Appendix 3
BETAPLUS CCF Model, Scoring Criteria
Checklist for Equipment Containing Programmable Electronics
A scoring methodology converts this checklist into an estimate of Beta. This is available as the BETAPLUS software package.
(1). Separation/segregation
Are all signal cables separated at all positions?
Are the programmable channels on separate printed circuit boards?
OR are the programmable channels in separate racks
OR in separate rooms or buildings?
(2). Diversity
Do the channels employ diverse technologies?
1 electronic + 1 mechanical/pneumatic
OR 1 electronic or CPU + 1 relay based
OR 1 CPU + 1 electronic hardwired?
Were the diverse channels developed from separate requirements from separate people with no communication between them?
Were the two design specifications separately audited against known hazards by separate people and were separate test methods and maintenance applied by separate people?
(3). Complexity/design/application/maturity/experience
Does cross-connection between CPUs preclude the exchange of any information other than the diagnostics?
Is there >5 years experience of the equipment in the particular environment?
Is the equipment simple, that is <5 PCBs per channel?
OR <100 lines of code
OR <5 ladder logic rungs
OR <50 I/O and <5 safety functions?
(4). Assessment/analysis and feedback of data
Has a combination of detailed FMEA, fault tree analysis, and design review established potential CCFs in the electronics?
Is there documentary evidence that field failures are fully analyzed with feedback to design?
(5). Procedures/human interface
Is there a written system of work on site to ensure that failures are investigated and checked in other channels? (including degraded items which have not yet failed)
Is maintenance of diverse/redundant channels staggered at such an interval as to ensure that any proof tests and cross-checks operate satisfactorily between the maintenance?
Do written maintenance procedures ensure that redundant separations such as, for example, signal cables, are separated from each other and from power cables and should not be re-routed?
Are modifications forbidden without full design analysis of CCF?
Is diverse equipment maintained by different staff?
(6). Competence/training/safety culture
Have designers been trained to understand CCF?
Have installers been trained to understand CCF?
Have maintainers been trained to understand CCF?
(7). Environmental control
Is there limited personnel access?
Is there appropriate environmental control (e.g., temperature, humidity)?
(8). Environmental testing
Has full EMC immunity or equivalent mechanical testing been conducted on prototypes and production units (using recognized standards)?
Checklist and Scoring for Nonprogrammable Equipment
Only the first three categories have different questions as follows:
(1). Separation/segregation
If the sensor/actuator has some intermediate electronics or pneumatics, are the channels on separate PCBs and screened?
OR if the sensor/actuator has some intermediate electronics or pneumatics, are the channels indoors in separate racks or rooms?
(2). Diversity
Do the redundant units employ different technologies?
e.g., 1 electronic or programmable + 1 mechanical/pneumatic
OR 1 electronic, 1 relay based
OR 1 PE, 1 electronic hardwired?
Were separate test methods and maintenance applied by separate people?
(3). Complexity/design/application/maturity/experience
Does cross-connection preclude the exchange of any information other than the diagnostics?
Is there >5 years experience of the equipment in the particular environment?
Is the equipment simple, e.g., non-programmable-type sensor or single actuator field device?
Are devices protected from overvoltage and overcurrent and rated >2:1 or mechanical equivalent?
(4). Assessment/analysis and feedback of data
As for Programmable Electronics (see above).
(5). Procedures/human interface
As for Programmable Electronics (see above).
(6). Competence/training/safety culture
As for Programmable Electronics (see above).
(7). Environmental control
As for Programmable Electronics (see above).
(8). Environmental testing
The diagnostic interval is shown for each of the two (programmable and nonprogrammable) assessment lists. The (C) values have been chosen to cover the range 1–3 in order to construct a model which caters for the known range of BETA values.
| Diagnostic coverage | Interval <1 min | Interval 1–5 min | Interval 5–10 min | Interval >10 min |
| 98% | 3 | 2.5 | 2 | 1 |
| 90% | 2.5 | 2 | 1.5 | 1 |
| 60% | 2 | 1.5 | 1 | 1 |
| Diagnostic coverage | Interval <2 hrs | Interval 2 hrs–2 days | Interval 2 days–1 week | Interval >1 week |
| 98% | 3 | 2.5 | 2 | 1 |
| 90% | 2.5 | 2 | 1.5 | 1 |
| 60% | 2 | 1.5 | 1 | 1 |
In view of the comments, in Section 5.2.2, concerning conjecture there is no justification for more than single figure accuracy. The following table is used in BETAPLUS 4.0 and in the Institution of Gas Engineers and Managers Guidance SR/15 Edition 5 amendments.
Values for MooN configurations outside the above table are also a matter of conjecture and never likely to be demonstrated. Thus, the user is encouraged to use his/her own judgment.
The BETAPLUS model is available, as a software package, from [email protected].
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.