System Design According to IEC/EN 62061
If a system designer uses components already packaged into subsystems according to IEC/EN 62061, life becomes much easier, because the specific requirements for the design of subsystems do not apply at system level. These requirements are, in general, met by the device (subsystem) manufacturer and are much more involved than those for system level design.
IEC/EN 62061 requires that complex subsystems such as safety PLCs comply with IEC 61508. This means that, for devices using complex electronic or programmable components, the full rigor of IEC 61508 applies. This can be a very difficult and involved process. For example, the evaluation of the PFHD achieved by a complex subsystem can be a very complicated process using techniques such as Markov modeling, reliability block diagrams or fault tree analysis.
IEC/EN 62061 does give requirements for the design of lower complexity subsystems. Typically this would include relatively simple electrical components such as interlock switches and electromechanical safety monitoring relays. The requirements are not as involved as those in IEC 61508 but can still be very complicated.
IEC/EN 62061 supplies four subsystem logical architectures with accompanying formulae that can be used to evaluate the PFHD achieved by a low complexity subsystem. These architectures are purely logical representations and should not be thought of as physical architectures. The four subsystem logical architectures with accompanying formulae are shown in Figures 150 through 153.
Figure 150: Subsystem logical architecture A

$$\lambda_{DssA} = \lambda_{De1} + \lambda_{De2} + \dots + \lambda_{Den}$$
$$PFHD_{ssA} = \lambda_{DssA} \times 1\,\mathrm{h}$$
For the basic subsystem architecture shown in Figure 150, the dangerous failure rates of the elements are simply added together.
λ (lambda) designates a failure rate, in failures per hour. λD is the dangerous failure rate, and λDssA is the dangerous failure rate of subsystem A: the sum of the dangerous failure rates of the individual elements e1, e2, e3, up to and including en. Multiplying the dangerous failure rate by 1 hour gives PFHD, the dimensionless probability of a dangerous failure per hour that is compared against the SIL bands.
Figure 151 shows a single fault tolerant system without a diagnostic function. When the architecture includes single fault tolerance, the potential for common cause failure exists and must be considered. The derivation of the common cause failure is briefly described later in this chapter.
Figure 151: Subsystem logical architecture B

$$\lambda_{DssB} = (1-\beta)^2 \times \lambda_{De1} \times \lambda_{De2} \times T_1 + \beta \times \frac{\lambda_{De1} + \lambda_{De2}}{2}$$
$$PFHD_{ssB} = \lambda_{DssB} \times 1\,\mathrm{h}$$
The formula for this architecture takes into account the parallel arrangement of the subsystem elements and adds the following two parameters from Table 11:
β, the susceptibility to common cause failures (beta), expressed as a fraction of the element failure rate
T1, the proof test interval or the lifetime, whichever is smaller. The proof test is designed to detect faults and degradation of the safety subsystem so that it can be restored to an operating condition.
As an example, assume the following values:
β = 0.10
λDe1 = 1 × 10^-6 failures/hour
λDe2 = 1 × 10^-6 failures/hour
T1 = 87600 hours (10 years)
The dangerous failure rate of the subsystem is then 1.70956 × 10^-7 failures per hour, so PFHDssB = 1.70956 × 10^-7, which falls in the SIL 2 band (≥ 10^-7 and < 10^-6).
Effect of the Proof Test Interval
Let's look at the effect the proof test interval has on the subsystem. Assume the proof test interval is reduced to six months (twice a year). This reduces T1 to 4380 hours, and the dangerous failure rate improves to 1.03548 × 10^-7 failures per hour. This is still only SIL 2. If the proof test interval is reduced to one month (730 hours), the dangerous failure rate improves to 1.0059 × 10^-7 failures per hour, still only SIL 2. The reason is visible in the formula: the common cause term β × (λDe1 + λDe2) / 2 = 1 × 10^-7 does not depend on T1, so with β = 0.10 this subsystem can never get below the SIL 3 ceiling of 10^-7, however often it is proof tested. Reaching SIL 3 requires lower element failure rates or a lower susceptibility to common cause failure. In addition, the designer must keep in mind that this subsystem must be combined with other subsystems to calculate the overall dangerous failure rate of the safety function.
Effect of Common Cause Failure Analysis
Let's look at the effect common cause failures have on the subsystem. Suppose we take additional measures and our beta value improves to its best level of 1% (0.01), while the proof test interval remains at 10 years. The dangerous failure rate improves to 9.58568 × 10^-8 failures per hour, and the subsystem now meets SIL 3.
Figure 152 shows the functional representation of a zero fault tolerant system with a diagnostic function. Diagnostic coverage is used to decrease the probability of dangerous hardware failures. The diagnostic tests are performed automatically. Diagnostic coverage is the ratio of the rate of detected dangerous failures compared to the rate of all dangerous failures. The type or number of safe failures is not considered when calculating diagnostic coverage; it is only the percentage of detected dangerous failures.
Figure 152: Subsystem logical architecture C

$$\lambda_{DssC} = \lambda_{De1} \times (1 - DC_1) + \dots + \lambda_{Den} \times (1 - DC_n)$$
$$PFHD_{ssC} = \lambda_{DssC} \times 1\,\mathrm{h}$$

This formula includes the diagnostic coverage, DC, of each subsystem element. The dangerous failure rate of each element is reduced by that element's own diagnostic coverage; only the undetected fraction (1 − DC) of its dangerous failures contributes to the subsystem rate.
The fourth example of a subsystem architecture is shown in Figure 153. This subsystem is single-fault tolerant and includes a diagnostic function. The potential for common cause failure must also be considered with single-fault tolerant systems.
Figure 153: Subsystem logical architecture D

If the subsystem elements are identical, the following formula is used (λDe² is the square of the common element dangerous failure rate):

$$\lambda_{DssD} = (1-\beta)^2 \left\{ \lambda_{De}^2 \times 2 \times DC \times \frac{T_2}{2} + \lambda_{De}^2 \times (1 - DC) \times T_1 \right\} + \beta \times \lambda_{De}$$
$$PFHD_{ssD} = \lambda_{DssD} \times 1\,\mathrm{h}$$

If the subsystem elements are different, the following formula is used:

$$\lambda_{DssD} = (1-\beta)^2 \left\{ \lambda_{De1} \times \lambda_{De2} \times (DC_1 + DC_2) \times \frac{T_2}{2} + \lambda_{De1} \times \lambda_{De2} \times (2 - DC_1 - DC_2) \times \frac{T_1}{2} \right\} + \beta \times \frac{\lambda_{De1} + \lambda_{De2}}{2}$$
$$PFHD_{ssD} = \lambda_{DssD} \times 1\,\mathrm{h}$$

As a consistency check, setting λDe1 = λDe2 = λDe and DC1 = DC2 = DC in the second formula reduces it exactly to the first.
Notice that both formulas use one additional parameter, T2, the diagnostic test interval.
As an example, assume the following values for the case where the subsystem elements are different:
β = 0.10
λDe1 = 1 × 10^-6 failures/hour
λDe2 = 2 × 10^-6 failures/hour
T1 = 87600 hours (10 years)
T2 = 876 hours
DC1 = 0.8
DC2 = 0.6
Evaluating the formula above with these values: the bracketed independent-failure term is 2 × 10^-12 × (1.4 × 438 + 0.6 × 43800) = 5.37864 × 10^-8, which (1 − β)² = 0.81 reduces to 4.3567 × 10^-8; the common cause term is 0.10 × (1 × 10^-6 + 2 × 10^-6) / 2 = 1.5 × 10^-7. The total is PFHDssD = 1.93567 × 10^-7 dangerous failures per hour (SIL 2). Note that the common cause term alone, 1.5 × 10^-7, is already above the SIL 3 ceiling of 10^-7, so neither better diagnostic coverage nor a shorter proof test interval can bring this subsystem to SIL 3; β would have to be reduced first.
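The formulas for all four architectures and the worked figures above, collected into an added Python example that is not part of the original page: it implements λDssA to λDssD as written in this section, maps PFHD to the SIL bands of IEC 62061 Table 3, recomputes the architecture B and D examples from those formulas, and exposes the common cause term separately because it is the floor that proof testing and diagnostics cannot lower. The function names and the SIL_BANDS table are this example's own; the formulas and parameter values are the section's.

```python
"""IEC/EN 62061 subsystem PFHD calculator for logical architectures A to D.

Added example: reproduces the worked figures in this section and shows why the
common cause term bounds what proof testing and diagnostics can achieve.
Function and variable names are this example's own, not the standard's.
"""

# SIL bands of IEC 62061 Table 3 (high demand / continuous mode) as
# [lower, upper) intervals on PFHD.
SIL_BANDS = {3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


def sil_from_pfhd(p):
    """Highest SIL whose band contains p; None if p >= 1e-5 (no SIL).
    Values below 1e-8 still satisfy the SIL 3 target (62061 defines no SIL 4)."""
    if p >= 1e-5:
        return None
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= p < hi:
            return sil
    return 3


def arch_a(lambda_des):
    """Architecture A: dangerous failure rates of the elements simply add."""
    return sum(lambda_des)


def arch_b(lde1, lde2, beta, t1):
    """Architecture B: single fault tolerant, no diagnostics."""
    return (1 - beta) ** 2 * lde1 * lde2 * t1 + beta * (lde1 + lde2) / 2


def arch_c(elements):
    """Architecture C: each element's rate reduced by its own DC.
    elements = [(lambda_De, DC), ...]"""
    return sum(lde * (1 - dc) for lde, dc in elements)


def arch_d(lde1, lde2, dc1, dc2, beta, t1, t2):
    """Architecture D, general (different elements) form."""
    independent = lde1 * lde2 * ((dc1 + dc2) * t2 / 2 + (2 - dc1 - dc2) * t1 / 2)
    return (1 - beta) ** 2 * independent + beta * (lde1 + lde2) / 2


def arch_d_identical(lde, dc, beta, t1, t2):
    """Architecture D, identical-elements form; equals arch_d when the two
    elements share lambda_De and DC."""
    independent = lde ** 2 * 2 * dc * t2 / 2 + lde ** 2 * (1 - dc) * t1
    return (1 - beta) ** 2 * independent + beta * lde


def ccf_floor(lde1, lde2, beta):
    """Common cause term of architectures B and D: a lower bound on the
    subsystem rate that no T1, T2 or DC value can reduce."""
    return beta * (lde1 + lde2) / 2


def pfhd(lambda_d):
    """PFHD = lambda_D x 1 h (dimensionless per-hour probability)."""
    return lambda_d * 1.0


def section_examples():
    """Recompute this section's worked examples; returns {label: (PFHD, SIL)}."""
    lde = 1e-6
    out = {}
    for label, beta, t1 in [("B, T1=10y", 0.10, 87600), ("B, T1=6mo", 0.10, 4380),
                            ("B, T1=1mo", 0.10, 730), ("B, beta=1%", 0.01, 87600)]:
        p = pfhd(arch_b(lde, lde, beta, t1))
        out[label] = (p, sil_from_pfhd(p))
    p = pfhd(arch_d(1e-6, 2e-6, 0.8, 0.6, 0.10, 87600, 876))
    out["D, different elements"] = (p, sil_from_pfhd(p))
    return out


if __name__ == "__main__":
    for label, (p, sil) in section_examples().items():
        print(f"{label:24s} PFHD = {p:.5e}  SIL {sil}")
    # The B example at beta = 0.10 can never drop below this value.
    print(f"CCF floor of the B example: {ccf_floor(1e-6, 1e-6, 0.10):.1e}")
```

Running the module prints the B example at the three proof test intervals and at β = 0.01, then the D example; comparing each PFHD with the printed CCF floor makes it obvious which parameter has to move to reach the next SIL.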
