When designing safety instrumented functions (SIFs) for a process operation, it is not unusual to find devices such as electrical motors, contactors, heaters and other electrical equipment constituting the ‘final element’ part of the SIF end-to-end configuration. The IEC 61511 standard requires that devices selected for safety instrumented systems (SIS) shall be in accordance with IEC 61508 and/or comply with prior-use requirements (see also the Machinery Directive requirements linking ISO 13849-1 to IEC 61508 via IEC 62061 and IEC 61800-5-2).
Usually safety engineers prefer the device manufacturer to provide a certificate of IEC 61508 compliance, a safety manual and the associated failure rates for the SIL verification calculation. However, for the types of electrical devices in question, such documentation is often unavailable.
So, what is the best way to handle this lack of information? Here we provide some further observations on this subject, with a focus on motor drive units, which are usually contained in one or more SIFs.
Functional safety standards require the safety designer to consider
three basic categories for a device to be used in a SIS, namely: Systematic
Capability, Hardware Fault Tolerance and Random Hardware Failure.
Device Systematic Capability
If an IEC 61508 certificate is not available, then we should consider the prior-use route. Here we need to collect evidence of successful device performance in both safety and non-safety applications in the targeted operating environment. This should cover both the functionality and the integrity of the installed device. The evidence will need to include consideration of the manufacturer’s quality management system and the volume of operating experience accumulated with the device. The end user’s approved vendor list and maintenance records are a useful starting point for this. If the information can be satisfactorily pieced together, then it can be turned into a documented ‘Justification for use’ and included in the SIS design and engineering documentation.
Hardware Fault Tolerance
IEC 61511 allows a single-channel arrangement (hardware fault tolerance of 0) for SIL 1 and SIL 2 low demand mode applications. For SIL 3, a dual architecture (hardware fault tolerance of 1) will need to be designed, something which may be challenging for many electrical devices such as medium- and high-voltage direct-on-line (DOL) motor schemes. Here, the safe action for SIL 3 functionality for the motor may be realised by acting on multiple independent components, such as the motor contactor in conjunction with the motor incoming feeder module and/or the overload and safety relay units where fitted. The increasing use of modern variable speed drive units can also assist in this matter, since such systems can be supplied with SIL 3 capable motor control features as standard. The ABB SIL 3 FSO safety module is designed to operate in conjunction with the incoming feeder module and the power electronics for exactly this purpose.
Modelling of Hardware Reliability
When assessing the likelihood of a random hardware failure, the de-energise to trip (DTT) concept should generally be used wherever possible: with DTT, loss of supply or an open circuit drives the final element to its safe state, so most wiring and power supply failures are safe failures. For medium- and high-voltage systems, it is nevertheless common to apply energise to trip (ETT) functionality, or ideally a mixture of DTT and ETT. With ETT, the trip supply, the trip wiring and the trip coil must all be healthy at the moment of demand, so their failures become dangerous failures that have to be modelled (and the circuit normally needs line monitoring). Reliability modelling for this type of architecture can be difficult. First, it necessitates a deep understanding of the functionality of a motor control unit, which may not be possessed by people with an instrumentation-only background, for example.
In addition, the need to include circuit integrity in the calculation may necessitate factoring in a wide variety of devices, including trip coil interposing relays, circuit breakers, contactors and different types of programmable motor protection units, for which failure rates might not be readily available. Difficulties in obtaining device-specific reliability data can result in a high level of data uncertainty and can complicate the modelling of the overall system architecture.
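The following worked example is added here to make the two points above concrete; it is not code from the original article or from any vendor. It models a DOL motor final element as trip paths (series chains of devices, so any dangerous failure defeats the path), compares a single contactor (DTT) with an energise-to-trip feeder breaker path whose supply, interposing relay and shunt trip coil all enter the calculation, and combines the two as a 1oo2 arrangement. It then caps the achievable SIL by the PFDavg band, the IEC 61511 minimum hardware fault tolerance for low demand mode and the claimed systematic capability. The 1oo1 equation is the simplified IEC 61508-6 Annex B form; the 1oo2 combination of dissimilar paths uses the linearised independent term plus a beta-factor common-cause term, as commented in the code. All failure rates, the diagnostic coverage, the proof test interval and the beta value are constructed assumptions for illustration only and must be replaced by data from a safety manual or a documented prior-use justification.

```python
"""Worked PFDavg / SIL-capability check for a DOL motor final element.

Added illustration, not from the article or any vendor safety manual.
All failure rates, DC, T1 and beta are CONSTRUCTED for the example.
Model: simplified IEC 61508-6 Annex B equations, low demand mode; dangerous
failures split into detected (DD, repaired within MTTR) and undetected (DU,
revealed at the proof test interval T1).
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Component:
    name: str
    lambda_d: float      # dangerous failure rate, failures per hour (constructed)
    dc: float = 0.0      # diagnostic coverage of dangerous failures, 0..1

    @property
    def lambda_du(self) -> float:
        return self.lambda_d * (1.0 - self.dc)

    @property
    def lambda_dd(self) -> float:
        return self.lambda_d * self.dc


@dataclass(frozen=True)
class TripPath:
    """A series chain of devices: ANY dangerous failure defeats the trip,
    so the dangerous rates simply add."""
    name: str
    components: tuple

    @property
    def lambda_du(self) -> float:
        return sum(c.lambda_du for c in self.components)

    @property
    def lambda_dd(self) -> float:
        return sum(c.lambda_dd for c in self.components)


def pfd_1oo1(path: TripPath, t1_h: float, mttr_h: float = 8.0, mrt_h: float = 0.0) -> float:
    """IEC 61508-6 B.3.2.2.1 (1oo1): PFDavg = lambda_DU*(T1/2 + MRT) + lambda_DD*MTTR."""
    return path.lambda_du * (t1_h / 2.0 + mrt_h) + path.lambda_dd * mttr_h


def pfd_1oo2(path_a: TripPath, path_b: TripPath, t1_h: float, beta: float,
             mttr_h: float = 8.0, mrt_h: float = 0.0) -> float:
    """1oo2 of two (possibly dissimilar) trip paths.

    Independent term: for DU failures the linearised average of u_a(t)*u_b(t)
    over one proof test interval is lambda_a*lambda_b*T1^2/3, i.e. 4/3 times
    the product of the two channel averages; applying 4/3 to the full channel
    unavailabilities (including the small DD part) is slightly conservative.
    Common-cause term: beta factor applied to the weaker path (conservative
    modelling choice, an assumption of this example).
    """
    u_a = pfd_1oo1(path_a, t1_h, mttr_h, mrt_h)
    u_b = pfd_1oo1(path_b, t1_h, mttr_h, mrt_h)
    return (4.0 / 3.0) * u_a * u_b + beta * max(u_a, u_b)


def sil_band(pfd_avg: float) -> int:
    """Low demand SIL band from PFDavg (IEC 61508-1 Table 2 / IEC 61511-1 Table 4)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd_avg < upper:
            return sil
    return 0


# IEC 61511-1:2016 Table 6: minimum hardware fault tolerance, low demand mode
MIN_HFT_LOW_DEMAND = {1: 0, 2: 0, 3: 1, 4: 2}


def sil_capability(pfd_avg: float, hft: int, systematic_capability: int) -> int:
    """Achievable SIL is the lowest of: PFDavg band, architectural constraint, SC."""
    by_hft = max(s for s, h in MIN_HFT_LOW_DEMAND.items() if h <= hft)
    return min(sil_band(pfd_avg), by_hft, systematic_capability)


# Constructed rates (per hour); DC only where a monitored trip supply is assumed.
CONTACTOR = Component("motor contactor, coil drop-out (DTT)", 2.0e-7)
INTERPOSING_RELAY = Component("trip-coil interposing relay, must energise (ETT)", 1.0e-7)
TRIP_SUPPLY = Component("shunt-trip DC supply, monitored", 1.0e-7, dc=0.9)
SHUNT_TRIP_COIL = Component("feeder breaker shunt trip coil", 1.5e-7)
FEEDER_BREAKER = Component("incoming feeder circuit breaker mechanism", 3.0e-7)

DTT_PATH = TripPath("contactor, de-energise to trip", (CONTACTOR,))
ETT_PATH = TripPath("feeder breaker, energise to trip",
                    (INTERPOSING_RELAY, TRIP_SUPPLY, SHUNT_TRIP_COIL, FEEDER_BREAKER))


def assess(t1_years: float = 1.0, beta: float = 0.05, sc: int = 3) -> dict:
    """Return {architecture: (PFDavg, achievable SIL)} for the three options."""
    t1 = t1_years * HOURS_PER_YEAR
    single = pfd_1oo1(DTT_PATH, t1)
    ett = pfd_1oo1(ETT_PATH, t1)
    dual = pfd_1oo2(DTT_PATH, ETT_PATH, t1, beta)
    return {
        "1oo1 contactor": (single, sil_capability(single, 0, sc)),
        "1oo1 feeder trip (ETT)": (ett, sil_capability(ett, 0, sc)),
        "1oo2 contactor + feeder trip": (dual, sil_capability(dual, 1, sc)),
    }


if __name__ == "__main__":
    for arch, (pfd, sil) in assess().items():
        print(f"{arch:32s} PFDavg = {pfd:.2e}  -> SIL {sil}")
```

With the constructed numbers the single contactor lands in the SIL 3 PFDavg band but is capped at SIL 2 by its hardware fault tolerance of 0; the ETT breaker path, once its supply, relay and coil are included, is SIL 2 on PFDavg alone; and only the 1oo2 combination reaches SIL 3, and then only if the systematic capability argument (certificate or prior-use justification) supports SIL 3 as well.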
Where can we find guidelines on design?
One of the main dangerous failure modes for switching components is the welding together of contacts. The likelihood of this fault can be effectively reduced through oversizing, which IEC 61508 addresses as a de-rating technique. De-rating is the practice of ensuring that, under all normal operating circumstances, components operate below their maximum stress levels. For example, the current switched by the contact should be kept below half of its rated value.
Another perspective on the use of electrical devices in the design of safety applications can be found in ISO 13849-2. This standard lists so-called ‘well-tried safety principles’ for devices used in safety functions, such as mechanically linked (positively guided) contacts and minimum creepage and clearance distances between electrical conductors, and strikes a balance between rigour and simplicity. The standard also requires that the device can be tested at regular intervals.
In addition, we should also consider the useful lifetime of such electrical devices, specifically the period of the bathtub curve over which the failure rate is approximately constant and the SIL verification calculation is therefore valid. Note that the service life may be considerably shortened if the device is overloaded or short-circuited; devices that have seen such events need to be replaced or have their remaining service life re-evaluated.
The safety designer may also refer to the NAMUR NE 142 recommendation, which provides the user with a code of practice for the implementation of functional safety with electrical devices. Again, this can be used as a source of justification for the final selection of electrical devices.
Takeaway
In summary, the safety designer should take extra care when considering the contribution afforded by a SIF implemented with electrical devices and components. If the devices are not certified or substantiated by a prior-use justification, then this should be identified early in the design of the SIS and alternative engineering applied while the Functional Design Specification (FDS) and device selection are still underway.
Leaving the SIL verification exercise until late in the project could have a significant impact: if the SIF does not meet its target SIL, the result is expensive rework, redesign or a non-compliance discovered at the Site Acceptance Test (SAT).
Need help? Contact us if you want to talk through what this could look like for your facility.