Critical instrumental systems prevent hazardous events of situations in which people could be injured (or worse) and/or the environment could be polluted.
The standards, IEC 61511:2017 and IEC 61508:2010, define the criteria for Safety Instrumented Functions (abbr. SIFs).
A SIF shall be fit for purpose preventing the identified hazard.
The integrity level of a SIF, defined as SIL 1, 2, 3 or 4, provide risk reduction.
A SIF may be compromised by systematic failures and/or random hardware failures.
Systematic failures shall be prevented by:
- An adequate functional safety management system
- Competent personnel
Fabricated instruments/components shall meet the systematic capability requirements (e.g. SC-3).
The technical integrity of a SIF is depending of:
- Independency of the SIF
- Architectural constraints of the sensor subsystem, the logic solver and the final elements
- Probabilistic constraints of the SIF (average probability of failure on demand, PFDavg).
During a SIL verification the integrity of the SIL safeguard is checked against the required integrity.
Average probability of failure on demand – PFDavg
In the process industry sector, the demand rate is often less frequent than once per year. The following PFDavg values are required:
SIL 1 PFDavg < 10-1
SIL 2 PFDavg < 10-2
SIL 3 PFDavg < 10-3
SIL 4 PFDavg < 10-4
IEC 61511 provides the following information:
Several modelling approaches are available and the most appropriate approach is a matter for the analyst and can depend on the circumstances. Available means include:
– cause consequence analysis;
– reliability block diagrams;
– fault-tree analysis;
– Markov models;
– Petri nets models.
PFDavg is depending on:
- Dangerous Detected and Undetected failure rates of the instruments and components, λDDand λDU
- Redundancy configuration
- Common cause β-factor in case of redundancy configuration
- Proof test interval
- Proof test coverage
- Lifetime of the SIF
- Mean Time to Restoration
- Time needed for tests
But how relevant are all these variables and how sophisticated should be the modelling approach?
With powerful, sophisticated PFD calculation software, the PFDavg can be calculated very precise. However, the outcome stays uncertain while the following factors are just raw estimates:
- Common cause ß factor
- Proof test coverage and lifetime
A frequently used basis to determine ß factors is the informative Annex D of IEC 61508:6. By filling in scores, a ß factor will be determined. ß= 5% is almost standard. According to a thoroughly performed study of SINTEF, the actual common cause factor is in between 10 – 15 % (reference can be made to ‘Common cause failures in safety instrumented systems’, final version, 20 May 2015).
It is the opinion of Consiltant BV that for SIL 1 and SIL 2 SIF’s it does not make sense to use complex sophisticated software to calculate precisely the PFDavg if other relevant factors are just estimates.
A minimal common cause Beta factor of 10% is to be recommended.
The correct performance of proof tests is critical! Poor proof tests are never acceptable although it can be modelled in de PFDavg calculation (e.g. a proof test coverage factor of 75%). A low proof test coverage may never be compensated by more frequent poor proof tests in order to meet the PFDavg target.
It is the opinion of Consiltant BV that a proof test procedure shall always be complete and detailed. Personnel shall be competent in order to detect and restore dangerous undetected failures and systematic failures.
Consiltant BV developed PFD Consiltator, an Excel based tool in order to calculate the PFDavg.
PFD Consiltator can be downloaded here.
PFD Consiltator consists of a simple and more advanced calculation methode. The simple calculation is based on the following formulas:
Proof test coverage is not taken into account. The test procedure is assumed to be 100% correct.
In the advanced version, the proof test coverage is included in the calculation. The expected lifespan / mission time of the selected components must also be included in the analysis. The calculation is based on the methods described in IEC-61508-6 and VDI/VDE 2180 (part 3).
Download the Consiltator.