Calculation of PFD-values For A Safety Related System: J. Börcsök & P. Holub
CH042.tex
17/5/2007
9: 24
Page 339
ABSTRACT: The standard IEC/EN61508 provides the developer with guidelines to develop and implement
safety related systems according to the international standard. The standard supplies qualitative and quantitative
criteria to evaluate safety related systems, in order to apply it in safety critical applications. This paper details
the criterion Probability of Failure on Demand (PFD). The authors derive the necessary equations and calculate
the PFD-values for different system architectures.
INTRODUCTION
1.1 IEC 61508
Table 1. Chapter and content of IEC/EN 61508.
IEC/EN 61508-1  General requirements
IEC/EN 61508-2  Hardware requirements
IEC/EN 61508-3  Software requirements
IEC/EN 61508-4  Notation and abbreviations
IEC/EN 61508-5  Example to calculate the different safety integrity levels (SIL)
IEC/EN 61508-6  Application guidelines for IEC/EN 61508-2 and IEC/EN 61508-3
IEC/EN 61508-7  Overview of techniques and actions
Electrical, Electronic and Programmable Electronic Systems for safety related function and usability. This standard provides the basis of all safety related electrical, electronic and programmable electronic systems. The standard enables a systematic and risk based methodology for safety related problems.
Aven
[Table residue: SIL limits. The SIL column and the lower bounds of the PFH column did not survive extraction.]
Low demand mode, PFD: 10^-5 to < 10^-4; 10^-4 to < 10^-3; 10^-3 to < 10^-2; 10^-2 to < 10^-1
High demand or continuous mode, PFH (1/h): ... to < 10^-8; ... to < 10^-7; ... to < 10^-6; ... to < 10^-5
safety function once per year or more seldom. However, if a system is operating in a high demand mode or continuous mode and a safety function has to be executed more than once per year, then the probability of failure is specified with the PFH (probability of failure per hour). Its dimension or unit is (1/h) [Börcsök2004], [IEC61508_2000], [Storey1996].
Part 6 of the IEC/EN 61508 details the specifications for quantitative estimations of a system. The calculations are split into the following steps:
Identify the block diagrams according to the selected structure
Estimate the failure rate
Determine the β-factor applying the tables stated in the IEC 61508
Estimate the diagnostic coverage (DC)
Determine the safe failure fraction (SFF)
Calculate the PFD values of each subsystem and sum up the values of all subsystems
Determine the SIL values using the PFD, SFF and the hardware fault tolerance.
2 PARAMETER ESTIMATION
2.1
This section details the different parameters necessary for the estimation of the PFD-values and SIL-values.
The total number of failures is defined as:
Identified dangerous failures (with the diagnosis parameter DC) are called dangerous detected failures:
The exact equation (5) with λ = λD is used to calculate the PFD-value (PFD: Probability of Failure on Demand) of a 1oo1 system. This results in the following equation for the 1oo1 system:
For the 1oo1 system the MacLaurin series can be developed and is stated below. The first three terms plus the remainder term R3 are sufficient for the calculation of the PFDavg values.
The remainder term R3 is chosen as follows [Börcsök2004]:
R3 is the remainder term of the third order, which belongs to the exponential function with failure rate λD.
For the 1oo1 system the first three terms need to be developed. The remainder term R3 converges for T = 0 to the value 0 and can be neglected compared to the third term when the limit value at T = 0 is formed [Börcsök2004]:
With
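The paper's Equation (5) and its series expansion are not reproduced on this page, so the following Python is an added illustration rather than the authors' own code. It assumes the standard constant-failure-rate result PFD(t) = 1 - exp(-λD t) for a 1oo1 channel, compares it with its three-term MacLaurin expansion and a Lagrange bound on the dropped remainder R3, and takes PFDavg as the average of PFD(t) over one proof-test interval T, both in closed form and by numerical integration. The parameter values λD = 1e-6 1/h and T = 8760 h are constructed and are not the paper's numerical example.

```python
import math

# Constructed parameters (assumption, not the paper's numerical example):
# one 1oo1 channel with dangerous failure rate lambda_D and proof-test interval T.
LAMBDA_D = 1.0e-6   # dangerous failure rate, 1/h
T_PROOF = 8760.0    # proof-test interval, h (one year)


def pfd_exact(lambda_d, t):
    """Exact PFD(t) of a 1oo1 channel with constant failure rate: 1 - exp(-lambda_D t)."""
    return 1.0 - math.exp(-lambda_d * t)


def pfd_maclaurin(lambda_d, t, terms=3):
    """Truncated MacLaurin series of 1 - exp(-x), x = lambda_D t:
    x - x^2/2! + x^3/3! - ... (first `terms` terms; the remainder R_terms is dropped)."""
    x = lambda_d * t
    return sum((-1) ** (k + 1) * x ** k / math.factorial(k) for k in range(1, terms + 1))


def remainder_bound(lambda_d, t, terms=3):
    """Lagrange bound on the dropped remainder, |R_n| <= x^(n+1)/(n+1)! for x >= 0,
    since every derivative of 1 - exp(-x) has magnitude <= 1 there."""
    x = lambda_d * t
    return x ** (terms + 1) / math.factorial(terms + 1)


def pfd_avg_closed_form(lambda_d, T):
    """PFDavg = (1/T) * integral_0^T PFD(t) dt = 1 - (1 - exp(-lambda_D T)) / (lambda_D T)."""
    x = lambda_d * T
    return 1.0 - (1.0 - math.exp(-x)) / x


def pfd_avg_series(lambda_d, T, terms=3):
    """Average of the truncated series over [0, T]: term k averages to (-1)^(k+1) x^k/(k+1)!,
    because (1/T) * integral_0^T t^k dt = T^k/(k+1)."""
    x = lambda_d * T
    return sum((-1) ** (k + 1) * x ** k / math.factorial(k + 1) for k in range(1, terms + 1))


def pfd_avg_numeric(lambda_d, T, steps=10000):
    """Same average by the composite trapezoid rule; an independent cross-check."""
    h = T / steps
    total = 0.5 * (pfd_exact(lambda_d, 0.0) + pfd_exact(lambda_d, T))
    total += sum(pfd_exact(lambda_d, i * h) for i in range(1, steps))
    return total * h / T


def first_term_only(lambda_d, T):
    """Keeping only the first series term gives the familiar approximation lambda_D T / 2."""
    return lambda_d * T / 2.0


if __name__ == "__main__":
    for t in (0.0, T_PROOF / 2, T_PROOF):
        exact, series = pfd_exact(LAMBDA_D, t), pfd_maclaurin(LAMBDA_D, t)
        print(f"t={t:8.1f} h  PFD exact={exact:.6e}  3-term series={series:.6e}  "
              f"|diff|={abs(exact - series):.2e} <= R3 bound {remainder_bound(LAMBDA_D, t):.2e}")
    print("PFDavg closed form:", f"{pfd_avg_closed_form(LAMBDA_D, T_PROOF):.6e}")
    print("PFDavg 3-term     :", f"{pfd_avg_series(LAMBDA_D, T_PROOF):.6e}")
    print("PFDavg trapezoid  :", f"{pfd_avg_numeric(LAMBDA_D, T_PROOF):.6e}")
    print("lambda_D * T / 2  :", f"{first_term_only(LAMBDA_D, T_PROOF):.6e}")
```

With λD T well below 1, the three-term series already agrees with the exact function to within the R3 bound, and the averaged series reproduces the closed-form PFDavg; the first term alone (λD T / 2) overestimates PFDavg slightly, which is the conservative direction for a safety assessment.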
The last section derived the equations necessary to calculate the PFD-value for a 1oo1-architecture. Now, two further hardware architectures, the 1oo2- and 2oo3-architecture, are examined and the PFD-equation for each structure is presented. Common cause failures exist in both architectures. Therefore the failure probability is calculated for dangerous undetectable and dangerous detectable common cause failures, PDUC and PDDC.
5.1 PFD calculation of common cause failures
Common cause failures are those failures that occur in all system channels at the same time and which have a common cause. When determining the PFDavg, this kind of failure is rated for a multi-channel system through the β-factor [Börcsök2001, Goble1995, Börcsök2004]. One differentiates between the β-factor for dangerous undetectable failures, with the weight β, and the β-factor for dangerous detectable failures, with the weight βD.
These failure probabilities can be derived for a 1oo1 system with:
With:
And
With
Here, is the mean repair time of a channel:
A 1oo2 architecture possesses two channels in parallel. Each channel is able to execute the safety function. Therefore, a 1oo2 system will fail dangerously if
With
can be developed in a MacLaurin series. For the calculation of the PFDavg value of a 1oo2 system it is sufficient to develop the first four terms of the MacLaurin series plus the corresponding remainder terms R4A and R4B because, as the calculation shows, only the fourth term contributes to the result. The remainder terms R4A and R4B converge at T = 0 to the value 0 and are negligibly small compared to the fourth term when the limit value at T = 0 is formed [Börcsök2004].
With this, the following equation results for the probability of failure of a 1oo2 system under the condition that no common cause failures apply:
If in Equation (43) the times tCE, representing the channel equivalent mean down time, and tGE, representing the group channel equivalent mean down time, are used according to IEC 61508 [IEC61508_2000] with:
The result from Equation (38) is used in order to determine the PFDavg value of a 1oo2 system for normal failures and to derive the following equation
The PFDavg equation for a 1oo2 system is calculated by adding to the probability of a normal failure, Equation (48), the part of the common cause failure, Equation (31):
The functions
The last hardware system presented is a 2oo3 architecture. The safety system consists of three parallel channels with a facility to take a majority decision.
[Table residue from the numerical example; only these values survived extraction: 8.415E-08, 8.5E-10; 0.02, 0.01]
For tCE and tGE see Equation (45) and Equation (46). Therefore, the PFDavg equation, taking into account common cause failures and single failures, results in
safety related system. The user or developer can calculate the probability of failure of a safety related system and can prove mathematically that the system stays within the required limits of the probability of failure. The paper detailed the relationship of failure rates, reliability function, MTTF and PFD. Calculations of the probability of failure in low demand mode (PFD) consider only the failure rates of dangerous failures. Not only the failure rates of each subsystem are important, but also the selected proof-test interval influences the PFD-value significantly. If the required rates are low, then the standard IEC/EN 61508 specifies for the proof-test interval values between 6 months and 10 years. The shorter the proof-test interval, the shorter the operation time between two tests, and therefore the probability of failure is low as well. The PFDavg is calculated by taking the average value of the PFD-function over all proof-test intervals. The paper presents a method that uses MacLaurin series to determine the PFD equation. A 1oo1 architecture is used to demonstrate how the PFD equation is determined by the MacLaurin series. Finally, different architectures are presented with their PFD equations.