial Automation

2006 June HK&BE

9.6 Dependability Analysis

Failure Criticalities

IV: Any event which could potentially cause the loss of primary system function(s) resulting in significant damage to the system or its environment and causes the loss of life III: Any event which could potentially cause the loss of primary system function(s) resulting in significant damage to the system or its environment and negligible hazards to life II: Any event which degrades system performance function(s) without appreciable damage to either system, environment or lives I: Any event which could cause degradation of system performance function(s) resulting in negligible damage to either system or environment and no damage to life

EPFL - Industrial Automation

2006 June HK&BE

10

9.6 Dependability Analysis

FMEA/FMECA: Result

Depending on the result of the FMEA/FMECA, it may be necessary to: change design, introduce redundancy, reconfiguration, recovery etc. introduce tests, diagnoses, preventive maintenance focus quality assurance, inspections etc. on key areas select alternative materials, components change operating conditions (e.g. duty cycles to anticipate/avoid wear-out) adapt operating procedures (e.g. allowed temperature range) perform design reviews monitor problem areas during testing, check-out and use exclude liability for identified problem areas

EPFL - Industrial Automation

2006 June HK&BE

11

9.6 Dependability Analysis

FMEA: Steps (1)

1) Break down the system into components.

2) Identify the functional structure of the system and how the components contribute to functions.

f1
EPFL - Industrial Automation

f2

f3

f4
12

f5

f6

f7
9.6 Dependability Analysis

2006 June HK&BE

FMEA: Steps (2)

3) Define failure modes of each component new components: refer to similar already used components commonly used components: base on experience and measurements complex components: break down in subcomponents and derive failure mode of component by FMEA on known subcomponents other: use common sense, deduce possible failures from functions and physical parameters typical of the component operation 4) Perform analysis for each failure mode of each component and record results in table: component function name/ID failure mode failure cause failure effect local global failure other detection provision remark

EPFL - Industrial Automation

2006 June HK&BE

13

9.6 Dependability Analysis

Example (Generic) Failure Modes

- fails to remain (in position) - fails to open - fails to close

- false actuation - fails to stop - fails to start - fails to switch - erroneous input (increased) - erroneous input (decreased)

- fails if open
- fails if closed - restricted flow - fails out of tolerance (high) - fails out of tolerance (low) - inadvertent operation - intermittent operation

- erroneous output (increased)

- erroneous output (decreased) - loss of input - loss of output - erroneous indication - leakage

- premature operation
- delayed operation
EPFL - Industrial Automation

2006 June HK&BE

14

9.6 Dependability Analysis

Other FMEA Table Entries

Failure cause: Why is it that the component fails in this specific way? To identify failure causes is important to - estimate probability of occurrence - uncover secondary effects - devise corrective actions Local failure effect: Effect on the system element under consideration (e.g. on the output of the analyzed component). In certain instances there may not be a local effect beyond the failure mode itself. Global failure effect: Effect on the highest considered system level. The end effect might be the result of multiple failures occurring as a consequence of each other. Failure detection: Methods to detect the component failure that should be used. Other provisions: Design features might be introduced that prevent or reduce the effect of the failure mode (e.g. redundancy, alarm devices, operating restrictions).

EPFL - Industrial Automation

2006 June HK&BE

15

9.6 Dependability Analysis

Common Mode Failures (CMF) In FMEA all failures are analyzed independent of each other. Common mode failures are related failures that can occur due to a single source such as design error, wrong operation conditions, human error etc.

failure mode x
common source

no problem

&
failure mode y

serious consequence no problem

Example: Failure of power supply common to redundant units causes both redundant units to fail at the same time.
EPFL - Industrial Automation

2006 June HK&BE

16

9.6 Dependability Analysis

Example: Differential Pressure Transmitter (1)

Functionality: Measure difference in pressures p1 p2. diaphragm pressure p1

coil with inductivity L1

pressure p2
iron core i2(t) coil with inductivity L2

i1(t) u1(t)

u2(t)

p1 p2 = f1 (inductivity L1, temperature T, static pressure p) p1 p2 = f2 (inductivity L2, temperature T, static pressure p)

EPFL - Industrial Automation

2006 June HK&BE

17

9.6 Dependability Analysis

Example: Differential Pressure Transmitter (2)

sensor data preparation sensor data processing output data generation

acquisition of sensor inputs

p1 L1

different failure effects

processing 1 processing 2

watchdog safe output (e.g. upscale)

p2 L2 pstatic Temp sens Temp elec

checking (limits, consistency)

A/D conversion power supply controlled current generator output current generator 4..20 mA

EPFL - Industrial Automation

2006 June HK&BE

18

9.6 Dependability Analysis

FMEA for Pressure Transmitter

I D - N r F un c t i o n 1. 1. 1 p1 meas uremen t F a i l ure M o de o ut o f fai l s afe accuracy ran g e Lo c a l Ef f e c t p res s ure i n p ut v i a L1 wro n g De t e c t i o n Me c h an i s m l i mi t ch eck an d co n s i s t en cy ch eck (co mp ari s o n wi t h p 2 ) i n s o ft ware o f s en s o r dat a p ro ces s i n g co n s i s t en cy ch eck (co mp . wi t h p 2 ), det ect i o n o f s mal l fai l ures n o t g uaran t eed (al l o wed di fferen ce p 1 p2) l i mi t ch eck an d co n s i s t en cy ch eck (co mp ari s o n wi t h p 1 ) i n s o ft ware o f s en s o r dat a p ro ces s i n g co n s i s t en cy ch eck (co mp . wi t h p 1 ), det ect i o n o f s mal l fai l ures n o t g uaran t eed (al l o wed di fferen ce p 1 p2) F a i l ure Ha n dl i n g g o t o s afe s t at e Gl o b a l Ef f e c t o ut p ut dri v en t o up / do wn s cal e Co mme n t s di ap h rag m fai l ure (b o t h p 1 an d p 2 wro n g ) det ect ed b y co mp ari s o n wi t h p s t at i c, requi res t h at s ep arat e s en s o r i s us ed fo r p s t at i c

1. 1. 2

wro n g b ut p res s ure i n p ut v i a wi t h i n fai l - L1 s l i g h t l y wro n g s afe accuracy ran g e p2 meas uremen t o ut o f fai l s afe accuracy ran g e p res s ure i n p ut v i a L2 wro n g

n o t ap p l i cab l e (n / a)

o ut p ut v al ue s l i g h t l y wro n g , b ut wi t h i n fai l s afe accuracy ran g e

1. 2. 1

g o t o s afe s t at e

o ut p ut dri v en t o up / do wn s cal e

1. 2. 2

wro n g b ut p res s ure i n p ut v i a wi t h i n fai l - L2 s l i g h t l y wro n g s afe accuracy ran g e

n/a

o ut p ut v al ue s l i g h t l y wro n g , b ut wi t h i n fai l s afe accuracy ran g e

continue on your own ...

EPFL - Industrial Automation
2006 June HK&BE

19

9.6 Dependability Analysis

Fault Tree Analysis (FTA)

In contrast to FMEA (which is inductive, bottom-up), FTA is deductive (top-down). FMEA failures of system FTA system state to avoid

failure modes of components

possible causes of the state

The main problem with both FMEA and FTA is to not forget anything important. Doing both FMEA and FTA may help to become more complete (2 different views).

EPFL - Industrial Automation

2006 June HK&BE

20

9.6 Dependability Analysis

Example Fault Tree Analysis

coffee machine burns

empty tank heat on

heater cant be stopped

heater short circuit

&

undeveloped event: analyzed elsewhere

2006 June HK&BE

basic event: not further developed

EPFL - Industrial Automation

21

9.6 Dependability Analysis

Standards for redundancy

IEC/EN 62061 IEC/EN 61511 Safety of machinery - functional safety Electrical, electronic and programmable electronic control systems Functional safety of E/E/PES safety related systems Functional safety: safety instrumented systems for the process industry sector

IEC 61508 (VDE 0801) Functional safety of E/E/PES safety related systems International standard (7 parts) IEC 60300 Dependability management ISO/IEC 13849 (EN 954) Safety of machinery Safety-related parts of control systems EN 50159 EN 50129 EN 50128 EN 50126 (VDE 0115) Requirements for safety-related communication in closed/open transmission systems Railways applications - Safety-related electronic systems for signaling Railways applications - Software for railway control and protection systems Railways applications - Specification and demonstration of reliability, availability, maintainability and safety (RAMS) general guidelines

(VDE 0116)
DIN V 19250 IEC 880

Elektrische Ausrstung von Feuerungsanlagen

Grundlegende Sicherheitsbetrachtungen fr MSR-Schutzeinrichtungen (wird durch EN 61508 abgelst) Software for computers in the safety systems of nuclear power stations

EPFL - Industrial Automation

2006 June HK&BE

22

9.6 Dependability Analysis

IEC standard 61508 for safety-related systems Specifies four safety integrity levels, or SILs (with specified max. failure rates):

safety integrity level 4 3 2 1

control systems [per hour]

10 10 10 10
-9 -8 -7 -6

protection systems [per operation]

-8 -7 -6 -5

to < 10 to < 10 to < 10 to < 10

10 10 10 10

-5 -4 -3 -2

to < 10 to < 10 to < 10 to < 10

-4 -3 -2 -1

most safety-critical systems (e.g. railway signalling)

< 1 failure every 10 000 years

For each of the safety integrity levels it specifies requirements.

EPFL - Industrial Automation
2006 June HK&BE

23

9.6 Dependability Analysis

Cradle-to-grave reliability (IEC 61508) 1 2 3

concept overall scope definition hazard and risk analysis overall safety requirements safety requirements allocation

4
5
overall planning

overall operation and maintenance planning

overall safety validation planning

overall installation and commissioning planning

safety-related systems: E/E/PES realisation

overall installation and commissioning

10

safety-related systems: other technology

11

external risk reduction facilities

realisation

realisation

12

13
14 16
EPFL - Industrial Automation
2006 June HK&BE

overall safety validation

overall operation, maintenance and repair decommissioning and disposal

15

overall modifications and retrofit

24

9.6 Dependability Analysis

IEC 61508

provides required steps for analysis identifies appropriate assumptions, events and failure modes provides identification rules and symbols

EPFL - Industrial Automation

2006 June HK&BE

25

9.6 Dependability Analysis

Software safety integrity and the development lifecycle (V-model)

EPFL - Industrial Automation

2006 June HK&BE

26

9.6 Dependability Analysis

EPFL - Industrial Automation

2006 June HK&BE

27

9.6 Dependability Analysis