Failure Probability

Is it very important to calculate very precisely the average probability of failure “PFDavg” of a Safety Instrumented Function? The short answer is “NO”, and we will try to explain why below.

The first thing to say is that Functional Safety is much more than meeting the probability of failure. IEC 61511 defines the so-called “life cycle” of the Safety Instrumented System (SIS), where we find numerous very important stages and concepts (SRS, Design, FAT, SAT, Verification, Validation, Safety Management, Maintenance, hardware failures and systematic failures, etc.).

Regarding the product itself there are two requirements, one is the Systematic Capability (certified product, “proven in use” or “prior use”) and the other is the requirement of the probability of failure that this article deals with. There is a third requirement, called Architectural Constraints, which has to do with the design of the Safety Instrumented Function (SIF) as to what its minimum redundancy should be (1oo1, 1oo2, 2oo3,…).

Parameters for calculation

To calculate PFDavg or PFH we use a series of parameters, some of which have a very significant impact on the result, such as the failure rates, the PTC value (“proof test coverage”) and the Beta factor used in redundant architectures (1oo2, 2oo3, …).

It is usually not easy to define these three parameters with some rigor:

- Failure rates: Are the values I am using reliable? What is their origin? Are they valid for the operating conditions of the plant and for the kind of “severe” service some of the SIFs see? If they are not reliable, it is advisable to multiply them by a factor between 2 and 5.

- Proof Test Coverage (PTC): This parameter measures what fraction of the dangerous failures we are able to detect when performing the maintenance (proof) tests. It is often neglected on the assumption that it is 100%, which in practice is impossible: many failures are “hidden” and go undetected. A typical value for a valve is 70% or even less. This factor must be provided by the manufacturer of the product. A variation of just 3% in this parameter can have a large impact on the PFDavg result. What kind of tests are we going to do? Are we sure they will be complete enough to meet the defined PTC value?

- Beta factor: This factor quantifies possible common cause failures in redundant architectures such as 1oo2 or 2oo3. By default, values of 5% / 2% / 10% are used for the sensor / logic solver / actuator.

The following tables show examples to understand the huge impact these parameters have when calculating the PFDavg:

Table 1: assumed failure rates λDD = λDU = 800 FIT (TI = 1 year; MTTR = 48 h)

| Final Element | PTC  | Beta | PFDavg   | SIL achieved | Result        |
|---------------|------|------|----------|--------------|---------------|
| 1oo1          | 100% | NA   | 3.50E-03 | SIL-2        | Not realistic |
| 1oo1          | 70%  | NA   | 1.82E-02 | SIL-1        | Realistic     |
| 1oo2          | 100% | 0%   | 1.64E-05 | SIL-4        | Not realistic |
| 1oo2          | 100% | 5%   | 1.91E-04 | SIL-3        | Not realistic |
| 1oo2          | 70%  | 0%   | 3.41E-04 | SIL-3        | Not realistic |
| 1oo2          | 70%  | 5%   | 1.23E-03 | SIL-2        | Realistic     |

Table 2: assumed DD/DU failure rates halved, λDD = λDU = 400 FIT (TI = 1 year; MTTR = 48 h)

| Final Element | PTC  | Beta | PFDavg   | SIL achieved | Result        |
|---------------|------|------|----------|--------------|---------------|
| 1oo1          | 100% | NA   | 1.75E-03 | SIL-2        | Not realistic |
| 1oo1          | 70%  | NA   | 9.11E-03 | SIL-2        | Realistic     |
| 1oo2          | 100% | 0%   | 4.11E-06 | SIL-4        | Not realistic |
| 1oo2          | 100% | 5%   | 9.15E-05 | SIL-4        | Not realistic |
| 1oo2          | 70%  | 0%   | 8.52E-05 | SIL-4        | Not realistic |
| 1oo2          | 70%  | 5%   | 5.36E-04 | SIL-3        | Realistic     |

A small deviation in these parameters introduces much more error in the calculation of the PFDavg than the possible error that we can make by using a less complex calculation tool.

Is PFDavg = 3.77E-03 the same as 3.40E-03? The value is not the same, but from a practical point of view the difference is not so relevant. Why? Because, as explained above, this error in the calculation of the probability of failure is insignificant compared to the error we have already made by using parameters that are not rigorous or are of doubtful origin.
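As an added example, not taken from the article nor from any of the tools it mentions, the Python script below implements a simplified PFDavg model for one final element with exactly the three parameters discussed above: λDU in FIT, PTC and Beta, with TI = 1 year as in the tables. The only assumption the article does not state is a 15-year mission time during which the failures the proof test cannot reveal keep accumulating; with that assumption the model reproduces the 1oo1 rows of both tables and lands within about 1% of the 1oo2 rows. It also computes what a 3% drop in PTC does to the result next to the 3.77E-03 vs 3.40E-03 tool difference mentioned above.

```python
# Added example: simplified PFDavg for a final element in 1oo1 and 1oo2 with
# proof test coverage (PTC) and a beta-factor common cause model.  Not the
# article's own calculation; mission time (15 years) is an assumption.
from dataclasses import dataclass, replace

HOURS_PER_YEAR = 8760.0
FIT = 1e-9                            # 1 FIT = one failure per 10^9 hours
MISSION_HOURS = 15 * HOURS_PER_YEAR   # assumed; the article does not state it


@dataclass(frozen=True)
class Channel:
    lambda_du_fit: float               # dangerous undetected failure rate (FIT)
    ti_hours: float = HOURS_PER_YEAR   # proof test interval TI
    ptc: float = 1.0                   # proof test coverage, 0..1
    mission_hours: float = MISSION_HOURS

    def mean_exposure_hours(self) -> float:
        """Average time a dangerous undetected failure stays hidden.

        The fraction PTC of DU failures is revealed by the proof test and is
        therefore exposed for TI/2 on average; the remaining (1 - PTC) stays
        hidden until the mission ends, i.e. for mission/2 on average.
        """
        return (self.ptc * self.ti_hours
                + (1 - self.ptc) * self.mission_hours) / 2


def pfd_1oo1(ch: Channel) -> float:
    """Single channel: lambda_DU times its average exposure time."""
    return ch.lambda_du_fit * FIT * ch.mean_exposure_hours()


def pfd_1oo2(ch: Channel, beta: float) -> float:
    """Two channels with 1oo2 voting and a beta-factor common cause model.

    The function is lost only if both channels fail independently; each test
    regime contributes about (lambda_ind * T)^2 / 3.  The common-cause share
    beta * lambda_DU takes both channels down at once and so behaves like a
    single 1oo1 channel.
    """
    lam = ch.lambda_du_fit * FIT
    lam_ind = (1 - beta) * lam
    tested = ch.ptc * lam_ind * ch.ti_hours
    untested = (1 - ch.ptc) * lam_ind * ch.mission_hours
    independent = (tested ** 2 + untested ** 2) / 3
    common_cause = beta * lam * ch.mean_exposure_hours()
    return independent + common_cause


def sil_from_pfd(pfd: float) -> str:
    """Low-demand SIL band from PFDavg (IEC 61508-1, Table 2).

    Values below 1e-5 lie outside the defined bands; they are reported as
    SIL-4 here, which is how the article's tables label them.
    """
    if pfd < 1e-4:
        return "SIL-4"
    if pfd < 1e-3:
        return "SIL-3"
    if pfd < 1e-2:
        return "SIL-2"
    if pfd < 1e-1:
        return "SIL-1"
    return "no SIL"


def relative_change(reference: float, other: float) -> float:
    """Relative difference of `other` against `reference` (0.10 means +10 %)."""
    return (other - reference) / reference


def table_rows(lambda_du_fit: float):
    """Rebuild the article's table layout for a given lambda_DU in FIT."""
    base = Channel(lambda_du_fit)
    rows = [("1oo1", ptc, None, pfd_1oo1(replace(base, ptc=ptc)))
            for ptc in (1.0, 0.7)]
    rows += [("1oo2", ptc, beta, pfd_1oo2(replace(base, ptc=ptc), beta))
             for ptc in (1.0, 0.7) for beta in (0.0, 0.05)]
    return [(arch, ptc, beta, p, sil_from_pfd(p)) for arch, ptc, beta, p in rows]


if __name__ == "__main__":
    for lam in (800, 400):
        print(f"lambda_DU = {lam} FIT, TI = 1 year, mission = 15 years (assumed)")
        for arch, ptc, beta, p, sil in table_rows(lam):
            b = "NA" if beta is None else f"{beta:.0%}"
            print(f"  {arch}  PTC={ptc:.0%}  Beta={b:>3}  PFDavg={p:.2E}  {sil}")
    # effect of a 3 % drop in PTC next to the article's 'tool difference'
    ch, ch_low = Channel(800, ptc=0.70), Channel(800, ptc=0.67)
    print(f"PTC 70% -> 67% (1oo2, Beta 5%): "
          f"{relative_change(pfd_1oo2(ch, 0.05), pfd_1oo2(ch_low, 0.05)):+.1%}")
    print(f"3.40E-03 -> 3.77E-03 (tool difference): "
          f"{relative_change(3.40e-3, 3.77e-3):+.1%}")
```

Running the script prints both tables with the same SIL bands as the article and shows that lowering PTC from 70% to 67% moves the 1oo2/Beta 5% result by roughly the same relative amount (about +11%) as the 3.40E-03 vs 3.77E-03 difference between two calculation tools, which is the article's point: the parameter uncertainty dominates the tool error.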

The IEC 61511 standard does not require the use of any certified tool to perform these SIL verification calculations; they can even be done by hand or with a spreadsheet. It is more important to handle the concepts well, select the parameters correctly and use complete formulas in which the main parameters intervene, especially PTC and Beta.

As a complement to this article, we invite you to read this report.

Related posts:

Compare SILcet with exSILentia – Functional Safety (safetyandsis.com)

Back to Basics 16 – PFDavg | exida