1 | A 2-Hours Course In Gas Detection | Dr. Wolfgang Jessel | 08.10.2008

A 2-Hours Course In Gas Detection

PART 4 – Gas Detection Systems and Functional Safety

Lübeck, 9.10.2008

Dr. Wolfgang Jessel

Slide 2 | Safety System: Considering a single channel safety system

Signal chain: Sensor / Transmitter -> Controller System -> Actuator (diagram labels: Safety Function, Safety Integrity, Safety System)

SE - Sensing element: the gas detection transmitter detects the potentially dangerous condition.

LS - Logic Solver: the controller reacts to the potentially dangerous condition and activates countermeasures.

FE - Final Element: the activated solenoid valve averts the dangerous condition by reliably closing the gas pipe.

But - what is the probability that, in case of a need, the gas detection system will fail to activate the safety function?

Slide 3 | Electronic Systems: Failures Are Everywhere

Any electric, electronic or programmable electronic system (E/E/PES) might have failures.

Failures which cause the safety function to fail are called dangerous.

Most hardware failures, however, are either not dangerous or at least detectable.

Detectable failures, dangerous or not, can force the safety system into the safe state.

Problem: What about failures that are dangerous and cannot be detected?

If a dangerous undetectable failure occurs, the safety system will not respond to a demand: it is not able to perform the safety function, and we are not even aware of it!

What is the probability that this will happen? This is the Probability of Failure on Demand (PFD).

Slide 4 | Reliability: Failures

As failures may occur seldom, but at any time and anywhere, a safety system needs to be designed and operated such that:

Failure avoidance: failures are avoided.

Failure detection: if they cannot be avoided, they at least must be detectable ...

Failure tolerance: ... and / or the system must be immune to these failures.

How to do this?

Slide 5 | Reliability: Failures and Failure Types

The reliability of electronics depends on failures:

systematic failures in hardware and system configuration

systematic failures in the system's controlling software

accidental (random) failures of the hardware

wear-out failures of the hardware

Systematic failures can largely be excluded by a safety-oriented development.

Accidental failures are a typical statistical property of electronic components. Their occurrence can be described statistically by failure rates λ.

Wear-out failures must be excluded by preventive maintenance and periodic renewal. Wear-out failures (consumables) are not considered in the safety integrity assessment.

Slide 6 | Safe and Dangerous Failures: The DU-Failure

Failure classification (first letter: Safe or Dangerous; second letter: Detectable or Undetectable):

|           | Detectable | Undetectable |
| Safe      | SD         | SU           |
| Dangerous | DD         | DU           |

Depending on the kind of evaluation, safe and detectable failures can force a safety related system to go into the safe state.

The Dangerous Undetectable failure (failure rate λDU) is the main focus of the SIL consideration.

Examples:

SD: Signal cable to transmitter cut, signal is 0 mA, central controller detects it: Safe!

SU: Output transistor becomes defective, signal 20 mA, central controller triggers (and maintains) gas alarm: Safe!

DD: Dangerous RAM failure is detected during the automatic cyclic RAM test, controller detects the failure: Safe!

DU: Loss of measuring function without indication: Unsafe – dangerous!

Slide 7 | System Failures: How System Safety Is Affected

Figure: three timelines, each showing the system state (safe / fail) over time t.

1. Safe failure occurs; the system however remains safe.

2. DD-failure occurs but is detected; after MTTR the DD-failure is repaired. A DD-failure must be repaired promptly after detection. MTTR = Mean Time To Restore (mostly 8 hours).

3. DU-failure occurs: no safety! The DU-failure is only revealed during the test (test interval TP) and is then repaired (MTTR). Organisational measures are required!

Slide 8 | System Failures: The Probability of Failure on Demand

Figure: timeline (safe / fail over time t) of a DU-failure; it is revealed during the test (test interval TP) and is then repaired (MTTR).

The statistical mean of the system's down-time is half the test interval: $\tfrac{1}{2}\,T_P$.

A periodically performed system test (safety check with proof test interval TP) is intended to reveal undetected failures!

The probability that in case of demand the safety function cannot be performed because of a dangerous undetected failure is

$PFD_{avg} = \tfrac{1}{2}\,\lambda_{DU}\,T_P$

PFDavg is the Average Probability of Failure on Demand, the mean probability that the system will fail just at the time when it is required.

Slide 9 | Probability of Failure ... on Demand

Failure means: in case of demand the safety related system cannot perform the required safety function.

Demand means: protection systems such as gas detection systems are continuously monitoring systems, but are rarely needed to perform safety functions (operating mode according to EN 61508: "Low Demand Mode").

Rule of thumb: low demand is once a year.

The dangerous probability of failure on demand can be calculated:

$PFD_{avg} = \tfrac{1}{2}\,\lambda_{DU}\,T_P$

Example: λDU = 10^-6 h^-1 (1 failure in 114 years), TP = 8760 h (proof test yearly):

$PFD_{avg} = 0.5 \cdot 10^{-6}\,\mathrm{h}^{-1} \cdot 8760\,\mathrm{h} = 0.00438$

Slide 10 | Safety System: SIL-Rating by Using the PFDs of Subsystems

The PFD of the system is obtained by adding the individual PFDs of the subsystems: sensor with interface (PFD1), evaluating system (PFD2) and actuator with interface (PFD3):

Sensor / Transmitter: PFD1 -> Controller System: PFD2 -> Actuator: PFD3

PFDsystem = PFD1 + PFD2 + PFD3

If PFDsystem < 0.01, this is sufficient for Safety Integrity Level 2 - SIL 2.

The target is to make sure that the PFD of the SIS is sufficiently low to achieve the required SIL.

Slide 11 | Reliability: PFD and Safety Integrity Level SIL

The PFDavg is the most important criterion in the safety assessment and reliability study of a system.

| Safety Integrity Level (EN 61508) | PFDavg (average probability not to perform the safety function on demand) | System fails once in ... demands |
| SIL 1 | 0.01 to < 0.1      | 11 to 100        |
| SIL 2 | 0.001 to < 0.01    | 101 to 1000      |
| SIL 3 | 0.0001 to < 0.001  | 1001 to 10 000   |
| SIL 4 | 0.00001 to < 0.0001 | 10 001 to 100 000 |

When requiring a certain Safety Integrity Level SIL for a safety system, the PFDavg must not exceed a given value.

Example: For SIL 2 the safety system's PFDavg must be less than 0.01.

Slide 12 | Subsystems: The Safe Failure Fraction SFF

A Safety Instrumented System (SIS) consists of the following subsystems: Sensor / Transmitter, Controller System, Actuator.

For each of these subsystems a FMEDA (Failure Mode, Effects, and Diagnostic Analysis) can be made, resulting especially in the failure rates of the several failure types: λSD, λSU, λDD, and λDU.

These failure rates are necessary to relate the dangerous undetected failure rate to the total failure rate. The share of the total failure rate that is not dangerous undetected is the so-called Safe Failure Fraction, calculated as

$SFF = \frac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}}$

Slide 13 | Hardware Failure Tolerance: The Single Channel System

Type A: simple device with the failure modes of all constituent components well defined and the behaviour under fault conditions completely determined. Example: relays, relay modules, Polytron channel module.

Type B: complex device with the failure mode of at least one constituent component not well defined or the behaviour under fault conditions not completely determined. Example: transmitters, digital controllers, etc.

Achievable SIL of a single channel system (1oo1) by Safe Failure Fraction:

| SFF            | Type A, 1oo1 | Type B, 1oo1 |
| < 60 %         | SIL 1        | not allowed  |
| 60 % to < 90 % | SIL 2        | SIL 1        |
| 90 % to < 99 % | SIL 3        | SIL 2        |
| ≥ 99 %         | SIL 3        | SIL 3        |

Slide 14 | Hardware Failure Tolerance: Different System Architectures

Achievable SIL by Safe Failure Fraction and architecture (Type A and Type B as defined on slide 13):

Type A:

| SFF            | 1oo1 (HFT 0) | 1oo2 (HFT 1) | 1oo3 (HFT 2) |
| < 60 %         | SIL 1        | SIL 2        | SIL 3        |
| 60 % to < 90 % | SIL 2        | SIL 3        | SIL 4        |
| 90 % to < 99 % | SIL 3        | SIL 4        | SIL 4        |
| ≥ 99 %         | SIL 3        | SIL 4        | SIL 4        |

Type B:

| SFF            | 1oo1 (HFT 0) | 1oo2 (HFT 1) | 1oo3 (HFT 2) |
| < 60 %         | not allowed  | SIL 1        | SIL 2        |
| 60 % to < 90 % | SIL 1        | SIL 2        | SIL 3        |
| 90 % to < 99 % | SIL 2        | SIL 3        | SIL 4        |
| ≥ 99 %         | SIL 3        | SIL 4        | SIL 4        |

Slide 15 | Redundant Safety System: HFT = 0 – No Channel Allowed to Fail

1oo1: 1 out of 1 channel has to activate the safety function.

Slide 16 | Redundant Safety System: HFT = 1 – One Channel Allowed to Fail

1oo2: 1 out of 2 channels suffices to activate the safety function.

Slide 17 | Redundant Safety System: HFT = 2 – Two Channels Allowed to Fail

1oo3: 1 out of 3 channels suffices to activate the safety function.

Slide 18 | Dräger Gas Detection Transmitters: SIL Capabilities

| Transmitter | SIL-C | Type | SFF | λDU | PFDavg | Assessment by ... | Performance appr. |
| Polytron Pulsar 4/60 m | 2 | B | 92.0 % | 1.08E-07 h^-1 | 0.000475 | Exida GmbH | no |
| Polytron Pulsar 30/120 and 100/200 m | 2 | B | 91.0 % | 1.08E-07 h^-1 | 0.000475 | Exida GmbH | no |
| Polytron IR Typ 334 and Typ 340 | 2 | B | 96.5 % | 2.92E-08 h^-1 | 0.000128 | Exida GmbH | yes |
| Polytron 7000 with pump- and relay-module | 2 | B | 95.91 % | 4.10E-07 h^-1 | 0.00179 | Exida GmbH | yes |
| Polytron 7000 with relay-module | 2 | B | 90.43 % | 3.42E-07 h^-1 | 0.00150 | Exida GmbH | yes |
| Polytron 7000 with pump module | 2 | B | 95.99 % | 4.18E-07 h^-1 | 0.00183 | Exida GmbH | yes |
| Polytron 7000 | 2 | B | 90.88 % | 3.57E-07 h^-1 | 0.00156 | Exida GmbH | yes |
| Polytron 3000 with EC-Sensor | 1 | B | 64.88 % | 4.43E-07 h^-1 | 0.00194 | Dräger, with Exida FMEDA-Tool | no |
| Polytron Ex and Ex R with Ex-Sensor PR M | 2 | A | 91.5 % | 1.20E-07 h^-1 | 0.000526 | Dräger, with Exida FMEDA-Tool | yes |
| PEX 3000 with Ex-Sensor PR M | 2 | B | 90.4 % | 1.27E-07 h^-1 | 0.000556 | Dräger, with Exida FMEDA-Tool | yes |
| Dräger PIR 7000 / 7200 | 2 | B | 94.99 % | 4.70E-08 h^-1 | 0.000204 | Exida GmbH, certified by TÜV | yes |

Slide 19 | Probability of Failure on Demand: An Applied Example

Sensor / Transmitter: λDU = 5.71·10^-7 h^-1, TP = 4380 h (6-monthly)

$PFD_1 = 0.5 \cdot 4380 \cdot 5.71 \cdot 10^{-7} = 0.00125$

Controller System: λDU = 4.06·10^-6 h^-1, TP = 4380 h (6-monthly)

$PFD_2 = 0.5 \cdot 4380 \cdot 4.06 \cdot 10^{-6} = 0.0089$

Actuator (Shut-Down Relay): λDU = 2.25·10^-6 h^-1, TP = 4380 h (6-monthly)

$PFD_3 = 0.5 \cdot 4380 \cdot 2.25 \cdot 10^{-6} = 0.00493$

PFDsystem = 0.00125 + 0.0089 + 0.00493 = 0.01508 > 0.01 → not SIL 2

Reducing the proof test interval TP to 3 months (2190 hours):

PFDsystem = 0.000625 + 0.00445 + 0.00247 = 0.007545 < 0.01 → yes, SIL 2

Provided that the SFFs are above 90 % for type B and above 60 % for type A!
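The arithmetic of slides 8 to 14 and the applied example above, as an added calculator that is not part of the course material: PFDavg = ½·λDU·TP per subsystem, the series sum of slide 10, the SIL limits of slide 11, the SFF formula of slide 12 and the SFF/HFT architecture tables of slide 14. The SFF values a caller passes for the slide-19 loop are an assumption, since that slide only states they exceed 90 %.

```python
from dataclasses import dataclass

# PFDavg upper limits per SIL (slide 11): SIL n is met while PFDavg < limit.
SIL_PFD_LIMITS = [(4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)]
# Achievable SIL by SFF band and hardware fault tolerance (slide 14).
# Rows: SFF < 60 %, 60-90 %, 90-99 %, >= 99 %; columns: HFT 0 (1oo1),
# HFT 1 (1oo2), HFT 2 (1oo3). 0 means "not allowed".
SIL_BY_SFF_HFT = {
    "A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]],
    "B": [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]],
}

def safe_failure_fraction(lam_sd, lam_su, lam_dd, lam_du):
    # Slide 12: SFF = (SD + SU + DD) / (SD + SU + DD + DU)
    return (lam_sd + lam_su + lam_dd) / (lam_sd + lam_su + lam_dd + lam_du)

@dataclass
class Subsystem:
    name: str
    lam_du: float        # dangerous undetected failure rate in 1/h
    sff: float           # safe failure fraction as a fraction (0.9 = 90 %)
    dev_type: str = "B"  # "A" (simple) or "B" (complex), slide 13
    hft: int = 0         # hardware fault tolerance, slides 15-17

    def pfd_avg(self, tp_hours):
        # Slide 8: PFDavg = 1/2 * lambda_DU * T_P (low demand mode)
        return 0.5 * self.lam_du * tp_hours

    def sil_by_architecture(self):
        # Count the SFF band boundaries passed, then look up the slide-14 table.
        band = sum(self.sff >= b for b in (0.60, 0.90, 0.99))
        return SIL_BY_SFF_HFT[self.dev_type][band][self.hft]

def sil_from_pfd(pfd):
    for sil, limit in SIL_PFD_LIMITS:
        if pfd < limit:
            return sil
    return 0  # PFDavg >= 0.1: no SIL achievable

def system_pfd(subsystems, tp_hours):
    # Slide 10: PFDsystem = PFD1 + PFD2 + PFD3 (all subsystems in series)
    return sum(s.pfd_avg(tp_hours) for s in subsystems)

def system_sil(subsystems, tp_hours):
    # The PFD limit and each subsystem's architectural constraint must both
    # hold; the weakest subsystem caps the SIL of the whole loop.
    return min(sil_from_pfd(system_pfd(subsystems, tp_hours)),
               min(s.sil_by_architecture() for s in subsystems))
```

Running the slide-19 loop through system_sil at TP = 4380 h and 2190 h reproduces the "not SIL 2" / "SIL 2" outcome shown above.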

Slide 20 | Polytron 7000: SIL Capability

λDU = 3.57·10^-7 h^-1

SFF = 90.88 %

PFD = 1.56·10^-3 at TP = 1 year

SIL 2 budget used: 15.6 %

FMEDA by Exida GmbH

| Device | PFD (TP = 1 year) |
| Transmitter 4-20 mA | 0.00156 |
| Transmitter 4-20 mA, with pump | 0.00183 |
| Transmitter without 4-20 mA, with Relay-Output | 0.00150 |
| Transmitter without 4-20 mA, with Relay-Output and pump | 0.00179 |

Even at yearly maintenance the average PFD values are considerably lower than 0.01.

VERY SUITABLE for SIL 2 applications, with sufficient margin for the further safety relevant devices needed for the complete system.

Slide 21 | Pulsar: SIL Capability

λDU = 1.09·10^-7 h^-1

SFF = 91.9 %

PFD = 4.75·10^-4 at TP = 1 year

SIL 2 budget used: 4.8 %

FMEDA by Exida GmbH

Even at yearly maintenance the average PFD values are considerably lower than 0.01.

VERY SUITABLE for SIL 2 applications, with sufficient margin for the further safety relevant devices needed for the complete system.

Slide 22 | Polytron IR: SIL Capability

λDU = 2.92·10^-8 h^-1

SFF = 96.5 %

PFD = 1.28·10^-4 at TP = 1 year

SIL 2 budget used: 1.3 %

FMEDA by Exida GmbH

Even at yearly maintenance the average PFD values are considerably lower than 0.01.

VERY SUITABLE for SIL 2 applications, with sufficient margin for the further safety relevant devices needed for the complete system.

Slide 23 | Dräger PIR 7000 / 7200: SIL Capability and Certificate

λDU = 4.7·10^-8 h^-1

SFF = 94.9 %

PFD = 2.04·10^-4 at TP = 1 year

SIL 2 budget used: 2 %

FMEDA by Exida GmbH

Even at yearly maintenance the average PFD values are considerably lower than 0.01.

VERY SUITABLE for SIL 2 applications, with sufficient margin for the further safety relevant devices needed for the complete system.


Slide 25 | Gas Detection Systems: Responsibility of the Customer

The SIL standard does not consider consumables, so the periodic maintenance (proof test interval TP) addresses the electrics and electronics. Consumables must be renewed (preventive replacement).

Electrochemical and catalytic sensors, for example, have to be tested according to the manufacturer's recommendations or, considering the actual requirements, at reduced intervals, to ensure the measuring function including alarm triggering, and that the target gas can freely penetrate into the sensor.

The manufacturer not only issues the declaration of SIL conformity but also safety instructions, which e.g. also describe the scope of the periodic proof tests.

The customer must establish organisational measures so that during the entire operational time of the safety related system all the safety relevant requirements are met, especially:

Periodic maintenance and function tests

Management concerning replacement parts

Modifications of the safety system

Commissioning and decommissioning

Safety for the whole life cycle!

Slide 26 | Summary: What Did We Learn?

Electronics may have failures – only undetectable dangerous failures cause problems.

By periodic proof tests a safety system can be virtually renewed.

The average PFD can be calculated for subsystems and complete safety systems.

The PFD must be lower than a given limit for a given SIL.

The Safe Failure Fraction can be calculated and must be higher than a given percentage for a given SIL, depending on the type of subsystem and the HFT.

The complete operation from commissioning to decommissioning needs to fulfil special safety requirements depending on the Safety Integrity Level.

Safety for the whole life cycle!

Slide 27

Thank you for your attention.