SENSONICS
IEC61508 and Applications for Protection of Rotating Machinery.
Presented by
Russell King
SENSONICS
KEEPING INDUSTRY TURNING
Overview
• About Sensonics
• What is IEC 61508?
• Safety Integrity Levels
• Protection of Rotating Machines
• Life Cycle Activities
About Sensonics
Situated in the UK and founded in 1978, SENSONICS has nearly 30 years' experience in
the design, manufacture and installation of condition monitoring & protection equipment.
Products & Competencies
• Turbine Supervisory Systems
• Machine Condition Monitoring
• Plant Protection Systems
• Nuclear Infrastructure Protection
• Structural Monitoring Solutions
• Accelerometer, Displacement & Seismic Transducers
• Turn-Key Design, Manufacture, Installation and Commissioning & Project Support
IEC61508 Definition
“Functional safety of electrical / electronic & programmable electronic safety-related systems”
• Prevention and control of dangerous failures
• Provides a risk based process for determining the required performance
• The standard can be used across all industries and applications
• Internationally recognised
IEC61511 is specific to the process industry
• Utilises a simplified life-cycle model
• Uses process-industry-based terminology
What is a safety-related system?
Purpose:
• To prevent injury and loss of life
• To protect and minimise damage to plant assets
Safety Instrumented Systems will typically consist of the following elements:
• Sensors
• Signal Processing
• Logic Resolvers
• Communication Interface
• Actuators
Example Safety-Related Systems
• Railway signalling system
• Crane safe load indicator
• Turbine Overspeed protection system
• Anti-Lock brakes
• Machine Guard Interlocks
• Emergency shutdown systems
What is a dangerous failure?
• Incorrect or weak equipment specification
• Random failures in hardware
• Systematic failures of hardware and software
• Human error
• Environmental influences
• Supply system disturbances
The Safety Integrity Level dictates the approach and level of design mitigation against the known failures of the system
Safety Integrity Levels
System is specified to a Safety Integrity Level
• SIL 1 – 4
Note: a SIL can only apply to the safety function of a system, not to a standalone piece of equipment.
• SIL 1: injury to persons or damage to property
• SIL 2: serious injury or damage resulting in shutdown
• SIL 3: life-threatening injury or extensive operational shutdown
• SIL 4: multiple loss of life or plant destruction
The same levels also apply to loss-of-revenue scenarios.
SIL Relationship to Failure
1. Continuous Safety Process (High Demand System)
2. Low Demand Safety Related System
IEC61508 specifies the following integrity ratings
PFD = Probability of Failure on Demand (= Risk Reduction)

SIL     Low Demand PFD       High Demand Failure Rate p.a.
SIL 4   >=10^-5 to <10^-4    >=10^-5 to <10^-4
SIL 3   >=10^-4 to <10^-3    >=10^-4 to <10^-3
SIL 2   >=10^-3 to <10^-2    >=10^-3 to <10^-2
SIL 1   >=10^-2 to <10^-1    >=10^-2 to <10^-1
SIL Relationship to Redundancy and SFF
IEC61508 specifies the following redundancy & SFF requirements
SFF – Safe Failure Fraction (Determined From FMEA)
(Ratio of safe plus detected dangerous failures to total failure rate)
HFT – Hardware Fault Tolerance or Redundancy
Type B subsystems:

SFF      HFT=0 (B)        HFT=1 (B)           HFT=2 (B)
         Single Channel   Redundant Channel   Dual Redundancy
<60%     -                SIL 1               SIL 2
60-90%   SIL 1            SIL 2               SIL 3
90-99%   SIL 2            SIL 3               SIL 4
>99%     SIL 3            SIL 4               SIL 4
SIL Relationship to Redundancy and SFF
Safety-related subsystems are categorised into Type A and Type B.
• Type A – Failure modes and behaviour fully understood plus dependable field failure data
• Type B – Doubt in any of the above
Type A subsystems:

SFF      HFT=0 (A)        HFT=1 (A)           HFT=2 (A)
         Single Channel   Redundant Channel   Dual Redundancy
<60%     SIL 1            SIL 2               SIL 3
60-90%   SIL 2            SIL 3               SIL 4
90-99%   SIL 3            SIL 4               SIL 4
>99%     SIL 3            SIL 4               SIL 4
Protection of Rotating Machines
Sensonics experience is in safe shutdown through vibration, expansion and speed measurements.
Two main outcomes to consider
• Failure to Trip (Safety)
• Spurious Trip (Process / Financial)
Consider the following instrumentation set-up.
(Diagram: transducer and monitor channel with the shutdown level marked)
Failure Mode and Effect Analysis
(Diagram: the same channel with the shutdown level marked)
Breakdown System to key sub-systems
For each subsystem component, determine the following for the required ‘Effects’ (i.e. Fail to Trip & Spurious Trip):
• Failure rate including environmental factors
• Failure Mode
• Diagnostic Coverage of Failure Mode
Vibration Transducer Analysis
Failure Mode And Effect Analysis Considerations
(Circuit diagram annotations: component - failure mode: effect; O/C = open circuit)
• C1 - O/C: Fail to Trip
• C2/C3 - O/C: Spurious Trip
• TR1 - All: Fail to Trip
• C6 - O/C: Fail to Trip
Vibration Transducer Analysis
FMEA Analysis: MTBFs calculated for
• Safe Failures
• Unsafe Failures Detected
• Unsafe Failures Undetected
PZS4 Accelerometer
• Failure to Trip (MTBF) 298 years
• Diagnostic Cover 22.5%
• SFF 32.5%
• Spurious Trip (MTBF) >5000 years
Overall Component MTBF – 260 years
Protection Monitor Analysis
Failure Mode And Effect Analysis Considerations
(Diagram: Monitor assemblies – Personality, Display, Interface; output relay failure modes – Fail to Move Relay, Spurious Relay Trip, Fail to Break Contact)
Protection Monitor Analysis
The monitor consists of three assemblies; the analysis is carried out on each and the individual results are combined.
DN2611 Protection Monitor
FMEA Analysis Results
Failure to Trip (MTBF) 200 years
Diagnostic Cover 19%
SFF 79%
Spurious Trip 185 years
Overall MTBF – 53 years
Hardware Configurations
The SFFs and the diagnosed and undiagnosed failure rates have now been calculated for the key system elements. Now consider the following simplex hardware configuration (HFT=0).
PFD_s = λ1 × MTTR + λ2 × T/2
λ1 = diagnosed failure rate, λ2 = undiagnosed failure rate
MTTR = repair time, T = proof test interval
PFD_s = 0.16E-6 × 24 hrs + 0.58E-6 × 8760 hrs / 2
      = 2.6 × 10^-3 with SFF of 68%
(Diagram: single channel, Transducer → Monitor)
Hardware Configurations
Duplex hardware configuration (HFT=1).
PFD_d = (PFD_s)^2 + 10% × PFD_s
      = (2.6 × 10^-3)^2 + 0.1 × 2.6 × 10^-3
PFD_d = 2.7 × 10^-4 with SFF of 68%
(Diagram: two channels, each Transducer → Monitor)
TMR Protection Systems
Triple Modular Redundancy utilising 2 of 3 voting.
Applications include:
• Overspeed Protection
• Valve Position Control
PFD_t = 3 × PFD_d
HFT = 2
Spurious trip MTBF = (MTBF)^2 / (6 × MTTR): significantly reduces the risk of a spurious trip!
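The simplex, duplex and TMR arithmetic from the preceding slides worked through in code, as an added example that is not Sensonics' material. It takes the slides' formulas and figures as constructed inputs, assumes the IEC 61508 SFF band boundaries (60%, 90%, 99%) for the table look-up, and generalises the look-up to both subsystem types and all three HFT values.

```python
# Added example (not Sensonics' code): the slide's PFD arithmetic for HFT=0/1/2
# plus the two IEC 61508 look-ups, with the slide's figures as constructed inputs.

# Low-demand average-PFD bands from the slide: (SIL, lower bound, upper bound).
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

# Architectural constraint tables from the slides, indexed [SFF band][HFT], with
# SFF bands 0: <60%, 1: 60-<90%, 2: 90-<99%, 3: >=99%; 0 = not allowed at any SIL.
ARCH_LIMIT = {
    "A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]],
    "B": [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]],
}

def safe_failure_fraction(lam_safe, lam_dd, lam_du):
    """SFF = (safe + dangerous detected) / total failure rate, as defined on the slide."""
    return (lam_safe + lam_dd) / (lam_safe + lam_dd + lam_du)

def pfd_simplex(lam_dd, lam_du, mttr_h, proof_interval_h):
    """HFT=0: diagnosed faults wait MTTR, undiagnosed ones T/2 on average."""
    return lam_dd * mttr_h + lam_du * proof_interval_h / 2

def pfd_duplex(pfd_s, common_cause=0.10):
    """HFT=1 as on the slide: PFDs^2 plus a 10% common-cause share of PFDs."""
    return pfd_s ** 2 + common_cause * pfd_s

def pfd_tmr(pfd_d):
    """HFT=2 (2oo3 voting) as on the slide: PFDt = 3 x PFDd."""
    return 3 * pfd_d

def sil_from_pfd(pfd):
    """SIL band the achieved PFD falls in; 0 if worse than SIL 1."""
    for sil, lo, hi in PFD_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0

def sil_from_architecture(subsystem_type, sff, hft):
    """Highest SIL the HFT/SFF table permits for a Type A or Type B subsystem."""
    band = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    return ARCH_LIMIT[subsystem_type][band][min(hft, 2)]

def achievable_sil(pfd, subsystem_type, sff, hft):
    """Both limits apply, so the claimable SIL is the lower of the two look-ups."""
    return min(sil_from_pfd(pfd), sil_from_architecture(subsystem_type, sff, hft))

if __name__ == "__main__":
    # Slide figures: 0.16E-6/h diagnosed, 0.58E-6/h undiagnosed, MTTR 24 h, T 8760 h, SFF 68%.
    pfd_s = pfd_simplex(0.16e-6, 0.58e-6, 24, 8760)
    for hft, pfd in ((0, pfd_s), (1, pfd_duplex(pfd_s)), (2, pfd_tmr(pfd_duplex(pfd_s)))):
        print(f"HFT={hft}: PFD={pfd:.2e} -> Type B SIL {achievable_sil(pfd, 'B', 0.68, hft)}")
```

With the slide's SFF of 68% the simplex channel lands in the SIL 2 PFD band but the Type B architectural table caps it at SIL 1, which is why the redundancy steps matter.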
Field Data Effect
An established product with several years of field reliability statistics in a broad range of applications can enhance the SIL rating.
PZS4 accelerometer - Calculated MTBF of 260 years.
This product has a large field installation and returns indicate a failure rate of 0.22 failures per Mhrs. The FMEA predicted 0.38 failures per Mhrs.
DN2611 has a demonstrated failure rate of 1.5 failures per Mhrs. The FMEA predicted 2.16 failures per MHrs.
Established field data of this kind can move a system from Type B to Type A and therefore increase the SIL rating by ONE.
Life Cycle Activities
“The necessary activities involved in the implementation of safety critical systems”
Note: it starts at the concept stage and finishes after system decommissioning.
• Quality System Enhancements
• Capture of requirements in overall business process
• Project Requirements
• Activities specific to project
Quality System Enhancements
Achieved through extending the existing ISO 9001:2000 quality management system.
• Contract and Project review processes
• External Safety Authority
• Internal Competency Register
• Change Control & Corrective Action
• Vendor / Subcontract Management
• Internal Audit Program
Project Specific Tasks
Projects are operated under the extended quality system with a structured set of activities.
• Hazard and Risk Assessment (SIL Targeting)
• Functional Design Specification to meet above Targeting
• Quality and Safety Plan
• Independent Assessment Reports
• Hardware FMEA
• Software Analysis
Assessed by                Rating
Independent Organisation   SIL 4
Independent Department     SIL 3
Independent Person         SIL 2
Independent Person         SIL 1
Project Specific Tasks (continued)
• Validation Plan
• Test Specifications (User Interface!)
• Environmental
• EMC Directive
• Installation and Commissioning
• Operations and Maintenance Strategy
• Functional Safety Audit
Thank you for your time
Any questions?
Please contact Sensonics