bd120 fmea and sil assessment r06-151(w)c

Lee-Dickens Ltd.

FMEA and SIL Assessment of the BD120 Dual Level Trip Amplifier

RMC Ref: R06-151(W) Date: November 2006 Prepared By: RM Consultants Ltd Genesis Centre Birchwood Science Park Risley Warrington Cheshire WA3 7BH

RMC DOCUMENT: R06-151(W) CLIENT REF: 13239

CLIENT NAME: Lee-Dickens Ltd. FILE NO: J4102

PROJECT: Instrument FMEA and SIL Assessment

TITLE: FMEA and SIL Assessment of the BD120 Dual Level Trip Amplifier

REVISION RECORD

ISSUE

DATE AUTHOR CHECKED BY APPROVED BY

A R I Wright J Jones R I Wright

August

2006

B R I Wright J Jones R I Wright

September

2006

C November

2006

R I Wright A Fox R I Wright

D

FORM RM 11A

( H:\Product Information\FMEDA Reports\BD Series Reports\PDF Files\FMEA and SIL Assessment Reports\Assessments with Datasheets Added\BD120 R06-151(W)C With Datasheet.doc)

30 November 2006

SUMMARY: A Failure Modes and Effects Analysis has been performed for the Lee-Dickens BD120 dual level trip

amplifier. This has been used to determine the overall rate of failure of the unit, the dangerous failure

rate, the Safe Failure Fraction, the probability of failure on demand and the corresponding Safety

Integrity Level.

The analysis was performed on the basis (i) that the unit trips on high level and (ii) that the unit trips on

low level. In both cases, the analysis assumed that the output relay de-energises on trip (fail safe with

regard to power failure). The results for the output relay contact opening on trip and closing on trip were

derived. In addition, two versions of the trip amplifier have been analysed – the unit without the “header”

used for an input range of 4-20mA, and the unit with a header used for thermocouple, resistance

thermometer, potentiometer, voltage and other current range inputs.

It is concluded that the BD120 achieves SIL2 with a proof test interval of 1 year or less, except when the

instrument with the header is used in the trip on low input mode. In this case only SIL1 is achieved, a 9

month or less proof test interval being required to achieve SIL2.

DISTRIBUTION: Gyles Dickens, Lee-Dickens Ltd Lawrence Woolgar, Lee-Dickens Ltd FORM RM 11B


30 November 2006

Revision Sheet

Issue No Date Change/Reference Documents A

August 2006

Issued to client for review.

B

September 2006

Approved by client

C

November 2006

RV4 added to FMEA of Block A as some failure modes affect other channel.

FORM RM 11C


30 November 2006

Dual Level Trip Amplifier BD120 Iss 3

IEC61508: Typically, SIL2. (Please contact Sales Office for details). Function: Dual Level Trip Amplifier from a single process signal input. The trip action can be arranged so that the Alarm conditions can be above (High Trip) or below (Low Trip) the set points, and that the relays can be either normally energised to de-energise in the Alarm condition (Fail-Safe), or normally de-energised to energise in the Alarm condition (Non Fail-Safe). Options on 4 to 20mA input versions, Upscale Drive on loss of input signal.

Apr 08

SPECIFICATIONS Please note that the following are typical ranges. Other ranges available, please contact sales office. INPUTS: D C Current 0-1mA into 100 ohms 0-10mA into 10 ohms 4-20mA into 10 ohms Option: Upscale drive on loss of 4 to 20mA input signal Other current inputs as required Minimum current 10μA, Maximum current 100mA D C Voltage Range: -250 and +250 Volts DC Minimum voltage span 5mV Maximum voltage span 500V Input Impedance: 1MΩ or greater A C Current 0 to 1A A C Voltage 0 to 250 V Resistance (2 wire) Between 0 and 20K ohms Minimum span 5 ohms Maximum span 20K ohms

Potentiometers (3 wire) Between 0 and 10K ohms Minimum span 10 ohms Maximum span 10K ohms Resistance Thermometers (RTDs, PT100s) 2 or 3 wire 100 or 130 ohms at 0°C Minimum temperature span 10°C Maximum temperature span 600°C Input is linearised Thermocouples Type B, E, J, K, N, R, S & T Temperature covered: Type Range MinTemp Change B 600 to 1800°C 400°C E -260 to 1000°C 65°C J -200 to 1200°C 80°C K -260 to 1370°C 100°C N 0 to 1300°C 150°C R 50 to 1760°C 400°C S 80 to 1760°C 400°C T -260 to 400°C 100°C Automatic cold junction compensation Open circuit thermocouple monitoring upscale or downscale drive

OUTPUTS: Relay - Contacts Two SPCO relay contacta Response Time 30mS or better Contact Ratings Max current 2A Max voltage 220V dc / 250V ac Maxi load 60W 62.5VA Switching Differential 0.5% of span approx Switching Mode Relay energises or de-energises on rising or falling signal as required Set Points 270° screw driver potentiometer through front panel Relay State Indication Bi-colour red/green LED Green = Stable State Red = Alarm State

SUPPLY: Power Supply Voltage 115 Volt AC ±15% 50/60 Hz or 230 Volt AC ±15% 50/60 Hz (To be specified at time of order) Power Required 3VA Maximum GENERAL: Temperature Coefficient ±0.1% of span/_ 10°C (for inputs > 100mV) + Cold junction error, for thermocouple inputs Operating / Storage Temperature Range 0 to +45°C / -20 to +60°C Operating / Storage Humidity Range 0 to 95% RH non-condensing Weight 145 gms

TERMINATION DETAILS Terminal 1 Power Supply Neutral 2 Power Supply Live 3 Power Supply Earth

Terminal 7 Relay N/O 8 Common Top Trip 9 Relay N/C 10 Relay N/O 11 Common Lower Trip 12 Relay N/C

MECHANICAL DETAILS

AC AC DC DC 2 Wire 3 Wire Resistance Inputs Current Volts mA mV/V T/Cs Slidewire Pot Thermometer 4 5 6

~ ~ -ve -ve -ve 0% 0% ~ ~ +ve +ve +ve 100% Wiper 100%

ORDERING DETAILS a) Give identification code, i.e. BD120 b) Give power supply voltage, i.e. 230 Volt AC 50/60 Hz c) Give details of input signal, i.e. input type (as listed above) and range. If thermocouple input please specify upscale or downscale drive for open circuit protection d) Give details of Options required: For thermocouple input please specify upscale or downscale drive for open circuit protection. For 4 to 20mA input, please specify if upscale drive required on loss of input signal. e) Give details of trip action required, i.e.

- HHNF = High High Non Fail Safe - LLFS = Low Low Fail Safe - HLNF = High Low Non Fail Safe - HLFS = High Low Fail Safe H = High Trip = Alarm condition above the set point L = Low Trip = Alarm condition below the set point FS = Fail Safe = Relay normally energised to de-energise in the alarm condition NF = Non Fail Safe = Relay normally de-energised to energise in the alarm condition

LEE-DICKENS LTD, Rushton Road, Desborough, Kettering, Northants, NN14 2QW Tel: 01536-760156

( H:\Product Information\FMEDA Reports\BD Series Reports\PDF Files\FMEA and SIL Assessment Reports\Assessments with Datasheets Added\BD120 R06-151(W)C

With Datasheet.doc) i 30 November 2006

CONTENTS

Page No

1. INTRODUCTION 1

2. METHODOLOGY 1

2.1 Scope 1

2.2 FMEA 2

2.3 PFD and SFF 3

2.4 Safety Integrity Level 3

3. FAILURE RATE DATA 4

4. RESULTS 5

4.1 Total Failure Rates 5

4.2 Circuit Block FMEA 5

4.3 System Level FMEA (Trip on High Level) 5

4.4 System Level FMEA (Trip on Low Level) 6

4.5 PFD and SIL – Each Channel 7

4.6 PFD and SIL – Dual Redundant Channels 7

5. CONCLUSIONS 8

6. REFERENCES 9

Tables 1-9 10

1. INTRODUCTION

The Lee-Dickens BD120 is a trip amplifier with a dual trip threshold. It can be configured by

means of internal links for the output relays to energise or de-energise on the input exceeding

the trip level. The unit can therefore be configured for either channel to trip on high input or

trip on low input with the option to fail safe or non-fail safe on power failure. Normally open

and normally closed relay contacts are available.

This report details the FMEA study performed on the BD120. The FMEA study has calculated

the system failure rate, identified potential failure modes and their likely effect upon the

system, categorised the failure effects into a number of failure types and used this data to

determine the Safe Failure Fraction (SFF), Probability of Failure on Demand (PFD) and the

corresponding BS EN 61508 Safety Integrity Level (SIL).

2. METHODOLOGY

2.1 Scope

Two analyses have been performed – firstly assuming that the unsafe state results in a high

input (trip on high) and secondly that the unsafe state results in a low input (trip on low).

Results are derived both for the output relay contacts opening on trip (which would be the

normal mode of operation in safety-related applications) and for the output relay contacts

closing on trip. It has been assumed that in safety-related applications the instrument will be

configured so that the final output relay de-energises when an unsafe state is reached.

In addition, two versions of the BD120 have been analysed, with and without the header. The

version without the header is used for 4-20mA inputs. The version with the header is used for

thermocouple, resistance thermometer, potentiometer, voltage and other current range inputs

according to what components are fitted in the header block and their values. As there are

many variations according to the input type and range, the analysis has been performed for

just one variant, chosen as being the most complex i.e. that for an R Type thermocouple with

range 0-500°C.

The analysis considers hardware reliability with respect to random hardware failures and the

architectural constraints when determining the SIL of the instrument. Measures for the

avoidance and control of systematic failures are not considered.


2.2 FMEA

The FMEA has been carried out using the circuit diagrams References 3-5. The circuit of the

BD100 has been divided into the following functional blocks:

Block A – Threshold setting and comparator;

Block B – Power supply;

Block D – Input (header version);

Block E – Input (non-header version).

(Block C is not used in this instrument.)

Each functional block has been subjected to FMEA using the following process. Each

component has been considered in turn. The potential failure modes of the component have

been identified (e.g. open circuit, short circuit) and the effect on the output of the functional

block has been described. Each failure effect has been classified using a set of categories

appropriate to that functional block. For example, an amplifier may have the following failure

categories:

• High gain;

• Low gain;

• Output stuck high;

• Output stuck low.

Each component has been allocated a failure rate (see Section 3) and the proportion of the

total failure rate due to each failure mode has been estimated. In general, all failure modes of

a component are considered equally probable. However, for resistors, open-circuit is

considered to be responsible for 80% of all failures with short-circuit comprising the remainder.

The frequency of each failure mode was calculated by summing the component failure mode

frequencies resulting in each functional block failure category. This process was repeated for

each functional block.

Finally, the effect of each functional block failure category on the unit as a whole was deduced

and categorised into system effect categories. For the variant which trips on high level, the

categories are:

• Fails to trip;

• Trips at too high level;

• Spurious trip;

• Trips at too low level;

• No or little effect.


These may be categorised into safe or dangerous failures. Taking the trip on high level

variant, the effects “Fails to trip” and “Trips at too high level” are considered to be dangerous

with the remaining failure modes being considered safe. In this instrument, all dangerous

failures are “undetected” i.e. they would only be detected by a proof test of the instrument.

2.3 PFD and SFF

The PFD is calculated from the frequency of dangerous, undetected failures (λdu) and the

interval between proof tests (T) using the formula:

2TPFD duλ

=

The SFF is calculated from the frequency of safe failures (λs), the frequency of dangerous

detected failures (λdd) and the total system failure rate (λ) as follows:

λλ+λ

= ddsSFF

2.4 Safety Integrity Level

In order to achieve a certain SIL as defined by BS-EN 61508 (Reference 1), various aspects

must be satisfied. The aspects covered here are the PFD and the architectural constraints.

The PFD requirements for systems operated in an “on demand” mode of operation where the

demand rate is low is:

Safety Integrity Level

PFD

≥10-5 < 10-44 ≥10-4 < 10-33 ≥10-3 < 10-22 ≥10-2 < 10-11

In addition, there are constraints on the SIL which can be achieved by a given degree of

redundancy (fault tolerance) and SFF. The constraints depend on whether the sub-system

can be considered to by “Type A” or “Type B”.

In order to be considered to be a Type A system the following requirements must be met:

a) the failure modes of all constituent components are well defined;

b) the behaviour of the subsystem under fault conditions can be completely determined and


c) there is sufficient dependable failure data from field experience to support claimed rates of

failure for detected and undetected failures.

Requirement (a) is met as the instrument is inherently simple, uses discrete component or

simple IC circuitry and contains no software. That the behaviour of the instrument under fault

conditions can be completely determined, Requirement (b), is demonstrated by the FMEA

contained in this report. Failure rate data is taken from MIL-HDBK-217F (Reference 2) which

is an industry accepted data source for electronic components. It is generally accepted to be

conservative. It is therefore considered that Requirement (c) is also met and the unit can be

considered to be a Type A sub-system.

The architectural constraints for a system comprising components of Type A are as shown

below:

Hardware Fault Tolerance Safe Failure Fraction 0 1 2

<60% SIL1 SIL2 SIL3

60% - <90% SIL2 SIL3 SIL4

90% - <99% SIL3 SIL4 SIL4

≥ 99% SIL3 SIL4 SIL4

Thus, for a single monitor (Fault Tolerance = 0), in order to achieve SIL2, the SFF must be

>60% and in order to achieve SIL3 the SFF must be >90%.

3. FAILURE RATE DATA

Failure rates have been taken from the MIL-HDBK-217 handbook of electronic reliability data

(Reference 2). This reference gives reliability data for a large number of electronic

components for a number of operational conditions and environments. For this analysis the

“parts count” methodology from Reference 2 was used. This type of analysis makes a number

of assumptions about the operational conditions of the components and is acceptable for use

in this type of analysis. It is generally more conservative than using the “parts stress” method

which requires significant data regarding operational conditions of components. For this

calculation it has been assumed that the operational environment of the monitors will be that of

a “ground fixed” environment as defined in Reference 2. This will be appropriate for the

industrial environment to which these monitors will be exposed. The overall failure rate of the

system is determined from the summation of the failure rates of the components.


4. RESULTS

As described in Section 2, the FMEA has been carried out in sections. Tables 1-4 show the

calculation of component failure rates and the FMEA for the following blocks respectively:

Block A – Threshold setting and comparator;

Block B – Power supply;

Block D – Input (header version);

Block E – Input (non-header version).

The results for the header and non-header versions of the instrument are then derived from

the analysis of the blocks.

4.1 Total Failure Rates

The total failure rate for the header and non-header versions are calculated from the block

failure rates as follows:

Block Failure Rate y-1 (header version)

Failure Rate y-1 (non-header version)

A (x2) 5.12E-02 5.12E-02 B 1.82E-02 1.82E-02 D 3.60E-02 -

1.65E-02E - TOTALS 1.05E-01 8.59E-02

4.2 Circuit Block FMEA

Tables 1 to 5 show the FMEAs for Blocks A (trip on high level), Block A (trip on low level), B, D

and E. The FMEAs for Block A distinguishes between those failures affecting the normally

open relay contacts, the normally closed relay contacts or both. In addition, the FMEAs for

Block A indicates whether failures are revealed by the front panel red or green LEDs. Failures

in Blocks B, D or C will affect both the normally open and the normally closed relay contacts

and will not be detected by operation of the LEDs. Therefore, the relevant columns are

omitted from the FMEA.

4.3 System Level FMEA (Trip on High Level)

Tables 6 and 7 show the overall FMEA for the non-header and header versions respectively

for applications which trip on a high level.


The results of the FMEA for a single channel are summarised below. The dangerous,

undetected failure rate is the sum of the failure rates for the failure modes for failure to trip on

high level or trips at a higher level. The SFF has also been calculated.

Without header With header Failure mode n/o relay

contact n/c relay contact

n/o relay contact

n/c relay contact

Fails to trip on high input 4.36E-03 4.16E-03 1.13E-02 1.11E-02

Trips at higher level 3.31E-03 3.31E-03 3.31E-03 3.31E-03

Dangerous undetected failure rate λdu 7.67E-03 7.47E-03 1.46E-02 1.44E-02

Spurious trip 2.79E-02 2.81E-02 2.79E-02 2.81E-02

Trips at lower level 3.14E-03 3.14E-03 1.02E-02 1.02E-02

Little or no effect 2.15E-02 2.15E-02 2.68E-02 2.68E-02

Safe failure rate λs 5.25E-02 5.27E-02 6.50E-02 6.52E-02

Total failure rate λ 6.01E-02 6.01E-02 7.96E-02 7.96E-02

SFF 87.3% 87.6% 81.7% 81.9%

4.4 System Level FMEA (Trip on Low Level)

Tables 8 and 9 show the overall FMEA for the non-header and header versions respectively

for applications which trip on a low level.

The results of the FMEA for a single channel are summarised below.

Without header With header Failure mode n/o relay

contact n/c relay contact

n/o relay contact

n/c relay contact

Fails to trip on low input 1.39E-02 1.37E-02 1.39E-02 1.37E-02

Trips at lower level 3.14E-03 3.14E-03 1.02E-02 1.02E-02

Dangerous undetected failure rate λdu 1.70E-02 1.68E-02 2.42E-02 2.40E-02


Trips at higher level 3.31E-03 3.31E-03 3.31E-03 3.31E-03

Little or no effect 1.86E-02 1.86E-02 2.40E-02 2.40E-02

Safe failure rate λs 4.31E-02 4.33E-02 5.54E-02 5.56E-02

Total failure rate λ 6.01E-02 6.01E-02 7.96E-02 7.96E-02

SFF 71.7% 72.0% 69.6% 69.9%


4.5 PFD and SIL – Each Channel

The PFD and corresponding SIL for a single channel of the trip amplifier are given in the table

below for various proof test intervals. As there is little difference between the n/o and the n/c

relay contact outputs, only the n/o relay contact outputs are considered.

Probability of Failure on Demand (PFD)

Dangerous Undetected Failure Rate

(/y) 1 year

PTI 6 month PTI 3 month PTI 1 month PTI

3.83E-03 1.92E-03 9.58E-04 3.19E-04Trip on high level (without header)

7.67E-03 SIL2 SIL2 SIL3* SIL3*

7.28E-03 3.64E-03 1.82E-03 6.07E-04Trip on high level (with header)

1.46E-02 SIL2 SIL2 SIL2 SIL3*

8.52E-03 4.26E-03 2.13E-03 7.10E-04Trip on low level (without header)


1.21E-02 6.04E-03 3.02E-03 1.01E-03Trip on low level (with header)


* Limited to SIL 2 by the architectural constraints.

It can be seen that the instrument generally has a PFD consistent with SIL 2 for a proof test

interval of 3, 6 or 12 months. A PFD consistent with SIL 3 is achieved with a proof test interval

of 1 month or less. However, as the SFF is in the range 60%-90%, from Section 2.4, the

architectural constraints limit the SIL which can be claimed to SIL 2 for a single instrument.

The exception is if the instrument with the header is used in the trip on low input mode. This

only provides SIL 1 with a 1 year proof test. A proof test interval of 9 months or less is

required to achieve SIL 2.

4.6 PFD and SIL – Dual Redundant Channels

This section considers an application in which both channels must fail in a dangerous manner

to constitute a dangerous failure. For example, the trip amplifier may be used to generate a

high and a high high alarm and operation of either would result in a safe state. The PFD and

corresponding SIL are given in the table below for various proof test intervals. As there is little

difference between the n/o and the n/c relay contact outputs, only the n/o relay contact outputs

are considered.


Probability of Failure on Demand (PFD)

Dangerous Undetected Failure Rate

(/y) 1 year

PTI 6 month PTI 3 month PTI 1 month PTI

1.85E-03 9.25E-04 4.63E-04 1.54E-04 Trip on high level (without header) 3.70E-03

SIL2 SIL3* SIL3* SIL3*

5.30E-03 2.65E-03 1.32E-03 4.42E-04 Trip on high level (with header) 1.06E-02

SIL2 SIL2 SIL2 SIL3*

3.85E-03 1.93E-03 9.64E-04 3.21E-04 Trip on low level (without header) 7.71E-03

SIL2 SIL2* SIL3* SIL3*

7.41E-03 3.71E-03 1.85E-03 6.18E-04 Trip on low level (with header) 1.48E-02

SIL2 SIL2 SIL2 SIL3*

* Limited to SIL 2 by the architectural constraints.

In this case, the instrument has a PFD consistent with SIL 2 for a proof test interval of 12

months. SIL 3 is achieved by some combinations but it can be seen from Tables 6-9 that the

SFF for this mode of operation is also in the range 60%-90% and so the architecture limits the

SIL which can be achieved to SIL 2.

5. CONCLUSIONS

FMEA studies have been performed for the BD120 dual level trip amplifier when used in the

trip on high input mode and when used in the trip on low input mode. The versions with and

without the header have both been analysed. This has predicted the rate of failure of the

instrument, the dangerous undetected failure rate and Safe Failure Fraction. From these

parameters, the Probability of Failure on Demand, and the Safety Integrity Level (SIL) has

been determined.

It is concluded that the BD120 achieves SIL 2 with a proof test interval of 1 year or less,

except when the instrument with the header is used in the trip on low input mode. In this case

only SIL 1 is achieved, a 9 month or less proof test interval being required to achieve SIL 2.

Note that is has been assumed that the instrument is configured to de-energise the output

relays when the trip condition occurs, i.e. fails safe on loss of power.


6. REFERENCES

Circuit Diagrams

( H:

4. Drg No 9075RSRS22 BD120 Circuit Diagram Circuit Diagram, Issue A

5. Drg No 6594/RT1, Alphamini Thermocouple Type R Inputs, Issue 4.

3. Drg No 9074, SM BD120 Circuit Diagram, Issue A

2. Military Handbook: Reliability Prediction of Electronic Equipment, MIL-HDBK-217F, US

Department of Defence, December 1991.

1. BS EN 61508, Functional safety of electrical/electronic/programmable electronic safety-

related systems, Parts 1 & 2, 2002.

\Product Information\FMEDA Reports\BD Series Reports\PDF Files\FMEA and SIL Assessment Reports\Assessments with Datasheets Added\BD120 R06-151(W)C With Datasheet.doc)

Table 1: Component Failure Rate Calculation and FMEA for Block A (Trip on High Level)

Facilities Affected Detected by Component

Reference

Component Type Component

Size/Rating λg πQ λEQUIP (/106

hours)

λEQUIP (/y) Failure

Mode

Effect Failure Class

n/o relay

contact

n/c relay

contact

Green

LED

Red

LED

Percentage

for Mode

Frequency

for Mode

(/y)

C09 Capacitor, plastic 1nf 8.40E-03 10 8.40E-02 7.36E-04 2.82% o/c Probably little effect Little or no

effect 50.0% 3.68E-04

s/c Effect uncertain. Assume

50% spurious trip

Spurious trip 25.0% 1.84E-04


50% fail to trip

Fails to trip on

high input 25.0% 1.84E-04

C10 Capacitor, plastic 10nf 8.40E-03 10 8.40E-02 7.36E-04 2.82% o/c IC1 switches faster and

may "ring". Probably little

effect

Little or no

effect 50.0% 3.68E-04

s/c IC1 has low gain. O/P

voltage = setpoint. TR1

can't turn on.


C13 Capacitor,

electrolyic

10uf 1.90E-02 10 1.90E-01 1.66E-03 6.38% o/c Faster response but

unclean switching near

threshold.

Little or no

effect 50.0% 8.32E-04

s/c TR1 turns off Spurious trip 50.0% 8.32E-04

D01 Diode, switching 7.50E-03 8 6.00E-02 5.26E-04 2.02% o/c Protects TR1 against

voltage spikes on

collector. Assume TR1

fails 50% s/c c/e

Fails to trip on


( H:\Product Information\FMEDA Reports\BD Series Reports\PDF Files\FMEA and SIL Assessment Reports\Assessments with Datasheets Added\BD120 R06-151(W)C With Datasheet.doc) 10 30 November 2006


Reference



hours)


Mode


n/o relay

contact

n/c relay

contact

Green

LED

Red

LED

Percentage

for Mode

Frequency

for Mode

(/y)

o/c Protects TR1 against

voltage spikes on

collector. Assume TR1

fails 50% o/c c/e


s/c Relay RLY1-a de-

energised


LE1 LED, dual 2.30E-04 8 1.84E-03 1.61E-05 0.06% Green

LED fails

Green LED fails to light in

untripped condition

Little or no

effect 50.0% 8.06E-06

Red LED

fails

Red LED fails to operate

on trip.

Little or no

effect 50.0% 8.06E-06

IC01 MC33171D

Operational

amplifier

2.40E-02 10 2.40E-01 2.10E-03 8.06% o/p high o/p of IC1 stays high. Fails to trip on


o/p low o/p of IC1 goes low. Spurious trip 50.0% 1.05E-03

R03 Resistor 100k 1.60E-02 10 1.60E-01 1.40E-03 5.37% o/c TR2 can't turn off. Loss of

hysteresis. Red LED

permanently on.

Little or no

effect 80.0% 1.12E-03

s/c TR2 can't turn on. Loss of

hysteresis. Red LED fails

to operate on trip.

Little or no

effect 20.0% 2.80E-04

R04 Resistor 100k 1.60E-02 10 1.60E-01 1.40E-03 5.37% o/c TR2 can't turn on. Loss of

hysteresis. Red LED fails

to operate on trip.

Little or no

effect 80.0% 1.12E-03



Reference



hours)


Mode


n/o relay

contact

n/c relay

contact

Green

LED

Red

LED

Percentage

for Mode

Frequency

for Mode

(/y)

s/c TR2 can't turn off. Loss of

hysteresis. Red LED

permanently on.

Little or no

effect 20.0% 2.80E-04

R05 Resistor 100k 1.60E-02 10 1.60E-01 1.40E-03 5.37% o/c Loss of hysteresis - poor

switching near threshold.

Little or no

effect 80.0% 1.12E-03

s/c TR1 permanently on. Fails to trip on


R06 Resistor 5k1 1.60E-02 10 1.60E-01 1.40E-03 5.37% o/c TR1 slow to turn off. Little or no

effect 80.0% 1.12E-03

s/c TR1 turns off Spurious trip 20.0% 2.80E-04

R07 Resistor 5k1 1.60E-02 10 1.60E-01 1.40E-03 5.37% o/c TR1 turns off Spurious trip 80.0% 1.12E-03

s/c Loss of hysteresis - poor


Little or no

effect 20.0% 2.80E-04

R08 Resistor 5k1 1.60E-02 10 1.60E-01 1.40E-03 5.37% o/c TR1 turns off Spurious trip 80.0% 1.12E-03

s/c Reduced response time.

Little effect.

Little or no

effect 20.0% 2.80E-04

R09 Resistor 10M 1.60E-02 10 1.60E-01 1.40E-03 5.37% o/c Increased gain and IC1

acts as integrator. Slow

recovery from trip.

Little or no

effect 80.0% 1.12E-03



can't turn on.




Reference



hours)


Mode


n/o relay

contact

n/c relay

contact

Green

LED

Red

LED

Percentage

for Mode

Frequency

for Mode

(/y)

R10 Resistor 5K1 1.60E-02 10 1.60E-01 1.40E-03 5.37% o/c o/p of IC1 goes low. Spurious trip 80.0% 1.12E-03

s/c Slight changes in setpoint

with temperature. No

significant effect.

Little or no

effect 20.0% 2.80E-04

R11 Resistor 5K1 1.60E-02 10 1.60E-01 1.40E-03 5.37% o/c o/p of IC1 stays high. Fails to trip on


s/c Slight changes in setpoint


significant effect.

Little or no

effect 20.0% 2.80E-04

R23 Resistor 7k5 1.60E-02 10 1.60E-01 1.40E-03 5.37% o/c Red LED brightness

reduced.

Little or no

effect 80.0% 1.12E-03

s/c Red LED brightness

increased.

Little or no

effect 20.0% 2.80E-04

R24 Resistor 10k 1.60E-02 10 1.60E-01 1.40E-03 5.37% o/c Red LED brightness

reduced.

Little or no

effect 80.0% 1.12E-03


increased.

Little or no

effect 20.0% 2.80E-04

R27 Resistor 1k 1.60E-02 10 1.60E-01 1.40E-03 5.37% o/c 15V supply to op amp

fails. TR1 turns off.


s/c ZD1 takes high current.

Fuse blows. Relay de-

energises


RLY01-a Relay 1.20E-02 10 1.20E-01 1.05E-03 4.03% Coil o/c

or s/c

Relay de-energised Spurious trip 25.0% 2.63E-04



Reference



hours)


Mode


n/o relay

contact

n/c relay

contact

Green

LED

Red

LED

Percentage

for Mode

Frequency

for Mode

(/y)

n/o

contact 1

s/c

Contact can't open Fails to trip on


n/o

contact 1

o/c

No effect as in parallel

with n/o contact 2

Little or no

effect 9.4% 9.86E-05

n/c

contact 1

s/c

Contact can't open. Spurious trip 9.4% 9.86E-05

n/c

contact 1

o/c


with n/c contact 2

Little or no

effect 9.4% 9.86E-05

n/o

contact 2

s/c

Contact can't open Fails to trip on


n/o

contact 2

o/c


with n/o contact 1

Little or no

effect 9.4% 9.86E-05

n/c

contact 2

s/c

Contact can't open. Spurious trip 9.4% 9.86E-05

n/c

contact 2

o/c


with n/c contact 1

Little or no

effect 9.4% 9.86E-05



Reference



hours)


Mode


n/o relay

contact

n/c relay

contact

Green

LED

Red

LED

Percentage

for Mode

Frequency

for Mode

(/y)

RV03 Wirewound

potentiometer

10k 1.00E-02 10 1.00E-01 8.76E-04 3.36% o/c top Reference voltage

decreases.

Trips at lower

level 10.0% 8.76E-05

o/c bot Reference voltage

increases.

Trips at higher

level 10.0% 8.76E-05

o/c slider o/p of IC1 goes high. Fails to trip on


RV04 Wirewound

potentiometer


increases

Trips at higher

level 10.0% 8.76E-05


increases.

Trips at higher

level 10.0% 8.76E-05

o/c slider No effect on this channel Little or no

effect 80.0% 7.01E-04

TR01 Transistor 1.10E-03 8 8.80E-03 7.71E-05 0.30% o/c c-e Relay de-energises Spurious trip 50.0% 3.85E-05

s/c c-e Relay can't de-energise Fails to trip on


TR02 Transistor 1.10E-03 8 8.80E-03 7.71E-05 0.30% o/c c-e Loss of hysterisis. Red

LED fails to operate on

trip.

Little or no

effect 50.0% 3.85E-05

s/c c-e Loss of hysteresis. Red

LED permanently on

Little or no

effect 50.0% 3.85E-05

2.56E-02 100.00% 2.56E-02



Reference



hours)


Mode


n/o relay

contact

n/c relay

contact

Green

LED

Red

LED

Percentage

for Mode

Frequency

for Mode

(/y)

TOTALS

Fails to trip on

high input

3.70E-03 3.51E-03

Trips at higher

level

2.63E-04 2.63E-04


Trips at lower

level

8.76E-05 8.76E-05

Little or no

effect

1.28E-02 1.28E-02 1.44E-03


Table 2 Component Failure Rate Calculation and FMEA for Block A (Trip on Low Level)


Reference

Component

Type

Component

Size/Rating λg

Frequency

for Mode

(/y)

πQ

λEQUIP

(/106

hours)


Mode Effect Failure Class n/o relay

contact

n/c relay

contact

Green

LED Red LED

Percentage

for Mode

C09 Capacitor,

plastic

1nf 8.40E-03 10 8.40E-02 7.36E-04 2.82% o/c Probably little effect Little or no effect 50.0% 3.68E-04


50% spurious trip



50% fail to trip

Fails to trip on low

input

25.0% 1.84E-04

C10 Capacitor,

plastic

10nf 8.40E-03 10 8.40E-02 7.36E-04 2.82% o/c IC1 switches faster and

may "ring". Probably little

effect

Little or no effect

50.0% 3.68E-04



can't turn on.


input 50.0% 3.68E-04

C13 Capacitor,

electrolyic

10uf 1.90E-02 10 1.90E-01 1.66E-03 6.38% o/c Faster response but

unclean switching near

threshold.

Little or no effect

50.0% 8.32E-04

s/c TR1 turns off Fails to trip on low

input 50.0% 8.32E-04

D01 Diode,

switching

7.50E-03 8 6.00E-02 5.26E-04 2.02% o/c Protects TR1 against

voltage spikes on collector.

Assume TR1 fails 50% s/c

c/e



Facilities Affected Detected by Frequency

for Mode

(/y)

Component

Reference

Component

Type

Component

Size/Rating λg πQ

λEQUIP

(/106

hours)



contact

n/c relay

contact

Green

LED Red LED

Percentage

for Mode

o/c Protects TR1 against

voltage spikes on collector.

Assume TR1 fails 50% o/c

c/e


input 25.0% 1.31E-04

s/c Relay RLY1-a de-

energised


LE1 LED, dual 2.30E-04 8 1.84E-03 1.61E-05 0.06% Green

LED fails

Green LED fails to light in

untripped condition

Little or no effect 50.0% 8.06E-06

Red

LED fails

Red LED fails to operate

on trip.


IC01 MC33171D

Operational

amplifier

2.40E-02 10 2.40E-01 2.10E-03 8.06% o/p high o/p of IC1 high. Spurious trip 50.0% 1.05E-03

o/p low o/p of IC1 low. Fails to trip on low

input 50.0% 1.05E-03

R03 Resistor 100k 1.60E-02 10 1.60E-01 1.40E-03 5.37% o/c TR2 can't turn off. Fails to trip on low

input 80.0% 1.12E-03

s/c TR2 can't turn on. Spurious trip 20.0% 2.80E-04

R04 Resistor 100k 1.60E-02 10 1.60E-01 1.40E-03 5.37% o/c TR2 can't turn on. Spurious trip 80.0% 1.12E-03

s/c TR2 can't turn off. Fails to trip on low

input 20.0% 2.80E-04

R05 Resistor 100k 1.60E-02 10 1.60E-01 1.40E-03 5.37% o/c Loss of hysteresis - poor





Reference Red LED

Percentage

for Mode

Frequency

for Mode

(/y)

πQ

λEQUIP

(/106

hours)



contact

n/c relay

contact

Component

Type

Component

Size/Rating λg Green

LED

s/c TR1 permanently on. Spurious trip 20.0% 2.80E-04

R06 Resistor 5k1 1.60E-02 10 1.60E-01 1.40E-03 5.37% o/c TR1 slow to turn off. Little or no effect 80.0% 1.12E-03

s/c TR1 turns off Fails to trip on low

input 20.0% 2.80E-04

R07 Resistor 5k1 1.60E-02 10 1.60E-01 1.40E-03 5.37%

o/c TR1 turns off Fails to trip on low

input 80.0% 1.12E-03

s/c Loss of hysteresis - poor



R08 Resistor 5k1 1.60E-02 10 1.60E-01 1.40E-03 5.37%

o/c TR1 turns off Fails to trip on low

input 80.0% 1.12E-03

s/c Reduced response time.

Little effect.


R09 Resistor 10M

1.60E-02 10 1.60E-01 1.40E-03 5.37%

o/c

Increased gain and IC1

acts as integrator. Slow

recovery from trip.


s/c

IC1 has low gain. O/P


can't turn on.


input

20.0% 2.80E-04

R10 Resistor 5K1 1.60E-02 10 1.60E-01 1.40E-03 5.37%

o/c o/p of IC1 goes low. Fails to trip on low

input 80.0% 1.12E-03

s/c

Slight changes in setpoint


significant effect.




for Mode

(/y)

Component

Reference

Component

Type

Component

Size/Rating λg πQ

λEQUIP

(/106

hours)



contact

n/c relay

contact

Green

LED Red LED

Percentage

for Mode

R11 Resistor 5K1 1.60E-02 10 1.60E-01 1.40E-03 5.37% o/c o/p of IC1 stays high. Spurious trip 80.0% 1.12E-03

s/c

Slight changes in setpoint


significant effect.


R23 Resistor 7k5 1.60E-02 10 1.60E-01 1.40E-03 5.37%

o/c Red LED brightness

reduced.



increased.


R24 Resistor 10k 1.60E-02 10 1.60E-01 1.40E-03 5.37%

o/c Red LED brightness

reduced.



increased.


R27 Resistor 1k 1.60E-02 10 1.60E-01 1.40E-03 5.37%

o/c 15V supply to op amp fails.

TR1 turns off.


input 80.0% 1.12E-03

s/c

ZD1 takes high current.

Fuse blows. Relay de-

energises


RLY01-a Relay 1.20E-02 10 1.20E-01 1.05E-03 4.03% Coil o/c

or s/c

Relay de-energised Spurious trip 25.0% 2.63E-04

n/o

contact

1 s/c

Contact can't open Fails to trip on low

input 9.4%

9.86E-05

n/o

contact

No effect as in parallel with

n/o contact 2




for Mode

(/y)

Component

Reference

Component

Type

Component

Size/Rating λg πQ

λEQUIP

(/106

hours)



contact

n/c relay

contact

Green

LED Red LED

Percentage

for Mode

1 o/c

n/c

contact

1 s/c

Contact can't open. Spurious trip 9.4%

9.86E-05

n/c

contact

1 o/c


n/c contact 2

Little or no effect 9.4%

9.86E-05

n/o

contact

2 s/c

Contact can't open Fails to trip on low

input 9.4%

9.86E-05

n/o

contact

2 o/c


n/o contact 1


9.86E-05

n/c

contact

2 s/c

Contact can't open. Spurious trip 9.4%

9.86E-05

n/c

contact

2 o/c


n/c contact 1


9.86E-05

RV03 Wirewound

potentiomet

er


decreases.

Trips at lower level 10.0% 8.76E-05


increases.

Trips at higher

level 10.0% 8.76E-05



for Mode

(/y)

Component

Reference

Component

Type

Component

Size/Rating λg πQ

λEQUIP

(/106

hours)



contact

n/c relay

contact

Green

LED Red LED

Percentage

for Mode

o/c slider o/p of IC1 goes high. Spurious trip 80.0% 7.01E-04

RV04 Wirewound

potentiomet

er


increases.

Trips at higher

level

10.0% 8.76E-05


increases.

Trips at higher

level 10.0% 8.76E-05

o/c slider No effect on this channel Little or no effect 80.0% 7.01E-04

TR01 Transistor 1.10E-03 8 8.80E-03 7.71E-05 0.30% o/c c-e Relay de-energises Spurious trip 50.0% 3.85E-05

s/c c-e Relay can't de-energise Fails to trip on low

input 50.0% 3.85E-05

TR02 Transistor 1.10E-03 8 8.80E-03 7.71E-05 0.30% o/c c-e Loss of hysterisis. Red

LED fails to operate on trip.


s/c c-e Loss of hysteresis. Red

LED permanently on


2.56E-02 100.00% 2.56E-02


TOTALS


input

9.25E-03 9.05E-03 0.00E+00 0.00E+00

Trips at lower level 8.76E-05 8.76E-05 0.00E+00 0.00E+00


Trips at higher level 2.63E-04 2.63E-04 0.00E+00 0.00E+00

Little or no effect 1.00E-02 1.00E-02 0.00E+00 3.85E-05


Table 3: Component Failure Rate Calculation and FMEA for Block B

Component

Reference



hours)


Mode

Effect Failure Class Percentage

for Mode

Frequency for

Mode (/y)

C14 Capacitor,

electrolyic

100uf 1.90E-02 10 1.90E-01 1.66E-03 9.13% o/c Large ripple on power rails. Threshold

drops to low value.

Large ripple on output 50.0% 8.32E-04

s/c Fuse blows. No output. Zero output voltage 50.0% 8.32E-04

D3 Diode Power

rectifier

2.20E-02 9 1.98E-01 1.73E-03 9.51% o/c Half wave rectifies. Increase in ripple

but probably little effect.



D4 Diode Power

rectifier





D5 Diode Power

rectifier





D6 Diode Power

rectifier





F1 Fuse 2.00E-02 1 2.00E-02 1.75E-04 0.96% o/c No power output Zero output voltage 100.0% 1.75E-04


Component

Reference



hours)


Mode


for Mode

Frequency for

Mode (/y)

P1-P2 Link Reflow

solder

1.40E-04 1 1.40E-04 1.23E-06 0.01% o/c No power output Zero output voltage 100.0% 1.23E-06

TX1 Power transformer 3.60E-01 3 1.08E+00 9.46E-03 51.87% any No power output Zero output voltage 100.0% 9.46E-03

1.82E-02 100.00% 1.82E-02

TOTALS

Zero output voltage 1.39E-02

Large ripple on output 8.32E-04

Little or no effect 3.47E-03


Table 4: Component Failure Rate Calculation and FMEA for Block D

Component

Reference



hours)


Mode


for Mode

Frequency for

Mode (/y)

C01 Capacitor, plastic 10nF 8.40E-03 10 8.40E-02 7.36E-04 2.05% o/c Possible noise on the output. No

significant effect on trip function


s/c No output signal. Output zero 50.0% 3.68E-04

C02 Capacitor, plastic 10nf 8.40E-03 10 8.40E-02 7.36E-04 2.05% o/c Possible noise on the output. No












C05 Capacitor, plastic 0.1uf 8.40E-03 10 8.40E-02 7.36E-04 2.05% o/c Probably little effect Little or no effect 50.0% 3.68E-04

s/c Reference voltage drops to zero. Reference zero 50.0% 3.68E-04

C08 Capacitor, plastic 0.1uf 8.40E-03 10 8.40E-02 7.36E-04 2.05% o/c Possible common mode noise on the

output. No significant effect on trip

function


s/c Input not floating. Increased

susceptibility to common mode noise.

No significant effect.




Component

Reference



hours)


Mode


for Mode

Frequency for

Mode (/y)

s/c 15V supply to Blocks A fails. +15VSupply to Block A

fails

50.0% 3.68E-04

H1-C01 Capacitor, plastic 0.1uf 8.40E-03 10 8.40E-02 7.36E-04 2.05% o/c Possible noise on the output. No




H1 - R01 Resistor 13K 1.60E-02 10 1.60E-01 1.40E-03 3.90% o/c Output voltage increases Output too high 80.0% 1.12E-03

s/c Output voltage permanently zero Output zero 20.0% 2.80E-04

H1 - R02 Resistor 110R 1.60E-02 10 1.60E-01 1.40E-03 3.90% o/c Output voltage permanently zero Output zero 80.0% 1.12E-03

s/c Small increase in output voltage but not

significant


H1 - R03 Resistor 110R 1.60E-02 10 1.60E-01 1.40E-03 3.90% o/c Very low gain. Output near zero. Output zero 80.0% 1.12E-03

s/c No significant effect Little or no effect 20.0% 2.80E-04

H1 - R04 Resistor SOT 1.60E-02 10 1.60E-01 1.40E-03 3.90% o/c No significant effect Little or no effect 80.0% 1.12E-03


H1 - R05 Resistor SOT 1.60E-02 10 1.60E-01 1.40E-03 3.90% o/c No significant effect Little or no effect 80.0% 1.12E-03

s/c Output voltage permanently high Output too high 20.0% 2.80E-04

H1 - R06 Resistor 30R 1.60E-02 10 1.60E-01 1.40E-03 3.90% o/c Output voltage permanently zero Output zero 80.0% 1.12E-03

s/c Output voltage high Output too high 20.0% 2.80E-04

H1 - R07 Resistor 8K2 1.60E-02 10 1.60E-01 1.40E-03 3.90% o/c Output voltage high Output too high 80.0% 1.12E-03


H1 - R08 Resistor 8K2 1.60E-02 10 1.60E-01 1.40E-03 3.90% o/c H1-R9 forces output to maximum Output too high 80.0% 1.12E-03


H1 - R09 Resistor 6M8 1.60E-02 10 1.60E-01 1.40E-03 3.90% o/c Upscale drive on t/c o/c fails. No effect

unless coincident fault.



Component

Reference



hours)


Mode


for Mode

Frequency for

Mode (/y)


H1 - R10 Resistor Not fitted Not fitted. Assumed upscale drive on t/c

o/c


H1 - RV01 Cermet trimmer 10K 2.00E-02 10 2.00E-01 1.75E-03 4.87% o/c top Output voltage permanently zero Output zero 10.0% 1.75E-04

o/c bot Output voltage permanently high Output too high 10.0% 1.75E-04

o/c slider Output voltage permanently high Output too high 80.0% 1.40E-03

IC03 ZRB500 voltage

reference

5V 2.40E-02 10 2.40E-01 2.10E-03 5.85% o/c Common mode voltage may exceed

allowable limits. Unlikely to cause

failure.



susceptibility to common mode noise.

No significant effect.


IC04 Operational

amplifier

OP07 2.40E-02 10 2.40E-01 2.10E-03 5.85% o/p high Output too high Output too high 50.0% 1.05E-03

o/p low Output zero Output zero 50.0% 1.05E-03

IC05 ZRB500 voltage

reference

5V 2.40E-02 10 2.40E-01 2.10E-03 5.85% o/c Reference voltage rail increases to 15V Reference too high 25.0% 5.26E-04

s/c Reference voltage drops to zero Reference zero 25.0% 5.26E-04

o/p high Reference voltage increases. Reference too high 25.0% 5.26E-04

o/p low Reference voltage decreases. Reference too low 25.0% 5.26E-04

R01 Resistor 30k 1.60E-02 10 1.60E-01 1.40E-03 3.90% o/c Increased output voltage Output too high 80.0% 1.12E-03


R28 Resistor 13k 1.60E-02 10 1.60E-01 1.40E-03 3.90% o/c Reference voltage drops to zero Reference zero 80.0% 1.12E-03


Component

Reference



hours)


Mode


for Mode

Frequency for

Mode (/y)

s/c Reference voltage increases. Reference too high 20.0% 2.80E-04


s/c Absolute max forward current for IC5

exceeded. If IC5 goes o/c reference

voltage rail increases to 15V

Reference too high 10.0% 1.40E-04

s/c Absolute max forward current for IC5

exceeded. If IC5 goes s/c reference

voltage drops to zero

Reference zero 10.0% 1.40E-04

RV01 Cermet trimmer 2k 2.00E-02 10 2.00E-01 1.75E-03 4.87% o/c top No effect Little or no effect 10.0% 1.75E-04

o/c bot Reference voltage increases to 15V Reference too high 10.0% 1.75E-04

o/c slider Reference voltage increases. Reference too high 80.0% 1.40E-03

RV02 Cermet trimmer 10k 2.00E-02 10 2.00E-01 1.75E-03 4.87% o/c top Reference voltage drops to zero Reference zero 10.0% 1.75E-04

o/c bot No effect Little or no effect 10.0% 1.75E-04

o/c slider Reference voltage decreases. Reference too low 80.0% 1.40E-03

ZD01 Zener diode 15V 2.40E-02 8 1.92E-01 1.68E-03 4.68% o/c 15V supply to Blocks A increases to 30V

approx.

+15VSupply to Block A

too high

50.0% 8.41E-04

s/c 15V supply to Blocks A fails. +15VSupply to Block A

fails

50.0% 8.41E-04

3.60E-02 100.00% 3.60E-02


TOTALS

Output too high 8.23E-03

Output zero 7.55E-03

Reference too high 3.05E-03

Reference too low 1.93E-03

Reference zero 3.45E-03


too high

8.41E-04


fails

1.21E-03


Total 3.60E-02


Table 5: Component Failure Rate Calculation and FMEA for Block E

Component

Reference

Component Type Component Size/Rating λg πQ λEQUIP (/106

hours)


Mode


for Mode

Frequency

for Mode (/y)

C01 Link Reflow solder 1.40E-04 1 1.40E-04 1.23E-06 0.01% o/c Two input connectors in parallel.

No effect






C03 Link Reflow solder 1.40E-04 1 1.40E-04 1.23E-06 0.01% o/c No output signal. Output zero 100.0% 1.23E-06


s/c Reference voltage drops to zero. Reference zero 50.0% 3.68E-04

C08 Capacitor, plastic 0.1uf 8.40E-03 10 8.40E-02 7.36E-04 4.45% o/c Possible common mode noise on

the output. No significant effect on

trip function



susceptibility to common mode

noise. No significant effect.



s/c 15V supply to Blocks A fails. +15VSupply to Block

A fails

50.0% 3.68E-04

IC03 ZRB500 voltage

reference

5V 2.40E-02 10 2.40E-01 2.10E-03 12.71% o/c Common mode voltage may

exceed allowable limits. Unlikely to

cause failure.



Component

Reference


hours)


Mode


for Mode

Frequency

for Mode (/y)


susceptibility to common mode

noise. No significant effect.


IC05 ZRB500 voltage

reference

5V 2.40E-02 10 2.40E-01 2.10E-03 12.71% o/c Reference voltage rail increases to

15V


s/c Reference voltage drops to zero Reference zero 25.0% 5.26E-04

o/p high Reference voltage increases. Reference too high 25.0% 5.26E-04

o/p low Reference voltage decreases. Reference too low 25.0% 5.26E-04

R01 Link Reflow solder 1.40E-04 1 1.40E-04 1.23E-06 0.01% o/c No output signal. Output zero 100.0% 1.23E-06


s/c Absolute max forward current for

IC5 exceeded. If IC5 goes o/c

reference voltage rail increases to

15V


s/c Absolute max forward current for

IC5 exceeded. If IC5 goes s/c

reference voltage drops to zero

Reference zero 10.0% 1.40E-04


s/c Reference voltage increases. Reference too high 20.0% 2.80E-04

R29 Resistor 62R 1.60E-02 10 1.60E-01 1.40E-03 8.47% o/c Increased output voltage Output too high 80.0% 1.12E-03


R30 Link Reflow solder 1.40E-04 1 1.40E-04 1.23E-06 0.01% o/c No output signal. Output zero 100.0% 1.23E-06

RV01 Cermet trimmer 2k 2.00E-02 10 2.00E-01 1.75E-03 10.59% o/c top No effect Little or no effect 10.0% 1.75E-04

o/c bot Reference voltage increases to

15V



Component

Reference


hours)


Mode


for Mode

Frequency

for Mode (/y)

o/c slider Reference voltage increases. Reference too high 80.0% 1.40E-03

RV02 Cermet trimmer 10k 2.00E-02 10 2.00E-01 1.75E-03 10.59% o/c top Reference voltage drops to zero Reference zero 10.0% 1.75E-04

o/c bot No effect Little or no effect 10.0% 1.75E-04

o/c slider Reference voltage decreases. Reference too low 80.0% 1.40E-03

ZD01 Zener diode 15V 2.40E-02 8 1.92E-01 1.68E-03 10.17% o/c 15V supply to Blocks A increases

to 30V approx.

+15VSupply to Block

A too high

50.0% 8.41E-04

s/c 15V supply to Blocks A fails. +15VSupply to Block

A fails

50.0% 8.41E-04

1.65E-02 100.00% 1.65E-02

TOTALS

Output too high 1.12E-03

Output zero 6.52E-04

Reference too high 3.05E-03

Reference too low 1.93E-03

Reference zero 3.45E-03

+15VSupply to Block

A too high

8.41E-04

+15VSupply to Block

A fails

1.21E-03


Total 1.65E-02


Table 6: Top Level FMEA (Trip on high level, non-header version)

Outputs Affected Detected by Component

Reference Failure Mode Effect Failure Class

Output 1 Output 2 Both Green LED Red LED

Total

Frequency

n/o relay

contact

n/c relay

contact

n/o relay

contact

n/c relay

contact

n/o relay

contact

n/c relay

contact

Block A1 Fails to trip on high

input Fails to trip on high input

Fails to trip on high input 3.70E-03 3.51E-03 2.47E-02

Trips at higher level Trips at higher level Trips at higher level 2.63E-04 2.63E-04

Spurious trip Spurious trip Spurious trip 8.46E-03 8.65E-03 8.46E-03 8.46E-03

Trips at lower level Trips at lower level Trips at lower level 8.76E-05 8.76E-05

Little or no effect Little or no effect Little or no effect 1.28E-02 1.28E-02 1.44E-03

Block A2 Fails to trip on high

input Fails to trip on high input

Fails to trip on high input 3.70E-03 3.51E-03 2.47E-02





Block B Zero output voltage Relay de-energises. Spurious

trip.

Spurious trip 1.39E-02 1.39E-02 1.39E-02 1.39E-02 1.39E-02 1.39E-02 1.39E-02 1.39E-02 1.82E-02


Outputs Affected Detected by Total

Frequency

Component



n/o relay

contact

n/c relay

contact

n/o relay

contact

n/c relay

contact

n/o relay

contact

n/c relay

contact

Large ripple on output Effect uncertain but will tend to

reduce trip threshold and/or

de-energise relay therefore

spurious trip likely.

Spurious trip 8.32E-04 8.32E-04 8.32E-04 8.32E-04 8.32E-04 8.32E-04 8.32E-04 8.32E-04

Little or no effect Little or no effect Little or no effect 3.47E-03 3.47E-03 3.47E-03 3.47E-03 3.47E-03 3.47E-03

1.65E-02Block E Output too high Tends to trip too early Trips at lower level 1.12E-03 1.12E-03 1.12E-03 1.12E-03 1.12E-03 1.12E-03

Output zero Fails to trip at all Fails to trip on high input 6.52E-04 6.52E-04 6.52E-04 6.52E-04 6.52E-04 6.52E-04

Reference too high Trips at too high level Trips at higher level 3.05E-03 3.05E-03 3.05E-03 3.05E-03 3.05E-03 3.05E-03

Reference too low Trips at too low level Trips at lower level 1.93E-03 1.93E-03 1.93E-03 1.93E-03 1.93E-03 1.93E-03

Reference zero Trips at any input Spurious trip 3.45E-03 3.45E-03 3.45E-03 3.45E-03 3.45E-03 3.45E-03 3.45E-03 3.45E-03


too high

No absolute max ratings

exceeded.

Little or no effect 8.41E-04 8.41E-04 8.41E-04 8.41E-04 8.41E-04 8.41E-04


fails

Output of comparator low.

Spurious trip



8.69E-02





Total

Frequency

n/o relay

contact

n/c relay

contact

n/o relay

contact

n/c relay

contact

n/o relay

contact

n/c relay

contact

TOTALS

Fails to trip on high input 4.36E-03 4.16E-03 4.36E-03 4.16E-03 6.52E-04 6.52E-04

Trips at higher level 3.31E-03 3.31E-03 3.31E-03 3.31E-03 3.05E-03 3.05E-03

λdu 7.67E-03 7.47E-03 7.67E-03 7.47E-03 3.70E-03 3.70E-03


Trips at lower level 3.14E-03 3.14E-03 3.14E-03 3.14E-03 3.05E-03 3.05E-03

Little or no effect 2.15E-02 2.15E-02 2.15E-02 2.15E-02 8.60E-03 8.60E-03 2.88E-03

λs 5.25E-02 5.27E-02 5.25E-02 5.27E-02 3.11E-02 3.11E-02

ltotal 6.01E-02 6.01E-02 6.01E-02 6.01E-02 3.48E-02 3.48E-02

SFF 87.3% 87.6% 87.3% 87.6% 89.4% 89.4%


Table 7: Top Level FMEA (Trip on high level, header version)




Total

Frequency

n/o relay

contact

n/c relay

contact

n/o relay

contact

n/c relay

contact

n/o relay

contact

n/c relay

contact

Block A1 Fails to trip on high input Fails to trip on high input Fails to trip on high input 3.70E-03 3.51E-03 2.47E-02





Block A2 Fails to trip on high input Fails to trip on high input Fails to trip on high input 3.70E-03 3.51E-03 2.47E-02





Block B Zero output voltage Relay de-energises. Spurious trip. Spurious trip 1.39E-02 1.39E-02 1.39E-02 1.39E-02 1.39E-02 1.39E-02 1.39E-02 1.39E-02 1.82E-02


reduce trip threshold and/or de-

energise relay therefore spurious

trip likely.


Little or no effect Little or no effect Little or no effect 3.47E-03 3.47E-03 3.47E-03 3.47E-03 3.47E-03 3.47E-03 3.60E-02



Frequency

Component



n/o relay

contact

n/c relay

contact

n/o relay

contact

n/c relay

contact

n/o relay

contact

n/c relay

contact

Block D Output too high Tends to trip too early Trips at lower level 8.23E-03 8.23E-03 8.23E-03 8.23E-03 8.23E-03 8.23E-03

Output zero Fails to trip at all Fails to trip on high input 7.55E-03 7.55E-03 7.55E-03 7.55E-03 7.55E-03 7.55E-03



Reference zero Trips at any input Spurious trip 3.45E-03 3.45E-03 3.45E-03 3.45E-03 3.45E-03 3.45E-03 3.45E-03 3.45E-03


too high


exceeded.



fails


Spurious trip



1.06E-01





Total

Frequency

n/o relay

contact

n/c relay

contact

n/o relay

contact

n/c relay

contact

n/o relay

contact

n/c relay

contact

TOTALS

Fails to trip on high input 1.13E-02 1.11E-02 1.13E-02 1.11E-02 7.55E-03 7.55E-03


ldu 1.46E-02 1.44E-02 1.46E-02 1.44E-02 1.06E-02 1.06E-02




λs 6.50E-02 6.52E-02 6.50E-02 6.52E-02 4.36E-02 4.36E-02

λtotal 7.96E-02 7.96E-02 7.96E-02 7.96E-02 5.42E-02 5.42E-02

SFF 81.7% 81.9% 81.7% 81.9% 80.4% 80.4%


Table 8: Top Level FMEA (Trip on low level, non-header version)



Output 1 Output 2 Both Green

LED Red LED

Total

Frequency

n/o relay

contact

n/c relay

contact

n/o relay

contact

n/c relay

contact

n/o relay

contact

n/c relay

contact

Block A1 Fails to trip on low input Fails to trip on low input Fails to trip on low input 9.25E-03 9.05E-03 2.47E-02





Block A2 Fails to trip on low input Fails to trip on low input Fails to trip on low input 9.25E-03 9.05E-03 2.47E-02





Block B Zero output voltage Relay de-energises. Spurious trip. Spurious trip 1.39E-02 1.39E-02 1.39E-02 1.39E-02 1.39E-02 1.39E-02 1.39E-02 1.39E-02 1.82E-02


reduce trip threshold and/or de-

energise relay therefore spurious

trip likely.





Frequency

Component



LED Red LED

Block E Output too high Tends to trip too late Trips at lower level 1.12E-03 1.12E-03 1.12E-03 1.12E-03 1.12E-03 1.12E-03 1.65E-02

Output zero Spurious trip Spurious trip 6.52E-04 6.52E-04 6.52E-04 6.52E-04 6.52E-04 6.52E-04 6.52E-04 6.52E-04



Reference zero Never trips Fails to trip on low input 3.45E-03 3.45E-03 3.45E-03 3.45E-03 3.45E-03 3.45E-03 3.45E-03 3.45E-03


too high

No absolute max ratings exceeded. Little or no effect 8.41E-04 8.41E-04 8.41E-04 8.41E-04 8.41E-04 8.41E-04


fails

Output of comparator low. No trip Fails to trip on low input 1.21E-03 1.21E-03 1.21E-03 1.21E-03 1.21E-03 1.21E-03


8.69E-02





LED Red LED

Total

Frequency

TOTALS

Fails to trip on low input 1.39E-02 1.37E-02 1.39E-02 1.37E-02 4.66E-03 4.66E-03 3.45E-03 3.45E-03


λdu 1.70E-02 1.68E-02 1.70E-02 1.68E-02 7.71E-03 7.71E-03




λs 4.31E-02 4.33E-02 4.31E-02 4.33E-02 2.71E-02 2.71E-02

λtotal 6.01E-02 6.01E-02 6.01E-02 6.01E-02 3.48E-02 3.48E-02

SFF 71.7% 72.0% 71.7% 72.0% 77.8% 77.8%


Table 9: Top Level FMEA (Trip on low level, header version)



Total

Frequency Output 1 Output 2 Both Green LED Red LED

n/o relay

contact

n/c relay

contact

n/o relay

contact

n/c relay

contact

n/o relay

contact

n/c relay

contact

Block A1 Fails to trip on low

input

Fails to trip on low input Fails to trip on low input 9.25E-03 9.05E-03 2.47E-02





Block A2 Fails to trip on low

input

Fails to trip on low input Fails to trip on low input 9.25E-03 9.05E-03 2.47E-02





Block B Zero output voltage Relay de-energises.

Spurious trip.

Spurious trip 1.39E-02 1.39E-02 1.39E-02 1.39E-02 1.39E-02 1.39E-02 1.39E-02 1.39E-02 1.82E-02

Large ripple on output Effect uncertain but will

tend to reduce trip

threshold and/or de-

energise relay therefore




Frequency

Component



n/o relay

contact

n/c relay

contact

n/o relay

contact

n/c relay

contact

n/o relay

contact

n/c relay

contact

spurious trip likely.


Block D Output too high Tends to trip too late Trips at lower level 8.23E-03 8.23E-03 8.23E-03 8.23E-03 8.23E-03 8.23E-03 3.60E-02

Output zero Spurious trip Spurious trip 7.55E-03 7.55E-03 7.55E-03 7.55E-03 7.55E-03 7.55E-03 7.55E-03 7.55E-03



Reference zero Never trips Fails to trip on low input 3.45E-03 3.45E-03 3.45E-03 3.45E-03 3.45E-03 3.45E-03 3.45E-03 3.45E-03

+15VSupply to Block

A too high


exceeded.


+15VSupply to Block

A fails


No trip

Fails to trip on low input 1.21E-03 1.21E-03 1.21E-03 1.21E-03 1.21E-03 1.21E-03


1.06E-01





Total

Frequency

n/o relay

contact

n/c relay

contact

n/o relay

contact

n/c relay

contact

n/o relay

contact

n/c relay

contact

TOTALS

Fails to trip on low input 1.39E-02 1.37E-02 1.39E-02 1.37E-02 4.66E-03 4.66E-03 3.45E-03 3.45E-03


λdu 2.42E-02 2.40E-02 2.42E-02 2.40E-02 1.48E-02 1.48E-02




λs 5.54E-02 5.56E-02 5.54E-02 5.56E-02 3.94E-02 3.94E-02

λtotal 7.96E-02 7.96E-02 7.96E-02 7.96E-02 5.42E-02 5.42E-02

SFF 69.6% 69.9% 69.6% 69.9% 72.6% 72.6%

1.39E-02 1.37E-02 1.39E-02 1.37E-02 4.66E-03 4.66E-03 3.45E-03 3.45E-03
