Common cause failure: β estimation according to IEC 61508-6 Annex D, by Carlo Lebrun
β ESTIMATION SHEET (ref. IEC 61508-6 Annex D)

Subsystem: SENSOR or FINAL ELEMENT
Manufacturer: e.g. Emerson Rosemount
Model: e.g. Rosemount 2088 Pressure Transmitter
Rev:
Date: ddMMMYYYY
Source: e.g. EXIDA FMEDA ROS 06/10-18 R001 V1 R1

Item | YES / NO (select choice) | VALUE | NOTES on MOTIVATION

Separation/segregation (CATEGORY TOTAL 7.0)
Are all signal cables for the channels routed separately at all positions? | NO | 0.0 | Not guaranteed
If the sensors/final elements have dedicated control electronics, is the electronics for each channel on separate printed-circuit boards? | YES | 4.0 | Transmitters are separate
If the sensors/final elements have dedicated control electronics, is the electronics for each channel indoors and in separate cabinets? | YES | 3.0 | Transmitters are in different housings

Diversity/redundancy (CATEGORY TOTAL 0.0; low value, improvement is recommended)
Do the devices employ different physical principles for the sensing elements, for example pressure and temperature, vane anemometer and Doppler transducer, etc.? | NO | 0.0 | No, transmitters are identical
Do the devices employ different electrical principles/designs, for example digital and analogue, different manufacturer (not re-badged) or different technology? | NO | 0.0 | No, transmitters are identical
Do the channels employ enhanced redundancy with MooN architecture, where N > M + 2? | NO | 0.0 | No, 2oo3
Do the channels employ enhanced redundancy with MooN architecture, where N = M + 2? | NO | 0.0 | No, 2oo3
Are separate test methods and people used for each channel during commissioning? | NO | 0.0 | No, impractical
Is maintenance on each channel carried out by different people at different times? | NO | 0.0 | No, impractical

Complexity/design/application/maturity/experience (CATEGORY TOTAL 10.0)
Does cross-connection between channels preclude the exchange of any information other than that used for diagnostic testing or voting purposes? | YES | 1.0 | No cross-channel information between transmitters
Is the design based on techniques used in equipment that has been used successfully in the field for > 5 years? | YES | 2.0 | 2088 Pressure Transmitter based on well-proven design
Is there more than 5 years experience with the same hardware used in similar environments? | YES | 3.0 | Extensive experience in process control
Are inputs and outputs protected from potential levels of over-voltage and over-current? | YES | 2.0 | Transient voltage and current protection provided
Are all devices/components conservatively rated (for example, by a factor of 2 or more)? | YES | 2.0 | Design has conservative rating factors proven by field reliability

Assessment/analysis and feedback of data (CATEGORY TOTAL 10.0)
Have the results of the failure modes and effects analysis or fault-tree analysis been examined to establish sources of common cause failure and have predetermined sources of common cause failure been eliminated by design? | YES | 3.0 | FMEDA done by third party (exida). No common cause issues
Were common cause failures considered in design reviews with the results fed back into the design? (Documentary evidence of the design review activity is required.) | YES | 3.0 | Design review is part of the development process. Results are always fed back into the design
Are all field failures fully analyzed with feedback into the design? (Documentary evidence of the procedure is required.) | YES | 4.0 | Field failure feedback procedure reviewed by third party (exida). Results are fed back into the design.

Procedures/human interface (CATEGORY TOTAL 4.0)
Is there a written system of work to ensure that all component failures (or degradations) are detected, the root causes established and other similar items inspected for similar potential causes of failure? | NO | 0.0 | Proof test procedures are provided, but they cannot ensure root cause failure analysis.
Are procedures in place to ensure that: maintenance (including adjustment or calibration) of any part of the independent channels is staggered, and, in addition to the manual checks carried out following maintenance, the diagnostic tests are allowed to run satisfactorily between the completion of maintenance on one channel and the start of maintenance on another? | NO | 0.0 | Procedures are not sufficient to ensure staggered maintenance.
Do the documented maintenance procedures specify that all parts of redundant systems (for example, cables, etc.) intended to be independent of each other, are not to be relocated? | NO | 0.0 | MOC procedures require review of proposed changes, but relocation may inadvertently be done.
Is all maintenance of printed-circuit boards, etc. carried out off-site at a qualified repair centre and have all the repaired items gone through a full pre-installation testing? | YES | 2.0 | Repair is done by returning the product to the factory, therefore this requirement is met.
Do the system diagnostic tests report failures to the level of a field-replaceable module? | YES | 2.0 | Logic solver is programmed to detect current out of range and report the specific transmitter.

Competence/training/safety culture (CATEGORY TOTAL 0.0; low value, improvement is recommended)
Have designers been trained (with training documentation) to understand the causes and consequences of common cause failures? | NO | 0.0 | Control system designers have not been trained.
Have maintainers been trained (with training documentation) to understand the causes and consequences of common cause failures? | NO | 0.0 | Maintenance personnel have not been trained.

Environmental control (CATEGORY TOTAL 7.0)
Is personnel access limited (for example locked cabinets, inaccessible position)? | YES | 3.0 | A tool is required to open the transmitter, therefore this requirement is met.
Is the system likely to operate always within the range of temperature, humidity, corrosion, dust, vibration, etc., over which it has been tested, without the use of external environmental control? | YES | 4.0 | Environmental conditions are checked at installation.
Are all signal and power cables separate at all positions? | NO | 0.0 | No

Environmental testing (CATEGORY TOTAL 20.0)
Has the system been tested for immunity to all relevant environmental influences (for example EMC, temperature, vibration, shock, humidity) to an appropriate level as specified in recognized standards? | YES | 20.0 | Complete testing of all environmental stress variables and run-in during production testing.

Total X | 27.0
Total Y | 31.0
X / Y ratio | 0.9

Diagnostic coverage
What is the estimated diagnostic coverage? | >= 60 % | DC = 351 / (351 + 126) ≈ 73.6 %
What is the diagnostic test interval (hours/days/weeks)? | < 2 h | about 1 s cycle
Z | 1.0

Score S | 58.0
Score S_D | 85.0

RESULT
β | 5.0 %
β_D | 2.0 %
β ESTIMATION SHEET (ref. IEC 61508-6 Annex D)

Subsystem: LOGIC SOLVER
Manufacturer:
Model: model x
Rev:
Date: ddMMMYYYY
Source:

Item | YES / NO (select choice) | VALUE | NOTES on MOTIVATION

Separation/segregation (CATEGORY TOTAL 5.0; low value, improvement is recommended)
Are all signal cables for the channels routed separately at all positions? | 50% | 1.5 |
Are the logic subsystem channels on separate printed-circuit boards? | 50% | 2.0 |
Are the logic subsystem channels in separate cabinets? | 50% | 1.5 |

Diversity/redundancy (CATEGORY TOTAL 14.8)
Do the channels employ different electrical technologies, for example one electronic or programmable electronic and the other relay? | 50% | 3.5 |
Do the channels employ different electronic technologies, for example one electronic, the other programmable electronic? | 50% | 2.5 |
Do the channels employ enhanced redundancy with MooN architecture, where N > M + 2? | 50% | 1.3 |
Do the channels employ enhanced redundancy with MooN architecture, where N = M + 2? | 50% | 0.8 |
Is low diversity used, for example hardware diagnostic tests using the same technology? | 50% | 1.5 |
Is medium diversity used, for example hardware diagnostic tests using different technology? | 50% | 2.3 |
Were the channels designed by different designers with no communication between them during the design activities? | 50% | 1.0 |
Are separate test methods and people used for each channel during commissioning? | 50% | 0.8 |
Is maintenance on each channel carried out by different people at different times? | 50% | 1.3 |

Complexity/design/application/maturity/experience (CATEGORY TOTAL 5.0)
Does cross-connection between channels preclude the exchange of any information other than that used for diagnostic testing or voting purposes? | 50% | 0.5 |
Is the design based on techniques used in equipment that has been used successfully in the field for > 5 years? | 50% | 0.8 |
Is there more than 5 years experience with the same hardware used in similar environments? | 50% | 1.3 |
Is the system simple, for example no more than 10 inputs or outputs per channel? | 50% | 0.5 |
Are inputs and outputs protected from potential levels of over-voltage and over-current? | 50% | 1.0 |
Are all devices/components conservatively rated (for example, by a factor of 2 or more)? | 50% | 1.0 |

Assessment/analysis and feedback of data (CATEGORY TOTAL 5.0)
Have the results of the failure modes and effects analysis or fault-tree analysis been examined to establish sources of common cause failure and have predetermined sources of common cause failure been eliminated by design? | 50% | 1.5 |
Were common cause failures considered in design reviews with the results fed back into the design? (Documentary evidence of the design review activity is required.) | 50% | 1.5 |
Are all field failures fully analyzed with feedback into the design? (Documentary evidence of the procedure is required.) | 50% | 2.0 |

Procedures/human interface (CATEGORY TOTAL 6.5)
Is there a written system of work to ensure that all component failures (or degradations) are detected, the root causes established and other similar items inspected for similar potential causes of failure? | 50% | 0.8 |
Are procedures in place to ensure that: maintenance (including adjustment or calibration) of any part of the independent channels is staggered, and, in addition to the manual checks carried out following maintenance, the diagnostic tests are allowed to run satisfactorily between the completion of maintenance on one channel and the start of maintenance on another? | 50% | 1.0 |
Do the documented maintenance procedures specify that all parts of redundant systems (for example, cables, etc.) intended to be independent of each other, are not to be relocated? | 50% | 0.5 |
Is all maintenance of printed-circuit boards, etc. carried out off-site at a qualified repair centre and have all the repaired items gone through a full pre-installation testing? | 50% | 0.8 |
Does the system have low diagnostic coverage (60 % to 90 %) and report failures to the level of a field-replaceable module? | 50% | 0.3 |
Does the system have medium diagnostic coverage (90 % to 99 %) and report failures to the level of a field-replaceable module? | 50% | 1.3 |
Does the system have high diagnostic coverage (> 99 %) and report failures to the level of a field-replaceable module? | 50% | 2.0 |

Competence/training/safety culture (CATEGORY TOTAL 5.0)
Have designers been trained (with training documentation) to understand the causes and consequences of common cause failures? | 50% | 2.5 |
Have maintainers been trained (with training documentation) to understand the causes and consequences of common cause failures? | 50% | 2.5 |

Environmental control (CATEGORY TOTAL 5.0)
Is personnel access limited (for example locked cabinets, inaccessible position)? | 50% | 1.5 |
Is the system likely to operate always within the range of temperature, humidity, corrosion, dust, vibration, etc., over which it has been tested, without the use of external environmental control? | 50% | 2.0 |
Are all signal and power cables separate at all positions? | 50% | 1.5 |

Environmental testing (CATEGORY TOTAL 0.0; low value, improvement is recommended)
Has the system been tested for immunity to all relevant environmental influences (for example EMC, temperature, vibration, shock, humidity) to an appropriate level as specified in recognized standards? | NO | 0.0 |

Total X | 52.5
Total Y | 40.0
X / Y ratio | 1.3

Diagnostic coverage
What is the estimated diagnostic coverage? | >= 90 %
What is the diagnostic test interval in minutes? | 1 < x < 5
Z | 0.5

Score S | 92.5
Score S_D | 118.8

RESULT
β | 1.0 %
β_D | 1.0 %

Note on this sheet: every item except environmental testing is answered "50%", and the VALUE column carries that half credit (the category totals add to 46.3), whereas Total X + Total Y = 92.5 is twice that, i.e. S, S_D and the resulting β are computed from full-credit X/Y weights. If the half credit were carried through to the totals, the logic solver would fall into a lower score band of Table D.4 and get a higher β. Confirm which treatment of partial answers is intended before using this result. The three diagnostic-coverage items are also mutually exclusive (a system has one coverage level), so only one of them should score.
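The calculation both sheets perform, carried through in code as an added example (this is not part of Carlo Lebrun's sheet). It uses the sheets' own formulas S = X + Y and S_D = X(Z + 1) + Y and their own totals and FIT figures (X = 27, Y = 31, Z = 1.0, λ_DD = 351, λ_DU = 126 for the transmitter; X = 52.5, Y = 40, Z = 0.5 for the logic solver). Z is taken as an input because the Z tables (IEC 61508-6 Tables D.2 and D.3) are not reproduced here; the Table D.4 score bands and the three sample Table D.1 weights in `SEPARATION_LOGIC` are written down as recalled from IEC 61508-6:2010 and must be checked against a copy of the standard. The `score_checklist` helper shows how partial ("50%") answers propagate to X and Y when they are applied consistently, which is the point the note on the logic solver sheet raises.

```python
"""beta-factor estimation per IEC 61508-6 Annex D, worked on the two sheets above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    """One Table D.1 checklist question with its X and Y weights."""
    text: str
    x: float
    y: float


# Sample items: the three logic-subsystem separation/segregation questions.
# Weights are as RECALLED from IEC 61508-6:2010 Table D.1 (assumption; verify).
SEPARATION_LOGIC = (
    Item("Are all signal cables for the channels routed separately at all positions?", 1.5, 1.5),
    Item("Are the logic subsystem channels on separate printed-circuit boards?", 3.0, 1.0),
    Item("Are the logic subsystem channels in separate cabinets?", 2.5, 0.5),
)

# Table D.4 as recalled (assumption; verify): (lower bound of S or S_D, beta_int in %).
_BANDS = {
    "logic": ((120.0, 0.5), (70.0, 1.0), (45.0, 2.0), (0.0, 5.0)),
    "sensor": ((120.0, 1.0), (70.0, 2.0), (45.0, 5.0), (0.0, 10.0)),  # sensors or final elements
}


def score_checklist(items, answers):
    """Return (X, Y) for a checklist.

    answers[i] is the credit for items[i]: 1.0 for YES, 0.0 for NO, or a fraction
    for a partially met item. The fraction is applied to BOTH weights, so a sheet
    answered "50%" throughout scores half of its full-credit X and Y.
    """
    if len(items) != len(answers):
        raise ValueError("one answer per item is required")
    for a in answers:
        if not 0.0 <= a <= 1.0:
            raise ValueError("answers must be in [0, 1]")
    x = sum(it.x * a for it, a in zip(items, answers))
    y = sum(it.y * a for it, a in zip(items, answers))
    return x, y


def scores(x, y, z):
    """S = X + Y and S_D = X * (Z + 1) + Y, exactly as the sheets compute them."""
    return x + y, x * (z + 1.0) + y


def beta_from_score(s, subsystem):
    """Map S (or S_D) to beta_int (or beta_D_int) in % for 'logic' or 'sensor'."""
    if s < 0:
        raise ValueError("score must be non-negative")
    for lower, beta in _BANDS[subsystem]:
        if s >= lower:
            return beta
    raise AssertionError("unreachable: bands cover [0, inf)")


def diagnostic_coverage(lambda_dd, lambda_du):
    """DC = lambda_DD / (lambda_DD + lambda_DU); the sheet's 351 and 126 give ~0.736."""
    return lambda_dd / (lambda_dd + lambda_du)


def ccf_rate(beta_pct, beta_d_pct, lambda_du, lambda_dd):
    """Common-cause share of the dangerous failure rate: beta*lambda_DU + beta_D*lambda_DD."""
    return beta_pct / 100.0 * lambda_du + beta_d_pct / 100.0 * lambda_dd


def estimate(x, y, z, subsystem):
    """Full Annex D result for one subsystem from its X, Y and Z."""
    s, s_d = scores(x, y, z)
    return {
        "S": s,
        "S_D": s_d,
        "beta": beta_from_score(s, subsystem),
        "beta_D": beta_from_score(s_d, subsystem),
    }


if __name__ == "__main__":
    # Transmitter sheet: X 27, Y 31, DC >= 60 % with a < 2 h test interval -> Z = 1.0
    print("sensor:", estimate(27.0, 31.0, 1.0, "sensor"))
    # Logic solver sheet, totals and Z as entered on the sheet
    print("logic :", estimate(52.5, 40.0, 0.5, "logic"))
    print("DC    :", round(diagnostic_coverage(351, 126), 3))
    # The same three separation items answered "50%" versus YES
    print("half credit (X, Y):", score_checklist(SEPARATION_LOGIC, [0.5, 0.5, 0.5]))
    print("full credit (X, Y):", score_checklist(SEPARATION_LOGIC, [1.0, 1.0, 1.0]))
```

Running it reproduces the sheets: the transmitter gives S = 58 and S_D = 85, i.e. β = 5 % and β_D = 2 %, and the logic solver gives S = 92.5 and S_D = 118.75 (118.8 on the sheet), i.e. 1 % for both. The half-credit run of the three separation items returns X = 3.5, Y = 1.5, whose sum 5.0 is the VALUE total the logic solver sheet shows for that category.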