IEC Where do the lambda values originate?

IEC 61508 –

Where do the

lambda values originate?

Introduction

IEC 61508

–

Wo kommen die Lambda-Werte her?

Why to ask this question?

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

IEC 61508 SIL

PFD / PFH SFF

FMEDA

λ_safe, λ_dd, λ_du

Failure rate λ, failure modes, failure mode distribution

Ca lc ul at e Calc ulat e

What is Lambda?

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

„ It‘s the 11th letter of the Greek alphabet.

„ It’s a failure rate expressing the probability that a component fails in time.

„ It is expressed in failures per hour (normally: failures / 109 _{hours = FIT).}

„ A constant failure rate is assumed by the probabilistic estimation method.

„ The useful lifetime of components must not be exceeded.

„ The reference conditions must be known.

„ The failure rate must be divided into the following classified failure rates:

„ λ_safe(Failure rate of all safe failures)

„ λ_dangerous (Failure rate of all dangerous failures)

λ_dd(Failure rate of all dangerous detected failures)

Where do the lambda values originate?

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

From the manufacturer of a subsystem ! Question to the end-user ??? From the assessor / certification body ! From the From data

Sources of failure rates

„

SN 29500

„

IEC 62380 Ed.1 /TR

(formerly known as UTE C 80-810)

„

RAC FMD-91 and RAC FMD-97

„

Bellcore (Telcordia)

standards TR-332 Issue 6 and SR-332 Issue 1

„

MIL HDBK 217F

„

exida

Electrical & Mechanical Component

Reliability Handbook

„

NSWC-98/LE1

IEC 61508

–

Wo kommen die Lambda-Werte her?

Sources of failure modes and failure mode distribution

„

RAC FMD-91 and RAC FMD-97

„

IEC 62061

„

EN 954-2

(failure modes only)

„

IEC 61496-1

(failure modes only)

„

EN 298

(failure modes only)

„

IEC 62380 Ed.1 /TR

(formerly known as UTE C 80-810)

„

exida

Electrical & Mechanical Component

Reliability Handbook

IEC 61508

–

Wo kommen die Lambda-Werte her?

How to harmonize failure rates and failure mode distribution data

„ Compare available sources of failure rates and failure mode distribution data and agree on a set of data for clearly specified reference conditions.

„ Compare public sources with real field data and adjust if needed.

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

Field Failure Data FMEDA Product λ MECHANICAL COMPONENT DATABASE Product λ Compare Industry Database Update Component Database Significant Difference? Finish NO YES

Why are lambda values needed?

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

„ To calculate the probability that a certain safety function fails

λ_safe λ_dd λ_du λ_safe λ_dd λ_du λ_safe λ_dd λ_du

IEC 61508 –

Where do the

lambda values originate?

The Sensor Point of View

IEC 61508

–

Wo kommen die Lambda-Werte her?

Sources of Failures in Sensors

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

Main electronics

+

terminal

block

(simple + complex electronic components)

Sensor electronics

(simple + complex electronic components)

Sensor element

+

process

connection

(mechanical components)

Three

cases:

λ

_{simple electronic}

λ

_complex

_electronic

λ

_mechanical

One analysis

method!

λ

FMEDA –

Failure Modes, Effects and Diagnostic Analysis

Systematic Way to

„

identify and evaluate the effects of different component

failure modes

„

determine what could eliminate or reduce the chance of a

failure

„

document a system in consideration

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

What is relevant for the safe function of a subsystem?

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

safety-related not safety-related safety-related signal path diagnostics and monitoring safety-related output signal (e.g. 4..20 mA) + accuracy

input signal (e.g. pressure)

not part of the safety function

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

FMEDA for simple components

failure classification impact on safety-related output signal failure modes + probabilities failure rate

λ

simple component safe or dangerous? short circuit (10 %) open circuit (60 %) drift (0,5x/2x) (15 %/15 %) detected or undetected?

λ

from databases, tables etc.

λ

_safe

λ

_dd

λ

_du example: resistor

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

Comparison of different databases –

example: resistor

FIT = Failure In Time

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

FMEDA for complex components (e.g. ASIC, µC)

complex

component

λ

available? _{classification}failure

impact on safety-related output signal failure types + probabilities

λ

for similar type from database no. of transistors yes no

λ

values for complex components up to 200 FIT!

ASIC evaluation –

influence of diagnostic coverage

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

safe

dd

(25 %)

safe

dd

(30 %)

du

(25 %)

du

(20 %)

safe

dd

(45 %)

du

(5 %)

safe

dd

(49,5 %)

du

(0,5 %) Diagnostic Coverage DC unknown DC = 60 % DC = 90 % DC = 99 % 50 % safe 50 % dangerous

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

Mechanical Components –

Example: Pressure Sensor Element

No. possible fault consequence fault

classification Fxx Process seal failure penetration of process medium DU Fxy … … … … … … …

see next talk!

IEC 61508 –

Where do the

lambda values originate?

Actuators and

actuator controls

IEC 61508

–

Wo kommen die Lambda-Werte her?

Our Focus

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

DCS-System Sensor Safety PLC

Actuator

and

actuator

controls

Electronics and mechanics

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

Electronic part via generic data according IEC 61508

Mechanical part via field data and generic data

Electronic FMEDA

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

4x 6x 2x 2x A9 Ortssteuerstelle A1 Interface A2 Logik A52 Relaisplatine A58 Netzteil K1/K2 Wendeschütz

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

Why we also have to consider mechanics for the

analysis of the safety function?

In the European standard EN 61508-2 C.1 it is described as

follows:

“..The analysis used to determine the diagnostic coverage and

the safe failure fraction shall include all of the components,

including electronical, electrical,

electromechanical,

Determination of

Functional Safety

Parameters

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

FMEDA Failure rates

λ_safe, λ_dd, λ_du

Functional Safety Parameters

(e.g. SFF, PFD_av, PFH)

Field experience data Data from

generic handbooks Lambda values

Mechanical FMEDA

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

Motor coupling

Control unit

Worm shaft with springs, worm, bearings, etc.

Actuator gearing with hollow shaft/worm wheel

Motor

Seals

Reported failures from AUMA RBS-System for the motor

Failure

code Failure categorie

Year 2001 Year 2002 Year 2003 Year 2004 Year 2005 Year 2006 Total 303 Motor coupling 2 0 1 4 3 3 13 204 Rotor blocked 1 1 2 1 1 2 8 206 Motor windings 30 17 19 21 34 20 141 208 Motor connector 5 4 8 13 13 8 51 Motor complete 213

IEC 61508

–

Wo kommen die Lambda-Werte her?

Lambda values based on field data

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

1

2

2

2 ,

=

+

=

with

f

T

UCL

ν

χ

λ

α ν Data Comment

Numberof Failures 213 failuresreported

Total OperatingHours 6126446160 # devicesx # yearsx 8760 hours/year

% ReportedFailures 70% expensivedevice, warrantyperiod

EstimateActualFailures 305

Point Estimate-FailureRate 4,97E-08

ComplexityFactor 1 newversusolddesignifapplicable

EstimateNew ActualFailures 305 estimatedfailuresof newdesign

New Point Estimate-FailureRate 4,98E-08 per hour

ConfidenceInterval 0,7 IEC 61508, Part 2, 7.4.7.9

Upper ConfidenceLimit failurerate 5,14E-08 per hour LowerConfidenceLimit MTTF 2220,7 years

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

FMEDA for components –

safety function “Safe Close”

Component Failure Mode

Failure Effect Lb Distrib. DC Behavior _{SD SU DD DU}

Motor Blocked rotor Actuator sticks in position 5,1E-08 30% 0% D 0 0 0 5,1E-08 motor windings Actuator sticks in position 5,1E-08 60% 0% D 0 0 0 5,1E-08 Motor connector Actuator sticks in position 5,1E-08 10% 0% D 0 0 0 5,1E-08 Actuator shaft Shaft break Actuator sticks in position 1,8E-08 20% 0% D 0 0 0 1,8E-08 etc. … …

Test report

with lambda

values, SFF,

etc.

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508 –

Where do the

lambda values originate?

The Logic Solver Point of View

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

Electronic modules for dedicated functions:

ƒThe design is depending on the function

ƒQualitative considerations to select one architecture Systematic failure

ƒQuantitative considerations to select one architecture

ƒLife cycle management

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

0,10 Unterbrechung Synchronisation gestört, Fehlfunktion nicht _{auszuschließen (dangerous)} 0,60 0 1 0 0,000 0,060 0,000Synchronisations-_{überw achung (DC-Nr. = 7)}

99,998

1,20E-06 6,00E-02 0,10 Kurzschluß Fehlerausschluß siehe Kommentar 0,00 0 0 0 0,000 0,000 0,000 0,00E+00 0,00E+00 0,10 Änderung des _{Wertes auf 0,5R} keine Wirkung 0,20 1 0 0 0,020 0,000 0,000 nicht erforderlich 0,00E+00 0,00E+00 0,10 Änderung des _{Wertes auf 2R} keine Wirkung 0,20 1 0 0 0,020 0,000 0,000 nicht erforderlich 0,00E+00 0,00E+00

0,10 Unterbrechung Synchronisation gestört, Fehlfunktion nicht _{auszuschließen (dangerous)} 0,60 0 1 0 0,000 0,060 0,000Synchronisations-_{überw achung (DC-Nr. = 7)}

99,998

1,20E-06 6,00E-02 0,10 Kurzschluß Fehlerausschluß siehe Kommentar 0,00 0 0 0 0,000 0,000 0,000 0,00E+00 0,00E+00 0,10 Änderung des

Wertes auf 0,5R keine Wirkung 0,20 1 0 0 0,020 0,000 0,000 nicht erforderlich 0,00E+00 0,00E+00 0,10 Änderung des _{Wertes auf 2R} keine Wirkung 0,20 1 0 0 0,020 0,000 0,000 nicht erforderlich 0,00E+00 0,00E+00

0,10 Unterbrechung Synchronisation gestört, Fehlfunktion nicht _{auszuschließen (dangerous)} 0,60 0 1 0 0,000 0,060 0,000Synchronisations-_{überw achung (DC-Nr. = 7)}

99,998

1,20E-06 6,00E-02 0,10 Kurzschluß Fehlerausschluß siehe Kommentar 0,00 0 0 0 0,000 0,000 0,000 0,00E+00 0,00E+00 0,10 Änderung des _{Wertes auf 0,5R} keine Wirkung 0,20 1 0 0 0,020 0,000 0,000 nicht erforderlich 0,00E+00 0,00E+00 0,10 Änderung des _{Wertes auf 2R} keine Wirkung 0,20 1 0 0 0,020 0,000 0,000 nicht erforderlich 0,00E+00 0,00E+00

233 Bauelemente ₇₇7 ₃₄0 95

258,06 272,89 281,68

0,0408 272,8496 Bisher aktuelle _Werte

1 d-Fehler auf 2,98 ges. Fehler

121

2

Σ λs 258,06 fit 246,94

1 du-Fehler auf 6.696 d-Fehler _{Σ λdd} 272,85 fit 266,77

1 du-Fehler auf 19.941 ges. Fehler _{Σ λdu} 0,0408 fit 0,0407

Σ λ ∗ 281,68 fit 279,68

Σ λge s 812,63 fit

MTBF 1,23E+06 h 140,48 a

tot. safe failure rate

(s+dd) 530,91 fit tot. failure rate

(s+dd+du) 530,95 fit

dc for dangerous failures

dd / (dd + du) 99,985%

safe failure fraction

(s + dd) / (s + dd + du) 99,992% 231 R 1k _R461 Entkopplungs w iderstand in serieller Kopplung beider µCs Entkopplungs w iderstand in serieller Kopplung beider µCs 233 R 1k _R463 Entkopplungs w iderstand in serieller Kopplung beider µCs 232 R 1k R4 62

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

s u d d d d d u o k d d s d d u d d d d o k o k o k s d o k s u o k d u s d s u s u s u s u d u d u d u 3 1 2 4 2 100 Im p o s s ib le s ta te s 1 2 1 0 1 4 1 1 8 1 3 6 9 s d s d 5 s d d d , 7 F -D I, F -D O , P M -E F , P M -D F P R O F Is a fe 2 5 0 0 1 00 200 220 0 300 400 1400 12 00 1000 900 11 00 2400 800 1 30₀ 2 60₀ 23 00 70 0 60₀ 50₀ 270 0

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

Some points about evaluation results:

ƒ

Device Life cycle

ƒChange in the design leads to new values

ƒResults degradation after exchange (spare parts)

ƒManagement of device releases

ƒMission Time

ƒ

Devices with different Proof Test interval

ƒDescription of related proof test

ƒProof Test Coverage

ƒProof test has to be performed and documented

ƒIf not use of conservative values

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

Type of possible evaluations:

ƒPre evaluation

ƒEstimation of possible SIL

ƒSum of PFDs

ƒDetailled calculation

ƒBy use of own or simplified formulas

ƒISA 84

ƒVDI/VDE2180

ƒUse of certified tools

ƒIndependent

SIL Eignung PFH PFD

Proof-Test-Interval PFD

Proof-Test-Interval IM151-7 F-CPU 6ES7151-7FA01-0AB0 SIL 3 3,62E-10 1,59E-05 10 Jahre 3,18E-05 20 Jahre CPU 315F DP 6ES7315-6FF01-0AB0 SIL 3 5,42E-10 2,38E-05 10 Jahre 4,76E-05 20 Jahre CPU 315F PN/DP 6ES7315-2FH10-0AB0 SIL 3 1,09E-09 4,76E-05 10 Jahre 9,52E-05 20 Jahre CPU 317F DP 6ES7317-6FF00-0AB0 SIL 3 1,09E-09 4,76E-05 10 Jahre 9,52E-05 20 Jahre CPU 317F PN/DP 6ES7317-2FJ10-0AB0 SIL 3 1,09E-09 4,76E-05 10 Jahre 9,52E-05 20 Jahre CPU 416F-2 DP 6ES7416-2FK04-0AB0 SIL 3 1,09E-09 4,76E-05 10 Jahre 9,52E-05 20 Jahre CPU 414H 6ES7414-4HJ00-0AB0 SIL 3 1,42E-09 1,24E-04 10 Jahre 2,48E-04 20 Jahre CPU 414H 6ES7414-4HJ04-0AB0 SIL 3 4,29E-09 1,88E-04 10 Jahre 3,76E-04 20 Jahre CPU 417H 6ES7417-4HL01-0AB0 SIL 3 1,42E-09 1,24E-04 10 Jahre 2,48E-04 20 Jahre CPU 417H 6ES7417-4HL04-0AB0 SIL 3 4,29E-09 1,88E-04 10 Jahre 3,76E-04 20 Jahre ET200M

SM326 F-DI24 6ES7326-1BK01-0AB0 SIL 2 < 1,00E-08 < 1,00E-04 10/20 Jahre SM326 F-DI24 6ES7326-1BK01-0AB0 SIL 3 < 1,00E-09 < 1,00E-05 10/20 Jahre SM326 F-DO10 6ES7326-2BF01-0AB0 SIL 3 < 1,00E-09 < 1,00E-05 10/20 Jahre SM326 F-DO8 6ES7326-2BF40-0AB0 SIL 3 < 1,00E-09 < 1,00E-05 10/20 Jahre SM326 F-DI 8 Namur 6ES7326-1RF00-0AB0 SIL 2 < 1,00E-08 < 1,00E-04 10/20 Jahre SM326 F-DI 8 Namur 6ES7326-1RF00-0AB0 SIL 3 < 1,00E-09 < 1,00E-05 10/20 Jahre SM336 F-AI 6 6ES7336-1HE00-0AB0 SIL 3 < 1,00E-09 < 1,00E-05 10/20 Jahre ET200S

EM138 4/8 F-DI 6ES7138-4FA02-0AB0 SIL 2 < 1,00E-08 < 1,00E-03 10/20 Jahre EM138 4/8 F-DI 6ES7138-4FA02-0AB0 SIL 3 < 1,00E-10 < 1,00E-05 10/20 Jahre EM138 4 F-DO 6ES7138-4FB02-0AB0 SIL 3 < 1,00E-10 < 1,00E-05 10/20 Jahre EM138 PM-E F pm 6ES7138-4CF02-0AB0 SIL 3 < 1,00E-10 < 1,00E-05 10/20 Jahre EM138 PM-E F pm 6ES7138-4CF41-0AB0 SIL 3 < 1,00E-10 < 1,00E-05 10/20 Jahre EM138 4 F-DI/3 F-DO 6ES7 138-4FC00-0AB0 SIL 2 < 1,00E-08 < 1,00E-04 10/20 Jahre ET200eco

BM148 4/8 F-DI 6ES7148-3FA00-0XB0 SIL 2 < 1,00E-08 < 1,00E-03 10/20 Jahre BM148 4/8 F-DI 6ES7148-3FA00-0XB0 SIL 3 < 1,00E-10 < 1,00E-05 10/20 Jahre ET200pro

EM148 8/16 F-DI 6ES7148-4FA00-0AB0 SIL 2 < 1,00E-08 < 1,00E-03 10/20 Jahre EM148 8/16 F-DI 6ES7148-4FA00-0AB0 SIL 3 < 1,00E-09 < 1,00E-05 10/20 Jahre EM148

4/8 F-DI/ 4 F-DO 6ES7148-4FC00-0AB0 SIL 2 < 1,00E-08 < 1,00E-03 10/20 Jahre EM148

4/8 F-DI/ 4 F-DO 6ES7148-4FC00-0AB0 SIL 3 < 1,00E-09 < 1,00E-05 10/20 Jahre

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

Recommendation for complex modules:

PFD/PFH

IEC 61508 –

Where do the

lambda values originate?

… from the point of view of the mechanics

and the electronics

IEC 61508

–

Wo kommen die Lambda-Werte her?

Everything is pure chance!

„ Failure of equipment is a random incident

„ Characterisation by means of random variables

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

Bath tub curve

„ Probability of a failure is given by the so called “bath tub curve”

„ Probability of a failure depends on the operating time

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

Failure Rate versus Time @ Room Temperature 0,00E+00 2,00E-05 4,00E-05 6,00E-05 8,00E-05 1,00E-04 1,20E-04 1,40E-04 1,60E-04 0 2 4 6 8 10 12 14 F a ilu re R a te [ 1 /h ]

Characterising the bath tub curve

„ You need at least two values to characterise the curve

„ Where is the “bottom” of the bath tub?

„ When will wear out become significant?

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

Failure Rate versus Time @ Room Temperature 0,00E+00 2,00E-05 4,00E-05 6,00E-05 8,00E-05 1,00E-04 1,20E-04 1,40E-04 1,60E-04 0 2 4 6 8 10 12 14 Time [years] F a ilu re R a te [ 1 /h ]

Constant Failure Rate

Electronics versus mechanics

„ Electronic technicians are interested in the constant failure rate (λ)

„ Mechanists are dealing with life time (MTBF)

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

Failure Rate versus Time @ Room Temperature 0,00E+00 2,00E-05 4,00E-05 6,00E-05 8,00E-05 1,00E-04 1,20E-04 1,40E-04 1,60E-04 0 2 4 6 8 10 12 14 F a il u re R a te [ 1 /h ] Electronic technician Mechanists

Common fault

„ Both are making the same wrong calculation

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

λ

=

1

MTBF

Where is the problem?

„ Bath tub curve of a man

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

"Badewannenkurve" des Menschen (Deutschland)

0,00 0,01 0,02 0,03 0,04 0,05 0,06 0,07 0 10 20 30 40 50 60 70 80 A u sf al lr at e [ 1 / Jah r] Männer Frauen Electronic technician: λ ≈7,7·10-4 ⇒ _{MTBF = 1300 years} Mechanists: MTBF = 75,6 years ⇒ λ ≈1,3·10-2

Both are partly wrong!

„ The failure rate of a middle-aged man is fortunately significantly less than 1,3%

„ The MTBF of a man is (fortunately?) not 1300 years

„ To do proper calculations you need two information: - How big is the (constant) failure rate λ

- How long is this value valid (MTBF, B₁₀)

(in accordance with the IEC / EN 61508 this is 8 to 12 years under normal operating conditions)

IEC 61508

–

Wo kommen die Lambda-Werte her?

IEC 61508

–

Where do the lambda values originate?

Don