
Norwegian Oil and Gas Association

Application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry
(Recommended SIL requirements)
162 of 237
No.: 070 Established: February 2001 Revision no.: 03 Date revised: June 2018

D.1 Probability of failure on demand (PFD)


PFD is defined as the average probability that a safety system is unable to perform its safety function upon a demand.

PFD quantifies the loss of safety due to dangerous undetected failures (with rate $\lambda_{DU}$), during the period when it is
unknown that the function is unavailable, i.e. between the proof test intervals. For a single component with proof test
interval $\tau$ the average duration of this period is $\tau/2$. Hence, for a single (1oo1) component, PFD is calculated from the
formula:

$$\text{PFD} \approx \lambda_{DU} \cdot \tau/2.$$

Intuitively this formula can be interpreted as follows: $\lambda_{DU}$ is the constant failure rate and $\tau/2$ is the average period of
time that the component is unavailable given that the failure may occur at a random point in time within a proof test
interval $\tau$.

Note that the PFD is actually the average probability of failure on demand over a period of time, i.e., PFDavg as denoted
in IEC 61508. However, due to simplicity PFDavg is denoted as PFD in this appendix.

D.1.1 Independent failures, common cause failures and formulas


When quantifying the PFD of systems with redundancy it is essential to distinguish between independent failures (ind.)
and common cause failures (CCF). CCF are "simultaneous" failure of more than one component due to a shared cause.
For all systems with redundant components, e.g. 1oo2, 2oo3 or 1oo3 voted components/systems, the PFD consists of
an independent contribution and a common cause contribution. E.g., for a duplicated module, voted 1oo2, we have the
following independent contribution and CCF contribution respectively:

$$\text{PFD}_{1oo2}^{(\text{ind.})} \approx (\lambda_{DU} \cdot \tau)^2 / 3.$$

$$\text{PFD}_{1oo2}^{(\text{CCF})} \approx \beta \cdot (\lambda_{DU} \cdot \tau/2).$$

The total PFD then becomes:

$$\text{PFD}_{1oo2} \approx \frac{(\lambda_{DU} \cdot \tau)^2}{3} + \beta \cdot (\lambda_{DU} \cdot \tau/2).$$

Here β is a component specific parameter, a fraction of failures of a single component that causes both the redundant
components to fail “simultaneously”.

The traditional way of accounting for common cause failures (CCF) has been the β-factor model. In this model, it is
assumed that a certain fraction of the failures (equal to β) are common cause, i.e., failures that will cause all the
redundant components to fail simultaneously or within a short time period.

In the PDS method, we use an extended version of the β-factor model that distinguishes between different types of
voting. Here, the rate of common cause failures explicitly depends on the configuration. The beta-factor of an MooN
voting logic may be expressed as $\beta \cdot C_{MooN}$, where $C_{MooN}$ is a modification factor for various voting configurations and
$\beta$ is the factor which applies for a 1oo2 voting. This means that if each of the $N$ redundant components has a failure
rate $\lambda_{DU}$, then the $MooN$ configuration will have a system failure rate due to CCF that equals $C_{MooN} \cdot \beta \cdot \lambda_{DU}$. Table
D.1 summarises the suggested $C_{MooN}$ values for some typical voting configurations. Reference is also made to Table
D.5 in IEC 61508-6 for similar factors.

Modelling of CCF for components with non-identical characteristics, e.g. differing failure rates or proof test intervals,
is more complicated. For details on this topic, reference is made to the PDS method handbook and the PDS example
collection. See also the PDS 2013 method handbook for more formulas and background information on CCF, the $C_{MooN}$
factor, etc.

The formulas in Table D.2 assume that the proof test performed at interval τ is "perfect", i.e. all failures can be revealed
upon this proof test. If the test is non-perfect, suggested calculations are given in section D.2. Also, the known downtime
unavailability due to e.g. maintenance and repair may be treated separately and added to the PFD figure.

D.1.2 Total PFD of a safety function


The PFD of a safety function is calculated by combining the PFD contributions of all components/voting of the function,
including both independent failures and common cause failures. For a function where all components need to function
and all components are voted 1oo1, the PFD of the safety function is simply calculated by adding the independent PFD
contributions from all components. If other voting than 1oo1, 2oo2, ... NooN are represented, also the common causes
contributions shall be included in the total PFD. When calculating the PFD of a system, the contributing voting to the
PFD can be identified e.g. by reliability block diagrams (as seen in Appendix A of the present guideline).
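The following is an added worked example, not part of the guideline, that carries the formulas of D.1 to D.1.2 through for a small shutdown function. It implements the 1oo1 formula $\lambda_{DU}\tau/2$, the 1oo2 independent and CCF contributions, the $C_{MooN} \cdot \beta \cdot \lambda_{DU}$ CCF rate (turned into a PFD contribution by the same $\tau/2$ argument as for 1oo1), and the D.1.2 summation over all voted groups of a function. It goes beyond the page in one respect: the independent contribution is written for general MooN voting (the page only gives 1oo1 and 1oo2), using the standard combinatorial form for identical components with perfect, simultaneous proof tests, which reduces to the page's two formulas. The failure rates, proof test interval, $\beta$ and $C_{MooN}$ values are constructed for illustration; real values must come from the component data and from Table D.1.

```python
"""PFD of a safety function from its voted groups (added example).

Assumptions, labelled here and in the comments below:
  * identical components within a group, perfect proof test at interval tau;
  * the CCF contribution of an MooN group is C_MooN * beta * lambda_DU * tau / 2,
    with C_1oo2 = 1 (beta is defined on the 1oo2 voting);
  * all numeric parameter values are constructed, not taken from any table.
"""
from math import comb
from typing import NamedTuple

HOURS_PER_YEAR = 8760.0


class VotedGroup(NamedTuple):
    name: str
    lambda_du: float      # dangerous undetected failure rate, per hour
    tau: float            # proof test interval, hours
    m: int = 1            # M in MooN
    n: int = 1            # N in MooN
    beta: float = 0.0     # common cause fraction (1oo2 basis)
    c_moon: float = 1.0   # PDS modification factor C_MooN (assumed value)


def pfd_1oo1(lambda_du: float, tau: float) -> float:
    """Single component: PFD ~ lambda_DU * tau / 2."""
    return lambda_du * tau / 2


def pfd_independent(lambda_du: float, tau: float, m: int, n: int) -> float:
    """Independent-failure contribution of an MooN group.

    k = N - M + 1 components must fail for the group to fail; there are C(N, k)
    such sets and each contributes (lambda_DU * tau)^k / (k + 1).
    This generalises the page's formulas: 1oo1 -> lambda*tau/2, 1oo2 -> (lambda*tau)^2/3.
    """
    if not 1 <= m <= n:
        raise ValueError("MooN requires 1 <= M <= N")
    k = n - m + 1
    return comb(n, k) * (lambda_du * tau) ** k / (k + 1)


def pfd_ccf(lambda_du: float, tau: float, beta: float, c_moon: float = 1.0, n: int = 2) -> float:
    """CCF contribution: system CCF rate C_MooN * beta * lambda_DU, unavailable on average tau/2."""
    if n == 1:
        return 0.0          # no redundancy, hence no common cause term
    return c_moon * beta * lambda_du * tau / 2


def pfd_group(g: VotedGroup) -> float:
    """Total PFD of one voted group = independent + CCF (D.1.1)."""
    return pfd_independent(g.lambda_du, g.tau, g.m, g.n) + pfd_ccf(g.lambda_du, g.tau, g.beta, g.c_moon, g.n)


def pfd_function(groups: list[VotedGroup]) -> float:
    """D.1.2: all groups must work, so the function PFD is the sum of group PFDs."""
    return sum(pfd_group(g) for g in groups)


# Constructed example function: 1oo2 pressure transmitters, a 1oo1 logic
# solver and a single shutdown valve, all proof tested yearly.
EXAMPLE_FUNCTION = [
    VotedGroup("pressure transmitters", lambda_du=0.5e-6, tau=HOURS_PER_YEAR, m=1, n=2, beta=0.05),
    VotedGroup("logic solver", lambda_du=0.1e-6, tau=HOURS_PER_YEAR),
    VotedGroup("shutdown valve", lambda_du=2.0e-6, tau=HOURS_PER_YEAR),
]


def report(groups: list[VotedGroup]) -> dict[str, float]:
    """Per-group and total PFD, useful for seeing which element dominates."""
    out = {g.name: pfd_group(g) for g in groups}
    out["total"] = pfd_function(groups)
    return out


if __name__ == "__main__":
    for name, value in report(EXAMPLE_FUNCTION).items():
        print(f"{name:22s} PFD = {value:.3e}")
```

Running the block shows the typical picture a practitioner should check for: the single shutdown valve dominates the function PFD, and within the redundant transmitter group the CCF term ($\beta \lambda_{DU} \tau/2$) is more than an order of magnitude larger than the independent term ($(\lambda_{DU}\tau)^2/3$), so adding a third transmitter would buy little unless $\beta$ or the test interval is also addressed.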

D.1.3 Unavailability due to planned downtime


Unavailability due to known or planned downtime is caused by components either taken out for repair or for
testing/maintenance. This contribution will depend heavily on the operating philosophy, on the configuration of the
process plant as well as the configuration of the system itself. Often, temporary compensating measures will be
introduced while a component is down for maintenance or repair. Other times, when the component is considered too
critical to continue production (e.g., a critical shutdown valve in single configuration), the production may simply be
shut down during the restoration and testing period. On the other hand there may be test- or repair-situations where
parts of or the whole safety system is bypassed while production is being maintained. An example may be that selected
fire and gas detectors are being inhibited while reconfiguring a node in the fire and gas system.

Downtime unavailability is often expressed by mean time to restoration (MTTR) or mean repair time (MRT). MRT
encompasses the time elapsing from when the failure is detected until the component is put back into operation. MTTR also
encompasses the time to detect the failure (in addition to the time elapsing from when the failure is detected until the
component is put back into operation). Further description of and suggested formulas for downtime unavailability are
given in the PDS method handbook, where downtime unavailability is denoted DTU.

Note that often the downtime unavailability is small compared to the PFD contributions from undetected failures given
in Table 3.2., i.e., usually MTTR << τ, and then the downtime contribution is neglected. This is, however, not always
the case; e.g., for subsea production equipment the MTTR could be rather long.

D.1.4 PFD calculations in multiple safety systems


Redundant safety systems are commonly referred to as independent protection layers (e.g., in the LOPA terminology)
and the total protection system may be referred to as a multiple safety system. Normally when having multiple safety
systems, it is sufficient that one of the systems works successfully in order to have a successful safety action. When
addressing the total reliability of multiple safety systems, one often calculates the average PFD of each system
independently, and combines the results to find the total PFD of the multiple system by simply taking the product of
the individual PFD. This is appropriate as long as the PFDs of the systems are totally independent, but independence is
rarely the case and then the total PFD becomes non-conservative. Dependencies exist between the systems, as well as
between components within a system, due to e.g., simultaneous proof testing, close location or common utility sources
(hydraulic, electricity, etc.).

The analytical formulas described above are developed and applicable for a limited range of voting arrangements and
may fall short when considering multiple safety systems and complex architectures. Instead, for more complex cases,
where dependencies between multiple protection layers should be modelled in detail, reference is made to methods
such as time dependent fault trees and Petri nets as described in IEC 61508-6 appendix B and in ISO/TR 12489.

In the PDS method handbook a simplified approach towards modelling dependencies between multiple protection layers
has been suggested; using a correction factor (CF) for multiple systems. Basically this correction factor caters for the
