SECTION 2 Exercises

EngineeringTech Engineers & Consultants
Functional Safety Engineering II
Supplemental Material

Application Exercise Set 1 - Constant Failure Rate

1. A system has a probability of failure (all modes) for each one-year mission time of 0.1. What is the probability of a failure for a ten-year mission time? (No wear-out, etc.)

2. Unreliability for a system with one failure mode is given as 0.001. What is the reliability?

3. A module has an MTTF of 80 years for all failure modes. Assuming a constant failure rate, what is the total failure rate for all failure modes?

4. A module has an MTTF of 80 years. What is the reliability of this module for a time period of six months?

5. A transmitter has a total failure rate of 0.005 failures per year. What is the MTTF?

Application Exercise Set 2 - Reliability and Availability

1. A PLC has a failure rate of 0.01 failures per year. What is the unreliability for a five-year mission?

2. A PLC has a failure rate of 0.01 failures per year. All failures are immediately detectable. The average repair time is 24 hours. What is the steady-state unavailability?

3. A PLC has a failure rate of 0.01 failures per year. Failures are detected only when a periodic inspection is done once per year. Assuming that the periodic inspection is perfect and detects all failures, what is the PFavg?

4. A valve has a failure rate of 0.01 failures per year. A periodic inspection done once a year can detect 60% of the failures. The valve is operated for ten years before it is removed from service and overhauled. What is the PFavg for the ten-year operational interval?

5. A PLC is programmed to protect against a dangerous condition that occurs once every ten years on average. The PLC is tested and inspected every year. Should this situation be modeled as LOW DEMAND MODE, HIGH DEMAND MODE or CONTINUOUS DEMAND MODE?
6. A PLC is programmed to protect against a dangerous condition that occurs once every month on average. Automatic diagnostics inside the PLC run to completion every 60 seconds. The PLC is tested and inspected every year. Should this situation be modeled as LOW DEMAND MODE, HIGH DEMAND MODE or CONTINUOUS DEMAND MODE?

Application Exercise Set 3 - Multiple Failure Modes and Common Cause

1. A valve stem is stuck when "cold-welding" occurs between the O-rings and the stem. If the valve must close to provide the automatic protection function, what is the failure mode, fail-safe or fail-dangerous?

2. A solenoid valve has a failure rate of 0.00003 failures per hour in the dangerous mode. What is the approximate PFD for a mission time of 2000 hours? What is the PFDavg for a mission time of 2000 hours?

3. A solenoid valve has a failure rate of 0.000013 failures per hour in the dangerous mode and 0.0005 failures per hour in the safe mode. What is the approximate PFDavg for a mission time of 8000 hours?

4. A temperature transmitter is used to sense an abnormal process condition. Two transmitters are arranged in a one-out-of-two (1oo2) voting arrangement. The transmitter has a failure rate of λ = 0.05 failures per year and a beta factor of 10%. What is the PFDavg of this subsystem if a periodic inspection is done once a year that detects 90% of the failures? The transmitter subsystem is operated for ten years between major overhauls.

Application Exercise Set 4 - Safe Failure Fraction, Failure Rates, Coverage Factors

1. A transmitter has a failure rate of 500 E-9 failures per hour. 62% of the failures are fail-safe. What is lambda S? What is lambda D?

2. A transmitter has a failure rate of 500 E-9 failures per hour. 62% of the failures are fail-safe. The coverage factor for safe failures is 74%.
The coverage factor for dangerous failures is 96%. What is lambda SD? What is lambda SU? What is lambda DD? What is lambda DU?

3. A transmitter has a failure rate of 500 E-9 failures per hour. 62% of the failures are fail-safe. The coverage factor for safe failures is 74%. The coverage factor for dangerous failures is 96%. What is the Safe Failure Fraction for this transmitter?

4. A smart transmitter has a failure rate of 500 E-9 failures per hour. 62% of the failures are fail-safe. The coverage factor for safe failures is 74%. The coverage factor for dangerous failures is 96%. With a hardware fault tolerance of 0, this transmitter is qualified for use at what SIL level?

Application Exercise Set 5 - Functional Safety Management

1. Based on IEC 61508, which of the following statements about the required competency of individuals performing safety lifecycle tasks are true:
   1. Must have a degree in engineering from an accredited university
   2. Must be certified by an independent third-party organization
   3. The manager of the project must ascertain that the person is competent in all phases of the safety lifecycle
   a) 1 and 2 are true, 3 is false
   b) 1 and 3 are true, 2 is false
   c) 2 and 3 are true, 1 is false
   d) 1, 2 and 3 are true
   e) None of the above statements are true

2. Which of the following information items are required to be maintained throughout the lifecycle of an SIS:
   1. The results of the hazard and risk analysis and related assumptions
   2. Information regarding the equipment items used for safety instrumented functions together with the function's safety requirements
   3.
The procedures necessary to maintain functional safety
   a) 1 and 2 are required, 3 is not
   b) 1 and 3 are required, 2 is not
   c) 2 and 3 are required, 1 is not
   d) 1, 2 and 3 are required
   e) None of the information items listed above are required

3. Which of the following statements about the documentation required for safety planning are true:
   1. Safety planning documentation can be included as a section in the quality plan entitled "safety plan".
   2. Safety planning must be documented in a separate document entitled "safety plan".
   3. Safety planning can be documented in a series of documents that may include other company procedures or working practices, such as corporate standards.
   a) 1 and 2 are true, 3 is false
   b) 1 and 3 are true, 2 is false
   c) 2 is true, 1 and 3 are false
   d) 1, 2 and 3 are true
   e) None of the above statements are true

4. Which of the following statements about safety planning are true:
   1. Safety planning does not need to consider activities done by outside vendors or suppliers.
   2. Safety planning must designate how and when functional safety will be assessed.
   3. Safety planning does not need to specifically designate the level of independence of any functional safety assessment team.
   a) 1 and 2 are true, 3 is false
   b) 2 and 3 are true, 1 is false
   c) 2 is true, 1 and 3 are false
   d) 1, 2 and 3 are true
   e) None of the above statements are true

5. When is functional safety assessed according to IEC 61511?
   a) Usually before the hazard is present but always after a safety function trips.
   b) Always following system commissioning and validation, but often after the safety requirements specification is complete as well.
   c) It can be assessed at any time as long as it is assessed at least once.
   d) It must be assessed after all system modifications.
   e) None of the above statements are true

6.
Which safety lifecycle roles and responsibilities must be designated?
   a) Those required for each phase of the safety lifecycle and its associated activities.
   b) Functional safety assessment activities
   c) Functional safety management activities
   d) Decommissioning activities
   e) All of the above statements are correct

Application Exercise Set 6 - Redundant Architectures

1. Rank the following redundancy schemes from highest probability of failure on demand to lowest probability of failure on demand (Highest ----- Lowest):
   a) 2oo2 - 1oo2 - 2oo3
   b) 2oo3 - 1oo2 - 2oo2
   c) 2oo3 - 2oo2 - 1oo2
   d) 2oo2 - 2oo3 - 1oo2
   e) 1oo2 - 2oo3 - 2oo2

2. A 1oo2 architecture has a hardware fault tolerance per IEC 61508 (IEC 61511) of:
   a) 0
   b) 1
   c) 2

3. A 2oo3 architecture has a hardware fault tolerance per IEC 61508 (IEC 61511) of:
   a) 0
   b) 1
   c) 2
   d) 3

Application Exercise Set 7 - SIL 3 Pressure Protection Loop

Group exercise: design a SIL 3 loop and verify it with PFDavg calculations, SFF calculations and an MTTFS calculation. Design the SIL 3 loop using SILver to calculate PFDavg and AC SIL. Target a 5-year test interval and MTTFS > 10 years.

Application Exercise Set 8 - Periodic Inspection and Test Plans

1. Name effective inspection and test techniques that should be considered for a pressure transmitter.

2. Name effective inspection and test techniques that should be considered for a solenoid.

Post Test

1. Two power supplies are used in a redundant configuration. Assume one failure mode, lost power. Each power supply has a failure rate of 0.0005 failures per year.
Based on close physical mounting and identical power supplies, a beta factor of 0.1 is assigned. What is the system unreliability for a two-year mission time? Draw a fault tree for the system including common cause.

2. Which of the following best describes the difference between verification and validation, as defined in IEC 61508 and IEC 61511?
   a) There are no differences. Verification and validation have the same meaning.
   b) Verification describes review tasks that are performed by independent assessment teams. Validation describes review tasks that are performed by the design team.
   c) Validation is the activity of demonstrating that the SIS meets the safety requirements specification. Verification is the activity of demonstrating that for each safety lifecycle phase the requirements of the safety lifecycle model have been met.
   d) Validation is the process of creating a "V"-diagram of the tasks that are required to complete the safety lifecycle. Verification is the process of ensuring that competent individuals have completed those tasks.
   e) None of the above answers are correct.

3. If the user of a product that was designed under the IEC 61508 standard is required to perform manual tests at a periodic interval to achieve the SIL that is listed in the product certification, the information regarding the necessity of the test and the frequency at which the test is required to be performed must be provided in:
   a) Product safety manual
   b) Product specification sheets
   c) Sales and marketing literature
   d) Equipment installation guides
   e) None of the above; the vendor is not required to share this information with the customer

4. A control valve is used in an SIS. The valve has a constant safe failure rate of 0.02 failures per year and a constant dangerous failure rate of 0.05 failures per year.
The valve is tested on a one-year interval where 85% of the failures are detected by the periodic inspection and test. The valve is operated for fifteen years until it is removed from service and overhauled. What is the average probability of failure on demand?

5. Two different types of solenoid valves are used to block fuel flow to a burner in an SIS. The valves are piped in series. Both valves are energized and open in normal operation of the system. Both valves should close when a dangerous condition is detected. Both valves have one failure mode, fail-dangerous, with a failure rate of 0.0009 failures per year. Both valves are tested once every year and all failures are found during that test. Based on the differences between the valves, a common cause beta factor of 0.001 is assigned. What is the PFDavg of the valve subsystem including common cause?

6. Draw a Markov model for the situation in problem 5.

7. A "smart" transmitter has a failure rate of 0.05 failures/year. The safe failure ratio is 70%, and the diagnostic coverage of dangerous failures is 60%. The diagnostic coverage for safe failures is 70%. What is the Safe Failure Fraction? With a hardware fault tolerance of 0, what SIL is allowed?

FSE II, 4.1 - Solutions to Exercises

Application Exercise Set 1 - Constant Failure Rate

Question 1
A system has a probability of failure (all modes) for each one-year mission time of 0.1. What is the probability of a failure for a ten-year mission time? (No wear-out, etc.)

Solution 1
This type of problem contains a trap for the unwary. If the problem is approached as a discrete independent event each year, the probability of failure would be the sum of the probability of failure for each one-year mission (fails in year 1 OR fails in year 2 OR ... fails in year 10). The (incorrect) solution for a 10-year period would be, with Ai the probability of failure in year i:

PF(10 year mission) = A1 + A2 + A3 + A4 + A5 + A6 + A7 + A8 + A9 + A10
                    = 0.1 + 0.1 + 0.1 + 0.1 + 0.1 + 0.1 + 0.1 + 0.1 + 0.1 + 0.1
                    = 1

And for an 11-year mission?
PF(11 year mission) = 1.1 (not a valid probability)

Clearly this is NOT the approach to use: the yearly failure events are not mutually exclusive, so their probabilities cannot simply be added. This type of problem is best approached from the probability of success (PS) for each one-year mission, finding the probability of success for the 10-year mission, and then using the complement of success to determine failure.

PS(1 year mission) = 1 - PF(1 year mission) = 1 - 0.1 = 0.9

The probability of success for a 10-year mission is the probability of success in the first year AND the probability of success in the second year AND the probability of success in the third year AND ... the probability of success in the tenth year.

PS(10 year mission) = 0.9 * 0.9 * ... * 0.9 (ten times) = (0.9)^10 = 0.3487
PF(10 year mission) = 1 - PS(10 year mission) = 1 - 0.3487 = 0.6513

The probability of a failure for a ten-year mission time = 0.6513

Question 2
Unreliability for a system with one failure mode is given as 0.001. What is the reliability?

Solution 2
Reliability is the complement of unreliability.

Reliability = 1 - Unreliability = 1 - 0.001 = 0.999

The reliability of the system is 0.999

Question 3
A module has an MTTF of 80 years for all failure modes. Assuming a constant failure rate, what is the total failure rate for all failure modes?

Solution 3
MTTF = 1 / λ
λ = 1 / MTTF = 1 / 80 failures per year = 0.0125 failures per year
  = 0.0125 / 8760 failures per hour = 1.427 E-06 failures per hour

The total failure rate for all failure modes = 1.427 E-06 failures per hour

Question 4
A module has an MTTF of 80 years. What is the reliability of this module for a time period of six months?
Solution 4
Reliability = e^(-λ t)
λ = 1 / MTTF = 1 / 80 failures per year = 0.0125 failures per year
t = 0.5 years
Reliability = e^(-0.0125 * 0.5) = e^(-0.00625) = 0.9938

The reliability of this module over a six-month period = 0.9938

Question 5
A transmitter has a total failure rate of 0.005 failures per year. What is the MTTF?

Solution 5
λ = 0.005 failures per year
MTTF = 1 / λ = 1 / 0.005 failures per year = 200 years

The MTTF = 200 years

Application Exercise Set 2 - Reliability and Availability

Question 1
A PLC has a failure rate of 0.01 failures per year. What is the unreliability for a five-year mission?

Solution 1
Unreliability is the probability of failure (PF).
PF = 1 - e^(-λ t)
λ = 0.01 failures per year
t = 5 years
PF = 1 - e^(-0.01 * 5) = 1 - e^(-0.05) = 1 - 0.95123 = 0.0488

The unreliability for a five-year mission = 0.0488

Question 2
A PLC has a failure rate of 0.01 failures per year. All failures are immediately detectable. The average repair time is 24 hours. What is the steady-state unavailability?

Solution 2
Unavailability = MTTR / (MTTF + MTTR)
MTTF = 1 / λ
λ = 0.01 failures per year
MTTF = 1 / 0.01 failures per year = 100 years = 876,000 hours
Unavailability = 24 / (876,000 + 24) = 2.74 E-05

The steady-state unavailability = 2.74 E-05

Question 3
A PLC has a failure rate of 0.01 failures per year. Failures are detected only when a periodic inspection is done once per year. Assuming the periodic inspection is perfect, what is the PFavg?

Solution 3
PFavg = λ * (TI / 2)
λ = 0.01 failures per year
TI = 1 year
PFavg = 0.01 * 0.5 = 0.005

The PFavg = 0.005 (assumes a perfect test with all failures repaired to original condition)

Question 4
A valve has a failure rate of 0.01 failures per year. A periodic inspection done once a year can detect 60% of the failures.
The valve is operated for ten years before it is removed from service and overhauled. What is the PFavg for the ten-year operational interval?

Solution 4
PFavg = [C_PT * λ * (TI / 2)] + [(1 - C_PT) * λ * (LT / 2)]
C_PT = 0.6 (60%, the fraction of failures found by the periodic test)
λ = 0.01 failures per year
TI = 1 year
LT = 10 years
PFavg = [0.6 * 0.01 * 0.5] + [0.4 * 0.01 * 5] = 0.003 + 0.02 = 0.023

The PFavg for the ten-year operational interval = 0.023
This translates into a Risk Reduction Factor (RRF = 1 / PFavg) of 43.5

Let's see what happens if all faults are found and repaired each time (perfect test):
PFavg = λ * (TI / 2) = 0.01 * 0.5 = 0.005
This translates into a Risk Reduction Factor (RRF) of 200

Let's see what happens if there is no testing during the 10-year period:
PFavg = λ * (LT / 2) = 0.01 * 5 = 0.05
This translates into a Risk Reduction Factor (RRF) of 20

Question 5
A PLC is programmed to protect against a dangerous condition that occurs once every ten years on average. The PLC is tested and inspected every year. Should this situation be modeled as LOW DEMAND MODE, HIGH DEMAND MODE or CONTINUOUS DEMAND MODE?

Solution 5
The demand rate is once every ten years on average. The periodic test and inspection is done once a year, clearly several times more frequently than the demand. Therefore credit can be taken for the periodic test in the PF modelling, and this is classified as LOW DEMAND MODE.

Question 6
A PLC is programmed to protect against a dangerous condition that occurs once every month on average. Automatic diagnostics inside the PLC run to completion every 60 seconds. The PLC is tested and inspected every year. Should this situation be modeled as LOW DEMAND MODE, HIGH DEMAND MODE or CONTINUOUS DEMAND MODE?

Solution 6
The demand rate is once every month on average. The periodic test and inspection is done only once a year, so it is unlikely that this testing would detect a failure in time to prevent an accident; no credit can be taken for it. The automatic diagnostics, at 60 seconds, are fast relative to the demand rate, so this is classified as HIGH DEMAND MODE.
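The constant-failure-rate formulas used in Exercise Sets 1 and 2 (exponential reliability, MTTF, steady-state unavailability, PFavg with partial proof-test coverage, and the demand-mode decision), collected as one runnable Python module. This is an added example, not part of the original course material; the function names are the editor's, and the demand-mode helper applies the IEC 61508-4 definition (a demand rate of no more than one per year is low demand) that the solutions above reason about informally.

```python
"""Constant-failure-rate helpers following Exercise Sets 1 and 2.
Added example; not part of the original course material."""
import math

HOURS_PER_YEAR = 8760


def reliability(lam, t):
    """R(t) = exp(-lambda * t); lambda and t must share time units."""
    return math.exp(-lam * t)


def unreliability(lam, t):
    """PF(t) = 1 - R(t), the probability of at least one failure by time t."""
    return 1.0 - reliability(lam, t)


def mission_failure_prob(pf_per_period, periods):
    """Set 1 Q1: multiply the per-period survival probabilities.
    Adding the per-period failure probabilities is wrong: the yearly
    failure events are not mutually exclusive, and the sum exceeds 1.0
    after 1/pf periods."""
    return 1.0 - (1.0 - pf_per_period) ** periods


def mttf_from_rate(lam):
    """MTTF = 1/lambda for a constant failure rate."""
    return 1.0 / lam


def rate_from_mttf(mttf):
    """lambda = 1/MTTF, in the inverse of MTTF's time unit."""
    return 1.0 / mttf


def per_hour(lam_per_year):
    """Convert failures per year to failures per hour."""
    return lam_per_year / HOURS_PER_YEAR


def steady_state_unavailability(lam_per_hour, mttr_hours):
    """Set 2 Q2: U = MTTR / (MTTF + MTTR) when every failure is detected
    immediately and repair starts at once."""
    return mttr_hours / (mttf_from_rate(lam_per_hour) + mttr_hours)


def pfavg_partial_coverage(lam, test_interval, coverage, lifetime):
    """Set 2 Q3/Q4 linear approximation (valid for lambda*lifetime << 1):
    faults the proof test finds are averaged over TI/2, the remaining
    (1 - coverage) fraction only over the lifetime LT/2.
    coverage=1.0 gives the perfect-test case, coverage=0.0 the no-test case."""
    covered = coverage * lam * test_interval / 2.0
    uncovered = (1.0 - coverage) * lam * lifetime / 2.0
    return covered + uncovered


def risk_reduction_factor(pfavg):
    return 1.0 / pfavg


def demand_mode(demands_per_year):
    """Set 2 Q5/Q6. IEC 61508-4 draws the line at one demand per year: at or
    below it the proof test can be credited (low demand); above it only fast
    automatic diagnostics matter and the mode is high demand (or continuous,
    if the function is what keeps the process safe at all times; the demand
    rate alone does not distinguish those two)."""
    return "LOW DEMAND" if demands_per_year <= 1.0 else "HIGH DEMAND"


if __name__ == "__main__":
    print("Set 1 Q1  PF(10 yr) =", round(mission_failure_prob(0.1, 10), 4))
    print("Set 1 Q3  lambda    =", per_hour(rate_from_mttf(80)), "per hour")
    print("Set 2 Q2  U         =", steady_state_unavailability(per_hour(0.01), 24))
    pfavg = pfavg_partial_coverage(0.01, 1, 0.6, 10)
    print("Set 2 Q4  PFavg     =", pfavg, "RRF =", round(risk_reduction_factor(pfavg), 1))
    print("Set 2 Q6  mode      =", demand_mode(12))
```

Running the module reproduces the Set 1 and Set 2 results above; changing `coverage` in `pfavg_partial_coverage` between 1.0, 0.6 and 0.0 shows the 200 / 43.5 / 20 RRF spread of Solution 4, which is the practical argument for improving proof-test coverage before shortening the test interval.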
Application Exercise Set 3 - Multiple Failure Modes and Common Cause

Question 1
A valve stem is stuck when "cold-welding" occurs between the O-rings and the stem. If the valve must close to provide the automatic protection function, what is the failure mode, fail-safe or fail-dangerous?

Solution 1
The valve will not perform the protection function if it cannot close. Therefore this is classified as fail-dangerous.

Question 2
A solenoid valve has a failure rate of 0.00003 failures per hour in the dangerous mode. What is the approximate PFD for a mission time of 2000 hours? What is the PFDavg for a mission time of 2000 hours?

Solution 2
Using the complete equations:
PFD = 1 - e^(-λ TI) = 1 - e^(-0.00003 * 2000) = 1 - e^(-0.06) = 1 - 0.9418 = 0.0582
PFDavg = 1 - (1 / (λ TI)) * (1 - e^(-λ TI)) = 1 - (1 / 0.06) * (1 - e^(-0.06)) = 1 - 0.9706 = 0.0294

Using the approximations (valid when λ TI << 1):
PFD = λ TI = 0.00003 * 2000 = 0.06
PFDavg = λ * (TI / 2) = 0.00003 * (2000 / 2) = 0.03

Question 3
A solenoid valve has a failure rate of 0.000013 failures per hour in the dangerous mode and 0.0005 failures per hour in the safe mode. What is the approximate PFDavg for a mission time of 8000 hours?

Solution 3
Only the dangerous failure rate contributes to PFDavg; the safe failure rate affects spurious trips, not the probability of failure on demand.

Using the complete equation:
PFDavg = 1 - (1 / (λ TI)) * (1 - e^(-λ TI)) = 1 - (1 / (0.000013 * 8000)) * (1 - e^(-0.000013 * 8000))
       = 1 - (1 / 0.104) * (1 - e^(-0.104)) = 1 - 0.9498 = 0.0502

Using the approximation:
PFDavg = λ * (TI / 2) = 0.000013 * (8000 / 2) = 0.000013 * 4000 = 0.052

Question 4
A temperature transmitter is used to sense an abnormal process condition. Two transmitters are arranged in a one-out-of-two (1oo2) voting arrangement.
The transmitter has a failure rate of λ = 0.05 failures per year and a beta factor of 10%. What is the PFDavg of this subsystem if a periodic inspection is done once a year that detects 90% of the failures? The transmitter subsystem is operated for ten years between major overhauls.

Solution 4
This problem is complicated and it is best to break it down into parts. To consider the partial-coverage testing it is worth remembering that the overall system can fail because of a fault that is covered by the annual test, OR a fault that is not found until the major overhaul after 10 years. These two contributions to the PFDavg are added together because the two kinds of faults are mutually exclusive.

λ_total = 0.05 failures per year
β = 0.1 (10%)
TI = 1 year
C_PT = 0.9 (90%), the fraction of failures covered by the one-year test
LT = 10 years

Contribution to PFDavg from faults covered by the 1-year test interval

In considering the contribution of the faults corrected in the annual test, we need to make sure we use the proper part of the overall failure rate. Since the coverage factor for the test is C_PT = 90%, the effective rate of failures of interest is

λ_total(1 yr) = λ_total * C_PT = 0.05 * 0.9 = 0.045

Then, because there is a second level of complexity with the common cause failures, we need to split this 1-year lambda into a common cause part λ_CC(1 yr) and an independent (normal) part λ_N(1 yr) by use of the beta factor.

λ_CC(1 yr) = λ_total(1 yr) * β = 0.045 * 0.1 = 0.0045
λ_N(1 yr) = λ_total(1 yr) * (1 - β) = 0.045 * 0.9 = 0.0405

Now, because the normal independent failure mode is a 1oo2 voting system, we use the integrated formula for the PFDavg due to normal-mode failure, PFDavg = (λ_N TI)^2 / 3. Then we add the common cause component for the 1-year part, which defeats both channels at once and so behaves like a single 1oo1 element, PFDavg = λ_CC TI / 2, since the system either fails in normal independent mode OR by common mode.
PFDavg_N(1 yr) = [λ_N(1 yr)^2 * TI^2] / 3 = [0.0405^2 * 1^2] / 3 = 0.00055
PFDavg_CC(1 yr) = [λ_CC(1 yr) * TI] / 2 = [0.0045 * 1] / 2 = 0.00225
PFDavg_SYS(1 yr) = PFDavg_N(1 yr) + PFDavg_CC(1 yr) = 0.00055 + 0.00225 = 0.00280

Contribution to PFDavg from faults covered by the 10-year overhaul

We now do the same thing for the contribution of the faults found only at the 10-year overhaul. Again we need to make sure we use the proper part of the overall failure rate. Since the coverage factor for the test is C_PT = 90%, the effective rate of failures of interest is

λ_total(10 yr) = λ_total * (1 - C_PT) = 0.05 * (1 - 0.9) = 0.005

Then, because of the common cause failures, we again split this 10-year lambda into λ_CC(10 yr) and λ_N(10 yr) by use of the beta factor.

λ_CC(10 yr) = λ_total(10 yr) * β = 0.005 * 0.1 = 0.0005
λ_N(10 yr) = λ_total(10 yr) * (1 - β) = 0.005 * 0.9 = 0.0045

As before, because the normal independent failure mode is a 1oo2 voting system, we use the integrated formula for the PFDavg due to normal-mode failure, now over the 10-year interval LT. Then we add the common mode component for the 10-year part, since the system either fails in normal independent mode OR by common mode.

PFDavg_N(10 yr) = [λ_N(10 yr)^2 * LT^2] / 3 = [0.0045^2 * 10^2] / 3 = 0.00068
PFDavg_CC(10 yr) = [λ_CC(10 yr) * LT] / 2 = [0.0005 * 10] / 2 = 0.00250
PFDavg_SYS(10 yr) = PFDavg_N(10 yr) + PFDavg_CC(10 yr) = 0.00068 + 0.00250 = 0.00318

Summing up the overall PFDavg

Finally, we add the 1-year-tested failure contribution to the 10-year-overhaul failure contribution to get the total PFDavg for the system considering all of the pathways.
Total PFDavg = PFDavg_SYS(1 yr) + PFDavg_SYS(10 yr) = 0.00280 + 0.00318 = 0.00598
Total RRF = 1 / Total PFDavg = 167

Application Exercise Set 4 - Safe Failure Fraction, Failure Rates, Coverage Factors

Question 1
A transmitter has a failure rate of 500 E-09 failures per hour. 62% of the failures are fail-safe. What is λ_S? What is λ_D?

Solution 1
λ_total = 500 E-09 failures per hour (500 FIT; 1 FIT = 1 E-09 failures per hour)
%Safe = 0.62 (62%)
λ_S = λ_total * %Safe = 500 E-09 * 0.62 = 310 E-09 failures per hour (310 FIT)
λ_D = λ_total * (1 - %Safe) = 500 E-09 * 0.38 = 190 E-09 failures per hour (190 FIT)

Question 2
A transmitter has a failure rate of 500 E-09 failures per hour. 62% of the failures are fail-safe. The coverage factor for safe failures is 74%. The coverage factor for dangerous failures is 96%. What is λ_SD? What is λ_SU? What is λ_DD? What is λ_DU?

Solution 2
The approach to this problem is to split the failure rate into safe and dangerous failures, then split safe failures into safe detected and safe undetected, and split dangerous failures into dangerous detected and dangerous undetected.

λ_total = 500 E-09 failures per hour (500 FIT)
%Safe = 0.62 (62%)
C_S = 0.74 (74%)
C_D = 0.96 (96%)
λ_S = λ_total * %Safe = 500 E-09 * 0.62 = 310 FIT
λ_D = λ_total * (1 - %Safe) = 500 E-09 * 0.38 = 190 FIT
λ_SD = λ_S * C_S = 310 E-09 * 0.74 = 229.4 FIT
λ_SU = λ_S * (1 - C_S) = 310 E-09 * 0.26 = 80.6 FIT
λ_DD = λ_D * C_D = 190 E-09 * 0.96 = 182.4 FIT
λ_DU = λ_D * (1 - C_D) = 190 E-09 * 0.04 = 7.6 FIT

Question 3
A transmitter has a failure rate of 500 E-9 failures per hour. 62% of the failures are fail-safe. The coverage factor for safe failures is 74%. The coverage factor for dangerous failures is 96%. What is the Safe Failure Fraction for this transmitter?
Solution 3
Use the results from Question 2.
SFF = [λ_SD + λ_SU + λ_DD] / λ_total = [229.4 + 80.6 + 182.4] / 500 = 492.4 / 500 = 0.9848

Only the dangerous undetected failures (λ_DU = 7.6 FIT) count against the SFF.

Question 4
A transmitter has a failure rate of 500 E-9 failures per hour. 62% of the failures are fail-safe. The coverage factor for safe failures is 74%. The coverage factor for dangerous failures is 96%. With a hardware fault tolerance of 0, this transmitter is qualified for use at what SIL level?

Solution 4
TYPE A: "A subsystem can be regarded as type A if, for the components required to achieve the safety function
a) the failure modes of all constituent components are well defined; and
b) the behaviour of the subsystem under fault conditions can be completely determined; and
c) there is sufficient dependable failure data from field experience to show that the claimed rates of failure for detected and undetected dangerous failures are met."
TYPE B: everything else.
(IEC 61508, Part 2, Section 7.4.3.1.2)

As we cannot determine whether the transmitter satisfies the requirements of Type A, we choose Type B.
The Safe Failure Fraction (from Question 3) = 98.48%.
There is no hardware fault tolerance, so looking at the intersection of the '0' column and the 90% to <99% row of the Type B table we find that the transmitter is qualified for use at SIL 2.

Type A: maximum SIL by Safe Failure Fraction and Hardware Fault Tolerance

  SFF           HFT = 0      HFT = 1   HFT = 2
  < 60%         SIL 1        SIL 2     SIL 3
  60% - < 90%   SIL 2        SIL 3     SIL 4
  90% - < 99%   SIL 3        SIL 4     SIL 4
  >= 99%        SIL 3        SIL 4     SIL 4

Type B: maximum SIL by Safe Failure Fraction and Hardware Fault Tolerance

  SFF           HFT = 0      HFT = 1   HFT = 2
  < 60%         Not allowed  SIL 1     SIL 2
  60% - < 90%   SIL 1        SIL 2     SIL 3
  90% - < 99%   SIL 2        SIL 3     SIL 4
  >= 99%        SIL 3        SIL 4     SIL 4

Application Exercise Set 5 - Functional Safety Management

Question 1
Based on IEC 61508, which of the following statements about the required competency of individuals performing safety lifecycle tasks are true:
   1.
Must have a degree in engineering from an accredited university
   2. Must be certified by an independent third-party organization
   3. The manager of the project must ascertain that the person is competent in all phases of the safety lifecycle
   a) 1 and 2 are true, 3 is false
   b) 1 and 3 are true, 2 is false
   c) 2 and 3 are true, 1 is false
   d) 1, 2 and 3 are true
   e) None of the above statements are true

Solution 1
Addressed specifically in Annex A of IEC 61508: ensure that staff "involved in any of the overall or software SLC activities are competent". Training, experience and qualifications should all be assessed and documented:
   - System engineering knowledge
   - Safety engineering knowledge
   - Legal and regulatory requirements knowledge
   - More critical for novel systems or high SIL requirements

From the above, a person does not need to have a degree, or be certified by an independent third party. A person must be competent in the part of the safety lifecycle they are involved with, not in all phases. Therefore the correct answer is e).

Question 2
Which of the following information items are required to be maintained throughout the lifecycle of an SIS:
   1. The results of the hazard and risk analysis and related assumptions
   2. Information regarding the equipment items used for safety instrumented functions together with the function's safety requirements
   3. The procedures necessary to maintain functional safety
   a) 1 and 2 are required, 3 is not
   b) 1 and 3 are required, 2 is not
   c) 2 and 3 are required, 1 is not
   d) 1, 2 and 3 are required
   e) None of the information items listed above are required

Solution 2
All of the information items mentioned are required to be maintained throughout the lifecycle of an SIS. Therefore the correct answer is d).

Question 3
Which of the following statements about the documentation required for safety planning are true:
   1.
Safety planning documentation can be included as a section in the quality plan entitled "safety plan".
   2. Safety planning must be documented in a separate document entitled "safety plan".
   3. Safety planning can be documented in a series of documents that may include other company procedures or working practices, such as corporate standards.
   a) 1 and 2 are true, 3 is false
   b) 1 and 3 are true, 2 is false
   c) 2 is true, 1 and 3 are false
   d) 1, 2 and 3 are true
   e) None of the above statements are true

Solution 3
Safety planning must be documented, but there is no specific requirement to create a separate document entitled "safety plan". Therefore statement 2 is not correct, and the correct choice is b).

Question 4
Which of the following statements about safety planning are true:
   1. Safety planning does not need to consider activities done by outside vendors or suppliers.
   2. Safety planning must designate how and when functional safety will be assessed.
   3. Safety planning does not need to specifically designate the level of independence of any functional safety assessment team.
   a) 1 and 2 are true, 3 is false
   b) 2 and 3 are true, 1 is false
   c) 2 is true, 1 and 3 are false
   d) 1, 2 and 3 are true
   e) None of the above statements are true

Solution 4
Safety planning does need to consider activities done by outside vendors or suppliers. Safety planning does need to specifically designate the level of independence of any functional safety assessment team. Therefore statements 1 and 3 are not true, and the correct answer is c).

Question 5
When is functional safety assessed according to IEC 61511?
   a) Usually before the hazard is present but always after a safety function trips.
   b) Always following system commissioning and validation, but often after the safety requirements specification is complete as well.
   c) It can be assessed at any time as long as it is assessed at least once.
   d) It must be assessed after all system modifications.
e) None of the above statements are true

Solution 5

Functional safety is always assessed following system commissioning and validation, but often after the safety requirements specification is complete as well. Therefore the correct answer is b).

Question 6

Which safety lifecycle roles and responsibilities must be designated?
a) Those required for each phase of the safety lifecycle and its associated activities
b) Functional safety assessment activities
c) Functional safety management activities
d) Decommissioning activities
e) All of the above statements are correct

Solution 6

All of the statements above are true. Therefore the correct answer is e).

Application Exercise Set 6 - Redundant Architectures

Question 1

Rank the following redundancy schemes from highest probability of failure on demand to lowest probability of failure on demand (highest on the left, lowest on the right):
a) 2oo2 - 1oo2 - 2oo3
b) 2oo3 - 1oo2 - 2oo2
c) 2oo3 - 2oo2 - 1oo2
d) 2oo2 - 2oo3 - 1oo2
e) 1oo2 - 2oo3 - 2oo2

Solution 1

The lowest probability of failure on demand is achieved by a 1oo2 configuration. The next lowest probability of failure on demand is achieved by a 2oo3 configuration. The highest probability of failure on demand of the three configurations is found in the 2oo2 configuration. Therefore the redundancy schemes' PFDavg are ranked 2oo2 > 2oo3 > 1oo2, and the answer is d).

Question 2

A 1oo2 architecture has a hardware fault tolerance per IEC 61508 (IEC 61511) of:
a) 0
b) 1
c) 2

Solution 2

A 1oo2 architecture has a hardware fault tolerance of 1. Therefore the correct answer is b).

Question 3

A 2oo3 architecture has a hardware fault tolerance per IEC 61508 (IEC 61511) of:
a) 0
b) 1
c) 2
d) 3

Solution 3

A 2oo3 architecture has a hardware fault tolerance of 1. Therefore the correct answer is b).

Application Exercise Set 7 - SIL 3 Pressure Protection Loop

Question 1

Group Exercise: design a SIL 3 loop and verify it with PFDavg calculations, SFF calculations and an MTTFS calculation. Design the SIL 3 loop using SILver to calculate PFDavg and AC SIL. Target a 5 year test interval and MTTFS > 10 years.

Solution 1

This is a class exercise and will be answered during the class.

Application Exercise Set 8 - Periodic Inspection and Test Plans

Question 1

Name effective inspection and test techniques that should be considered for a pressure transmitter.

Solution 1

a) Full-scale analog signal shift, -10% to +110%
b) Check (and clean) impulse lines
c) Visually inspect for corrosion
d) Consider interface aspects with the controller (open/short)

Question 2

Name effective inspection and test techniques that should be considered for a solenoid.

Solution 2

a) Check speed of response when cycling
b) Listen for abnormal sounds when cycling
c) Check air quality
d) Check voltage losses due to resistance
e) Check fully closed and fully open
f) Clean vent ports
g) Check for force variations

FSE II - Post-Test

Question 1

Two power supplies are used in a redundant configuration. Assume one failure mode, lost power. Each power supply has a failure rate of 0.0005 failures per year. Based on close physical mounting and identical power supplies, a beta factor of 0.1 is assigned. What is the system unreliability for a two-year mission time? Draw a fault tree for the system including common cause.
Solution 1

Unreliability is the probability of failure (PF). The fault tree has an OR gate at the top event (lost power) with two inputs: an AND gate (TxA fails AND TxB fails) and the common cause event (CC), i.e. (TxA × TxB) + CC.

λ = 0.0005 failures per year
T = 2 years (mission time)
β = 0.1

λCC = β × λ = 0.0005 × 0.1 = 0.00005 failures per year
λN = λ × (1 - β) = 0.0005 × 0.9 = 0.00045 failures per year

UCC = λCC × T = 0.00005 × 2 = 0.0001
UN = λN × T = 0.00045 × 2 = 0.0009 (each supply, independent failures)
UN(both) = UN² = 0.0009 × 0.0009 = 0.81 E-06 (TxA fails AND TxB fails)
Utotal = UN(both) + UCC = 0.0001 + 0.81 E-06 = 0.00010081

The unreliability for a two year mission = 0.00010081

Question 2

Which of the following best describes the difference between verification and validation, as defined in IEC 61508 and IEC 61511?
a) There are no differences. Verification and validation have the same meaning.
b) Verification describes review tasks that are performed by independent assessment teams. Validation describes review tasks that are performed by the design team.
c) Validation is the activity of demonstrating that the SIS meets the safety requirements specifications. Verification is the activity of demonstrating that for each safety lifecycle phase the requirements of the safety lifecycle model have been met.
d) Validation is the process of creating a "V"-diagram of the tasks that are required to complete the safety lifecycle. Verification is the process of ensuring that competent individuals have completed those tasks.
e) None of the above answers are correct.

Solution 2

Validation is the activity of demonstrating that the SIS meets the safety requirements specifications. Verification is the activity of demonstrating that for each safety lifecycle phase the requirements of the safety lifecycle model have been met. Therefore the correct answer is c).

Question 3

If the user of a product that was designed under the IEC 61508 standard is required to perform manual tests at a periodic interval to achieve the SIL that is listed in the product certification, the information regarding the necessity of the test, and the frequency the test is required to be performed, must be provided in:
a) Product safety manual
b) Product specification sheets
c) Sales and marketing literature
d) Equipment installation guides
e) None of the above; the vendor is not required to share this information with the customer

Solution 3

The information regarding the necessity of the test, and the frequency the test is required to be performed, must be provided in the product safety manual. Therefore the correct answer is a).

Question 4

A control valve is used in an SIS. The valve has a constant safe failure rate of 0.02 failures per year and a constant dangerous failure rate of 0.05 failures per year. The valve is tested on a one-year interval where 85% of the failures are detected by the periodic inspection and test. The valve is operated for fifteen years until it is removed from service and overhauled. What is the average probability of failure on demand?

Solution 4

λS = 0.02 failures per year (note that this is not used in the solution)
λD = 0.05 failures per year
TI = 1 year
Cpt = 0.85 (85%)
LT = 15 years

PFDavg = [Cpt × λD × TI]/2 + [(1 - Cpt) × λD × LT]/2
       = [0.85 × 0.05 × 1]/2 + [0.15 × 0.05 × 15]/2
       = 0.02125 + 0.05625
       = 0.0775

Question 5

Two different types of solenoid valves are used to block fuel flow to a burner in an SIS. The valves are piped in series. Both valves are energized and open in normal operation of the system. Both valves should close when a dangerous condition is detected. Both valves have one failure mode, fail-danger, with a failure rate of 0.0009 failures per year. Both valves are tested once every year and all failures are found during that test. Based on the differences between the valves, a common cause beta factor of 0.001 is assigned. What is the PFDavg of the valve subsystem including common cause?

Solution 5

λD = 0.0009 failures per year
TI = 1 year
β = 0.001
λDCC = β × λD = 0.001 × 0.0009 = 0.9 E-06 failures per year
λDN = (1 - β) × λD = 0.999 × 0.0009 = 0.000899 failures per year

PFDavg = λDN² × TI²/3 + λDCC × TI/2 = 0.269 E-06 + 0.45 E-06 = 0.719 E-06

Question 6

Draw a Markov model for the situation in problem 5.

Solution 6

To be discussed and developed in class.

Question 7

A "smart" transmitter has a failure rate of 0.05 failures per year. The safe failure ratio is 70%, and the diagnostic coverage of dangerous failures is 60%. The diagnostic coverage for safe failures is 70%. What is the Safe Failure Fraction? With a hardware fault tolerance of 0, what SIL is allowed?

Solution 7

λtotal = 0.05 failures per year
%Safe = 0.7 (70%)
CD = 0.6 (60%)
λS = λtotal × %Safe = 0.05 × 0.7 = 0.035 safe failures per year
λD = λtotal - λS = 0.05 - 0.035 = 0.015 dangerous failures per year
λDD = λD × CD = 0.015 × 0.6 = 0.009 dangerous detected failures per year

SFF = [λSD + λSU + λDD] / λtotal = [λS + λDD] / λtotal = [0.035 + 0.009] / 0.05 = 0.88 (88%)

Type B
Safe Failure Fraction | Hardware Fault Tolerance 0 | 1     | 2
60% <= SFF < 90%      | SIL 1                      | SIL 2 | SIL 3
90% <= SFF < 99%      | SIL 2                      | SIL 3 | SIL 4
SFF >= 99%            | SIL 3                      | SIL 4 | SIL 4

The hardware fault tolerance = 0. From the table, looking at the intersection of the "0" column and the 60% <= SFF < 90% row, we find that the transmitter is qualified for use at SIL 1 level.

Detailed solution to Question 4 of Exercise Set 3

Question 4: A temperature transmitter is used to sense an abnormal process condition. Two transmitters are arranged in a one-out-of-two voting arrangement.
The transmitter has a failure rate of Lambda = 0.05 failures per year, and a beta factor of 10%. What is the PFDavg of this subsystem if a periodic inspection is done once a year that detects 90% of the failures? The transmitter subsystem is operated for ten years between major overhauls.
(Functional Safety Engineering 2, exida, August 2003)

Initial data and calculation of specific relevant failure rates:
Total Lambda = 0.05 failures/year
Beta = 0.1
TI = 1 year (partial coverage test interval)
Cpt = 0.9 (fraction of failures covered by the 1 year test)
LT = 10 years (total mission time)

This problem is complicated and is best considered in several parts. To consider the partial coverage testing and the total coverage testing, it is worth remembering that the overall system can fail because of a fault that is covered by the annual test OR by a fault that is only fixed during the major overhaul at the end of 10 years. These two contributions to the PFDavg are added together because the two different kinds of fault are mutually exclusive. With this in mind, we can calculate each contribution separately.

1 year test interval faults' contribution to the overall PFDavg

In considering the contribution of the faults corrected in the annual test, we need to make sure we use the proper part of the overall failure rate. Since the coverage factor for the test Cpt is 90%, we can look at the effective rate of failures of interest as Cpt × Total Lambda = 0.9 × 0.05 = 0.045 = Lambda Total (1 year). Then, because there is a second level of complexity with the common cause failures, we need to split this 1 year lambda total into a LambdaCC(1 year) and a LambdaN(1 year) by use of the beta factor.

Lambda Total (1 year)          0.045  = (Lambda total) × Cpt = 0.05 × 0.9
Lambda Common Cause (1 year)   0.0045 = (Lambda total (1 year)) × Beta = 0.045 × 0.1
Lambda Normal (1 year)         0.0405 = (Lambda total (1 year)) × (1 - Beta) = 0.045 × (1 - 0.1)

Now, because the normal independent failure mode is a 1oo2 voting system, we use the integrated formula for PFDavg due to normal mode failure. Then we add this to the common mode failure component for the 1 year part, since the system either fails in normal independent mode OR by common mode.

PFDavg N (1 year)     0.00055 = (LambdaN(1 year)^2 × TI^2)/3 = (0.0405^2 × 1^2)/3
PFDavg CC (1 year)    0.00225 = LambdaCC(1 year) × TI/2 = 0.0045 × 1/2
PFDavg SYS (1 year)   0.00280 = PFDavg N (1 year) + PFDavg CC (1 year)

10 year test interval faults' contribution to the overall PFDavg

We then do the same thing for the 10 year overhaul faults' contribution. Again we need to make sure we use the proper part of the overall failure rate. Since the coverage factor for the test Cpt = 90%, we can look at the effective rate of failures of interest as (1 - Cpt) × Total Lambda = 0.1 × 0.05 = 0.005 = Lambda Total (10 year). Then, because there is a second level of complexity with the common cause failures, we again need to split this 10 year lambda total into a LambdaCC(10 year) and a LambdaN(10 year) by use of the beta factor.

Lambda Total (10 year)         0.005  = (Lambda total) × (1 - Cpt) = 0.05 × (1 - 0.9)
Lambda Common Cause (10 year)  0.0005 = (Lambda total (10 year)) × Beta = 0.005 × 0.1
Lambda Normal (10 year)        0.0045 = (Lambda total (10 year)) × (1 - Beta) = 0.005 × (1 - 0.1)

As before, because the normal independent failure mode is a 1oo2 voting system, we use the integrated formula for PFDavg due to normal mode failure, with the test interval for these faults being the 10 year overhaul interval. Then we add this to the common mode failure component for the 10 year part, since the system either fails in normal independent mode OR by common mode.

PFDavg N (10 year)    0.000675 = (LambdaN(10 year)^2 × TI^2)/3 = (0.0045^2 × 10^2)/3
PFDavg CC (10 year)   0.0025   = LambdaCC(10 year) × TI/2 = 0.0005 × 10/2
PFDavg SYS (10 year)  0.00318  = PFDavg N (10 year) + PFDavg CC (10 year)

Summing up the overall PFDavg

Finally we add the 1 year tested failure contribution to the 10 year overhaul corrected failure contribution to get the total PFDavg for the system considering all of the pathways.

Total PFDavg   0.00597 = PFDavg SYS (1 year) + PFDavg SYS (10 year) = 0.00280 + 0.00318
Total RRF      167
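The beta-factor split and the 1oo1 / 1oo2 PFDavg approximations used in post-test Questions 1, 4 and 5 and in the detailed solution above, collected into a few Python functions. This is an added example, not part of the course material; the function names and the dictionary layout are my own, and the functions reproduce the worked numbers (0.00010081, 0.0775, 0.719 E-06 and 0.00597 with RRF 167).

```python
"""Constant-failure-rate / periodic-test helpers for the formulas used above.
Added example, not the course's own code. Units: failures per year and years.
  lam  total failure rate    beta common-cause beta factor
  ti   proof-test interval   cpt  fraction of failures the test detects
  lt   mission (overhaul) interval
Approximations used in the solutions: 1oo1 PFDavg = lam*T/2,
independent 1oo2 PFDavg = lam^2*T^2/3, common cause treated as 1oo1 at beta*lam.
"""


def split_common_cause(lam, beta):
    """Beta-factor split: returns (common-cause rate, independent rate)."""
    return beta * lam, (1.0 - beta) * lam


def unreliability_redundant_pair(lam, beta, t):
    """Post-test Q1: fault tree CC OR (TxA fails AND TxB fails), U = lam*T."""
    lam_cc, lam_n = split_common_cause(lam, beta)
    u_n = lam_n * t      # each supply on its own
    u_cc = lam_cc * t    # both supplies together
    return u_cc + u_n * u_n


def pfd_avg_1oo1_partial_coverage(lam_d, ti, cpt, lt):
    """Post-test Q4: detected failures are cleared every TI, the rest at LT."""
    return cpt * lam_d * ti / 2.0 + (1.0 - cpt) * lam_d * lt / 2.0


def pfd_avg_1oo2_cc(lam_d, ti, beta):
    """Post-test Q5: 1oo2 with common cause and a perfect test every TI."""
    lam_cc, lam_n = split_common_cause(lam_d, beta)
    return lam_n ** 2 * ti ** 2 / 3.0 + lam_cc * ti / 2.0


def pfd_avg_1oo2_cc_partial_coverage(lam, beta, ti, cpt, lt):
    """Exercise Set 3 Q4: faults found by the TI test and faults found only at
    the LT overhaul are mutually exclusive populations, so each is worked as
    its own 1oo2-with-CC problem (with its own interval) and the PFDavg
    contributions are summed. Returns the parts as well as the total."""
    parts = {
        "ti": pfd_avg_1oo2_cc(cpt * lam, ti, beta),          # annual-test faults
        "lt": pfd_avg_1oo2_cc((1.0 - cpt) * lam, lt, beta),  # overhaul-only faults
    }
    parts["total"] = parts["ti"] + parts["lt"]
    parts["rrf"] = 1.0 / parts["total"]   # risk reduction factor
    return parts


if __name__ == "__main__":
    print(pfd_avg_1oo2_cc_partial_coverage(0.05, 0.1, 1.0, 0.9, 10.0))
```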
