IEC 61508 - Where Do The Lambda Values Originate?

IEC 61508 – Wo kommen die Lambda-Werte her?
IEC 61508 – Where do the lambda values originate?
IEC 61508 – Where do the

lambda values originate?
Introduction
Dipl.-Ing. (Univ.) Stephan Aschenbrenner, exida.com GmbH

Why to ask this question?

IEC 61508
SIL
PFD / PFH SFF

a te
at
e
l cul
l cul Ca
λsafe, λdd, λdu

Ca
FMEDA
Failure rate λ, failure modes, failure mode distribution

What is Lambda?
It‘s the 11th letter of the Greek alphabet.
It’s a failure rate expressing the probability that a component fails in time.
It is expressed in failures per hour (normally: failures / 109 hours = FIT).
A constant failure rate is assumed by the probabilistic estimation method.
The useful lifetime of components must not be exceeded.
The reference conditions must be known.
The failure rate must be divided into the following classified failure rates:
λsafe (Failure rate of all safe failures)
λdangerous (Failure rate of all dangerous failures)
λdd (Failure rate of all dangerous detected failures)
λdu (Failure rate of all dangerous undetected failures)

Where do the lambda values originate?
From the
From the assessor /
manufacturer of certification
a subsystem ! body !
Question to the
end-user ???
From data From the

books ! FMEDA !

Sources of failure rates
SN 29500
IEC 62380 Ed.1 /TR (formerly known as UTE C 80-810)
RAC FMD-91 and RAC FMD-97
Bellcore (Telcordia) standards TR-332 Issue 6 and SR-332 Issue 1
MIL HDBK 217F
exida Electrical & Mechanical Component
Reliability Handbook
NSWC-98/LE1

Sources of failure modes and failure mode distribution
RAC FMD-91 and RAC FMD-97

IEC 62061
EN 954-2 (failure modes only)
IEC 61496-1 (failure modes only)
EN 298 (failure modes only)
IEC 62380 Ed.1 /TR (formerly known as UTE C 80-810)
exida Electrical & Mechanical Component
Reliability Handbook

How to harmonize failure rates and failure mode distribution data

Compare available sources of failure rates and failure mode distribution
data and agree on a set of data for clearly specified reference conditions.
Compare public sources with real field data and adjust if needed.
Field MECHANICAL
FMEDA
Failure Product λ Compare COMPONENT
Product λ
Data DATABASE
Industry
Database YES Update
Significant
Difference?
Component
Database
NO
Finish

Why are lambda values needed?

To calculate the probability that a certain safety function fails
λsafe
λdd
λdu
λsafe
λsafe
λdd
λdd
λdu
λdu


The Sensor Point of View
Dr. Arno Götz, Endress+Hauser Messtechnik GmbH+Co. KG

Sources of Failures in Sensors

Main electronics +
terminal block Three cases:
(simple + complex
electronic components) λ λsimple electronic
λcomplex electronic
Sensor electronics
(simple + complex λmechanical
electronic components)
Sensor element +
process connection One analysis
(mechanical components) method!

FMEDA – Failure Modes, Effects and Diagnostic Analysis

Systematic Way to
identify and evaluate the effects of different component
failure modes
determine what could eliminate or reduce the chance of a
failure
document a system in consideration
Single Fault Analysis !

What is relevant for the safe function of a subsystem?

safety-related
output signal
(e.g. 4..20 mA) +
accuracy not part of the
safety function
diagnostics and safety-related
monitoring signal path
safety-related
not safety-related
input signal (e.g. pressure)

FMEDA for simple components
failure rate impact on

simple failure modes failure
safety-related
component λ + probabilities
output signal
classification
example: short circuit safe

resistor (10 %) or
λ dangerous? λsafe
from open circuit
(60 %)
λdd
databases, detected
tables etc. λdu
drift (0,5x/2x) or
(15 %/15 %) undetected?

Comparison of different databases – example: resistor
FIT = Failure In Time

1 FIT = 10-9/h

FMEDA for complex components (e.g. ASIC, µC)
complex
component
yes impact on
failure types failure
λ available? + probabilities
safety-related
classification
output signal
no
no. of
λ for λ values for complex components
transistors similar type up to 200 FIT!
from database

ASIC evaluation – influence of diagnostic coverage

50 % 50 % Diagnostic
safe dangerous Coverage DC
safe dd (25 %) du (25 %) unknown
safe dd (30 %) du (20 %) DC = 60 %
safe dd (45 %) du DC = 90 %
(5 %)
safe dd (49,5 %) du DC = 99 %
(0,5 %)

Mechanical Components – Example: Pressure Sensor Element

No. possible fault consequence fault
classification
Fxx Process seal penetration of DU
failure process medium
Fxy … … …
… … … …
see next talk!


Actuators and
actuator controls
Dipl. Ing. (FH) Peter Malus AUMA Riester GmbH&Co.KG

Our Focus
DCS-System
Safety PLC
Actuator
Sensor and
actuator controls

Electronics and mechanics Electronic part via generic

data according IEC 61508
Mechanical part via field data

and generic data

Electronic FMEDA
4x
6x
2x
2x
K1/K2 Wendeschütz
A58 Netzteil
A52 Relaisplatine
A2 Logik
A1 Interface
A9 Ortssteuerstelle
XK Elektroanschluß Kunde XA Schnittstelle Antrieb

Why we also have to consider mechanics for the

analysis of the safety function?
In the European standard EN 61508-2 C.1 it is described as

follows:
“..The analysis used to determine the diagnostic coverage and
the safe failure fraction shall include all of the components,
including electronical, electrical, electromechanical,
mechanical, etc…”

Data from
Field experience data
generic handbooks
Lambda values
Determination of
Functional Safety FMEDA
Parameters
Failure rates
λsafe, λdd, λdu
Functional Safety Parameters

(e.g. SFF, PFDav, PFH)

Mechanical FMEDA Actuator gearing with

hollow shaft/worm wheel
Worm shaft with springs, worm,
Motor coupling bearings, etc.
Motor
Control unit Seals

Via field experience data
Via generic data from Exida handbook

Reported failures from AUMA RBS-System for the motor

Failure Year Year Year Year Year Year
Failure categorie Total
code 2001 2002 2003 2004 2005 2006
303 Motor coupling 2 0 1 4 3 3 13
204 Rotor blocked 1 1 2 1 1 2 8
206 Motor windings 30 17 19 21 34 20 141
208 Motor connector 5 4 8 13 13 8 51
Motor complete 213

Lambda values based on field data χ α2 ,ν

λUCL = with ν = 2 f + 1
2T
Data Comment
Number of Failures 213 failures reported
Total Operating Hours 6126446160 # devices x # years x 8760 hours/year
% Reported Failures 70% expensive device, warranty period
Estimate Actual Failures 305
Point Estimate - Failure Rate 4,97E-08
Complexity Factor 1 new versus old design if applicable
Estimate New Actual Failures 305 estimated failures of new design
New Point Estimate - Failure Rate 4,98E-08 per hour
Confidence Interval 0,7 IEC 61508, Part 2, 7.4.7.9
Upper Confidence Limit failure rate 5,14E-08 per hour
Lower Confidence Limit MTTF 2220,7 years

FMEDA for components – safety function “Safe Close”

Component Failure Failure Effect Lb Distrib. DC Behavior SD SU DD DU
Mode
Motor Blocked Actuator sticks 5,1E-08 30% 0% D 0 0 0 5,1E-08
rotor in position
motor Actuator sticks 5,1E-08 60% 0% D 0 0 0 5,1E-08

windings in position
Motor Actuator sticks 5,1E-08 10% 0% D 0 0 0 5,1E-08

connector in position
Actuator Shaft Actuator sticks 1,8E-08 20% 0% D 0 0 0 1,8E-08

shaft break in position
etc. … …

Test report
with lambda
values, SFF,
etc.


The Logic Solver Point of View
Bernard Mysliwiec, Siemens AG, A&D AS

The different parts of SN29500

Electronic modules for dedicated functions:

The design is depending on the function
Qualitative considerations to select one architecture
Systematic failure
Quantitative considerations to select one architecture
Life cycle management
…

Electronic module example of wiring:

Example of FMEDA results:
99,998
Synchronisation gestört, Fehlf unktion nicht Synchronisations-
0,10 Unterbrechung 0,60 0 1 0 0,000 0,060 0,000 1,20E-06 6,00E-02
auszuschließen (dangerous) überw achung (DC-Nr. = 7)
Entkopplungs
w iderstand in 0,10 Kurzschluß Fehlerausschluß siehe Kommentar 0,00 0 0 0 0,000 0,000 0,000 0,00E+00 0,00E+00
R461
1k
231
R serieller Kopplung
0,10
Ä nderung des
keine Wirkung 0,20 1 0 0 0,020 0,000 0,000 nicht erf orderlich 0,00E+00 0,00E+00
beider µCs Wertes auf 0,5R
Ä nderung des
0,10 keine Wirkung 0,20 1 0 0 0,020 0,000 0,000 nicht erf orderlich 0,00E+00 0,00E+00
Wertes auf 2R
99,998
Entkopplungs
R462
1k
232
R
serieller Kopplung Ä nderung des

Ä nderung des
Wertes auf 2R
99,998
Entkopplungs
R463
1k
233
R
serieller Kopplung Ä nderung des

Ä nderung des
Wertes auf 2R
258,06
272,89
281,68
Bisher aktuelle
777
340
Bauelemente 0,0408 272,8496
95
233
Werte
1212
1 d-Fehler auf 2,98 ges. Fehler Σλs 258,06 f it 246,94
1 du-Fehler auf 6.696 d-Fehler Σ λ dd 272,85 f it 266,77
1 du-Fehler auf 19.941 ges. Fehler Σ λ du 0,0408 f it 0,0407
Σλ ∗ 281,68 f it 279,68
Σ λ ge s 812,63 f it
MTBF 1,23E+06 h
140,48 a
tot. s afe failure rate
530,91 f it
(s +dd)
tot. failure rate
530,95 f it
(s +dd+du)
dc for dangerous failures

99,985%
dd / (dd + du)
safe failure fraction

99,992%
(s + dd) / (s + dd + du)

Example of Markov model:
F -D I, F -D O , P M -E F , P M -D F P R O F Is a fe
ok 2500
ok
0 210
40 0
00
14
2200
300
20 100
4 3 0 1
2
ok ok ok
ok
du dd sd
su
0
2 40
2700
23
0
11 80
00
2600
00
1200
1000
5 00
60
70
90
1300
0
0
0
du su sd dd dd sd su su
du du du du dd su su dd
14 11 8 13 12 6 9 10
sd sd
5 , 7
Im p o s s ib le s ta te s
sd dd

Some points about evaluation results:

Device Life cycle
Change in the design leads to new values
Results degradation after exchange (spare parts)
Management of device releases
Mission Time
Devices with different Proof Test interval

Description of related proof test
Proof Test Coverage
Proof test has to be performed and documented
If not use of conservative values
Proof test through end user

Type of possible evaluations:

Pre evaluation
Estimation of possible SIL
Sum of PFDs
Detailled calculation
By use of own or simplified formulas
ISA 84
VDI/VDE2180
Use of certified tools
Independent
Manufacturer specific

Recommendation for complex modules:

Proof-Test- Proof-Test-
PFD/PFH
SIL Eignung PFH PFD Interval PFD Interval
IM151-7 F-CPU 6ES7151-7FA01-0AB0 SIL 3 3,62E-10 1,59E-05 10 Jahre 3,18E-05 20 Jahre
CPU 315F DP 6ES7315-6FF01-0AB0 SIL 3 5,42E-10 2,38E-05 10 Jahre 4,76E-05 20 Jahre
CPU 315F PN/DP 6ES7315-2FH10-0AB0 SIL 3 1,09E-09 4,76E-05 10 Jahre 9,52E-05 20 Jahre
CPU 317F DP 6ES7317-6FF00-0AB0 SIL 3 1,09E-09 4,76E-05 10 Jahre 9,52E-05 20 Jahre
SIL capability
CPU 317F PN/DP 6ES7317-2FJ10-0AB0 SIL 3 1,09E-09 4,76E-05 10 Jahre 9,52E-05 20 Jahre
CPU 416F-2 DP 6ES7416-2FK04-0AB0 SIL 3 1,09E-09 4,76E-05 10 Jahre 9,52E-05 20 Jahre
CPU 414H 6ES7414-4HJ00-0AB0 SIL 3 1,42E-09 1,24E-04 10 Jahre 2,48E-04 20 Jahre
CPU 414H 6ES7414-4HJ04-0AB0 SIL 3 4,29E-09 1,88E-04 10 Jahre 3,76E-04 20 Jahre
CPU 417H 6ES7417-4HL01-0AB0 SIL 3 1,42E-09 1,24E-04 10 Jahre 2,48E-04 20 Jahre
CPU 417H 6ES7417-4HL04-0AB0 SIL 3 4,29E-09 1,88E-04 10 Jahre 3,76E-04 20 Jahre
ET200M
SM326 F-DI24 6ES7326-1BK01-0AB0 SIL 2 < 1,00E-08 < 1,00E-04 10/20 Jahre
SM326 F-DI24 6ES7326-1BK01-0AB0 SIL 3 < 1,00E-09 < 1,00E-05 10/20 Jahre
SM326 F-DO10 6ES7326-2BF01-0AB0 SIL 3 < 1,00E-09 < 1,00E-05 10/20 Jahre
SM326 F-DO8 6ES7326-2BF40-0AB0 SIL 3 < 1,00E-09 < 1,00E-05 10/20 Jahre
SM326 F-DI 8 Namur 6ES7326-1RF00-0AB0 SIL 2 < 1,00E-08 < 1,00E-04 10/20 Jahre
SM326 F-DI 8 Namur 6ES7326-1RF00-0AB0 SIL 3 < 1,00E-09 < 1,00E-05 10/20 Jahre
SM336 F-AI 6 6ES7336-1HE00-0AB0 SIL 3 < 1,00E-09 < 1,00E-05 10/20 Jahre
ET200S
EM138 4/8 F-DI 6ES7138-4FA02-0AB0 SIL 2 < 1,00E-08 < 1,00E-03 10/20 Jahre
EM138 4 F-DO 6ES7138-4FB02-0AB0 SIL 3 < 1,00E-10 < 1,00E-05 10/20 Jahre
EM138 PM-E F pm 6ES7138-4CF02-0AB0 SIL 3 < 1,00E-10 < 1,00E-05 10/20 Jahre
EM138 PM-E F pm 6ES7138-4CF41-0AB0 SIL 3 < 1,00E-10 < 1,00E-05 10/20 Jahre
EM138 4 F-DI/3 F-DO 6ES7 138-4FC00-0AB0 SIL 2 < 1,00E-08 < 1,00E-04 10/20 Jahre
ET200eco
BM148 4/8 F-DI 6ES7148-3FA00-0XB0 SIL 2 < 1,00E-08 < 1,00E-03 10/20 Jahre
BM148 4/8 F-DI 6ES7148-3FA00-0XB0 SIL 3 < 1,00E-10 < 1,00E-05 10/20 Jahre
ET200pro
EM148
4/8 F-DI/ 4 F-DO 6ES7148-4FC00-0AB0 SIL 2 < 1,00E-08 < 1,00E-03 10/20 Jahre
EM148
4/8 F-DI/ 4 F-DO 6ES7148-4FC00-0AB0 SIL 3 < 1,00E-09 < 1,00E-05 10/20 Jahre
sicherheitsgerichte

Kommunikation
F-CPU <-> F-I/O SIL 3 <1,00E-09 <1,00E-05 10/20 Jahre

… from the point of view of the mechanics
and the electronics
Dr. Andreas Hildebrandt, Pepperl + Fuchs GmbH

Everything is pure chance!

Failure of equipment is a random incident
Characterisation by means of random variables
Source: iStockphoto

Bath tub curve

Probability of a failure is given by the so called “bath tub curve”
Probability of a failure depends on the operating time
Failure Rate versus Time
@ Room Temperature
1,60E-04
1,40E-04
1,20E-04
Failure Rate [1/h]
1,00E-04
8,00E-05
6,00E-05
4,00E-05
2,00E-05
0,00E+00
0 2 4 6 8 10 12 14
Time [years]

Characterising the bath tub curve

You need at least two values to characterise the curve
Where is the “bottom” of the bath tub?
When will wear out become significant?
@ Room Temperature
1,60E-04
1,40E-04
1,20E-04 Wear Out

Failure Rate [1/h]
1,00E-04
8,00E-05
Constant Failure Rate
6,00E-05
4,00E-05
2,00E-05
0,00E+00
0 2 4 6 8 10 12 14
Time [years]

Electronics versus mechanics

Electronic technicians are interested in the constant failure rate (λ)
Mechanists are dealing with life time (MTBF)
@ Room Temperature
1,60E-04
1,40E-04
Mechanists
1,20E-04
Failure Rate [1/h]
1,00E-04
Electronic technician
8,00E-05
6,00E-05
4,00E-05
2,00E-05
0,00E+00
0 2 4 6 8 10 12 14
Time [years]

Common fault
Both are making the same wrong calculation
1
MTBF =
λ
Nonsense!

Where is the problem?

Bath tub curve of a man
"Badewannenkurve" des Menschen (Deutschland)
0,07
0,06
Mechanists:
MTBF = 75,6 years ⇒ λ ≈ 1,3·10-2
0,05
Ausfallrate [1 / Jahr]
Electronic technician:
λ ≈ 7,7·10-4 ⇒ MTBF = 1300 years
0,04
Männer
Frauen
0,03
0,02
0,01
0,00
0 10 20 30 40 50 60 70 80
© Statistisches Bundesamt, Wiesbaden, 2004 Lebensalter [Jahre]

Both are partly wrong!

The failure rate of a middle-aged man is fortunately
significantly less than 1,3%
The MTBF of a man is (fortunately?) not 1300 years
To do proper calculations you need two information:
- How big is the (constant) failure rate λ
- How long is this value valid (MTBF, B10)
(in accordance with the IEC / EN 61508 this is
8 to 12 years under normal operating conditions)
Don’t misinterpret MTBF and λ

IEC 61508 - Where Do The Lambda Values Originate?

Uploaded by

Copyright:

Available Formats

IEC 61508 - Where Do The Lambda Values Originate?

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

IEC 61508 - Where Do The Lambda Values Originate?

Uploaded by

Copyright:

Available Formats

IEC 61508 – Wo kommen die Lambda-Werte her?

IEC 61508 – Where do the lambda values originate?

IEC 61508 – Where do the

Dipl.-Ing. (Univ.) Stephan Aschenbrenner, exida.com GmbH

Why to ask this question?

PFD / PFH SFF

λsafe, λdd, λdu

Failure rate λ, failure modes, failure mode distribution

Dipl.-Ing. (Univ.) Stephan Aschenbrenner, exida.com GmbH

Dipl.-Ing. (Univ.) Stephan Aschenbrenner, exida.com GmbH

Where do the lambda values originate?

From data From the

Dipl.-Ing. (Univ.) Stephan Aschenbrenner, exida.com GmbH

Sources of failure rates

Dipl.-Ing. (Univ.) Stephan Aschenbrenner, exida.com GmbH

Sources of failure modes and failure mode distribution

 RAC FMD-91 and RAC FMD-97

Dipl.-Ing. (Univ.) Stephan Aschenbrenner, exida.com GmbH

How to harmonize failure rates and failure mode distribution data

Dipl.-Ing. (Univ.) Stephan Aschenbrenner, exida.com GmbH

Why are lambda values needed?

Dipl.-Ing. (Univ.) Stephan Aschenbrenner, exida.com GmbH

IEC 61508 – Where do the

The Sensor Point of View

Dr. Arno Götz, Endress+Hauser Messtechnik GmbH+Co. KG

Sources of Failures in Sensors

Dr. Arno Götz, Endress+Hauser Messtechnik GmbH+Co. KG

FMEDA – Failure Modes, Effects and Diagnostic Analysis

Single Fault Analysis !

Dr. Arno Götz, Endress+Hauser Messtechnik GmbH+Co. KG

What is relevant for the safe function of a subsystem?

input signal (e.g. pressure)

Dr. Arno Götz, Endress+Hauser Messtechnik GmbH+Co. KG

FMEDA for simple components

failure rate impact on

example: short circuit safe

Dr. Arno Götz, Endress+Hauser Messtechnik GmbH+Co. KG

Comparison of different databases – example: resistor

FIT = Failure In Time

Dr. Arno Götz, Endress+Hauser Messtechnik GmbH+Co. KG

FMEDA for complex components (e.g. ASIC, µC)

Dr. Arno Götz, Endress+Hauser Messtechnik GmbH+Co. KG

ASIC evaluation – influence of diagnostic coverage

safe dd (25 %) du (25 %) unknown

safe dd (30 %) du (20 %) DC = 60 %

Dr. Arno Götz, Endress+Hauser Messtechnik GmbH+Co. KG

Mechanical Components – Example: Pressure Sensor Element

see next talk!

Dr. Arno Götz, Endress+Hauser Messtechnik GmbH+Co. KG

IEC 61508 – Where do the

Dipl. Ing. (FH) Peter Malus AUMA Riester GmbH&Co.KG

Dipl. Ing. (FH) Peter Malus AUMA Riester GmbH&Co.KG

Electronics and mechanics Electronic part via generic

Mechanical part via field data

Dipl. Ing. (FH) Peter Malus AUMA Riester GmbH&Co.KG

XK Elektroanschluß Kunde XA Schnittstelle Antrieb

Dipl. Ing. (FH) Peter Malus AUMA Riester GmbH&Co.KG

Why we also have to consider mechanics for the

In the European standard EN 61508-2 C.1 it is described as

RAC FMD-91 and RAC FMD-97

Devices with different Proof Test interval