Safety Integrity Improvement Methods

  • Chapter
  • Systems, Functions and Safety

Abstract

When designing a safety-related system, and especially its safety functions, we use a combination of components that exhibit certain reliability properties. Those properties limit the achievable safety integrity metrics and often prevent us from reaching the targets required by the functional safety standards (e.g., the reliability required for a certain ASIL). In this chapter, we discuss various methods at our disposal to improve the safety integrity of our safety designs. The methods analyzed include burn-in testing, component derating, respecification, static and dynamic redundancy, and component diversification.



Appendices

Exercise 9

Given is the following block diagram of a safety-related system (SRS) for monitoring the fill level of a water tank:

A block diagram of the safety-related system for monitoring the water tank fill level.

The objective of the SRS is defined by the following informal functional description: “A water tank T, which is supplied by a reservoir R, is monitored by two identical fill level sensors: SA and SB. The signals of the sensors are evaluated by a logic L that controls two identical stop valves VA and VB. When at least one of the sensors signals a dangerously high fill level of the tank, and hence a possible overflow, the logic shall command both valves to close, thereby putting the system into a safe state.” The following information was extracted from the data sheets of the individual components, assuming a constant failure rate for each component:

$$ S_A, S_B:\quad \mathrm{MTTF}_{\mathrm{sensors}} = 134\,000\ \mathrm{h} $$
$$ \text{Logic } L:\quad \lambda_L = 8600\ \mathrm{FIT} $$
$$ V_A, V_B:\quad B_{10d} = 38\,000\ \mathrm{h} $$

Your Tasks for the Exercise

  • Draw an RBD for the SRS according to the functional description (exclude the tank and the reservoir, as they are EUC!).

  • Calculate the reliability of the complete system at the runtime t = 118 000 h.

  • Pinpoint the hazard which can be caused by the failure of the SRS. Is the risk acceptable according to MEM (minimum endogenous mortality)?

  • Improve the reliability by:

    • Diversifying the sensor types through voting; the final configuration shall have three voting outputs: one from the existing sensors and two from additional sensors (sensor C, which has a 30% longer MTTF, and sensor D, which has a 10% shorter MTTF than sensors A and B).

    • Adding a hot spare component for the logic, including the common cause failures with a beta factor of 30%.

  • Discuss the achieved improvements.

  • Bonus task (optional): try to diversify the sensor configuration so that all sensors are voters (four voters in total, three required for the majority).

To-Do List

  • Perform the exercise with the help of your peers. Select one facilitator to perform the calculation.

  • Compare the results with other peer groups and discuss.

Exercise 9 Solution

Note: The solution is available as digital spreadsheet at sfs9.ex.nit-institute.com.

Our original system can be depicted with an RBD as shown below:

A flow diagram (RBD): sensors A and B in parallel, followed in series by the logic L, valve A and valve B.

The system after the applied improvements is shown below (note that the voter is considered ideal, that is, voting is performed as a part of the logic):

A flow diagram (RBD): sensors A, B, C and D feed the voter; the voter leads into two parallel logic blocks, followed in series by the CCF block, valve A and valve B.

The calculation sheet excerpt shows the following:

  • For each of the components (fill level sensors A and B, valves A and B, logic L), the failure rate λ is obtained from the parameter available in the data sheet: λ = 1/MTTF for the sensors, λ = −ln(0.9)/B10 for the valves (since R(B10) = 0.9 for an exponentially distributed lifetime, so λ ≈ 0.105/B10), and λ_L is taken directly for the logic (1 FIT = 10^−9 failures per hour).

  • Based on the failure rate, the reliability at the runtime of 118 000 hours is calculated assuming an exponential distribution (an e-system): R(t) = e^{−λt}.

  • For the parallel configuration of sensors A and B, reliability is calculated using the composite formula R_AB(t) = 1 − (1 − R_A(t))(1 − R_B(t)).

  • The final reliability of the original system is a simple multiplication of individual component reliabilities and the reliability of the parallel sensor configuration at the requested runtime.

  • For the improved system, the additional fill level sensors C and D are specified in the same way (MTTF_C = 1.3 · MTTF_sensors, MTTF_D = 0.9 · MTTF_sensors).

  • Reliability of the 2-out-of-3 voting configuration at the requested runtime is calculated as R_AB · R_C + R_AB · R_D + R_C · R_D − 2 · R_AB · R_C · R_D, where R_AB is the reliability of the parallel pair A||B, which enters the vote as a single output.

  • Reliability of the logic configuration with one hot spare, including the common cause failure (beta-factor model: each unit fails independently with rate (1 − β)λ_logic, and the CCF block in series fails with rate βλ_logic), can be expressed as:

$$ R_{\mathrm{logic}}(t) = \left(1-\left(1-e^{-(1-\beta)\,\lambda_{\mathrm{logic}}\, t}\right)^{2}\right)\, e^{-\beta\,\lambda_{\mathrm{logic}}\, t} $$
  • Finally, to decide if the risk is acceptable according to MEM, the equivalent constant failure rate of each configuration is estimated as λ = −ln(R(t = 118 000 h))/118 000 h and converted to the yearly rate of fatal outcomes as (λ per hour · 24 · 365)/(24 · 30) · 3. Failure of the SRS may lead to a spillage hazard. In the case of harmful substances, we assume the death of the three maintenance workers who are present near the tank once per month (not every hour!), hence the adaptation of the formula: the division by 24 · 30 scales the yearly failure rate by that exposure (one hour out of the 720 hours of a month), and the factor 3 accounts for the three workers.

  • If the obtained result is lower than 10^−5 per year, we conclude that the MEM requirement is fulfilled (marked as OK); otherwise, it is not fulfilled (marked as NOK).
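The calculation described in the bullets above, carried through in Python as an added example. This is not the book's spreadsheet at sfs9.ex.nit-institute.com; the function and variable names are our own, and the exposure of one hour per month is an assumption read from the (λ · 24 · 365)/24/30 · 3 scaling in the solution. The example goes slightly beyond the text in one respect: instead of the closed-form 2oo3 expression it evaluates an exact k-out-of-n reliability for non-identical units, which also covers the bonus 3oo4 configuration.

```python
import math

T_RUN_H = 118_000.0            # requested runtime in hours
MEM_LIMIT_PER_YEAR = 1e-5      # acceptance threshold used in the solution
HOURS_PER_YEAR = 24 * 365
HOURS_PER_MONTH = 24 * 30      # assumption: workers exposed one hour per month
WORKERS_AT_RISK = 3


def lambda_from_mttf(mttf_h):
    """Constant failure rate from MTTF: lambda = 1 / MTTF."""
    return 1.0 / mttf_h


def lambda_from_b10(b10_h):
    """Constant failure rate from B10: R(B10) = 0.9 = exp(-lambda * B10)."""
    return -math.log(0.9) / b10_h


def lambda_from_fit(fit):
    """1 FIT = 1 failure per 1e9 hours."""
    return fit * 1e-9


def reliability(lam, t):
    """Exponential (e-system) reliability R(t) = exp(-lambda * t)."""
    return math.exp(-lam * t)


def series(*rs):
    """Series (all blocks must work): product of reliabilities."""
    return math.prod(rs)


def parallel(*rs):
    """Parallel (any one block suffices): 1 - product of unreliabilities."""
    return 1.0 - math.prod(1.0 - r for r in rs)


def k_out_of_n(k, rs):
    """Exact k-out-of-n reliability for independent, non-identical units with an
    ideal voter: sum the probability of every survival pattern with >= k units up.
    For k=2, n=3 this reduces to R1R2 + R1R3 + R2R3 - 2R1R2R3."""
    n = len(rs)
    total = 0.0
    for mask in range(1 << n):
        up = {i for i in range(n) if (mask >> i) & 1}
        if len(up) < k:
            continue
        total += math.prod(r if i in up else 1.0 - r for i, r in enumerate(rs))
    return total


def hot_spare_with_ccf(lam, beta, t):
    """Two identical units (primary + hot spare) under the beta-factor model:
    each fails independently at (1-beta)*lam; a series CCF block fails at beta*lam."""
    r_ind = reliability((1.0 - beta) * lam, t)
    return parallel(r_ind, r_ind) * reliability(beta * lam, t)


def mem_fatalities_per_year(r_sys, t):
    """Equivalent constant failure rate from R(t), scaled to the yearly fatality
    figure that the solution compares against the MEM limit."""
    lam_eq = -math.log(r_sys) / t
    return lam_eq * HOURS_PER_YEAR / HOURS_PER_MONTH * WORKERS_AT_RISK


def exercise9(t=T_RUN_H, beta=0.3):
    lam_s = lambda_from_mttf(134_000)
    lam_l = lambda_from_fit(8_600)
    lam_v = lambda_from_b10(38_000)
    r_s, r_l, r_v = (reliability(lam, t) for lam in (lam_s, lam_l, lam_v))
    r_c = reliability(lambda_from_mttf(1.3 * 134_000), t)   # 30% longer MTTF
    r_d = reliability(lambda_from_mttf(0.9 * 134_000), t)   # 10% shorter MTTF

    # original system: (A || B) -> L -> VA -> VB
    r_ab = parallel(r_s, r_s)
    r_orig = series(r_ab, r_l, r_v, r_v)

    # improved system: 2oo3 vote over (A || B), C, D; logic with hot spare and CCF
    r_2oo3 = k_out_of_n(2, [r_ab, r_c, r_d])
    r_logic = hot_spare_with_ccf(lam_l, beta, t)
    r_impr = series(r_2oo3, r_logic, r_v, r_v)

    # bonus task: all four sensors as voters, 3oo4
    r_3oo4 = k_out_of_n(3, [r_s, r_s, r_c, r_d])
    r_bonus = series(r_3oo4, r_logic, r_v, r_v)

    mem_orig = mem_fatalities_per_year(r_orig, t)
    mem_impr = mem_fatalities_per_year(r_impr, t)
    return {
        "R_sensors_AB": r_ab,
        "R_sensors_2oo3": r_2oo3,
        "R_sensors_3oo4": r_3oo4,
        "R_logic_hot_spare_ccf": r_logic,
        "R_original": r_orig,
        "R_improved": r_impr,
        "R_bonus": r_bonus,
        "MEM_original_per_year": mem_orig,
        "MEM_improved_per_year": mem_impr,
        "MEM_original_ok": mem_orig < MEM_LIMIT_PER_YEAR,
        "MEM_improved_ok": mem_impr < MEM_LIMIT_PER_YEAR,
    }


if __name__ == "__main__":
    for key, val in exercise9().items():
        print(f"{key:24s} {val:.4g}" if isinstance(val, float) else f"{key:24s} {val}")
```

Running the block gives R ≈ 0.124 for the original system and R ≈ 0.148 for the improved one at 118 000 h, with both configurations failing the MEM check (the yearly figure stays in the 10^−4 range). It also makes the discussion point of the exercise visible: the 2oo3 sensor group (≈ 0.52) is less reliable at this runtime than the plain A||B pair it replaces (≈ 0.66), because the majority vote now also depends on the weaker sensor D, so the net gain comes from the duplicated logic; the 3oo4 bonus variant is worse still.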

It is interesting to observe the reliability functions of the original and improved system both as a whole and split per various components/configurations:

A multi-line graph of reliability versus time. It has 7 declining lines whose reliability becomes 0 over time.
A multi-line graph of reliability versus time. The voting line is constant at reliability 1. The other 3 lines decline over time.

Key Recap Questions

Considering the project you finalized within Chap. 6, now try to increase safety integrity for your system by the following:

  • Employing redundancy.

    A table of data (13 columns, 29 rows) with the reliability data of the individual components over time, for the original and the improved system; this is the calculation sheet excerpt referred to in the solution above.
  • Employing diversity with voting.

  • What about common cause failures?

  • Discuss technical means of providing the above concepts.

Self-assessment

Now take the time to self-assess your knowledge by taking the quiz below. Each listed statement is either correct or incorrect. Please mark your answer and then check in the key at the end of the book.

  1. It is always possible to increase the safety integrity of the safety function by selecting and integrating components of higher quality.

  2. Component derating may increase the reliability of the system.

  3. Common cause failures are less common in diverse configurations than in configurations using redundant replicas.

  4. Diversification through voting (as in NMR systems) always increases the reliability of the final system when compared to the use of a single component.

  5. A redundant configuration with a hot spare, by itself, allows us to detect failures in the primary component.

  6. In a beta-factor model, the common cause failure block which shall be added to the RBD always has a failure rate that is lower than the original failure rate of the components exhibiting common cause failures.

  7. Dynamic redundancy can be modeled via RBDs.

  8. A configuration with a hot spare is modeled as a parallel connection in the RBD.

  9. If employing the majority voting safety integrity improvement method, the MTTF of the voting component (voter) is always shorter than the MTTF of the least reliable component that participates in voting.

  10. Common cause failures can be due to the sharing of a power supply among the components.

Self-assessment Key

  1. False

  2. True

  3. True

  4. False

  5. False

  6. True

  7. False

  8. True

  9. False

  10. True


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter


Cite this chapter

Bjelica, M.Z. (2023). Safety Integrity Improvement Methods. In: Systems, Functions and Safety. Springer, Cham. https://doi.org/10.1007/978-3-031-15823-0_9


  • DOI: https://doi.org/10.1007/978-3-031-15823-0_9


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-15822-3

  • Online ISBN: 978-3-031-15823-0

  • eBook Packages: Engineering, Engineering (R0)
