Is the mode of operation a meaningful measure for mechanical components in safety-related systems?

Figure 1: Flood protection applications are a typical example where the special features of mechanical components with large torque / large thrust are not sufficiently considered in IEC 61508.


“Functional safety of safety-related automated industrial valves” was initiated at CEN level with the participation of manufacturers, end users and certification bodies. The project’s aim is to establish a European standard that will provide manufacturers with clear guidance for the evaluation of their safety-related products. Ultimately, a standard will help to define test criteria in a uniform way which would benefit all supply chain actors.

By Dr.-Ing. Jan Schumacher and Dr. Jörg Isenberg

System integrators and plant operators will benefit from comparable assessment results. The resulting new standard will also represent added value for the testing and certification bodies, as it will define the test criteria in a uniform manner and require less self-interpretation. Functional safety deals with components and systems, often emergency shutdown systems, that shut off a medium flow, release pressure or stop a movement in the event of a hazard.
The scope of consideration is always a so-called safety loop, which in the simplest case consists of a sensor, a logic unit and a final element. Over the last few years, the valve industry has become increasingly competent in this area and it has become generally accepted that all the components used in such a safety loop – including valves and actuators – have to be evaluated according to the rules of IEC 61508, the basic international standard for functional safety.

Interpretation of IEC 61508

The challenge lies in transferring the various properties and safety-related parameters of IEC 61508 into the semantics of mechanics and mechanical engineering. In this article we will demonstrate how to do this using the demand mode as an example.
IEC 61508 distinguishes between two operating modes: “low demand” and “high demand”. The normative limit is one demand per year, which at first glance sounds like a simple rule. However, difficulties begin as soon as we ask which mode applies when we have exactly one demand per year (nop = 1 /year); a close reading of IEC 61508-4, paragraph 3.5.16, reveals that this still counts as low demand mode. And do demands arising from testing or from normal process operations count towards the total as well? The answer is “no”, but this clear answer raises further questions:

• With a demand rate of nop = 2 /year, both demands possibly taking place in quick succession, is it really necessary to class the application as high demand mode, possibly requiring time consuming and costly lifetime tests?
• How do I deal with valves and actuators that perform basic process control functions in addition to their safety function?

Tested to death

Figure 2: In process industry applications, safety functions are almost always needed in “low demand mode”. However, depending on whether a component is also used for basic process control purposes, the “utilization rate” and thus the main failure mechanism (wear or aging) may differ. If this is not sufficiently considered in the design, there is a systematic error.

To answer these questions, we should first be aware of what could be the cause of a failure. With extremely few demands per year, a valve or actuator will likely fail due to aging effects. Metal components may corrode, and plastics degrade. If the demand rate is high, on the other hand, wear effects will be the dominant cause of failure.
The component does not care whether a demand originates from the safety instrumented function, a test, or a basic process control operation. Even in low demand mode, a valve or actuator can therefore fail due to too-frequent actuation. In the past, valves were sometimes “tested to death” by means of frequent partial stroke tests. In the same way, a valve or actuator classed as high demand mode can fail due to aging effects if it operates only twice a year (which already counts as “high demand mode”).

*For the definitions of “often” and “seldom” see section “utilization rate supplements demand mode”.

Utilization rate supplements demand mode

To resolve these problems, we propose introducing a parameter named “utilization rate” when evaluating mechanical components for functionally safe applications. In contrast to the demand mode, the utilization rate considers not just the number of demands from a safety instrumented function, but the total number of movements of a mechanical component per year. This includes, among other things, actuations due to:

• requests from safety instrumented functions,
• tests of the safety instrumented functions, and
• movements due to requests by the basic process control system (BPCS), in the case of components used for both safety functions and basic process control.

The utilization rate is thus a better measure for assessing whether a mechanical component is primarily subject to wear or to aging, and for defining appropriate ways to take account of this (avoidance of systematic failures). In the case of aging, for instance, the question of whether strokes are performed completely or partially plays only a minor role.
As when considering the demand mode, we distinguish between low and high utilization rates. A high utilization rate exists if the causes of component failure are dominated by wear, and aging plays only a subordinate role. Conversely, a low utilization rate exists if failures would be dominated by aging and wear plays a subordinate role.
It can usually be assumed that aging dominates when the component operates less than once a year, and thus a low utilization rate applies. If the component operates more than once a day, on the other hand, aging plays only a minor role and the application should be assigned a high utilization rate. The range in between must be assessed on the basis of the particular component and application in question.

Use cases and examples

The concept of utilization rate is not intended to replace the demand mode of IEC 61508, but to supplement it in a meaningful way for mechanical components. This results in a total of four cases (see Table 1):

• High demand mode and high utilization rate:
Typical examples are applications in factory automation, e.g. robots. The components are usually subject almost exclusively to wear and must be designed accordingly. The rules for high demand mode must be observed.
• High demand mode and low utilization rate:
A typical example is a moveable steel structure used for flood protection. Typically, water levels requiring the protection function to be triggered often occur two to five times per year, corresponding to high demand mode according to IEC 61508. However, some of the requirements of IEC 61508 for high demand mode are questionable in this case and may even be counterproductive in terms of safety.
In high demand mode, IEC 61508 specifies that online diagnostics must be performed at least 100 times more frequently than the demand rate of the safety function. In this example, this would result in 200–500 diagnostics per year. Since mechanical components can often only be diagnosed via a (partial) valve stroke test, this would mean approximately one test run per day. For large torques, the relevant standards (e.g. ISO 22153 for electric actuators and ISO 22109 for gearboxes) stipulate a useful lifetime of only 2,500 or 1,000 cycles. It quickly becomes clear that the requirements of IEC 61508 would amount to “testing to death” of the actuators or gearboxes; safety would not increase, but would actually be systematically reduced, for example through wear. We therefore propose that the requirements of IEC 61508 for low demand mode should generally apply to diagnostics for mechanical components that operate at a low utilization rate.
• Low demand mode and high utilization rate:
Typical examples are applications in the process industries where components have both a safety instrumented function and a basic process control function. The causes of component failure are dominated by wear (otherwise there would be a low utilization rate) and must be considered accordingly. The rules of IEC 61508 for low demand mode must be observed.
• Low demand mode and low utilization rate:
Typical examples are applications in the process industries where components are used exclusively for safety instrumented functions. The main cause of failure is aging, which must be considered when designing the components. The rules of IEC 61508 for low demand mode must be observed.
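The following Python script is an added worked example, not code from the article or from the authors or their organisations. It encodes the classification rules stated above (demand mode counted on SIF demands only, with exactly one demand per year still low demand; utilization rate counted on all actuations, with below once a year low, above once a day high, and the range in between left to engineering assessment), maps the two classifications onto the four cases of Table 1, and carries the flood protection arithmetic through: 100 diagnostics per demand on top of the demands themselves, set against the 1,000 and 2,500 cycle lifetimes cited. The assumptions that each diagnostic stroke consumes one lifetime cycle, the `assessed` override for the in-between range, and all function and class names are mine.

```python
"""Demand mode vs. utilization rate for mechanical final elements.

Added illustrative example; thresholds follow the article's text, not any
normative wording. Assumption: one (partial) stroke test = one lifetime cycle.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class DemandMode(Enum):
    LOW = "low demand"
    HIGH = "high demand"


class Utilization(Enum):
    LOW = "low utilization"       # aging dominates
    HIGH = "high utilization"     # wear dominates
    ASSESS = "assess individually"  # between once a year and once a day


def demand_mode(sif_demands_per_year: float) -> DemandMode:
    """Only demands from the safety instrumented function count (not tests, not BPCS).
    The limit is one demand per year; exactly one is still low demand."""
    return DemandMode.LOW if sif_demands_per_year <= 1.0 else DemandMode.HIGH


def total_actuations(sif: float, tests: float, bpcs: float) -> float:
    """Utilization counts every movement regardless of what triggered it."""
    return sif + tests + bpcs


def utilization_rate(actuations_per_year: float) -> Utilization:
    if actuations_per_year < 1.0:
        return Utilization.LOW
    if actuations_per_year > 365.0:   # more than once a day
        return Utilization.HIGH
    return Utilization.ASSESS


@dataclass(frozen=True)
class Case:
    demand: DemandMode
    utilization: Utilization
    dominant_failure: str   # "wear" or "aging"
    rules_to_apply: str     # which IEC 61508 demand-mode rules the article says apply
    example: str


# The four combinations from Table 1 of the article.
FOUR_CASES = {
    (DemandMode.HIGH, Utilization.HIGH): Case(DemandMode.HIGH, Utilization.HIGH, "wear",
        "high demand mode", "factory automation, e.g. robots"),
    (DemandMode.HIGH, Utilization.LOW): Case(DemandMode.HIGH, Utilization.LOW, "aging",
        "low demand mode (article's proposal for diagnostics)", "flood protection structure"),
    (DemandMode.LOW, Utilization.HIGH): Case(DemandMode.LOW, Utilization.HIGH, "wear",
        "low demand mode", "process valve with both SIF and BPCS duty"),
    (DemandMode.LOW, Utilization.LOW): Case(DemandMode.LOW, Utilization.LOW, "aging",
        "low demand mode", "process valve used only for the SIF"),
}


def classify(sif: float, tests: float, bpcs: float,
             assessed: Optional[Utilization] = None) -> Case:
    """Combine demand mode and utilization rate into one of the four cases.
    `assessed` (hypothetical parameter) supplies the engineering judgement for the
    in-between utilization range, e.g. 'low' for a 2-5/year flood barrier."""
    dm = demand_mode(sif)
    ur = utilization_rate(total_actuations(sif, tests, bpcs))
    if ur is Utilization.ASSESS:
        if assessed is None or assessed is Utilization.ASSESS:
            raise ValueError("utilization between once a year and once a day: "
                             "supply the component/application assessment")
        ur = assessed
    return FOUR_CASES[(dm, ur)]


def iec_high_demand_diagnostics_per_year(sif_demands_per_year: float) -> float:
    """Article: in high demand mode, online diagnostics at least 100x the demand rate."""
    return 100.0 * sif_demands_per_year


def years_until_lifetime_exhausted(lifetime_cycles: float, cycles_per_year: float) -> float:
    """How long a component lasts if every demand and every diagnostic stroke is one cycle."""
    return lifetime_cycles / cycles_per_year


if __name__ == "__main__":
    # Flood protection: 2..5 SIF demands/year, no BPCS duty; assessed as low utilization.
    for demands in (2, 5):
        case = classify(demands, 0, 0, assessed=Utilization.LOW)
        diag = iec_high_demand_diagnostics_per_year(demands)
        print(f"{demands}/year -> {case.demand.value}, {case.utilization.value}, "
              f"failure by {case.dominant_failure}; apply {case.rules_to_apply}")
        for lifetime in (1000, 2500):   # ISO 22109 / ISO 22153 lifetimes cited in the article
            yrs = years_until_lifetime_exhausted(lifetime, demands + diag)
            print(f"  {diag:.0f} diagnostics/year vs {lifetime} cycles: "
                  f"lifetime exhausted after {yrs:.1f} years")
```

Running the script shows the "testing to death" effect numerically: at five demands a year the 500 daily-ish diagnostics use up a 1,000-cycle gearbox in about two years, while a process valve with no BPCS duty and a yearly proof test stays in the aging-dominated case.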

Summary and outlook

The demand mode defined in IEC 61508 considers the demand rate only in terms of the safety instrumented function. This is not sufficient for mechanical components, since here the total number of operations per year is often more relevant for correct design and evaluation.
We therefore propose the utilization rate as a further evaluation criterion for mechanical components. This considers all actuations of the component, regardless of the actuation reason and source, and is thus an important measure for the correct design of mechanical components in terms of systematic capability for functional safety. The utilization rate supplements IEC 61508 to facilitate a safe design of safety systems and to avoid “testing to death” of mechanical components, as would be required by today’s IEC 61508 in certain cases.

About the Authors
Dr.-Ing. Jan Schumacher is Product Manager Functional Safety of Valves and Actuators at TÜV Rheinland Industrie Service GmbH.

Dr. Jörg Isenberg is Product Specialist Functional Safety, at AUMA Riester GmbH & Co. KG.
