
Journal of Loss Prevention in the Process Industries 32 (2014) 254-264


Reliability analysis of safety-instrumented systems operated in high-demand mode

Yukun Wang a,b,*, Marvin Rausand b

a College of Management and Economics, Tianjin University, NO 30072 Tianjin, China
b Department of Production and Quality Engineering, Norwegian University of Science and Technology, NO 7491 Trondheim, Norway

Article info

Article history: Received 27 January 2014; received in revised form 17 September 2014; accepted 17 September 2014; available online 18 September 2014.

Keywords: Safety-instrumented systems; Reliability; High-demand; PFH

Abstract

The international standards IEC 61508 and IEC 61511 give safety integrity requirements to safety-instrumented systems (SISs) that are used in the process industry. A SIS performs one or more safety-instrumented functions (SIFs). IEC 61508 distinguishes between SIFs operated in low-demand and high-demand/continuous mode, whereas IEC 61511 distinguishes between demanded and continuous mode of operation. In the past, almost all attention has been paid to low-demand SIFs, and this is reflected in IEC 61511, the available guidelines, and the scientific literature. Recently, however, suppliers of SISs to the process industry have been met with safety requirements to SIFs operated in high-demand and continuous mode. This paper intends to help suppliers and reliability analysts who are familiar with the mathematical formulas in IEC 61508-6 for safety integrity assessment of low-demand SIFs to verify the safety integrity of SIFs in high-demand and continuous mode. This is done by highlighting the similarities and differences between the required approaches and by presenting two new sets of approximation formulas for the PFH of general koon:G voted groups. One set of PFH formulas extends the IEC formulas for PFH based on the ideas applied in IEC 61508-6. The other set of PFH formulas is derived considering the risk contribution also from DD-failures when the demand rate is high. The results of the IEC formulas of PFH and the two new sets of PFH formulas are compared and discussed.

© 2014 Elsevier Ltd. All rights reserved.

1. Introduction

Safety-instrumented systems (SISs) are widely used in the process industry to protect humans, the environment, and material assets against hazardous events, such as gas leaks and runaway reactions. The risk related to a specific hazardous event in a process may be illustrated by a bow-tie diagram (Rausand, 2011) as shown in Fig. 1, which illustrates the possible causes and consequences that are related to the hazardous event. A SIS may be used as a proactive safety barrier to prevent the hazardous event from occurring, or as a reactive safety barrier to prevent or mitigate the consequences of the hazardous event. A proactive barrier is sometimes called a frequency-reducing barrier, whereas a reactive barrier is called a consequence-reducing barrier.

A SIS generally consists of three parts: a sensor subsystem, a logic solver subsystem, and a final element subsystem. The sensor subsystem detects the onset of possible hazardous situations, the logic solver subsystem decides what to do by evaluating the information from the sensor subsystem, and the final element subsystem takes action through safety valves, circuit breakers, and so on.

To provide a specified risk reduction, the SIS must fulfill certain safety requirements. A number of standards and guidelines have been issued, which define the required safety-instrumented functions (SIFs), establish their safety integrity levels (SILs), and give guidance on how to implement them to achieve the desired functional safety. The most important of these standards is IEC 61508 (IEC 61508, 2010), which is a generic standard specifying the functional safety requirements for SISs. IEC 61508 (IEC 61508, 2010) also serves as an overall guideline for the development of sector-specific safety standards, such as IEC 61511 (IEC 61511, 2003) for the process industry and IEC 62061 (IEC 62061, 2012) for machinery systems.

IEC 61508 and the associated sector-specific standards adopt a risk-based approach to determine the safety requirements of a SIS in a safety life-cycle. Risk assessments are carried out to determine the process risk and the necessary risk reduction that should be

* Corresponding author. College of Management and Economics, Tianjin University, No. 92, Weijin Road, Nankai District, Tianjin, China. E-mail address: yukunwang89@gmail.com (Y. Wang).

http://dx.doi.org/10.1016/j.jlp.2014.09.007
0950-4230/© 2014 Elsevier Ltd. All rights reserved.

Fig. 1. Bow-tie diagram for a hazardous event with proactive and reactive safety barriers.

achieved by one or more SISs. Accordingly, the safety requirements of the SIS, including safety functional requirements and safety integrity requirements, are derived to achieve the necessary risk reduction. The safety functional requirements specify which SIFs are to be performed by the SIS, and the associated safety integrity requirements specify the required reliability performance of the SIF in terms of a SIL. A SIS may perform one or more SIFs to achieve the required functional safety. SIFs are classified according to how often they are demanded. IEC 61508 distinguishes between low-demand, high-demand, and continuous mode safety functions, where the boundary between low-demand and high-demand/continuous mode is the demand rate of once per year.

IEC 61511 distinguishes between two modes of operation: demanded mode and continuous mode. SIFs operating in demanded mode are mainly reactive barriers, while SIFs operating in continuous mode are mainly proactive barriers, see Fig. 1.

In the process industry, most attention has been paid to demanded SIFs, and especially low-demand SIFs. This is reflected in the available publications, where the vast majority treat problems related to low-demand SIFs (Dutuit et al., 2008; Hokstad and Corneliussen, 2004; Innal et al., 2010; Jin et al., 2011, 2012; Langeron et al., 2008; Liu and Rausand, 2013; Lundteigen and Rausand, 2009; Rausand, 2011; Rausand and Høyland, 2004). The same focus is also reflected in the standards, and IEC 61511 treats only demanded SIFs, with the main focus on the low-demand mode of operation.

Recently, suppliers of SISs to the offshore oil and gas industry have been met with requirements to document the safety integrity of SIFs in high-demand and continuous mode, for example for machinery systems. Many suppliers have procedures and competence related to safety integrity assessment of low-demand SIFs, but limited experience with high-demand SIFs (IEC 61511, 2003). IEC 61511 does not provide much help on SIFs operated in high-demand mode, but this topic is treated in slightly more detail in IEC 62061 for machinery systems. Recently, some attention has been paid to high-demand systems in scientific publications (Innal, 2008; Innal et al., 2010; Jin et al., 2013; Rausand, 2014), but this field is still immature.

Several reliability analysts find it difficult to follow the recommendations of IEC 61508 when the demand rate is close to the boundary point (i.e., once per year) between low-demand and high-demand mode. By using the approximation formulas suggested in IEC 61508-6, they may be able to meet the reliability requirements for a specified SIL by using PFDavg, but may not be able to meet the same requirements if using PFH (or vice versa). PFDavg is the average probability of a dangerous failure on demand of the SIF, and PFH is the average frequency of dangerous failures of the SIF per hour (IEC 61508, 2010; Rausand, 2014). Both reliability measures are further discussed in the current paper. There is therefore reason to question whether the requirements are appropriate when the demand rate approaches once per year, or maybe the approximation formulas in IEC 61508-6 are not sufficiently accurate in this case? The approach outlined in IEC 61508-6 does not solve this challenge, since we may get different SILs depending on which safety performance measure we choose.

The objectives of this paper are to (i) compare the requirements to risk assessment and safety requirements for low-demand and high-demand/continuous SIFs in IEC 61508, IEC 61511, and IEC 62061, (ii) explore the consistency of PFDavg and PFH in determining the SIL of a SIF, and (iii) derive two sets of approximated PFH formulas based on different assumptions, and discuss their strengths and weaknesses.

The rest of the paper is organized as follows. The hazard and risk assessment of the protected system, which aims at deriving the safety requirements of the SIS, is discussed in Section 2. In Section 3, the specified functional requirements and safety integrity requirements in low-demand and high-demand (continuous) mode are compared. In Section 4, the available modeling approaches to evaluate safety performance are listed and discussed to find whether the two performance measures are consistent in leading to the same SIL when using the approximated formulas presented in IEC 61508-6. In Section 5 and Section 6, two sets of approximated PFH formulas are derived, respectively. The results of these two sets of formulas are compared with the IEC formulas and discussed in Section 7. Finally, concluding remarks are given.

2. Hazard and risk assessment

IEC 61508 and its sector-specific standards are risk-based, which means that reliability requirements to the SIFs have to be deduced from the results of a risk assessment of the process.

In the process industry, a hazard and risk assessment must be carried out to determine the safety requirements of each SIF. The hazards, non-hazardous operability problems, and potential demands are commonly identified through a hazard and operability (HAZOP) study, and the process risk is determined by a quantitative or semi-quantitative risk assessment (IEC 61511, 2003; Rausand, 2011) to derive the necessary risk reduction. Based on the evaluated process risk, the safety integrity requirements are determined and allocated to each SIF.

For machinery applications, the standard ISO 12100 (ISO 12100, 2010) gives guidance on risk assessment of machinery systems. The risk analysis is initiated by defining the physical and operational boundaries of the machinery system. The potential hazards, hazardous situations, and hazardous events are identified by using the checklists provided by the standard. For each hazardous situation, the risk is estimated through preliminary hazard analysis, failure modes, effects, and criticality analysis (FMECA), and/or fault tree analysis (FTA). Based on the results from the risk estimation, the risk is evaluated to decide which hazardous situation requires further risk reduction. The terminology used in the sector-specific standard IEC 62061 for machinery systems is different from the one used in IEC 61511; a SIS is called a safety-related electrical control system (SRECS) and a SIF is called a safety-related control function (SRCF).

The approaches to hazard and risk assessment in IEC 61511 and IEC 62061 are comparable, and we may use approximately the same methods to identify hazards and allocate SIL requirements to the various SIFs (SRCFs).

3. Safety requirements

Based on the hazard and risk assessment, safety requirements are determined and allocated to one or more SIFs and other risk reduction measures. The safety requirements to a SIF consist of two parts: the functional requirements and the associated safety integrity requirements to be achieved.

3.1. Safety functional requirements

In the process industry, the SIFs allocated to a SIS are implemented to bring the process to a safe state when certain types of demands occur. The safety functional requirements should specify the required safety function (a verb and a noun) together with one or more performance requirements, and provide information on how to perform these functions. The SIFs may be described in general terms or with particular technology terms, depending on the type of system. A safety valve may, for example, have the function "close flow" on demand. The associated performance requirements could be (i) closing time must be between 5 and 10 s, and (ii) leakage in closed position must be less than 10 ml/min.

In the machinery sector, the functional safety requirements are mainly the same as for SIFs in the process industry, but may be slightly more complicated (IEC 62061, 2012). An SRCF in a SRECS may, for example, be defined as "Stop the rotating blade when the protective cover is open" (SIEMENS, 2007). This safety function consists of three sub-functions implemented by the subsystems: detecting the position of the protective cover via sensor(s), evaluating the information in the programmable logic controller (PLC) to decide what to do, and reacting by switching off the motor via an actuator.

3.2. Safety integrity requirements

3.2.1. Performance measure

To achieve the required risk reduction, the SIFs must meet certain safety integrity requirements that are specified in terms of four distinct SILs, where SIL 4 represents the most strict requirement, and SIL 1 the least strict. To fulfill a SIL, the SIF must meet (i) a quantitative requirement and (ii) a set of qualitative requirements. The quantitative requirement must, according to IEC 61508, be formulated based on PFDavg for low-demand SIFs and PFH for high-demand/continuous mode SIFs.

Each SIL corresponds to a certain range of risk reduction for SIFs in low-demand mode, and a maximum frequency of dangerous system failures for SIFs in high-demand and continuous mode. Two safety performance measures are used to express the reliability requirement. In low-demand mode, the SIF is demanded less than once per year and remains dormant until it is activated. The SIS operates as a separate device in addition to the basic control system. The reliability of a low-demand SIF is measured by the average unavailability of the SIS to perform the SIF on demand, PFDavg. In high-demand mode, the SIF is demanded more often than once a year, and activated more frequently to transfer the process into a safe state. A high-demand SIS is often partially integrated into the control system, meaning that some parts of the system are used on a more or less continuous basis, and some parts are separate safety elements. In continuous mode of operation, the demand is present all the time. The SIS is totally integrated into the process control system, to perform safety functions continuously as a part of normal operation. The reliability of a SIF in high-demand or continuous mode is measured by the average frequency of dangerous failures of the SIF per hour, PFH.

IEC 61511 indicates in paragraph 9.2.3 that the user may choose either PFDavg or PFH as the safety performance measure for any demanded SIF. This means that for any SIF operated in demanded mode, the reliability requirement can be measured with either PFDavg or PFH. However, IEC 61511 requires that if using PFH, neither the demand rate nor the proof-test interval can be considered in the calculation of PFH. In contrast, IEC 62061, aiming at SRECSs operated in high-demand or continuous mode, presents several simplified PFH formulas considering proof tests, and this is also the case for IEC 61508.

3.2.2. Architectural constraints

The reliability quantification of a SIS is subject to several types of uncertainty, such as completeness uncertainty, parameter uncertainty, and model uncertainty (Jin et al., 2012). In addition to the quantitative reliability requirements, the IEC standards give additional requirements on the robustness of the SIS structure. These requirements are given as architectural constraints, aiming to set restrictions on the freedom to choose hardware architecture on the basis of PFDavg or PFH calculations alone.

The requirements related to architectural constraints are determined by three elements: (i) the hardware fault tolerance (HFT), (ii) the safe failure fraction (SFF), and (iii) the type and complexity of channels. The HFT denotes the number of faults that can be tolerated before the SIF is lost. The SFF gives the proportion of "safe" failures plus dangerous detected (DD) failures among all failures. Before determining the achievable SIL of a SIF performed by a subsystem, the complexity of the subsystem components should be assessed and classified. IEC 61508 distinguishes between type A and type B components in a generic manner. Type A components are characterized by well-defined failure modes, complete knowledge of component behavior, and sufficient field failure data. Type B components do not fulfill at least one of these requirements. IEC 61511 classifies the components in a more specific way, where channels with programmable electronic (PE) technology belong to one type, and channels based on non-PE technology to the other type.

The relationships between SFF, HFT, and SIL are presented in IEC 61508 in two tables, one for type A channels and one for type B channels. In these tables, the SFF is split into four intervals: below 60%, between 60% and 90%, between 90% and 99%, and above 99%. Similarly, IEC 61511 suggests two separate tables for non-PE channels and PE channels, to reflect specific categories of channels, but SIL 4 subsystems and requirements for SFF above 99% are not covered in IEC 61511.

For high-demand SRECS in the machinery sector, IEC 62061 defines a SIL Claim Limit to express the maximum SIL related to architectural constraints that can be claimed. The HFT and SFF of the subsystem are both taken into account when architectural constraints are determined. A table is set up to specify the highest SIL that can be claimed for the safety function. In the table, the classification of SFF is the same as in (IEC 61508, 2010), but a SIL 4 claim limit is not included. With the same SFF and HFT of the component, the three standards may give different achievable SIL requirements for subsystems with the same voted architecture.

Due to the ambiguity of the SFF concept, the SFF-HFT-SIL relationship has, however, been questioned by reliability analysts as not well founded (Lundteigen and Rausand, 2009). Increasing the safe failure rate of a component will lead to a higher SFF according to the definition of SFF. But a high SFF cannot indicate that the component is safe enough to reduce its HFT, as the SIS response to safe failures may not be "safe" and may even introduce new failures. Besides, the estimation of SFF is usually uncertain, as safe failures get less attention than dangerous failures in the data collection (OREDA, 2009). Due to the controversy of the SFF-HFT-SIL relationship, IEC 61508 presents an alternative means to determine the minimum HFT for each subsystem based on the component reliability field data and the increased confidence levels for the specified SIL. However, as reliability data uncertainties always exist, the derived requirement related to architectural constraints may not be sufficient to capture the system complexity in addition to the quantitative reliability assessment.

3.2.3. Systematic failures

The channels of a SIS are exposed to both random hardware failures and systematic failures. A random hardware failure occurs

at a random time due to natural degradation mechanisms in the channel. A systematic failure is related to a specific cause, such as errors in the design and implementation of hardware or software, or errors in the specification of the SIS. Systematic failures may lead to failures of multiple channels, give rise to common-cause failures (CCFs), and become a dominating factor in the system reliability quantification. Such failures can only be corrected by a modification of the design or the selection of components, manufacturing process, operating procedures, and the associated documentation. The PDS method (Hauge et al., 2013) classifies systematic failures into five categories, including software faults, design-related faults, installation errors, excessive stress failures, and operational failures. Systematic failures may be detected by tests or be hidden until a true demand occurs. For high-demand SIFs, systematic failures may be more likely to occur due to human errors during operation. Flaws in the design specification, combined with failures introduced during the manufacturing and installation process, may lead the system to operate under excessive stress and generate more systematic failures.

The reliability related to random hardware failures may be quantified based on failure rates, while the reliability related to systematic failures cannot be precisely estimated, as the causes leading to such failures are not easy to determine. In current practice, only random hardware failures are fully considered in the reliability quantification of a SIF. The IEC standards give qualitative requirements to prevent and control systematic failures.

If systematic failures are disregarded, the predicted unavailability will be lower and less conservative than the actual unavailability. However, systematic failures are not totally disregarded in the reliability quantification, since they enter as causes of CCFs. The PDS method (Hauge et al., 2013) adds the contribution of systematic failures by incorporating CCFs and test-independent failures (TIFs). Some data sources, such as OREDA (OREDA, 2009), partly include systematic failures in the failure rate estimation. It has also been argued whether or not systematic failures should be included in the reliability quantification. The causes of such failures are hard to identify, and if identified and corrected, this kind of failure may not occur again. If systematic failures are included, to what degree it is possible to add them into the model is also necessary to consider.

3.2.4. Common-cause failures

To enhance the reliability of a SIF, redundancy is often implemented in the system configuration (Lundteigen and Rausand, 2007). A general k-out-of-n:G (koon:G) voted group means that at least k of its n elements need to perform the required safety function upon demand [i.e., be "good" (G)]. CCFs may cause two or more channels to fail simultaneously or within a short time interval, and hence reduce the effect of redundancy. IEC 61508 therefore requires CCFs to be incorporated in the SIF reliability quantification.

For CCF modeling, lack of data is always a challenge for parameter estimation, as the causes of a CCF are often sector-specific and rarely the same. Hence, choosing a plant-specific CCF factor based on generic data may not give adequate results. Without sufficient data, the parameters have to be determined by other methods.

The beta-factor model is suggested in IEC 61508-6 as an adequate approach for modeling CCFs, but several other approaches are also mentioned. The beta-factor β is the fraction of CCFs among all failures of a channel. It is often estimated with the checklist approach suggested in IEC 61508-6. The checklist has two scoring tables, one for logic solvers and another for sensors and final elements. Each table assesses the operating environment and various defense measures against CCFs, and thereby determines the susceptibility to CCFs. The checklist in IEC 61508-6 is rather extensive, with 37 questions, some of which may be difficult to answer. A simpler checklist for machinery systems is given in IEC 62061. For subsystems with the same voting configuration, the checklists in IEC 61508 and IEC 62061 may give slightly different values of β.

The standard beta-factor model is simple and widely used in practice, but does not distinguish between different voting configurations. β is the same for any koon:G voted group, which may not be realistic for groups with a high level of redundancy. Due to this limitation, a modified CCF model is proposed by the PDS method (Hauge et al., 2013). In the PDS approach, a configuration factor C_koon is assigned to β for different voting configurations. For a group voted koon:G, the beta-factor is β·C_koon, where β is the fraction of CCFs between any two redundant channels.

4. Modeling approaches

The IEC standards require reliability quantification to be performed, but do not give any requirements related to methods. Several methods are presented in IEC 61508-6, but this part is only informative. The approaches presented in IEC 61508-6 are

- IEC formulas based on reliability block diagrams (i.e., the approximation formulas presented in IEC 61508-6);
- Fault tree analysis (IEC 61508, 2010; Innal, 2008; Lundteigen and Rausand, 2009; Rausand, 2014);
- Markov approach (IEC 61508, 2010; Jin et al., 2011; Liu and Rausand, 2011; Rausand, 2014; Rausand and Høyland, 2004);
- Petri net approach (IEC 61508, 2010; IEC 62551, 2012; Innal et al., 2010; Liu and Rausand, 2013).

All these approaches can be used to analyze SIFs operated in both low-demand and high-demand/continuous modes. The different approaches have their own pros and cons. The first two approaches assume that the SIS is static with no dynamic properties. The reliability block diagram (RBD) represents a success-oriented logic system structure. Each block in the RBD represents the function that must be performed in order for the SIS to perform a specific SIF. The sequence of the functional blocks in the RBD is often set up to be similar to the sequence in which the SIS elements are activated. Since the RBD is success-oriented, the analyst will focus on functions rather than failures, and may thereby fail to identify all the possible failure modes. Fault tree analysis (FTA) is a failure-oriented approach, which focuses on how a SIF may fail rather than on how the SIF can be achieved. Using a top-down analysis, it is easier to define the system failure (top event) and reveal all the possible individual channel and element failure modes that may lead to system failure. The FTA approach will therefore often give a more complete reliability model than the RBD approach. When the model is established, a fault tree with only OR-gates and AND-gates can always be transferred to an RBD, and vice versa. As explained in IEC 61508-6, both fault trees and RBDs are Boolean models and are more suitable for static systems than for dynamic systems.

The Markov approach and Petri nets, on the other hand, are state-based methods that are suitable for analyzing systems with dynamic features. The Markov approach is based on a Markov process with a finite number of states, where the distribution of future states depends only on the present state. The method provides a range of performance measures for the system, but is limited to items with constant failure rates and repair actions with constant repair rates. The number of states and the complexity of the state transition diagram explode exponentially when the number of items in the system increases. As a result, the calculation will be cumbersome and difficult to perform. Therefore, the Markov approach is mainly suitable for analysis of rather small systems

with dynamic properties. A Petri net is a graphical and mathematical tool for modeling and analysis of discrete event systems. It is flexible and can model the system failure with any distribution, but it also has limitations in modeling capacity when the system becomes large and complex. The language used to develop the Petri net model is sometimes hard to understand for analysts.

Reliability quantification of SISs is always associated with uncertainty. Any model can capture only the most important system characteristics and should be sufficiently simple to be handled by available mathematical and statistical methods. The analyst must understand the system behavior to select the most suitable modeling approach for the reliability assessment.

4.1. The IEC formulas

IEC 61508-6 provides approximation formulas for PFDavg and PFH for voted groups with up to three channels. More general PFDavg formulas for low-demand systems are given by Oliveira and Abramovitch (Oliveira and Abramovitch, 2010) and Rausand (Rausand, 2014). The IEC formulas are obtained based on the frequency of dangerous SIF failures and the associated SIF mean downtime. The SIF mean downtime is determined based on the channel-equivalent mean downtime, t_CE, and the voted group-equivalent mean downtime, t_GE. The channel-equivalent mean downtime is given by

$$ t_{CE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{\tau}{2} + \mathrm{MRT}\right) + \frac{\lambda_{DD}}{\lambda_D}\,\mathrm{MTTR} \qquad (1) $$

where MRT is the mean repair time related to a DU-failure, and MTTR is the mean time to restoration related to a DD-failure (IEC 61508, 2010). For a D-failure, MTTR encompasses the time to detect the failure and the mean repair time. In Table B.1 of IEC 61508-6, MTTR is set equal to MRT based on the assumption that the mean time to detect a DD-failure is negligible because of the self-testing features. When a D-failure occurs, the probability that this failure is a DU-failure is $\lambda_{DU}/\lambda_D$. DU-failures are only revealed in a proof test. The associated downtime of the channel has two parts: an unknown downtime with mean length τ/2, where it is not known that the channel is down, and a known downtime, MRT, where the channel is restored. The probability that the D-failure is a DD-failure is $\lambda_{DD}/\lambda_D$. Equation (1) is obtained by combining these two parts.

For a koon:G voted group of identical channels, the group-equivalent mean downtime is derived in the same way as (1) and is expressed as

$$ t_{GE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{\tau}{n-k+2} + \mathrm{MRT}\right) + \frac{\lambda_{DD}}{\lambda_D}\,\mathrm{MTTR} \qquad (2) $$

where τ/(n − k + 2) is the unknown downtime of the koon:G voted group in the proof-test interval (Rausand, 2014). It should be noted that the IEC formulas do not distinguish between known and unknown downtime. In practice, it is sometimes possible to take special precautions when it is known that a SIF or a channel is down, hence making the known downtime less dangerous than the unknown downtime.

The fraction of dangerous failures revealed by diagnostic testing is called the diagnostic coverage, DC, and is expressed as

$$ \mathrm{DC} = \frac{\lambda_{DD}}{\lambda_D} = \frac{\lambda_{DD}}{\lambda_{DD} + \lambda_{DU}} \qquad (3) $$

When a channel is periodically proof-tested, τ is the length of

channel. IEC 62061 requires that if the component is neither proof-tested nor overhauled, the mission time should be set to 20 years.

4.2. SIL requirements

The SIL requirement is always related to a SIF and not to the subsystems of the safety loop (of the SIS) performing the SIF. In the design phase, it is necessary to allocate specific SIL requirements to the various subsystems. This is sometimes called a SIL budget for the safety loop. This budget will obviously depend on the technology, the configuration, and especially the possibility of self-testing of the sensors and logic solvers. More advanced systems for self-testing have led to a very high operational reliability of these items, especially the logic solvers. The same possibilities for self-testing do not, however, exist for final elements such as valves and circuit breakers. Several authors (Hoekstra, 2005) suggest that 35% of the budget is used for the sensor subsystem, 15% for the logic solver subsystem, and 50% for the final element subsystem. With the development of more advanced smart sensors and logic solvers, the percentage of the budget that must be allocated to the final element subsystem increases. More recent investigations (e.g., Baradits, 2010) suggest that, when the final element subsystem is a valve, it will consume as much as 80-85% of the SIL budget.

IEC 61508 gives ranges of PFDavg and PFH for the four SILs, shown in Table 1. Based on this table, a SIS performing a low-demand SIF with a SIL 3 requirement must, for example, fulfill PFDavg < 10^-3 for the whole SIF. With the suggested SIL budget, this means that the sensor (S) subsystem must fulfill PFDavg,S < 3.5·10^-4.

4.3. Boundary point challenge

When the demand rate is equal or close to the boundary point (i.e., once per year), the SIF unavailability can be quantified by either PFDavg or PFH using the IEC formulas. These formulas may, however, lead to different results. To illustrate the boundary point problem, a sensor subsystem consisting of a 1oo2:G voted group of identical sensors is considered. We use the same SIL budget as indicated above (i.e., with 35% of the SIL budget allocated to the sensor subsystem), and assume that the implemented SIF is supposed to fulfill the SIL 4 requirement. The hardware failure data of the elements is sufficient, and the operational experience with the elements is extensive. This means that, around the boundary point, the safety loop must fulfill PFDavg < 10^-4 or PFH < 10^-8 for the whole SIF. Therefore, the sensor subsystem must fulfill PFDavg,S < 3.5·10^-5 when using PFDavg, or PFH_S < 3.5·10^-9 when using PFH.

IEC 61508-6 presents several tables that give example values of PFDavg,S and PFH for different voted groups performing low/high-demand SIFs. Here we also use the IEC formulas to calculate PFDavg and PFH, and the results are presented in Table 2. The input parameters, including the D-failure rate, the diagnostic coverage (DC), and the CCF factor, are extracted from Table B.10 in IEC 61508-6. The CCF factor for DD-failures, denoted β_D, is distinguished from the CCF factor for DU-failures, denoted β. Due to the automatic detection features of a SIS, multiple DD-failures need to occur very closely in time to be a CCF. Otherwise, one failure will be repaired

Table 1
Range of PFDavg and PFH for each SIL.

SIL   PFDavg             PFH
4     10^-5 to <10^-4    10^-9 to <10^-8
3     10^-4 to <10^-3    10^-8 to <10^-7
the proof test interval. If the element is not proof-tested, the time 2 103e102 107e106
1 102e101 106e105
interval (0,t) is either the overhaul, or the mission time of the
Y. Wang, M. Rausand / Journal of Loss Prevention in the Process Industries 32 (2014) 254e264 259

before the next failure occurs. Therefore, $\beta_D$ is often assumed to be lower than $\beta$ (IEC 61508, 2010), and is here set to half the value of $\beta$. With DC equal to 0.6 and $\beta$ equal to 0.1, the resulting $PFD_{avg,S}$ is $9.6\cdot10^{-6}$, which is less than $3.5\cdot10^{-5}$, while $PFH_S$ is $2.0\cdot10^{-8}$, which is greater than $3.5\cdot10^{-9}$. This means that the allocated SIL requirement is fulfilled when using $PFD_{avg,S}$, but not when using $PFH_S$. When the DC is increased to 0.9, the resulting $PFD_{avg,S}$ decreases to $2.0\cdot10^{-6}$, and the calculated $PFH_S$ is still greater than $3.5\cdot10^{-9}$. If we now keep DC = 0.9 unchanged and increase $\beta$ to 0.2, the obtained $PFD_{avg,S}$ still lets the SIF fulfil the allocated SIL requirement, while the resulting $PFH_S$ again does not.

Table 2
$PFD_{avg,S}$ and $PFH_S$ of a 1oo2:G group by IEC formulas ($\tau$ = 1 month).

$\lambda_D$                  DC    $\beta$   $\beta_D$   $PFD_{avg,S}$        $PFH_S$
$0.5\cdot10^{-6}$ per hour   0.6   0.1       0.05        $9.6\cdot10^{-6}$    $2.0\cdot10^{-8}$
$0.5\cdot10^{-6}$ per hour   0.9   0.1       0.05        $2.0\cdot10^{-6}$    $5.0\cdot10^{-9}$
$0.5\cdot10^{-6}$ per hour   0.9   0.2       0.1         $4.0\cdot10^{-6}$    $1.0\cdot10^{-8}$

It is confusing that around the "boundary point", these two performance measures may lead to different SILs for the same voted architecture and the same input data. IEC 61508 gives two SIL tables, one for low-demand mode and one for high-demand/continuous mode SIFs, but does not explain how the boundary points of $PFD_{avg}$ and PFH for each SIL are selected.

For a koon:G voted group in low-demand mode, the $PFD_{avg}$ of the group can be calculated as

$$PFD_{avg,G} = \lambda_{D,G}\cdot t_{GE} \qquad (4)$$

where G denotes the voted group, and $t_{GE}$ is the group-equivalent mean downtime in (2). $\lambda_{D,G}$ is the frequency of dangerous group failures and should be the same concept as the PFH of the group. If this relationship were correct, the PFH of the voted group would be

$$PFH_G = \frac{PFD_{avg,G}}{t_{GE}} \qquad (5)$$

If we compare the IEC formulas for $PFD_{avg}$ and PFH for a single channel (i.e., a 1oo1:G voted group) in IEC 61508-6, Equation (5) is not correct. A possible reason may be that the IEC formulas for $PFD_{avg}$ and PFH are not derived under the same assumptions. When presenting the IEC formulas for PFH, IEC 61508-6 makes the assumption that, once a dangerous failure of the SIF is detected, the EUC is immediately brought to a safe state. This "stop" action is assumed to take so short a time that the detected dangerous SIF failure is not "dangerous" for the EUC, and shall therefore not be included in the calculation of PFH. The same assumption is, however, not made when determining the $PFD_{avg}$ in IEC 61508-6. In the calculation of $PFD_{avg}$, all the dangerous failures that terminate the ability of the SIS to perform the required SIF are incorporated. This means that the $PFD_{avg}$ includes more failure types than the PFH, and may therefore give a more "conservative" result than PFH around the boundary point. Another issue of concern is how the two SIL tables in IEC 61508 are calibrated. Do the boundary values for the SIL intervals correspond?

5. Extended PFH formulas based on the ideas of the IEC formulas

The current IEC formulas for PFH are only available for voted groups with up to three channels. An underlying assumption for these PFH formulas is that the SIF is allowed to operate in a degraded mode with one or more channel failures in the voted group, but the EUC has to be closed down immediately when a dangerous failure of the SIF is detected. In a critically degraded mode, an extra channel failure will lead to a SIF failure. This final channel failure could be either a DD- or a DU-failure. In this section, we apply the idea of the PFH formulas in IEC 61508-6, and derive extended PFH formulas for voted groups with more than three channels. The following assumptions are initially made:

- The channels of the voted group are identical and independent.
- The group is exposed to both independent dangerous failures and CCFs.
- A channel failure is detected either by a diagnostic test or by a proof test.
- The CCFs may be either all DD-failures or all DU-failures. A combination of DD-CCF and DU-CCF is not considered.
- A DD-failure and a DU-failure cannot occur on the same channel at the same time.
- The EUC is immediately brought to a safe state when a dangerous failure of the group is detected.
- The group is studied in a proof test interval $(0,\tau)$, and the proof test is perfect and will reveal all DU-failures.

The standard beta-factor model is used to model CCFs. The individual failure rates are $\lambda_{DU,i} = (1-\beta)\lambda_{DU}$ for DU-failures and $\lambda_{DD,i} = (1-\beta_D)\lambda_{DD}$ for DD-failures, such that the total individual D-failure rate becomes $\lambda_{D,i} = (1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}$.

5.1. koon:G voted group

For a koon:G voted group, the hardware fault tolerance, HFT, is $n - k$. In the following, we determine the PFH for voted groups with different HFT.

5.1.1. HFT = 0

When HFT = 0, the voted group is a series structure with noon:G voting, and a dangerous group failure occurs as soon as a channel gets a D-failure. If a channel DD-failure occurs, it is a detected dangerous SIF failure, and the EUC is immediately brought to a safe state. DD-failures can therefore be disregarded, and we may consider only DU-failures when calculating the average PFH. Since the group is assumed to be as-good-as-new after each proof test, we may consider only the proof test interval $(0,\tau)$, and since only DU-failures are considered, the number, $N(0,\tau)$, of dangerous group failures in the interval must be either zero or one. The mean number of dangerous group failures in $(0,\tau)$ is therefore

$$E[N(0,\tau)] = 0\cdot\Pr(N(0,\tau)=0) + 1\cdot\Pr(N(0,\tau)=1) = 1 - e^{-n\lambda_{DU}\tau} \approx n\lambda_{DU}\tau$$

The average frequency of dangerous group failures per hour, that is, the PFH, is the mean number of dangerous group failures in a time interval divided by the length of the interval, such that the resulting average PFH of the noon:G voted group in $(0,\tau)$ is

$$PFH_{noon:G} = \frac{1 - e^{-n\lambda_{DU}\tau}}{\tau} \approx n\lambda_{DU} \qquad (6)$$

The approximation in (6) is considered to be adequate when $n\lambda_{DU} \le 0.10$. It is here important that the time must be measured in hours.

5.1.2. HFT = 1

When HFT = 1, the group is voted $(n-1)$oon:G, and a dangerous group failure occurs when at least two of the $n$ channels get D-failures. In this case, we split the total PFH of the group into the contributions from two combinations of dangerous channel failures.

(i) An independent D-failure occurs first in one of the $n$ channels, and then a second independent failure occurs in one of the remaining $n-1$ channels. To be a dangerous group failure, the second failure must be a DU-failure. The contribution to the PFH from this combination of failures is therefore

$$PFH_{(n-1)oon:G,a} = n\lambda_{D,i}\left(1 - e^{-(n-1)\lambda_{DU,i}\,t_{CE}}\right) \qquad (7)$$

where $t_{CE}$ is the mean downtime of the channel.

(ii) A DU-CCF occurs, and this is also an undetected dangerous SIF failure. The CCF contribution to the PFH is therefore

$$PFH_{(n-1)oon:G,C} = \beta\lambda_{DU} \qquad (8)$$

By summing the PFH contributions from these two types of dangerous group failures, the total PFH of the $(n-1)$oon:G voted group is

$$\begin{aligned}
PFH_{(n-1)oon:G} &= PFH_{(n-1)oon:G,a} + PFH_{(n-1)oon:G,C} \\
&= n\lambda_{D,i}\left(1 - e^{-(n-1)\lambda_{DU,i}\,t_{CE}}\right) + \beta\lambda_{DU} \\
&\approx n\left[(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right](n-1)(1-\beta)\lambda_{DU}\,t_{CE} + \beta\lambda_{DU} \\
&= 2\binom{n}{2}\left[(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right](1-\beta)\lambda_{DU}\,t_{CE} + \beta\lambda_{DU}
\end{aligned} \qquad (9)$$

when $(n-1)\lambda_{DU,i}\,t_{CE} \le 0.10$.

Consider a 1oo2:G voted group of two identical channels and apply the data presented in Table 3, which is extracted from Table B.13 in IEC 61508-6. With this input data, the extended PFH formula for the $(n-1)$oon:G group gives

$$PFH_{1oo2:G} = PFH_{1oo2:G,a} + PFH_{1oo2:G,C} = 2.84\cdot10^{-10} + 5.00\cdot10^{-8} = 5.028\cdot10^{-8} \qquad (10)$$

Table 3
Input data ($\tau$ = 1 year).

$\lambda_D$                  DC    $\beta$   $\beta_D$   MRT   MTTR
$0.5\cdot10^{-6}$ per hour   0.6   0.1       0.05        8 h   8 h

From the above result, the DU-CCF is seen to be responsible for 99% of the total PFH of a 1oo2:G voted group. The result is therefore not very sensitive to changes in the other parameters (i.e., $\lambda_{DD}$, $\tau$, $\beta_D$, MRT, MTTR).

5.1.3. HFT ≥ 2

When HFT ≥ 2, the PFH of dangerous group failures can also be divided into two parts: independent failures and CCFs. First, we consider independent channel failures. After the first channel D-failure, the group must have a dangerous failure where at least two or more independent channel D-failures occur. A koon:G voted group can be represented as a series structure of its minimal cuts, where each minimal cut is a 1oo$(n-k+1)$:G voted group. The PFH of a series structure is therefore approximately equal to the sum of the PFHs of its minimal cuts. Therefore, a koon:G voted group with HFT = 2 is equal to a series structure of identical 1oo3:G voted groups (since at least 3 channels must fail to get a SIF failure). We first calculate the PFH of the 1oo3:G voted group, which is presented in IEC 61508-6 as

$$PFH_{1oo3:G} = 6\left[(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right]^2(1-\beta)\lambda_{DU}\,t_{CE}\,t_{GE} + \beta\lambda_{DU} \qquad (11)$$

The channel-equivalent mean downtime, $t_{CE}$, is

$$t_{CE} = \frac{(1-\beta)\lambda_{DU}}{(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}}\left(\frac{\tau}{2} + MRT\right) + \frac{(1-\beta_D)\lambda_{DD}}{(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}}\,MTTR$$

and the group-equivalent mean downtime, $t_{GE}$, is

$$t_{GE} = \frac{(1-\beta)\lambda_{DU}}{(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}}\left(\frac{\tau}{4} + MRT\right) + \frac{(1-\beta_D)\lambda_{DD}}{(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}}\,MTTR$$

With the parameter values in Table 3, the total PFH of the 1oo3:G voted group becomes

$$PFH_{1oo3:G} = 3.35\cdot10^{-13} + 2.00\cdot10^{-8} \approx 2.00\cdot10^{-8}$$

According to the above result, the PFH contribution from independent channel failures is totally negligible compared to the contribution from CCFs. With HFT ≥ 2, this contribution is even more negligible. Therefore, for a koon:G voted group with HFT ≥ 2, the PFH contribution from independent dangerous group failures can be disregarded. The total PFH is thus approximately

$$PFH_{koon:G} \approx \beta\lambda_{DU} \qquad (12)$$

The above extended PFH formulas apply the same idea as the PFH formulas in IEC 61508-6, which tacitly assume that the final channel failure causing a dangerous group failure must be a DU-failure. However, disregarding the detected dangerous failures is not fully reasonable. The likelihood of having a demand during the mean restoration time of the final DD-failure should be much higher in high-demand mode than in low-demand mode.

6. PFH formulas considering different demand rates

Consider a high-demand SIF that operates in a critically degraded state, such that an extra channel failure will lead to a dangerous group failure. The final channel failure could be either a DD- or a DU-failure. If the final channel failure is a DU-failure, the group failure is undetected dangerous. In this case, the SIF will be unavailable for a relatively long time. During the SIF downtime, the probability that a demand occurs may be rather high. If the final channel failure is a DD-failure, the failure is detected immediately and restored within a very short time interval. The mean SIF downtime is then $MTTR_{DD}$. If the demand rate is relatively low, the DD-failures can be disregarded when determining the PFH. After restoring the final DD-failure, the SIF is able to perform again in a degraded mode. The PFH formulas presented in IEC 61508-6 are partly applicable for this case. If the demand rate is high, the final DD-failure should not be disregarded in the calculation of the PFH, as a demand may occur during the restoration time ($MTTR_{DD}$). Based on the demand rate, two scenarios are analyzed to derive the PFH formulas.
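As an added example (not code from the paper), the following Python script evaluates the extended formulas of Section 5 with the Table 3 data. It assumes $\tau$ = 1 year = 8760 h, writes $t_{CE}$ and $t_{GE}$ with the independent rates as in the expressions after (11), and, for HFT = 2, counts the $\binom{n}{3}$ minimal cuts of the koon:G group when summing the 1oo3:G contributions.

```python
"""Extended PFH formulas of Section 5, evaluated with the Table 3 data.
Added example, not code from the paper; the inputs are the paper's own."""
from dataclasses import dataclass
from math import comb, exp

YEAR = 8760.0  # hours; the formulas require time measured in hours


@dataclass(frozen=True)
class Channel:
    """Dangerous-failure data of one channel (rates per hour, times in hours)."""
    lambda_d: float  # total dangerous failure rate
    dc: float        # diagnostic coverage, eq. (3)
    beta: float      # CCF factor for DU-failures
    beta_d: float    # CCF factor for DD-failures
    mrt: float       # mean repair time of a DU-failure
    mttr: float      # mean time to restoration of a DD-failure

    @property
    def lambda_dd(self) -> float:
        return self.dc * self.lambda_d

    @property
    def lambda_du(self) -> float:
        return (1 - self.dc) * self.lambda_d

    # independent (non-CCF) rates of the beta-factor model, Section 5
    @property
    def lambda_dd_i(self) -> float:
        return (1 - self.beta_d) * self.lambda_dd

    @property
    def lambda_du_i(self) -> float:
        return (1 - self.beta) * self.lambda_du

    @property
    def lambda_d_i(self) -> float:
        return self.lambda_dd_i + self.lambda_du_i


def t_ge(ch: Channel, n: int, k: int, tau: float) -> float:
    """Group-equivalent mean downtime, eq. (2), with the independent rates
    (the form given after eq. (11)); unknown downtime is tau/(n-k+2)."""
    du_share = ch.lambda_du_i / ch.lambda_d_i
    dd_share = ch.lambda_dd_i / ch.lambda_d_i
    return du_share * (tau / (n - k + 2) + ch.mrt) + dd_share * ch.mttr


def t_ce(ch: Channel, tau: float) -> float:
    """Channel-equivalent mean downtime, eq. (1): the n = k case of eq. (2)."""
    return t_ge(ch, 1, 1, tau)


def pfh_extended(ch: Channel, n: int, k: int, tau: float) -> tuple[float, float]:
    """Extended PFH of a koon:G group as (independent part, DU-CCF part).

    HFT = 0: eq. (6), exact form; there the CCF share sits inside n*lambda_DU.
    HFT = 1: eq. (9) in its exact form, i.e. before the 0.10 approximation.
    HFT = 2: the 1oo3:G cut of eq. (11), summed over the C(n, 3) minimal cuts
             of the group (Section 5.1.3); the cut count is our assumption.
    HFT > 2: eq. (12), independent part disregarded.
    """
    hft = n - k
    ccf = ch.beta * ch.lambda_du
    if hft == 0:
        return (1 - exp(-n * ch.lambda_du * tau)) / tau, 0.0
    if hft == 1:
        independent = n * ch.lambda_d_i * (1 - exp(-(n - 1) * ch.lambda_du_i * t_ce(ch, tau)))
        return independent, ccf
    if hft == 2:
        cut = 6 * ch.lambda_d_i ** 2 * ch.lambda_du_i * t_ce(ch, tau) * t_ge(ch, 3, 1, tau)
        return comb(n, 3) * cut, ccf
    return 0.0, ccf


# Table 3 of the paper (tau = 1 year)
TABLE_3 = Channel(lambda_d=0.5e-6, dc=0.6, beta=0.1, beta_d=0.05, mrt=8.0, mttr=8.0)


def independent_parts(ch: Channel = TABLE_3, tau: float = YEAR) -> dict[str, float]:
    """Independent-failure contributions quoted in eq. (10), Section 5.1.3 and
    the 'Proposal (9)' column of Table 5."""
    groups = {"1oo2:G": (2, 1), "2oo3:G": (3, 2), "3oo4:G": (4, 3), "1oo3:G": (3, 1)}
    return {name: pfh_extended(ch, n, k, tau)[0] for name, (n, k) in groups.items()}


if __name__ == "__main__":
    for name, value in independent_parts().items():
        print(f"{name}: independent PFH contribution = {value:.2e} per hour")
    print(f"DU-CCF contribution (eq. (8)/(12)) = {TABLE_3.beta * TABLE_3.lambda_du:.2e} per hour")
```

The values agree with the paper's $2.84\cdot10^{-10}$ (1oo2:G), $3.35\cdot10^{-13}$ (1oo3:G) and the Table 5 column within rounding of the intermediate downtimes.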

6.1. Scenario 1

In this scenario, the demand rate is assumed to be so high that the mean demand interval is less than one month.

6.1.1. noon:G voted group

The group is a series structure and fails when the first channel D-failure occurs in the proof test interval. If this failure is a DD-failure, it is a detected SIF failure, and the EUC is immediately brought to a safe state. If the failure is a DU-failure, it is an undetected dangerous group failure. It is, therefore, sufficient to consider only DU-failures to determine the PFH, and we get the same result as in (6).

6.1.2. (n − 1)oon:G voted group

For this group, a dangerous group failure occurs when at least two of the $n$ channels have a dangerous failure at the same time. The total PFH of the voted group can be divided into the PFH contributions from three combinations of failures.

(i) The first independent channel DU-failure occurs with rate $n\lambda_{DU,i}$ at a random time $t$ in $(0,\tau)$. A dangerous group failure occurs as soon as one of the remaining $n-1$ channels gets an independent D-failure in $(t,\tau)$. The probability of a dangerous group failure (DGF) in $(0,\tau)$ is therefore

$$\begin{aligned}
\Pr[\text{DGF in }(0,\tau)] &= \int_0^{\tau}\left[1 - e^{-(n-1)\lambda_{D,i}(\tau - t)}\right] n\lambda_{DU,i}\,e^{-n\lambda_{DU,i}t}\,dt \\
&\approx \int_0^{\tau}(n-1)\lambda_{D,i}(\tau - t)\,n\lambda_{DU,i}\,dt \\
&= n(n-1)\lambda_{D,i}\lambda_{DU,i}\int_0^{\tau}(\tau - t)\,dt \\
&= \binom{n}{2}\left[(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right](1-\beta)\lambda_{DU}\,\tau^2
\end{aligned}$$

by using the approximations $1 - e^{-(n-1)\lambda_{D,i}(\tau-t)} \approx (n-1)\lambda_{D,i}(\tau-t)$ and $e^{-n\lambda_{DU,i}t} \approx 1$.

Based on the same arguments that were used to derive (6), the (average) PFH contribution from this combination of failures in the proof test interval $(0,\tau)$ is

$$PFH_{(n-1)oon:G,a} = \frac{\Pr[\text{DGF in }(0,\tau)]}{\tau} \approx \binom{n}{2}\left[(1-\beta)^2\lambda_{DU}^2 + (1-\beta_D)\lambda_{DD}(1-\beta)\lambda_{DU}\right]\tau \qquad (13)$$

(ii) The first independent channel DD-failure occurs with rate $n\lambda_{DD,i}$. A dangerous group failure occurs if a channel D-failure occurs during the downtime of the first DD-failure. If this D-failure is a DD-failure, we have a detected dangerous SIF failure and the EUC is immediately brought to a safe state. Therefore, the second failure must be a DU-failure for a dangerous group failure to occur. The PFH contribution from this combination of failures is then

$$\begin{aligned}
PFH_{(n-1)oon:G,b} &= n\lambda_{DD,i}\left(1 - e^{-(n-1)\lambda_{DU,i}\,MTTR_{DD}}\right) \\
&\approx n(n-1)\lambda_{DD,i}\lambda_{DU,i}\,MTTR_{DD} \\
&= 2\binom{n}{2}(1-\beta_D)\lambda_{DD}(1-\beta)\lambda_{DU}\,MTTR_{DD}
\end{aligned} \qquad (14)$$

when $(n-1)\lambda_{DU,i}\,MTTR_{DD} \le 0.10$.

(iii) A DU-CCF causes a dangerous group failure, and the contribution to the PFH is

$$PFH_{(n-1)oon:G,C} = \beta\lambda_{DU} \qquad (15)$$

Combining the contributions to the PFH from the three types of failures, the total PFH of the $(n-1)$oon:G voted group becomes

$$\begin{aligned}
PFH_{(n-1)oon:G} &= PFH_{(n-1)oon:G,a} + PFH_{(n-1)oon:G,b} + PFH_{(n-1)oon:G,C} \\
&\approx \binom{n}{2}\Big\{\left[(1-\beta)^2\lambda_{DU}^2 + (1-\beta_D)\lambda_{DD}(1-\beta)\lambda_{DU}\right]\tau + 2(1-\beta_D)\lambda_{DD}(1-\beta)\lambda_{DU}\,MTTR_{DD}\Big\} + \beta\lambda_{DU}
\end{aligned} \qquad (16)$$

6.1.3. koon:G voted group with n − k ≥ 2

For this group, at least three channels must have simultaneous D-failures for a dangerous group failure to occur. Most SIFs are so reliable that the probability of having three or more independent channel D-failures in the same test interval is negligible. The PFH of voted groups with HFT ≥ 2 can therefore be adequately approximated by the contribution from DU-CCFs:

$$PFH_{koon:G} \approx \beta\lambda_{DU} \qquad (17)$$

General PFH formulas for koon voted groups with both DD- and DU-failures are developed by Jin et al. (2013).

6.2. Scenario 2

In this scenario, the demand rate is relatively low, such that the mean demand interval is between one month and one year. The probability of having a demand while a DD-failure is restored is negligible, and we may therefore assume that the final failure causing a dangerous group failure is a DU-failure.

6.2.1. noon:G voted group

This group is a series structure, and a dangerous group failure occurs when the first channel D-failure occurs. When the channel gets a DD-failure, this is a detected SIF failure, and the EUC is immediately brought to a safe state. The PFH is thus determined by considering only DU-failures, and we get the same result as in (6).

6.2.2. (n − 1)oon:G voted group

Three combinations of dangerous failures contribute to the total PFH in the proof test interval $(0,\tau)$.

(i) First, one of the $n$ channels gets an independent DD-failure. A dangerous group failure occurs as soon as an independent DU-failure occurs in one of the remaining $n-1$ channels during the restoration of the first DD-failure. The contribution to the PFH from this combination of failures is

$$\begin{aligned}
PFH_{(n-1)oon:G,a} &= n\lambda_{DD,i}\left(1 - e^{-(n-1)\lambda_{DU,i}\,MTTR_{DD}}\right) \\
&\approx n\lambda_{DD,i}(n-1)\lambda_{DU,i}\,MTTR_{DD} \\
&= 2\binom{n}{2}(1-\beta_D)\lambda_{DD}(1-\beta)\lambda_{DU}\,MTTR_{DD}
\end{aligned} \qquad (18)$$

(ii) First, an independent channel DU-failure occurs. As the final channel failure must be a DU-failure, the contribution to the PFH from this combination of failures is therefore

$$\begin{aligned}
PFH_{(n-1)oon:G,b} &= \frac{\int_0^{\tau} n\lambda_{DU,i}\left[1 - e^{-(n-1)\lambda_{DU,i}(\tau - t)}\right]dt}{\tau} \\
&\approx \frac{\int_0^{\tau} n\lambda_{DU,i}(n-1)\lambda_{DU,i}(\tau - t)\,dt}{\tau} \\
&= \binom{n}{2}(1-\beta)^2\lambda_{DU}^2\,\tau
\end{aligned} \qquad (19)$$

(iii) A DU-CCF occurs and causes a dangerous group failure. The contribution to the PFH from CCFs is

$$PFH_{(n-1)oon:G,C} = \beta\lambda_{DU} \qquad (20)$$

Therefore, combining the PFH contributions from the three types of failures, the total PFH of the $(n-1)$oon:G voted group is

$$\begin{aligned}
PFH_{(n-1)oon:G} &= PFH_{(n-1)oon:G,a} + PFH_{(n-1)oon:G,b} + PFH_{(n-1)oon:G,C} \\
&\approx \binom{n}{2}\left[2(1-\beta_D)\lambda_{DD}(1-\beta)\lambda_{DU}\,MTTR_{DD} + (1-\beta)^2\lambda_{DU}^2\,\tau\right] + \beta\lambda_{DU}
\end{aligned} \qquad (21)$$

6.2.3. koon:G voted group with n − k ≥ 2

The hardware fault tolerance for this group is HFT ≥ 2. Given that the final channel failure is a DU-failure, at least two other independent D-failures must occur in the proof test interval $(0,\tau)$ for a dangerous group failure to occur. As the probability of additional failures while a DD-failure is restored is negligible, two types of failures give dangerous group failures in the proof test interval $(0,\tau)$.

(i) At least $n-k+1$ independent DU-failures occur. Let $N_G(\tau)$ denote the number of channels that fail during the proof test interval. The probability that at least $n-k+1$ channels fail during $(0,\tau)$ is therefore

$$\Pr(N_G(\tau) \ge n-k+1) = \sum_{j=n-k+1}^{n}\binom{n}{j}\left(1 - e^{-\lambda_{DU,i}\tau}\right)^j\left(e^{-\lambda_{DU,i}\tau}\right)^{n-j} \qquad (22)$$

Within the proof test interval $(0,\tau)$, the expected number of dangerous group failures is thus

$$E[N_G(\tau)] = 0\cdot\Pr(N_G(\tau)=0) + 1\cdot\Pr(N_G(\tau)=1) = \Pr(N(\tau) \ge n-k+1) \qquad (23)$$

The contribution to the PFH from independent failures is therefore

$$\begin{aligned}
PFH_{koon:G,a} &= \frac{E[N_G(\tau)]}{\tau} = \frac{1}{\tau}\sum_{j=n-k+1}^{n}\binom{n}{j}\left(1 - e^{-\lambda_{DU,i}\tau}\right)^j\left(e^{-\lambda_{DU,i}\tau}\right)^{n-j} \\
&\approx \frac{1}{\tau}\binom{n}{n-k+1}\left(\lambda_{DU,i}\tau\right)^{n-k+1} \\
&= \binom{n}{n-k+1}\left[(1-\beta)\lambda_{DU}\right]^{n-k+1}\tau^{n-k}
\end{aligned} \qquad (24)$$

by using the approximations $1 - e^{-\lambda_{DU,i}\tau} \approx \lambda_{DU,i}\tau$ and $e^{-\lambda_{DU,i}\tau} \approx 1$, and keeping only the leading term $j = n-k+1$ of the sum.

(ii) A DU-CCF occurs, and the contribution to the PFH is

$$PFH_{koon:G,C} = \beta\lambda_{DU} \qquad (25)$$

Combining the PFH contributions, the total PFH of a koon:G voted group becomes

$$PFH_{koon:G} = PFH_{koon:G,a} + PFH_{koon:G,C} \approx \binom{n}{n-k+1}\left[(1-\beta)\lambda_{DU}\right]^{n-k+1}\tau^{n-k} + \beta\lambda_{DU} \qquad (26)$$

7. Discussion

The two sets of PFH formulas are derived under slightly different assumptions. The extended PFH formulas are based on the same idea as the IEC formulas for PFH, and it is tacitly assumed that the final channel failure must be a DU-failure. If the final failure is a DD-failure, this failure is detected and restored. The probability that a demand occurs during the restoration time (MTTR) is assumed to be so low that the contribution from DD-failures can be disregarded. For the second set of PFH formulas, it is assumed that the demand rate is so high that DD-failures cannot be disregarded. These formulas will, therefore, give a more conservative PFH value than what is obtained by using the first set of formulas for the same voted group and the same input data.

If we assume that the final channel failure causing a SIF failure is a DD-failure, then, given the mean downtime $MTTR_{DD}$ and the demand rate $\lambda_{DE}$, the probability of a demand occurring during the SIF mean downtime can be approximated by

$$1 - e^{-\lambda_{DE}\,MTTR_{DD}} \approx \lambda_{DE}\,MTTR_{DD}$$

If we set $MTTR_{DD}$ = 8 hours and let the mean demand interval vary between 1 day and 1 year, we find that the probability of a hazardous event occurring while the SIF is unavailable increases with the demand rate, as shown in Table 4. When the demand rate increases to once per month, a hazardous event may occur during the SIF mean downtime with a probability greater than 1%. This probability increases dramatically to more than 20 percent when the demand rate reaches once per day. This means that when the demand interval is between one day and one month, the probability of a demand occurring during the restoration of a DD-failure is rather
high. Even when the DD-failure is detected, it cannot be considered fully "safe" in this case.

Table 4
The probability of a hazardous event ($MTTR_{DD}$ = 8 h).

Mean demand interval   Probability of a hazardous event
1 day                  $2.84\cdot10^{-1}$
1 month                $1.09\cdot10^{-2}$
3 months               $0.36\cdot10^{-2}$
6 months               $0.18\cdot10^{-2}$
1 year                 $9.13\cdot10^{-4}$

Using the failure data in Table 3, we compare the results obtained by the IEC formulas for PFH with the results obtained by the extended PFH formulas and by the second set of PFH formulas. The comparison is carried out for the PFH contribution from independent failures, because the PFH contribution from CCFs dominates the total PFH of a voted group with HFT ≥ 1. The diagnostic test interval is assumed to be negligible, and the mean repair time (MRT) related to a DU-failure and the MTTR related to a DD-failure are both equal to 8 h.

Assuming that the proof test is perfect and the demand rate is higher than once per month, the PFH contribution from independent failures is calculated for several koon:G voted groups in Table 5, based on the IEC formulas, the extended PFH formulas and the new simplified PFH formulas. Table 5 shows that the IEC formulas and the extended PFH formulas give the same results, as they are both derived under the same assumption and disregard the effect of DD-failures on the risk contribution. The second set of PFH formulas gives more conservative results than the IEC formulas and the extended PFH formulas, because the combinations of DD-failures and DU-failures causing a dangerous group failure are included in the second set of PFH formulas. It should also be noted that, given the parameters in Table 3, the PFH contribution from CCFs is of the order of $10^{-8}$. Compared to the PFH contribution from independent failures in Table 5, the PFH contribution from CCFs is dominant. If the CCFs are included in the comparison, the results from the three sets of formulas will be rather similar.

Table 5
The PFH contribution from independent failures ($\tau$ = 1 year).

Voted group   IEC formulas          Proposal (9)          Proposal (16)
1oo2:G        $2.84\cdot10^{-10}$   $2.84\cdot10^{-10}$   $7.33\cdot10^{-10}$
2oo3:G        $8.51\cdot10^{-10}$   $8.51\cdot10^{-10}$   $2.20\cdot10^{-9}$
3oo4:G        N/A                   $1.70\cdot10^{-9}$    $4.40\cdot10^{-9}$

Both new sets of PFH formulas assume that when a SIF failure is detected, the EUC is immediately brought to a safe state. In many cases, it is not possible to stop a process within a short time interval. A process shutdown may, for example, take a rather long time. The effect of this assumption should be subject to further study.

8. Concluding remarks

To provide the necessary risk reduction for the protected system, a SIF performed by a SIS has to meet a number of specified functional and safety integrity requirements. SIFs operating in low-demand mode have received a lot of attention, while publications discussing high-demand SIFs are scarce.

This paper has analyzed the reliability of a SIF operated in high-demand mode. The hazard and risk assessment before developing safety requirements is initially discussed. For SIFs operating in low-demand and high-demand mode, the associated safety requirements are compared. To meet the SIL requirement for a certain SIF, the safety performance should be evaluated with an appropriate modeling approach. Several methods for safety performance evaluation exist, including both static and dynamic approaches, each of which has its strengths and weaknesses. By using the approximation formulas presented in IEC 61508-6, the obtainable SILs are different when choosing $PFD_{avg}$ and PFH respectively. The main reason for this inconsistency is that these two sets of formulas are determined under different assumptions. The IEC formulas for PFH assume that the demand rate is relatively low, hence the final DD-failure which causes a dangerous group failure is disregarded in the PFH calculation. This is not fully reasonable, because the probability of a demand occurring during the restoration of a DD-failure always exists and increases dramatically with the demand rate, as shown in Table 4.

The approximate IEC formulas for PFH apply to voted groups with no more than three channels. This paper presents two sets of PFH formulas for different voted groups: one set is derived based on the same assumption as the IEC formulas for PFH, and the other set is derived considering different demand rates. The second set of PFH formulas incorporates the risk contribution from the final DD-failure when the demand rate is fairly high, and therefore gives more conservative results than the IEC formulas and the extended PFH formulas. Both new sets of PFH formulas indicate that CCFs make the greatest contribution to the PFH when the voted group has a high HFT, and the total PFH can then be approximated by the PFH contribution from CCFs.

Acknowledgments

This research is partly supported by the National Science Foundation of China (No. 71171142) and the Doctoral Fund of the Ministry of Education of China (20110032110034).

References

Baradits, G., 2010. Safety Instrumented System Management (Ph.D. thesis). University of Pannonia, Veszprém, Hungary.
Dutuit, Y., Innal, F., Rauzy, A., Signoret, J.-P., 2008. Probabilistic assessments in relationship with safety integrity levels by using fault trees. Reliab. Eng. Syst. Saf. 93, 1867–1876.
Hauge, S., Lundteigen, M.A., Hokstad, P., Håbrekke, S., 2013. Reliability Prediction Method for Safety Instrumented Systems. SINTEF.
Hoekstra, B., 2005. Safety integrity – not only a matter of reliability hardware. Bus. Brief. Explor. Prod. Oil Gas Rev. xx, 114–117.
Hokstad, P., Corneliussen, K., 2004. Loss of safety assessment and the IEC 61508 standard. Reliab. Eng. Syst. Saf. 83, 111–120.
IEC 61508, 2010. Functional Safety of Electrical/programmable Electronic Safety-related Systems. Parts 1–7. International Electrotechnical Commission, Geneva.
IEC 61511, 2003. Functional Safety – Safety Instrumented Systems for the Process Industry Sector. Parts 1–3. International Electrotechnical Commission, Geneva.
IEC 62061, 2012. Safety of Machinery – Functional Safety of Safety-related Electrical, Electronic and Programmable Electronic Control Systems. International Electrotechnical Commission, Geneva.
IEC 62551, 2012. Analysis Techniques for Dependability – Petri Net Techniques. International Electrotechnical Commission, Geneva.
Innal, F., 2008. Contribution to Modelling Safety Instrumented Systems and to Assessing Their Performance: Critical Analysis of IEC 61508 Standard (Ph.D. thesis). University of Bordeaux, France.
Innal, F., Dutuit, Y., Rauzy, A., Signoret, J.-P., 2010. New insight into the average probability of failure on demand and the probability of dangerous failure per hour of safety instrumented systems. J. Risk Reliab. 224, 75–86.
ISO 12100, 2010. Safety of Machinery – General Principles for Design – Risk Assessment and Risk Reduction. International Organization for Standardization, Geneva.
Jin, H., Lundteigen, M.A., Rausand, M., 2011. Reliability performance of safety instrumented systems: a common approach for both low- and high-demand mode of operation. Reliab. Eng. Syst. Saf. 96, 365–373.
Jin, H., Lundteigen, M.A., Rausand, M., 2012. Uncertainty assessment of reliability estimates for safety-instrumented systems. Proc. Inst. Mech. Eng. Part O: J. Risk Reliab. 226, 646–655.
Jin, H., Lundteigen, M.A., Rausand, M., 2013. New PFH-formulas for k-out-of-n:F-systems. Reliab. Eng. Syst. Saf. 111, 112–118.
Langeron, Y., Barros, A., Grall, A., Berenguer, C., 2008. Combination of safety integrity levels (SILs): a study of IEC 61508 merging rules. J. Loss Prev. Process Ind. 21, 437–449.
Liu, Y., Rausand, M., 2011. Reliability assessment of safety instrumented systems subject to different demand modes. J. Loss Prev. Process Ind. 24, 49–56.
Liu, Y., Rausand, M., 2013. Reliability effects of test strategies on safety-instrumented systems in different demand modes. Reliab. Eng. Syst. Saf. 119, 235–243.
Lundteigen, M.A., Rausand, M., 2007. Common cause failures in safety instrumented systems on oil and gas installations: implementing defense measures through function testing. J. Loss Prev. Process Ind. 20, 218–229.
Lundteigen, M.A., Rausand, M., 2009. Reliability assessment of safety instrumented systems in the oil and gas industry: a practical approach and a case study. Int. J. Reliab. Qual. Saf. Eng. 16, 187–212.
Oliveira, L.F., Abramovitch, R.N., 2010. Extension of ISA TR84.00.02 PFD equations to KooN architectures. Reliab. Eng. Syst. Saf. 95, 707–715.
OREDA, 2009. Offshore Reliability Data Handbook, fifth ed. OREDA Participants, Det Norske Veritas, NO 1322 Høvik, Norway.
Rausand, M., 2011. Risk Assessment: Theory, Methods, and Applications. Wiley, Hoboken, NJ.
Rausand, M., 2014. Reliability of Safety-critical Systems: Theory and Applications. Wiley, Hoboken, NJ.
Rausand, M., Høyland, A., 2004. System Reliability Theory: Models, Statistical Methods, and Applications, second ed. Wiley, Hoboken, NJ.
SIEMENS, 2007. Simatic Safety Integrated for Factory Automation – Practical Application of IEC 62061. Tech. rep. SIEMENS.
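As an added example (not code from the paper), the following Python script evaluates the second set of PFH formulas of Section 6 and the demand-during-restoration probability of Section 7 with the Table 3 data, reproducing the "Proposal (16)" column of Table 5 and the probabilities of Table 4. It assumes $\tau$ = 1 year = 8760 h and the Table 4 demand intervals converted to hours (1 day = 24 h, 1 month = 730 h, 3 months = 2190 h, 6 months = 4380 h); the exact binomial form of (24) is included to check the approximation.

```python
"""Second set of PFH formulas (Section 6, eqs (13)-(26)) and the probability
of a demand during the restoration of a DD-failure (Section 7, Table 4),
evaluated with the Table 3 data. Added example, not code from the paper."""
from math import comb, exp

YEAR = 8760.0  # hours; the formulas require time measured in hours

# Table 3 of the paper (rates per hour, times in hours)
LAMBDA_D, DC, BETA, BETA_D, MTTR_DD = 0.5e-6, 0.6, 0.1, 0.05, 8.0
LAMBDA_DD = DC * LAMBDA_D                 # eq. (3)
LAMBDA_DU = (1 - DC) * LAMBDA_D
LAMBDA_DD_I = (1 - BETA_D) * LAMBDA_DD    # independent rates of the
LAMBDA_DU_I = (1 - BETA) * LAMBDA_DU      # beta-factor model (Section 5)

# Mean demand intervals of Table 4 in hours (assumed calendar conversion)
DEMAND_INTERVALS_H = {"1 day": 24.0, "1 month": 730.0, "3 months": 2190.0,
                      "6 months": 4380.0, "1 year": 8760.0}


def pfh_scenario1(n, k, tau=YEAR, mttr_dd=MTTR_DD):
    """Scenario 1 (mean demand interval below one month) as (independent, DU-CCF).
    HFT = 0: eq. (6); HFT = 1: eqs (13) + (14); HFT >= 2: eq. (17)."""
    hft = n - k
    ccf = BETA * LAMBDA_DU
    if hft == 0:
        return n * LAMBDA_DU, 0.0                    # eq. (6); CCF sits inside lambda_DU
    if hft == 1:
        a = comb(n, 2) * (LAMBDA_DU_I ** 2 + LAMBDA_DD_I * LAMBDA_DU_I) * tau   # (13)
        b = n * LAMBDA_DD_I * (1 - exp(-(n - 1) * LAMBDA_DU_I * mttr_dd))      # (14)
        return a + b, ccf
    return 0.0, ccf                                  # eq. (17)


def pfh_scenario2(n, k, tau=YEAR, mttr_dd=MTTR_DD):
    """Scenario 2 (mean demand interval between one month and one year).
    HFT = 0: eq. (6); HFT = 1: eqs (18) + (19); HFT >= 2: eq. (24), approximate form."""
    hft = n - k
    ccf = BETA * LAMBDA_DU
    if hft == 0:
        return n * LAMBDA_DU, 0.0
    if hft == 1:
        a = n * LAMBDA_DD_I * (1 - exp(-(n - 1) * LAMBDA_DU_I * mttr_dd))      # (18)
        b = comb(n, 2) * LAMBDA_DU_I ** 2 * tau                                 # (19)
        return a + b, ccf
    m = n - k + 1                                    # channels that must fail
    return comb(n, m) * LAMBDA_DU_I ** m * tau ** (n - k), ccf


def pfh_scenario2_exact_independent(n, k, tau=YEAR):
    """Eq. (24) before its approximations: the binomial sum of eq. (22) over tau."""
    p = 1 - exp(-LAMBDA_DU_I * tau)
    return sum(comb(n, j) * p ** j * (1 - p) ** (n - j)
               for j in range(n - k + 1, n + 1)) / tau


def demand_during_restoration(mean_demand_interval_h, mttr_dd=MTTR_DD):
    """Section 7: probability that a demand occurs while the final DD-failure is
    being restored, 1 - exp(-lambda_DE * MTTR_DD) with lambda_DE = 1/interval."""
    return 1 - exp(-mttr_dd / mean_demand_interval_h)


def table_4():
    return {name: demand_during_restoration(h) for name, h in DEMAND_INTERVALS_H.items()}


def table_5_proposal_16():
    """Independent-failure contributions of the 'Proposal (16)' column of Table 5."""
    groups = {"1oo2:G": (2, 1), "2oo3:G": (3, 2), "3oo4:G": (4, 3)}
    return {name: pfh_scenario1(n, k)[0] for name, (n, k) in groups.items()}


if __name__ == "__main__":
    for name, p in table_4().items():
        print(f"{name:>9}: P(demand during restoration) = {p:.2e}")
    for name, v in table_5_proposal_16().items():
        print(f"{name}: independent PFH contribution (scenario 1) = {v:.2e} per hour")
```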