.. _fsd203:

FSD203: Estimation of hardware common cause failures
####################################################

.. list-table:: Header
   :header-rows: 0

   * - Title
     - FSD203: Estimation of hardware common cause failures
   * - Version
     - V4
   * - Products
     - Safety Simplifier
   * - Requirements
     - EN 61508-2:2010, clause 7.4.5.2
   * - Purpose
     -
   * - Input
     - :ref:`FSD113`
   * - Output
     - Estimation of hardware related common cause failures

Table of contents
*****************

.. contents::

61508-6 Table D.1 - Scoring programmable electronics or sensors/final elements
------------------------------------------------------------------------------

.. flat-table:: Table D.1 - Scoring programmable electronics or sensors/final elements
   :widths: 4 1 1 1 1 4
   :header-rows: 2

   * - Item
     - :cspan:`1` Logic subsystem
     - :cspan:`1` Sensors and final elements
   * -
     - XLS
     - YLS
     - XSF
     - YSF
     - Comment
   * - **Separation/segregation**
     -
     -
     -
     -
   * - Are all signal cables for the channels routed separately at all positions? YES
     - 1.5
     - 1.5
     - 1
     - 2
     - Refer to the layout of PCB018, where this can be seen.
   * - Are the logic subsystem channels on separate printed-circuit boards? NO
     -
     -
     -
     -
   * - Are the logic subsystems physically separated in an effective manner? For example, in separate cabinets. YES
     - 2.5
     - 0.5
     -
     -
     - As seen in FSD115, there is only one logic subsystem per Simplifier, but Simplifiers can work together in a system. The logic units are then in separate cabinets, as every Simplifier is in its own cabinet.
   * - If the sensors/final elements have dedicated control electronics, is the electronics for each channel on separate printed-circuit boards? NO
     -
     -
     -
     -
   * - If the sensors/final elements have dedicated control electronics, is the electronics for each channel indoors and in separate cabinets? NO
     -
     -
     -
     -
   * - **Diversity/redundancy**
     -
     -
     -
     -
   * - Do the channels employ different electrical technologies, for example one electronic or programmable electronic and the other relay? NO
     -
     -
     -
     -
   * - Do the channels employ different electronic technologies, for example one electronic, the other programmable electronic? NO
     -
     -
     -
     -
   * - Do the devices employ different physical principles for the sensing elements, for example pressure and temperature, vane anemometer and Doppler transducer, etc.? NO
     -
     -
     -
     -
   * - Do the devices employ different electrical principles/designs, for example digital and analogue, different manufacturer (not re-badged) or different technology? YES
     -
     -
     - 6.5
     -
     - * The logic uses two different CPUs, with different software in them.
       * The input element uses different sensing for the two channels (different resistive divider, and CPU1 has a component that changes the input voltage if the output goes high).
       * For transistor outputs, one channel is the main transistor with its own diagnostics and checking; the other channel, which is controlled by CPU1, is a different kind of transistor and driver.
       * Relay output control uses a main power control unit high side driver for one channel, while a relay individual low side driver is used for the other channel.
   * - Is low diversity used, for example hardware diagnostic tests using the same technology? YES
     - 2
     - 1
     -
     -
     - Refer to the circuit diagram of PCB018. For the logic, some diagnostic tests are the same for the two channels, i.e. monitoring of the individual CPU power supply and feedback from relay diagnostics. Different technologies are also used for some parts (ADC mux checking, crystal reference time base), but as the standard does not support a mix, the lower level has to be used.
   * - Is medium diversity used, for example hardware diagnostic tests using different technology? NO
     -
     -
     -
     -
   * - Were the channels designed by different designers with no communication between them during the design activities? NO
     -
     -
     -
     -
   * - Are separate test methods and people used for each channel during commissioning? YES
     - 1
     - 0.5
     - 1
     - 2
     - Refer to FSD303, where there are separate tests for the different channels.
   * - Is maintenance on each channel carried out by different people at different times? NO
     -
     -
     -
     -
   * - **Complexity/design/application/maturity/experience**
     -
     -
     -
     -
   * - Does cross-connection between channels preclude the exchange of any information other than that used for diagnostic testing or voting purposes? YES
     - 0.5
     - 0.5
     - 0.5
     - 0.5
     - Refer to SRC002-021 and SRC002-022, where there is dedicated data in the cpu2cpu communication for the diagnostic tests.
   * - Is the design based on techniques used in equipment that has been used successfully in the field for > 5 years? YES
     - 0.5
     - 1
     - 1
     - 1
     - The principles used in Simplifier 2025 are used successfully in the field with Simplifier 2019.
   * - Is there more than 5 years experience with the same hardware used in similar environments? YES
     - 1.0
     - 1.5
     - 1.5
     - 1.5
     - The hardware has not changed since Simplifier 2019, which is more than 5 years in the field.
   * - Is the system simple, for example no more than 10 inputs or outputs per channel? YES
     -
     - 1
     -
     -
     - The architecture of Simplifier is very clean and simple. Refer to System Architecture.
   * - Are inputs and outputs protected from potential levels of over-voltage and over-current? YES
     - 1.5
     - 0.5
     - 1.5
     - 0.5
     - Refer to the circuit diagram of PCB018:

       * I/O have a TVS to protect them.
       * Inputs are through very high resistors; thus, high voltages can be handled.
       * The output transistor is rated for 100V (check the FDS89161LZ datasheet). This is much higher than the rated max voltage of 36V.
       * Relays are rated for 4kV, again much higher than the rated max voltage of 50V.
       * The output transistor has two over-current detector circuits which protect from short circuits.
   * - Are all devices/components conservatively rated (for example, by a factor of 2 or more)? YES
     - 2
     -
     - 2
     -
     - Refer to the PCB018 circuit diagram and the BOM. Critical components:

       * The output transistor is rated for 100V.
       * The power supply is rated for 60V.
       * The power supply uses a two-stage design.
       * The relay is rated for 4kV and 6A, compared to the rated 50VDC and 2A.
   * - **Assessment/analysis and feedback of data**
     -
     -
     -
     -
   * - Have the results of the failure modes and effects analysis or fault-tree analysis been examined to establish sources of common cause failure and have predetermined sources of common cause failure been eliminated by design? NO
     -
     -
     -
     -
   * - Were common cause failures considered in design reviews with the results fed back into the design? (Documentary evidence of the design review activity is required.) NO
     -
     -
     -
     -
   * - Are all field failures fully analyzed with feedback into the design? (Documentary evidence of the procedure is required.) NO
     -
     -
     -
     -
   * - **Procedures/human interface**
     -
     -
     -
     -
   * - Is there a written system of work to ensure that all component failures (or degradations) are detected, the root causes established and other similar items inspected for similar potential causes of failure? NO
     -
     -
     -
     -
   * - Are procedures in place to ensure that: maintenance (including adjustment or calibration) of any part of the independent channels is staggered, and, in addition to the manual checks carried out following maintenance, the diagnostic tests are allowed to run satisfactorily between the completion of maintenance on one channel and the start of maintenance on another? YES
     - 1.5
     - 0.5
     - 2
     - 1
     - Almost all diagnostic tests run continuously and are designed to be independent of each other. The few diagnostic tests that run only at startup are guaranteed to run properly, as any maintenance requires a restart.
   * - Do the documented maintenance procedures specify that all parts of redundant systems (for example, cables, etc.) intended to be independent of each other, are not to be relocated? NO
     -
     -
     -
     -
   * - Is all maintenance of printed-circuit boards, etc. carried out off-site at a qualified repair centre and have all the repaired items gone through a full pre-installation testing? YES
     - 0.5
     - 1
     - 0.5
     - 1.5
     - All maintenance of PCBs is handled by the ISO9001 certified production facility. Refer to :download:`ISO9000 <../resources/JT/1. ISO9001-2015-certificate.pdf>`.
   * - Does the system have low diagnostic coverage (60 % to 90 %) and report failures to the level of a field-replaceable module? NO
     -
     -
     -
     -
   * - Does the system have medium diagnostics coverage (90 % to 99 %) and report failures to the level of a field-replaceable module? NO
     -
     -
     -
     -
   * - Does the system have high diagnostics coverage (>99 %) and report failures to the level of a field-replaceable module? YES
     - 2.5
     - 1.5
     -
     -
     - Refer to FSD212.
   * - Do the system diagnostic tests report failures to the level of a field-replaceable module? NO
     -
     -
     -
     -
   * - **Competence/training/safety culture**
     -
     -
     -
     -
   * - Have designers been trained (with training documentation) to understand the causes and consequences of common cause failures? YES
     - 2
     - 3
     - 2
     - 3
     - Yes, refer to EN-61508-1 clause 6.2.13 requirement and motivation.
   * - Have maintainers been trained (with training documentation) to understand the causes and consequences of common cause failures? YES
     - 0.5
     - 4.5
     - 0.5
     - 4.5
     - As SSPN is a small organization, the maintainers are essentially the same people as the designers.
   * - **Environmental control**
     -
     -
     -
     -
   * - Is personnel access limited (for example locked cabinets, inaccessible position)? YES
     - 0.5
     - 2.5
     - 0.5
     - 2.5
     - Refer to the safety manual, which dictates personnel access requirements.
   * - Is the system likely to operate always within the range of temperature, humidity, corrosion, dust, vibration, etc., over which it has been tested, without the use of external environmental control? YES
     - 3
     - 1
     - 3
     - 1
     - Refer to the safety manual, which dictates environmental requirements.
   * - Are all signal and power cables separate at all positions? YES
     - 2
     - 1
     - 2
     - 1
     - Refer to the safety manual, which dictates how to connect cables.
   * - **Environmental testing**
     -
     -
     -
     -
   * - Has the system been tested for immunity to all relevant environmental influences (for example EMC, temperature, vibration, shock, humidity) to an appropriate level as specified in recognized standards? YES
     - 10
     - 10
     - 10
     - 10
     - Refer to the environmental testing reports supplied to RISE as part of the certification process.
   * - **Total**
     - **35**
     - **33**
     - **35.5**
     - **32**

.. note::

   Refer to FSD115 and the circuit diagram for the hardware elements:

   * Sensor elements are the Analogue/Digital input elements and the communication black channels.
   * The logic element is represented by CPU1 and CPU2 plus supporting components. This is marked in the circuit diagram.
   * Final elements are represented by the digital outputs, the relays and the communication black channels.

Table D.2 - Value Z - programmable electronics
----------------------------------------------

Diagnostic coverage is >=99% and the diagnostic test interval is continuous (less than 1 min).

**Z = 2**

Table D.3 - Value Z - sensors or final elements
-----------------------------------------------

Diagnostic coverage is >=99% and the diagnostic test interval is continuous (less than 1 min).

**Z = 2**

Calculation of b-factor - programmable electronics
--------------------------------------------------

.. list-table::
   :widths: 4 1
   :header-rows: 0

   * - Total X (table D.1)
     - 34
   * - Total Y (table D.1)
     - 31.5
   * - Diagnostic coverage, Z (table D.2)
     - 2
   * - Score S
     - 65.5
   * - :math:`{\beta}` (table D.4)
     - 2%
   * - Score :math:`{S_D}`
     - 133.5
   * - :math:`{\beta_D}` (table D.4)
     - 0.5%

Calculation of b-factor - sensors or final elements
---------------------------------------------------

.. list-table::
   :widths: 4 1
   :header-rows: 0

   * - Total X (table D.1)
     - 34
   * - Total Y (table D.1)
     - 30.5
   * - Diagnostic coverage, Z (table D.3)
     - 2
   * - Score S
     - 64.5
   * - :math:`{\beta}` (table D.4)
     - 5%
   * - Score :math:`{S_D}`
     - 132.5
   * - :math:`{\beta_D}` (table D.4)
     - 1%

Revision History
****************

.. list-table::
   :header-rows: 1

   * - Date
     - By
     - Version
     - Description
   * - 2017-02-14
     - Jesper Ribbe
     - V1
     - Based on FSD113v01
   * - 2023-09-15
     - Nils Odén
     - V2
     - Copied over old document to new structure, no changes in the document's content.
   * - 2023-10-02
     - William Forsdal
     - V3
     - Update table D.1, now more than 5 years experience, adds to total 1.0, 1.5, 1.5, 1.5.
   * - 2025-08-20
     - Jesper Ribbe
     - V4
     - Added comments to Table D.1 to clarify the assessment criteria.
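The two b-factor calculation tables above apply IEC 61508-6 Annex D: the score without credit for diagnostics is S = X + Y, the score with credit is S_D = X(Z + 1) + Y, and β and β_D are read from Table D.4 with S and S_D respectively. As an added worked example (not part of FSD203 or the Safety Simplifier project), the Python below reproduces the page's figures and also shows the Table D.1 scoring rule, under which only rows answered YES are credited. The Table D.4 bands are quoted from the standard, which this page does not reproduce; placing a score that falls exactly on a band boundary in the higher band is an assumption. The sample row list is constructed: three rows are copied from Table D.1 above and the NO row carries made-up values only to show that it is not counted.

```python
"""Beta-factor estimation as in IEC 61508-6:2010 Annex D.

Added example for this page; it is not part of FSD203 or the Safety Simplifier
project. S = X + Y, S_D = X * (Z + 1) + Y and the Table D.4 bands come from
the standard (the page only lists the results). Treating a score that lies
exactly on a band boundary as belonging to the higher band is an assumption.
"""
from dataclasses import dataclass

# IEC 61508-6 Table D.4: (lower bound of score band, beta for the logic
# subsystem, beta for sensors or final elements), betas as fractions.
TABLE_D4 = (
    (120, 0.005, 0.01),
    (70, 0.01, 0.02),
    (45, 0.02, 0.05),
    (0, 0.05, 0.10),
)


@dataclass(frozen=True)
class BetaResult:
    score_s: float    # S = X + Y (no credit for diagnostics)
    score_sd: float   # S_D = X * (Z + 1) + Y (credit for diagnostics)
    beta: float       # beta from Table D.4 entered with S
    beta_d: float     # beta_D from Table D.4 entered with S_D


def beta_from_score(score, sensors_or_final_elements):
    """Return beta (as a fraction) from Table D.4 for a score S or S_D."""
    if score < 0:
        raise ValueError("score must be non-negative")
    for lower_bound, beta_logic, beta_sf in TABLE_D4:
        if score >= lower_bound:
            return beta_sf if sensors_or_final_elements else beta_logic
    raise AssertionError("Table D.4 covers every non-negative score")


def estimate_beta(x, y, z, sensors_or_final_elements=False):
    """Compute S, S_D, beta and beta_D from the Table D.1 totals X and Y and
    the Table D.2 (logic) or Table D.3 (sensors/final elements) value Z."""
    if min(x, y, z) < 0:
        raise ValueError("X, Y and Z must be non-negative")
    s = x + y
    s_d = x * (z + 1) + y
    return BetaResult(
        s, s_d,
        beta_from_score(s, sensors_or_final_elements),
        beta_from_score(s_d, sensors_or_final_elements),
    )


def table_d1_totals(rows):
    """Total the X_LS, Y_LS, X_SF, Y_SF columns of Table D.1.

    Each row is (answer, x_ls, y_ls, x_sf, y_sf) with None for a blank cell.
    Only rows answered YES are credited; a NO row contributes nothing even if
    it carries values, which is how Table D.1 is scored."""
    totals = [0.0, 0.0, 0.0, 0.0]
    for answer, *cells in rows:
        if answer.strip().upper() != "YES":
            continue
        for i, cell in enumerate(cells):
            totals[i] += cell or 0.0
    return tuple(totals)


# Constructed sample: three rows copied from Table D.1 above plus one NO row
# whose values are made up to show that NO rows are not credited.
SAMPLE_ROWS = [
    ("YES", 1.5, 1.5, 1, 2),          # signal cables routed separately
    ("YES", 2.5, 0.5, None, None),    # logic subsystems in separate cabinets
    ("YES", None, None, 6.5, None),   # different electrical principles/designs
    ("NO", 1, 1, 1, 1),               # made-up values on a NO row
]


def describe(label, result):
    """One-line summary of a BetaResult with betas shown as percentages."""
    return (f"{label}: S = {result.score_s:g}, beta = {result.beta:.1%}; "
            f"S_D = {result.score_sd:g}, beta_D = {result.beta_d:.1%}")


if __name__ == "__main__":
    print("sample rows total (X_LS, Y_LS, X_SF, Y_SF):", table_d1_totals(SAMPLE_ROWS))
    # Inputs of the two calculation tables on this page.
    print(describe("logic", estimate_beta(34, 31.5, 2)))
    print(describe("sensors/final elements", estimate_beta(34, 30.5, 2, True)))
```

Run as a script it prints the two calculations with the inputs used in the calculation tables (X = 34, Y = 31.5 and 30.5, Z = 2), giving S = 65.5 and 64.5, S_D = 133.5 and 132.5, β = 2 % and 5 %, β_D = 0.5 % and 1 %. Fed with the Table D.1 totals as they now stand (35, 33 for the logic subsystem and 35.5, 32 for sensors/final elements) it gives S = 68 and 67.5 and S_D = 138 and 138.5, which fall in the same Table D.4 bands, so the resulting β and β_D are unchanged.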