Safety Manual – Isolating Switching Amplifiers (Sicherheitshandbuch – Trennschaltverstärker)
4 Failure Modes, Effects, and Diagnostic Analysis
The Failure Modes, Effects, and Diagnostic Analysis was done together with Werner Turck
GmbH & Co. KG and is documented in [R2] to [R10]. Failures can be classified according to the
following failure categories.
4.1 Description of the failure categories
In order to judge the failure behavior of the Isolating Switching Amplifiers IM1-**(Ex)-* and
MK13-R-Ex0, the following definitions of product failure were used.
Fail-Safe State: The fail-safe state is defined as the output being de-energized. This corresponds to an input signal of less than 1.4 mA (NAMUR signal).

Fail Safe: Failure that causes the module / (sub)system to go to the defined fail-safe state without a demand from the process.

Fail Dangerous: Failure that does not respond to a demand from the process (i.e. the module is unable to go to the defined fail-safe state).

No Effect: Failure of a component that is part of the safety function but that has no effect on the safety function. For the calculation of the SFF it is treated like a safe undetected failure.

Not Part: Failure of a component which is not part of the safety function but is part of the circuit diagram and is listed for completeness. When calculating the SFF this failure mode is not taken into account. It is also not part of the total failure rate.

The "no effect" failures are provided for those who wish to do reliability modeling in more detail
than IEC 61508 requires. In IEC 61508 the "no effect" failures are defined as safe
undetected failures even though they do not cause the safety function to go to a safe state.
Therefore they need to be considered in the Safe Failure Fraction (SFF) calculation.
4.2 Methodology – FMEDA, Failure rates
4.2.1 FMEDA
A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the
effects of different component failure modes, to determine what could eliminate or reduce the
chance of failure, and to document the system under consideration.
A FMEDA (Failure Modes, Effects, and Diagnostic Analysis) is an extension of the FMEA. It combines
standard FMEA techniques with an additional step that identifies the online diagnostic techniques and the
failure modes relevant to safety instrumented system design. It is the recommended technique for
generating the failure rates for each category used in the safety models (safe detected, safe undetected,
dangerous detected, dangerous undetected, fail high, fail low). The FMEDA format is an extension of the
standard FMEA format from MIL-STD-1629A, Failure Modes and Effects Analysis.
© exida.com GmbH Stephan Aschenbrenner 28
TURCK 04-07-14 R002 V3R0.doc; February 21, 2014
Hans Turck GmbH & Co. KG • Tel. +49 208/4952-0 • Fax +49 208/4952-264
Page 10 of 25
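The category rules of section 4.1 and the per-category failure rates that the FMEDA of section 4.2.1 produces combine into the Safe Failure Fraction, SFF = (λS + λDD) / (λS + λDD + λDU), where the "no effect" rates are folded into λS and the "not part" rates are excluded from both the SFF and the total failure rate. The Python script below is an added example written for this page; it is not part of the exida report or of the Turck product data, and the component names, failure modes and FIT values in its worksheet are constructed for illustration, not taken from [R2] to [R10]. The `count_no_effect_as_safe` switch is an assumption of the example, included so that the sensitivity of the reported SFF to that convention can be seen.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Failure categories from section 4.1, with the safe and dangerous categories
# split into detected/undetected as the FMEDA of section 4.2.1 produces them.
SAFE_DETECTED = "safe detected"
SAFE_UNDETECTED = "safe undetected"
DANGEROUS_DETECTED = "dangerous detected"
DANGEROUS_UNDETECTED = "dangerous undetected"
NO_EFFECT = "no effect"
NOT_PART = "not part"
CATEGORIES = (SAFE_DETECTED, SAFE_UNDETECTED, DANGEROUS_DETECTED,
              DANGEROUS_UNDETECTED, NO_EFFECT, NOT_PART)


@dataclass(frozen=True)
class FmedaRow:
    """One line of an FMEDA worksheet: a component failure mode, its rate,
    and the category that the effect analysis assigned to it."""
    component: str
    failure_mode: str
    rate_fit: float      # failures per 1e9 hours (FIT)
    category: str


def tally(rows: Iterable[FmedaRow], count_no_effect_as_safe: bool = True) -> dict:
    """Sum the rates per category and derive lambda_S, lambda_DD, lambda_DU,
    the total failure rate and the SFF, applying the rules of section 4.1:
    "no effect" rates are treated like safe undetected (when the flag is set)
    and belong to the total failure rate; "not part" rates are excluded from
    the SFF and from the total failure rate."""
    sums = {c: 0.0 for c in CATEGORIES}
    for row in rows:
        if row.category not in sums:
            raise ValueError(f"{row.component}/{row.failure_mode}: "
                             f"unknown category {row.category!r}")
        if row.rate_fit < 0:
            raise ValueError(f"{row.component}/{row.failure_mode}: negative rate")
        sums[row.category] += row.rate_fit

    no_effect = sums[NO_EFFECT] if count_no_effect_as_safe else 0.0
    lam_s = sums[SAFE_DETECTED] + sums[SAFE_UNDETECTED] + no_effect
    lam_dd = sums[DANGEROUS_DETECTED]
    lam_du = sums[DANGEROUS_UNDETECTED]
    total = lam_s + lam_dd + lam_du
    # The SFF is undefined for an empty worksheet; report None instead of dividing by zero.
    sff: Optional[float] = (lam_s + lam_dd) / total if total > 0 else None
    return {
        "lambda_s": lam_s,
        "lambda_dd": lam_dd,
        "lambda_du": lam_du,
        "lambda_total": total,
        "lambda_not_part": sums[NOT_PART],   # reported for completeness, outside the total
        "sff": sff,
    }


# Constructed worksheet for illustration only: the components, failure modes and
# FIT values are invented and do not come from the exida analysis [R2] to [R10].
SAMPLE_ROWS = [
    FmedaRow("R1 input resistor",   "open",              2.0, SAFE_UNDETECTED),
    FmedaRow("R1 input resistor",   "short",             1.0, DANGEROUS_UNDETECTED),
    FmedaRow("IC1 comparator",      "output stuck low",  3.0, SAFE_UNDETECTED),
    FmedaRow("IC1 comparator",      "output stuck high", 2.0, DANGEROUS_UNDETECTED),
    FmedaRow("T1 output driver",    "open",              3.0, SAFE_DETECTED),
    FmedaRow("D2 protection diode", "short",             0.5, DANGEROUS_DETECTED),
    FmedaRow("K1 output relay",     "coil open",         2.5, SAFE_UNDETECTED),
    FmedaRow("K1 output relay",     "contact welded",    1.0, DANGEROUS_UNDETECTED),
    FmedaRow("C3 decoupling cap",   "open",              1.0, NO_EFFECT),
    FmedaRow("LED1 status",         "open",              0.5, NOT_PART),
]


def sample_result(count_no_effect_as_safe: bool = True) -> dict:
    """Tally the constructed worksheet under the chosen no-effect convention."""
    return tally(SAMPLE_ROWS, count_no_effect_as_safe)


if __name__ == "__main__":
    for flag in (True, False):
        r = sample_result(flag)
        print(f"no-effect counted as safe={flag}: lambda_S={r['lambda_s']:.1f} FIT, "
              f"lambda_DD={r['lambda_dd']:.1f} FIT, lambda_DU={r['lambda_du']:.1f} FIT, "
              f"total={r['lambda_total']:.1f} FIT, SFF={r['sff']:.1%}")
```

With the constructed rows the document's convention gives λS = 11.5 FIT, λDD = 0.5 FIT, λDU = 4.0 FIT, a total of 16.0 FIT and an SFF of 75 %, while the 0.5 FIT of the "not part" LED never enters the total. Dropping the no-effect rate from λS lowers both the total and the SFF, which is why the category assignment of every row, not only the dangerous ones, has to be traceable in the worksheet.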