Fault avoidance

A complete lEC 61508 assessment includes a FMEDA, a study of Prior Use and adds an assessment of all fault avoidance and fault control measures during hardware and software development as well as detail study of the testing, modification, user documentation and manufacturing processes. The objective of all this effort is to provide a high level of assurance that an instrument has sufficient quality and integrity for a safety instrumented system application. This is clearly more important for products containing software as many end users have the strong opinion that software is "bad... 

Many of the requirements of lEC 61508 focus on the elimination of systematic faults. In order to demonstrate compliance with all requirements of lEC 61508, the design and development process used to create an instrument must show extensive use of many techniques for "fault control" and "fault avoidance." The lEC 61508 standard defines a set of practices that represent good software and hardware engineering. Most experts believe that these methods are the best techniques available to provide high design quality. 

Common-cause failures may be reduced during design, using appropriate fault avoidance measures. Consider using the following methods ... 

There are two strands in reliability-fault avoidance and fault tolerance. Fault avoidance consists ofbuilding high-quality components and designing systems in a conservative manner. Fault tolerance takes the point of view that, despite all our efforts, components will fail and highly rehable systems must function in the presence of these failed components. These systems attempt achieving rehabihty beyond the reach of any single component by using redundancy. 

Fault avoidance The techniques and procedures which aim to avoid the introduction of faults during any phase of the safety life cycle of a safety instrumented system. 

The multicore processor (ASIC) is developed taking fault avoidance measures required for the targeted SIL (as described in IEC-61508-2 Annex E/F) into account. 

IEC-61508 based safety critical embedded systems must be developed with a safety life-cycle that aims to reduce the probability of systematic errors and ensure that sufficient fault avoidance and fault control techniques are implemented. Regarding temporal independence, this means that independence needs... 

Extended defects range from well characterized dislocations to grain boundaries, interfaces, stacking faults, etch pits, D-defects, misfit dislocations (common in epitaxial growth), blisters induced by H or He implantation etc. Microscopic studies of such defects are very difficult, and crystal growers use years of experience and trial-and-error teclmiques to avoid or control them. Some extended defects can change in unpredictable ways upon heat treatments. Others become gettering centres for transition metals, a phenomenon which can be desirable or not, but is always difficult to control. Extended defects are sometimes cleverly used. For example, the smart-cut process relies on the controlled implantation of H followed by heat treatments to create blisters. This allows a thin layer of clean material to be lifted from a bulk wafer [261. 

ETA breaks down an accident iato its contributing equipment failures and human errors (70). The method therefore is a reverse-thinking technique, ie, the analyst begias with an accident or undesirable event that is to be avoided and identifies the immediate cause of that event. Each of the immediate causes is examined ia turn until the analyst has identified the basic causes of each event. The fault tree is a diagram that displays the logical iaterrelationships between these basic causes and the accident. 

Avoid equipment/systems subject to covert (unannounced) faults... 

Note To avoid unnecessary wear and lear of Ihe machine, ihe blades arc braked when ihe machine is not in operation. In fact the main protection to the iiiachinc is through the brakes only. During an overloading or system fault condition the blades are braked and the machine ceases to generate. The control panel monitors closely all the operating... 

High set instantaneous overcun-ent through the positive sequence network. An initial delay of a few cycles is introduced to avoid a trip during a start, whereas it will trip instantly on a phase fault, cable fault or a short-circuit. 

Even the grounding of the generators can be monitored through this scheme, so that only one machine is grounded at a time, to avoid circulation of fault currents (Section 20.10.1). 

Manufacturers of large generators, 200 MW and above, recommend the ground fault current, /g to be limited in the range of 5-15 A and a fault clearing time of the order of 5-30 seconds to protect the machine and avoid overheating of the grounded steel frame. It is also... 

Shell rupture protection is a vital consideration in externally protected capacitor units. Since there is no control over small internal faults until they become major fault, protection can be provided only for the whole unit and the entire unit has to be dismantled after such a fault. In fact, the capacitor bank may have lo be shut down completely to replace the lost unit with a new one lo avoid an imbalance, besides making up for the lost capacitance. 

Frequency Phase 3 Use Branch Point Estimates to Develop a Ere-quency Estimate for the Accident Scenarios. The analysis team may choose to assign frequency values for initiating events and probability values for the branch points of the event trees without drawing fault tree models. These estimates are based on discussions with operating personnel, review of industrial equipment failure databases, and review of human reliability studies. This allows the team to provide initial estimates of scenario frequency and avoids the effort of the detailed analysis (Frequency Phase 4). In many cases, characterizing a few dominant accident scenarios in a layer of protection analysis will provide adequate frequency information. 

In the event that eertain faults oeeur in the eleetrieal equipment of the generator, the load eireuit breaker must be opened immediately. The result is that the maehine train is aeeelerated with the full power of the expander. Only if the inlet valves are elosed within 0.6 see ean exeessive overspeed be avoided. Eor this reason, both inlet valves must be able to elose within this time window in the event of an emergeney trip. 

The simplicity of the final result is the mincut representation (sum of products Section 2.2) depicted as a fault tree in Figure 3.4.4-9. If the single double, and so on to higher redundancy components had been identified, the complex and awkward tree of Figure 3.4.4-S would have been avoided. Some systems are so complex that this cannot be done by observation, but computer analv. is will show simplicities if they exist. 

To ensure that plant is not subject to breakdown, it is important that there are no unnecessary failures to safety , that is, that correctly operating safety equipment only operates because of exceptional circumstances, not avoidable faults. Safety shutdown will occur for various reasons, i.e. ... 

Mounts should be installed so that the whole machine is isolated from the structure. Services (e.g. power, hydraulics, etc.) should also be mounted flexibly. Bridging is the most common fault when providing vibration isolation to machines and building stmctures, and should be carefully avoided. Services should be designed to withstand the degree of movement permitted by the anti-vibration mounts without suffering damage. 

---