AI 960 Safety Evaluation
Uploaded by: Melinda
Views: 1245
Category: Education
License: All Rights Reserved
Added: January 07, 2008
Presentation Description: No description available.

Comments

By: pinlee (16 month(s) ago)
Dear Sir, it's really a good presentation about the safety analysis. I'm excited to learn much more from it. Would you mind sending this ppt to me for further study? Your kind sharing would be highly appreciated. My e-mail is robinleegood@gmail.com. Thanks again.

By: prashant143 (19 month(s) ago)
Sir, please send me this ppt to prashant.singer.r@orkut.com

By: prashant143 (19 month(s) ago)
Sir, please mail me this presentation to my mail prashant.singer.r@gmail.com

By: arsmah (42 month(s) ago)
It is a wonderful presentation. I was not able to read a few slides due to the small text size. I'll highly appreciate it if you could allow me to download this presentation. Thank you. Dr Arshad ahmood

Presentation Transcript

Slide 1: Safety analysis and standards
Sicherheitsanalyse und Normen / Analyse de sécurité et normes
Section 9.6
Dr. B. Eschermann, ABB Research Center, Baden, Switzerland
Industrial Automation / Automation Industrielle / Industrielle Automation

Overview: Dependability Analysis
9.6.1 Qualitative Evaluation
- Failure Mode and Effects Analysis (FMEA)
- Fault Tree Analysis (FTA)
- Example: Differential pressure transmitter
9.6.2 Quantitative Evaluation
- Combinational Evaluation
- Markov Chains
- Example: Bus-bar Protection
9.6.3 Dependability Standards and Certification
- Standardization Agencies
- Standards

Failure Mode and Effects Analysis (FMEA)
Analysis method to identify component failures which have significant consequences affecting the system operation in the application considered.
→ identify faults (component failures) that lead to system failures.
[Figure: component 1 ... component n, each with failure mode 1 ... failure mode k, every failure mode leading to the question "effect on system?"]
FMEA is inductive (bottom-up).

FMEA: Coffee machine example
component                 failure mode   effect on system
water tank                empty          no coffee produced
                          too full       electronics damaged
coffee bean container     empty          no coffee produced
                          too full       coffee mill gets stuck
coffee grounds container  too full       coffee grounds spilled
...

FMEA: Purpose (overall)
There are different reasons why an FMEA can be performed:
- Evaluation of effects and sequences of events caused by each identified item failure mode (→ get to know the system better)
- Determination of the significance or criticality of each failure mode as to the system's correct function or performance and the impact on the availability and/or safety of the related process (→ identify weak spots)
- Classification of identified failure modes according to their detectability, diagnosability, testability, item replaceability and operating provisions (tests, repair, maintenance, logistics etc.) (→ take the necessary precautions)
- Estimation of measures of the significance and probability of failure (→ demonstrate level of availability/safety to user or certification agency)

FMEA: Critical decisions
Depending on the exact purpose of the analysis, several decisions have to be made:
- For what purpose is it performed (find weak spots ↔ demonstrate safety to certification agency; demonstrate safety ↔ compute availability)?
- When is the analysis performed (e.g. before ↔ after detailed design)?
- What is the system (highest level considered), and where are the boundaries to the external world (which is assumed fault-free)?
- Which components are analyzed (lowest level considered)?
- Which failure modes are considered (electrical, mechanical, hydraulic, design faults, human/operation errors)?
- Are secondary and higher-order effects considered (i.e. one fault causing a second fault which then causes a system failure etc.)?
- By whom is the analysis performed (designer, who knows the system best ↔ third party, which is unbiased and brings in an independent view)?

FMEA and FMECA
FMEA only provides qualitative analysis (cause-effect chain).
FMECA (failure mode, effects and criticality analysis) also provides (limited) quantitative information:
- each basic failure mode is assigned a failure probability and a failure criticality
- if, based on the result of the FMECA, the system is to be improved (to make it more dependable), the failure modes with the highest probability leading to failures with the highest criticality are considered first.
Coffee machine example:
- If the coffee machine is damaged, this is more critical than if the coffee machine is OK and no coffee can be produced temporarily.
- If the water has to be refilled every 20 cups and the coffee has to be refilled every 2 cups, the failure mode "coffee bean container too full" is more probable than "water tank too full".

Criticality Grid
[Figure: grid with criticality levels I, II, III, IV on one axis and probability of failure (very low, low, medium, high) on the other]

Failure Criticalities
IV: Any event which could potentially cause the loss of primary system function(s) resulting in significant damage to the system or its environment and causes the loss of life
III: Any event which could potentially cause the loss of primary system function(s) resulting in significant damage to the system or its environment and negligible hazards to life
II: Any event which degrades system performance function(s) without appreciable damage to either system, environment or lives
I: Any event which could cause degradation of system performance function(s) resulting in negligible damage to either system or environment and no damage to life

FMEA/FMECA: Result
Depending on the result of the FMEA/FMECA, it may be necessary to:
- change design, introduce redundancy, reconfiguration, recovery etc.
- introduce tests, diagnoses, preventive maintenance
- focus quality assurance, inspections etc. on key areas
- select alternative materials, components
- change operating conditions (e.g. duty cycles to anticipate/avoid wear-out failures)
- adapt operating procedures (allowed temperature range etc.)
- perform design reviews
- monitor problem areas during testing, check-out and use
- exclude liability for identified problem areas

FMEA: Steps (1)
1) Break down the system into components.
2) Identify the functional structure of the system and how the components contribute to functions.
[Figure: components mapped to functions f1 ... f7]

FMEA: Steps (2)
3) Define failure modes of each component:
- new components: refer to similar, already used components
- commonly used components: base on experience and measurements
- complex components: break down into subcomponents and derive the failure modes of the component by FMEA on the known subcomponents
- other: use common sense, deduce possible failures from functions and physical parameters typical of the component operation
4) Perform the analysis for each failure mode of each component and record the results in a table with the columns: component name/ID, function, failure mode, failure cause, failure effect (local, global), failure detection, other provision, remark.

Example (Generic) Failure Modes
- fails to remain (in position)
- fails to open
- fails to close
- fails if open
- fails if closed
- restricted flow
- fails out of tolerance (high)
- fails out of tolerance (low)
- inadvertent operation
- intermittent operation
- premature operation
- delayed operation
- false actuation
- fails to stop
- fails to start
- fails to switch
- erroneous input (increased)
- erroneous input (decreased)
- erroneous output (increased)
- erroneous output (decreased)
- loss of input
- loss of output
- erroneous indication
- leakage

Other FMEA Table Entries
Failure cause: Why is it that the component fails in this specific way? Identifying failure causes is important to
- estimate the probability of occurrence
- uncover secondary effects
- devise corrective actions
Local failure effect: Effect on the system element under consideration (e.g. on the output of the analyzed component). In certain instances there may not be a local effect beyond the failure mode itself.
Global failure effect: Effect on the highest considered system level. The end effect might be the result of multiple failures occurring as a consequence of each other.
Failure detection: Methods that should be used to detect the component failure.
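The FMEA table of step 4 and the FMECA criticality grid can be carried as plain records, which makes the "highest criticality, highest probability first" ordering mechanical and lets the table be checked for inconsistent classes. The following is an added example, not code from the slides; the table rows reuse the coffee-machine failure modes from the slides, but the probability classes, criticality levels, causes and detection entries filled in for them are constructed for illustration.

```python
"""FMECA record table and criticality-grid ranking (added example, not from the slides)."""
from dataclasses import dataclass
from typing import List, Tuple

# Probability classes of the criticality grid, ordered from least to most likely.
PROBABILITY_CLASSES = ("very low", "low", "medium", "high")
# Criticality levels I..IV as defined on the "Failure Criticalities" slide.
CRITICALITY_LEVELS = ("I", "II", "III", "IV")


@dataclass
class FmecaEntry:
    """One row of the FMEA table (the columns of step 4) plus the two FMECA
    quantities: a probability class and a criticality level."""
    component: str
    function: str
    failure_mode: str
    failure_cause: str
    local_effect: str
    global_effect: str
    probability: str          # one of PROBABILITY_CLASSES
    criticality: str          # one of CRITICALITY_LEVELS
    detection: str = ""
    other_provision: str = ""
    remark: str = ""


def validate(entry: FmecaEntry) -> None:
    """Reject rows whose classes are not on the grid; a typo here would silently
    mis-rank the failure mode."""
    if entry.probability not in PROBABILITY_CLASSES:
        raise ValueError(f"unknown probability class {entry.probability!r}")
    if entry.criticality not in CRITICALITY_LEVELS:
        raise ValueError(f"unknown criticality level {entry.criticality!r}")


def grid_position(entry: FmecaEntry) -> Tuple[int, int]:
    """Position on the criticality grid as (criticality index, probability index).
    Criticality is the primary key, so a rare but lethal failure mode outranks a
    frequent but harmless one."""
    validate(entry)
    return (CRITICALITY_LEVELS.index(entry.criticality),
            PROBABILITY_CLASSES.index(entry.probability))


def prioritize(entries: List[FmecaEntry]) -> List[FmecaEntry]:
    """Order rows so the ones to be improved first come first (stable for ties)."""
    return sorted(entries, key=grid_position, reverse=True)


# Constructed rows for the coffee-machine example; the class assignments follow the
# slide's reasoning (damage > temporary outage; beans overfilled more often than water).
COFFEE_MACHINE = [
    FmecaEntry("water tank", "store water", "empty", "not refilled",
               "no water flow", "no coffee produced", "high", "I"),
    FmecaEntry("water tank", "store water", "too full", "overfilled by user",
               "water overflows", "electronics damaged", "very low", "III",
               detection="level sensor", other_provision="overflow drain"),
    FmecaEntry("coffee bean container", "store beans", "empty", "not refilled",
               "no beans to mill", "no coffee produced", "high", "I"),
    FmecaEntry("coffee bean container", "store beans", "too full", "overfilled by user",
               "beans jam the mill", "coffee mill gets stuck", "low", "II",
               detection="mill motor current monitor"),
    FmecaEntry("coffee grounds container", "collect grounds", "too full", "not emptied",
               "grounds overflow", "coffee grounds spilled", "medium", "I"),
]


def ranked_failure_modes(entries: List[FmecaEntry] = COFFEE_MACHINE) -> List[Tuple[str, str]]:
    """(component, failure mode) pairs in the order they should be addressed."""
    return [(e.component, e.failure_mode) for e in prioritize(entries)]


def format_table(entries: List[FmecaEntry]) -> str:
    """Render the step-4 table columns as aligned plain text."""
    cols = ["component", "failure_mode", "failure_cause", "local_effect", "global_effect",
            "probability", "criticality", "detection", "other_provision"]
    rows = [[getattr(e, c) for c in cols] for e in entries]
    widths = [max(len(str(r[i])) for r in [cols] + rows) for i in range(len(cols))]

    def fmt(row):
        return "  ".join(str(v).ljust(w) for v, w in zip(row, widths))

    return "\n".join([fmt(cols)] + [fmt(r) for r in rows])


if __name__ == "__main__":
    print(format_table(prioritize(COFFEE_MACHINE)))
```

Running the block prints the table with "water tank / too full" (criticality III) first and the two "empty" modes ahead of the spilled grounds, because the grid sorts by criticality before probability; the validation step is what turns a mistyped class into an error instead of a quietly mis-ranked row.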
Other provisions: Design features that might be introduced to prevent or reduce the effect of the failure mode (e.g. redundancy, alarm devices, operating restrictions).

Common Mode Failures (CMF)
In FMEA all failures are analyzed independently of each other. Common mode failures are related failures that can occur due to a single source such as a design error, wrong operating conditions, human error etc.
Example: Failure of a power supply common to redundant units causes both redundant units to fail at the same time.
[Figure: failure mode x alone → no problem; failure mode y alone → no problem; a common source triggers x and y together (AND) → serious consequence]

Example: Differential Pressure Transmitter (1)
Functionality: Measure the difference in pressures p1 – p2.
[Figure: a diaphragm between pressures p1 and p2 moves an iron core between two coils with inductivities L1 and L2; coil signals i1(t), u1(t), i2(t), u2(t)]
p1 – p2 = f1(inductivity L1, temperature T, static pressure p)
p1 – p2 = f2(inductivity L2, temperature T, static pressure p)

Example: Differential Pressure Transmitter (2)
[Figure: block diagram of the transmitter. Acquisition of sensor inputs: p1 → L1, p2 → L2, p static, Temp sens, Temp elec. Sensor data preparation: A/D conversion. Sensor data processing: processing 1 and processing 2 with checking (limits, consistency). Output data generation: controlled current generator, 4..20 mA output current generator, safe output (e.g. upscale). Supporting blocks: power supply, watchdog. Different failure effects are marked at each stage.]

FMEA for Pressure Transmitter
continue on your own ...

Fault Tree Analysis (FTA)
In contrast to FMEA (which is inductive, bottom-up), FTA is deductive (top-down).
FMEA: failure modes of components → failures of the system
FTA: system state to avoid → possible causes of the state
The main problem with both FMEA and FTA is not to forget anything important. Doing both FMEA and FTA may help to become more complete (2 different views).

Example Fault Tree Analysis
[Figure: top event "coffee machine doesn't work" is an OR gate (≥1) over "water tank empty", "power switch off" and "no coffee beans". Legend: basic event = not further developed; undeveloped event = analyzed elsewhere; gate symbols ≥1 (OR) and & (AND).]

Example: Protection System
[Figure: two tripping algorithms, each with its own inputs and trip signal, combined by an AND (&) gate; a comparison between the two and repair are also shown.]
- overfunctions reduced: Po,tot = Po^2
- underfunctions increased: Pu,tot = 2Pu – Pu^2
Comparison and repair make dynamic modeling necessary.

FTA: IEC Standard
- defines basic principles of FTA
- provides the required steps for the analysis
- identifies appropriate assumptions, events and failure modes
- provides identification rules and symbols

Markov Model
[Figure: state diagram with the states OK; latent overfunction, 1 chain, not detectable; detectable error, 1 chain, repair; latent underfunction, not detectable; latent underfunction, 2 chains, not detectable; overfunction; underfunction. Transition rates on the arcs: (λ1+λ2)(1–c), λ3(1–c), (λ1+λ2+λ3)c, μ, σ1+λ1(1–c), σ2, λ1(1–c), (λ1+λ2)c+λ3, λ2(1–c).]
Parameters: λ1 = 0.01, λ2 = λ3 = 0.025, σ1 = 5, σ2 = 1, μ = 365 [1/Y]; c = 0.9

Analysis Results
[Figure: bar chart of mean time to overfunction [Y] and mean time to underfunction [Y] for the configurations weekly test, 2-yearly test, permanent comparison (redundant HW) and permanent comparison (SW); axis values shown: 50, 200, 300, 400, 500, 5000. Assumption: SW error-free.]

Example: IEC 61508
Generic standard for safety-related systems. Specifies 4 safety integrity levels, or SILs (with specified max. failure rates):
safety integrity level   control systems [per hour]   protection systems [per operation]
4                        ≥ 10^-9 to < 10^-8           ≥ 10^-5 to < 10^-4
3                        ≥ 10^-8 to < 10^-7           ≥ 10^-4 to < 10^-3
2                        ≥ 10^-7 to < 10^-6           ≥ 10^-3 to < 10^-2
1                        ≥ 10^-6 to < 10^-5           ≥ 10^-2 to < 10^-1
For each of the safety integrity levels it specifies requirements (see copy out of standard).

Cradle-to-grave reliability (IEC 61508)
[Figure: overall safety lifecycle, numbered boxes]
1 concept
2 overall scope definition
3 hazard and risk analysis
4 overall safety requirements
5 safety requirements allocation
6 overall operation and maintenance planning
7 overall safety validation planning
8 overall installation and commissioning planning
(6 to 8 together: overall planning)
9 safety-related systems: E/E/PES (realisation)
10 safety-related systems: other technology (realisation)
11 external risk reduction facilities (realisation)
12 overall installation and commissioning
13 overall safety validation
14 overall operation, maintenance and repair
15 overall modifications and retrofit
16 decommissioning and disposal

IEC 61580
[Slide title only; no content recovered.]

Software safety integrity and the development lifecycle (V-model)
[Slide title only; no content recovered.]
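The "Combinational Evaluation" of a fault tree, and the reason the protection-system slide arrives at Po^2 and 2Pu – Pu^2, can be made concrete with a small evaluator. The following is an added example, not code from the slides: it evaluates AND/OR trees two ways, once with the per-gate product formulas that assume independent branches, and once exactly by enumerating every combination of basic events. The two agree for the coffee-machine tree and for the two-algorithm protection system, and diverge as soon as a common-cause event (the CMF slide's shared power supply) appears under both branches. The event probabilities PO, PU and P_COMMON are constructed values.

```python
"""Fault tree evaluation: independent gate formulas vs exact enumeration
(added example, not from the slides)."""
from itertools import product
from typing import Dict


class Event:
    """Basic event with probability p; the same object may appear in several branches."""
    def __init__(self, name: str, p: float):
        self.name, self.p = name, p

    def leaves(self) -> Dict[str, float]:
        return {self.name: self.p}

    def independent(self) -> float:
        return self.p

    def holds(self, state: Dict[str, bool]) -> bool:
        return state[self.name]


class Gate:
    """AND or OR gate over sub-trees (Events or Gates)."""
    def __init__(self, kind: str, *children):
        if kind not in ("AND", "OR"):
            raise ValueError("gate kind must be AND or OR")
        self.kind, self.children = kind, children

    def leaves(self) -> Dict[str, float]:
        out: Dict[str, float] = {}
        for c in self.children:
            out.update(c.leaves())
        return out

    def independent(self) -> float:
        """Gate formulas valid only if the branches are stochastically independent:
        AND -> product of p, OR -> 1 - product of (1 - p)."""
        ps = [c.independent() for c in self.children]
        acc = 1.0
        if self.kind == "AND":
            for p in ps:
                acc *= p
            return acc
        for p in ps:
            acc *= 1.0 - p
        return 1.0 - acc

    def holds(self, state: Dict[str, bool]) -> bool:
        fn = all if self.kind == "AND" else any
        return fn(c.holds(state) for c in self.children)


def top_event_probability(tree) -> float:
    """Exact probability of the top event: sum the weight of every assignment of
    the basic events under which the tree holds (fine for small trees)."""
    leaves = tree.leaves()
    names = list(leaves)
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        weight = 1.0
        for n, b in state.items():
            weight *= leaves[n] if b else 1.0 - leaves[n]
        if tree.holds(state):
            total += weight
    return total


# Constructed probabilities for the examples below.
PO, PU, P_COMMON = 0.01, 0.05, 0.001


def coffee_machine_tree() -> Gate:
    """The slide's OR tree: "coffee machine doesn't work"."""
    return Gate("OR", Event("water tank empty", 0.10),
                Event("power switch off", 0.02), Event("no coffee beans", 0.05))


def protection_system_probabilities():
    """Two tripping algorithms ANDed: overfunction needs both (Po^2), underfunction
    occurs if either fails to trip (1 - (1-Pu)^2 = 2Pu - Pu^2)."""
    over = Gate("AND", Event("alg1 overfunctions", PO), Event("alg2 overfunctions", PO))
    under = Gate("OR", Event("alg1 underfunctions", PU), Event("alg2 underfunctions", PU))
    return over.independent(), under.independent(), top_event_probability(over), top_event_probability(under)


def overfunction_with_common_cause():
    """Each algorithm overfunctions through its own fault OR a shared cause; the
    shared event is repeated, so the independent formula understates the risk."""
    common = Event("shared spurious input", P_COMMON)
    tree = Gate("AND", Gate("OR", Event("alg1 overfunctions", PO), common),
                Gate("OR", Event("alg2 overfunctions", PO), common))
    return tree.independent(), top_event_probability(tree)


if __name__ == "__main__":
    print("coffee machine:", top_event_probability(coffee_machine_tree()))
    print("protection system (over, under):", protection_system_probabilities()[:2])
    print("common cause (naive, exact):", overfunction_with_common_cause())
```

The exact value with the shared event is P_COMMON + (1 – P_COMMON)·Po^2, roughly nine times the value the gate formulas give for these numbers; that gap is the quantitative face of the common mode failure slide, and it is why an FMEA done "independently of each other" needs a separate CMF pass.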
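The Markov model and the IEC 61508 table on the slides are connected by one computation: solving the chain for the mean time to reach a failure state, converting it to a failure rate, and reading off the SIL band. The following is an added example, not code from the slides. Its chain is a constructed 1-out-of-2 model with detected and latent single-channel failures (not the seven-state bus-bar protection model of the slide, whose arc assignments are not recoverable from the transcript); the default rate values are borrowed from the slide's parameter list, and the SIL bands are the ones in the slide's IEC 61508 table. The mean time to absorption is obtained by solving the linear system (–Q_TT)·t = 1 with plain Gauss-Jordan elimination, so no third-party library is needed.

```python
"""Mean time to failure from a continuous-time Markov model, mapped to the
IEC 61508 SIL bands (added example, not from the slides)."""
from typing import Dict, List, Optional, Set

HOURS_PER_YEAR = 8760


def build_1oo2_generator(lam: float, mu: float, sigma: float, c: float) -> List[List[float]]:
    """Generator matrix Q of a constructed 1-out-of-2 model (not the slide's model).
    States: 0 = both channels OK
            1 = one channel failed, detected -> under repair (rate mu)
            2 = one channel failed, latent -> revealed by periodic test (rate sigma)
            3 = both channels failed (absorbing: system failure)
    lam = per-channel failure rate, c = diagnostic coverage; rates in 1/year."""
    return [
        [-2 * lam, 2 * lam * c,  2 * lam * (1 - c), 0.0],
        [mu,       -(mu + lam),  0.0,               lam],
        [0.0,      sigma,        -(sigma + lam),    lam],
        [0.0,      0.0,          0.0,               0.0],
    ]


def solve_linear(a: List[List[float]], b: List[float]) -> List[float]:
    """Solve a x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        if abs(m[col][col]) < 1e-15:
            raise ValueError("singular system: a transient state cannot reach absorption")
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for k in range(col, n + 1):
                    m[r][k] -= f * m[col][k]
    return [m[i][n] / m[i][i] for i in range(n)]


def mean_time_to_absorption(q: List[List[float]], absorbing: Set[int]) -> Dict[int, float]:
    """Expected time to reach an absorbing state from each transient state:
    solve (-Q_TT) t = 1, where Q_TT restricts Q to the transient states."""
    transient = [i for i in range(len(q)) if i not in absorbing]
    a = [[-q[i][j] for j in transient] for i in transient]
    return dict(zip(transient, solve_linear(a, [1.0] * len(transient))))


def system_mttf_years(lam: float = 0.01, mu: float = 365.0, sigma: float = 5.0, c: float = 0.9) -> float:
    """MTTF in years starting from the all-OK state; defaults borrow the slide's
    lambda1, mu, sigma1 and c values as constructed inputs."""
    return mean_time_to_absorption(build_1oo2_generator(lam, mu, sigma, c), {3})[0]


def failure_rate_per_hour(mttf_years: float) -> float:
    return 1.0 / (mttf_years * HOURS_PER_YEAR)


# SIL bands from the slide's IEC 61508 table: SIL -> (lower bound inclusive, upper exclusive).
SIL_BANDS = {
    "continuous": {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)},  # per hour
    "demand":     {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)},  # per operation
}


def sil_band(rate: float, mode: str = "continuous") -> Optional[int]:
    """SIL whose band contains the rate, or None if the rate lies outside all bands."""
    for sil, (lo, hi) in SIL_BANDS[mode].items():
        if lo <= rate < hi:
            return sil
    return None


if __name__ == "__main__":
    mttf = system_mttf_years()
    rate = failure_rate_per_hour(mttf)
    print(f"MTTF = {mttf:.0f} years, rate = {rate:.2e}/h, SIL band = {sil_band(rate)}")
    print("without repair or testing:", system_mttf_years(mu=0.0, sigma=0.0, c=1.0), "years")
```

With repair and testing switched off and full coverage the chain reduces to two components in parallel without repair, so the solver must return 1/(2λ) + 1/λ = 150 years; that closed form is a useful sanity check before trusting the solver on a model with no hand-computable answer. Note that a rate below the SIL 4 band comes back as None rather than "SIL 4": the table bounds are what the slide states, and the classification should not silently extend them.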