Tuesday, 15 May 2018

When designing safety instrumented functions (SIFs) for a process operation, it is not unusual to find devices such as electrical motors, contactors, heaters and other electrical equipment constituting the ‘final element part’ of the SIF end-to-end configuration. The IEC 61511 standard requires that devices selected for safety instrumented systems (SIS) shall be in accordance with IEC 61508 and / or comply with prior-use requirements (See also the Machinery Directive requirements linking ISO 13849-1 to IEC 61508 via IEC 62061 and IEC 61800-5-2).

Usually safety engineers prefer the device manufacturer to provide a certificate of IEC 61508 compliance, safety manual and associated failure rates for SIL verification calculation. However, for the types of electrical devices in question, such documentation is often unavailable.

So, what is the best way to handle this lack of information? Here we provide some further observations regarding this subject with a focus on motor drive units which are usually contained in one or more SIFs.

Functional safety standards require the safety designer to consider three basic categories for a device to be used in a SIS, namely: Systematic Capability, Hardware Fault Tolerance and Random Hardware Failure.

Device Systematic Capability
If the IEC 61508 certificate is not available, then we should consider the prior-use route. Here we need to collect evidence of successful device performance in both safety and non-safety applications in the targeted operating environment. This should cover functionality and integrity of the installed device. The evidence will need to include consideration of the manufacturer’s quality, management and volume of operating experience. The end user vendor list should be used in this regard. If the information can be satisfactorily pieced together, then it can be turned into a documented ‘Justification for use’ and included in the SIS design and engineering documentation.

Hardware Fault Tolerance
IEC 61511 allows for a single channel arrangement for SIL 1 and SIL 2 low demand mode applications. For SIL 3, we will need a dual architecture to be designed, something which may be challenging for many electrical devices such as middle and high voltage DOL motor schemes. Here, the safe action for SIL 3 functionality for the motor may be realised by acting on multiple independent components, such as the motor contactor in conjunction with the motor in-coming feeder module and / or overload and safety relay units where fitted. The increasing use of modern variable speed drive units can also assist in this matter where such systems can be supplied with SIL 3 capable motor control features as standard. The ABB SIL 3 FSO safety module is designed to operate in conjunction with the in-coming feeder module and power electronics for exactly this purpose.

Modelling of Hardware Reliability
When assessing the likelihood of a random hardware failure, the de-energise to trip (DTT) concept should generally be used wherever possible. For middle and high voltage systems, it is common to apply an energise to trip (ETT) functionality, or ideally a mixture of DTT and ETT. Reliability modelling for this type of architecture can be difficult. First it necessitates a deep understanding of the functionality of a motor control unit, which may not be possessed by people who have an instrumentation-only background for example.

In addition, the need to include circuit integrity into the calculation may necessitate factoring in a wide variety of devices, including trip coil interposing relays, circuit breakers, contactors and different types of motor protection programmable units, for which failure rates might not be readily available. Difficulties in obtaining device specific reliability data can result in a high level of data uncertainty and can complicate the modelling of the overall system architecture.

Where can we find guidelines on design?
One of the main failure modes for switching components is the welding together of contacts. This fault can be effectively reduced through oversizing, which is addressed by IEC 61508 by applying a de-rating technique. De-rating is the practice of ensuring that under all normal operating circumstances, components are operating below their maximum stress levels. For example, the current conducted via the switch should be less than half the rated current value.

Another perspective on the usage of electrical devices in the design of safety applications can be found in ISO 13849-2. This standard provides so-called ‘proven safety principles’ for devices used in safety functions such as mechanically connected contacts and the distances between electrical conductors and provides a balance between complexity and simplification. The standard also includes a requirement for ensuring that the device can be tested at regular intervals.

In addition, we should also consider the useful lifetime of such electrical devices, specifically the period when the failure rates are constant. Surprisingly, service life may be considerably shortened if the device is overloaded or short-circuited, with devices needing to be replaced or their service life time re-evaluated.

The safety designer may also refer to NAMUR NE 142 recommendations, which provide the user with a code of practice to the implementation of functional safety with electrical devices. Again, this can be used as a source of justification in the final selection of electrical devices.

In summary, the safety designer should take extra care when considering the contribution afforded by a SIF implementing electrical devices and components. If the devices are not certified or substantiated by prior-use justifications, then this should be identified early in the design of the SIS and alternative engineering applied once the Functional Design Specification (FDS) and device selection is underway. 

Leaving the SIL verification exercise late in the day could have a significant impact, incurring higher SIL requirements if the SIF does not meet the target SIL, thereby leading to expensive re-work, re-design or non-compliance impact discovered at the Site Assessment Test (SAT).

Need help? Contact us if you want to talk through what this could look like for your facility.

This is the most recent post.
Older Post


Post a Comment