According to the "SIL standard" EN 61508, the
key parameters of a protective system are the
average probability of failure on demand
within a defined proof test interval and the
proportion of undetectable dangerous
failures. To create a gas detection system
that can be classified as, for example, SIL 2,
its designers must, when selecting the
subsystems to use, pay particular attention
to the numerical limits which apply to these
reliability parameters, while at the same time
complying with the measurement performance
regulations.
Whenever combustible gases or liquids are
stored, filled, processed or transported, it
must always be assumed that such substances
will ignite if process failures occur
and cause considerable damage to people
and property. If not detected, the release of
pressurized or cryogenically liquefied gases,
leakages in pipeline systems, or escaping
combustible liquid vapours as a result of
damaged valves or insufficiently leak-tight
seals can result in explosions with serious
consequences or major fires which are difficult
to control. In this sense, gas detection
systems serve as early-warning systems to
detect such potentially hazardous situations
in sufficient time for counteraction to be
initiated and damage to installations to be
either avoided or at least minimized.
Measurement performance standards
Such gas detection systems are not only
required to conform to Directive 94/9/EC
(ATEX 95) because they naturally have
to feature an explosion-proof design, but
above all because they are capable of
detecting potentially explosive atmospheres
at an early stage and, by allowing counteraction
to be taken, can even prevent these
from occurring in the first place. As such, a
gas detection system forms an integral part
of a safety chain and must be additionally
tested for suitability for use in such safety
applications by a Notified Body (Directive
94/9/EC, Annex II, 1.5.5 "Measuring function
for explosion protection"). The standards
upon which this testing is based,
EN 50054 ff, have been harmonized within
Directive 94/9/EC, but are now replaced
by the EN 61779 series of standards.
Based on EN 1127-1, another standard
which has been harmonized, gas detection
systems tested in this manner are regarded
as active systems for concentration limitation
(Section 6.2.2.2), a fundamental explosion
protective measure of such high
priority that the term "primary explosion
protection", which was coined some decades
ago, has remained in common usage.
A lesser known fact is that the use of
performance-tested gas detection systems
can actually significantly reduce the size of
potentially hazardous areas ("Ex zones")
and, as such, not only simplify operational
processes but ultimately save costs.
Equally, gas detection systems for oxygen
measurement also come within the scope
of the Directive if they monitor the limitation
of oxygen in inertization processes. The
harmonized measurement performance
testing standard in this context is the EN
50104.
The measurement performance standards
are complemented – to the extent that the
gas detection instruments contain digital
electronics – by the EN 50271. Testing in
accordance with this standard assesses in
particular the software structure and stability,
possible special conditions, internal
diagnosis facilities and, of course, the hardware,
the interaction between the individual
electronic components and the reliability of
the functional concept.
Functional safety was the main aim during
revision of EN 50271, and it comes as no
surprise that some of the requirements of
the "SIL standard", EN 61508, have already
been incorporated into this standard.
Safety Integrity Level
In this section we will be looking at a further
aspect of EN 61508 which enables
system designers, assuming certain conditions
are met, to demonstrate the reliability
of a safety-oriented system by means
of a numerical evaluation. According to
EN 61508, a protective system used to
avoid damage to persons, the environment
and assets must meet certain reliability
requirements – depending on the extent
of the damage likely to occur – which are
defined on the basis of the so-called Safety
Integrity Level (SIL). The concept of reliability
is founded on statements of probability
such as "How likely is it that a protective
system will fail at just the moment it
is supposed to be carrying out its safety
function?"
Dangerous failures
Safety-oriented systems, therefore, need to
be designed such that any failures which
could have a negative effect on functional
safety will be recognized, dealt with and
reported by appropriate self-diagnostic facilities
and test routines and that the system
will be brought into a safe condition. Such
detectable dangerous failures must be
remedied immediately. This is also in the
interest of the operator: a system that has
been brought into its safe condition is safe,
but it is not necessarily available for
operation at the same time.
However, even diagnostic systems have
their limits. To a certain extent, there will
always also be undetectable dangerous failures,
i.e. failures which remain undetected
and result in failure of the safety function
(in the process-industry terminology of
IEC 61511, the safety instrumented function,
SIF). The only chance of uncovering such
failures is to conduct routine system checks.
This is the reason why the time between two
tests of this kind, the proof test interval TP,
plays such an important role in safety analyses.
The proportion of all failures that are either
safe (i.e. have no effect on the safety
function) or dangerous but detected by the
diagnostics is termed the Safe Failure
Fraction (SFF); only the undetectable
dangerous failures count against it.
For a SIL 2 subsystem without redundancy
(HFT = 0, see below), the SFF must exceed
90%, i.e. the proportion of undetectable
dangerous failures must not be greater than
10%.
This alone, however, is not enough. If such
undetectable dangerous failures do exist,
then, the probability of their occurring within
the proof test interval TP must also be assessed,
i.e. determining how likely it is that
the protective system will fail at the precise
moment the safety function is needed.
Probability of Failure on Demand
The statistical parameter which combines
the undetectable dangerous failure rate and
the proof test interval is known as the average
probability of failure on demand PFDAVG
and, depending on the required SIL, must
not exceed certain limits. For systems conforming
to SIL 2, for example, steps must
be taken to ensure that the PFDAVG is less
than 0.01 (SIL 2 covers the band from 0.001
up to, but not including, 0.01), i.e. the
protective system may fail, on average, no
more than once in 100 demands on the
safety function.
However, the functional safety and, therefore,
the average probability of failure on
demand PFDAVG, relates to the system as a
whole, which can be split into the following
subsystems:
- sensor (SE, probability of failure on
demand PFDSE),
- logic solver (LS, probability of failure
on demand PFDLS) and
- final elements (FE, probability of failure
on demand PFDFE).
For the system as a whole, the probability
of failure on demand is calculated by adding
together these three probabilities, as
follows:
PFDAVG = PFDSE + PFDLS + PFDFE
To calculate the PFDSE of a sensor, for
example, a very detailed evaluation of every
conceivable type of failure and its effects
on every level, right down to the component
level, needs to be performed (FMEDA,
Failure modes, effects and diagnostic analysis),
which is virtually impossible without
the assistance of experts specialized in
such analyses. The outcome of the FMEDA
is a list of different failure types and their
calculated failure rates λ (in h⁻¹), on the
basis of which in particular the failure rate
λDU of the undetectable dangerous failure
can be calculated (DU stands for dangerous
undetected). Such a failure would occur,
for example, if due to an internal failure
a 4-20-mA-transmitter for gas detection
showed a measurement signal of 4 mA
("no gas“) despite the presence of dangerously
high gas concentrations. If this type of
rare failure condition occurs, it will remain
undetected until the next routine test is
conducted (proof test interval TP), at which
point it will of course be discovered immediately
and remedied within a very
short time (MTTR, Mean time to restore).
Statistically speaking, this failure remains
undetected for half of the proof test interval
TP. During this same period, plus the time
needed for repair, the system will of course
also not be able to perform its safety function.
Correspondingly, in this case the average
probability of failure on demand can be
calculated as follows:
PFDAVG = λDU · (TP/2 + MTTR) ≈ 1/2 · λDU · TP
The approximation is permissible since repairs
generally take only a few hours, while
the proof test interval covers a period of several
months. Note that the failure rate and the
proof test interval must be expressed in the
same time unit (e.g. h⁻¹ and hours).
Dangerous failures detected by diagnostic
facilities (failure rate λDD, DD stands for
dangerous detected), of course, also have
an effect – even if a lesser one – on the
PFD, since the safety function is not available
during the repair time MTTR. The
MTTR is generally calculated as being
8 hours, though this naturally assumes
sufficient stocks of spare parts and a repair
service that is initiated without delay. Here
too, as with compliance with the required
proof test intervals TP, the responsibility lies
with the safety engineer.
If system parts are of redundant design or
subjected to voting (e.g. a two-out-of-three
decision), the rules which apply are different
from the above formula; for a two-fold
redundancy (one-out-of-two, 1oo2), for
example, the probability of failure on
demand is
PFDAVG = 1/3 · (λDU · TP)²
Although the figures which result are very
small (on the basis of the above givens,
PFDAVG = 2.6 · 10⁻⁵), consideration must
realistically also be given to failures which
influence both subsystems simultaneously,
thereby removing the redundancy again;
these are known as common cause failures.
The proportion of these is stated by a
β-factor which is usually assumed to be
0.05 or 0.1:
PFDAVG = 1/3 · (λDU · TP)² + β · λDU · TP
In practice, the second term is usually the
larger, even in the case of a small β-factor.
(The detailed formula in EN 61508-6 uses
β · λDU · TP/2 for the common cause term;
the form given here is conservative by a
factor of two.)
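The following Python module is an added worked example, not part of the original article and not Dräger's tooling. It carries the single-channel formula, the 1oo2 formula and the common cause term above through with assumed figures, since the page's own input values are not reproduced here: λDU = 1·10⁻⁶ h⁻¹, TP = one year (8760 h), MTTR = 8 h and β = 0.1 (these assumptions give the 2.6·10⁻⁵ quoted above). It also computes the SFF from the three failure-rate classes and the SIL band a PFDAVG falls into.

```python
"""PFDavg and SFF arithmetic for one low-demand safety function (added example).

Assumed input figures, not given on this page: lambda_DU = 1e-6 per hour, TP = one year
(8760 h), MTTR = 8 h, beta = 0.1.  These reproduce the 2.6e-5 quoted in the text.
"""

HOURS_PER_YEAR = 8760.0


def safe_failure_fraction(lambda_s, lambda_dd, lambda_du):
    """SFF = (safe + dangerous detected) / all failures; only DU failures count against it."""
    total = lambda_s + lambda_dd + lambda_du
    if total <= 0:
        raise ValueError("failure rates must sum to a positive value")
    return (lambda_s + lambda_dd) / total


def pfd_1oo1(lambda_du, tp_hours, mttr_hours=8.0, lambda_dd=0.0):
    """Single channel (HFT = 0): a DU failure is hidden for TP/2 on average and then for the
    repair time; a DD failure removes the function only for the repair time."""
    return lambda_du * (tp_hours / 2.0 + mttr_hours) + lambda_dd * mttr_hours


def pfd_1oo1_approx(lambda_du, tp_hours):
    """The simplified form 1/2 * lambda_DU * TP, valid while MTTR << TP."""
    return 0.5 * lambda_du * tp_hours


def pfd_1oo2(lambda_du, tp_hours, beta=0.1):
    """Two-fold redundancy (HFT = 1).  Returns the two terms separately:
    (lambda_DU * TP)^2 / 3 for independent failure of both channels, and
    beta * lambda_DU * TP for a common cause failure that defeats the redundancy."""
    x = lambda_du * tp_hours
    return x * x / 3.0, beta * x


def sil_band(pfd_avg):
    """Low-demand SIL reached by a PFDavg: SIL n needs 10^-(n+1) <= PFDavg < 10^-n.
    Returns 0 if not even SIL 1 is met; values below 1e-5 are still reported as SIL 4."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd_avg < upper:
            return sil
    return 0


def worked_example(lambda_du=1e-6, tp_hours=HOURS_PER_YEAR, mttr_hours=8.0, beta=0.1):
    """Carries the assumed figures through every formula; returns a dict of results."""
    single = pfd_1oo1(lambda_du, tp_hours, mttr_hours)
    independent, common_cause = pfd_1oo2(lambda_du, tp_hours, beta)
    return {
        "pfd_1oo1": single,
        "pfd_1oo1_approx": pfd_1oo1_approx(lambda_du, tp_hours),
        "pfd_1oo2_independent": independent,      # the 2.6e-5 quoted in the text
        "pfd_1oo2_common_cause": common_cause,
        "pfd_1oo2_total": independent + common_cause,
        "common_cause_dominates": common_cause > independent,
        "sil_1oo1": sil_band(single),
        "sil_1oo2": sil_band(independent + common_cause),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key:>24}: {value}")
    # Halving the proof test interval halves the hidden-failure exposure:
    print("pfd_1oo1 at TP = 6 months:", pfd_1oo1(1e-6, HOURS_PER_YEAR / 2))
```

With the assumed inputs the single channel lands at PFDAVG ≈ 4.4·10⁻³ (SIL 2), the independent 1oo2 term at 2.6·10⁻⁵ and the common cause term at 8.8·10⁻⁴, which is why the second term dominates in practice. The formulas take rates per hour and intervals in hours; mixing units (a per-year rate with an hourly interval) is the most common way to get these numbers wrong by orders of magnitude.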
System design
The PFDAVG of the system as a whole,
therefore, is determined by
- the failure rate of the undetectable
dangerous failure λDU
- the choice of proof test intervals TP
- the architecture (linear, redundant,
voting).
In the case of the subsystem, the failure
rate λDU is determined by conducting an
FMEDA and is usually certified by independent
testing institutes and ensured by
quality assurance measures. The system
designer, therefore, is able to define the
proof test interval and the architecture of
the system as a whole. There are, however,
practical limits: companies are not keen for
proof test intervals to be too short, as this
can result in more frequent downtime, and
redundancies and voting incur considerable
costs.
It is therefore the system designer's goal
to use subsystems which, if subjected to
testing just once every year and provided
with no redundancies whatsoever, will fall
as far below the maximum permissible PFD
as possible.
For a system classified as SIL 2, for
example, the designer will achieve the
aforementioned goal by using a sensor with
PFDSE = 0.002 and a logic solver with
PFDLS = 0.001, each based on annual proof
testing.
To ensure the PFDAVG < 0.01 that is required
for SIL 2, the final elements still to be
procured must have a PFDFE of less than
0.007 if they are also to be tested only
once a year.
HFT and redundancies
The hardware failure tolerance HFT describes
the behaviour of a complex system
or subsystem in a failure condition. In the
case of linear architecture, i.e. a system
without redundancies, the safety function
is no longer guaranteed if just one failure
(HFT = 0) occurs, while a redundant
architecture continues to remain operational
even when a failure occurs (HFT = 1 or
higher, table 1).
As can be seen from the above table
(see EN 61508, Section 7.4.3.1.4), SIL 2
classification can only be achieved for
linear architecture (HFT = 0) if the SFF
is greater than 90%, i.e. the proportion of
undetectable dangerous failures must be
below 10%. If, on the other hand, the SFF
is only 80%, SIL 2 can only be achieved by
means of redundancy (HFT = 1).
The functional safety of a subsystem (e.g.
of a sensor), therefore, can only be fully
specified if the PFD with the respective
proof test interval TP, the SFF and the HFT
are stated.
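Putting together the SIL 2 budget from the "System design" section and the SFF/HFT constraint just described, the following Python is an added worked example, not the article's or Dräger's code. It sums the subsystem PFDs, works out what is left for the final element, solves for the longest proof test interval a candidate final element could have, and applies the architectural constraint to each subsystem. The type B constraint table is quoted from EN 61508-2 (Table 3) as an assumption, since the article's table 1 is not reproduced on this page; the sensor and logic solver SFF values and the candidate final element (λDU = 1.2·10⁻⁶ h⁻¹, SFF 93% or 80%) are constructed.

```python
"""SIL 2 design check for a sensor / logic solver / final element chain (added example).

Assumptions, not from the article: the type B architectural table below is quoted from
EN 61508-2, Table 3; the subsystem SFF values and the candidate final element are constructed.
"""

HOURS_PER_YEAR = 8760.0

# Upper PFDavg limit per SIL in low-demand mode: SIL n requires PFDavg < 10^-n.
PFD_UPPER = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}

# Highest SIL a type B subsystem may claim, by HFT (key) and SFF band (index):
# bands are SFF < 60 %, 60 % to < 90 %, 90 % to < 99 %, >= 99 %; 0 means not allowed.
TYPE_B_MAX_SIL = {
    0: (0, 1, 2, 3),
    1: (1, 2, 3, 4),
    2: (2, 3, 4, 4),
}


def sff_band(sff):
    """Index of the SFF band used by the architectural-constraint table."""
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


def architectural_max_sil(sff, hft):
    """SIL ceiling from SFF and HFT alone, regardless of how good the PFD is."""
    return TYPE_B_MAX_SIL[min(hft, 2)][sff_band(sff)]


def remaining_pfd_budget(target_sil, *known_pfds):
    """PFDavg left for the subsystems not yet chosen (PFDavg of the chain is the sum)."""
    return PFD_UPPER[target_sil] - sum(known_pfds)


def pfd_1oo1(lambda_du, tp_hours, mttr_hours=8.0):
    """Single-channel PFDavg: a DU failure is hidden for TP/2 on average plus the repair time."""
    return lambda_du * (tp_hours / 2.0 + mttr_hours)


def max_proof_test_interval_1oo1(lambda_du, pfd_budget, mttr_hours=8.0):
    """Longest TP (hours) at which pfd_1oo1 still fits the budget; 0 if even TP = 0 does not."""
    return max(2.0 * (pfd_budget / lambda_du - mttr_hours), 0.0)


def check_design(target_sil, subsystems):
    """Both tests the article requires: summed PFDavg below the SIL limit, and every
    subsystem's SFF/HFT pair permitting the target SIL.  Returns (ok, list_of_reasons)."""
    reasons = []
    total = sum(s["pfd"] for s in subsystems)
    if total >= PFD_UPPER[target_sil]:
        reasons.append(f"PFDavg {total:.3g} is not below {PFD_UPPER[target_sil]:g}")
    for s in subsystems:
        ceiling = architectural_max_sil(s["sff"], s["hft"])
        if ceiling < target_sil:
            reasons.append(f"{s['name']}: SFF {s['sff']:.0%} with HFT {s['hft']} "
                           f"allows at most SIL {ceiling}")
    return not reasons, reasons


def worked_example():
    """The article's SIL 2 budget with constructed SFF values and a constructed final element."""
    sensor = {"name": "sensor", "pfd": 0.002, "sff": 0.93, "hft": 0}
    logic = {"name": "logic solver", "pfd": 0.001, "sff": 0.95, "hft": 0}
    budget = remaining_pfd_budget(2, sensor["pfd"], logic["pfd"])       # 0.007

    lambda_du_fe = 1.2e-6                       # constructed candidate valve, per hour
    tp_max = max_proof_test_interval_1oo1(lambda_du_fe, budget)
    fe = {"name": "final element", "pfd": pfd_1oo1(lambda_du_fe, HOURS_PER_YEAR),
          "sff": 0.93, "hft": 0}
    # Same element with poorer diagnostic coverage: SFF 80 %.
    fe_low_sff = dict(fe, sff=0.80)
    # ...and that poorer element installed twice (HFT = 1).  Its PFDavg would also drop
    # (1oo2 formula); it is left at the single-channel value here, which is conservative
    # for the PFD test and does not affect the SFF/HFT test being demonstrated.
    fe_low_sff_redundant = dict(fe_low_sff, hft=1)

    return {
        "budget_fe": budget,
        "tp_max_hours": tp_max,
        "annual_test_fits": tp_max >= HOURS_PER_YEAR,
        "design_ok": check_design(2, [sensor, logic, fe]),
        "design_low_sff": check_design(2, [sensor, logic, fe_low_sff]),
        "design_low_sff_redundant": check_design(2, [sensor, logic, fe_low_sff_redundant]),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key:>26}: {value}")
```

For the constructed valve the remaining budget of 0.007 allows a proof test interval of roughly 11,650 hours, so annual testing fits with margin. The same valve with an SFF of 80% passes the PFD test but fails the design check at HFT = 0, and passes again only when installed redundantly (HFT = 1), which is exactly the point of stating PFD, TP, SFF and HFT together.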
Sensor for SIL 2
By way of 4-20-mA-transmitters for gas
detection, Dräger Safety presents three
instruments assessed by an independent
institute (table 2).
As can be seen from the relevant figures
given in the table for the Polytron transmitters,
these sensors are ideally suited for
creating a gas detection system classified
as SIL 2.
In the interests of clarity and ease of
comprehension, the fact that EN 61508
requires the complete life cycle of a protective
system to be taken into consideration,
especially aspects of operation and maintenance,
has been ignored in this article.
Instead, the focus was on familiarizing the
reader with the relevant terms and definitions
contained in this standard relating to
protective systems.
Dr. Wolfgang Jessel
Dräger Safety AG & Co. KGaA
Dräger Safety AG & Co. KGaA
Revalstrasse 1
23560 Luebeck, Germany
Tel +49 451 882 0
Fax +49 451 882 2080