Post on 22-Sep-2018
Determining the PFDavg (SIL) of a Safety Instrumented System (SIS)
Prepared for: Course on Risk Analysis and Functional Safety
Prepared by: Victor Machiavelo Salinas
Risk Software SA de CV www.risksoftware.com.mx
Risk Software S.A. de C.V.
1. Introduction
The PFDavg value (average Probability of Failure on Demand) is used in Functional Safety to determine the Safety Integrity Level (SIL; NIL in Spanish) that a Safety Instrumented System (SIS) provides for a given Safety Instrumented Function (SIF).
Figure 1 shows the relationship, for a Safety Instrumented System, between the demand rate (events/year) at which the SIS is called upon by the process because of an unsafe condition and the rate of final undesired events (events/year) that occur because the SIS is ineffective, fails or is unable to respond.
The NIL/SIL level corresponds to the numerical PFDavg value calculated for a SIS, which includes the sensor elements (pressure, temperature, flow, etc.), the programmable logic controller and the final control elements (valves, motors, actuators, etc.).
The total PFDavg of a SIS is the algebraic sum of the average probabilities of failure on demand of the sensor, the logic controller and the final control element, as shown in Figure 2.
To calculate the PFDavg of a SIS, the ANSI/ISA 84.01-2004 standard recommends three methods:
1. Simplified Equations (Reliability Block Diagrams)
2. Fault Tree Analysis (FTA)
3. Markov Models.
This technical report focuses on calculating PFDavg with the first two methods, which are the most widely used in functional safety; it should be noted that Markov models are more precise and can model time-dependent, sequential and repairable systems.
Determining the PFDavg 1
Figure 1: Demand rate (D) → SIS → Event rate (H). PFDavg = H/D = 1/(Risk Reduction Factor)
Figure 2: Sensor → Logic Controller → Final Elements. PFDavg Total = PFDS + PFDL + PFDEF
2. System Failures
It is necessary to understand how systems and equipment fail, because the equations used to determine PFDavg depend directly on the failure mechanism of the sensors, the logic controller and the final elements.
Figure 3 shows the failure modes that the components of a SIS can have.
MTBF = Mean Time Between Failures
MTTF = Mean Time To Fail
Overt failure modes:
These are also known as "revealed" failures because they become known as soon as they occur; examples are the loss of a sensor signal when the wires carrying the signal are cut, or the failure of a solenoid valve coil.
Overt failures normally produce a system response known as a "safe failure", whose most common consequence is an emergency shutdown of the process. The rate at which this happens is known as the "spurious trip rate". In many processes this condition is undesirable because it directly affects production or production time; in continuous processes such as the chemical or petroleum industries it is very costly, since restarting the process is neither easy nor quick. In certain processes the condition can also be very dangerous: shutting down inherently hazardous processes that handle large quantities of material and energy can create risks for personnel, the environment and company assets.
The way to prevent this is to increase the fault tolerance of systems and equipment (redundancy). Clause 11.4 of IEC 61511 specifies the mechanisms and fault-tolerance levels for SIS.
Figure 3: Failure modes.
Covert failures (dangerous trip rate, λD = 1/MTTF): detected by diagnostics (plant shutdown, or remain at risk while repairing); detected by manual tests (the SIS is out of service during the tests); or undetected.
Overt failures (spurious trip rate, λS = 1/MTBFsp): one must live with the loss of production.
Covert failure modes:
Covert failures are dangerous until they are detected and corrected; the PFDavg calculation is based on this type of failure. Typically, covert failures appear in devices whose function is to generate or lead to the final event, such as the output devices of the PLC cards, the relay coil, the valve actuator or the controller logic. The main problem with these failures arises in devices that have not been operated for long periods of time. Three kinds of condition occur with covert failures:
1. Failures that can be detected by self-diagnostics.
2. Failures that can be found during a test period.
3. Failures that remain hidden and undetected in the system until a failure on demand occurs.
Each of these failures contributes to the PFDavg of the SIS, and each requires a different reliability-calculation treatment.
The formulas for calculating systems based on self-diagnostics generally refer to programmable logic controllers, since these systems use advanced diagnostic techniques. In most systems, when we refer to "diagnostics" we mean the system's ability to perform tests without human intervention. These diagnostics, also called "active" diagnostics, are functional tests of the state of the system; an example would be toggling the state of the controller's output cards (On/Off) to prove that the system is able to bring the process to a safe condition. These tests are performed very quickly, generally in milliseconds, so that the tests are not themselves a hazardous condition for the process.
Calculations:
The calculation of revealed failures (also called safe failures) is important from the point of view of process operation. Installing a safety system is a complicated and costly undertaking, and the last thing we want is for that system itself to create a potentially unsafe condition or to cause production or economic losses. The selection of a safety system without fault tolerance must be carefully evaluated from the standpoint of both safety and process operation, and the design of the system under the life-cycle concept must include the cost of spurious trips and the costs associated with fault tolerance. Revealed failures also have two components: detectable safe failures and undetectable safe failures. The fact that both lead to a safe process shutdown minimizes the need to detail each in a separate equation.
Covert failures (also called dangerous failures), as shown in Figure 3, have two components:
1) Dangerous failures detected by self-diagnostics, which perform the testing and detection of errors and failures automatically. We associate these failures with complex systems such as logic controllers; however, in recent years some field devices, such as sensors and valve actuators, have incorporated high levels of self-diagnostics in their electronics. Typically the self-diagnostic test time is between 1 and 10 seconds.
2) Dangerous failures detected by manual tests: these are tests that cannot be performed by diagnostics, so the test and diagnosis must be carried out manually. Typically the interval of these tests is much shorter than the MTBF. This type of test is associated with field devices and final control elements.
Figure 4 shows the different tests required for the different devices. There is a large difference between the equations used to model the PFDavg of sensors and final control elements and those used to model logic controllers, not only because the latter perform self-diagnostic tests, but also because each system may contain different devices in different configurations and numbers (input and output modules, power supplies, processors, communications, etc.).
The equations for modeling programmable logic controllers have been defined in detail in IEC 61508-6, Edition 2.0, 2010-04. Simplified equations for programmable logic controllers are also available, which make determining the PFDavg easier but less exact.
Figure 4: Test requirements for devices. Demand rate (D) → Sensor (manual tests) → Logic Controller (automatic diagnostics) → Final Elements (manual tests) → Event rate (H)
3. Determining the Spurious Trip Rate (STR)
Equations for determining the Spurious Trip Rate (STR).
As noted above, it is useful to know the spurious trip rate a system will have; this allows us to select systems based on the costs of tripping/stopping a process because of the failure of one of the components of the safety instrumented system:
Architecture | Complex equation (ISA-TR84.00.02-2002 Part 2) | Simplified equation (ISA-TR84.00.02-2002 Part 2)
1oo1 | Eq. 10: $STR = \lambda^{S} + \lambda^{DD} + \lambda^{SF}$ | Eq. 10a: $STR = \lambda^{S}$
1oo2 | Eq. 11: $STR = 2(\lambda^{S} + \lambda^{DD}) + \beta(\lambda^{S} + \lambda^{DD}) + \lambda^{SF}$ | Eq. 11a: $STR = 2\lambda^{S}$
1oo3 | Eq. 12: $STR = 3(\lambda^{S} + \lambda^{DD}) + \beta(\lambda^{S} + \lambda^{DD}) + \lambda^{SF}$ | Eq. 12a: $STR = 3\lambda^{S}$
2oo2 | Eq. 13: $STR = 2\lambda^{S}(\lambda^{S} + \lambda^{DD})\,MTTR + \beta(\lambda^{S} + \lambda^{DD}) + \lambda^{SF}$ | Eq. 13a: $STR = 2(\lambda^{S})^{2}\,MTTR$
2oo3 | Eq. 14: $STR = 6\lambda^{S}(\lambda^{S} + \lambda^{DD})\,MTTR + \beta(\lambda^{S} + \lambda^{DD}) + \lambda^{SF}$ | Eq. 14a: $STR = 6(\lambda^{S})^{2}\,MTTR$
2oo4 | Eq. 15: $STR = 12(\lambda^{S} + \lambda^{DD})^{3}\,MTTR^{2} + \beta(\lambda^{S} + \lambda^{DD}) + \lambda^{SF}$ | Eq. 15a: $STR = 12(\lambda^{S})^{3}\,MTTR^{2}$

The equations in the table are reproduced from ISA-TR84.00.02-2002 - Part 2 (pp. 27-28):

(Eq. No. 9) $\lambda^{S} = 1/MTTF_{spurious}$

1oo1
(Eq. No. 10) $STR = \lambda^{S} + \lambda^{DD} + \lambda^{SF}$
Where λS is the safe or spurious failure rate for the component,
λDD is the dangerous detected failure rate for the component, and
λSF is the safe systematic failure rate for the component.
The second term in the equation is the dangerous detected failure rate term and the third term is the systematic error rate term. The dangerous detected failure term is included in the spurious trip calculation when the detected dangerous failure puts that channel (of a redundant system) or system (if it is non-redundant) in a safe (de-energized) state. This can be done either automatically or by human intervention. If dangerous detected failure does not place the channel or system into a safe state, this term is not included in Equations 10 through 15.

1oo2
(Eq. No. 11) $STR = 2\left[(\lambda^{S} + \lambda^{DD})\right] + \beta\left[(\lambda^{S} + \lambda^{DD})\right] + \lambda^{SF}$
The second term is the common cause term and the third term is the systematic error rate term.

1oo3
(Eq. No. 12) $STR = 3\left[(\lambda^{S} + \lambda^{DD})\right] + \beta\left[(\lambda^{S} + \lambda^{DD})\right] + \lambda^{SF}$
The second term is the common cause term and the third term is the systematic error rate term.

2oo2
(Eq. No. 13) $STR = 2\left[\lambda^{S}(\lambda^{S} + \lambda^{DD})\,MTTR\right] + \beta\left[(\lambda^{S} + \lambda^{DD})\right] + \lambda^{SF}$
The second term is the common cause term and the third term is the systematic error rate term. This equation, as well as Equations 14 and 15, assumes that safe failures can be detected on-line. If safe failures can only be detected through testing or inspection, the testing (or inspection) interval TI should be substituted for MTTR.

2oo3
(Eq. No. 14) $STR = 6\left[\lambda^{S}(\lambda^{S} + \lambda^{DD})\,MTTR\right] + \beta\left[(\lambda^{S} + \lambda^{DD})\right] + \lambda^{SF}$
The second term is the common cause term, and the third term is the systematic error rate term.

2oo4
(Eq. No. 15) $STR = 12\left[(\lambda^{S} + \lambda^{DD})\right]^{3} MTTR^{2} + \beta\left[(\lambda^{S} + \lambda^{DD})\right] + \lambda^{SF}$
The second term is the common cause term, and the third term is the systematic error rate term.

NOTE The above equations apply to elements with the same failure rates. If elements with different failure rates are used, appropriate adjustments must be made (See ISA-TR84.00.02-2002, Part 5 for method).

SIS in the process industry typically must be taken out of service to make repairs when failures are detected unless redundancy of components is provided. Accounting for additional failures while repairs are being made is typically not considered due to the relatively short repair time. Common cause and systematic error are handled as described in 5.1.5. Therefore, the equations above can be reduced to the following:

1oo1
(Eq. No. 10a) $STR = \lambda^{S}$
1oo2
(Eq. No. 11a) $STR = 2\lambda^{S}$
1oo3
(Eq. No. 12a) $STR = 3\lambda^{S}$
2oo2
(Eq. No. 13a) $STR = 2(\lambda^{S})^{2}\,MTTR$
2oo3
(Eq. No. 14a) $STR = 6(\lambda^{S})^{2}\,MTTR$
2oo4
(Eq. No. 15a) $STR = 12(\lambda^{S})^{3}\,MTTR^{2}$

5.2.6 Combining spurious trip rates for components to obtain SIS MTTFspurious
Once the sensor, final element, logic solver, and power supply portions are evaluated, the overall MTTFspurious for the SIS being evaluated is obtained as follows:
(Eq. No. 16) $STR_{SIS} = \sum STR_{Si} + \sum STR_{Ai} + \sum STR_{Li} + \sum STR_{PSi} + \lambda^{SF}$
NOTE The last term in the equation, the systematic failure term, is only used when systematic error has not been accounted for in individual component STR and the user desires to include an overall value for the entire system.
(Eq. No. 17) $MTTF_{spurious} = 1 / STR_{SIS}$
The result is the MTTFspurious for the SIS.
λS is the safe or spurious failure rate for each component.
λDD is the dangerous detected failure rate for each component.
λSF is the safe systematic failure rate for each component.
The final spurious trip rate of the SIS (using the simplified equations) is the sum over each element of the system:
STRSIS = ∑STRSensor + ∑STRCLP + ∑STREF + λSF
The MTTF (Mean Time To Fail) is given by:
MTTFspurious = 1/STRSIS
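The following Python example is added here to make the spurious trip calculation of this section concrete; it is not code from the original report, from Risk Software or from ISA. It implements the simplified Equations 10a to 15a, the complex Equations 10 to 15 as they are reconstructed on this page (the 2oo4 form follows that reconstruction), and the SIS-level summation of Equations 16 and 17. All rates are failures per hour, MTTR is in hours, the 8760 hours/year conversion is an assumption for presenting MTTFspurious in years, and every sample rate is constructed for illustration.

```python
"""Spurious trip rate (STR) of a SIS from the ISA-TR84.00.02 Part 2 equations.

Added worked example (not the report's or ISA's code). Rates are per hour,
MTTR in hours; the sample rates used below are constructed, not field data.
"""

HOURS_PER_YEAR = 8760.0  # assumption used only to express MTTF in years

ARCHITECTURES = ("1oo1", "1oo2", "1oo3", "2oo2", "2oo3", "2oo4")


def str_simplified(arch: str, lam_s: float, mttr: float) -> float:
    """Eq. 10a-15a: STR per hour for identical channels, safe failures only."""
    if arch == "1oo1":
        return lam_s
    if arch == "1oo2":
        return 2.0 * lam_s
    if arch == "1oo3":
        return 3.0 * lam_s
    # Voting groups that tolerate safe failures only trip spuriously when
    # several channels fail within one repair time (MTTR).
    if arch == "2oo2":
        return 2.0 * lam_s**2 * mttr
    if arch == "2oo3":
        return 6.0 * lam_s**2 * mttr
    if arch == "2oo4":
        return 12.0 * lam_s**3 * mttr**2
    raise ValueError(f"unknown architecture {arch!r}")


def str_complex(arch, lam_s, lam_dd, beta, lam_sf, mttr, dd_trips=True):
    """Eq. 10-15: STR including common cause (beta) and systematic (lam_sf) terms.

    Per the TR text, the dangerous-detected rate is counted only when a
    detected dangerous failure drives the channel to its safe state.
    """
    ch = lam_s + (lam_dd if dd_trips else 0.0)  # per-channel trip rate
    if arch == "1oo1":
        return ch + lam_sf  # Eq. 10 carries no common-cause term
    first = {
        "1oo2": 2.0 * ch,
        "1oo3": 3.0 * ch,
        "2oo2": 2.0 * lam_s * ch * mttr,
        "2oo3": 6.0 * lam_s * ch * mttr,
        "2oo4": 12.0 * ch**3 * mttr**2,  # Eq. 15 as reconstructed on this page
    }[arch]
    return first + beta * ch + lam_sf


def str_sis(sensor_strs, logic_strs, final_strs, power_strs=(), lam_sf=0.0):
    """Eq. 16: sum the STR of every subsystem; lam_sf only when the systematic
    term was not already included per component."""
    return (sum(sensor_strs) + sum(logic_strs) + sum(final_strs)
            + sum(power_strs) + lam_sf)


def mttf_spurious_years(str_sis_per_hour: float) -> float:
    """Eq. 17 expressed in years: MTTFspurious = 1 / STR_SIS."""
    return 1.0 / (str_sis_per_hour * HOURS_PER_YEAR)


def compare_sensor_voting(lam_s=1e-5, mttr=8.0):
    """Constructed sample: the same sensor in each voting arrangement.
    Returns {architecture: MTTFspurious in years} to show the trade-off."""
    return {a: mttf_spurious_years(str_simplified(a, lam_s, mttr))
            for a in ARCHITECTURES}


if __name__ == "__main__":
    for arch, years in compare_sensor_voting().items():
        print(f"{arch}: MTTFspurious = {years:,.1f} years")
    # Constructed SIS: 2oo3 sensors, 1oo2 logic solver, 1oo1 final element.
    total = str_sis(
        sensor_strs=[str_simplified("2oo3", 1e-5, 8.0)],
        logic_strs=[str_simplified("1oo2", 2e-6, 8.0)],
        final_strs=[str_simplified("1oo1", 5e-6, 8.0)],
    )
    print(f"SIS: STR = {total:.3e}/h, "
          f"MTTFspurious = {mttf_spurious_years(total):.1f} years")
```

Running the comparison shows why the report stresses fault tolerance: 1oo2 and 1oo3 sensing halve or third the time between spurious trips relative to 1oo1, while 2oo3 pushes it out by orders of magnitude because two channels must fail within one MTTR. The constructed SIS also shows that the non-redundant final element and the 1oo2 logic solver, not the 2oo3 sensors, dominate the system STR.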
4. Determining the Probability of Failure on Demand
Equations for determining the average Probability of Failure on Demand (PFDavg) for systems with manual tests.
The Probability of Failure on Demand for systems with manual tests generally relates to field elements, such as sensors and final control elements.
These equations are based on the time interval between manual tests (TI), whose purpose is to identify and locate dangerous failures in the system or in its elements.
The equations describing these systems include a Dangerous Systematic Failure Rate component.
This rate represents the systematic failures introduced during the design, selection, implementation and maintenance of the field elements of the Safety Instrumented System.
Architecture | Complex equation (ISA-TR84.00.02-2002 Part 2) | Simplified equation (ISA-TR84.00.02-2002 Part 2)
1oo1
The equations below are reproduced from ISA-TR84.00.02-2002 - Part 2 (p. 22):
Equations for typical configurations:
(Eq. No. 3) 1oo1 $PFD_{avg} = \lambda^{DU}\,\frac{TI}{2} + \lambda^{FD}\,\frac{TI}{2}$
where λDU is the undetected dangerous failure rate,
λFD is the dangerous systematic failure rate, and
TI is the time interval between manual functional tests of the component.
NOTE The equations in ISA-TR84.00.02-2002 - Part 1 model the systematic failure as an error that occurred during the specification, design, implementation, commissioning, or maintenance that resulted in the SIF component being susceptible to a random failure. Some systematic failures do not manifest themselves randomly, but exist at time 0 and remain failed throughout the mission time of the SIF. For example, if the valve actuator is specified improperly, leading to the inability to close the valve under the process pressure that occurs during the hazardous event, then the average value as shown in the above equation is not applicable. In this event, the systematic failure would be modeled using $\lambda^{FD} \times TI$. When modeling systematic failures, the reader must determine which model is more appropriate for the type of failure being assessed.
1oo2
(Eq. No. 4A)
( ) [ ] +*
)('
& %++*
)('
& %%+%%%%"++*
)('
&%%"=
22)1(
3)1(PFD
22
avgTITITIMTTRTI D
FDUDDDUDU $$,$$,$,
For simplification, 1-, is generally assumed to be one, which yields conservative results. Consequently,the equation reduces to
(Eq. No. 4B)
( ) [ ] +*
)('
& %++*
)('
& %%+%%%++*
)('
&%=
223PFD
22
avgTITITIMTTRTI D
FDUDDDUDU $$,$$$
where MTTR is the mean time to repair
$DD is dangerous detected failure rate, and
, is fraction of failures that impact more than one channel of a redundant system(common cause).
The second term represents multiple failures during repair. This factor is typically negligible for shortrepair times (typically less than 8 hours). The third term is the common cause term. The fourth term isthe systematic error term.
1oo3
ISA-TR84.00.02-2002 - Part 2 " 24 "
If systematic errors (functional failures) are to be included in the calculations, separate values for eachsub-system, if available, may be used in the equations above. An alternate approach is to use a singlevalue for functional failure for the entire SIF and add this term as shown in Equation 1a in 5.1.6.
NOTE Systematic failures are rarely modeled for SIF Verification calculations due to the difficulty in assessing the failure modesand effects and the lack of failure rate data for various types of systematic failure. However, these failures are extremely importantand can result in significant impact to the SIF performance. For this reason, ANSI/ISA-84.01-1996, IEC 61508, and IEC 61511provide a lifecycle process that incorporates design and installation concepts, validation and testing criteria, and management ofchange. This lifecycle process is intended to support the reduction in the systematic failures. SIL Verification is thereforepredominantly concerned with assessing the SIS performance related to random failures.
The simplified equations without the terms for multiple failures during repair, common cause andsystematic errors reduce to the following for use in the procedures outlined in 5.1.1 through 5.1.4.
1oo1
(Eq. No. 3a) PFDTI
avgDU= %$
2
1oo2
(Eq. No. 4a)( )[ ]
PFDTI
avg
DU
=%$
2 2
3
1oo3
(Eq. No. 5a)( )[ ]
PFDTI
avg
DU
=%$
3 3
4
2oo2
(Eq. No. 6a) PFD TIavgDU= %$
2oo3
(Eq. No. 7a) ( )PFD TIavgDU= %$
2 2
2oo4
(Eq. No. 8a) ( ) ( )33 TIPFD DUavg %= $
5.1.6 Combining components’ PFDs to obtain SIF PFDavg
Once the sensor, final element, logic solver, and power supply (if applicable) portions are evaluated, theoverall PFDavg for the SIF being evaluated is obtained by summing the individual components. The resultis the PFDavg for the SIF for the event being protected against.
(Eq. No. 1a) +*
)('
&%++++=# # # # 2TIPFD D
FPSi $LiAiSiSIS PFDPFDPFDPFD
1oo2
ISA-TR84.00.02-2002 - Part 2 " 22 "
Equations for typical configurations:
(Eq. No. 3) 1oo1 PFDTI2avg = %
&
'()
*++ %&
'()
*+$ $DU
FD TI
2
where $DU is the undetected dangerous failure rate
$FD is the dangerous systematic failure rate, and
TI is the time interval between manual functional tests of the component.
NOTE The equations in ISA-TR84.00.02-2002 - Part 1 model the systematic failure as an error that occurred during thespecification, design, implementation, commissioning, or maintenance that resulted in the SIF component being susceptible to arandom failure. Some systematic failures do not manifest themselves randomly, but exist at time 0 and remain failed throughout themission time of the SIF. For example, if the valve actuator is specified improperly, leading to the inability to close the valve underthe process pressure that occurs during the hazardous event, then the average value as shown in the above equation is notapplicable. In this event, the systematic failure would be modeled using TI%$ . When modeling systematic failures, the readermust determine which model is more appropriate for the type of failure being assessed.
1oo2
(Eq. No. 4A)
( ) [ ] +*
)('
& %++*
)('
& %%+%%%%"++*
)('
&%%"=
22)1(
3)1(PFD
22
avgTITITIMTTRTI D
FDUDDDUDU $$,$$,$,
For simplification, 1-, is generally assumed to be one, which yields conservative results. Consequently,the equation reduces to
(Eq. No. 4B)
( ) [ ] +*
)('
& %++*
)('
& %%+%%%++*
)('
&%=
223PFD
22
avgTITITIMTTRTI D
FDUDDDUDU $$,$$$
where MTTR is the mean time to repair
$DD is dangerous detected failure rate, and
, is fraction of failures that impact more than one channel of a redundant system(common cause).
The second term represents multiple failures during repair. This factor is typically negligible for shortrepair times (typically less than 8 hours). The third term is the common cause term. The fourth term isthe systematic error term.
1oo3
ISA-TR84.00.02-2002 - Part 2 " 24 "
If systematic errors (functional failures) are to be included in the calculations, separate values for eachsub-system, if available, may be used in the equations above. An alternate approach is to use a singlevalue for functional failure for the entire SIF and add this term as shown in Equation 1a in 5.1.6.
NOTE Systematic failures are rarely modeled for SIF Verification calculations due to the difficulty in assessing the failure modesand effects and the lack of failure rate data for various types of systematic failure. However, these failures are extremely importantand can result in significant impact to the SIF performance. For this reason, ANSI/ISA-84.01-1996, IEC 61508, and IEC 61511provide a lifecycle process that incorporates design and installation concepts, validation and testing criteria, and management ofchange. This lifecycle process is intended to support the reduction in the systematic failures. SIL Verification is thereforepredominantly concerned with assessing the SIS performance related to random failures.
The simplified equations without the terms for multiple failures during repair, common cause andsystematic errors reduce to the following for use in the procedures outlined in 5.1.1 through 5.1.4.
1oo1
(Eq. No. 3a) PFDTI
avgDU= %$
2
1oo2
(Eq. No. 4a)( )[ ]
PFDTI
avg
DU
=%$
2 2
3
1oo3
(Eq. No. 5a)( )[ ]
PFDTI
avg
DU
=%$
3 3
4
2oo2
(Eq. No. 6a) PFD TIavgDU= %$
2oo3
(Eq. No. 7a) ( )PFD TIavgDU= %$
2 2
2oo4
(Eq. No. 8a) ( ) ( )33 TIPFD DUavg %= $
5.1.6 Combining components’ PFDs to obtain SIF PFDavg
Once the sensor, final element, logic solver, and power supply (if applicable) portions are evaluated, theoverall PFDavg for the SIF being evaluated is obtained by summing the individual components. The resultis the PFDavg for the SIF for the event being protected against.
(Eq. No. 1a) +*
)('
&%++++=# # # # 2TIPFD D
FPSi $LiAiSiSIS PFDPFDPFDPFD
1oo3
" 23 " ISA-TR84.00.02-2002 - Part 2
(Eq. No. 5)
( ) )([ ] +*
)('
& %++*
)('
&-.
/01
2 %%+%%%++*
)('
&%=
22422
33 TITITIMTTRTIPFD D
FDUDDDUDU
avg $$,$$$
The second term accounts for multiple failures during repair. This factor is typically negligible for shortrepair times. The third term is the common cause term and the fourth term is the systematic error term.
2oo2
(Eq. No. 6) [ ] [ ] +*
)('
& %+%%+%=2
PFDavgTITITI D
FDUDU $$,$
The second term is the common cause term and the third term is the systematic error term.
2oo3
(Eq. No. 7)
[ ] [ ]PFDavg = % + % % % + % %&
'()
*++ %&
'()
*+( ) ( )$ $ $ , $ $DU DU DD DU
FDTI MTTR TI
TI TI2 2 32 2
The second term in the equation represents multiple failures during repair. This factor is typicallynegligible for short repair times. The third term is the common cause term. The fourth term is thesystematic error term.
2oo4
(Eq. No. 8)
( ) ( )[ ] ( ) ( )[ ]PFD TI MTTR TITI TI
avgDU DU DD DU
FD= % + % % % + % %
&
'()
*++ %&
'()
*+$ $ $ , $ $
3 3 2 242 2
The second term in the equation represents multiple failures during repair. This factor is typicallynegligible for short repair times. The third term is the common cause term. The fourth term is thesystematic error term.
For configurations other than those indicated above, see Reference 3 or ISA-TR84.00.02-2002 - Part 5.
The terms in the equations representing common cause (Beta factor term) and systematic failures aretypically not included in calculations performed in the process industries. These factors are usuallyaccounted for during the design by using components based on plant experience.
Common cause includes environmental factors, e.g., temperature, humidity, vibration, external eventssuch as lightning strikes, etc. Systematic failures include calibration errors, design errors, programmingerrors, etc. If there is concern related to these factors, refer to ISA-TR84.00.02-2002 - Part 1 for adiscussion of their impact on the PFDavg calculations.
ISA-TR84.00.02-2002 - Part 2 " 24 "
If systematic errors (functional failures) are to be included in the calculations, separate values for eachsub-system, if available, may be used in the equations above. An alternate approach is to use a singlevalue for functional failure for the entire SIF and add this term as shown in Equation 1a in 5.1.6.
NOTE Systematic failures are rarely modeled for SIF Verification calculations due to the difficulty in assessing the failure modesand effects and the lack of failure rate data for various types of systematic failure. However, these failures are extremely importantand can result in significant impact to the SIF performance. For this reason, ANSI/ISA-84.01-1996, IEC 61508, and IEC 61511provide a lifecycle process that incorporates design and installation concepts, validation and testing criteria, and management ofchange. This lifecycle process is intended to support the reduction in the systematic failures. SIL Verification is thereforepredominantly concerned with assessing the SIS performance related to random failures.
The simplified equations without the terms for multiple failures during repair, common cause andsystematic errors reduce to the following for use in the procedures outlined in 5.1.1 through 5.1.4.
1oo1
(Eq. No. 3a) PFDTI
avgDU= %$
2
1oo2
(Eq. No. 4a)( )[ ]
PFDTI
avg
DU
=%$
2 2
3
1oo3
(Eq. No. 5a)( )[ ]
PFDTI
avg
DU
=%$
3 3
4
2oo2
(Eq. No. 6a) PFD TIavgDU= %$
2oo3
(Eq. No. 7a) ( )PFD TIavgDU= %$
2 2
2oo4
(Eq. No. 8a) ( ) ( )33 TIPFD DUavg %= $
5.1.6 Combining components’ PFDs to obtain SIF PFDavg
Once the sensor, final element, logic solver, and power supply (if applicable) portions are evaluated, theoverall PFDavg for the SIF being evaluated is obtained by summing the individual components. The resultis the PFDavg for the SIF for the event being protected against.
(Eq. No. 1a) +*
)('
&%++++=# # # # 2TIPFD D
FPSi $LiAiSiSIS PFDPFDPFDPFD
2oo2
" 23 " ISA-TR84.00.02-2002 - Part 2
(Eq. No. 5)
( ) )([ ] +*
)('
& %++*
)('
&-.
/01
2 %%+%%%++*
)('
&%=
22422
33 TITITIMTTRTIPFD D
FDUDDDUDU
avg $$,$$$
The second term accounts for multiple failures during repair. This factor is typically negligible for shortrepair times. The third term is the common cause term and the fourth term is the systematic error term.
2oo2
(Eq. No. 6) [ ] [ ] +*
)('
& %+%%+%=2
PFDavgTITITI D
FDUDU $$,$
The second term is the common cause term and the third term is the systematic error term.
2oo3
(Eq. No. 7)
[ ] [ ]PFDavg = % + % % % + % %&
'()
*++ %&
'()
*+( ) ( )$ $ $ , $ $DU DU DD DU
FDTI MTTR TI
TI TI2 2 32 2
The second term in the equation represents multiple failures during repair. This factor is typicallynegligible for short repair times. The third term is the common cause term. The fourth term is thesystematic error term.
2oo4
(Eq. No. 8)
( ) ( )[ ] ( ) ( )[ ]PFD TI MTTR TITI TI
avgDU DU DD DU
FD= % + % % % + % %
&
'()
*++ %&
'()
*+$ $ $ , $ $
3 3 2 242 2
The second term in the equation represents multiple failures during repair. This factor is typicallynegligible for short repair times. The third term is the common cause term. The fourth term is thesystematic error term.
For configurations other than those indicated above, see Reference 3 or ISA-TR84.00.02-2002 - Part 5.
The terms in the equations representing common cause (Beta factor term) and systematic failures aretypically not included in calculations performed in the process industries. These factors are usuallyaccounted for during the design by using components based on plant experience.
Common cause includes environmental factors, e.g., temperature, humidity, vibration, external eventssuch as lightning strikes, etc. Systematic failures include calibration errors, design errors, programmingerrors, etc. If there is concern related to these factors, refer to ISA-TR84.00.02-2002 - Part 1 for adiscussion of their impact on the PFDavg calculations.
ISA-TR84.00.02-2002 - Part 2 " 24 "
If systematic errors (functional failures) are to be included in the calculations, separate values for eachsub-system, if available, may be used in the equations above. An alternate approach is to use a singlevalue for functional failure for the entire SIF and add this term as shown in Equation 1a in 5.1.6.
NOTE Systematic failures are rarely modeled for SIF Verification calculations due to the difficulty in assessing the failure modesand effects and the lack of failure rate data for various types of systematic failure. However, these failures are extremely importantand can result in significant impact to the SIF performance. For this reason, ANSI/ISA-84.01-1996, IEC 61508, and IEC 61511provide a lifecycle process that incorporates design and installation concepts, validation and testing criteria, and management ofchange. This lifecycle process is intended to support the reduction in the systematic failures. SIL Verification is thereforepredominantly concerned with assessing the SIS performance related to random failures.
The simplified equations without the terms for multiple failures during repair, common cause andsystematic errors reduce to the following for use in the procedures outlined in 5.1.1 through 5.1.4.
1oo1
(Eq. No. 3a) PFDTI
avgDU= %$
2
1oo2
(Eq. No. 4a)( )[ ]
PFDTI
avg
DU
=%$
2 2
3
1oo3
(Eq. No. 5a)( )[ ]
PFDTI
avg
DU
=%$
3 3
4
2oo2
(Eq. No. 6a) PFD TIavgDU= %$
2oo3
(Eq. No. 7a) ( )PFD TIavgDU= %$
2 2
2oo4
(Eq. No. 8a) ( ) ( )33 TIPFD DUavg %= $
5.1.6 Combining components’ PFDs to obtain SIF PFDavg
Once the sensor, final element, logic solver, and power supply (if applicable) portions are evaluated, theoverall PFDavg for the SIF being evaluated is obtained by summing the individual components. The resultis the PFDavg for the SIF for the event being protected against.
(Eq. No. 1a) +*
)('
&%++++=# # # # 2TIPFD D
FPSi $LiAiSiSIS PFDPFDPFDPFD
2oo3
" 23 " ISA-TR84.00.02-2002 - Part 2
(Eq. No. 5)
( ) )([ ] +*
)('
& %++*
)('
&-.
/01
2 %%+%%%++*
)('
&%=
22422
33 TITITIMTTRTIPFD D
FDUDDDUDU
avg $$,$$$
The second term accounts for multiple failures during repair. This factor is typically negligible for shortrepair times. The third term is the common cause term and the fourth term is the systematic error term.
2oo2
(Eq. No. 6) [ ] [ ] +*
)('
& %+%%+%=2
PFDavgTITITI D
FDUDU $$,$
The second term is the common cause term and the third term is the systematic error term.
2oo3
(Eq. No. 7)
[ ] [ ]PFDavg = % + % % % + % %&
'()
*++ %&
'()
*+( ) ( )$ $ $ , $ $DU DU DD DU
FDTI MTTR TI
TI TI2 2 32 2
The second term in the equation represents multiple failures during repair. This factor is typicallynegligible for short repair times. The third term is the common cause term. The fourth term is thesystematic error term.
2oo4
(Eq. No. 8)
( ) ( )[ ] ( ) ( )[ ]PFD TI MTTR TITI TI
avgDU DU DD DU
FD= % + % % % + % %
&
'()
*++ %&
'()
*+$ $ $ , $ $
3 3 2 242 2
The second term in the equation represents multiple failures during repair. This factor is typicallynegligible for short repair times. The third term is the common cause term. The fourth term is thesystematic error term.
For configurations other than those indicated above, see Reference 3 or ISA-TR84.00.02-2002 - Part 5.
The terms in the equations representing common cause (Beta factor term) and systematic failures aretypically not included in calculations performed in the process industries. These factors are usuallyaccounted for during the design by using components based on plant experience.
Common cause includes environmental factors, e.g., temperature, humidity, vibration, external eventssuch as lightning strikes, etc. Systematic failures include calibration errors, design errors, programmingerrors, etc. If there is concern related to these factors, refer to ISA-TR84.00.02-2002 - Part 1 for adiscussion of their impact on the PFDavg calculations.
ISA-TR84.00.02-2002 - Part 2 " 24 "
If systematic errors (functional failures) are to be included in the calculations, separate values for eachsub-system, if available, may be used in the equations above. An alternate approach is to use a singlevalue for functional failure for the entire SIF and add this term as shown in Equation 1a in 5.1.6.
NOTE Systematic failures are rarely modeled for SIF Verification calculations due to the difficulty in assessing the failure modesand effects and the lack of failure rate data for various types of systematic failure. However, these failures are extremely importantand can result in significant impact to the SIF performance. For this reason, ANSI/ISA-84.01-1996, IEC 61508, and IEC 61511provide a lifecycle process that incorporates design and installation concepts, validation and testing criteria, and management ofchange. This lifecycle process is intended to support the reduction in the systematic failures. SIL Verification is thereforepredominantly concerned with assessing the SIS performance related to random failures.
The simplified equations without the terms for multiple failures during repair, common cause andsystematic errors reduce to the following for use in the procedures outlined in 5.1.1 through 5.1.4.
1oo1
(Eq. No. 3a) PFDTI
avgDU= %$
2
1oo2
(Eq. No. 4a)( )[ ]
PFDTI
avg
DU
=%$
2 2
3
1oo3
(Eq. No. 5a)( )[ ]
PFDTI
avg
DU
=%$
3 3
4
2oo2
(Eq. No. 6a) PFD TIavgDU= %$
2oo3
(Eq. No. 7a) ( )PFD TIavgDU= %$
2 2
2oo4
(Eq. No. 8a) ( ) ( )33 TIPFD DUavg %= $
5.1.6 Combining components’ PFDs to obtain SIF PFDavg
Once the sensor, final element, logic solver, and power supply (if applicable) portions are evaluated, theoverall PFDavg for the SIF being evaluated is obtained by summing the individual components. The resultis the PFDavg for the SIF for the event being protected against.
(Eq. No. 1a) +*
)('
&%++++=# # # # 2TIPFD D
FPSi $LiAiSiSIS PFDPFDPFDPFD
2oo4
" 23 " ISA-TR84.00.02-2002 - Part 2
(Eq. No. 5)
( ) )([ ] +*
)('
& %++*
)('
&-.
/01
2 %%+%%%++*
)('
&%=
22422
33 TITITIMTTRTIPFD D
FDUDDDUDU
avg $$,$$$
The second term accounts for multiple failures during repair. This factor is typically negligible for shortrepair times. The third term is the common cause term and the fourth term is the systematic error term.
2oo2
(Eq. No. 6) [ ] [ ] +*
)('
& %+%%+%=2
PFDavgTITITI D
FDUDU $$,$
The second term is the common cause term and the third term is the systematic error term.
2oo3
(Eq. No. 7)
[ ] [ ]PFDavg = % + % % % + % %&
'()
*++ %&
'()
*+( ) ( )$ $ $ , $ $DU DU DD DU
FDTI MTTR TI
TI TI2 2 32 2
The second term in the equation represents multiple failures during repair. This factor is typicallynegligible for short repair times. The third term is the common cause term. The fourth term is thesystematic error term.
2oo4
(Eq. No. 8)
( ) ( )[ ] ( ) ( )[ ]PFD TI MTTR TITI TI
avgDU DU DD DU
FD= % + % % % + % %
&
'()
*++ %&
'()
*+$ $ $ , $ $
3 3 2 242 2
The second term in the equation represents multiple failures during repair. This factor is typicallynegligible for short repair times. The third term is the common cause term. The fourth term is thesystematic error term.
For configurations other than those indicated above, see Reference 3 or ISA-TR84.00.02-2002 - Part 5.
The terms in the equations representing common cause (Beta factor term) and systematic failures aretypically not included in calculations performed in the process industries. These factors are usuallyaccounted for during the design by using components based on plant experience.
Common cause includes environmental factors, e.g., temperature, humidity, vibration, external eventssuch as lightning strikes, etc. Systematic failures include calibration errors, design errors, programmingerrors, etc. If there is concern related to these factors, refer to ISA-TR84.00.02-2002 - Part 1 for adiscussion of their impact on the PFDavg calculations.
ISA-TR84.00.02-2002 - Part 2 " 24 "
If systematic errors (functional failures) are to be included in the calculations, separate values for eachsub-system, if available, may be used in the equations above. An alternate approach is to use a singlevalue for functional failure for the entire SIF and add this term as shown in Equation 1a in 5.1.6.
NOTE Systematic failures are rarely modeled for SIF Verification calculations due to the difficulty in assessing the failure modesand effects and the lack of failure rate data for various types of systematic failure. However, these failures are extremely importantand can result in significant impact to the SIF performance. For this reason, ANSI/ISA-84.01-1996, IEC 61508, and IEC 61511provide a lifecycle process that incorporates design and installation concepts, validation and testing criteria, and management ofchange. This lifecycle process is intended to support the reduction in the systematic failures. SIL Verification is thereforepredominantly concerned with assessing the SIS performance related to random failures.
The simplified equations without the terms for multiple failures during repair, common cause andsystematic errors reduce to the following for use in the procedures outlined in 5.1.1 through 5.1.4.
1oo1
(Eq. No. 3a) PFDTI
avgDU= %$
2
1oo2
(Eq. No. 4a)( )[ ]
PFDTI
avg
DU
=%$
2 2
3
1oo3
(Eq. No. 5a)( )[ ]
PFDTI
avg
DU
=%$
3 3
4
2oo2
(Eq. No. 6a) PFD TIavgDU= %$
2oo3
(Eq. No. 7a) ( )PFD TIavgDU= %$
2 2
2oo4
(Eq. No. 8a) ( ) ( )33 TIPFD DUavg %= $
5.1.6 Combining components’ PFDs to obtain SIF PFDavg
Once the sensor, final element, logic solver, and power supply (if applicable) portions are evaluated, theoverall PFDavg for the SIF being evaluated is obtained by summing the individual components. The resultis the PFDavg for the SIF for the event being protected against.
(Eq. No. 1a) +*
)('
&%++++=# # # # 2TIPFD D
FPSi $LiAiSiSIS PFDPFDPFDPFD
MTTR is the mean time to repair.
λDD is the detected dangerous failure rate.
β is the fraction of failures that affects more than one channel of a redundant system (common cause factor).
For redundant systems, the second term of the complex equations represents multiple failures during repair and the third term represents common cause failure (CCF).
In the simplified equations the second term is treated as negligible, because its value is very small when the repair time is under 8 h. The third term is dropped on the assumption that systems in the process industries are designed with common cause failures in mind, and the fourth term, systematic failures, is treated as negligible when the SIS is designed following a methodology such as the requirements and design considerations of the IEC 61511 Safety Lifecycle.
The final PFDavg is then represented as:
$PFD_{SIS} = \sum PFD_{Sensor} + \sum PFD_{CLP} + \sum PFD_{EF} + \lambda^F_D\,\dfrac{TI}{2}$
where the last term is the dangerous systematic failure contribution of Eq. 1a, included only when it is not already accounted for in the individual PFDs (the safe systematic rate λSF belongs in the spurious trip rate, not in the PFD).
In general, the use of the simplified equations is accepted for manually tested systems such as sensors and final elements. Although it is common to apply these equations to programmable logic controllers as well, IEC 61508 Edition 2.0 (2010-04) has developed more exact equations to describe systems whose testing relies on self-diagnostics.
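As an added worked example (not part of the original report or of ISA-TR84.00.02), the script below implements the simplified equations 3a to 8a, the 1oo2 complex equation 4B, the Eq. 1a summation over sensor, logic solver and final element, the spurious trip rate of Eq. 16/17, and the low-demand SIL bands of IEC 61511 / ANSI/ISA-84.00.01. All rates are per hour and all times in hours; the failure rates, tag names and the 0.1 validity threshold on λDU·TI are constructed assumptions, not vendor data.

```python
"""
Added worked example (not part of the original report or of ISA-TR84.00.02):
PFDavg of a SIF from the ISA-TR84.00.02-2002 Part 2 equations, combined per
Eq. 1a, the spurious trip rate of Eq. 16/17, and the low-demand SIL bands.
Rates are per hour, times in hours; numeric values are constructed.
"""
from dataclasses import dataclass

# Low-demand SIL bands (IEC 61511 / ANSI/ISA-84.00.01): (SIL, lower incl., upper excl.)
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def pfd_simplified(arch: str, lam_du: float, ti: float) -> float:
    """Simplified equations 3a-8a: undetected dangerous failures only,
    proof-tested every TI hours. Valid while lam_du*ti << 1; the 0.1
    cut-off used here is an assumption of this example."""
    x = lam_du * ti
    if x >= 0.1:
        raise ValueError("lambda_DU * TI must be << 1 for the simplified equations")
    return {
        "1oo1": x / 2,        # Eq. 3a
        "1oo2": x**2 / 3,     # Eq. 4a
        "1oo3": x**3 / 4,     # Eq. 5a
        "2oo2": x,            # Eq. 6a
        "2oo3": x**2,         # Eq. 7a
        "2oo4": x**3,         # Eq. 8a
    }[arch]


def pfd_1oo2_complex(lam_du, lam_dd, ti, mttr, beta, lam_fd=0.0):
    """Eq. 4B (1-beta taken as 1): independent term + multiple failures
    during repair + common cause + systematic term."""
    independent = lam_du**2 * ti**2 / 3
    during_repair = lam_du * lam_dd * mttr * ti
    common_cause = beta * lam_du * ti / 2
    systematic = lam_fd * ti / 2
    return independent + during_repair + common_cause + systematic


@dataclass
class Subsystem:
    name: str
    arch: str
    lam_du: float  # undetected dangerous failure rate, 1/h
    ti: float      # proof-test interval, h


def pfd_sif(subsystems, lam_fd=0.0, ti=0.0):
    """Eq. 1a: PFD_SIS = sum of subsystem PFDs + lambda_FD*TI/2, the last
    term only when systematic failures are not already in the subsystems."""
    return sum(pfd_simplified(s.arch, s.lam_du, s.ti) for s in subsystems) + lam_fd * ti / 2


def sil_from_pfd(pfd):
    """Map a PFDavg to its low-demand SIL band; 0 means no SIL claim (PFD >= 0.1)."""
    if pfd < 1e-5:
        return 4  # better than the SIL 4 band floor
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def spurious_trip(str_components, lam_sf=0.0):
    """Eq. 16/17: STR_SIS = sum of component STRs (+ lambda_SF if not already
    included); MTTF_spurious = 1/STR_SIS, in hours."""
    str_sis = sum(str_components) + lam_sf
    return str_sis, (float("inf") if str_sis == 0 else 1.0 / str_sis)


def example_sif():
    """Constructed SIF: 1oo2 pressure transmitters, 1oo1 logic solver and a
    1oo1 shutdown valve, all proof-tested yearly (8760 h)."""
    subs = [
        Subsystem("pressure transmitters", "1oo2", lam_du=1e-6, ti=8760),
        Subsystem("logic solver", "1oo1", lam_du=5e-8, ti=8760),
        Subsystem("shutdown valve", "1oo1", lam_du=2e-6, ti=8760),
    ]
    pfd = pfd_sif(subs)
    parts = {s.name: pfd_simplified(s.arch, s.lam_du, s.ti) for s in subs}
    return pfd, sil_from_pfd(pfd), parts


if __name__ == "__main__":
    pfd, sil, parts = example_sif()
    for name, value in parts.items():
        print(f"{name:22s} PFDavg = {value:.2e} ({100 * value / pfd:.0f}% of total)")
    print(f"SIF PFDavg = {pfd:.2e} -> SIL {sil}")
    # With beta included, common cause usually dominates a 1oo2 pair:
    print(f"1oo2, beta = 5%: PFDavg = {pfd_1oo2_complex(1e-6, 1e-5, 8760, 8, 0.05):.2e}")
    str_sis, mttf = spurious_trip([0.05 / 8760, 0.01 / 8760, 0.1 / 8760])
    print(f"STR_SIS = {str_sis * 8760:.2f}/yr, MTTF_spurious = {mttf / 8760:.1f} yr")
```

Running it shows the usual picture: the 1oo1 valve carries about 97% of the SIF PFDavg, so the cheapest way to move the SIL is to shorten the valve's TI or add redundancy there, not to upgrade the transmitters; and the 1oo2 pair with β = 5% comes out roughly ten times worse than Eq. 4a alone, which is why dropping the common cause term is only defensible when the design has actually addressed it.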
5. Calculation of the Probability of Failure on Demand PFDavg
Equations for determining the average Probability of Failure on Demand PFDavg for systems with diagnostic-based testing, taken from IEC 61508-6 Edition 2.0, 2010-04.

The Probability of Failure on Demand for complex systems with self-diagnostics considers the total dangerous failure rate, given by the sum of the detected and undetected dangerous failure rates:
$\lambda_D = \lambda_{DU} + \lambda_{DD}$

Equation for a system with 1oo1 architecture:
The architecture consists of a single channel, in which any dangerous failure causes the safety function to fail when a demand occurs:
Canal
Diagnosticos
Figura #5Diagrama de Bloques Fisico
La configuración sencilla se ve comprometida por la falla resultante tanto por la relación de fallas peligrosas no detectables λDU, y la relación de fallas peligrosas detectables λDD. Es posible la equivalencia del sistema para el Tiempo Medio Abajo (MDT) para los dos componentes tC1 y tC2:
Para cada componente del canal la relación de fallas peligrosas no detectables y detectables esta dada por:
Para un canal con un tiempo abajo tCE que resulta en una falla peligrosa:
La probabilidad de fallas sobre demanda para una arquitectura 1oo1 queda establecida como:
Ecuación para sistema con arquitectura 1oo2:
La arquitectura 1oo2 consiste en dos canales conectados en paralelo, en los cuales cada uno puede realizar la función de seguridad. En esta arquitectura ambos canales deberán de fallar de forma peligrosa para que la función de seguridad falle en demanda. Se asume que cualquier diagnostico deberá ser reportado y la falla encontrada y no habrá un cambio en el estado final de la votación de salidas.
Las figuras # 7 y 8 muestran los diagramas de bloques para la arquitectura 1oo2, tCE es calculado de la misma manera que como calculamos 1oo1, pero ahora debemos calcular tGE que esta dado por la ecuación:
Determinación de la PFDavg 8
Risk Software S.A. de C.V.
λDUtC1 =
T1 + MRT2
tC2 = MTTRλDD
λD
tCE
Figura #6Diagrama de Bloques de Confiabilidad
61508-6 ! IEC:2010 - 31 -
Figure B.5 + 1oo1 reliability block diagram
Figures B.4 and B.5 contain the relevant block diagrams. The dangerous failure rate for the channel is given by
DDDUD """ +=
Figure B.5 shows that the channel can be considered to comprise of two components, one with a dangerous failure rate "DU resulting from undetected failures and the other with a dangerous failure rate "DD resulting from detected failures. It is possible to calculate the channel equivalent mean down time tCE, adding the individual down times from both components, tc1 and tc2, in direct proportion to each componentNs contribution to the probability of failure of the channel:
MTTRMRT2
Tt
D
DD1
D
DUCE "
""
"+��
�
����
� +=
For every architecture, the detected dangerous failure rate and the undetected dangerous failure rate are given by
( )DC1DDU #= "" ; DCDDD "" =
For a channel with down time tCE resulting from dangerous failures
1tte1PFD
CEDCED
tCED
<<$#= #
""
"
since
Hence, for a 1oo1 architecture, the average probability of failure on demand is
( ) CEDDDUG tPFD "" +=
B.3.2.2.2 1oo2
This architecture consists of two channels connected in parallel, such that either channel can process the safety function. Thus there would have to be a dangerous failure in both channels before a safety function failed on demand. It is assumed that any diagnostic testing would only report the faults found and would not change any output states or change the output voting.
" DUt c1 = 1 _ T + MRT
2
"DDtc2 = MTTR
"D
tCE
IEC 325/2000
Customer: jose angel alvarado - No. of User(s): 1 - Company: CSIPA CONSULTORIA EN SEGURIDAD INDUSTRILA Y PROTECCION AL AMBIENTE SA DE CVOrder No.: WS-2010-007542 - IMPORTANT: This file is copyright of IEC, Geneva, Switzerland. All rights reserved.This file is subject to a licence agreement. Enquiries to Email: custserv@iec.ch - Tel.: +41 22 919 02 11
61508-6 ! IEC:2010 - 31 -
Figure B.5 + 1oo1 reliability block diagram
Figures B.4 and B.5 contain the relevant block diagrams. The dangerous failure rate for the channel is given by
DDDUD """ +=
Figure B.5 shows that the channel can be considered to comprise of two components, one with a dangerous failure rate "DU resulting from undetected failures and the other with a dangerous failure rate "DD resulting from detected failures. It is possible to calculate the channel equivalent mean down time tCE, adding the individual down times from both components, tc1 and tc2, in direct proportion to each componentNs contribution to the probability of failure of the channel:
MTTRMRT2
Tt
D
DD1
D
DUCE "
""
"+��
�
����
� +=
For every architecture, the detected dangerous failure rate and the undetected dangerous failure rate are given by
( )DC1DDU #= "" ; DCDDD "" =
For a channel with down time tCE resulting from dangerous failures
1tte1PFD
CEDCED
tCED
<<$#= #
""
"
since
Hence, for a 1oo1 architecture, the average probability of failure on demand is
( ) CEDDDUG tPFD "" +=
B.3.2.2.2 1oo2
The probability of failure on demand for the 1oo2 architecture is then given by:
Equation for a system with 2oo2 architecture:
The 2oo2 architecture consists of two channels connected in parallel; both channels must demand the safety function for it to be executed. It is assumed that any diagnostic testing only reports the faults found and does not change the final state of the output voting.
- 32 - 61508-6 © IEC:2010
[Figure B.6 - 1oo2 physical block diagram: two channels with diagnostics feeding a 1oo2 voter; IEC 326/2000]
[Figure B.7 - 1oo2 reliability block diagram: two channel blocks (λDD and λDU giving λD, down time tCE) in parallel, in series with a common cause failure block with down time tGE; IEC 327/2000]
Figures B.6 and B.7 contain the relevant block diagrams. The value of tCE is as given in B.3.2.2.1, but now it is necessary to also calculate the system equivalent down time tGE, which is given by
$t_{GE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{3} + MRT\right) + \frac{\lambda_{DD}}{\lambda_D}\,MTTR$
The average probability of failure on demand for the architecture is
$PFD_G = 2\left((1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right)^2 t_{CE}\, t_{GE} + \beta_D\,\lambda_{DD}\,MTTR + \beta\,\lambda_{DU}\left(\frac{T_1}{2} + MRT\right)$
B.3.2.2.3 2oo2
This architecture consists of two channels connected in parallel so that both channels need to demand the safety function before it can take place. It is assumed that any diagnostic testing would only report the faults found and would not change any output states or change the output voting.
[Figure #7 - 1oo2 physical block diagram: two channels with diagnostics feeding a 1oo2 voter]
[Figure #8 - 1oo2 reliability block diagram: channel blocks with λDU, λDD, λD and down time tCE, plus a common cause failure block with down time tGE]
The probability of failure on demand is established by:
Equation for a system with 1oo2D architecture:
The 1oo2D architecture consists of two channels connected in parallel. During normal operation, both channels must demand the safety function for it to be executed. In addition, if the diagnostics in either channel detect a fault, the output voting is adapted so that operation continues on the channel that is operating without faults. If the diagnostics find a fault in both channels, or a discrepancy that cannot be located in either channel, the outputs go to a safe position. To detect a discrepancy between the channels, each channel must be able to determine the state of the other channel independently. The comparison or switch-over mechanism may not be 100% efficient, so K represents the efficiency of the comparison or switch-over mechanism.
[Figure #9 - 2oo2 physical block diagram: two channels with diagnostics feeding a 2oo2 voter]
[Figure #10 - 2oo2 reliability block diagram: two channel blocks, each with λDU, λDD, λD and down time tCE]
61508-6 © IEC:2010 - 33 -
[Figure B.8 - 2oo2 physical block diagram: two channels with diagnostics feeding a 2oo2 voter; IEC 328/200]
[Figure B.9 - 2oo2 reliability block diagram: two channel blocks (λDD and λDU giving λD, down time tCE) in series]
Figures B.8 and B.9 contain the relevant block diagrams. The value of tCE is as given in B.3.2.2.1, and the average probability of failure on demand for the architecture is
$PFD_G = 2\,\lambda_D\, t_{CE}$
B.3.2.2.4 1oo2D
This architecture consists of two channels connected in parallel. During normal operation, both channels need to demand the safety function before it can take place. In addition, if the diagnostic tests in either channel detect a fault then the output voting is adapted so that the overall output state then follows that given by the other channel. If the diagnostic tests find faults in both channels or a discrepancy that cannot be allocated to either channel, then the output goes to the safe state. In order to detect a discrepancy between the channels, either channel can determine the state of the other channel via a means independent of the other channel. The channel comparison / switch over mechanism may not be 100 % efficient therefore K represents the efficiency of this inter-channel comparison / switch mechanism, i.e. the output may remain on the 2oo2 voting even with one channel detected as faulty.
NOTE The parameter K will need to be determined by an FMEA.
[Figure B.10 - 1oo2D physical block diagram: two channels, each with its own diagnostics, feeding a 1oo2D voter; IEC 329/2000, IEC 330/2000]
[Figure #11 - 1oo2D physical block diagram: two channels, each with its own diagnostics, feeding a 1oo2D voter]
The detected safe failure rate for each channel is given by:
Here the equivalent mean down time values are given by:
The probability of failure on demand for the 1oo2D architecture is given by:
Equation for a system with 2oo3 architecture:
The 2oo3 architecture consists of three channels connected in parallel with a voting arrangement at the output; the output state does not change if only one channel disagrees with the other two. It is assumed that any diagnostic testing only reports the faults found and does not change the final state of the output voting.
[Figure #12 - 1oo2D reliability block diagram: channel blocks with λDU, λSD, λDD and down time tCE, plus a common cause failure block with down time tGE]
- 34 - 61508-6 © IEC:2010
[Figure B.11 - 1oo2D reliability block diagram: two channel blocks, one with λDU and the other with λDU, λDD and λSD, with down time t'CE, in series with a common cause failure block with down time t'GE; IEC 331/2000]
The detected safe failure rate for every channel is given by
$\lambda_{SD} = \lambda_S \cdot DC$
Figures B.10 and B.11 contain the relevant block diagrams. The values of the equivalent mean down times differ from those given for the other architectures in B.3.2.2 and hence are labelled t'CE and t'GE. Their values are given by
$t'_{CE} = \frac{\lambda_{DU}}{\lambda_{DU} + \lambda_{DD} + \lambda_{SD}}\left(\frac{T_1}{2} + MRT\right) + \frac{\lambda_{DD} + \lambda_{SD}}{\lambda_{DU} + \lambda_{DD} + \lambda_{SD}}\,MTTR$
$t'_{GE} = \frac{T_1}{3} + MRT$
The average probability of failure on demand for the architecture is
$PFD_G = 2(1-\beta)\lambda_{DU}\left((1-\beta)\lambda_{DU} + (1-\beta_D)\lambda_{DD} + \lambda_{SD}\right) t'_{CE}\, t'_{GE} + 2(1-K)\lambda_{DD}\, t'_{CE} + \beta_D\,\lambda_{DD}\,MTTR + \beta\,\lambda_{DU}\left(\frac{T_1}{2} + MRT\right)$
B.3.2.2.5 2oo3
This architecture consists of three channels connected in parallel with a majority voting arrangement for the output signals, such that the output state is not changed if only one channel gives a different result which disagrees with the other two channels.
It is assumed that any diagnostic testing would only report the faults found and would not change any output states or change the output voting.
[Figure B.12 - 2oo3 physical block diagram: three channels with diagnostics feeding a 2oo3 voter; IEC 332/2000]
[Figure #13 - 2oo3 physical block diagram: three channels with diagnostics feeding a 2oo3 voter]
The probability of failure on demand for the 2oo3 architecture is established as:
Equation for a system with 1oo3 architecture:
The 1oo3 architecture consists of three channels connected in parallel with a 1oo3 output voting arrangement; any fault detected by the diagnostics causes the system to go to the safe failure state. It is assumed that any diagnostic testing only reports the faults found and does not change the final state of the output voting.
The probability of failure on demand for the 1oo3 architecture is established as:
Where:
[Figure #14 - 2oo3 reliability block diagram: channel blocks with λDU, λDD, λD and down time tCE, plus a common cause failure block with down time tGE]
61508-6 © IEC:2010 - 35 -
[Figure B.13 - 2oo3 reliability block diagram: three channel blocks (λDD and λDU giving λD, down time tCE) under 2oo3 voting, in series with a common cause failure block with down time tGE; IEC 333/2000]
Figures B.12 and B.13 contain the relevant block diagrams. The value of tCE is as given in B.3.2.2.1 and the value of tGE is as given in B.3.2.2.2. The average probability of failure on demand for the architecture is
$PFD_G = 6\left((1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right)^2 t_{CE}\, t_{GE} + \beta_D\,\lambda_{DD}\,MTTR + \beta\,\lambda_{DU}\left(\frac{T_1}{2} + MRT\right)$
B.3.2.2.6 1oo3
This architecture consists of three channels connected in parallel with a voting arrangement for the output signals, such that the output state follows 1oo3 voting.
It is assumed that any diagnostic testing would only report the faults found and would not change any output states or change the output voting.
The reliability diagram will be the same as for the 2oo3 case but with voting 1oo3. The value of tCE is as given in B.3.2.2.1 and the value of tGE is as given in B.3.2.2.2. The average probability of failure on demand for the architecture is
$PFD_G = 6\left((1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right)^3 t_{CE}\, t_{GE}\, t_{G2E} + \beta_D\,\lambda_{DD}\,MTTR + \beta\,\lambda_{DU}\left(\frac{T_1}{2} + MRT\right)$
Where
$t_{G2E} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{4} + MRT\right) + \frac{\lambda_{DD}}{\lambda_D}\,MTTR$
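The Annex B equations transcribed in B.3.2.2.1 to B.3.2.2.6 above, implemented as an added Python example (not code from the standard or from Risk Software). The channel parameters are constructed values, and the side-by-side comparison of all five architectures for one channel goes beyond the single-architecture derivations in the text.

```python
"""IEC 61508-6 Annex B low-demand PFD_G equations for 1oo1, 1oo2, 2oo2, 2oo3
and 1oo3, as transcribed in the text above. Added example, not the standard's
own code; the channel data at the bottom is constructed."""
from dataclasses import dataclass

FIT = 1e-9  # 1 FIT = one failure per 1e9 hours


@dataclass(frozen=True)
class Channel:
    lambda_d: float  # dangerous failure rate lambda_D, per hour
    dc: float        # diagnostic coverage DC, 0..1
    t1: float        # proof test interval T1, hours
    mrt: float       # mean repair time MRT (undetected faults), hours
    mttr: float      # mean time to restoration MTTR (detected faults), hours
    beta: float      # common cause factor beta (undetected dangerous failures)
    beta_d: float    # common cause factor beta_D (detected dangerous failures)

    @property
    def lambda_du(self) -> float:
        return self.lambda_d * (1.0 - self.dc)  # lambda_DU = lambda_D (1 - DC)

    @property
    def lambda_dd(self) -> float:
        return self.lambda_d * self.dc          # lambda_DD = lambda_D * DC


def _down_time(ch: Channel, divisor: int) -> float:
    """Shared shape of tCE (T1/2), tGE (T1/3) and tG2E (T1/4): the undetected
    share waits for the proof test plus MRT, the detected share waits MTTR."""
    return (ch.lambda_du / ch.lambda_d * (ch.t1 / divisor + ch.mrt)
            + ch.lambda_dd / ch.lambda_d * ch.mttr)


def t_ce(ch: Channel) -> float:
    return _down_time(ch, 2)


def t_ge(ch: Channel) -> float:
    return _down_time(ch, 3)


def t_g2e(ch: Channel) -> float:
    return _down_time(ch, 4)


def _independent_rate(ch: Channel) -> float:
    """(1 - beta_D) lambda_DD + (1 - beta) lambda_DU: the part not common cause."""
    return (1.0 - ch.beta_d) * ch.lambda_dd + (1.0 - ch.beta) * ch.lambda_du


def _common_cause_term(ch: Channel) -> float:
    """beta_D lambda_DD MTTR + beta lambda_DU (T1/2 + MRT), same in 1oo2, 2oo3, 1oo3."""
    return (ch.beta_d * ch.lambda_dd * ch.mttr
            + ch.beta * ch.lambda_du * (ch.t1 / 2 + ch.mrt))


def pfd_1oo1(ch: Channel) -> float:
    return (ch.lambda_du + ch.lambda_dd) * t_ce(ch)


def pfd_2oo2(ch: Channel) -> float:
    return 2.0 * ch.lambda_d * t_ce(ch)


def pfd_1oo2(ch: Channel) -> float:
    return 2.0 * _independent_rate(ch) ** 2 * t_ce(ch) * t_ge(ch) + _common_cause_term(ch)


def pfd_2oo3(ch: Channel) -> float:
    return 6.0 * _independent_rate(ch) ** 2 * t_ce(ch) * t_ge(ch) + _common_cause_term(ch)


def pfd_1oo3(ch: Channel) -> float:
    return (6.0 * _independent_rate(ch) ** 3 * t_ce(ch) * t_ge(ch) * t_g2e(ch)
            + _common_cause_term(ch))


# Constructed channel: 500 FIT dangerous, 60 % diagnostic coverage, yearly proof test
EXAMPLE = Channel(lambda_d=500 * FIT, dc=0.60, t1=8760.0, mrt=8.0, mttr=8.0,
                  beta=0.02, beta_d=0.01)


def compare_architectures(ch: Channel = EXAMPLE) -> dict:
    """PFD_G of every architecture for the same channel, for ranking them."""
    return {"1oo1": pfd_1oo1(ch), "1oo2": pfd_1oo2(ch), "2oo2": pfd_2oo2(ch),
            "2oo3": pfd_2oo3(ch), "1oo3": pfd_1oo3(ch)}


if __name__ == "__main__":
    print(f"tCE = {t_ce(EXAMPLE):.1f} h, tGE = {t_ge(EXAMPLE):.1f} h, "
          f"tG2E = {t_g2e(EXAMPLE):.1f} h")
    for arch, pfd in compare_architectures().items():
        print(f"{arch}: PFD_G = {pfd:.3e}")
```

With the constructed channel the common cause term dominates every redundant architecture, which is why the 1oo2, 2oo3 and 1oo3 results land within a few percent of each other.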
Quantification of the Effect of Common Cause Failures:
PFDavg calculations must incorporate the effect of common cause failures on redundant systems. In functional safety it is common to use the Beta (β) factor methodology to determine the common cause failure; a later technical article will describe how this factor is determined.
The final effect of the common cause factor on the PFDavg equation is represented by the following equation:
PFDFCC = ( PFDa x PFDb x..... PFDn ) + (β x PFDPeor)
Where:
PFD a.....n represents the probability of failure on demand of devices a through n.
PFDPeor represents the probability of failure on demand of the weakest or worst device.
Beta (β) represents the common cause factor.
6. Redundant Architectures
Redundant system architectures for Block Diagrams.
[Figure #15 - 2oo2: input E, elements A and B in series to output S, with a common cause failure block]
[Figure #16 - 1oo2: input E, elements A and B in parallel to output S, with a common cause failure block]
[Figure #17 - 2oo3: input E, elements A, B and C under 2oo3 voting to output S, with a common cause failure block]
[Figure #18 - 1oo3: input E, elements A, B and C in parallel to output S, with a common cause failure block]
Redundant system architectures for Fault Trees. OR blocks (are added). AND blocks (are multiplied).
[Figure #19 - 2oo2 fault tree: A OR B, then OR with FCC, to Salida (output)]
[Figure #20 - 1oo2 fault tree: A AND B, then OR with FCC, to Salida]
[Figure #21 - 2oo3 fault tree: (A AND B) OR (A AND C) OR (B AND C), then OR with FCC, to Salida]
[Figure #22 - 1oo3 fault tree: A AND B AND C, then OR with FCC, to Salida]
7. Examples of PFDavg Determination.
We can model the PFDavg of a system using block diagrams with the following simplifications:
✓ Parallel chains are multiplied.
✓ Series chains are added.
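The two block-diagram rules above, the OR/AND gate rules of section 6 and the PFDFCC = product + β x PFDPeor term of the common cause section, combined in one added Python example (not Risk Software's code). The MooN cut-set generalisation, the RRF and SIL banding, and every numeric input are this example's own assumptions, not values from the worked example that follows.

```python
"""Combine per-element PFDavg values with the block-diagram / fault-tree rules
(AND gates multiply, OR gates add, series blocks add) plus the beta-factor
common cause branch. Added example, not Risk Software's own code; the SIF
at the bottom is constructed."""
from itertools import combinations
from math import prod


def pfd_voted(pfds, m):
    """Independent part of an MooN group of n elements: the function is lost
    once n-m+1 elements have failed dangerously. Every (n-m+1)-subset is an
    AND gate (multiply) and the subsets are joined by OR (add). Reproduces
    Figures #19 to #22: 2oo2 -> A+B, 1oo2 -> A*B, 2oo3 -> AB+AC+BC, 1oo3 -> ABC."""
    n = len(pfds)
    if not 1 <= m <= n:
        raise ValueError("MooN requires 1 <= M <= N")
    return sum(prod(cut) for cut in combinations(pfds, n - m + 1))


def pfd_with_ccf(pfds, m, beta):
    """Voted group OR its common cause branch: beta times the worst element's PFD."""
    return pfd_voted(pfds, m) + beta * max(pfds)


def pfd_sis(block_pfds):
    """Sensor, logic solver and final element blocks are in series: they add."""
    return sum(block_pfds)


def risk_reduction_factor(pfd):
    return 1.0 / pfd


def sil_band(pfd):
    """IEC 61508 low-demand bands: SIL 4 = [1e-5, 1e-4) up to SIL 1 = [1e-2, 1e-1)."""
    for sil, lo, hi in ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)):
        if lo <= pfd < hi:
            return sil
    return 0  # outside the SIL 1..4 low-demand range


# Constructed SIF: 2oo3 transmitters with beta = 5 %, one logic solver,
# 1oo2 solenoids with beta = 5 %, a single shutdown valve (no redundancy)
SENSORS = ([3.0e-4, 3.0e-4, 3.0e-4], 2, 0.05)
LOGIC = [1.0e-4]
SOLENOIDS = ([2.0e-4, 2.0e-4], 1, 0.05)
VALVE = [3.0e-3]


def example_sif():
    """PFDavg of each block, the series total, and the resulting RRF and SIL."""
    blocks = [pfd_with_ccf(*SENSORS), pfd_sis(LOGIC),
              pfd_with_ccf(*SOLENOIDS), pfd_sis(VALVE)]
    total = pfd_sis(blocks)
    return {"blocks": blocks, "pfd": total,
            "rrf": risk_reduction_factor(total), "sil": sil_band(total)}


if __name__ == "__main__":
    r = example_sif()
    for name, pfd in zip(("sensors", "logic", "solenoids", "valve"), r["blocks"]):
        print(f"{name:10s} PFDavg = {pfd:.3e}")
    print(f"SIS PFDavg = {r['pfd']:.3e}, RRF = {r['rrf']:.0f}, SIL {r['sil']}")
```

The single valve contributes almost the whole SIS PFDavg here, which is the usual finding: the final element, not the voted sensors, sets the achievable SIL.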
Example:
Consider the following pressure protection system at the inlet of an offshore platform that handles large volumes of natural gas. An overpressure could have a major impact, rupturing the piping and producing a major leak that could even lead to a large fire or explosion:
[System diagram: INPUTS: pressure transmitters PT-9002A, PT-9002B and PT-9002C with a common cause failure block, voted 2oo3 (consider a 2oo3 architecture); LOGIC: TMR logic solver; OUTPUTS: solenoids SVA and SVB with a common cause failure block, driving the shutdown valve ESDV]
The following data are available (the TMR is characterised only by its PFDavg):
Values    PT (FIT)   TMR (FIT)    Solenoid (FIT)   Shut-off valve (FIT)
λsd       396                     71               0
λsu       440                     0                1401
λdd       52                      99               0
λdu       69                      1                765
SFF       92.8%                   ----             ----
TI        1 year                  1 year           1 year
MTTR      8 hr                    8 hr             8 hr
β         5%                      5%               ----
PFDavg               2.5 x 10-4
Problem: Draw the block diagram for the system and calculate the PFDavg value for the system:
ISA-TR84.00.02-2002 - Part 2 - 24 -
If systematic errors (functional failures) are to be included in the calculations, separate values for each sub-system, if available, may be used in the equations above. An alternate approach is to use a single value for functional failure for the entire SIF and add this term as shown in Equation 1a in 5.1.6.
NOTE Systematic failures are rarely modeled for SIF Verification calculations due to the difficulty in assessing the failure modes and effects and the lack of failure rate data for various types of systematic failure. However, these failures are extremely important and can result in significant impact to the SIF performance. For this reason, ANSI/ISA-84.01-1996, IEC 61508, and IEC 61511 provide a lifecycle process that incorporates design and installation concepts, validation and testing criteria, and management of change. This lifecycle process is intended to support the reduction in the systematic failures. SIL Verification is therefore predominantly concerned with assessing the SIS performance related to random failures.
The simplified equations without the terms for multiple failures during repair, common cause and systematic errors reduce to the following for use in the procedures outlined in 5.1.1 through 5.1.4.
1oo1
(Eq. No. 3a) $PFD_{avg} = \lambda^{DU}\,\frac{TI}{2}$
1oo2
(Eq. No. 4a) $PFD_{avg} = \frac{\left[(\lambda^{DU})^2\,(TI)^2\right]}{3}$
1oo3
(Eq. No. 5a) $PFD_{avg} = \frac{\left[(\lambda^{DU})^3\,(TI)^3\right]}{4}$
2oo2
(Eq. No. 6a) $PFD_{avg} = \lambda^{DU}\,TI$
2oo3
(Eq. No. 7a) $PFD_{avg} = (\lambda^{DU})^2\,(TI)^2$
2oo4
(Eq. No. 8a) $PFD_{avg} = (\lambda^{DU})^3\,(TI)^3$
5.1.6 Combining components' PFDs to obtain SIF PFDavg
Once the sensor, final element, logic solver, and power supply (if applicable) portions are evaluated, the overall PFDavg for the SIF being evaluated is obtained by summing the individual components. The result is the PFDavg for the SIF for the event being protected against.
(Eq. No. 1a) $PFD_{SIS} = \sum PFD_{Si} + \sum PFD_{Ai} + \sum PFD_{Li} + \sum PFD_{PSi} + \lambda^{D}_{F}\,\frac{TI}{2}$
Solution with Block Diagrams: The first step is to calculate the PFDavg values for each block, using the formula:
1) For the transmitters we have:
PFDavg = (69 x10-9 x 8760)/2 = 3.02 x10-6
PFDavg (A x B) = 3.02 x10-6 x 3.02 x10-6 = 9.13 x 10-12
PFDavg (A x C) = 3.02 x10-6 x 3.02 x10-6 = 9.13 x 10-12
PFDavg (B x C) = 3.02 x10-6 x 3.02 x10-6 = 9.13 x 10-12
PFDFCC = (3.02 x10-6 x 3.02 x10-6 x 3.02 x10-6) + (0.05 x 3.02 x10-6 ) = 1.51 x 10-07
PFDavg = 3.02 x10-6 + 3.02 x10-6 + 3.02 x10-6 = 9.07 x 10-6
PFDavg tot = 9.07 x 10-6 + 1.51 x 10-07 = 9.21 x 10-06
2) For the logic controller we have PFDavg = 2.5 x 10-4
3) For the solenoid valves we have:
PFDavg = (1 x10-9 x 8760)/2 = 4.38 x10-6
PFDavg = (4.38 x10-6 x 4.38 x10-6) = 1.91 x 10-11
PFDFCC = (4.38 x10-6 x 4.38 x10-6 ) + (0.05 x 4.38 x10-6 ) = 2.19 x 10-7
PFDavg tot = 1.91 x 10-11 + 2.19 x 10-7 = 2.19 x 10-7
4) For the shut-off valve we have
PFDavg = (765 x10-9 x 8760)/2 = 3.35 x10-3
The PFDavg value for the SIS will be:
PFDavg SIS = 9.21 x 10-06 + 2.5 x 10-4 + 2.19 x 10-7 + 3.35 x10-3 = 3.61 x10-3
FRR = 277 SIL2
Solution with Fault Trees:
[Fault tree of the SIS: PT branch with an AND gate for each pair of transmitters joined by OR, then OR with FCC; CLP; SV branch with an AND of the two solenoids, then OR with FCC; SCV; all joined by OR into the top event "Falla SIS". Values shown: basic events 3.02 x10-6 (PT), 2.5 x 10-4 (CLP), 4.38 x10-6 (SV), 3.35 x10-3 (SCV); FCC terms 1.51 x 10-07 (PT) and 2.19 x 10-7 (SV); intermediate results 9.07 x 10-6, 9.21 x 10-06, 1.91 x 10-11, 2.19 x 10-7; top event 3.61 x10-3]
The values shown at the basic events are given in PFDavg.
Example:
Calculations using Dyadem's FTA-Pro
Resultados al Tiempo: 8760
Falta de disponibilidad 0.007206
Frecuencia: N/A
Tiempo        Falta de disponibilidad   Falta de disponibilidad
0.00000       0.000000                  0.000000
796.36364     0.000657                  0.000657
1592.72727    0.001314                  0.001314
2389.09091    0.001970                  0.001970
3185.45455    0.002626                  0.002626
3981.81818    0.003282                  0.003282
4778.18182    0.003937                  0.003937
5574.54545    0.004592                  0.004592
6370.90909    0.005246                  0.005246
7167.27273    0.005900                  0.005900
7963.63636    0.006553                  0.006553
8760.00000    0.007206                  0.007206
Total de Tiempo Sistema Parado 30.972005
PFDavg: 0.003536
FRR = 282 SIL=2
The comments in this document express the point of view of:
Victor Machiavelo Salinas, TUV FS Expert ID-141/09, Risk Software SA de CV
victorm@risksoftware.com.mx, www.risksoftware.com.mx
We would appreciate any comments.