A 2-Hour Course in Gas Detection, Part 4 – Gas Detection Systems and Functional Safety
Lübeck, 9 October 2008, Dr. Wolfgang Jessel
Considering a Single Channel Safety System
Sensor / Transmitter -> Controller System -> Actuator
SE, sensing element: the gas detection transmitter detects the potentially dangerous condition.
LS, logic solver: the controller reacts to the potentially dangerous condition and activates countermeasures.
FE, final element: the activated solenoid valve averts the dangerous condition by reliably closing the gas pipe.
But: what is the probability that, when it is needed, the gas detection system fails to activate the safety function?
(Keywords on the slide: Safety System, Safety Integrity, Safety Function)
Probability of Failure on Demand - PFD
Electronic system failures are everywhere. Any electric, electronic or programmable electronic system (E/E/PES) can fail. Failures that cause the safety function to fail are called dangerous. Most hardware failures, however, are either not dangerous or at least detectable, and a detectable failure, dangerous or not, can be used to force the safety system into the safe state.
Problem: what about failures that are dangerous and cannot be detected? If a dangerous undetectable failure occurs, the safety system will not respond to a demand; it is unable to perform the safety function, and nobody is even aware of it. What is the probability that this happens? That probability is the Probability of Failure on Demand, PFD.
Reliability: Failures
Failures occur seldom, but they can occur anytime and anywhere, so a safety system must be designed and operated such that
- failures are avoided (failure avoidance);
- if they cannot be avoided, they are at least detectable (failure detection);
- and/or the system is immune to them (failure tolerance).
How is this done?
Reliability: Failures and Failure Types
The reliability of electronics is governed by four kinds of failures:
- systematic failures in hardware and system configuration,
- systematic failures in the system's controlling software,
- random (accidental) failures of the hardware,
- wear-out failures of the hardware.
Systematic failures can largely be excluded by a safety-oriented development process. Random failures are a statistical property of electronic components; their occurrence is described by failure rates λ. Wear-out failures (consumables) must be excluded by preventive maintenance and periodic replacement; they are not considered in the safety integrity assessment.
Safe and Dangerous Failures: The DU Failure
Failures are classified as Safe (S) or Dangerous (D), and as Detectable (D) or Undetectable (U), giving four classes: SD, SU, DD and DU. Depending on how the signal is evaluated, safe and detected failures can force a safety-related system into the safe state.
SD: Signal cable to the transmitter cut, signal is 0 mA, central controller detects it: safe.
SU: Output transistor becomes defective, signal is 20 mA, central controller triggers (and maintains) a gas alarm: safe, although the failure is not recognised as a failure.
DD: Dangerous RAM failure, detected by the automatic cyclic RAM test, controller reports the failure: safe.
DU: Loss of measuring function without any indication: unsafe, dangerous.
The dangerous undetected failure (failure rate λDU) is the main focus of the SIL consideration.
System Failures: How System Safety Is Affected
Three timelines (figure on the original slide, safe/fail state against time t):
- A safe failure occurs: the system nevertheless remains in the safe state (fail safe).
- A DD failure occurs but is detected: the system is in the failed state only until the failure is repaired. A DD failure must be repaired promptly after detection; MTTR = Mean Time To Restore (mostly 8 hours). This requires organisational measures.
- A DU failure occurs: the system is in the failed state, with no safety, until the failure is revealed by the next proof test (test interval TP) and then repaired (MTTR).
System Failures: The Probability of Failure on Demand
A periodically performed system test (proof test, with proof test interval TP) is intended to reveal undetected failures. A DU failure that occurs at a random point within the interval persists until the next test, so the statistical mean of the system's down-time is half the test interval TP. The probability that in case of demand the safety function cannot be performed because of a dangerous undetected failure is therefore
PFDavg = ½ · λDU · TP
PFDavg is the Average Probability of Failure on Demand: the mean probability that the system fails just at the time when it is required.
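The factor ½ in PFDavg = ½ · λDU · TP follows from the timeline above. This derivation is an addition to the course page, not part of the original slides; it uses the slide's own symbols λDU and TP.

With a constant dangerous undetected failure rate λDU, the probability that a DU failure is present at time t after the last proof test is
$$\mathrm{PFD}(t) = 1 - e^{-\lambda_{DU}\,t} \approx \lambda_{DU}\,t \qquad (\lambda_{DU}\,t \ll 1),$$
and averaging this unavailability over one proof test interval gives
$$\mathrm{PFD}_{avg} = \frac{1}{T_P}\int_{0}^{T_P} \lambda_{DU}\,t\,dt = \frac{\lambda_{DU}\,T_P}{2} = \tfrac{1}{2}\,\lambda_{DU}\,T_P .$$
The linear approximation is good as long as λDU · TP ≪ 1 (for λDU = 10^-6 h^-1 and TP = 8760 h the product is 0.0088). It also neglects the repair time: a DU failure found by the test is only removed after the MTTR, so strictly the mean down-time is TP/2 + MTTR, which for an MTTR of 8 hours against a TP of thousands of hours changes the result by well under one percent.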
Probability of Failure ... on Demand
The dangerous probability of failure on demand can be calculated as PFDavg = ½ · λDU · TP.
Example: λDU = 10^-6 h^-1 (1 failure in about 114 years), TP = 8760 h (yearly proof test): PFDavg = 0.5 · 10^-6 · 8760 = 0.00438.
Failure means: in case of demand the safety-related system cannot perform the required safety function.
Demand means: protection systems such as gas detection systems monitor continuously, but are rarely required to perform their safety function (operating mode according to EN 61508: "low demand mode").
Rule of thumb: low demand means a demand not more often than about once a year.
Safety System: SIL Rating by Using the PFDs of Subsystems
The target is to make sure that the PFD of the safety instrumented system (SIS) is sufficiently low to achieve the required SIL. The PFD of the system is obtained by adding the individual PFDs of the subsystems: sensor with interface (PFD1), evaluating system (PFD2) and actuator with interface (PFD3):
Sensor / Transmitter: PFD1; Controller System: PFD2; Actuator: PFD3
PFDsystem = PFD1 + PFD2 + PFD3
This statement concerns the complete safety-related system. Usually, however, the components of such a system come from different manufacturers and are only combined by a planning engineer. The planning engineer therefore needs the individual PFDs of the components, adds them and checks whether the sum of the PFDs meets the SIL requirement. If it does not, other components with lower PFDs must be chosen, the proof test intervals shortened, or the system (or parts of it) designed redundantly.
If PFDsystem < 0.01, the PFD requirement for Safety Integrity Level 2 (SIL 2) is met; the architectural constraints on SFF and HFT discussed later must be met as well.
Reliability: PFD and Safety Integrity Level SIL
The PFDavg is the most important criterion in the safety assessment and reliability study of a system. When a certain Safety Integrity Level SIL is required for a safety system, the PFDavg must not exceed a given value (EN 61508):

Safety Integrity Level | PFDavg (average probability not to perform the safety function on demand) | System fails once in ... demands
SIL 1 | 0.01 to < 0.1 | 11 to 100
SIL 2 | 0.001 to < 0.01 | 101 to 1 000
SIL 3 | 0.0001 to < 0.001 | 1 001 to 10 000
SIL 4 | 0.00001 to < 0.0001 | 10 001 to 100 000

Example: for SIL 2 the safety system's PFDavg must be less than 0.01.
Subsystems: The Safe Failure Fraction SFF
A Safety Instrumented System (SIS) consists of the subsystems sensor / transmitter, controller system and actuator. For each of these subsystems an FMEDA (Failure Modes, Effects and Diagnostic Analysis) can be made, which yields in particular the failure rates of the four failure classes: λSD, λSU, λDD and λDU. These failure rates are needed to calculate the share of all failures that are not dangerous undetected, in proportion to the total failure rate. This is the so-called Safe Failure Fraction:
SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU) = 1 − λDU / λtotal
Hardware Failure Tolerance: The Single Channel System
Maximum SIL that a single channel subsystem (1oo1, HFT = 0) may claim, depending on its Safe Failure Fraction:

SFF | Type A, 1oo1 | Type B, 1oo1
< 60 % | SIL 1 | not allowed
60 % to < 90 % | SIL 2 | SIL 1
90 % to < 99 % | SIL 3 | SIL 2
≥ 99 % | SIL 3 | SIL 3

Type A: simple device; the failure modes of all constituent components are well defined and the behaviour under fault conditions is completely determined. Examples: relays, relay modules, Polytron channel module.
Type B: complex device; the failure mode of at least one constituent component is not well defined or the behaviour under fault conditions is not completely determined. Examples: transmitters, digital controllers, etc.
Hardware Failure Tolerance: Different System Architectures
Maximum SIL per subsystem type, Safe Failure Fraction and architecture (1oo1: HFT = 0, 1oo2: HFT = 1, 1oo3: HFT = 2):

Type A
SFF | 1oo1 | 1oo2 | 1oo3
< 60 % | SIL 1 | SIL 2 | SIL 3
60 % to < 90 % | SIL 2 | SIL 3 | SIL 4
90 % to < 99 % | SIL 3 | SIL 4 | SIL 4
≥ 99 % | SIL 3 | SIL 4 | SIL 4

Type B
SFF | 1oo1 | 1oo2 | 1oo3
< 60 % | not allowed | SIL 1 | SIL 2
60 % to < 90 % | SIL 1 | SIL 2 | SIL 3
90 % to < 99 % | SIL 2 | SIL 3 | SIL 4
≥ 99 % | SIL 3 | SIL 4 | SIL 4

Type A: simple device; the failure modes of all constituent components are well defined and the behaviour under fault conditions is completely determined. Examples: relays, relay modules, Polytron channel module.
Type B: complex device; the failure mode of at least one constituent component is not well defined or the behaviour under fault conditions is not completely determined. Examples: transmitters, digital controllers, etc.
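The SFF definition and the two architectural-constraint tables above, as an added worked example (it is not code from the original slides or from Dräger). The four failure rates in EXAMPLE_RATES are constructed for illustration and do not come from any FMEDA report; the function and variable names are assumptions of this example:

```python
"""Safe Failure Fraction and the EN/IEC 61508 architectural constraints.

Added worked example for this course page; it is not Dräger software.
The FMEDA-style failure rates in EXAMPLE_RATES are constructed numbers
chosen for illustration, not values from any real FMEDA report.
Failure rates are in failures per hour (h^-1).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureRates:
    """Failure rates of the four classes from the slides (per hour)."""
    sd: float  # safe, detected
    su: float  # safe, undetected
    dd: float  # dangerous, detected
    du: float  # dangerous, undetected

    @property
    def total(self) -> float:
        return self.sd + self.su + self.dd + self.du


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (λSD + λSU + λDD) / λtotal = 1 - λDU / λtotal, as a fraction 0..1."""
    if r.total <= 0:
        raise ValueError("total failure rate must be positive")
    return (r.sd + r.su + r.dd) / r.total


def sff_row(sff: float) -> int:
    """Row of the constraint tables: 0: <60 %, 1: 60-<90 %, 2: 90-<99 %, 3: >=99 %."""
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must be a fraction between 0 and 1")
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


# Maximum SIL per (SFF row, HFT) for type A and type B subsystems, exactly as
# in the two tables above (IEC 61508-2 Tables 2 and 3). 0 means "not allowed".
MAX_SIL_TYPE_A = ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4))
MAX_SIL_TYPE_B = ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4))


def hft_of_1ooN(n: int) -> int:
    """A 1ooN voting group tolerates N-1 failed channels (1oo1: 0, 1oo2: 1, 1oo3: 2)."""
    if n < 1:
        raise ValueError("N must be at least 1")
    return n - 1


def max_sil_by_architecture(device_type: str, sff: float, hft: int) -> int:
    """Highest SIL the subsystem may claim from its SFF and HFT (0 = not allowed).

    This is only an upper bound: the PFDavg requirement and the systematic
    capability must be met separately, so a device may be listed with a lower
    SIL than its SFF row alone would permit.
    """
    table = {"A": MAX_SIL_TYPE_A, "B": MAX_SIL_TYPE_B}[device_type.upper()]
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2 (1oo1, 1oo2, 1oo3)")
    return table[sff_row(sff)][hft]


def system_architecture_sil(subsystems) -> int:
    """The SIS can claim no more than its weakest subsystem; items are (type, SFF, HFT)."""
    return min(max_sil_by_architecture(t, sff, hft) for t, sff, hft in subsystems)


# Constructed example rates: SFF = (1+2+3)/(1+2+3+1) = 6/7 ~ 85.7 %.
EXAMPLE_RATES = FailureRates(sd=1.0e-7, su=2.0e-7, dd=3.0e-7, du=1.0e-7)


if __name__ == "__main__":
    sff = safe_failure_fraction(EXAMPLE_RATES)
    print(f"SFF = {sff:.1%}")
    for n in (1, 2, 3):
        sil = max_sil_by_architecture("B", sff, hft_of_1ooN(n))
        print(f"type B, 1oo{n}: max SIL {sil or 'not allowed'}")
```

With the constructed rates a type B transmitter lands in the 60 % to < 90 % row, so a single channel reaches SIL 1 only and a 1oo2 pair is needed for SIL 2; the same lookup reproduces the SIL 2 of a type B device with SFF 90.88 % and the SIL 1 of one with SFF 64.88 % in the Dräger table below.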
Redundant Safety Systems
HFT = 0: no channel is allowed to fail; 1 out of 1 channel (1oo1) must activate the safety function.
HFT = 1: one channel is allowed to fail; 1 out of 2 channels (1oo2) activates the safety function.
HFT = 2: two channels are allowed to fail; 1 out of 3 channels (1oo3) activates the safety function.
Dräger Gas Detection Transmitters: SIL Capabilities

Device | SIL | Type | SFF | λDU | PFDavg (TP = 1 year) | Assessment by | Performance approval
PEX 3000 with Ex-Sensor PR M 2 | 2 | B | 90.4 % | 1.27E-07 h^-1 | 0.000556 | Dräger, with Exida FMEDA tool | yes
Polytron Ex and Ex R with Ex-Sensor PR M 2 | 2 | A | 91.5 % | 1.20E-07 h^-1 | 0.000526 | Dräger, with Exida FMEDA tool | yes
Polytron 3000 with EC-Sensor | 1 | B | 64.88 % | 4.43E-07 h^-1 | 0.00194 | Dräger, with Exida FMEDA tool | no
Polytron 7000 | 2 | B | 90.88 % | 3.57E-07 h^-1 | 0.00156 | Exida GmbH | yes
Polytron 7000 with pump module | 2 | B | 95.99 % | 4.18E-07 h^-1 | 0.00183 | Exida GmbH | yes
Polytron 7000 with relay module | 2 | B | 90.43 % | 3.42E-07 h^-1 | 0.00150 | Exida GmbH | yes
Polytron 7000 with pump and relay module | 2 | B | 95.91 % | 4.10E-07 h^-1 | 0.00179 | Exida GmbH | yes
Polytron IR Typ 334 and Typ 340 | 2 | B | 96.5 % | 2.92E-08 h^-1 | 0.000128 | Exida GmbH | yes
Polytron Pulsar 30/120 and 100/200 m | 2 | B | 91.0 % | 1.08E-07 h^-1 | 0.000475 | Exida GmbH | no
Polytron Pulsar 4/60 m | 2 | B | 92.0 % | 1.08E-07 h^-1 | 0.000475 | Exida GmbH | no
Dräger PIR 7000 / 7200 | 2 | B | 94.99 % | 4.70E-08 h^-1 | 0.000204 | Exida GmbH, certified by TÜV | yes
Probability of Failure on Demand: An Applied Example
Sensor / transmitter: λDU = 5.71·10^-7 h^-1, TP = 4380 h (6-monthly): PFD = 0.5 · 4380 · 5.71·10^-7 = 0.00125
Controller system: λDU = 4.06·10^-6 h^-1, TP = 4380 h (6-monthly): PFD = 0.5 · 4380 · 4.06·10^-6 = 0.0089
Actuator (shut-down relay): λDU = 2.25·10^-6 h^-1, TP = 4380 h (6-monthly): PFD = 0.5 · 4380 · 2.25·10^-6 = 0.00493
PFDsystem = 0.00125 + 0.0089 + 0.00493 = 0.01508 > 0.01, so not SIL 2.
With six-monthly maintenance (TP = 4380 hours) the PFD of a Polytron 2 transmitter is 0.00125, that of a Regard evaluation system 0.0089 and that of a shut-down relay 0.00493. The sum of these PFDs is greater than 0.01, so a SIL 2 application is not possible. If, however, the proof test interval TP is shortened to 3 months, a SIL 2 application becomes possible.
Reducing the proof test interval TP to 3 months (2190 hours):
PFDsystem = 0.000625 + 0.00445 + 0.00247 = 0.007545 < 0.01, so SIL 2 is possible,
provided that the architectural constraints are also met: an SFF of at least 90 % for type B subsystems and at least 60 % for type A subsystems (1oo1).
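The PFD budget calculation of this example, together with the PFDavg formula, the SIL band table and the "SIL 2 budget" percentages quoted for the transmitters below, as an added worked example (it is not code from the original slides or from Dräger). The three λDU values in SLIDE_LOOP are the ones printed on the slide above; the names and the max_proof_test_interval_h function are assumptions of this example:

```python
"""PFDavg budget of a low-demand gas detection loop (EN 61508).

Added worked example for this course page; it is not Dräger software.
The λDU values in SLIDE_LOOP are the three printed on the slide above
(transmitter, controller, shut-down relay); everything else is illustration.
"""

HOURS_PER_YEAR = 8760.0

# Upper PFDavg limit (exclusive) of each SIL, from the SIL table on this page.
PFD_UPPER_LIMIT = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}


def pfd_avg(lambda_du: float, proof_test_interval_h: float) -> float:
    """PFDavg = ½ · λDU · TP for one single-channel (1oo1) subsystem.

    Assumes λDU·TP << 1 and neglects the repair time MTTR, exactly as the slides do.
    """
    if lambda_du < 0 or proof_test_interval_h <= 0:
        raise ValueError("λDU must be >= 0 and TP > 0")
    return 0.5 * lambda_du * proof_test_interval_h


def system_pfd(lambda_du_by_subsystem: dict, proof_test_interval_h: float) -> float:
    """PFDsystem = PFD1 + PFD2 + PFD3 (all subsystems proof-tested at the same TP)."""
    return sum(pfd_avg(l, proof_test_interval_h) for l in lambda_du_by_subsystem.values())


def sil_from_pfd(pfd: float) -> int:
    """SIL whose PFDavg band contains pfd; 0 if worse than SIL 1 (PFDavg >= 0.1).

    Anything below 1e-5 is still reported as SIL 4, the highest level defined.
    """
    for sil in (4, 3, 2, 1):
        if pfd < PFD_UPPER_LIMIT[sil]:
            return sil
    return 0


def max_proof_test_interval_h(lambda_du_by_subsystem: dict, target_sil: int) -> float:
    """Longest TP keeping PFDsystem below the SIL limit: ½·TP·ΣλDU < PFDmax => TP < 2·PFDmax/ΣλDU."""
    total = sum(lambda_du_by_subsystem.values())
    if total <= 0:
        raise ValueError("at least one subsystem must have λDU > 0")
    return 2.0 * PFD_UPPER_LIMIT[target_sil] / total


def sil2_budget_share(pfd: float) -> float:
    """Fraction of the SIL 2 PFD budget (0.01) consumed by one subsystem."""
    return pfd / PFD_UPPER_LIMIT[2]


# λDU values printed on the slide above, in h^-1.
SLIDE_LOOP = {"transmitter": 5.71e-7, "controller": 4.06e-6, "shutdown_relay": 2.25e-6}


def report(lambda_du_by_subsystem: dict, proof_test_interval_h: float) -> dict:
    """Per-subsystem PFDs, the system PFD and the SIL reached at the given TP."""
    parts = {n: pfd_avg(l, proof_test_interval_h) for n, l in lambda_du_by_subsystem.items()}
    total = sum(parts.values())
    return {"parts": parts, "system": total, "sil": sil_from_pfd(total)}


if __name__ == "__main__":
    for months in (12, 6, 3):
        tp = HOURS_PER_YEAR * months / 12
        r = report(SLIDE_LOOP, tp)
        print(f"TP = {tp:6.0f} h ({months:2d} months): PFDsystem = {r['system']:.5f} -> SIL {r['sil']}")
        for name, p in r["parts"].items():
            print(f"    {name:15s} PFD = {p:.5f}  ({sil2_budget_share(p):.0%} of the SIL 2 budget)")
    tp_max = max_proof_test_interval_h(SLIDE_LOOP, 2)
    print(f"Longest TP for SIL 2 with this loop: {tp_max:.0f} h "
          f"(about {tp_max / HOURS_PER_YEAR * 12:.1f} months)")
```

Running it reproduces the slide: about 0.0151 at 6 months (SIL 1) and about 0.0075 at 3 months (SIL 2). The per-subsystem budget lines also make the practical point visible: the controller alone consumes almost 90 % of the SIL 2 budget at six-monthly testing, so it is the subsystem to replace first if shortening the proof test interval is not acceptable. The maximum interval for SIL 2 with these three λDU values comes out at roughly 2900 h, i.e. about four months.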
Polytron 7000 SIL Capability
λDU = 3.57·10^-7 h^-1, SFF = 90.88 % (FMEDA by Exida GmbH)

Device | PFD (TP = 1 year)
Transmitter 4-20 mA | 0.00156
Transmitter 4-20 mA, with pump | 0.00183
Transmitter without 4-20 mA, with relay output | 0.00150
Transmitter without 4-20 mA, with relay output and pump | 0.00179

Even with yearly maintenance the average PFD values are considerably lower than 0.01. With PFD = 1.56·10^-3 at TP = 1 year the transmitter uses 15.6 % of the SIL 2 budget (0.01). Very suitable for SIL 2 applications, with sufficient margin for the further safety-relevant devices needed for the complete system.
Pulsar SIL Capability
λDU = 1.09·10^-7 h^-1, SFF = 91.9 % (FMEDA by Exida GmbH)
PFD = 4.75·10^-4 at TP = 1 year, i.e. 4.8 % of the SIL 2 budget (0.01).
Even with yearly maintenance the average PFD values are considerably lower than 0.01. Very suitable for SIL 2 applications, with sufficient margin for the further safety-relevant devices needed for the complete system.
Polytron IR SIL Capability
λDU = 2.92·10^-8 h^-1, SFF = 96.5 % (FMEDA by Exida GmbH)
PFD = 1.28·10^-4 at TP = 1 year, i.e. 1.3 % of the SIL 2 budget (0.01).
Even with yearly maintenance the average PFD values are considerably lower than 0.01. Very suitable for SIL 2 applications, with sufficient margin for the further safety-relevant devices needed for the complete system.
Dräger PIR 7000 / 7200 SIL Capability and Certificate
λDU = 4.7·10^-8 h^-1, SFF = 94.9 % (FMEDA by Exida GmbH)
PFD = 2.04·10^-4 at TP = 1 year, i.e. 2 % of the SIL 2 budget (0.01).
Even with yearly maintenance the average PFD values are considerably lower than 0.01. Very suitable for SIL 2 applications, with sufficient margin for the further safety-relevant devices needed for the complete system.
Gas Detection Systems: Responsibility of the Customer
The SIL standard does not consider consumables, so the periodic maintenance (proof test interval TP) addresses the electrics and electronics. Consumables must be renewed (preventive replacement). Electrochemical and catalytic sensors, for example, have to be tested according to the manufacturer's recommendations or, considering the actual site conditions, at shorter intervals, to ensure the measuring function including alarm triggering and that the target gas can freely reach the sensor. The manufacturer not only issues the declaration of SIL conformity but also safety instructions, which among other things describe the scope of the periodic proof tests. The customer must establish organisational measures so that during the entire operating time of the safety-related system all safety-relevant requirements are met, especially:
- periodic maintenance and function tests,
- management of replacement parts,
- modifications of the safety system,
- commissioning and decommissioning.
Safety for the whole life cycle!
Summary: What Did We Learn?
Electronics may fail; only dangerous undetected failures go unnoticed and therefore cause problems. By periodic proof tests a safety system can be virtually renewed. The average PFD can be calculated for subsystems and complete safety systems, and it must be lower than a given limit for a given SIL. The Safe Failure Fraction can be calculated and must be higher than a given percentage for a given SIL, depending on the type of subsystem and its hardware failure tolerance (HFT). The complete operation, from commissioning to decommissioning, must fulfil special safety requirements depending on the Safety Integrity Level. Safety for the whole life cycle!
Thank you for your attention.