Why Proof Test Coverage Is So Important For A SIF to Achieve Its Target SIL?

Aug 24, 2017

This is a question I often get asked when I'm teaching our FSE100 course on Functional Safety, when we discuss the purpose of Proof Testing and coverage.  It's amazing how many end users assume perfect proof testing (i.e. 100% coverage) that is capable of finding all the potential dangerous undetected failures.  It just isn't the case.  There is no such thing as a perfect proof test for a SIF, despite what some manufacturers would have you believe.

So why is this such a big deal?

To illustrate this, let's consider our SIF, which is made up of sensor(s), Logic Solver(s) and Final Element(s), including any and all interface/signal conditioning devices.

Using simplified equations, we know that:

PFDavg (SIF) = PFDavg (Sensor Subsystem) + PFDavg (Logic Solver) + PFDavg (Final Element subsystem)

Therefore, using our simplified approximation formula and assuming a single element system (i.e. HFT = 0):

This simplified equation assumes 100% proof test coverage, so what happens when we don’t have 100%?  Now our simplified equation has to be changed to include the coverage factor, but we also now have to consider Mission Time.

So, what is Mission Time?

Mission Time is the name given to the period of time over which the SIF has to function, without requiring a major overhaul and/or replacement of its equipment.  Mission Time is not the same as Useful Life (the time specified by the manufacturer for its product to function before requiring replacement).  Since a SIF has different equipment with each piece of equipment having different Useful Life, choosing the Mission Time is very important, especially with regards to the target SIL. With imperfect Proof Testing, Mission Time now plays a crucial role in determining the effective SIL of the SIF.

The following equation and diagram illustrate this further:

Every time a proof test is executed it will only find a portion of the dangerous faults (indicated by Cpt), therefore, Mission Time becomes relevant since it will compound the likelihood of a dangerous fault causing a failure on demand over the Mission Time of the SIF.

Let’s consider the following example:

A SIF has a proof test interval of every 10,000 hrs (1E4 hrs) and a dangerous failure rate of 100 FITs (100E-9/hr or 1E-7/hr), with a Mission Time of 200,000 hrs (2E5 hrs) and a Proof Test Coverage of 80%.  What is the resulting PFDavg assuming a) a Perfect Proof Test and b) using the 80% coverage?
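The calculation for this example, as an added Python snippet that is not part of the original post. It assumes the commonly used simplified low-demand approximation PFDavg ≈ λD·Cpt·TI/2 + λD·(1 − Cpt)·MT/2 (the post's own equation was an image that did not survive extraction) and the IEC 61508 low-demand SIL bands; it also evaluates the imperfect-test case at several mission times to show where the PFDavg crosses a SIL boundary.

```python
# Constructed inputs taken from the worked example in the post.
LAMBDA_D = 1e-7   # dangerous failure rate, /hr (100 FIT)
TI = 1e4          # proof test interval, hrs
MT = 2e5          # mission time, hrs
CPT = 0.8         # proof test coverage (fraction of dangerous failures found)


def pfd_avg(lambda_d, ti, cpt, mt):
    """Simplified low-demand approximation for a single element (HFT = 0).

    Assumed to match the post's equation: the covered share of lambda_D is
    reset at every proof test, the uncovered share accumulates over the
    whole mission time."""
    covered = lambda_d * cpt * ti / 2.0
    uncovered = lambda_d * (1.0 - cpt) * mt / 2.0
    return covered + uncovered


def sil_band(pfd):
    """IEC 61508 low-demand SIL bands for PFDavg; 0 means below SIL 1."""
    if 1e-5 <= pfd < 1e-4:
        return 4
    if 1e-4 <= pfd < 1e-3:
        return 3
    if 1e-3 <= pfd < 1e-2:
        return 2
    if 1e-2 <= pfd < 1e-1:
        return 1
    return 0


def perfect_case():
    # a) perfect proof test: Cpt = 1, so the mission-time term vanishes
    return pfd_avg(LAMBDA_D, TI, 1.0, MT)


def imperfect_case():
    # b) 80% coverage over the full 200,000 hr mission
    return pfd_avg(LAMBDA_D, TI, CPT, MT)


def band_crossing_time(lambda_d, ti, cpt, upper_bound):
    """Mission time at which PFDavg reaches a band limit (solve for mt).
    Returns None when coverage is perfect, since PFDavg then never drifts."""
    if cpt >= 1.0:
        return None
    return 2.0 * (upper_bound - lambda_d * cpt * ti / 2.0) / (lambda_d * (1.0 - cpt))


if __name__ == "__main__":
    for label, pfd in (("a) perfect test", perfect_case()), ("b) 80% coverage", imperfect_case())):
        print(f"{label}: PFDavg = {pfd:.2e} -> SIL {sil_band(pfd)}")
    for mt in (2e4, 5e4, 7e4, 1e5, 2e5):
        pfd = pfd_avg(LAMBDA_D, TI, CPT, mt)
        print(f"mission time {mt:.0e} hr: PFDavg = {pfd:.2e} -> SIL {sil_band(pfd)}")
    print(f"SIL 3 limit reached at mission time {band_crossing_time(LAMBDA_D, TI, CPT, 1e-3):.0f} hr")
```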

From this we can clearly see the effect of incomplete proof testing and mission time from b), which achieves a SIL level lower than the assumed perfect proof test. What this translates into is illustrated below:

Over time, with incomplete proof testing, we can see that our PFDavg will continue to worsen until it moves from one SIL boundary to another.  This is why we have to consider Useful Life, Proof Test frequency, Proof Test coverage and Mission Time.  Of course, there are many other variables that need to be considered when calculating the achieved SIL of a SIF but these simple equations help illustrate the effect imperfect proof testing has on the PFDavg.

The goal, therefore, is to design a strategic proof test that can achieve the highest possible coverage factor.  Most manufacturers of SIL-rated equipment will include a suggested proof test and proof test coverage in their safety manual.  If using a tool such as exSILentia to perform SIL verification calculations, exSILentia can determine the coverage factor for each sub-element of a SIF, based upon the manufacturers' recommended proof test and coverage.

If this blog has stimulated your interest then please check out the webinars on this subject.

No! They are not Inherently Safe!

A collaborative robot is intended to work “collaboratively” with a person. i.e. share a common workspace. It is force and speed limited by design to minimize any potential hazard. Collaborative robots fit the application where the task cannot be easily or cost effectively automated. They are easy to deploy, program and repurpose. Collaborative robots are new to everyone including the standards agencies.

A hazard and risk assessment is required that assesses the robot and the environment that it is deployed in. Just as any other robot, things such as collisions, speed, type of end effector and worksite need to be evaluated. Collaborative robots have their own sorts of collisions and hazards. They may not be as severe, but they still exist.

This all comes down to risk and the amount of risk that you are willing to accept! The diagram below shows the high-level steps for doing a Hazard and Risk Assessment. When following the steps, if you assess the risk and find it to be acceptable (within your company's acceptable risk norms) then you are done. No need to add any risk reduction.

The next best approach is to determine if protective measures other than a Safety Function can reduce the risk to an acceptable level. If not, then you must assign a SIL and implement a safety function that will provide the required risk reduction.

exida can effectively train your team to perform machine hazard and risk assessments to identify all possible hazards and estimate the risk for each hazard. Specifically, exida coaches you through the process of evaluating the risk, developing and implementing risk reduction options. exida can also educate your team in multiple approaches to SIL target selection. These are just some of the things exida does to ensure you are on the right path!
