
Probability of Failure on Demand – The Why and the How

Jens Braband1, Rüdiger vom Hövel2, and Hendrik Schäbe2


1 Siemens AG, Industry Sector, Mobility Division, Rail Automation, Research & Development, I MO RA R&D R, Ackerstr. 22, 38126 Brunswick, Germany
2 TÜV Rheinland InterTraffic GmbH, Assessment & Certification Rail, Am Grauen Stein, 51105 Cologne, Germany

Abstract. In this paper we study the PFD and its connection with the probability of failure per hour and the failure rates of equipment, using very simple models. We describe the philosophies behind the PFD and the THR. A comparison shows how these philosophies are connected and which relations between PFH and PFD they imply. Depending on additional parameters, the safety integrity levels derived on the basis of the PFD and of the PFH can differ. We discuss problems that can arise when working with the PFD, and we describe how PFD and PFH in IEC 61508 are connected with the THR defined in the standard EN 50129. We give arguments showing why care is needed when using the PFD, and we present a reasoning why a probability of failure on demand (PFD) might be misleading.

Keywords: Probability of failure on demand, rate of dangerous failures, safety integrity level.

1 The Problem
The standard IEC 61508 defines the following numerical characteristics per safety integrity level:
• PFD, the average probability of failure to perform its design function on demand [1] (average probability of dangerous failure on demand of the safety function according to [2]), i.e. the probability that the safety function is unavailable, leading to dangerous consequences
• PFH, the probability of a dangerous failure per hour (average frequency of dangerous failure of the safety function), which until now has been referred to as a failure rate. According to the most recent proposal [2] of IEC 61508, it is now interpreted as a frequency.
The numerical requirements apply to the low-demand mode of operation (probability of failure on demand) and to the high-demand or continuous mode of operation (probability of failure per hour), i.e. to continuously running systems.

B. Buth, G. Rabe, T. Seyfarth (Eds.): SAFECOMP 2009, LNCS 5775, pp. 46–54, 2009.
© Springer-Verlag Berlin Heidelberg 2009

In many cases, analogous systems are used both in continuous mode (called “high demand mode” in the standard) and in demand mode (called “low demand mode” in the standard). Therefore, both concepts must be consistent. Note that the terms used in the standard (high demand mode and low demand mode) are misleading.
In EN 50129 [3], only one numerical characteristic is defined per safety integrity level. This is
• the tolerable hazard rate per hour and function (THR).
In some cases, the two standards take different approaches, and there are differences between the various language versions. Beyond these differences, the user faces the question why the PFD (average probability of failure to perform its design function on demand) is no longer used in EN 50129. Note that in earlier draft versions of EN 50126 and EN 50129, the PFD was still defined and used. A simple answer to this question would be that all control, command and signalling systems in railways are used continuously or at high demand rates. This argument is largely true, but it distracts attention from a deeper view of the PFD approach, its problems and its background.
Another formal but substantial difference is that EN 50126 considers a system function, whereas IEC 61508 distinguishes the following equipment (see Figure 1):
• the equipment / machine itself, carrying out a certain task (Equipment Under Control (EUC))
• the EUC control system, which controls the EUC
• the programmable electronic system (PES), which is responsible for the safety of the EUC and the EUC operating device.
IEC 61508 has its origin in the process industry. Traditionally, only the PES is considered there, whereas in railway technology the entire system is in focus.
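The following is an added illustration, not code from the paper, of the PFD and PFH characteristics defined above and of the abstract's claim that the SIL derived from each can differ. It assumes the simplest model: a single channel whose dangerous undetected failures (rate λ per hour) are revealed only by a proof test every T hours, so that its average unavailability over one test interval is the PFD, while λ itself plays the role of the PFH; the SIL bands are the IEC 61508 tables, not values from this paper.

```python
import math

# Upper bounds of the IEC 61508 SIL bands (exclusive), per SIL.
# Values below the SIL 4 upper bound are treated as "at least SIL 4".
PFD_UPPER = {4: 1e-4, 3: 1e-3, 2: 1e-2, 1: 1e-1}   # low-demand mode
PFH_UPPER = {4: 1e-8, 3: 1e-7, 2: 1e-6, 1: 1e-5}   # high-demand / continuous mode


def pfd_avg(lambda_du: float, test_interval_h: float) -> float:
    """Average unavailability of a periodically proof-tested single channel.

    Unavailability at time t after a test is 1 - exp(-lambda*t); averaging
    over one test interval T gives 1 - (1 - exp(-lambda*T)) / (lambda*T),
    which for small lambda*T is the familiar approximation lambda*T/2.
    (Assumed model for this illustration, not the paper's own derivation.)
    """
    x = lambda_du * test_interval_h
    if x < 1e-6:
        # Series expansion avoids cancellation for very small x.
        return x / 2.0 - x * x / 6.0
    return 1.0 - (1.0 - math.exp(-x)) / x


def sil_from(value: float, upper_bounds: dict) -> int:
    """Highest SIL whose band contains value; 0 if value exceeds the SIL 1 band."""
    for sil in (4, 3, 2, 1):
        if value < upper_bounds[sil]:
            return sil
    return 0


def compare(lambda_du: float, test_interval_h: float):
    """Return (PFD_avg, SIL from PFD, SIL from PFH) for the same channel.

    The PFH view uses lambda_du directly (dangerous failures per hour); the PFD
    view depends additionally on the proof-test interval T.
    """
    pfd = pfd_avg(lambda_du, test_interval_h)
    return pfd, sil_from(pfd, PFD_UPPER), sil_from(lambda_du, PFH_UPPER)


if __name__ == "__main__":
    # Constructed example: lambda = 1e-7 / h, tested yearly vs. every 10 years.
    for T in (8760.0, 87600.0):
        pfd, s_pfd, s_pfh = compare(1e-7, T)
        print(f"T={T:>8.0f} h  PFD_avg={pfd:.3e}  SIL(PFD)={s_pfd}  SIL(PFH)={s_pfh}")
```

With the same failure rate the PFH view always yields SIL 2, whereas the PFD view yields SIL 3 for a yearly proof test and SIL 2 for a ten-year one: the test interval is the "additional parameter" on which the deviation depends.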

Fig. 1. System definition according to IEC 61508
