Norwegian Oil and Gas Association

Application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry
(Recommended SIL requirements)
162 of 237
No.: 070 Established: February 2001 Revision no.: 03 Date revised: June 2018

D.1 Probability of failure on demand (PFD)


PFD is defined as the average probability that a safety system is unable to perform its safety function upon a demand.

PFD quantifies the loss of safety due to dangerous undetected failures (with rate $\lambda_{DU}$), during the period when it is unknown that the function is unavailable, i.e. between the proof test intervals. For a single component with proof test interval $\tau$ the average duration of this period is $\tau/2$. Hence, for a single (1oo1) component, PFD is calculated from the formula:

$$PFD \approx \lambda_{DU} \cdot \tau/2.$$

Intuitively this formula can be interpreted as follows: $\lambda_{DU}$ is the constant failure rate and $\tau/2$ is the average period of time that the component is unavailable, given that the failure may occur at a random point in time within a proof test interval $\tau$.

Note that the PFD is actually the average probability of failure on demand over a period of time, i.e., $PFD_{avg}$ as denoted in IEC 61508. However, for simplicity, $PFD_{avg}$ is denoted PFD in this appendix.

D.1.1 Independent failures, common cause failures and formulas


When quantifying the PFD of systems with redundancy it is essential to distinguish between independent failures (ind.)
and common cause failures (CCF). CCFs are "simultaneous" failures of more than one component due to a shared cause.
For all systems with redundant components, e.g. 1oo2, 2oo3 or 1oo3 voted components/systems, the PFD consists of
an independent contribution and a common cause contribution. E.g., for a duplicated module, voted 1oo2, we have the
following independent contribution and CCF contribution respectively:

$$PFD_{1oo2}^{(ind.)} \approx (\lambda_{DU} \cdot \tau)^2 / 3.$$

$$PFD_{1oo2}^{(CCF)} \approx \beta \cdot (\lambda_{DU} \cdot \tau / 2).$$

The total PFD then becomes:

$$PFD_{1oo2} \approx \frac{(\lambda_{DU} \cdot \tau)^2}{3} + \beta \cdot (\lambda_{DU} \cdot \tau / 2).$$

Here β is a component specific parameter, a fraction of failures of a single component that causes both the redundant
components to fail “simultaneously”.

The traditional way of accounting for common cause failures (CCF) has been the β-factor model. In this model, it is
assumed that a certain fraction of the failures (equal to β) are common cause, i.e., failures that will cause all the
redundant components to fail simultaneously or within a short time period.

In the PDS method, we use an extended version of the β-factor model that distinguishes between different types of voting. Here, the rate of common cause failures explicitly depends on the configuration. The beta-factor of an MooN voting logic may be expressed as $\beta \cdot C_{MooN}$, where $C_{MooN}$ is a modification factor for various voting configurations and $\beta$ is the factor which applies for a 1oo2 voting. This means that if each of the $N$ redundant components has a failure rate $\lambda_{DU}$, then the MooN configuration will have a system failure rate due to CCF that equals $C_{MooN} \cdot \beta \cdot \lambda_{DU}$. Table D.1 summarises the suggested $C_{MooN}$ values for some typical voting configurations. Reference is also made to Table D.5 in IEC 61508-6 for similar factors.
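As an added worked example (not part of the guideline), the following Python applies the 1oo1 and 1oo2 formulas above and the extended β-factor CCF term for an MooN vote. The failure rate, proof test interval and β below are constructed inputs; the $C_{MooN}$ value is passed in as a parameter because the values of Table D.1 are not on this page (only $C_{1oo2} = 1$ follows from β being defined for the 1oo2 case); the SIL bands are the low-demand $PFD_{avg}$ ranges of IEC 61508-1 and the exact 1oo1 expression is a standard result, neither of which is quoted in this appendix.

```python
"""Worked PFD calculation for the 1oo1 / 1oo2 / MooN formulas of Appendix D.1.

Added example, not part of the guideline. All input values are constructed.
"""
import math

# Low-demand PFDavg bands per SIL from IEC 61508-1 (not quoted on this page):
# lower bound inclusive, upper bound exclusive.
SIL_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}


def pfd_1oo1(lambda_du: float, tau: float) -> float:
    """Single component: PFD ~ lambda_DU * tau / 2 (the appendix formula).

    The approximation assumes lambda_DU * tau << 1.
    """
    return lambda_du * tau / 2.0


def pfd_1oo1_exact(lambda_du: float, tau: float) -> float:
    """Time-averaged unavailability over one proof-test interval,
    1 - (1 - exp(-x)) / x with x = lambda_DU * tau.  Standard result
    (not on this page), used only to check the size of the approximation."""
    x = lambda_du * tau
    return 1.0 - (1.0 - math.exp(-x)) / x


def pfd_1oo2(lambda_du: float, tau: float, beta: float) -> dict:
    """Duplicated module voted 1oo2: independent and CCF contributions."""
    ind = (lambda_du * tau) ** 2 / 3.0      # (lambda_DU * tau)^2 / 3
    ccf = beta * (lambda_du * tau / 2.0)    # beta * (lambda_DU * tau / 2)
    return {"ind": ind, "ccf": ccf, "total": ind + ccf}


def pfd_ccf_moon(lambda_du: float, tau: float, beta: float, c_moon: float) -> float:
    """CCF contribution for an MooN vote in the extended beta-factor model:
    system CCF rate C_MooN * beta * lambda_DU, unavailable for tau/2 on average.
    c_moon is taken from Table D.1 by the caller (values not reproduced here);
    C_1oo2 = 1 because beta is defined for the 1oo2 case."""
    return c_moon * beta * lambda_du * tau / 2.0


def sil_from_pfd(pfd: float):
    """SIL whose low-demand band contains pfd, or None if outside the table."""
    for sil, (lower, upper) in SIL_BANDS.items():
        if lower <= pfd < upper:
            return sil
    return None


if __name__ == "__main__":
    # Constructed inputs: lambda_DU per hour, tau in hours (annual proof test), beta.
    LAMBDA_DU, TAU, BETA = 1.0e-6, 8760.0, 0.05

    single = pfd_1oo1(LAMBDA_DU, TAU)
    print(f"1oo1: PFD={single:.3e} (exact {pfd_1oo1_exact(LAMBDA_DU, TAU):.3e})"
          f" -> SIL {sil_from_pfd(single)}")

    dup = pfd_1oo2(LAMBDA_DU, TAU, BETA)
    print(f"1oo2: ind={dup['ind']:.3e} ccf={dup['ccf']:.3e} "
          f"total={dup['total']:.3e} -> SIL {sil_from_pfd(dup['total'])}")

    # With beta = 0.05 the CCF term dominates the 1oo2 result, so lowering
    # beta or shortening tau moves the figure more than extra redundancy would.
    print(f"1oo2 CCF via the MooN form with C_1oo2 = 1: "
          f"{pfd_ccf_moon(LAMBDA_DU, TAU, BETA, 1.0):.3e}")
```

With the constructed inputs the single component lands in the SIL 2 band and the 1oo2 pair in the SIL 3 band, and almost all of the 1oo2 figure is the CCF term, which is the practical point of the β-factor discussion: past a 1oo2 vote, the achievable PFD is governed by β and τ rather than by the independent term.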