Reliability Analysis of Safety-Instrumen
Article info

Article history:
Received 27 January 2014
Received in revised form 17 September 2014
Accepted 17 September 2014
Available online 18 September 2014

Keywords:
Safety-instrumented systems
Reliability
High-demand
PFH

Abstract

The international standards IEC 61508 and IEC 61511 give safety integrity requirements to safety-instrumented systems (SISs) that are used in the process industry. A SIS performs one or more safety-instrumented functions (SIFs). IEC 61508 distinguishes between SIFs operated in low-demand and high-demand/continuous mode, whereas IEC 61511 distinguishes between demanded and continuous mode of operation. In the past, almost all attention has been paid to low-demand SIFs, and this is reflected in IEC 61511, the available guidelines, and the scientific literature. Recently, however, suppliers of SISs to the process industry have been met with safety requirements to SIFs operated in high-demand and continuous mode. This paper intends to help suppliers and reliability analysts who are familiar with the mathematical formulas in IEC 61508-6 for safety integrity assessment of low-demand SIFs to verify the safety integrity of SIFs in high-demand and continuous mode. This is done by highlighting the similarities and differences between the required approaches and by presenting two new sets of approximation formulas for the PFH of general koon:G voted groups. One set of PFH formulas extends the IEC formulas for PFH based on the ideas applied in IEC 61508-6. The other set of PFH formulas is derived considering the risk contribution also from DD-failures when the demand rate is high. The results of the IEC formulas of PFH and the two new sets of PFH formulas are compared and discussed.

© 2014 Elsevier Ltd. All rights reserved.
http://dx.doi.org/10.1016/j.jlp.2014.09.007
0950-4230/© 2014 Elsevier Ltd. All rights reserved.
Y. Wang, M. Rausand / Journal of Loss Prevention in the Process Industries 32 (2014) 254-264, p. 255
Fig. 1. Bow-tie diagram for a hazardous event with proactive and reactive safety barriers.

achieved by one or more SISs. Accordingly, the safety requirements of the SIS, including safety functional requirements and safety integrity requirements, are derived to achieve the necessary risk reduction. The safety functional requirements specify which SIFs are to be performed by the SIS, and the associated safety integrity requirements specify the required reliability performance of the SIF in terms of a SIL. A SIS may perform one or more SIFs to achieve the required functional safety. SIFs are classified according to how often they are demanded. IEC 61508 distinguishes between low-demand, high-demand, and continuous mode safety functions, where the boundary between low-demand and high-demand/continuous mode is a demand rate of once per year.

IEC 61511 distinguishes between two modes of operation: demanded mode and continuous mode. SIFs operating in demanded mode are mainly reactive barriers, while SIFs operating in continuous mode are mainly proactive barriers, see Fig. 1.

In the process industry, most attention has been paid to demanded SIFs, and especially low-demand SIFs. This is reflected in the available publications, where the vast majority treat problems related to low-demand SIFs (Dutuit et al., 2008; Hokstad and Corneliussen, 2004; Innal et al., 2010; Jin et al., 2011, 2012; Langeron et al., 2008; Liu and Rausand, 2013; Lundteigen and Rausand, 2009; Rausand, 2011; Rausand and Høyland, 2004). The same focus is also reflected in the standards: IEC 61511 treats only demanded SIFs, with the main focus on the low-demand mode of operation.

Recently, suppliers of SISs to the offshore oil and gas industry have been met with requirements to document the safety integrity of SIFs in high-demand and continuous mode, for example for machinery systems. Many suppliers have procedures and competence related to safety integrity assessment of low-demand SIFs, but limited experience with high-demand SIFs (IEC 61511, 2003). IEC 61511 does not provide much help on SIFs operated in high-demand mode, but this topic is treated in slightly more detail in IEC 62061 for machinery systems. Recently, some attention has been paid to high-demand systems in scientific publications (Innal, 2008; Innal et al., 2010; Jin et al., 2013; Rausand, 2014), but this field is still immature.

Several reliability analysts find it difficult to follow the recommendations of IEC 61508 when the demand rate is close to the boundary point (i.e., once per year) between low-demand and high-demand mode. By using the approximation formulas suggested in IEC 61508-6, they may be able to meet the reliability requirements for a specified SIL by using the PFDavg, but may not be able to meet the same requirements if using PFH (or vice versa). PFDavg is the average probability of a dangerous failure on demand of the SIF, and PFH is the average frequency of dangerous failures of the SIF per hour (IEC 61508, 2010; Rausand, 2014). Both reliability measures are further discussed in the current paper. There is therefore reason to question whether the requirements are appropriate when the demand rate approaches once per year, or whether the approximation formulas in IEC 61508-6 are perhaps not sufficiently accurate in this case. The approach outlined in IEC 61508-6 does not solve this challenge, since we may get different SILs depending on which safety performance measure we choose.

The objectives of this paper are to (i) compare the requirements to risk assessment and safety requirements for low-demand and high-demand/continuous SIFs in IEC 61508, IEC 61511, and IEC 62061, (ii) explore the consistency of PFDavg and PFH in determining the SIL of a SIF, and (iii) derive two sets of approximated PFH formulas based on different assumptions, and discuss their strengths and weaknesses.

The rest of the paper is organized as follows. The hazard and risk assessment of the protected system, which aims at deriving the safety requirements of the SIS, is discussed in Section 2. In Section 3, the specified functional requirements and safety integrity requirements in low-demand and high-demand (continuous) mode are compared. In Section 4, the available modeling approaches to evaluate safety performance are listed and discussed to find whether the two performance measures are consistent in leading to the same SIL when using the approximated formulas presented in IEC 61508-6. In Section 5 and Section 6, two sets of approximated PFH formulas are derived, respectively. The results of these two sets of formulas are compared with the IEC formulas and discussed in Section 7. Finally, concluding remarks are given.

2. Hazard and risk assessment

IEC 61508 and its sector-specific standards are risk-based, which means that reliability requirements to the SIFs have to be deduced from the results of a risk assessment of the process.

In the process industry, a hazard and risk assessment must be carried out to determine the safety requirements of each SIF. The hazards, non-hazardous operability problems, and potential demands are commonly identified through a hazard and operability (HAZOP) study, and the process risk is determined by a quantitative or semi-quantitative risk assessment (IEC 61511, 2003; Rausand, 2011) to derive the necessary risk reduction. Based on the evaluated process risk, the safety integrity requirements are determined and allocated to each SIF.

For machinery applications, the standard ISO 12100 (ISO 12100, 2010) gives guidance on risk assessment of machinery systems. The risk analysis is initiated by defining the physical and operational boundaries of the machinery system. The potential hazards, hazardous situations, and hazardous events are identified by using the checklists provided by the standard. For each hazardous situation, the risk is estimated through preliminary hazard analysis, failure modes, effects, and criticality analysis (FMECA), and/or fault tree analysis (FTA). Based on the results from the risk estimation, the risk is evaluated to decide which hazardous situations require further risk reduction. The terminology used in the sector-specific standard IEC 62061 for machinery systems is different from the one used in IEC 61511; a SIS is called a safety-related control system (SRECS) and a SIF is called a safety-related control function (SRCF).

The approaches to hazard and risk assessment in IEC 61511 and IEC 62061 are comparable, and we may use approximately the same methods to identify hazards and allocate SIL requirements to the various SIFs (SRCFs).

3. Safety requirements

Based on the hazard and risk assessment, safety requirements are determined and allocated to one or more SIFs and other risk reduction measures. The safety requirements to a SIF consist of two parts: the functional requirements and the associated safety integrity requirements to be achieved.
at a random time due to natural degradation mechanisms in the channel. A systematic failure is related to a specific cause, such as errors in the design and implementation of hardware or software, or errors in the specification of the SIS. Systematic failures may lead to failures of multiple channels, give rise to common-cause failures (CCFs), and become a dominating factor in the system reliability quantification. Such failures can only be corrected by a modification of the design or the selection of components, manufacturing process, operating procedures, and the changes of documentation. The PDS-method (Hauge et al., 2013) classifies systematic failures into five categories: software faults, design related faults, installation errors, excessive stress failures, and operational failures. Systematic failures may be detected by tests or be hidden until a true demand occurs. For high-demand SIFs, systematic failures may be more likely to occur due to human errors during operation. Flaws in the design specification, combined with failures introduced during the manufacturing and installation process, may lead the system to operate under excessive stress and generate more systematic failures.

The reliability related to random hardware failures may be quantified based on failure rates, while the reliability related to systematic failures cannot be precisely estimated, as the causes leading to such failures are not easy to determine. In current practice, only random hardware failures are fully considered in the reliability quantification of a SIF. The IEC standards give qualitative requirements to prevent and control systematic failures.

If systematic failures are disregarded, the predicted unavailability will be lower and less conservative than the actual unavailability. However, systematic failures are not totally disregarded in the reliability quantification, since they enter as causes of CCFs. The PDS-method (Hauge et al., 2013) adds the contribution of systematic failures by incorporating CCFs and test-independent failures (TIFs). Some data sources, such as OREDA (OREDA, 2009), partly include systematic failures in the failure rate estimation. It has also been debated whether or not systematic failures should be included in the reliability quantification. The causes of such failures are hard to identify, and if identified and corrected, these failures may not occur again. If systematic failures are included, it is also necessary to consider to what degree it is possible to add them into the model.

3.2.4. Common-cause failures

To enhance the reliability of a SIF, redundancy is often implemented in the system configuration (Lundteigen and Rausand, 2007). A general k-out-of-n:G (koon:G) voted group means that at least k of its n elements need to perform the required safety function upon demand [i.e., be "good" (G)]. CCFs may cause two or more channels to fail simultaneously or within a short time interval, and hence reduce the effect of redundancy. IEC 61508 therefore requires CCFs to be incorporated in the SIF reliability quantification.

For CCF modeling, lack of data is always a challenge for parameter estimation, as the causes of a CCF are often sector-specific and rarely the same. Hence, choosing a plant-specific CCF-factor based on generic data may not give adequate results. Without sufficient data, the parameters have to be determined by other methods.

The beta-factor model is suggested in IEC 61508-6 as an adequate approach for modeling CCFs, but several other approaches are also mentioned. The beta-factor $\beta$ is the fraction of CCFs among all failures of a channel. It is often estimated with the checklist approach suggested in IEC 61508-6. The checklist has two scoring tables, one for logic solvers and another for sensors and final elements. Each table assesses the operating environment and various defense measures against CCFs, and thereby determines the susceptibility to CCFs. The checklist in IEC 61508-6 is rather extensive, with 37 questions, some of which may be difficult to answer. A simpler checklist for machinery systems is given in IEC 62061. For subsystems with the same voting configuration, the checklists in IEC 61508 and IEC 62061 may give slightly different values of $\beta$.

The standard beta-factor model is simple and widely used in practice, but does not distinguish between different voting configurations. $\beta$ is the same for any koon:G voted group, which may not be realistic for groups with a high level of redundancy. Due to this limitation, a modified CCF-model is proposed by the PDS-method (Hauge et al., 2013). In the PDS approach, a configuration factor $C_{koon}$ is assigned to $\beta$ for different voting configurations. For a group voted koon:G, the beta-factor is $\beta C_{koon}$, where $\beta$ is the fraction of CCFs between any two redundant channels.

4. Modeling approaches

The IEC standards require reliability quantification to be performed, but do not give any requirements related to methods. Several methods are presented in IEC 61508-6, but this part is only informative. The approaches presented in IEC 61508-6 are:

- IEC formulas based on reliability block diagrams (i.e., the approximation formulas presented in IEC 61508-6);
- Fault tree analysis (IEC 61508, 2010; Innal, 2008; Lundteigen and Rausand, 2009; Rausand, 2014);
- Markov approach (IEC 61508, 2010; Jin et al., 2011; Liu and Rausand, 2011; Rausand, 2014; Rausand and Høyland, 2004);
- Petri net approach (IEC 61508, 2010; IEC 62551, 2012; Innal et al., 2010; Liu and Rausand, 2013).

All these approaches can be used to analyze SIFs operated in both low-demand and high-demand/continuous modes. The different approaches have their own pros and cons. The first two approaches assume that the SIS is static with no dynamic properties. The reliability block diagram (RBD) represents a success-oriented logic system structure. Each block in the RBD represents the function that must be performed in order for the SIS to perform a specific SIF. The sequence of the functional blocks in the RBD is often set up to be similar to the sequence in which the SIS elements are activated. Since the RBD is success-oriented, the analyst will focus on functions rather than failures, and may thereby fail to identify all the possible failure modes. Fault tree analysis (FTA) is a failure-oriented approach, which focuses on how a SIF may fail rather than how the SIF can be achieved. Using a top-down analysis, it is easier to define the system failure (top event) and reveal all the possible individual channel and element failure modes that may lead to system failure. The FTA approach will therefore often give a more complete reliability model than the RBD approach. When the model is established, a fault tree with only OR-gates and AND-gates can always be transferred to an RBD, and vice versa. As explained in IEC 61508-6, both fault trees and RBDs are Boolean models and are more suitable for static systems than for dynamic systems.

The Markov approach and Petri nets, on the other hand, are state-based methods that are suitable for analyzing systems with dynamic features. The Markov approach is based on a Markov process with a finite number of states, where the distribution of future states only depends on the present state. The method provides a range of performance measures for the system, but is limited to items with constant failure rates and repair actions with constant repair rate. The number of states and the complexity of the state transition diagram explode exponentially when the number of items in the system increases. As a result, the calculation will be cumbersome and difficult to perform. Therefore, the Markov approach is mainly suitable for analysis of rather small systems
with dynamic properties. A Petri net is a graphical and mathematical tool for modeling and analysis of discrete event systems. It is flexible and can model the system failure with any distribution, but it also has limitations in modeling capacity when the system becomes large and complex. The language used to develop the Petri net model is sometimes hard to understand for analysts.

Reliability quantification of SISs is always associated with uncertainty. Any model can capture only the most important system characteristics and should be sufficiently simple to be handled by available mathematical and statistical methods. The analyst must understand the system behavior to select the most suitable modeling approach for the reliability assessment.

4.1. The IEC formulas

IEC 61508-6 provides approximation formulas of PFDavg and PFH for voted groups with up to three channels. More general PFDavg formulas for low-demand systems are given by Oliveira and Abramovitch (Oliveira and Abramovitch, 2010) and Rausand (Rausand, 2014). The IEC formulas are obtained based on the frequency of dangerous SIF failures and the associated SIF mean downtime. The SIF mean downtime is determined based on the channel-equivalent mean downtime, $t_{CE}$, and the voted group-equivalent mean downtime, $t_{GE}$. The channel-equivalent mean downtime is given by

$$t_{CE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{\tau}{2} + \mathrm{MRT}\right) + \frac{\lambda_{DD}}{\lambda_D}\,\mathrm{MTTR} \qquad (1)$$

where MRT is the mean repair time related to a DU-failure, and MTTR is the mean time to restoration related to a DD-failure (IEC 61508, 2010). For a D-failure, MTTR encompasses the time to detect the failure and the mean repair time. In Table B.1 of IEC 61508-6, MTTR is equal to MRT based on the assumption that the mean time to detect a DD-failure is negligible because of the self-testing features. When a D-failure occurs, the probability that this failure is a DU-failure is $\lambda_{DU}/\lambda_D$. DU-failures are only revealed in a proof test. The associated downtime of the channel has two parts: an unknown downtime with mean length $\tau/2$, during which it is not known that the channel is down, and a known downtime, MRT, during which the channel is restored. The probability that the D-failure is a DD-failure is $\lambda_{DD}/\lambda_D$. Equation (1) is obtained by combining these two parts.

For a koon:G voted group of identical channels, the group-equivalent mean downtime is derived in the same way as (1) and is expressed as

$$t_{GE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{\tau}{n-k+2} + \mathrm{MRT}\right) + \frac{\lambda_{DD}}{\lambda_D}\,\mathrm{MTTR} \qquad (2)$$

where $\tau/(n-k+2)$ is the unknown downtime of the koon:G voted group in the proof test interval (Rausand, 2014). It should be noted that the IEC formulas do not distinguish between known and unknown downtime. In practice, it is sometimes possible to take special precautions when it is known that a SIF or a channel is down, hence making the known downtime less dangerous than the unknown downtime.

The fraction of dangerous failures revealed by diagnostic testing is called the diagnostic coverage, DC, and is expressed as

$$\mathrm{DC} = \frac{\lambda_{DD}}{\lambda_D} = \frac{\lambda_{DD}}{\lambda_{DD} + \lambda_{DU}} \qquad (3)$$

When a channel is periodically proof-tested, $\tau$ is the length of the proof test interval. If the element is not proof-tested, the time interval $(0,\tau)$ is either the overhaul time or the mission time of the channel. IEC 62061 requires that if the component is neither proof-tested nor overhauled, the mission time should be set to 20 years.

Table 1
Range of PFDavg and PFH for each SIL.

SIL | PFDavg | PFH
4 | $10^{-5} \le \mathrm{PFD_{avg}} < 10^{-4}$ | $10^{-9} \le \mathrm{PFH} < 10^{-8}$
3 | $10^{-4} \le \mathrm{PFD_{avg}} < 10^{-3}$ | $10^{-8} \le \mathrm{PFH} < 10^{-7}$
2 | $10^{-3} \le \mathrm{PFD_{avg}} < 10^{-2}$ | $10^{-7} \le \mathrm{PFH} < 10^{-6}$
1 | $10^{-2} \le \mathrm{PFD_{avg}} < 10^{-1}$ | $10^{-6} \le \mathrm{PFH} < 10^{-5}$

4.2. SIL requirements

The SIL requirement is always related to a SIF and not to the subsystems of the safety loop (of the SIS) performing the SIF. In the design phase, it is necessary to allocate specific SIL requirements to the various subsystems. This is sometimes called a SIL budget for the safety loop. This budget will obviously depend on the technology, the configuration, and especially the possibility of self-testing of the sensors and logic solvers. More advanced systems for self-testing have led to a very high operational reliability of these items, especially the logic solvers. The same possibilities for self-testing do not, however, exist for final elements such as valves and circuit breakers. Several authors (Hoekstra, 2005) suggest that 35% of the budget is used for the sensor subsystem, 15% for the logic solver subsystem, and 50% for the final element subsystem. With the development of more advanced smart sensors and logic solvers, the percentage of the budget that must be allocated to the final element subsystem. More recent investigations (e.g., Baradits, 2010) suggest that, when the final element subsystem is a valve, it will consume as much as 80-85% of the SIL budget.

IEC 61508 gives ranges of PFDavg and PFH for the four SILs, shown in Table 1. Based on this table, a SIS performing a low-demand SIF with a SIL 3 requirement must, for example, fulfill $\mathrm{PFD_{avg}} < 10^{-3}$ for the whole SIF. With the suggested SIL budget, this means that the sensor (S) subsystem must fulfill $\mathrm{PFD_{avg,S}} < 3.5 \cdot 10^{-4}$.

4.3. Boundary point challenge

When the demand rate is equal or close to the boundary point (i.e., once per year), the SIF unavailability can be quantified by either PFDavg or PFH using the IEC formulas. These formulas may, however, lead to different results. To illustrate the boundary point problem, a sensor subsystem consisting of a 1oo2:G voted group of identical sensors is considered. We use the same SIL budget as indicated above (i.e., with 35% of the SIL budget allocated to the sensor subsystem), and assume that the implemented SIF is supposed to fulfill the SIL 4 requirement. The hardware failure data of the elements are sufficient, and the operational experience with the elements is extensive. This means that around the boundary point, the safety loop must fulfill $\mathrm{PFD_{avg}} < 10^{-4}$ or $\mathrm{PFH} < 10^{-8}$ for the whole SIF. Therefore, the sensor subsystem must fulfill $\mathrm{PFD_{avg,S}} < 3.5 \cdot 10^{-5}$ when using PFDavg, or $\mathrm{PFH_S} < 3.5 \cdot 10^{-9}$ when using PFH.

IEC 61508-6 presents several tables giving example values of PFDavg,S and PFH for different voting groups performing low/high-demand SIFs. Here we also use the IEC formulas to calculate PFDavg and PFH, and the results are presented in Table 2. The input parameters, including the D-failure rate, the diagnostic coverage (DC), and the CCF-factor, are extracted from Table B.10 in IEC 61508-6. The CCF-factor for DD-failures, denoted by $\beta_D$, is distinguished from the CCF-factor for DU-failures, denoted by $\beta$. Due to the automatic detection features of a SIS, multiple DD-failures need to occur very closely in time to be a CCF. Otherwise, one failure will be repaired
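The following example is added here to make the quantities of Section 4.1 and 4.2 concrete; it is not code from the paper or from IEC 61508-6. It implements eqs. (1)-(3) for a general koon:G voted group, the SIL bands of Table 1 and the 35/15/50 budget split. The sample rates are the first row of Table 2 ($\lambda_D = 0.5 \cdot 10^{-6}$ per hour, DC = 0.6); the proof-test interval of 730 h (one month) and MRT = MTTR = 8 h are assumptions, since the page does not state them.

```python
# Added example (not code from Wang & Rausand's paper or from IEC 61508-6):
# eqs. (1)-(3) for a general koon:G voted group, the SIL bands of Table 1
# and the 35/15/50 SIL budget of Section 4.2. All times are in hours.


def diagnostic_coverage(lam_dd, lam_du):
    """Eq. (3): DC = lambda_DD / lambda_D with lambda_D = lambda_DD + lambda_DU."""
    return lam_dd / (lam_dd + lam_du)


def channel_equivalent_downtime(lam_dd, lam_du, tau, mrt, mttr):
    """Eq. (1): t_CE. A D-failure is a DU-failure with probability
    lambda_DU/lambda_D (unknown downtime tau/2 plus known downtime MRT) and a
    DD-failure with probability lambda_DD/lambda_D (downtime MTTR)."""
    lam_d = lam_dd + lam_du
    return (lam_du / lam_d) * (tau / 2 + mrt) + (lam_dd / lam_d) * mttr


def group_equivalent_downtime(k, n, lam_dd, lam_du, tau, mrt, mttr):
    """Eq. (2): t_GE of a koon:G group; the unknown downtime of the group in
    the proof-test interval is tau/(n - k + 2). For k = n this equals t_CE."""
    if not 1 <= k <= n:
        raise ValueError("a koon:G group needs 1 <= k <= n")
    lam_d = lam_dd + lam_du
    return (lam_du / lam_d) * (tau / (n - k + 2) + mrt) + (lam_dd / lam_d) * mttr


# Table 1 of the paper: [lower, upper) band of PFDavg and PFH for each SIL.
SIL_BANDS = {
    "pfd": {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)},
    "pfh": {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)},
}


def sil_from_measure(value, measure):
    """SIL band hit by a PFDavg ('pfd') or PFH ('pfh') value of a whole SIF.
    Returns None outside SIL 1-4 (e.g. a subsystem value below the SIL 4 band)."""
    for sil, (lower, upper) in SIL_BANDS[measure].items():
        if lower <= value < upper:
            return sil
    return None


# SIL budget quoted in Section 4.2 (Hoekstra, 2005).
SIL_BUDGET = {"sensor": 0.35, "logic_solver": 0.15, "final_element": 0.50}


def subsystem_limits(sif_limit, budget=SIL_BUDGET):
    """Split a SIF-level upper limit (PFDavg or PFH) over the subsystems."""
    if abs(sum(budget.values()) - 1.0) > 1e-9:
        raise ValueError("budget shares must sum to 1")
    return {name: share * sif_limit for name, share in budget.items()}


if __name__ == "__main__":
    # Constructed input: lambda_D = 0.5e-6 per hour with DC = 0.6 (first row of
    # Table 2); tau = 730 h (one month) and MRT = MTTR = 8 h are assumptions.
    lam_dd, lam_du = 0.3e-6, 0.2e-6
    print("DC =", diagnostic_coverage(lam_dd, lam_du))
    print("t_CE =", channel_equivalent_downtime(lam_dd, lam_du, 730.0, 8.0, 8.0), "h")
    print("t_GE (1oo2) =", group_equivalent_downtime(1, 2, lam_dd, lam_du, 730.0, 8.0, 8.0), "h")
    print("SIL 4 sensor share:", subsystem_limits(1e-4)["sensor"], subsystem_limits(1e-8)["sensor"])
```

With these inputs $t_{CE}$ is 154 h and the 1oo2:G group downtime $t_{GE}$ is about 105 h, which is why a DU-dominated channel spends most of its downtime in the unknown state. Note that a subsystem value such as $9.6 \cdot 10^{-6}$ falls below the SIL 4 PFDavg band and is therefore compared with its budget share ($3.5 \cdot 10^{-5}$), not with Table 1 directly.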
Table 2
PFDavg,S and PFHS of a 1oo2:G group by IEC formulas ($\tau$ = 1 month).

$\lambda_D$ | DC | $\beta$ | $\beta_D$ | PFDavg,S | PFHS
$0.5 \cdot 10^{-6}$ per hour | 0.6 | 0.1 | 0.05 | $9.6 \cdot 10^{-6}$ | $2.0 \cdot 10^{-8}$
$0.5 \cdot 10^{-6}$ per hour | 0.9 | 0.1 | 0.05 | $2.0 \cdot 10^{-6}$ | $5.0 \cdot 10^{-9}$
$0.5 \cdot 10^{-6}$ per hour | 0.9 | 0.2 | 0.1 | $4.0 \cdot 10^{-6}$ | $1.0 \cdot 10^{-8}$

before the next failure occurs. Therefore, $\beta_D$ is often assumed to be lower than $\beta$ (IEC 61508, 2010), and is here set to half the value of $\beta$. With DC equal to 0.6 and $\beta$ equal to 0.1, the resulting PFDavg,S is equal to $9.6 \cdot 10^{-6}$ and less than $3.5 \cdot 10^{-5}$, while the PFHS is $2.0 \cdot 10^{-8}$ and greater than $3.5 \cdot 10^{-9}$. This means the allocated SIL requirement is fulfilled when using PFDavg,S but not when using PFHS. When increasing the DC to 0.9, the resulting PFDavg,S decreases to $2.0 \cdot 10^{-6}$, and the calculated PFHS is still greater than $3.5 \cdot 10^{-9}$. Now, if we keep DC of 0.9 unchanged and increase the $\beta$ value to 0.2, the obtained PFDavg,S still makes the SIF fulfill the allocated SIL requirement, while the resulting PFHS again does not.

It is confusing that around the "boundary point" these two performance measures may lead to different SILs with the same voted architecture and the same input data. IEC 61508 gives two SIL tables, for low-demand mode and high-demand/continuous mode SIFs, but does not explain how the boundary points of PFDavg and PFH for each SIL are selected.

For a koon:G voted group in low-demand mode, the PFDavg of the group can be calculated as

$$\mathrm{PFD_{avg,G}} = \lambda_{D,G}\, t_{GE} \qquad (4)$$

where G denotes the voted group, and $t_{GE}$ is the group-equivalent mean downtime in (2). $\lambda_{D,G}$ is the frequency of dangerous group failures and should be the same concept as the PFH of the group. If this relationship were correct, the PFH of the voted group would be

$$\mathrm{PFH_G} = \frac{\mathrm{PFD_{avg,G}}}{t_{GE}} \qquad (5)$$

If we compare the IEC formulas for PFDavg and PFH for a single channel (i.e., a 1oo1:G voted group) in IEC 61508-6, Equation (5) is not correct. A possible reason may be that the IEC formulas for PFDavg and PFH are not derived under the same assumptions. When presenting the IEC formulas for PFH, IEC 61508-6 makes the assumption that, once a dangerous failure of the SIF is detected, the EUC is immediately brought to a safe state. This "stop" action is assumed to take so short a time that the detected dangerous SIF failure is not "dangerous" for the EUC, and shall therefore not be included in the calculation of PFH. The same assumption is, however, not made when determining the PFDavg in IEC 61508-6. In the calculation of PFDavg, all the dangerous failures that terminate the ability of the SIS to perform the required SIF are incorporated. This means the PFDavg includes more failure types than the PFH, and may therefore give a more "conservative" result than PFH around the boundary point. Another issue of concern is how the two SIL tables in IEC 61508 are calibrated. Do the boundary values for the SIL intervals correspond?

5. Extended PFH formulas based on the ideas of the IEC formulas

The current IEC formulas for PFH are only available for voted groups with up to three channels. An underlying assumption for these PFH formulas is that the SIF is allowed to operate in a degraded mode with one or more channel failures in the voted group, but the EUC has to be closed down immediately when a dangerous failure of the SIF is detected. In a critically degraded mode, an extra channel failure will lead to a SIF failure. This final channel failure could be either a DD- or a DU-failure. In this section, we apply the idea of the PFH formulas in IEC 61508-6 and derive extended PFH formulas for voted groups with more than three channels. The following assumptions are initially made:

- The channels of the voted group are identical and independent.
- The group is exposed to both independent dangerous failures and CCFs.
- A channel failure is detected either by a diagnostic test or by a proof test.
- The CCFs may be either all DD-failures or all DU-failures. A combination of DD-CCF and DU-CCF is not considered.
- A DD-failure and a DU-failure cannot occur on the same channel at the same time.
- The EUC is immediately brought to a safe state when a dangerous failure of the group is detected.
- The group is studied in a proof test interval $(0,\tau)$, and the proof test is perfect and will reveal all DU-failures.

The standard beta-factor model is used to model CCFs. The individual failure rates are $\lambda_{DU,i} = (1-\beta)\lambda_{DU}$ for DU-failures and $\lambda_{DD,i} = (1-\beta_{DD})\lambda_{DD}$ for DD-failures, such that the total individual D-failure rate becomes $\lambda_{D,i} = (1-\beta_{DD})\lambda_{DD} + (1-\beta)\lambda_{DU}$.

5.1. koon:G voted group

For a koon:G voted group, the hardware fault tolerance, HFT, is $n-k$. In the following, we determine the PFH for voted groups with different HFT.

5.1.1. HFT = 0

When HFT = 0, the voted group is a series structure with noon:G voting, and a dangerous group failure occurs as soon as a channel gets a D-failure. If a channel DD-failure occurs, it is a detected dangerous SIF failure, and the EUC is immediately brought to a safe state. DD-failures can therefore be disregarded, and we may consider only DU-failures when calculating the average PFH. Since the group is assumed to be as-good-as-new after each proof test, we may consider only the proof test interval $(0,\tau)$, and since only DU-failures are considered, the number, $N(0,\tau)$, of dangerous group failures in the interval must be either zero or one. The mean number of dangerous group failures in $(0,\tau)$ is therefore

$$E[N(0,\tau)] = 0 \cdot \Pr(N(0,\tau)=0) + 1 \cdot \Pr(N(0,\tau)=1) = 1 - e^{-n\lambda_{DU}\tau} \approx n\lambda_{DU}\tau$$

The average frequency of dangerous group failures per hour, that is, the PFH, is the mean number of dangerous group failures in a time interval divided by the length of the interval, such that the resulting average PFH of the noon:G voted group in $(0,\tau)$ is

$$\mathrm{PFH}_{noon:G} = \frac{1 - e^{-n\lambda_{DU}\tau}}{\tau} \approx n\lambda_{DU} \qquad (6)$$

The approximation in (6) is considered to be adequate when $n\lambda_{DU} \le 0.10$. It is here important that the time must be measured in hours.

5.1.2. HFT = 1

When HFT = 1, the group is voted (n-1)oon:G and a dangerous group failure occurs when at least two of the n channels get D-failures. In this case, we split the total PFH of the group into the contributions from two combinations of dangerous channel failures.
(i) An independent D-failure occurs first in one of the n channels, and then a second independent failure occurs in one of the remaining n-1 channels. To be a dangerous group failure, the second failure must be a DU-failure. The contribution to the PFH from this combination of failures is therefore

$$\mathrm{PFH}_{(n-1)oon:G,a} = n\lambda_{D,i}\left[1 - e^{-(n-1)\lambda_{DU,i}\, t_{CE}}\right] \qquad (7)$$

where $t_{CE}$ is the mean downtime of the channel.

(ii) A DU-CCF occurs, and this is also an undetected dangerous SIF failure. The CCF contribution to the PFH is therefore

By summing the PFH contributions from these two types of dangerous group failures, the total PFH of the (n-1)oon:G voted group is

$$\begin{aligned}
\mathrm{PFH}_{(n-1)oon:G} &= \mathrm{PFH}_{(n-1)oon:G,a} + \mathrm{PFH}_{(n-1)oon:G,C} \\
&= n\lambda_{D,i}\left[1 - e^{-(n-1)\lambda_{DU,i}\, t_{CE}}\right] + \beta\lambda_{DU} \\
&\approx n\left[(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right](n-1)(1-\beta)\lambda_{DU}\, t_{CE} + \beta\lambda_{DU} \\
&= 2\binom{n}{2}\left[(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right](1-\beta)\lambda_{DU}\, t_{CE} + \beta\lambda_{DU}
\end{aligned} \qquad (9)$$

when $(n-1)\lambda_{DU,i}\, t_{CE} \le 0.10$.

Consider a 1oo2:G voted group of two identical channels and apply the data presented in Table 3, which is extracted from Table B.13 in IEC 61508-6. With the input data, the extended PFH formula for the (n-1)oon:G group gives

$$\mathrm{PFH}_{1oo2:G} = \mathrm{PFH}_{1oo2:G,a} + \mathrm{PFH}_{1oo2:G,C} = 2.84 \cdot 10^{-10} + 5.00 \cdot 10^{-8} = 5.028 \cdot 10^{-8} \qquad (10)$$

From the above result, the DU-CCF is seen to be responsible for 99% of the total PFH of a 1oo2:G voted group. The result is therefore not very sensitive to changes in the other parameters (i.e., $\lambda_{DD}$, $\tau$, $\beta_D$, MRT, MTTR).

5.1.3. HFT ≥ 2

When HFT ≥ 2, the PFH of dangerous group failures can also be divided into two parts: independent failures and CCFs. First, we consider independent channel failures. After the first channel D-failure, the group must have a dangerous failure where at least two or more independent channel D-failures occur. A koon:G voted group can be represented as a series structure of its minimal cuts, where each minimal cut is a 1oo(n-k+1):G voted group. The PFH of a series structure is therefore approximately equal to the sum of the PFHs of its minimal cuts. Therefore, a koon:G voted group with HFT = 2 is equal to a series structure of identical 1oo3:G voted groups. We first calculate the PFH of the 1oo3:G voted group, which is presented in IEC 61508-6 as

$$\mathrm{PFH}_{1oo3:G} = 6\left[(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right]^2 (1-\beta)\lambda_{DU}\, t_{CE}\, t_{GE} + \beta\lambda_{DU} \qquad (11)$$

The channel-equivalent mean downtime, $t_{CE}$, is

$$t_{CE} = \frac{(1-\beta)\lambda_{DU}}{(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}}\left(\frac{\tau}{2} + \mathrm{MRT}\right) + \frac{(1-\beta_D)\lambda_{DD}}{(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}}\,\mathrm{MTTR}$$

$$t_{GE} = \frac{(1-\beta)\lambda_{DU}}{(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}}\left(\frac{\tau}{4} + \mathrm{MRT}\right) + \frac{(1-\beta_D)\lambda_{DD}}{(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}}\,\mathrm{MTTR}$$

With the parameter values in Table 3, the total PFH of the 1oo3:G voted group becomes

$$\mathrm{PFH}_{1oo3:G} = 3.35 \cdot 10^{-13} + 2.00 \cdot 10^{-8} \approx 2.00 \cdot 10^{-8}$$

According to the above result, the PFH contribution from independent channel failures is totally negligible compared to the contribution from CCFs. With HFT > 2, this contribution is even more negligible. Therefore, for a koon:G voted group with HFT ≥ 2, the PFH contribution from independent dangerous group failures can be disregarded. The total PFH is thus approximately

$$\mathrm{PFH}_{koon:G} \approx \beta\lambda_{DU} \qquad (12)$$

The above extended PFH formulas apply the same idea as the PFH formulas in IEC 61508-6, which tacitly assume that the final channel failure causing a dangerous group failure must be a DU-failure. However, to disregard the detected dangerous failures is not fully reasonable. The likelihood of having a demand during the mean restoration time of the final DD-failure should be much higher in high-demand mode than in low-demand mode.

6. PFH formulas considering different demand rates

Consider a high-demand SIF that operates in a critically degraded state, such that an extra channel failure will lead to a dangerous group failure. The final channel failure could be either a DD- or a DU-failure. If the final channel failure is a DU-failure, the group failure is undetected dangerous. In this case, the SIF will be unavailable for a relatively long time. During the SIF downtime, the probability that a demand occurs may be rather high. If the final channel failure is a DD-failure, the failure is detected immediately and restored within a very short time interval. The mean SIF downtime is then $\mathrm{MTTR_{DD}}$. If the demand rate is relatively low, the DD-failures can be disregarded when determining the PFH. After
groups (since at least 3 channels must fail to get a SIF-failure). We
restoring the final DD-failure, the SIF is able to perform again in a
degraded mode. The PFH formulas presented in IEC 61508-6 are
Table 3 partly applicable for this case. If the demand rate is high, the final
Input data (t ¼ 1 year). DD-failure should not be disregarded in the calculation of the PFH
lD DC b bD MRT MTTR
as a demand may occur during the restoration time (MTTRDD).
Based on the demand rate, two scenarios are analyzed to derive the
0:5,106 per hour 0.6 0.1 0.05 8h 8h
PFH formulas.
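As an added worked example (not code from the paper), the following Python script evaluates (7), (9), (11) and (12) with the Table 3 data: it computes $\tau_{CE}$ and $\tau_{GE}$, the independent and DU-CCF contributions for the 1oo2:G and 1oo3:G groups and the CCF share of the total, and it refuses to use the linearised form of (9) when $(n-1)\lambda_{DU,i}\tau_{CE} > 0.10$. It assumes $\tau$ = 1 year = 8760 h and MRT and MTTR as given in Table 3; the class and function names are the example's own.

```python
"""
Extended IEC 61508-6 style PFH formulas (7), (9), (11), (12) evaluated with the
Table 3 data. Added example, not code from Wang & Rausand.
Assumed: tau = 1 year = 8760 h; rates per hour, times in hours.
"""
from dataclasses import dataclass
from math import comb, exp

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Channel:
    """Per-channel input data in the notation of the page."""
    lambda_d: float   # dangerous failure rate
    dc: float         # diagnostic coverage, lambda_DD = DC * lambda_D
    beta: float       # CCF factor for DU-failures
    beta_d: float     # CCF factor for DD-failures
    mrt: float        # mean repair time of a DU-failure found at the proof test
    mttr: float       # mean time to restoration of a DD-failure
    tau: float        # proof test interval

    @property
    def lambda_dd(self) -> float:
        return self.dc * self.lambda_d

    @property
    def lambda_du(self) -> float:
        return (1.0 - self.dc) * self.lambda_d

    @property
    def lambda_dd_i(self) -> float:   # independent DD-failure rate (1 - beta_D) * lambda_DD
        return (1.0 - self.beta_d) * self.lambda_dd

    @property
    def lambda_du_i(self) -> float:   # independent DU-failure rate (1 - beta) * lambda_DU
        return (1.0 - self.beta) * self.lambda_du

    @property
    def lambda_d_i(self) -> float:    # independent D-failure rate
        return self.lambda_dd_i + self.lambda_du_i


# Table 3 of the page (the authors extracted it from Table B.13 in IEC 61508-6)
TABLE3 = Channel(lambda_d=0.5e-6, dc=0.6, beta=0.1, beta_d=0.05,
                 mrt=8.0, mttr=8.0, tau=HOURS_PER_YEAR)


def tau_ce(c: Channel) -> float:
    """Channel-equivalent mean downtime: DU share waits tau/2 + MRT, DD share waits MTTR."""
    w_du = c.lambda_du_i / c.lambda_d_i
    w_dd = c.lambda_dd_i / c.lambda_d_i
    return w_du * (c.tau / 2.0 + c.mrt) + w_dd * c.mttr


def tau_ge(c: Channel) -> float:
    """Group-equivalent mean downtime used in (11) for 1oo3:G (tau/3 instead of tau/2)."""
    w_du = c.lambda_du_i / c.lambda_d_i
    w_dd = c.lambda_dd_i / c.lambda_d_i
    return w_du * (c.tau / 3.0 + c.mrt) + w_dd * c.mttr


def pfh_ccf(c: Channel) -> float:
    """DU-CCF contribution beta * lambda_DU, the term kept in (12)."""
    return c.beta * c.lambda_du


def pfh_n_minus_1_oon(c: Channel, n: int) -> dict:
    """Eq. (9) for an (n-1)oon:G group (HFT = 1); all values per hour."""
    x = (n - 1) * c.lambda_du_i * tau_ce(c)
    if x > 0.10:
        raise ValueError(f"(n-1)*lambda_DU,i*tau_CE = {x:.3g} > 0.10: linearised form of (9) not valid")
    indep_exact = n * c.lambda_d_i * (1.0 - exp(-x))                        # eq. (7)
    indep_lin = 2 * comb(n, 2) * c.lambda_d_i * c.lambda_du_i * tau_ce(c)   # last line of (9)
    ccf = pfh_ccf(c)
    return {"independent": indep_exact, "independent_linearised": indep_lin,
            "ccf": ccf, "total": indep_exact + ccf}


def pfh_1oo3(c: Channel) -> dict:
    """Eq. (11): IEC 61508-6 formula for a 1oo3:G group (HFT = 2)."""
    indep = 6.0 * c.lambda_d_i ** 2 * c.lambda_du_i * tau_ce(c) * tau_ge(c)
    ccf = pfh_ccf(c)
    return {"independent": indep, "ccf": ccf, "total": indep + ccf}


def ccf_share(result: dict) -> float:
    """Fraction of the total PFH that comes from the DU-CCF term."""
    return result["ccf"] / result["total"]


if __name__ == "__main__":
    for name, r in (("1oo2:G", pfh_n_minus_1_oon(TABLE3, 2)), ("1oo3:G", pfh_1oo3(TABLE3))):
        print(f"{name}: independent {r['independent']:.3g}/h, CCF {r['ccf']:.3g}/h, "
              f"total {r['total']:.3g}/h, CCF share {ccf_share(r):.1%}")
```

Running it gives $\beta\lambda_{DU} = 0.1 \cdot 0.2\cdot10^{-6} = 2.00\cdot10^{-8}$ per hour for both groups, an independent-failure term of about $2.85\cdot10^{-10}$ per hour for 1oo2:G (the exponential form of (7) and the linearised form in (9) agree to better than 0.1%), and a 1oo3:G independent term in the $10^{-13}$ range, five orders of magnitude below the CCF term, which is why (12) keeps only $\beta\lambda_{DU}$.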
Y. Wang, M. Rausand / Journal of Loss Prevention in the Process Industries 32 (2014) 254–264, p. 261
6.1. Scenario 1

In this scenario, the demand rate is assumed to be so high that the mean demand interval is less than one month.

6.1.1. noon:G voted group

The group is a series structure and fails when the first channel D-failure occurs in the proof test interval. If this failure is a DD-failure, it is a detected SIF failure, and the EUC is immediately brought to a safe state. If the failure is a DU-failure, it is an undetected dangerous group failure. It is therefore sufficient to consider only DU-failures to determine the PFH, and we get the same result as in (6).

$$\begin{aligned}
\Pr\left[\text{DGF in }(0,\tau)\right] &= \int_0^{\tau}\left[1 - e^{-(n-1)\lambda_{D,i}(\tau - t)}\right] n\lambda_{DU,i}\, e^{-n\lambda_{DU,i}t}\,dt \\
&\approx \int_0^{\tau}(n-1)\lambda_{D,i}(\tau - t)\, n\lambda_{DU,i}\,dt \\
&= n(n-1)\lambda_{D,i}\lambda_{DU,i}\int_0^{\tau}(\tau - t)\,dt \\
&= \binom{n}{2}\left[(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right](1-\beta)\lambda_{DU}\,\tau^2
\end{aligned}$$

by using the approximations $1 - e^{-(n-1)\lambda_{D,i}(\tau-t)} \approx (n-1)\lambda_{D,i}(\tau - t)$ and $e^{-n\lambda_{DU,i}t} \approx 1$.

Based on the same arguments that were used to derive (6), the (average) PFH contribution from this combination of failures in the proof test interval (0, τ) is

$$\begin{aligned}
\mathrm{PFH}_{(n-1)\text{oo}n:G,b} &= n\lambda_{DD,i}\left[1 - e^{-(n-1)\lambda_{DU,i}\,\mathrm{MTTR}_{DD}}\right] \\
&\approx n(n-1)\lambda_{DD,i}\lambda_{DU,i}\,\mathrm{MTTR}_{DD} \\
&= 2\binom{n}{2}(1-\beta_D)\lambda_{DD}(1-\beta)\lambda_{DU}\,\mathrm{MTTR}_{DD}
\end{aligned} \tag{14}$$

when $(n-1)\lambda_{DU,i}\,\mathrm{MTTR}_{DD} \le 0.10$.

(iii) A DU-CCF causes a dangerous group failure, and the contribution to the PFH is

$$\mathrm{PFH}_{(n-1)\text{oo}n:G,C} = \beta\lambda_{DU} \tag{16}$$

6.1.3. koon:G voted group with n − k ≥ 2

For this group, at least three channels must have simultaneous D-failures for a dangerous group failure to occur. Most SIFs are so reliable that the probability of having three or more independent channel D-failures in the same test interval is negligible. The PFH of voted groups with HFT ≥ 2 can therefore be adequately approximated by the contribution from DU-CCFs:

$$\mathrm{PFH}_{k\text{oo}n:G} \approx \beta\lambda_{DU} \tag{17}$$

General PFH formulas for koon voted groups with both DD- and DU-failures are developed by Jin et al. (2013).

6.2. Scenario 2

In this scenario, the demand rate is relatively low, such that the mean demand interval is between one month and one year. The probability of having a demand while a DD-failure is restored is negligible, and we may therefore assume that the final failure causing a dangerous group failure is a DU-failure.

$$\begin{aligned}
\mathrm{PFH}_{(n-1)\text{oo}n:G,a} &= n\lambda_{DD,i}\left[1 - e^{-(n-1)\lambda_{DU,i}\,\mathrm{MTTR}_{DD}}\right] \\
&\approx n\lambda_{DD,i}(n-1)\lambda_{DU,i}\,\mathrm{MTTR}_{DD} \\
&= 2\binom{n}{2}(1-\beta_D)\lambda_{DD}(1-\beta)\lambda_{DU}\,\mathrm{MTTR}_{DD}
\end{aligned} \tag{18}$$

(ii) First, an independent channel DU-failure occurs. As the final channel failure must be a DU-failure, the contribution to the PFH from this combination of failures is therefore

$$\begin{aligned}
\mathrm{PFH}_{(n-1)\text{oo}n:G,b} &= \frac{1}{\tau}\int_0^{\tau} n\lambda_{DU,i}\left[1 - e^{-(n-1)\lambda_{DU,i}(\tau - t)}\right]dt \\
&\approx \frac{1}{\tau}\int_0^{\tau} n\lambda_{DU,i}(n-1)\lambda_{DU,i}(\tau - t)\,dt \\
&= \binom{n}{2}(1-\beta)^2\lambda_{DU}^2\,\tau
\end{aligned} \tag{19}$$

$$E[N_G(\tau)] = 0\cdot\Pr\left(N_G(\tau) = 0\right) + 1\cdot\Pr\left(N_G(\tau) = 1\right) = \Pr\left(N(\tau) \ge n - k + 1\right) \tag{23}$$

The contribution to the PFH from independent failures is therefore

$$\begin{aligned}
\mathrm{PFH}_{k\text{oo}n:G,a} &= \frac{E[N_G(\tau)]}{\tau} = \frac{1}{\tau}\sum_{j=n-k+1}^{n}\binom{n}{j}\left(1 - e^{-\lambda_{DU,i}\tau}\right)^{j}\left(e^{-\lambda_{DU,i}\tau}\right)^{n-j} \\
&\approx \frac{1}{\tau}\binom{n}{n-k+1}\left(\lambda_{DU,i}\tau\right)^{n-k+1} \\
&= \binom{n}{n-k+1}\left[(1-\beta)\lambda_{DU}\right]^{n-k+1}\tau^{\,n-k}
\end{aligned} \tag{24}$$

by using the approximations $1 - e^{-\lambda_{DU,i}\tau} \approx \lambda_{DU,i}\tau$ and $e^{-\lambda_{DU,i}\tau} \approx 1$, and keeping only the lowest-order term of the sum ($j = n - k + 1$).

(ii) A DU-CCF occurs, and the contribution to the PFH is
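As an added worked example (not the paper's code) for the two demand-rate scenarios of Section 6, the Python script below classifies a mean demand interval into scenario 1 or scenario 2 as defined above, evaluates (14)/(18) in both its exponential and linearised forms, (19), and the koon:G independent-failure term (24) as the exact binomial expression and as its lowest-order approximation. It uses the Table 3 data, takes MTTR$_{DD}$ equal to the 8 h MTTR of Table 3 (an assumption, since the page gives no separate value), and forms the scenario 2 total for an (n − 1)oon:G group by summing (18), (19) and $\beta\lambda_{DU}$ in the same way as (9), which is also an assumption of the example; the function names are the example's own.

```python
"""
PFH contributions of Section 6 that depend on the demand-rate scenario:
(14)/(18) a DD-failure combined with a DU-failure within MTTR_DD, (19) two
independent DU-failures in one test interval, (24) the koon:G independent term,
exact binomial versus its approximation. Added example, not the paper's code.
Assumed: MTTR_DD = MTTR = 8 h from Table 3, tau = 8760 h.
"""
from math import comb, exp

# Table 3 data of the page (MTTR_DD = MTTR is an assumption of this example)
LAMBDA_D, DC, BETA, BETA_D = 0.5e-6, 0.6, 0.1, 0.05
MTTR_DD = 8.0
TAU = 8760.0
LAMBDA_DD = DC * LAMBDA_D
LAMBDA_DU = (1.0 - DC) * LAMBDA_D
LAMBDA_DD_I = (1.0 - BETA_D) * LAMBDA_DD    # independent DD-failure rate
LAMBDA_DU_I = (1.0 - BETA) * LAMBDA_DU      # independent DU-failure rate
HOURS_PER_MONTH = TAU / 12.0


def demand_scenario(mean_demand_interval_h: float) -> int:
    """Section 6 split: scenario 1 when demands come more often than monthly (a demand
    during MTTR_DD is credible), scenario 2 for monthly up to yearly demands."""
    if mean_demand_interval_h <= 0:
        raise ValueError("mean demand interval must be positive")
    if mean_demand_interval_h < HOURS_PER_MONTH:
        return 1
    if mean_demand_interval_h <= TAU:
        return 2
    raise ValueError("less than one demand per year: low-demand mode, outside these PFH formulas")


def pfh_dd_with_du_in_mttr(n: int, mttr_dd: float = MTTR_DD) -> float:
    """Eq. (14)/(18): an independent DD-failure in one of n channels together with an
    independent DU-failure in one of the other n-1 channels inside the restoration time."""
    x = (n - 1) * LAMBDA_DU_I * mttr_dd
    if x > 0.10:
        raise ValueError("(n-1)*lambda_DU,i*MTTR_DD > 0.10: linearised form not valid")
    return n * LAMBDA_DD_I * (1.0 - exp(-x))


def pfh_du_then_du(n: int, tau: float = TAU) -> float:
    """Eq. (19): a DU-failure first, then a second independent DU-failure in the
    same proof test interval; C(n,2) * lambda_DU,i^2 * tau."""
    return comb(n, 2) * LAMBDA_DU_I ** 2 * tau


def pfh_ccf() -> float:
    """DU-CCF contribution beta * lambda_DU, as in (17)."""
    return BETA * LAMBDA_DU


def pfh_koon_independent_exact(k: int, n: int, tau: float = TAU) -> float:
    """Eq. (23)/(24) before approximation: E[N_G(tau)]/tau with Pr(N(tau) >= n-k+1)
    from the binomial distribution of independent DU-failures among n channels."""
    p = 1.0 - exp(-LAMBDA_DU_I * tau)     # one channel has a DU-failure in (0, tau)
    prob = sum(comb(n, j) * p ** j * (1.0 - p) ** (n - j) for j in range(n - k + 1, n + 1))
    return prob / tau


def pfh_koon_independent_approx(k: int, n: int, tau: float = TAU) -> float:
    """Eq. (24) approximated: C(n, n-k+1) * lambda_DU,i^(n-k+1) * tau^(n-k)."""
    m = n - k + 1
    return comb(n, m) * LAMBDA_DU_I ** m * tau ** (m - 1)


def pfh_n_minus_1_oon_scenario2(n: int) -> dict:
    """Scenario 2 total for (n-1)oon:G, summed as in (9): (18) + (19) + DU-CCF (assumption)."""
    a = pfh_dd_with_du_in_mttr(n)
    b = pfh_du_then_du(n)
    c = pfh_ccf()
    return {"dd_with_du_in_mttr": a, "du_then_du": b, "ccf": c, "total": a + b + c}


if __name__ == "__main__":
    print("weekly demands -> scenario", demand_scenario(7 * 24),
          "; quarterly demands -> scenario", demand_scenario(90 * 24))
    print({key: f"{val:.3g}" for key, val in pfh_n_minus_1_oon_scenario2(2).items()})
    print("2oo3:G independent term: exact", f"{pfh_koon_independent_exact(2, 3):.4g}",
          "approx", f"{pfh_koon_independent_approx(2, 3):.4g}")
```

For a 2oo3:G group (n − k + 1 = 2) the exact binomial form and the approximation in (24) differ by about 0.3% at $\tau$ = 8760 h, so the lowest-order term is adequate at these failure rates. For 1oo2:G in scenario 2 the DU-CCF term is still about 99% of the total, and the MTTR$_{DD}$-dependent term (18) is roughly 350 times smaller than (19), which is the quantitative reason the page can neglect the DD-final case when the mean demand interval is a month or more.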