1 | A 2-Hours Course In Gas Detection | Dr. Wolfgang Jessel | 08.10.2008
A 2-Hours Course In Gas Detection
PART 4 – Gas Detection Systems and Functional Safety
Lübeck, 9.10.2008
Dr. Wolfgang Jessel
Slide 2 – Safety System: Considering a single channel safety system

Sensor/Transmitter → Controller System → Actuator

SE - Sensing element: The gas detection transmitter detects the potentially dangerous condition.
LS - Logic Solver: The controller reacts to the potentially dangerous condition and activates countermeasures.
FE - Final Element: The activated solenoid valve averts the dangerous condition by closing the gas pipe reliably.

But - what is the probability that, in case of a need, the gas detection system will fail to activate the safety function?
Slide 3 – Electronic Systems: Failures Are Everywhere

Any electric, electronic or programmable electronic system (E/E/PES) might have failures.
Failures which cause the safety function to fail are called dangerous.
Most of the hardware failures, however, are not dangerous, or are at least detectable.
Detectable failures, dangerous or not, can force the safety system into the safe state.
Problem: What about failures that are dangerous and cannot be detected?
If a dangerous undetectable failure occurs, the safety system will not respond to a demand: it is not able to perform the safety function, and we are not even aware of it!
What is the probability that this will happen? Probability of Failure on Demand - PFD
Slide 4 – Reliability: Failures

As failures may occur seldom, but anytime and anywhere, a safety system needs to be designed and operated such that
failure avoidance: failures are avoided;
failure detection: if they cannot be avoided, they at least must be detectable;
failure tolerance: and/or the system must be immune to these failures.
How to do this?
Slide 5 – Reliability: Failures and Failure Types

The reliability of electronics depends on failures:
systematic failures in hardware and system configuration
systematic failures in the system's controlling software
accidental failures of the hardware
wear-out failures of the hardware
Systematic failures can widely be excluded by a safety-orientated development.
Accidental failures are a typical statistical property of electronic components. Their occurrence can statistically be described by failure rates λ.
Wear-out failures must be excluded by preventive maintenance and periodic renewal. Wear-out failures (consumables) are not considered in the safety integrity assessment.
Slide 6 – Safe and Dangerous Failures: The DU-Failure

Failure types by effect and detectability:
              | Detectable | Undetectable
Safe (S)      | SD         | SU
Dangerous (D) | DD         | DU

Depending on the kind of evaluation, safe and detectable failures can force a safety related system to go into the safe state.
The Dangerous Undetectable failure (failure rate λDU) is the main focus of the SIL consideration.

Examples:
SD: Signal cable to transmitter cut, signal is 0 mA, central controller detects it: Safe!
SU: Output transistor becomes defective, signal 20 mA, central controller triggers (maintaining) gas alarm: Safe!
DD: Dangerous RAM failure, detected during the automatic cyclic RAM test, controller detects the failure: Safe!
DU: Loss of measuring function without indication: Unsafe – dangerous!
Slide 7 – System Failures: How System Safety Is Affected

[Figure: three timelines of the system state (safe / fail) over time t]
Timeline 1: a safe failure occurs, the system however remains safe.
Timeline 2: a DD-failure occurs but is detected; the DD-failure is repaired within MTTR. A DD-failure must be repaired promptly after detection. MTTR = Mean Time To Restore (mostly 8 hours).
Timeline 3: a DU-failure occurs: no safety! The DU-failure is revealed during the test (test interval TP) and then repaired (MTTR). Organisational measures!
Slide 8 – System Failures: The Probability of Failure on Demand

[Figure: timeline of a DU-failure that occurs, is revealed during the test (test interval TP) and is repaired (MTTR)]
A periodically performed system test (safety check with proof test interval TP) is intended to reveal undetected failures!
The statistical mean of the system's down-time is half the test interval TP.
The probability that in case of demand the safety function cannot be performed because of a dangerous undetected failure is
$PFD_{avg} = \tfrac{1}{2}\,\lambda_{DU}\,T_P$
PFDavg is the Average Probability of Failure on Demand, the mean probability that the system will fail just at the time when being required.
Slide 9 – Probability of Failure ... on Demand

Failure means: In case of demand the safety related system cannot perform the required safety function.
Demand means: Protection systems such as gas detection systems are continuously monitoring systems, but rarely needed to perform safety functions (operating mode acc. to EN 61508: "Low Demand Mode").
Rule of thumb: low demand is once a year.
The dangerous probability of failure on demand can be calculated:
Example: $\lambda_{DU} = 10^{-6}\,\mathrm{h}^{-1}$ (1 failure in 114 years), $T_P = 8760\,\mathrm{h}$ (proof test yearly)
$PFD_{avg} = \tfrac{1}{2}\,\lambda_{DU}\,T_P = 0.5 \cdot 10^{-6} \cdot 8760 = 0.00438$
Slide 10 – Safety System: SIL-Rating by Using the PFDs of Subsystems

The PFD of the system is obtained by adding the individual PFDs of the subsystems sensor with interface, evaluating system and actuator with interface:
Sensor/Transmitter: PFD1 → Controller System: PFD2 → Actuator: PFD3
PFDsystem = PFD1 + PFD2 + PFD3
If PFDsystem < 0.01, then this is sufficient for Safety Integrity Level 2 - SIL 2.
The target is to make sure that the PFD of the SIS is sufficiently low to achieve the required SIL.
Slide 11 – Reliability: PFD and Safety Integrity Level SIL

The PFDavg is the most important criterion in the safety assessment and reliability study of a system.

Safety Integrity Level (EN 61 508) | Average probability not to perform the safety function on demand, PFDavg | System fails once of ... demands
SIL 1 | 0.01 to < 0.1       | 11 to 100
SIL 2 | 0.001 to < 0.01     | 101 to 1000
SIL 3 | 0.0001 to < 0.001   | 1001 to 10 000
SIL 4 | 0.00001 to < 0.0001 | 10 001 to 100 000

When requiring a certain Safety Integrity Level SIL for a safety system, the PFDavg must not exceed a given value:
Example: For SIL 2 the safety system's PFDavg must be less than 0.01.
Slide 12 – Subsystems: The Safe Failure Fraction SFF

A Safety Instrumented System (SIS) consists of the following subsystems: Sensor/Transmitter, Controller System, Actuator.
For each of these subsystems a FMEDA (Failure Mode, Effects, and Diagnostic Analysis) can be made, resulting especially in the failure rates of the several failure types: λSD, λSU, λDD and λDU.
These failure rates are necessary to calculate the share of the dangerous undetected failure in proportion to the total failure rate. The complement of that share is the so-called Safe Failure Fraction, calculated as
$SFF = \dfrac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}}$
Slide 13 – Hardware Failure Tolerance: The Single Channel System

Type A: simple device with failure mode of all constituent components well defined and behaviour under fault conditions completely determined. Example: relays, relay modules, Polytron channel module.
Type B: complex device with failure mode of at least one constituent component not well defined or behaviour under fault conditions not completely determined. Example: transmitters, digital controllers, etc.

Single channel system (1oo1), Type A:
SFF          | achievable SIL
< 60%        | SIL 1
60% to < 90% | SIL 2
90% to < 99% | SIL 3
≥ 99%        | SIL 3

Single channel system (1oo1), Type B:
SFF          | achievable SIL
< 60%        | not allowed
60% to < 90% | SIL 1
90% to < 99% | SIL 2
≥ 99%        | SIL 3
Slide 14 – Hardware Failure Tolerance: Different System Architectures

Type A, achievable SIL by architecture:
SFF          | 1oo1  | 1oo2  | 1oo3
< 60%        | SIL 1 | SIL 2 | SIL 3
60% to < 90% | SIL 2 | SIL 3 | SIL 4
90% to < 99% | SIL 3 | SIL 4 | SIL 4
≥ 99%        | SIL 3 | SIL 4 | SIL 4

Type B, achievable SIL by architecture:
SFF          | 1oo1  | 1oo2  | 1oo3
< 60%        | *)    | SIL 1 | SIL 2
60% to < 90% | SIL 1 | SIL 2 | SIL 3
90% to < 99% | SIL 2 | SIL 3 | SIL 4
≥ 99%        | SIL 3 | SIL 4 | SIL 4
*) not allowed
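The SFF formula of slide 12 and the architectural-constraint tables of slides 13 and 14, worked as an added example (not code from the course or from any FMEDA tool): `safe_failure_fraction`, `max_sil_by_architecture` and `meets_architectural_constraint` are names chosen here, the sample failure rates are constructed, and the SIL tables are transcribed from the slides above.

```python
from dataclasses import dataclass


@dataclass
class FailureRates:
    """FMEDA failure rates in failures per hour: the course's λSD, λSU, λDD, λDU."""
    sd: float
    su: float
    dd: float
    du: float


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU), returned as a fraction of 1."""
    safe_or_detected = r.sd + r.su + r.dd
    return safe_or_detected / (safe_or_detected + r.du)


# SFF band edges: < 60 %, 60 % to < 90 %, 90 % to < 99 %, >= 99 % (band indices 0..3).
SFF_BAND_EDGES = (0.60, 0.90, 0.99)

# Achievable SIL per (device type, SFF band, HFT), transcribed from the slides' tables;
# the three columns are HFT 0/1/2, i.e. 1oo1/1oo2/1oo3. None means "not allowed".
MAX_SIL = {
    "A": ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)),
    "B": ((None, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)),
}


def sff_band(sff: float) -> int:
    """Band index of an SFF given as a fraction (0.9088 for 90.88 %)."""
    return sum(sff >= edge for edge in SFF_BAND_EDGES)


def max_sil_by_architecture(device_type: str, sff: float, hft: int):
    """Highest SIL the architectural constraints allow, or None if the combination
    is not permitted at all (Type B with SFF < 60 % in a 1oo1 architecture)."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2 (1oo1, 1oo2, 1oo3)")
    return MAX_SIL[device_type.upper()][sff_band(sff)][hft]


def meets_architectural_constraint(device_type: str, sff: float, hft: int, target_sil: int) -> bool:
    """True if a subsystem of this type, SFF and HFT may be used for target_sil."""
    allowed = max_sil_by_architecture(device_type, sff, hft)
    return allowed is not None and allowed >= target_sil


if __name__ == "__main__":
    # Constructed sample rates (not from a real FMEDA); only their ratio matters for the SFF.
    rates = FailureRates(sd=3.0e-7, su=1.0e-7, dd=5.5e-7, du=5.0e-8)
    sff = safe_failure_fraction(rates)  # 0.95, i.e. the 90 % to < 99 % band
    for hft in range(3):
        print(f"SFF {sff:.1%}, Type B, 1oo{hft + 1}: max SIL {max_sil_by_architecture('B', sff, hft)}")
```

Run against the transmitter table on slide 18, the check reproduces the listed SIL-C of a Type B 1oo1 device with SFF 64.88 % (SIL 1 only) and with SFF 90.88 % (SIL 2).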
Slide 15 – Redundant Safety System: HFT = 0 – No Channel Allowed to Fail
1 out of 1 (1oo1) to activate the safety function

Slide 16 – Redundant Safety System: HFT = 1 – One Channel Allowed to Fail
1 out of 2 (1oo2) to activate the safety function

Slide 17 – Redundant Safety System: HFT = 2 – Two Channels Allowed to Fail
1 out of 3 (1oo3) to activate the safety function
Slide 18 – Dräger Gas Detection Transmitters: SIL Capabilities

Transmitter | SIL-C | Type | SFF | λDU | PFDavg | Assessment by ... | Performance appr.
Polytron Pulsar 4/60 m | 2 | B | 92.0 % | 1.08E-07 h-1 | 0.000475 | Exida GmbH | no
Polytron Pulsar 30/120 and 100/200 m | 2 | B | 91.0 % | 1.08E-07 h-1 | 0.000475 | Exida GmbH | no
Polytron IR Typ 334 and Typ 340 | 2 | B | 96.5 % | 2.92E-08 h-1 | 0.000128 | Exida GmbH | yes
Polytron 7000 with pump- and relay-module | 2 | B | 95.91 % | 4.10E-07 h-1 | 0.00179 | Exida GmbH | yes
Polytron 7000 with relay-module | 2 | B | 90.43 % | 3.42E-07 h-1 | 0.00150 | Exida GmbH | yes
Polytron 7000 with pump module | 2 | B | 95.99 % | 4.18E-07 h-1 | 0.00183 | Exida GmbH | yes
Polytron 7000 | 2 | B | 90.88 % | 3.57E-07 h-1 | 0.00156 | Exida GmbH | yes
Polytron 3000 with EC-Sensor | 1 | B | 64.88 % | 4.43E-07 h-1 | 0.00194 | Dräger, with Exida FMEDA-Tool | no
Polytron Ex and Ex R with Ex-Sensor PR M | 2 | A | 91.5 % | 1.20E-07 h-1 | 0.000526 | Dräger, with Exida FMEDA-Tool | yes
PEX 3000 with Ex-Sensor PR M | 2 | B | 90.4 % | 1.27E-07 h-1 | 0.000556 | Dräger, with Exida FMEDA-Tool | yes
Dräger PIR 7000 / 7200 | 2 | B | 94.99 % | 4.70E-08 h-1 | 0.000204 | Exida GmbH, certified by TÜV | yes
Slide 19 – Probability of Failure on Demand: An Applied Example

Sensor/Transmitter: λDU = 5.71·10⁻⁷ h⁻¹, TP = 4380 h (6-monthly)
PFD1 = 0.5·4380·5.71·10⁻⁷ = 0.00125
Controller System: λDU = 4.06·10⁻⁶ h⁻¹, TP = 4380 h (6-monthly)
PFD2 = 0.5·4380·4.06·10⁻⁶ = 0.0089
Actuator (Shut-Down Relay): λDU = 2.25·10⁻⁶ h⁻¹, TP = 4380 h (6-monthly)
PFD3 = 0.5·4380·2.25·10⁻⁶ = 0.00493
PFDsystem = 0.00125 + 0.0089 + 0.00493 = 0.01508 > 0.01 → not SIL 2
Reducing the proof test interval TP to 3 months (2190 hours):
PFDsystem = 0.000625 + 0.00445 + 0.00247 = 0.007545 < 0.01 → yes, SIL 2
Provided that the SFFs are above 90% for type B and above 60% for type A!
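The PFD formula of slide 8, the subsystem summation of slide 10 and the SIL bands of slide 11, applied to the failure rates of this applied example, as an added example (not code from the course). It also goes one step beyond the slide's trial with 3 months and solves the formula for the longest common proof test interval that still keeps PFDsystem below a limit; function names and the 0/1/h inputs are assumptions made here.

```python
# Course formula PFDavg = 1/2 * λDU * TP per subsystem, summed over the
# sensor/transmitter, controller and actuator subsystems (low demand mode).

# EN 61508 low demand bands as given on slide 11: (lower bound of PFDavg, SIL).
SIL_BANDS = ((0.01, 1), (0.001, 2), (0.0001, 3), (0.00001, 4))


def pfd_avg(lambda_du: float, tp_hours: float) -> float:
    """Average PFD of one subsystem: λDU in failures per hour, proof test interval TP in hours."""
    return 0.5 * lambda_du * tp_hours


def pfd_system(lambda_dus, tp_hours: float) -> float:
    """PFDsystem = PFD1 + PFD2 + PFD3 for subsystems that share one proof test interval."""
    return sum(pfd_avg(l, tp_hours) for l in lambda_dus)


def sil_from_pfd(pfd: float) -> int:
    """SIL band (1..4) of a PFDavg in low demand mode; 0 means 0.1 or above, i.e. below SIL 1.
    Values below 0.00001 are reported as SIL 4, the top of the table."""
    if pfd >= 0.1:
        return 0
    for lower, level in SIL_BANDS:
        if pfd >= lower:
            return level
    return 4


def max_proof_test_interval(lambda_dus, pfd_limit: float) -> float:
    """Largest common TP (hours) that keeps PFDsystem below pfd_limit:
    1/2 * TP * sum(λDU) < pfd_limit  =>  TP < 2 * pfd_limit / sum(λDU)."""
    return 2.0 * pfd_limit / sum(lambda_dus)


if __name__ == "__main__":
    # λDU values of the course's applied example: transmitter, controller, shut-down relay.
    rates = [5.71e-7, 4.06e-6, 2.25e-6]
    for tp in (4380, 2190):  # 6-monthly and 3-monthly proof test
        p = pfd_system(rates, tp)
        print(f"TP = {tp} h: PFDsystem = {p:.5f} -> SIL {sil_from_pfd(p)}")
    print(f"SIL 2 needs TP < {max_proof_test_interval(rates, 0.01):.0f} h")
```

The summed values differ from the slide's in the last digit because the slide rounds each subsystem PFD before adding.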
Slide 20 – Polytron 7000: SIL Capability

FMEDA by Exida GmbH
λDU = 3.57·10⁻⁷ h⁻¹
SFF = 90.88%
PFD = 1.56·10⁻³ at TP = 1 year
SIL2-Budget: 15.6%

Device | PFD (TP = 1 year)
Transmitter 4-20 mA | 0.00156
Transmitter 4-20 mA, with pump | 0.00183
Transmitter without 4-20 mA, with relay output | 0.00150
Transmitter without 4-20 mA, with relay output and pump | 0.00179

Even at yearly maintenance the average PFD values are considerably lower than 0.01.
VERY SUITABLE for SIL2-applications, with sufficient margin for the further safety relevant devices needed for the complete system.
Slide 21 – Pulsar: SIL Capability

FMEDA by Exida GmbH
λDU = 1.09·10⁻⁷ h⁻¹
SFF = 91.9%
PFD = 4.75·10⁻⁴ at TP = 1 year
SIL2-Budget: 4.8%
Even at yearly maintenance the average PFD values are considerably lower than 0.01.
VERY SUITABLE for SIL2-applications, with sufficient margin for the further safety relevant devices needed for the complete system.
Slide 22 – Polytron IR: SIL Capability

FMEDA by Exida GmbH
λDU = 2.92·10⁻⁸ h⁻¹
SFF = 96.5%
PFD = 1.28·10⁻⁴ at TP = 1 year
SIL2-Budget: 1.3%
Even at yearly maintenance the average PFD values are considerably lower than 0.01.
VERY SUITABLE for SIL2-applications, with sufficient margin for the further safety relevant devices needed for the complete system.
Slide 23 – Dräger PIR 7000 / 7200: SIL Capability and Certificate

FMEDA by Exida GmbH
λDU = 4.7·10⁻⁸ h⁻¹
SFF = 94.9%
PFD = 2.04·10⁻⁴ at TP = 1 year
SIL2-Budget: 2%
Even at yearly maintenance the average PFD values are considerably lower than 0.01.
VERY SUITABLE for SIL2-applications, with sufficient margin for the further safety relevant devices needed for the complete system.
Slide 25 – Gas Detection Systems: Responsibility of the Customer

The SIL standard does not consider consumables, so the periodic maintenance (proof test interval TP) is addressed to electrics and electronics. Consumables must be renewed (preventive replacement).
Electrochemical and catalytic sensors, e.g., have to be tested according to the manufacturer's recommendations or, considering the actual requirements, in reduced intervals, to ensure the measuring function including alarm triggering, and that the target gas can freely penetrate into the sensor.
The manufacturer not only issues the declaration of SIL conformity but also safety instructions, which e.g. also describe the scope of periodic proof tests.
The customer must establish organisational measures so that during the entire operational time of the safety related system all the safety relevant requirements are met, especially:
Periodic maintenance and function tests
Management concerning replacement parts
Modifications of the safety system
Commissioning and decommissioning
Safety for the whole life cycle!
Slide 26 – Summary: What Did We Learn?

Electronics may have failures – only undetectable dangerous failures cause problems.
By periodic proof tests a safety system can be virtually renewed.
The average PFD can be calculated for subsystems and complete safety systems.
The PFD must be lower than a given limit for a given SIL.
The Safe Failure Fraction can be calculated and must be higher than a given percentage for a given SIL, depending on the type of subsystem and the HFT.
Complete operation from commissioning to decommissioning needs to fulfil special safety requirements depending on the Safety Integrity Level.
Safety for the whole Life Cycle!