Norwegian Oil and Gas Association
Appendix D 210618 - 1 - 2 - 2 - 2 - 3
Application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry
(Recommended SIL requirements)
162 of 237
No.: 070 Established: February 2001 Revision no.: 03 Date revised: June 2018
PFD quantifies the loss of safety due to dangerous undetected failures (with rate λDU), during the period when it is
unknown that the function is unavailable, i.e. between the proof test intervals. For a single component with proof test
interval τ the average duration of this period is τ/2. Hence, for a single (1oo1) component, PFD is calculated from the
formula:
Intuitively this formula can be interpreted as follows: λDU is the constant failure rate and τ/2 is the average period of
time that the component is unavailable given that the failure may occur at a random point in time within a proof test
interval τ.
Note that the PFD is actually the average probability of failure on demand over a period of time, i.e., PFDavg as denoted
in IEC 61508. However, for simplicity PFDavg is denoted as PFD in this appendix.
$$\mathrm{PFD}_{1oo2}^{(\mathrm{ind.})} \approx \frac{(\lambda_{DU} \cdot \tau)^2}{3}$$

$$\mathrm{PFD}_{1oo2}^{(\mathrm{CCF})} \approx \beta \cdot \frac{\lambda_{DU} \cdot \tau}{2}$$
Here β is a component specific parameter, a fraction of failures of a single component that causes both the redundant
components to fail “simultaneously”.
The traditional way of accounting for common cause failures (CCF) has been the β-factor model. In this model, it is
assumed that a certain fraction of the failures (equal to β) are common cause, i.e., failures that will cause all the
redundant components to fail simultaneously or within a short time period.
In the PDS method, we use an extended version of the β-factor model that distinguishes between different types of
voting. Here, the rate of common cause failures explicitly depends on the configuration. The beta-factor of an MooN
voting logic may be expressed as β · CMooN, where CMooN is a modification factor for various voting configurations and
β is the factor which applies for a 1oo2 voting. This means that if each of the N redundant components has a failure
rate λDU, then the MooN configuration will have a system failure rate due to CCF that equals: CMooN · β · λDU. Table
D.1 summarises the suggested CMooN values for some typical voting configurations. Reference is also made to Table
D.5 in IEC 61508-6 for similar factors.
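A worked calculation of the simplified formulas above, added here as an example; it is not taken from the guideline or from the PDS handbook. The failure rate, proof test interval and β are constructed sample values, and the CMooN factor is passed in by the caller because Table D.1 is not reproduced here (only C1oo2 = 1 follows from the text, since β is defined for 1oo2).

```python
# Added worked example, not taken from the guideline or the PDS handbook.
# Implements the simplified PDS formulas quoted above for a perfect proof
# test. lambda_du in failures per hour, tau in hours, beta and c_moon
# dimensionless.

def pfd_1oo1(lambda_du: float, tau: float) -> float:
    """Single component: rate of dangerous undetected failures times the
    average time such a failure stays unrevealed, tau/2."""
    return lambda_du * tau / 2.0


def pfd_1oo2_independent(lambda_du: float, tau: float) -> float:
    """1oo2, both channels failing independently: (lambda_DU * tau)^2 / 3."""
    return (lambda_du * tau) ** 2 / 3.0


def pfd_1oo2_ccf(lambda_du: float, tau: float, beta: float) -> float:
    """1oo2 common cause part: a fraction beta of single-channel failures
    takes both channels down, so beta * (lambda_DU * tau / 2)."""
    return beta * pfd_1oo1(lambda_du, tau)


def pfd_1oo2(lambda_du: float, tau: float, beta: float) -> dict:
    """Total 1oo2 PFD as independent + CCF, returned with its parts so the
    dominating term is visible."""
    ind = pfd_1oo2_independent(lambda_du, tau)
    ccf = pfd_1oo2_ccf(lambda_du, tau, beta)
    return {"independent": ind, "ccf": ccf, "total": ind + ccf}


def ccf_rate_moon(lambda_du: float, beta: float, c_moon: float) -> float:
    """System failure rate due to CCF for an MooN voting: C_MooN * beta *
    lambda_DU. c_moon is the Table D.1 factor (assumed input here); the
    text fixes C_1oo2 = 1 because beta is defined for 1oo2."""
    return c_moon * beta * lambda_du


def pfd_moon_ccf(lambda_du: float, tau: float, beta: float, c_moon: float) -> float:
    """CCF contribution to PFD for MooN: the CCF rate treated as a 1oo1
    undetected failure rate over the same proof test interval."""
    return ccf_rate_moon(lambda_du, beta, c_moon) * tau / 2.0


if __name__ == "__main__":
    # Constructed sample values: lambda_DU = 1e-6 per hour, annual proof
    # test (8760 h), beta = 5 %.
    parts = pfd_1oo2(1e-6, 8760.0, 0.05)
    for name, value in parts.items():
        print(f"{name:12s} {value:.3e}")
    # For these inputs the CCF term is about 8.6 times the independent term,
    # so the beta-factor treatment matters more than the voting itself.
    print("CCF / independent =", parts["ccf"] / parts["independent"])
```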
Modelling of CCF for components with non-identical characteristics, e.g. differing failure rates or proof test intervals,
is more complicated. For details on this topic, reference is made to the PDS method handbook and the PDS example
collection. See also the PDS 2013 method handbook for more formulas and background information on CCF, the CMooN
factor, etc.
The formulas in Table D.2 assume that the proof test performed at interval τ is "perfect", i.e. all failures can be revealed
upon this proof test. If the test is non-perfect, suggested calculations are given in section D.2. Also, the known downtime
unavailability due to e.g. maintenance and repair may be treated separately and added to the PFD figure.
Downtime unavailability is often expressed by mean time to restoration (MTTR) or mean repair time (MRT). MRT
encompasses the time elapsing from when the failure is detected until the component is put back into operation. MTTR also
encompasses the time to detect the failure (in addition to the time elapsing from when the failure is detected until the
component is put back into operation). Further description of and suggested formulas for downtime unavailability are
given in the PDS method handbook, where downtime unavailability is denoted DTU.
Note that the downtime unavailability is often small compared to the PFD contributions from undetected failures given
in Table 3.2, i.e., usually MTTR << τ, in which case the downtime contribution is neglected. This is, however, not always
the case; e.g., for subsea production equipment the MTTR could be rather long.
The analytical formulas described above are developed and applicable for a limited range of voting arrangements and
may fall short when considering multiple safety systems and complex architectures. Instead, for more complex cases,
where dependencies between multiple protection layers should be modelled in detail, reference is made to methods
such as time dependent fault trees and Petri nets as described in IEC 61508-6 appendix B and in ISO/TR 12489.
In the PDS method handbook a simplified approach towards modelling dependencies between multiple protection layers
has been suggested, using a correction factor (CF) for multiple systems. Basically this correction factor caters for the