
8/19/16

Safe Failures Aren't Always Your Best Friend

Audio is provided via internet. Please enable your speaker (in all places) and mute your microphone.

Safe Failures Aren't Always Your Best Friend

Audio is provided via internet. Please enable your speaker (in all places).
Please type any questions you may have at any time into the Questions tab on the panel. Questions will be read and answered at the end of the webinar.
All registrants will receive a print out of slides and a link to a recording of this webinar.

Copyright exida.com LLC 2000-2016 2

Copyright exida.com LLC 2000-2014 1



Abstract
It is important that a plant does not encounter spurious trips, which disrupt the process and lose time and money. Even more important is preventing the occurrence of an accident that could result in the loss of a plant, damage to the environment, or even loss of life.

This webinar will discuss why calculating the spurious trip rate is important and what can be done with that number (saving time and money). It will also cover dangerous detected failures, how they play a part in the Safe Failure Fraction calculation, and how they compare to spurious trips. It will also present how simple mechanical devices and/or final elements can still take part in SIL ratings by means of the 2H method of evaluation without adding safe failures.


Loren Stewart, CFSP

Loren Stewart graduated from Virginia Tech with a BSME. She has over 8 years of professional experience originating in custom design and manufacturing. She currently works for exida consulting as a safety engineer, focusing on the mechanical aspects for their customers. Along with assessing the safety of products and certifications, she continually researches and publishes reports on stiction and mechanical failure rates, and created a database for the 2H initiative according to IEC 61508.


exida Worldwide Locations


Main Product / Service Categories

Consulting: Process Safety (IEC 61511, IEC 62061, ISO 26262), Control System Security (ISA S99), Alarm Management, Safety Case, FMEDA Development
Engineering Tools: exSILentia (PHAx, SIL Selection, LOPAx, SRS, SIL Verification), SILAlarm, SILStat, CyberPHAx
Product Certification: Functional Safety (IEC 61508), Control System Cyber-Security, Network Robustness (Achilles)
Training: Process Safety, Control System Security, Alarm Management; Onsite and Offsite
Reference Materials: Databases, Tutorials, Textbooks, Reference Books, Market Studies
Professional Certification: CFSE, CFSP; includes Automotive, CACE/CACS, Hardware, Machinery, Process, Software

Processes - Products - People



exida Certification
exida has established schemes for functional safety and cybersecurity certification of Systems, Products, Components, and Personnel.
Functional Safety Certification involves a detailed analysis of both the engineering process and the design margins, resulting in a random failure rate for every failure mode.
Cybersecurity Certification involves a detailed analysis of the engineering process, cyber defense mechanisms, and network robustness.


Reference Materials

exida authored most industry references for automation safety and reliability.
exida authored the industry data handbook on equipment failure data.
exida authored the most comprehensive book on functional safety in the market.


Safe Failures Aren't Always Your Best Friend


Topics
Safe failures: Friend or Foe?
How to use the safe failure rates to your benefit
How Dangerous Detected Failures affect your plant
Calculations using Safe and Dangerous Detected Failure rates
How simple mechanical devices or final elements can still participate in SIL with low or no safe failures
2H: What is it, who should use it and how?


Safe failures: friend or foe?

Pros:
Helps your Safe Failure Fraction
Shows your system is working properly
Better than a dangerous or undiscovered failure

Cons:
Shuts your process down
Loses time and money
You have to document and investigate why it happened


How to use safe failure rates to your benefit
By calculating the safe failure rate λS a company can:
lower the safe failure rate by changing the system's architecture, for example to a 2oo3 architecture, etc.
find and lower the Mean Time to Fail Safe (MTTFS)


Dangerous detected failures λDD

Great! You detected a dangerous failure! But...

Your process is still down
You are losing time and money being down
You must document the failure and investigate why it happened
You now need to show how this will not happen again

This is just as bad as (actually worse than) a spurious trip


Dangerous detected failures λDD

Dangerous detected failures are not only used in the safe failure fraction, but also in the PFDavg calculation
The PFDavg calculation includes the system architecture
Complex modeling can be done in software such as ExSILentia


Actuator Certificate Data

λD = 4.12E-08

Where is the safe failure rate?


What does the standard say?

The design process must show sufficient steps to achieve design integrity against systematic design faults, or proven-in-use.
Hardware must show compliance via:
Architectural constraints on hardware safety integrity (meet SFF, or route 2H)
Requirements for the probability of dangerous random hardware failures (low λDU failure rate)
Requirements for the system behavior on detection of a fault


HW Compliance Routes
7.4.4 The highest safety integrity level that can be claimed for a safety function is limited by the hardware safety integrity constraints which shall be achieved by implementing one of two possible routes:
Route 1H based on hardware fault tolerance and safe failure fraction concepts (as in the previous release)
or
Route 2H based on component reliability data from feedback from end users, increased confidence levels and hardware fault tolerance (similar to IEC 61511) for specified safety integrity levels;
SIL 4: HFT = 2; Type B: DC >= 60%
SIL 3: HFT = 1; Type B: DC >= 60%
SIL 2: High demand and continuous mode: HFT = 1; Type B: DC >= 60%
SIL 2: Low demand: HFT = 0; Type B: DC >= 60%

(What is this safe failure fraction metric?)

7.4.4.3.3 If route 2H is selected, then the reliability data uncertainties shall be taken into account when calculating the target failure measure (i.e. PFDavg or PFH) and the system shall be improved until there is a confidence greater than 90 % that the target failure measure is achieved.


IEC 61508 Safe Failure Fraction

SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU)

SFF is defined as the ratio of (the rate of safe failures plus the rate of dangerous failures detected by automatic diagnostics) to (the total average failure rate) of the subsystem. It is the percentage of failures that can be considered safe. It is defined for a single channel (no redundancy, 1oo1).

How do we get these numbers to calculate a safe failure fraction?

The best method is called an FMEDA.
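As an added example (not from the slides), the SFF formula above turned into code alongside the two things the SFF is then used for on this page: the Route 1H hardware-fault-tolerance tables and the Route 2H rule set. The Route 1H type A / type B tables are taken from IEC 61508-2:2010 (the slides show only the Route 2H column); the FMEDA rates, including the DD/DU split of the actuator certificate's 41.2 FIT dangerous rate, are constructed for illustration.

```python
# Added example, not from the slides: SFF from FMEDA failure rates and what
# each hardware route then allows. Rates are in FIT (1 FIT = 1e-9 per hour).
from dataclasses import dataclass

@dataclass
class Fmeda:
    sd: float  # lambda_SD, safe detected (FIT)
    su: float  # lambda_SU, safe undetected (FIT)
    dd: float  # lambda_DD, dangerous detected (FIT)
    du: float  # lambda_DU, dangerous undetected (FIT)

def sff(r: Fmeda) -> float:
    """Safe failure fraction of a single channel (1oo1), as on the slide."""
    total = r.sd + r.su + r.dd + r.du
    return (r.sd + r.su + r.dd) / total if total else 0.0

def mttfs_years(r: Fmeda) -> float:
    """Mean time to fail safe (spurious trip) = 1 / (lambda_SD + lambda_SU)."""
    safe_per_hour = (r.sd + r.su) * 1e-9
    return float("inf") if safe_per_hour == 0 else 1 / safe_per_hour / 8760

# Route 1H: highest SIL claimable per SFF band and HFT (0, 1, 2), from the
# IEC 61508-2 type A / type B tables; the slides show only the Route 2H column.
# Bands: SFF < 60 %, 60-90 %, 90-99 %, >= 99 %. 0 means "not allowed".
TYPE_A = [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (2.0, (3, 4, 4))]
TYPE_B = [(0.60, (0, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (2.0, (3, 4, 4))]

def route_1h_max_sil(r: Fmeda, hft: int, type_b: bool = False) -> int:
    s = sff(r)
    for upper, sils in (TYPE_B if type_b else TYPE_A):
        if s < upper:
            return sils[hft]
    raise ValueError("SFF out of range")

# Route 2H: no SFF at all; minimum HFT per SIL is the table on the later slide.
ROUTE_2H_MIN_HFT = {1: 0, 2: 0, 3: 1, 4: 2}

def route_2h_ok(sil: int, hft: int) -> bool:
    return hft >= ROUTE_2H_MIN_HFT[sil]

if __name__ == "__main__":
    # Constructed DD/DU split of the certificate's 41.2 FIT dangerous rate; the
    # actuator has no safe failure mode, so SFF is low and MTTFS is infinite.
    valve = Fmeda(sd=0, su=0, dd=10, du=31.2)
    print(f"SFF {sff(valve):.1%} -> Route 1H type A, HFT 0: SIL {route_1h_max_sil(valve, 0)}")
    # A constructed 300 FIT safe failure mode lifts SFF into the 90-99 % band
    # (SIL 3 at HFT 0) at the price of a spurious trip roughly every 380 years.
    noisy = Fmeda(sd=300, su=0, dd=10, du=31.2)
    print(f"SFF {sff(noisy):.1%}, MTTFS {mttfs_years(noisy):.0f} years, "
          f"SIL {route_1h_max_sil(noisy, 0)}; Route 2H, SIL 3 at HFT 1: {route_2h_ok(3, 1)}")
```

The second device is the deck's point in numbers: the extra safe failure mode buys a better SFF and a higher Route 1H SIL at HFT 0, but every one of those safe failures is a spurious trip that stops the process.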


What about simple mechanical devices? What about final elements?

SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU)

Where can I have safe failures in a simple mechanical device?

What if I am doing everything right: proof testing when I should be, including leak detection and partial valve stroke testing, and I still cannot make SIL 3 or even SIL 2 because of the SFF?


Product Types

Type A: A subsystem can be regarded as type A if, for the components required to achieve the safety function
a) the failure modes of all constituent components are well defined; and
b) the behavior of the subsystem under fault conditions can be completely determined; and
c) there is sufficient dependable failure data from field experience to show that the claimed rates of failure for detected and undetected dangerous failures are met.
Type B: everything else!
IEC 61508, Part 2, Section 7.4.3.1.2

Two Alternative Means for HFT Requirements
Route 1H: Safe Failure Fraction is calculated and two tables are used to determine the minimum Hardware Fault Tolerance (minimum redundancy) for a given SIL level for each element.

Route 2H: Failure rates are based on a method that gives 90% confidence in the results. No SFF is calculated. Minimum Hardware Fault Tolerance is determined by a set of rules.


IEC 61508: 2010 - Route 2H

Reduce the architectural constraint based on high confidence (90%) in the quality of the failure data (SILStat)

90% confidence is more than a statistical analysis. A high quality data collection system is required. Application and environmental conditions must be similar.

2H Route


2H Route continued


IEC 61508 Route 2H Architecture Constraints

SIL   Minimum Hardware Fault Tolerance
1     0
2     0
3     1
4     2

No SFF
Identical to the IEC 61508 Type B table for SFF 90%-99% and the Type A table for SFF 60%-90%
Same as IEC 61511-2003 with proven in use for field devices.

IEC 61511 Architecture Constraints: field equipment, PRIOR USE

SIL   Minimum Hardware Fault Tolerance
1     0
2     0
3     1
4     Special requirements apply (see IEC 61508)

No Type A vs. Type B
No SFF
Identical to the IEC 61508 Type B table for SFF 90%-99% and the Type A table for SFF 60%-90%


Route 2H exida Criteria

100,000,000 unit operating hours per product type
Documented, traceable field failure studies (SILStat)
Field operation for 1 year or longer
FMEDA done per 2H components


exida's 2H database
Summarizing all data collected to date through assessments.
1B+ hours on about 50% of the components in the mechanical database
Total of 100B operating hours collected

Met with magazines to discuss editorial on engineering ethics and responsibility.


ExSILentia Example

Final Element: main contributor
1311 FITs, 87 years MTTF
Improve reliability by implementing diagnostics


Safe Failures Aren't Always Your Best Friend
Safe failures aren't always a good thing, but calculating them can prove very useful to your company
Dangerous Detected Failures affect your plant just as much as spurious trips
Simple mechanical devices or final elements can still participate in SIL with low or no safe failures by use of Route 2H
exida does not want you to get spurious trips almost as much as you do not want them, but if you do get one, please do not bypass the safety system. There are much better ways to solve the problem!


excellence in dependable automation

Further questions? Email me: lstewart@exida.com
