Appendix 1 of the SAFEC project - guidelines for functional safety

APPENDIX 1

DETAILED GUIDELINES FOR TESTING, VALIDATION AND CERTIFICATION

A1.1    Scope

This certification scheme applies to safety devices as defined by the ATEX Directive (1) and which are a part of electrical equipment for use in potentially explosive atmospheres. It does not apply to the certification of “equipment” as defined by the ATEX Directive.

A1.2    Overview

The method of certification depends on the complexity of the safety device. Three cases are identified:

  1. For electrical equipment and safety devices, which are fully specified within CENELEC or other standards, certification should be against the provisions of the relevant standard.
  2. For electrical equipment incorporating simple safety devices, the safety devices should be specified in terms of the relevant EN 954-1 category. Simple safety devices are those for which the failure modes are known. Certification that the device achieves this category should be against the requirements of EN 954.
  3. For electrical equipment incorporating complex/programmable safety devices, the safety function should be specified in terms of the IEC 61508 SIL. The necessary risk reduction can then be allocated between available safety systems, including the safety device. Certification that the safety device achieves its required level of risk reduction should be against the requirements of IEC 61508.

Table A1 has been developed to indicate which types of safety device may fall under which of the three cases above. This depends on the function of the safety device, the type of electrical equipment in which it is used and the technology of implementation. The first step in the certification is to determine which of the three cases applies.

For case 1, certification should be directly against the requirements of the CENELEC standard which applies. This is identified by an “X” in the column “EN 50014ff” in Table A1.

For case 2, certification should be against the requirements of EN 954 (which are not detailed here). However, the allowable EN 954 categories of safety device for use in different applications are covered in A1.3 below. This is identified by an “X” in the column “EN 954-1” in Table A1.

For case 3, certification is covered in A1.4 below. This is identified by an “X” in the column “IEC 61508” in Table A1.

Table A1    Safety devices defined in the existing European Standards for explosion protection

| Standard | Clause | Safety Device | Component | Equipment | Protective Systems | EN 50014ff | Possible other Standards | EN 954-1 | IEC 61508 |
|---|---|---|---|---|---|---|---|---|---|
| EN 1127-1 | 6.2.2.2 | Gas-warning devices | | E | | X | EN | X | X |
| | 6.2.2.2 | Flow-control devices | | E | | X | | X | X |
| | 6.4.8 | Lightning protection | C | | | X | | | |
| | 6.5.3 | Explosion pressure relief devices | | | P | | prEN | | |
| | 6.5.4 | Explosion suppression devices | | | P | | prEN | X | X |
| | 6.5.5 | Flame barriers (various systems) | | | P | | prEN | | |
| | 6.5.5.2.1 | Deflagration arrester | | | P | | prEN | | |
| | 6.5.5.2.2 | Flame arrester | | | P | | prEN | | |
| | 6.5.5.2.3 | Detonation arrester | | | P | | prEN | | |
| | 6.5.5.2.4 | Flashback preventer | | | P | | prEN | | |
| | 6.5.5.3.2 | Rapid-action valves | | | P | | prEN | | |
| | 6.5.5.3.3 | Rotary valves | | | P | | prEN | | |
| | 6.5.5.3.5 | Double valves with their controls | | | P | | prEN | X | X |
| EN 50014 | 10. | Interlocking devices | | | | X | | | |
| | 18.2 | Electrically or mechanically interlocked disconnectors with a suitable load breaking device | C | | | X | | | |
| | 18.3 | An interlock for disconnectors in switchgear | | | | X | | | |
| | 18.5 | Short-circuit and earth fault relays | | E | | X | EN | | |
| | 18.6 | Doors and covers interlocked with a disconnector | | | | X | | | |
| | 19. | Interlocking for enclosures containing fuses | | | | X | | | |
| | 20.1 | Plugs and sockets shall be interlocked | C | | | X | | | |
| | 20.2 | Plugs and sockets which break the rated current with delayed release | | E | | X | | | |
| | 21.2 | Luminaires interlocked with automatic disconnection of all poles | C | | | X | | | |
| EN 50015 (Ex o) | 4.3.1 | Pressure relief device (for sealed devices) | | | | X | | | |
| | 4.3.2 | Breathing device | | | | X | | | |
| | 4.4 | Devices to indicate the liquid level | | | | X | | | |
| | 4.5 | Liquid level indicating device | | | | X | | | |
| | 4.9 | Devices for draining the liquid | | | | X | | | |
| | 4.11 | Protective device, resettable manually only, which causes interruption of the supply current | | E | | X | EN | X | X |
| EN 50016 (Ex p) | 3.3 | A safety device to limit the maximum internal overpressure | C | | | X | | | |
| | 3.6.1 | Interlocking devices disconnecting the power supply | C | | | X | | | |
| | 3.6.2 | Similar to 3.6.1 | C | | | X | | | |
| | 4.2 | By bringing an auxiliary ventilation system into operation | | E | | X | | X | X |
| | 5.6 | Safety devices such as time-delay relays and devices for monitoring the flow of protective gas | | E | | X | | X | X |
| | 5.7 | The protective gas is air: not to exceed 25% of the LEL (it could be monitored with a gas analyser) | | | | X | | | |
| | 5.7 | The protective gas is other than air: not to exceed 2% by volume (an oxygen analyser could be used) | | | | X | | | |
| | 5.7 | The purging flow rate shall be monitored | | E | | X | | X | X |
| | 5.8 | One or more automatic safety devices shall be provided to operate when the overpressure falls below the minimum value specified by the manufacturer | | E | | X | | X | X |
| | 6.2 | Oxygen analysers | | E | | X | EN | X | X |
| | 6.5 | Two automatic safety devices shall be provided to operate when the overpressure falls below the prescribed value | | E | | X | | X | X |
| | 7 | Supply of protective gas | | | | | | | |
| | 10.2 | The flow limiting device | C | | | X | | | |
| | 12. | Flame arresters | C | | | X | | | |
| | 13. | Safety devices | | E | | X | | X | X |
| | Annex A.A.1 | Two independent firedamp detectors, arranged to disconnect the electricity supply automatically | | | P | X | | X | X |
| | Annex A.A.2 | Fitting of barriers | C | | | X | | | |
| EN 50017 (Ex q) | 11.2 | Electrical or thermal protective device for temperature limitation, non self-resetting | C | | | X | | | |
| | 11.3 | Current limiting device (resistor) | | | | X | | | |
| | 14. | Associated power supply with limited ratings | | E | | X | | | |
| | 10. | Protected against fault conditions such as short-circuit or thermal overload | | E | | X | | | |
| | 11.2 | Temperature limitation shall be achieved by an internal or external, electrical or thermal, protective device | | E | | X | | X | |
| | 11.2 | When fuses are used as protective devices | C | | | X | | | |
| | 11.3 | Current limiting device | C | | | X | | | |
| EN 50018 (Ex d) | 12.6 | Suitable detection device enabling the power supply to the enclosure to be disconnected, on the supply side, before possible decomposition of the insulating materials leads to dangerous conditions | C | | | X | | | |
| | 17.2.1 | Quick-acting doors or covers shall be mechanically interlocked with an isolator | | | | X | | | |
| | 18.1 | Quick-acting switch in a flameproof enclosure, which breaks all poles of the lamp circuit before contact separation | | | | X | | | |
| EN 50019 (Ex e) | 4.7.4 | Appropriate devices for winding protection | | E | | X | | X | X |
| | 5.1.4.3 | Current-dependent safety devices | | E | | X | EN | X | X |
| | 5.1.4.4 | Protection against overloads (e.g. motor stalled) with temperature sensors | | E | | X | EN | X | X |
| | 5.1.4.5 | Frequency and voltage converter, with the protecting device incorporated | | E | | X | | X | X |
| | 5.3 | Electrically or mechanically interlocked in order to avoid the separation of contacts in a hazardous zone | | | | X | | | |
| | 5.4 | Current transformer | C | | | X | | | |
| | 5.6.2.3 | Level indicating device | | | | X | | | |
| | 5.8.3 | Electrical protecting device limiting the heating effect due to abnormal earth fault and earth leakage currents: for TT and TN systems a residual current protective device; for IT systems an insulation monitoring device | | E | | X | EN | | |
| | 5.8.8 | Isolate all energized parts of the resistance heating device or unit | | | | X | | | |
| | 5.8.9 | Sensing the temperature; sensing that temperature and other parameters; measuring one or more parameters other than temperature | | E | | X | | | |
| EN 50020 (Ex i) | 8.4 | Resistors | | | | X | | | |
| | 8.5 | Blocking capacitor | | | | X | | | |
| | 8.6 / 7.5.2 | Shunt safety assemblies | | | | X | | | |
| | 9. | Diode safety barriers | | E | | X | | | |
| | 7.5.3 | Series blocking diodes | | | | X | | | |
| | 8. | Transformers and damping windings | C | | | X | | | |
| | 7.3 | Fuses | C | | | X | | | |
| | 6.6 | Earth conductors | | | | X | | | |
| | 6.3.2 | Plugs and sockets | C | | | X | | | |
| | 6.4.12 | Relays | C | | | X | | | |
| | 8.8 | Galvanically separating components | C | | | X | | | |
| | 8.7 / 6.4.11 | Wiring and connections | | | | X | | | |
| EN 50021 (Ex n) | 10.9.2.1 | Supplied at varying frequency and voltage by a converter; supply other than that derived from a converter; non-sinusoidal load (e.g. thyristors) | | E | | | X | X | X |
| | 11. | Fuses and fuse assemblies | | | | X | | | |
| | 12.1 | Fuses and fuse assemblies | | | | X | | | |
| | 12.2.5.2 | Glow type starters | | | | X | | | |
| | 12.2.5.3 | Electronic starters and ignitors | C | | | X | | | |
| | 12.2.5.5 | Ballasts (electronic ballasts) | C | | | X | | | |
| | 15.1. | Interlocked mechanically or electrically | | | | X | | | |
| | 16.3.2 | Interlocked mechanically or electrically | | | | X | | | |
| | 16.4.2 | Chargers for type 2 cells and batteries | | E | | X | | | |
| | 21.2 | Reliable means of limiting the voltage and current available to energy storing components or at any normally sparking contact, e.g. by the use of zener diodes and series resistors | | | | X | | | |
| | 21.7 | Polarity reversal | | | | X | | | |
| | 21.8.2 | Fuses | | | | X | | | |
| | 21.8.3 | Shunt safety components such as diodes or voltage limiting devices | | | | X | | | |
| EN 50028 (Ex m) | 4.1.3 | Fuse | | | | X | | | |
| | 4.1.5 | Wire wound resistor | | | | X | | | |
| | 4.1.5 | Plastic foil capacitor | | | | X | | | |
| | 4.1.5 | Paper capacitor | | | | X | | | |
| | 4.1.5 | Ceramic capacitor | | | | X | | | |
| | 4.1.5 | Opto-coupler | | | | X | | | |
| | 4.1.5 | Transformer | | | | X | | | |
| | 4.1.5 | Coil | | | | X | | | |
| | 4.1.5 | Motor windings | | | | X | | | |
| | 4.4 | Temperature limitation: this can be achieved by a non self-resetting internal or external, electrical or thermal, protecting device | | | | X | | | |
| | 4.2.3 | Use of duplicated, non self-resetting thermal protection devices, positioned as necessary throughout the circuit | | | | | | | |
| | 4.2.3 | Other apparatus or associated apparatus having control over voltage and current limitation equivalent to that of a category “ib” circuit according to EN 50020, though not necessarily at the same levels of voltage, current or power | | E | | X | | | |
| | 4.2.5 | Mechanical separation element; separation elements consist of a partition wall, possibly combined with a flameproof joint or an air gap with natural ventilation | | | | X | | | |
| | 4.5 | The mechanical connection to the boundary shall be flameproof | | | | X | | | |
| EN 50053-1 | 5.3.1 | An exhaust ventilation system | C | | | X | | | |
| | 5.3.2 | The exhaust ventilation system shall be interlocked | | | | X | | | |
| | 5.4.5 | Earthing and bonding | | | | X | | | |
| | 6.1.1 | The high voltage supply shall be switched off in such a manner that it cannot be re-energised | | | | | | | |
| EN 50053-2 | 5.3.3 | Explosion suppression system, an explosion relief, explosion barriers, or other explosion protection systems | | | P | X | | | |
| EN 50053-3 | 5.3.1 | Ventilation system; exhaust ventilation system | C | | | X | | | |
| EN 50177 | 5.1.2.2 | Device which automatically switches off the high voltage | | | | | | | |
| | 5.1.3.2 | Voltage discharges | | | | | | | |
| | 5.2.1 | An exhaust ventilation system | C | | | X | | | |
| | 5.2.2 | Interlocked with other equipment. Devices shall be installed to monitor the actual flow of the exhaust ventilation system air and arranged to interrupt immediately the high voltage supply if the volumetric flow falls ... | | | | | | | |
| | 5.2.4 | Explosion suppression or explosion relief venting | | | P | X | | | |
| | 5.2.6 | Interlocked so that the high voltage supply system will be switched off | | | | | | | |
| | 5.2.10 | Automatic local fire extinguishing systems ... switched off by automatic means | | | P | X | | | |
| | 5.3.1 | Interlocking shall be provided to prevent the high voltage being applied | | | | | | | |
| | 5.5 | Earthing measures | | | | | | | |
| EN 50281-1-1 | 4.3 | Fasteners | | | | X | | | |
| | 4.4 | Interlocking devices | | | | X | | | |
| | 5.2.2 | Interlocked with a suitable load breaking device | C | | | X | | | |
| | 5.2.3 | Any interlock | | | | X | | | |
| | 5.2.4 | Interlocked with a disconnector | | | | X | | | |
| | 5.3 | Enclosures containing fuses | | | | X | | | |
| | 5.4.1 | Shall be interlocked | | | | X | | | |
| | 5.4.2 | Breaks the rated current with delayed release | | E | | X | | | |
| | 5.5.2 | Automatically disconnecting all poles | C | | | X | | | |
| | 6.3 | Fasteners | | | | X | | | |
| | 6.4 | Interlocking devices | | | | X | | | |
| | 7.2.2 | Interlocked with a suitable load breaking device | | | | X | | | |
| | 7.2.3 | Any interlock | | | | X | | | |
| | 7.3 | Enclosures containing fuses shall be interlocked | | | | X | | | |
| | 7.4.1 | Shall be interlocked | | | | X | | | |
| | 7.4.2 | Breaks the rated current with delayed release | C | | | X | | | |
| | 7.5.2 | Automatically disconnecting all poles | | | | X | | | |
| EN 50281-1-2 | 7. | System power limitation | | E | | X | EN | X | X |
| EN 50284 | 4.2.2 | Associated apparatus, e.g. Ex ia power supply | | E | | X | | | |
| | 4.2.3 | Thermal protective devices, non self-resetting | C | | | X | | | |
| | 4.2.3 | Associated power supply with limited ratings, similar to Ex ib (safe with one fault) | | E | | X | | | |
| | 4.2.3 | Non self-resetting thermal protection devices, positioned as necessary throughout the circuit | | | | X | | | |
| | 4.2.3 | Apparatus or associated apparatus having control over voltage and current limitation equivalent to that of a category “ib” circuit according to EN 50020, though not necessarily at the same levels of voltage, current or power | | | | X | | | |
| | 4.2.5 | Mechanical separation element; separation elements consist of a partition wall, possibly combined with a flameproof joint or an air gap with natural ventilation | | | | X | | | |
| | 4.5 | Mechanical connection to the boundary shall be flameproof | | | | X | | | |

Key: C, E and P in the “Component”, “Equipment” and “Protective Systems” columns mark the kind of item the safety device is; an “X” in the last four columns marks the standard against which certification should be carried out.

A1.3    Conformity assessment procedure according to EN 954-1

The allowable categories of safety device for any given application are defined by Table A1.2.

Table A1.2   Definition of allowable EN 954 categories for safety devices

| Hazardous Area | Zone 0 / Zone 20 | Zone 0 / Zone 20 | Zone 0 / Zone 20 | Zone 1 / Zone 21 | Zone 1 / Zone 21 | Zone 1 / Zone 21 | Zone 2 / Zone 22 | Zone 2 / Zone 22 |
|---|---|---|---|---|---|---|---|---|
| Fault tolerance requirement of ATEX Directive | 2 | 2 | 2 | 1 | 1 | 1 | 0 | 0 |
| Equipment (EUC) fault tolerance | 2 | 1 | 0 | 1 | 0 | -1 | 0 | -1 |
| EN 954 category of the monitoring or control unit | - | B, 1, 2, 3 or 4 | 3 or 4 | - | B, 1, 2, 3 or 4 | 3 or 4 | - | B, 1, 2, 3 or 4 |
| Resulting equipment category (under ATEX) of the combination | ATEX category 1 | ATEX category 1 | ATEX category 1 | ATEX category 2 | ATEX category 2 | ATEX category 2 | ATEX category 3 | ATEX category 3 |

Note that a fault tolerance of “-1” implies that the equipment would be incendive in normal operation, without the intervention of the safety device.

Assessment of whether a particular device meets the requirements for a particular category should be carried out according to EN 954.

A1.4    Conformity assessment procedure according to IEC 61508

This follows the overall lifecycle given in Figure A1 (IEC 61508 Part 1 Figure 2).

A1.4.1    Conditions

For a conformity assessment procedure based on IEC 61508, minor changes have to be made to apply it to safety devices.

  • Boxes 1 - 4 are already fulfilled by the existing standards for explosion protection and by the work in Task 1 and Task 2 of the SAFEC project.
  • Box 5 is mainly defined by the existing standards for explosion protection (function) and by Task 2 (safety integrity level).

The safety integrity requirements for the overall safety function of preventing an explosion (box 4), depending on the hazardous zone, are defined by Table A3 (based on Table 9 in the main text).

Table A3   Proposed overall risk reduction requirements

| Hazardous Zone | ATEX equipment categories | Target SIL requirement |
|---|---|---|
| 0 or 20 | 1 | SIL 3 |
| 1 or 21 | 2 | SIL 2 |
| 2 or 22 | 3 | SIL 1 |

If the safety requirements allocation (box 5) is such that the requirements are allocated between the fault tolerance of the equipment (without the safety device) and the safety device, then the SIL requirement for the safety device is as defined in Table A4 (based on Table 10 in the main text of this report).

 

Figure A1   The safety lifecycle from IEC 61508

 

Table A4    Proposed target risk reduction requirements for safety functions

| Hazardous Area | Zone 0 / Zone 20 | Zone 0 / Zone 20 | Zone 0 / Zone 20 | Zone 1 / Zone 21 | Zone 1 / Zone 21 | Zone 1 / Zone 21 | Zone 2 / Zone 22 | Zone 2 / Zone 22 |
|---|---|---|---|---|---|---|---|---|
| Fault tolerance requirement of ATEX Directive | 2 | 2 | 2 | 1 | 1 | 1 | 0 | 0 |
| Equipment (EUC) fault tolerance | 2 | 1 | 0 | 1 | 0 | -1 | 0 | -1 |
| SIL of the safety function that the monitoring or control unit is providing | - | SIL 2 | SIL 3 | - | SIL 1 | SIL 2 | - | SIL 1 |
| Resulting equipment category (under ATEX) of the combination | category 1 | category 1 | category 1 | category 2 | category 2 | category 2 | category 3 | category 3 |

Note that a fault tolerance of “-1” implies that the equipment would be incendive in normal operation, without the intervention of the safety device.

 

In addition, the fault tolerance requirements of the ATEX Directive shall be met. These are defined by Table A5 (same as Table 3).

Table A5   Fault tolerance requirements of the safety device as required by the ATEX Directive

| ATEX category | Fault tolerance requirement |
|---|---|
| 1 | 2 |
| 2 | 1 |
| 3 | 0 |

In any case where several safety systems are available for the safety requirement allocation, the manufacturer and the notified body would have to carry out the safety requirement allocation according to IEC 61508, Part 1, 7.6.

 

A1.4.2 Validation process

  • The certification scheme itself is based on box 9 for electrical / electronic or programmable electronic safety devices, or on box 10 together with box 11 for other technologies.

Figures A2 and A3 (Figures 3 and 4 of IEC 61508 Part 1) show the realisation phase of the lifecycle, including the validation process.

  • The notified bodies have to carry out the conformity assessment procedure according to boxes 9.1 to 9.6 for hardware and software. How much of points 9.1 to 9.5 the assessment covers depends on the safety device. The most important step is 9.6.

The tasks included in the realisation phase relate to the description in IEC 61508 Part 1. The objective of the requirements of this subclause is to create E/E/PE safety-related systems conforming to the specification for the E/E/PES safety requirements (comprising the specification for the E/E/PES safety functions requirements and the specification for the E/E/PES safety integrity requirements).

The specific demands, and further information, are contained in IEC 61508 Parts 2 and 3. A possible methodology for determining the SIL of E/E/PE systems is given in the Informative Annex below.

Figure A2      E/E/PES safety lifecycle (in realization phase)

 

Figure A3    Software safety lifecycle (in realization phase)

A1.4.3    Validation process for other technologies and external risk reduction facilities

The validation for other technologies can be carried out using EN 954-1. Specification of the validation process may use PrEN 954-2. Other standards are possible (for example DIN EN 61496-1 06/98).

The lack of information, e.g. about proof test intervals, has to be covered by special procedures. The validation of an electrical / electronic or programmable electronic device with EN 954-1 needs a separate calculation of reliability for the circuits responsible for the validated safety function. The reliability of external risk reduction facilities should be handled similarly. The reliability calculations suggested by the Informative Annex will be appropriate.

A1.4.4   Validation of instructions for use

The notified bodies should ensure that, when particular maintenance procedures or proof test intervals are required to achieve the necessary safety integrity of the safety devices, these are detailed in the instructions for use.

A1.5    Independence for validation / conformity assessment procedures

Tables A6 and A7 define the levels of independence, which the ATEX Directive (1) maps onto the two groups "notified bodies" and "manufacturers".

Table A6 - Responsibility for conformity assessment procedure of safety devices in use with electrical equipment or internal combustion engines

| Zone of intended use (overall equipment category) | Safety integrity level 1 | Safety integrity level 2 | Safety integrity level 3 | Safety integrity level 4 |
|---|---|---|---|---|
| 0 (1, M1) | - | Notified Body | Notified Body | Notified Body |
| 1 (2, M2) | - | Notified Body | Notified Body | - |
| 2 (3) | - | - | - | - |

Table A7 - Responsibility for conformity assessment procedure of safety devices in use with non-electrical equipment

| Zone of intended use (overall equipment category) | Safety integrity level 1 | Safety integrity level 2 | Safety integrity level 3 | Safety integrity level 4 |
|---|---|---|---|---|
| 0 (1, M1) | - | Notified Body | Notified Body | Notified Body |
| 1 (2, M2) | - | Manufacturer | Manufacturer | - |
| 2 (3) | - | - | - | - |

A1.6    INFORMATIVE ANNEX TO CERTIFICATION SCHEME

METHODOLOGY FOR DETERMINING THE SIL OF  A SAFETY DEVICE

The system's safety integrity level is assessed in accordance with the following procedure, which breaks the assessment down into the following five linked stages:

  • 1st stage: functional analysis,
  • 2nd stage: failure rate prediction,
  • 3rd stage: failure modes, effects and criticality analysis,
  • 4th stage: modelling of the system's various states,
  • 5th stage: system safety integrity level assessment.

It should be noted that this assessment does not take into account:

  • common mode failures,
  • systematic errors,
  • connection failures,
  • errors linked to cabling,
  • human errors.

A1.6.1    First stage: functional analysis

The purpose of the functional analysis is to identify the functions to be fulfilled by the system. It is also intended to explain the system's operation by establishing a link between the hardware and software functions. This stage is the assessment's input point. It needs to be sufficiently accurate to identify failures with an impact on the system's safety.

Several functional analysis procedures may be used to explain the operation of automatic systems:

  • functional block diagram procedure,
  • SADT procedure,
  • SA-RT procedure,
  • etc.

A1.6.2    Second stage: failure rate prediction

The purpose of the failure rate prediction is not to assess the system's reliability. Calculations are only conducted for the components that present a risk in relation to safety, in order to quantify the dangerous failure rate. To that end, a calculation makes it possible to assess an equivalent failure rate for the system. This calculation takes into account component failure rates, component stress, climatic environment, component quality, etc.

The failure rate prediction allows us to quantify the FMECA (Failure Modes, Effects and Criticality Analysis, see 3rd stage) and to identify the contribution of the various failure modes to the system's unsafe situation.

Failure rate calculations are grounded on databases that supply a basic failure rate for each type of component. This basic failure rate is adjusted by corrective factors for the environment and the component.

A1.6.3    Third stage: failure modes, effects and criticality analysis (FMECA)

After identifying the components fulfilling the functions (hardware and software) identified by the functional analysis, the failure modes and their effects on the system's operation must be analysed within the scope of this study. The purpose of this stage is to analyse the failures in order to identify the “dangerous” failure modes, and to quantify the probability of failure occurrence.

The Failure Modes, Effects and Criticality Analysis (FMECA) is conducted at electronic component level for the safety device. The purpose of this analysis is:

  • to identify the “dangerous” failure modes, to assess the “dangerous” failure rates leading to the hazardous event, while assessing a coverage rate for the various tests;
  • to identify the possible preventive maintenance provisions to be integrated to guarantee a safety integrity level in compliance with the defined goals.

Failures are classified in 4 classes:

  • dangerous detected failures, whose effects are on safety and availability (λDD),
  • dangerous undetected failures, whose effects are only on safety (λDU),
  • non-dangerous detected failures, whose effects are only on availability (λSD),
  • non-dangerous undetected failures, whose effects are only on availability (λSU).

(λDU = λ Dangerous, Undetected; λS = λ Safe.)

λS = Safe failure: i.e. a failure that results in system fallback (a safe situation from the standpoint of safety).

λDU = Unsafe failure: a failure whose consequence leads to a dangerous state from the standpoint of safety.

The following diagram (Figure A4) gives further details of this distribution of failures according to their effect. The objective of this stage is to define the unsafe failure modes. References (28) and (29) are examples of sources of data for the failure mode distribution of various components.

Figure A4: Failure distribution according to their effect

A1.6.4    Fourth stage: modelling of the system's various states

Three system types are distinguished among the systems encountered:

[1]  Failsafe systems

[2]  Non-redundant systems

[3]  Redundant systems

The system's dangerous failure probability calculation is different according to the various types of system.

Failsafe systems

Failsafe systems are systems in which the failure modes of all components of the system lead to a “safe state” in relation to safety. For these systems, there is no point in calculating the dangerous failure probability, as the λDU dangerous failure rate does not exist.

Non-redundant systems

Non-redundant systems are “simple” systems in which the safety function can be lost in the event of a single failure. Two states are possible: safe state or dangerous state. The calculation of the dangerous failure probability for these systems comes down to a specific reliability calculation depending on the dangerous failure rate (λDU, identified in the FMECA) over a duration equal to the interval between preventive maintenance operations.

Redundant systems

In redundant systems, the safety function can be lost due to combinations of failures, depending on the logic implemented within the safety system. There are several quantitative safety integrity level assessment procedures for such systems. The main drawback of the more traditional procedures, such as fault tree analysis or reliability block diagram analysis, is that they do not always take into account the time aspect, the test periodicity, the coverage levels and the repair rate.

The various failure and operating states can be modelled with Markov graphs, integrating the time aspect of the preventive maintenance tests, the autotests and the coverage rate, since electronic systems are subject to a failure law of exponential form with a constant failure rate.

A1.6.4.1    Influence of testability on safety

For safety purposes, the state of the resources must be known on a permanent basis, to see whether hidden (dormant or latent) failures liable to mask the safety function exist. These dormant failures are only detected during periodic tests deliberately conducted by the user.

A test policy is useless for failsafe systems, as each failure leads to a “safe” position in relation to safety.

On the contrary, for systems that are neither failsafe nor autotestable and on which dangerous failures exist, a test policy to detect the “dangerous failures” (those with a risk for safety) is required.

These tests must be conducted with a periodicity grounded on the characteristics of the various elements constituting the system. Dangerous failures can be detected in two ways:

  • either by the test and autotest system of the safety system, for detectable failures (λDD),
  • or during verification operations, for non-detectable failures (λDU).

Testability does not increase the PLC's reliability level. It only makes it possible to ensure that resources are still available: to read the inputs and control the outputs on the one hand, and to make sure that the processing modules are still functional on the other. Only dangerous failure detection comes into play. Thanks to this test it is possible to detect a failure and switch to the safe position, and therefore to guarantee safety better. The following diagram shows the impact of testability on safety, and the impact on safety of a state-changeover test policy conducted every 24 hours or every 6 months.

Figure A5: Testability impact on safety

A1.6.4.2    Graph establishment

IEC 61508 (18) and reference (30) stipulate the procedure and the various stages of system modelling. State graphs are represented below for each safety function. Modelling is achieved with the “states” that the system is liable to enter. There are 3 states in most cases:

State 2, represented as follows: (2)

This state corresponds to the modelling of redundancy. In this state, all implemented resources are present and operate in a nominal manner.

State 1, represented as follows: (1)

This state corresponds to the modelling of redundancy downgraded by the dangerous failure of a hardware element on one of the two channels. In this state, not all implemented resources are present. It is an undetected dangerous failure state. Safety is still guaranteed.

State 0, represented as follows: (0)

This state corresponds to the modelling of the loss of redundancy due to the dangerous failure of several hardware elements on the channels. In this state, safety is no longer guaranteed, and in the event that the safety function is called upon, the system will not go to the safe position.

The probability “P” of being in state “0” is designated PFD(t) in the IEC 61508 standard. The meaning of the PFD(t) value is as defined in the previous paragraph.

A1.6.4.3    Assumptions

Markov graph modelling of the systems studied by INERIS was grounded on the following assumptions:

[1]  Failure rates (λ) and repair rates (μ) are assumed constant, so that the safety level can be modelled and calculated with Markov graphs.

[2]  The mission time (TI) corresponds to the interval between the OFF-LINE periodic test times. All test rates concerning the ability to detect state changeovers (μPTi) are stated on each arc of each graph.

[3]  Inputs and outputs do not go to the safe state if the power supply is cut off.

[4]  The common failure modes and the systematic errors are assumed equal to those defined in reference (28). λD common mode failures or faults have the specificity of affecting all lines at the same time. The selected values are those defined in the same document.

A1.6.4.4    System modelling example

Two active-redundancy systems are modelled as follows:

Figure A6: Redundant system state modelling

This graph is equivalent to the following graph:

Figure A7: Redundant system state reduced modelling

The probability “P” of being in state “0” therefore depends on a failure rate that in turn depends on the time T: P = L(t) × T.

This example shows that the probability of being in state “0” increases as the time T increases.

A1.6.5    Fifth stage: safety integrity level assessment

The system's various states were modelled in the fourth stage. This stage consists of carrying out the mathematical calculation and comparing the level achieved by the system with the classifications of the IEC 61508 standard.

In most cases the dangerous failure probability (PFD) calculation is a function of a system failure rate (a function that varies over time) and of a duration. The safety integrity level calculation is therefore a specific reliability calculation in which safety is equal either to the reliability over a time equal to the overall auto-test time, or to the reliability over the preventive maintenance interval.
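The following is an added worked example, not code from the SAFEC report or from INERIS, that carries stages 3 to 5 of this annex through for a hypothetical two-channel safety device. The per-component failure rates, dangerous fractions and diagnostic coverages are constructed values; the Markov model splits state 1 of Figure A7 into a detected sub-state (under repair at rate μ) and an undetected sub-state (revealed only at the proof test), and state 0 is the PFD state; the SIL bands are the IEC 61508 low-demand PFDavg bands. It also contrasts the 24-hour and 6-month test policies of Figure A5 and handles the failsafe case (λDU = 0), for which no calculation is needed.

```python
"""Added worked example for stages 3 to 5 of the informative annex.
Not code from the SAFEC report or from INERIS; all component data are
constructed, and the SIL bands are the IEC 61508 low-demand PFDavg bands."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    fit: float             # base failure rate in FIT (failures per 1e9 h); constructed
    dangerous_frac: float  # share of failures that are dangerous (FMECA result); constructed
    coverage: float        # autotest diagnostic coverage for this component; constructed


# Constructed bill of materials for ONE channel of a hypothetical safety device.
CHANNEL = (
    Component("input sensor", 200.0, 0.5, 0.90),
    Component("logic solver", 500.0, 0.5, 0.95),
    Component("output relay", 100.0, 0.6, 0.60),
    Component("power supply", 150.0, 0.3, 0.90),
)


def classify(components):
    """Stage 3 (FMECA): split the channel failure rate (per hour) into
    λDD, λDU, λSD and λSU using each component's dangerous fraction and coverage."""
    rates = {"DD": 0.0, "DU": 0.0, "SD": 0.0, "SU": 0.0}
    for c in components:
        lam = c.fit * 1e-9
        dangerous = lam * c.dangerous_frac   # failures leading to the dangerous state
        safe = lam - dangerous               # failures leading to fallback (safe state)
        rates["DD"] += dangerous * c.coverage
        rates["DU"] += dangerous * (1.0 - c.coverage)
        rates["SD"] += safe * c.coverage     # assumption: same coverage for safe failures
        rates["SU"] += safe * (1.0 - c.coverage)
    return rates


def pfd_1oo1(ldu, ti_hours):
    """Stage 4, non-redundant device (two states): PFD(t) = 1 - exp(-λDU t).
    Returns (PFD at the end of the proof-test interval, PFDavg over the interval).
    A failsafe device has λDU = 0 and needs no calculation (annex, fourth stage)."""
    x = ldu * ti_hours
    if x == 0.0:
        return 0.0, 0.0
    pfd_end = 1.0 - math.exp(-x)
    pfd_avg = 1.0 - (1.0 - math.exp(-x)) / x   # exact mean of PFD(t) on [0, TI]
    return pfd_end, pfd_avg


def pfd_1oo2(ldd, ldu, mu, ti_hours, dt=1.0):
    """Stage 4, redundant 1oo2 device: Markov chain integrated (forward Euler)
    over one proof-test interval TI in hours. State 1 of Figure A7 is split:
      2  : both channels healthy
      1D : one channel dangerously failed, detected by autotest, under repair (rate μ)
      1U : one channel dangerously failed, undetected until the proof test
      0  : both channels failed, safety function lost (the PFD state)
    Assumptions: constant rates, perfect proof test at TI, no repair out of state 0."""
    ld = ldd + ldu
    p2, p1d, p1u, p0 = 1.0, 0.0, 0.0, 0.0
    integral = 0.0
    for _ in range(int(round(ti_hours / dt))):
        d2 = -2.0 * ld * p2 + mu * p1d
        d1d = 2.0 * ldd * p2 - (mu + ld) * p1d
        d1u = 2.0 * ldu * p2 - ld * p1u
        d0 = ld * (p1d + p1u)
        p2, p1d, p1u, p0 = p2 + dt * d2, p1d + dt * d1d, p1u + dt * d1u, p0 + dt * d0
        integral += p0 * dt
    return p0, integral / ti_hours


def sil_band(pfd_avg):
    """Stage 5: IEC 61508 low-demand bands on PFDavg. SIL 1: [1e-2, 1e-1),
    SIL 2: [1e-3, 1e-2), SIL 3: [1e-4, 1e-3), SIL 4: below 1e-4 (the standard's
    band stops at 1e-5). Returns 0 when PFDavg >= 1e-1, i.e. no SIL can be claimed."""
    if pfd_avg >= 1e-1:
        return 0
    if pfd_avg >= 1e-2:
        return 1
    if pfd_avg >= 1e-3:
        return 2
    if pfd_avg >= 1e-4:
        return 3
    return 4


def assess(ti_hours, mu=1.0 / 8.0):
    """Run stages 3 to 5 for both architectures; μ = 1/8 per hour assumes an 8 h repair."""
    rates = classify(CHANNEL)
    _, avg_1oo1 = pfd_1oo1(rates["DU"], ti_hours)
    _, avg_1oo2 = pfd_1oo2(rates["DD"], rates["DU"], mu, ti_hours)
    return {"rates": rates,
            "1oo1": (avg_1oo1, sil_band(avg_1oo1)),
            "1oo2": (avg_1oo2, sil_band(avg_1oo2))}


if __name__ == "__main__":
    # Figure A5 contrasts a test every 24 hours with one every 6 months (4380 h).
    for label, ti in (("24 h", 24.0), ("6 months", 4380.0)):
        r = assess(ti)
        print(f"TI = {label}: λDU per channel = {r['rates']['DU']:.2e} /h, "
              f"1oo1 PFDavg = {r['1oo1'][0]:.2e} (SIL {r['1oo1'][1]}), "
              f"1oo2 PFDavg = {r['1oo2'][0]:.2e} (SIL {r['1oo2'][1]})")
```

The non-redundant result grows roughly as λDU × TI / 2, which is the "P = L(t) × T" behaviour of the modelling example; the 1oo2 result grows with the square of λDU × TI, which is why lengthening the proof-test interval costs a redundant device far less than a simple one. Only λDU enters the 1oo1 figure, while the 1oo2 figure also depends on λDD through the time a detected failure spends under repair.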