Professional Documents
Culture Documents
Appendix D 210618 - 1 - 2 - 2 - 2 - 2
Appendix D 210618 - 1 - 2 - 2 - 2 - 2
Application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry
(Recommended SIL requirements)
162 of 237
No.: 070 Established: February 2001 Revision no.: 03 Date revised: June 2018
PFD quantifies the loss of safety due to dangerous undetected failures (with rate λDU ), during the period when it is
unknown that the function is unavailable, i.e. between the proof test intervals. For a single component with proof test
interval 𝜏𝜏 the average duration of this period is τ/2. Hence, for a single (1oo1) component, PFD is calculated from the
formula:
Intuitively this formula can be interpreted as follows: λDU is the constant failure rate and τ/2 is the average period of
time that the component is unavailable given that the failure may occur at a random point in time within a proof test
interval 𝜏𝜏.
Note that the PFD is actually the average probability of failure on demand over a period of time, i.e., PFDavg as denoted
in IEC 61508. However, due to simplicity PFDavg is denoted as PFD in this appendix.
(ind.)
PFD1oo2 ≈ (𝜆𝜆DU ⋅ 𝜏𝜏)2 /3.
(CCF)
PFD1oo2 ≈ 𝛽𝛽 ⋅ (𝜆𝜆DU ⋅ 𝜏𝜏/2).
Here β is a component specific parameter, a fraction of failures of a single component that causes both the redundant
components to fail “simultaneously”.
The traditional way of accounting for common cause failures (CCF) has been the β-factor model. In this model, it is
assumed that a certain fraction of the failures (equal to β) are common cause, i.e., failures that will cause all the
redundant components to fail simultaneously or within a short time period.
In the PDS method, we use an extended version of the β-factor model that distinguishes between different types of
voting. Here, the rate of common cause failures explicitly depends on the configuration. The beta-factor of an MooN
voting logic may be expressed as 𝛽𝛽 ∙ C𝑀𝑀oo𝑁𝑁 , where C𝑀𝑀oo𝑁𝑁 is a modification factor for various voting configurations and
𝛽𝛽 is the factor which applies for a 1oo2 voting. This means that if each of the 𝑁𝑁 redundant components has a failure
rate 𝜆𝜆DU , then the 𝑀𝑀oo𝑁𝑁 configuration will have a system failure rate due to CCF that equals: CMooN ∙ 𝛽𝛽 ∙ 𝜆𝜆DU . Table
D.1 summarises the suggested C𝑀𝑀oo𝑁𝑁 values for some typical voting configurations. Reference is also made to Table
D.5 in IEC 61508-6 for similar factors.