Determination of PFDavg (SIL) of a Safety Instrumented System (SIS)

Prepared for: Course in Risk Analysis and Functional Safety
Prepared by: Victor Machiavelo Salinas

Risk Software SA de CV www.risksoftware.com.mx

Risk Software S.A. de C.V.

Determinacion de PFD - machiavelo.files.wordpress.com


1. Introduction

The PFDavg value (Average Probability of Failure on Demand) is used in Functional Safety to determine the Safety Integrity Level (SIL; NIL in Spanish) that a Safety Instrumented System (SIS) has for a given Safety Instrumented Function (SIF).

Figure #1 shows the relationship that a Safety Instrumented System establishes between the rate (frequency) of demands (events/year) at which the SIS is called upon by the process because of an unsafe condition, and the rate (frequency) of final undesired events (events/year) that occur because of the inefficiency, failure or inability of the SIS.

The NIL/SIL level is derived from the numerical PFDavg value calculated for a SIS, in which we include the sensor elements (pressure, temperature, flow, etc.), the programmable logic controller and the final control elements (valves, motors, actuators, etc.).

The total PFDavg of a SIS is the algebraic sum of the average probability of failure on demand of the sensor, plus that of the logic controller, plus that of the final control element, as shown in figure #2.

To calculate the PFDavg of a SIS, the standard ANSI/ISA 84.01-2004 recommends three methods:

1. Simplified Equations (Reliability Block Diagrams)

2. Fault Tree Analysis (FTA)

3. Markov Models.

This technical report focuses on calculating PFDavg with the first two methods, which are the most widely used in functional safety, while noting that Markov models are more precise and can model systems over time, with sequences and with repair.

Determination of the PFDavg 1

Risk Software S.A. de C.V.

Figure #1: PFDavg = H/D = 1/(Risk Reduction Factor). Demand rate (D) → SIS → Event rate (H).

Figure #2: PFDavg Total = PFDS + PFDL + PFDEF. The SIS comprises the Sensor, the Logic Controller and the Final Elements.


2. System Failures

It is necessary to understand how systems and equipment fail, because the equations used to determine the PFDavg value depend directly on the failure mechanism of the sensors, the logic controller and the final elements.

Figure #3 shows the failure modes that the components of a SIS can have.

MTBF = Mean Time Between Failures

MTTF = Mean Time To Fail

Overt Failure Modes:

They are also known as "Revealed" failures because they become known as soon as they occur; examples are the loss of a sensor signal when the wires carrying the signal are cut, or the failure of a solenoid valve coil.

Overt failures normally produce a system response known as a "Safe Failure", whose most common consequence is an emergency shutdown of the process. This is what the "Spurious Trip Rate" measures. In many processes this condition is undesirable because it directly affects production or production time; in continuous processes, as in the chemical or oil industry, it is very costly because restarting the process is neither easy nor fast. In certain processes this condition can also be very dangerous, since shutting down inherently hazardous processes that handle large quantities of material and energy can create risky conditions for personnel, the environment and company assets.

The way to prevent this is to increase the fault tolerance of systems and equipment (redundancy). The IEC-61511 standard, in clause 11.4, specifies the mechanisms and levels of fault tolerance for SIS.


Figure #3: Failure Modes.
Covert failures (dangerous trip rate, λD = 1/MTTF): not detected, or detected by diagnostics or by manual tests. Plant shutdown, or remain at risk while repairing; the SIS is out of service during tests.
Overt failures (spurious trip rate, λS = 1/MTBFsp): one must live with the loss of production.


Covert Failure Modes:

Covert failures are dangerous failures until they are detected and corrected. The PFDavg calculation is based on this type of failure. Typically, covert failures manifest in devices whose function is to generate or lead to the final event, such as the output devices of the PLC cards, the relay coil, the valve actuator or the controller logic. The main problem with these failures arises in devices that have not been operated for long periods of time. Three types of conditions occur with covert failures:

1. Failures that can be detected by self-diagnostics.

2. Failures that can be found during a test period.

3. Failures that remain hidden, undetected in the system, until a failure on demand occurs.

Each of these failures contributes to the PFDavg value of the SIS. Each failure requires a different reliability calculation treatment.

The formulas for calculating systems based on self-diagnostics generally refer to programmable logic controllers, since these systems use advanced diagnostic techniques. In most systems, when we speak of "diagnostics" we mean the system's ability to perform tests without human intervention. These diagnostics, also referred to as "active", are functional tests of the system state, for example switching the state of the controller output cards open/closed (On/Off) to verify that the system is able to bring the process to a safe condition. These tests are performed very quickly, generally in milliseconds, so that the tests themselves do not become a dangerous condition for the process.

Calculations:

The calculation of revealed failures (also called safe failures) is important from the standpoint of process operation. Installing a safety system is a complicated and costly process; the last thing we want is for that system itself to generate a potentially unsafe condition or to cause production or economic losses. The selection of a safety system without fault tolerance must be carefully evaluated from the standpoint of both safety and process operation, and the design of the system under the life-cycle concept must include the costs of spurious trips and the costs associated with fault tolerance. Revealed failures also have two components: detectable safe failures and undetectable safe failures. The fact that both lead to a safe process shutdown minimizes the need to detail each one in a separate equation.

Covert failures (also called dangerous failures), as shown in figure #3, have two components:


1) Dangerous failures detected by self-diagnostics, which perform the testing and detection of errors and failures automatically. We associate these failures with complex systems such as logic controllers; however, in recent years some field devices such as sensors and valve actuators have incorporated high levels of self-diagnostics in their electronics. Typically the self-diagnostic test time ranges between 1 and 10 seconds.

2) Dangerous failures detected by manual tests, which are tests that cannot be performed by diagnostics and must be carried out and diagnosed manually. Typically the time of these tests is much shorter than the MTBF. This type of test is associated with field devices and final control elements.

Figure #4 shows the different tests required for the different devices. There is a large difference between the equations used to model the PFDavg of sensors and final control elements and those used to model logic controllers, not only because the latter perform self-diagnostic tests, but also because each system can contain different devices in different configurations and numbers (input and output modules, power supplies, processors, communications, etc.).

The equations for modeling programmable logic controllers are defined in detail in the standard IEC 61508-6, Edition 2.0, 2010-04. Simplified equations for programmable logic controllers are also available, which make the determination of PFDavg easier but less exact.


Figure #4: Test Requirements for Devices. Demand rate (D) → Sensor (manual tests) → Logic Controller (self-diagnostic tests) → Final Elements (manual tests) → Event rate (H).


3. Determination of the Spurious Trip Rate (STR)

Equations for determining the Spurious Trip Rate (STR).

As noted earlier, it is useful to know the spurious trip rate a system will have; this allows us to select systems based on the costs associated with tripping/stopping a process because of the failure of one of the components of the safety instrumented system:

Architecture | Complex equation / ISA TR84.00.02 Part 2 | Simplified equation / ISA TR84.00.02 Part 2
1oo1 | STR = λS + λDD + λSF (Eq. 10) | STR = λS (Eq. 10a)
1oo2 | STR = 2[(λS + λDD)] + β[(λS + λDD)] + λSF (Eq. 11) | STR = 2λS (Eq. 11a)
1oo3 | STR = 3[(λS + λDD)] + β[(λS + λDD)] + λSF (Eq. 12) | STR = 3λS (Eq. 12a)
2oo2 | STR = 2λS[(λS + λDD) × MTTR] + β[(λS + λDD)] + λSF (Eq. 13) | STR = 2(λS)² × MTTR (Eq. 13a)
2oo3 | STR = 6λS[(λS + λDD) × MTTR] + β[(λS + λDD)] + λSF (Eq. 14) | STR = 6(λS)² × MTTR (Eq. 14a)
2oo4 | STR = 12[(λS + λDD)³ × MTTR²] + β[(λS + λDD)] + λSF (Eq. 15) | STR = 12(λS)³ × MTTR² (Eq. 15a)

Excerpt from ISA-TR84.00.02-2002 - Part 2, pp. 27-28:

(Eq. No. 9) λS = 1 / MTTFspurious

1oo1

(Eq. No. 10) STR = λS + λDD + λSF

Where λS is the safe or spurious failure rate for the component,

λDD is the dangerous detected failure rate for the component, and

λSF is the safe systematic failure rate for the component.

The second term in the equation is the dangerous detected failure rate term and the third term is the systematic error rate term. The dangerous detected failure term is included in the spurious trip calculation when the detected dangerous failure puts that channel (of a redundant system) or system (if it is non-redundant) in a safe (de-energized) state. This can be done either automatically or by human intervention. If dangerous detected failure does not place the channel or system into a safe state, this term is not included in Equations 10 through 15.

1oo2

(Eq. No. 11) STR = 2[(λS + λDD)] + β[(λS + λDD)] + λSF

The second term is the common cause term and the third term is the systematic error rate term.

1oo3

(Eq. No. 12) STR = 3[(λS + λDD)] + β[(λS + λDD)] + λSF

The second term is the common cause term and the third term is the systematic error rate term.

2oo2

(Eq. No. 13) STR = 2λS[(λS + λDD) × MTTR] + β[(λS + λDD)] + λSF

The second term is the common cause term and the third term is the systematic error rate term. This equation, as well as Equations 14 and 15, assumes that safe failures can be detected on-line. If safe failures can only be detected through testing or inspection, the testing (or inspection) interval TI should be substituted for MTTR.

2oo3

(Eq. No. 14) STR = 6(λS)[(λS + λDD) × MTTR] + β[(λS + λDD)] + λSF

The second term is the common cause term, and the third term is the systematic error rate term.

2oo4

(Eq. No. 15) STR = 12[(λS + λDD)³ × MTTR²] + β[(λS + λDD)] + λSF

The second term is the common cause term, and the third term is the systematic error rate term.

NOTE The above equations apply to elements with the same failure rates. If elements with different failure rates are used, appropriate adjustments must be made (See ISA-TR84.00.02-2002, Part 5 for method).

SIS in the process industry typically must be taken out of service to make repairs when failures are detected unless redundancy of components is provided. Accounting for additional failures while repairs are being made is typically not considered due to the relatively short repair time. Common cause and systematic error are handled as described in 5.1.5. Therefore, the equations above can be reduced to the following:

1oo1

(Eq. No. 10a) STR = λS

1oo2

(Eq. No. 11a) STR = 2λS

1oo3

(Eq. No. 12a) STR = 3λS

2oo2

(Eq. No. 13a) STR = 2(λS)² × MTTR

2oo3

(Eq. No. 14a) STR = 6(λS)² × MTTR

2oo4

(Eq. No. 15a) STR = 12(λS)³ × MTTR²

5.2.6 Combining spurious trip rates for components to obtain SIS MTTFspurious

Once the sensor, final element, logic solver, and power supply portions are evaluated, the overall MTTFspurious for the SIS being evaluated is obtained as follows:

(Eq. No. 16) STRSIS = ΣSTRSi + ΣSTRAi + ΣSTRLi + ΣSTRPSi + λSF

NOTE The last term in the equation, the systematic failure term, is only used when systematic error has not been accounted for in individual component STR and the user desires to include an overall value for the entire system.

(Eq. No. 17) MTTFspurious = 1 / STRSIS

The result is the MTTFspurious for the SIS.


λS is the safe (spurious) failure rate of each component.

λDD is the dangerous detected failure rate of each component.

λSF is the safe systematic failure rate of each component.

The final spurious trip rate of the SIS (using the simplified equations) is the sum over every element of the system:

STR_SIS = ΣSTR_Sensor + ΣSTR_PLC + ΣSTR_FE + λSF

The MTTF (Mean Time To Fail) value is given by:

MTTF_spurious = 1 / STR_SIS


4. Determining the Probability of Failure on Demand

Equations for determining the average Probability of Failure on Demand, PFDavg, for systems with manual proof tests.

The Probability of Failure on Demand for systems with manual tests generally relates to the field elements, that is, sensors and final control elements.

These equations are based on the time or interval between manual tests (TI), whose purpose is to identify and locate dangerous failures in the system or in its elements.

The equations describing the systems use the Dangerous Systematic Failure Rate component.

This rate represents the systematic failures introduced during the design, selection, implementation and maintenance of the field elements of the Safety Instrumented System.

Architecture | Complex equation / ISA TR84.00.02 Part 2 | Simplified equation / ISA TR84.00.02 Part 2
1oo1 | Eq. No. 3: $PFD_{avg} = \lambda_{DU}\frac{TI}{2} + \lambda_{FD}\frac{TI}{2}$ | Eq. No. 3a: $PFD_{avg} = \lambda_{DU}\frac{TI}{2}$
1oo2 | Eq. No. 4B: $PFD_{avg} = (\lambda_{DU})^2\frac{TI^2}{3} + \lambda_{DU}\lambda_{DD}\,MTTR\,TI + \beta\lambda_{DU}\frac{TI}{2} + \lambda_{FD}\frac{TI}{2}$ | Eq. No. 4a: $PFD_{avg} = (\lambda_{DU})^2\frac{TI^2}{3}$
1oo3 | Eq. No. 5: $PFD_{avg} = (\lambda_{DU})^3\frac{TI^3}{4} + (\lambda_{DU})^2\lambda_{DD}\,MTTR\,TI^2 + \beta\lambda_{DU}\frac{TI}{2} + \lambda_{FD}\frac{TI}{2}$ | Eq. No. 5a: $PFD_{avg} = (\lambda_{DU})^3\frac{TI^3}{4}$
2oo2 | Eq. No. 6: $PFD_{avg} = \lambda_{DU}\,TI + \beta\lambda_{DU}\frac{TI}{2} + \lambda_{FD}\frac{TI}{2}$ | Eq. No. 6a: $PFD_{avg} = \lambda_{DU}\,TI$
2oo3 | Eq. No. 7: $PFD_{avg} = (\lambda_{DU})^2\,TI^2 + 3\lambda_{DU}\lambda_{DD}\,MTTR\,TI + \beta\lambda_{DU}\frac{TI}{2} + \lambda_{FD}\frac{TI}{2}$ | Eq. No. 7a: $PFD_{avg} = (\lambda_{DU})^2\,TI^2$
2oo4 | Eq. No. 8: $PFD_{avg} = (\lambda_{DU})^3\,TI^3 + 4(\lambda_{DU})^2\lambda_{DD}\,MTTR\,TI^2 + \beta\lambda_{DU}\frac{TI}{2} + \lambda_{FD}\frac{TI}{2}$ | Eq. No. 8a: $PFD_{avg} = (\lambda_{DU})^3\,TI^3$

The ISA-TR84.00.02-2002 - Part 2 text (pp. 22-24) from which the table is taken:

Equations for typical configurations:

1oo1

(Eq. No. 3) $PFD_{avg} = \lambda_{DU}\left(\frac{TI}{2}\right) + \lambda_{FD}\left(\frac{TI}{2}\right)$

where λDU is the undetected dangerous failure rate,

λFD is the dangerous systematic failure rate, and

TI is the time interval between manual functional tests of the component.

NOTE The equations in ISA-TR84.00.02-2002 - Part 1 model the systematic failure as an error that occurred during the specification, design, implementation, commissioning, or maintenance that resulted in the SIF component being susceptible to a random failure. Some systematic failures do not manifest themselves randomly, but exist at time 0 and remain failed throughout the mission time of the SIF. For example, if the valve actuator is specified improperly, leading to the inability to close the valve under the process pressure that occurs during the hazardous event, then the average value as shown in the above equation is not applicable. In this event, the systematic failure would be modeled using $\lambda_{FD} \cdot TI$. When modeling systematic failures, the reader must determine which model is more appropriate for the type of failure being assessed.

1oo2

(Eq. No. 4A) $PFD_{avg} = \left[(1-\beta)\lambda_{DU}\right]^2\left(\frac{TI^2}{3}\right) + \left[(1-\beta)\lambda_{DU}\,\lambda_{DD}\,MTTR\,TI\right] + \beta\lambda_{DU}\left(\frac{TI}{2}\right) + \lambda_{FD}\left(\frac{TI}{2}\right)$

For simplification, 1-β is generally assumed to be one, which yields conservative results. Consequently, the equation reduces to

(Eq. No. 4B) $PFD_{avg} = (\lambda_{DU})^2\left(\frac{TI^2}{3}\right) + \left[\lambda_{DU}\,\lambda_{DD}\,MTTR\,TI\right] + \beta\lambda_{DU}\left(\frac{TI}{2}\right) + \lambda_{FD}\left(\frac{TI}{2}\right)$

where MTTR is the mean time to repair,

λDD is the dangerous detected failure rate, and

β is the fraction of failures that impact more than one channel of a redundant system (common cause).

The second term represents multiple failures during repair. This factor is typically negligible for short repair times (typically less than 8 hours). The third term is the common cause term. The fourth term is the systematic error term.

1oo3

(Eq. No. 5) $PFD_{avg} = (\lambda_{DU})^3\left(\frac{TI^3}{4}\right) + \left[(\lambda_{DU})^2\,\lambda_{DD}\,MTTR\,TI^2\right] + \beta\lambda_{DU}\left(\frac{TI}{2}\right) + \lambda_{FD}\left(\frac{TI}{2}\right)$

The second term accounts for multiple failures during repair. This factor is typically negligible for short repair times. The third term is the common cause term and the fourth term is the systematic error term.

2oo2

(Eq. No. 6) $PFD_{avg} = \lambda_{DU}\,TI + \beta\lambda_{DU}\left(\frac{TI}{2}\right) + \lambda_{FD}\left(\frac{TI}{2}\right)$

The second term is the common cause term and the third term is the systematic error term.

2oo3

(Eq. No. 7) $PFD_{avg} = (\lambda_{DU})^2\,TI^2 + \left[3\,\lambda_{DU}\,\lambda_{DD}\,MTTR\,TI\right] + \beta\lambda_{DU}\left(\frac{TI}{2}\right) + \lambda_{FD}\left(\frac{TI}{2}\right)$

The second term in the equation represents multiple failures during repair. This factor is typically negligible for short repair times. The third term is the common cause term. The fourth term is the systematic error term.

2oo4

(Eq. No. 8) $PFD_{avg} = (\lambda_{DU})^3\,TI^3 + \left[4(\lambda_{DU})^2\,\lambda_{DD}\,MTTR\,TI^2\right] + \beta\lambda_{DU}\left(\frac{TI}{2}\right) + \lambda_{FD}\left(\frac{TI}{2}\right)$

The second term in the equation represents multiple failures during repair. This factor is typically negligible for short repair times. The third term is the common cause term. The fourth term is the systematic error term.

For configurations other than those indicated above, see Reference 3 or ISA-TR84.00.02-2002 - Part 5.

The terms in the equations representing common cause (Beta factor term) and systematic failures are typically not included in calculations performed in the process industries. These factors are usually accounted for during the design by using components based on plant experience.

Common cause includes environmental factors, e.g., temperature, humidity, vibration, external events such as lightning strikes, etc. Systematic failures include calibration errors, design errors, programming errors, etc. If there is concern related to these factors, refer to ISA-TR84.00.02-2002 - Part 1 for a discussion of their impact on the PFDavg calculations.

If systematic errors (functional failures) are to be included in the calculations, separate values for each sub-system, if available, may be used in the equations above. An alternate approach is to use a single value for functional failure for the entire SIF and add this term as shown in Equation 1a in 5.1.6.

NOTE Systematic failures are rarely modeled for SIF Verification calculations due to the difficulty in assessing the failure modes and effects and the lack of failure rate data for various types of systematic failure. However, these failures are extremely important and can result in significant impact to the SIF performance. For this reason, ANSI/ISA-84.01-1996, IEC 61508, and IEC 61511 provide a lifecycle process that incorporates design and installation concepts, validation and testing criteria, and management of change. This lifecycle process is intended to support the reduction in the systematic failures. SIL Verification is therefore predominantly concerned with assessing the SIS performance related to random failures.

The simplified equations without the terms for multiple failures during repair, common cause and systematic errors reduce to the following for use in the procedures outlined in 5.1.1 through 5.1.4.

1oo1

(Eq. No. 3a) $PFD_{avg} = \lambda_{DU}\left(\frac{TI}{2}\right)$

1oo2

(Eq. No. 4a) $PFD_{avg} = (\lambda_{DU})^2\left(\frac{TI^2}{3}\right)$

1oo3

(Eq. No. 5a) $PFD_{avg} = (\lambda_{DU})^3\left(\frac{TI^3}{4}\right)$

2oo2

(Eq. No. 6a) $PFD_{avg} = \lambda_{DU}\,TI$

2oo3

(Eq. No. 7a) $PFD_{avg} = (\lambda_{DU})^2\,TI^2$

2oo4

(Eq. No. 8a) $PFD_{avg} = (\lambda_{DU})^3\,TI^3$

5.1.6 Combining components' PFDs to obtain SIF PFDavg

Once the sensor, final element, logic solver, and power supply (if applicable) portions are evaluated, the overall PFDavg for the SIF being evaluated is obtained by summing the individual components. The result is the PFDavg for the SIF for the event being protected against.

(Eq. No. 1a) $PFD_{SIS} = \sum PFD_{Si} + \sum PFD_{Ai} + \sum PFD_{Li} + \sum PFD_{PSi} + \lambda_{FD}\left(\frac{TI}{2}\right)$

MTTR is the mean time to repair.

λDD is the dangerous detected failure rate.

β is the fraction of failures that impact one or more channels of a redundant system (common cause failure factor).


For redundant systems, the second term in the complex equations represents the multiple failures that occur during repair, and the third term represents common cause failure (CCF).

In the simplified equations the second term is considered negligible, because its value is very small when the repair time is under 8 h. The third term is negligible because the design of systems in industrial processes is considered to already account for common cause failures, and the fourth term, the systematic failures, is negligible if a methodology is followed for the design of the SIS, such as the requirements and design considerations of the IEC 61511 Safety Life Cycle.

The final PFDavg value is represented as:

PFD_SIS = ΣPFD_Sensor + ΣPFD_PLC + ΣPFD_FE + λSF

In general, the use of the simplified equations is accepted for systems with manual tests, such as sensors and final elements. Although it is also common to use these equations for programmable logic controllers, IEC 61508 Edition 2.0 (2010-04) has developed more exact equations to describe systems whose tests are based on self-diagnostics.

5. Calculating the Probability of Failure on Demand PFDavg

Equations for determining the average Probability of Failure on Demand, PFDavg, for systems with tests based on self-diagnostics, taken from IEC 61508-6 Edition 2.0, 2010-04.

The Probability of Failure on Demand for complex systems with self-diagnostics considers the total dangerous failure rate, given by the sum of the detected and undetected dangerous failure rates:

λTot = λDU + λDD

Equation for a system with 1oo1 architecture:

The architecture consists of a single channel, where any dangerous failure produces a failure of the safety function when a demand occurs:


Figure #5: Physical block diagram (blocks: Channel; Diagnostics)


The single-channel configuration is compromised by the failure resulting from both the undetected dangerous failure rate λDU and the detected dangerous failure rate λDD. The equivalent Mean Down Time (MDT) of the system can be obtained from the two components tC1 and tC2:

For each component of the channel, the undetected and detected dangerous failure rates are given by:

For a channel with a down time tCE that results in a dangerous failure:

The probability of failure on demand for a 1oo1 architecture is then established as:

Equation for a system with 1oo2 architecture:

The 1oo2 architecture consists of two channels connected in parallel, each of which can perform the safety function. In this architecture both channels must fail dangerously for the safety function to fail on demand. It is assumed that any diagnostic would only report the fault found, and that there would be no change in the final state of the output voting.

Figures #7 and #8 show the block diagrams for the 1oo2 architecture. tCE is calculated in the same way as for 1oo1, but now we must also calculate tGE, which is given by the equation:


Figure #6: Reliability block diagram (λDU block: tC1 = T1/2 + MRT; λDD block: tC2 = MTTR; channel λD: tCE)

61508-6 ! IEC:2010 - 31 -

Figure B.5 - 1oo1 reliability block diagram

Figures B.4 and B.5 contain the relevant block diagrams. The dangerous failure rate for the channel is given by

$\lambda_D = \lambda_{DU} + \lambda_{DD}$

Figure B.5 shows that the channel can be considered to comprise of two components, one with a dangerous failure rate $\lambda_{DU}$ resulting from undetected failures and the other with a dangerous failure rate $\lambda_{DD}$ resulting from detected failures. It is possible to calculate the channel equivalent mean down time tCE, adding the individual down times from both components, tc1 and tc2, in direct proportion to each component's contribution to the probability of failure of the channel:

$t_{CE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{2} + MRT\right) + \frac{\lambda_{DD}}{\lambda_D}\,MTTR$

For every architecture, the detected dangerous failure rate and the undetected dangerous failure rate are given by

$\lambda_{DU} = \lambda_D(1 - DC)$ ; $\lambda_{DD} = \lambda_D \cdot DC$

For a channel with down time tCE resulting from dangerous failures

$PFD = 1 - e^{-\lambda_D t_{CE}} \approx \lambda_D\,t_{CE}$ since $\lambda_D\,t_{CE} \ll 1$

Hence, for a 1oo1 architecture, the average probability of failure on demand is

$PFD_G = (\lambda_{DU} + \lambda_{DD})\,t_{CE}$

B.3.2.2.2 1oo2

This architecture consists of two channels connected in parallel, such that either channel can process the safety function. Thus there would have to be a dangerous failure in both channels before a safety function failed on demand. It is assumed that any diagnostic testing would only report the faults found and would not change any output states or change the output voting.

" DUt c1 = 1 _ T + MRT

2

"DDtc2 = MTTR

"D

tCE

IEC 325/2000

Customer: jose angel alvarado - No. of User(s): 1 - Company: CSIPA CONSULTORIA EN SEGURIDAD INDUSTRILA Y PROTECCION AL AMBIENTE SA DE CVOrder No.: WS-2010-007542 - IMPORTANT: This file is copyright of IEC, Geneva, Switzerland. All rights reserved.This file is subject to a licence agreement. Enquiries to Email: [email protected] - Tel.: +41 22 919 02 11



The probability of failure on demand for the 1oo2 architecture is then given by:

Equation for a system with 2oo2 architecture:

The 2oo2 architecture consists of two channels connected in parallel; both channels must demand the safety function for it to be executed. It is assumed that any diagnostic only reports the faults found and does not change the final state of the output voting.

- 32 - 61508-6 © IEC:2010

Figure B.6 - 1oo2 physical block diagram (Channel, Channel, Diagnostics, 1oo2 voting; IEC 326/2000)

Figure B.7 - 1oo2 reliability block diagram (two channels with λDD, λDU, λD and tCE; common cause failure block with tGE; IEC 327/2000)

Figures B.6 and B.7 contain the relevant block diagrams. The value of tCE is as given in B.3.2.2.1, but now it is necessary to also calculate the system equivalent down time tGE, which is given by

$$t_{GE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{3} + MRT\right) + \frac{\lambda_{DD}}{\lambda_D}\,MTTR$$

The average probability of failure on demand for the architecture is

$$PFD_G = 2\left((1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right)^2 t_{CE}\,t_{GE} + \beta_D\lambda_{DD}\,MTTR + \beta\lambda_{DU}\left(\frac{T_1}{2} + MRT\right)$$

B.3.2.2.3 2oo2

This architecture consists of two channels connected in parallel so that both channels need to demand the safety function before it can take place. It is assumed that any diagnostic testing would only report the faults found and would not change any output states or change the output voting.


Figure #7: 1oo2 physical block diagram (Channel, Channel, Diagnostics, 1oo2 voting)

Figure #8: 1oo2 reliability block diagram (channels with λDU, λDD, λD and tCE; common cause failure block with tGE)


The probability of failure on demand is established by:

Equation for a system with 1oo2D architecture:

The 1oo2D architecture consists of two channels connected in parallel. During normal operation, both channels must demand the safety function for it to be executed. In addition, if the diagnostics in either channel detect a fault, the output voting is adapted so that operation continues with the channel that is operating without faults. If the diagnostics find a fault in both channels, or a discrepancy that cannot be allocated to either channel, the outputs go to the safe state. To detect a discrepancy between the channels, each channel must be able to determine the state of the other channel independently. The comparison or switch-over mechanism may not be 100% efficient; therefore K represents the efficiency of the comparison or switch-over mechanism.

Figure #9: 2oo2 physical block diagram (Channel, Channel, Diagnostics, 2oo2 voting)

Figure #10: 2oo2 reliability block diagram (two channels in series, each with λDU, λDD, λD and tCE)

61508-6 © IEC:2010 - 33 -

Figure B.8 - 2oo2 physical block diagram (Channel, Channel, Diagnostics, 2oo2 voting; IEC 328/2000)

Figure B.9 - 2oo2 reliability block diagram (two channels in series, each with λDD, λDU, λD and tCE; IEC 329/2000)

Figures B.8 and B.9 contain the relevant block diagrams. The value of tCE is as given in B.3.2.2.1, and the average probability of failure on demand for the architecture is

$$PFD_G = 2\,\lambda_D\,t_{CE}$$

B.3.2.2.4 1oo2D

This architecture consists of two channels connected in parallel. During normal operation, both channels need to demand the safety function before it can take place. In addition, if the diagnostic tests in either channel detect a fault then the output voting is adapted so that the overall output state then follows that given by the other channel. If the diagnostic tests find faults in both channels or a discrepancy that cannot be allocated to either channel, then the output goes to the safe state. In order to detect a discrepancy between the channels, either channel can determine the state of the other channel via a means independent of the other channel. The channel comparison / switch over mechanism may not be 100 % efficient therefore K represents the efficiency of this inter-channel comparison / switch mechanism, i.e. the output may remain on the 2oo2 voting even with one channel detected as faulty.

NOTE The parameter K will need to be determined by an FMEA.

Figure B.10 - 1oo2D physical block diagram (Channel, Channel, Diagnostics, Diagnostics, 1oo2D voting; IEC 330/2000)


Figure #11: 1oo2D physical block diagram (Channel, Channel, Diagnostics, Diagnostics, 1oo2D voting)

The detected safe failure rate for each channel is given by:

Here the equivalent Mean Down Time values are given by:

The probability of failure on demand for the 1oo2D architecture is given by:

Equation for a system with 2oo3 architecture:

The 2oo3 architecture consists of three channels connected in parallel with a voting arrangement at the output; the output state does not change if only one channel disagrees with the other two. It is assumed that any diagnostic only reports the faults found and does not change the final state of the output voting.

Figure #12: 1oo2D reliability block diagram (common cause failure block; channels with λDU, λDD, λSD; tCE, tGE)

- 34 - 61508-6 © IEC:2010

Figure B.11 - 1oo2D reliability block diagram (common cause failure block; channels with λDU, λDD, λSD; tGE', tCE'; IEC 331/2000)

The detected safe failure rate for every channel is given by

$$\lambda_{SD} = \lambda_S\,DC$$

Figures B.10 and B.11 contain the relevant block diagrams. The values of the equivalent mean down times differ from those given for the other architectures in B.3.2.2 and hence are labelled tCE' and tGE'. Their values are given by

$$t'_{CE} = \frac{\lambda_{DU}\left(\frac{T_1}{2} + MRT\right) + (\lambda_{DD} + \lambda_{SD})\,MTTR}{\lambda_{DU} + \lambda_{DD} + \lambda_{SD}}$$

$$t'_{GE} = \frac{T_1}{3} + MRT$$

The average probability of failure on demand for the architecture is

$$PFD_G = 2(1-\beta)\lambda_{DU}\left((1-\beta)\lambda_{DU} + (1-\beta_D)\lambda_{DD} + \lambda_{SD}\right) t'_{CE}\,t'_{GE} + 2(1-K)\lambda_{DD}\,t'_{CE} + \beta\lambda_{DU}\left(\frac{T_1}{2} + MRT\right)$$

B.3.2.2.5 2oo3

This architecture consists of three channels connected in parallel with a majority voting arrangement for the output signals, such that the output state is not changed if only one channel gives a different result which disagrees with the other two channels.

It is assumed that any diagnostic testing would only report the faults found and would not change any output states or change the output voting.

Figure B.12 - 2oo3 physical block diagram (Channel, Channel, Channel, Diagnostics, 2oo3 voting; IEC 332/2000)


Figure #13: 2oo3 physical block diagram (Channel, Channel, Channel, Diagnostics, 2oo3 voting)

The probability of failure on demand for the 2oo3 architecture is established as:

Equation for a system with 1oo3 architecture:

The 1oo3 architecture consists of three channels connected in parallel with a 1oo3 output voting arrangement; any failure detected by the diagnostics causes the system to go to the safe state. It is assumed that any diagnostic only reports the faults found and does not change the final state of the output voting.

The probability of failure on demand for the 1oo3 architecture is established as:

Where:

Figure #14: 2oo3 reliability block diagram (common cause failure block; channels with λDU, λDD, λD and tCE; tGE)

61508-6 © IEC:2010 - 35 -

Figure B.13 - 2oo3 reliability block diagram (common cause failure block; channels with λDD, λDU, λD and tCE; 2oo3 voting; tGE; IEC 333/2000)

Figures B.12 and B.13 contain the relevant block diagrams. The value of tCE is as given in B.3.2.2.1 and the value of tGE is as given in B.3.2.2.2. The average probability of failure on demand for the architecture is

$$PFD_G = 6\left((1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right)^2 t_{CE}\,t_{GE} + \beta_D\lambda_{DD}\,MTTR + \beta\lambda_{DU}\left(\frac{T_1}{2} + MRT\right)$$

B.3.2.2.6 1oo3

This architecture consists of three channels connected in parallel with a voting arrangement for the output signals, such that the output state follows 1oo3 voting.

It is assumed that any diagnostic testing would only report the faults found and would not change any output states or change the output voting.

The reliability diagram will be the same as for the 2oo3 case but with voting 1oo3. The value of tCE is as given in B.3.2.2.1 and the value of tGE is as given in B.3.2.2.2. The average probability of failure on demand for the architecture is

$$PFD_G = 6\left((1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right)^3 t_{CE}\,t_{GE}\,t_{G2E} + \beta_D\lambda_{DD}\,MTTR + \beta\lambda_{DU}\left(\frac{T_1}{2} + MRT\right)$$

Where

$$t_{G2E} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{4} + MRT\right) + \frac{\lambda_{DD}}{\lambda_D}\,MTTR$$
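The architecture equations of IEC 61508-6 Annex B discussed above (1oo1, 1oo2, 2oo2, 1oo2D, 2oo3 and 1oo3), implemented as an added Python example that is not code from the course material or from IEC; the Channel class, the function names and the sample channel values are this example's own assumptions, with hours as the time unit.

```python
"""PFDavg equations of IEC 61508-6 Annex B (B.3.2.2) for the voted architectures
discussed above: 1oo1, 1oo2, 2oo2, 1oo2D, 2oo3 and 1oo3.
Added example, not code from the course material or from IEC; time unit is hours.
The Channel class, the function names and the sample values are this example's own."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    lam_d: float         # dangerous failure rate per hour, lambda_D = lambda_DU + lambda_DD
    dc: float            # diagnostic coverage DC (0..1)
    t1: float            # proof-test interval T1 (hours)
    mrt: float           # mean repair time after a proof test reveals the fault (hours)
    mttr: float          # mean time to restoration after a diagnosed fault (hours)
    beta: float = 0.0    # common cause factor for undetected dangerous failures
    beta_d: float = 0.0  # common cause factor for detected dangerous failures

    @property
    def lam_du(self) -> float:   # lambda_DU = lambda_D (1 - DC)
        return self.lam_d * (1.0 - self.dc)

    @property
    def lam_dd(self) -> float:   # lambda_DD = lambda_D DC
        return self.lam_d * self.dc


def _down_time(c: Channel, divisor: float) -> float:
    """(lambda_DU/lambda_D)(T1/divisor + MRT) + (lambda_DD/lambda_D) MTTR."""
    return (c.lam_du / c.lam_d) * (c.t1 / divisor + c.mrt) + (c.lam_dd / c.lam_d) * c.mttr


def t_ce(c: Channel) -> float:    # channel equivalent mean down time (T1/2 term)
    return _down_time(c, 2.0)


def t_ge(c: Channel) -> float:    # system equivalent down time, second channel (T1/3 term)
    return _down_time(c, 3.0)


def t_g2e(c: Channel) -> float:   # third channel of a 1oo3 group (T1/4 term)
    return _down_time(c, 4.0)


def ccf_term(c: Channel) -> float:
    """beta_D lambda_DD MTTR + beta lambda_DU (T1/2 + MRT), shared by 1oo2, 2oo3 and 1oo3."""
    return c.beta_d * c.lam_dd * c.mttr + c.beta * c.lam_du * (c.t1 / 2.0 + c.mrt)


def lam_independent(c: Channel) -> float:
    """(1 - beta_D) lambda_DD + (1 - beta) lambda_DU: the part not attributed to common cause."""
    return (1.0 - c.beta_d) * c.lam_dd + (1.0 - c.beta) * c.lam_du


def pfd_channel_exact(c: Channel) -> float:
    """PFD = 1 - exp(-lambda_D t_CE); the linear forms below hold while lambda_D t_CE << 1."""
    return 1.0 - math.exp(-c.lam_d * t_ce(c))


def pfd_1oo1(c: Channel) -> float:
    return (c.lam_du + c.lam_dd) * t_ce(c)


def pfd_1oo2(c: Channel) -> float:
    return 2.0 * lam_independent(c) ** 2 * t_ce(c) * t_ge(c) + ccf_term(c)


def pfd_2oo2(c: Channel) -> float:
    return 2.0 * c.lam_d * t_ce(c)


def pfd_2oo3(c: Channel) -> float:
    return 6.0 * lam_independent(c) ** 2 * t_ce(c) * t_ge(c) + ccf_term(c)


def pfd_1oo3(c: Channel) -> float:
    return 6.0 * lam_independent(c) ** 3 * t_ce(c) * t_ge(c) * t_g2e(c) + ccf_term(c)


def pfd_1oo2d(c: Channel, lam_s: float, k: float) -> float:
    """1oo2D: lam_s is the safe failure rate (lambda_SD = lambda_S DC), k the efficiency
    of the inter-channel comparison / switch-over mechanism (to be taken from an FMEA)."""
    lam_sd = lam_s * c.dc
    t_ce_p = ((c.lam_du * (c.t1 / 2.0 + c.mrt) + (c.lam_dd + lam_sd) * c.mttr)
              / (c.lam_du + c.lam_dd + lam_sd))
    t_ge_p = c.t1 / 3.0 + c.mrt
    pair = (1.0 - c.beta) * c.lam_du * ((1.0 - c.beta) * c.lam_du
                                        + (1.0 - c.beta_d) * c.lam_dd + lam_sd)
    return (2.0 * pair * t_ce_p * t_ge_p
            + 2.0 * (1.0 - k) * c.lam_dd * t_ce_p
            + c.beta * c.lam_du * (c.t1 / 2.0 + c.mrt))


# Constructed sample channel: 1e-6 /h dangerous rate, DC = 50 %, yearly proof test,
# 8 h repair times, beta = 2 % and beta_D = 1 %.
SAMPLE = Channel(lam_d=1e-6, dc=0.5, t1=8760.0, mrt=8.0, mttr=8.0, beta=0.02, beta_d=0.01)

if __name__ == "__main__":
    for name, fn in (("1oo1", pfd_1oo1), ("1oo2", pfd_1oo2), ("2oo2", pfd_2oo2),
                     ("2oo3", pfd_2oo3), ("1oo3", pfd_1oo3)):
        print(f"{name}: PFDavg = {fn(SAMPLE):.3e}")
    print(f"1oo2D: PFDavg = {pfd_1oo2d(SAMPLE, lam_s=2e-6, k=0.98):.3e}")
```

With the common cause factors set to zero the redundant forms collapse to the pure products of down times, and the common cause term alone usually dominates 1oo2 and 2oo3 once β is a few percent.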


Quantifying the Effect of Common Cause Failures:

PFDavg calculations must incorporate the effect of common cause failures in redundant systems. In functional safety it is usual to apply the Beta factor (β) methodology to determine the common cause failure; a later technical article will describe how this factor is determined.

The final effect of the common cause factor on the PFDavg equation is represented by the following equation:

PFDFCC = ( PFDa x PFDb x..... PFDn ) + (β x PFDPeor)

Where:

PFDa.....n represents the probability of failure on demand of devices a through n.

PFDPeor represents the probability of failure on demand of the weakest or worst device.

Beta (β) represents the common cause failure factor.

6. Redundant Architectures

Redundant system architectures for Block Diagrams.

Figure #15: 2oo2 block diagram (blocks A and B in series between input E and output S, plus a common cause failure block)

Figure #16: 1oo2 block diagram (blocks A and B in parallel between input E and output S, plus a common cause failure block)


Figure #17: 2oo3 block diagram (blocks A, B and C between input E and output S, plus a common cause failure block)

Figure #18: 1oo3 block diagram (blocks A, B and C in parallel between input E and output S, plus a common cause failure block)

Redundant system architectures for Fault Trees. OR gates (values are added). AND gates (values are multiplied).

Figure #19: 2oo2 fault tree (A OR B, then OR with FCC, feeding Output)

Figure #20: 1oo2 fault tree ((A AND B) OR FCC, feeding Output)

Figure #21: 2oo3 fault tree ((A AND B) OR (A AND C) OR (B AND C), then OR with FCC, feeding Output)

Figure #22: 1oo3 fault tree ((A AND B AND C) OR FCC, feeding Output)


7. Examples of PFDavg Determination.

We can model the PFDavg of a system using block diagrams with the following simplifications:

✓ Parallel chains are multiplied.

✓ Series chains are added.

Example:

Consider the following pressure protection system at the inlet of an offshore platform that handles large volumes of natural gas. An overpressure could have a major impact, rupturing the piping and causing a major leak that could even lead to a large fire or explosion:

System diagram: INPUTS PT-9002A, PT-9002B, PT-9002C (with common cause failure); LOGIC: TMR; OUTPUTS: SVA, SVB (with common cause failure) and ESDV. Consider a 2oo3 architecture.

The following data are available:

Value      PT (FIT)    TMR (FIT)     Solenoid (FIT)   Shutoff valve (FIT)
λsd        396                       71               0
λsu        440                       0                1401
λdd        52                        99               0
λdu        69                        1                765
SFF        92.8%                     ----             ----
TI         1 year                    1 year           1 year
MTTR       8 hr                      8 hr             8 hr
β          5%                        5%               ----
PFDavg                 2.5 x 10^-4

Problem: Draw the block diagram for the system and calculate the PFDavg value for the system:

ISA-TR84.00.02-2002 - Part 2 - 24 -

If systematic errors (functional failures) are to be included in the calculations, separate values for each sub-system, if available, may be used in the equations above. An alternate approach is to use a single value for functional failure for the entire SIF and add this term as shown in Equation 1a in 5.1.6.

NOTE Systematic failures are rarely modeled for SIF Verification calculations due to the difficulty in assessing the failure modes and effects and the lack of failure rate data for various types of systematic failure. However, these failures are extremely important and can result in significant impact to the SIF performance. For this reason, ANSI/ISA-84.01-1996, IEC 61508, and IEC 61511 provide a lifecycle process that incorporates design and installation concepts, validation and testing criteria, and management of change. This lifecycle process is intended to support the reduction in the systematic failures. SIL Verification is therefore predominantly concerned with assessing the SIS performance related to random failures.

The simplified equations without the terms for multiple failures during repair, common cause and systematic errors reduce to the following for use in the procedures outlined in 5.1.1 through 5.1.4.

1oo1 (Eq. No. 3a) $$PFD_{avg} = \lambda_{DU}\,\frac{TI}{2}$$

1oo2 (Eq. No. 4a) $$PFD_{avg} = \frac{(\lambda_{DU})^2 (TI)^2}{3}$$

1oo3 (Eq. No. 5a) $$PFD_{avg} = \frac{(\lambda_{DU})^3 (TI)^3}{4}$$

2oo2 (Eq. No. 6a) $$PFD_{avg} = \lambda_{DU}\,TI$$

2oo3 (Eq. No. 7a) $$PFD_{avg} = (\lambda_{DU})^2 (TI)^2$$

2oo4 (Eq. No. 8a) $$PFD_{avg} = (\lambda_{DU})^3 (TI)^3$$

5.1.6 Combining components' PFDs to obtain SIF PFDavg

Once the sensor, final element, logic solver, and power supply (if applicable) portions are evaluated, the overall PFDavg for the SIF being evaluated is obtained by summing the individual components. The result is the PFDavg for the SIF for the event being protected against.

(Eq. No. 1a) $$PFD_{SIS} = \sum PFD_{Si} + \sum PFD_{Ai} + \sum PFD_{Li} + \sum PFD_{PSi} + \lambda_{DF}\,\frac{TI}{2}$$

Solution with Block Diagrams: The first thing we must do is calculate the PFDavg values for each block; for this we use the formula:

1) For the transmitters we have:

PFDavg = (69 x10^-9 x 8760)/2 = 3.02 x10^-6

PFDavg (A x B) = 3.02 x10^-6 x 3.02 x10^-6 = 9.13 x 10^-12

PFDavg (A x C) = 3.02 x10^-6 x 3.02 x10^-6 = 9.13 x 10^-12

PFDavg (B x C) = 3.02 x10^-6 x 3.02 x10^-6 = 9.13 x 10^-12

PFDFCC = (3.02 x10^-6 x 3.02 x10^-6 x 3.02 x10^-6) + (0.05 x 3.02 x10^-6) = 1.51 x 10^-07

PFDavg = 3.02 x10^-6 + 3.02 x10^-6 + 3.02 x10^-6 = 9.07 x 10^-6

PFDavg tot = 9.07 x 10^-6 + 1.51 x 10^-07 = 9.21 x 10^-06

2) For the logic solver we have PFDavg = 2.5 x 10^-4


3) For the solenoid valves:

PFDavg = (1 × 10^-9 × 8760) / 2 = 4.38 × 10^-6

PFDavg (A × B) = 4.38 × 10^-6 × 4.38 × 10^-6 = 1.91 × 10^-11

PFD_FCC (common cause) = (4.38 × 10^-6 × 4.38 × 10^-6) + (0.05 × 4.38 × 10^-6) = 2.19 × 10^-7

PFDavg total = 1.91 × 10^-11 + 2.19 × 10^-7 = 2.19 × 10^-7

4) For the shut-off valve:

PFDavg = (765 × 10^-9 × 8760) / 2 = 3.35 × 10^-3

The PFDavg for the SIS is then:

PFDavg SIS = 9.21 × 10^-6 + 2.5 × 10^-4 + 2.19 × 10^-7 + 3.35 × 10^-3 = 3.61 × 10^-3

RRF (risk reduction factor) = 277 → SIL 2
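The simplified voting equations (Eqs. 3a to 8a), the series roll-up of Eq. 1a and the SIL banding of the worked example, as an added Python example that is not part of the original course material. The common-cause term follows the worked example (β times the single-channel PFDavg added to the voted result); the 65 FIT transmitter and the 2.5 × 10^-4 logic-solver figures are taken as given in the text rather than recomputed, and the function names are my own.

```python
"""Simplified PFDavg equations (ISA-TR84.00.02 Part 2, Eqs. 3a-8a), a beta-factor
common-cause term, the series roll-up of Eq. 1a, and demand-mode SIL banding."""

# Each voted group: expected DU failures per test interval x = lambda_du * TI,
# then the closed form of the simplified equation for that architecture.
_VOTING = {
    "1oo1": lambda x: x / 2,
    "1oo2": lambda x: x**2 / 3,
    "1oo3": lambda x: x**3 / 4,
    "2oo2": lambda x: x,
    "2oo3": lambda x: x**2,
    "2oo4": lambda x: x**3,
}


def pfd_avg(lambda_du: float, ti_hours: float, voting: str) -> float:
    """PFDavg of identical channels with dangerous-undetected rate lambda_du
    (failures per hour), proof-tested every ti_hours, in the given voting."""
    if voting not in _VOTING:
        raise ValueError(f"unsupported voting architecture: {voting}")
    return _VOTING[voting](lambda_du * ti_hours)


def pfd_with_ccf(lambda_du: float, ti_hours: float, voting: str, beta: float) -> float:
    """Voted PFDavg plus a common-cause term as in the worked example: a fraction
    beta of the single-channel (1oo1) PFDavg is added, since it defeats all channels."""
    return pfd_avg(lambda_du, ti_hours, voting) + beta * pfd_avg(lambda_du, ti_hours, "1oo1")


def sis_pfd_avg(subsystem_pfds) -> float:
    """Eq. 1a without the wiring term: sensors, logic solver and final elements
    are in series, so their PFDavg values add."""
    return sum(subsystem_pfds)


def sil_band(pfd: float):
    """Return (RRF, SIL) for a demand-mode PFDavg; SIL is None outside bands 1-4."""
    rrf = 1.0 / pfd
    for sil, (low, high) in ((4, (1e-5, 1e-4)), (3, (1e-4, 1e-3)),
                             (2, (1e-3, 1e-2)), (1, (1e-2, 1e-1))):
        if low <= pfd < high:
            return rrf, sil
    return rrf, None


if __name__ == "__main__":
    TI = 8760.0                                # one-year proof test, as in the example
    scv = pfd_avg(765e-9, TI, "1oo1")          # shut-off valve, 765 FIT, 1oo1
    sv = pfd_with_ccf(1e-9, TI, "1oo2", 0.05)  # solenoid pair, 1 FIT, 1oo2, beta 5 %
    # Transmitter (9.21e-6) and PLC (2.5e-4) subsystem values as given in the text.
    total = sis_pfd_avg([9.21e-6, 2.5e-4, sv, scv])
    rrf, sil = sil_band(total)
    print(f"SCV {scv:.3e}  SV {sv:.3e}  SIS {total:.3e}  RRF {rrf:.0f}  SIL {sil}")
```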


Fault tree solution:

[Fault tree figure: the top event "SIS failure" is an OR of four branches. PT (pressure transmitters): OR of the AND gates A·B, A·C and B·C, ORed with the common-cause event FCC. CLP (logic controller): single basic event. SV (solenoid valves): AND of A and B, ORed with its common-cause event FCC. SCV (shut-off valve): single basic event. Basic-event values (PFDavg): PT 3.02 × 10^-6, CLP 2.5 × 10^-4, SV 4.38 × 10^-6, SCV 3.35 × 10^-3. Intermediate gate results: PT 9.07 × 10^-6, with FCC 1.51 × 10^-7 giving 9.21 × 10^-6; SV 1.91 × 10^-11, with FCC 2.19 × 10^-7 giving 2.19 × 10^-7. Top event: 3.61 × 10^-3.]

The values shown at the basic events are given as PFDavg.


Example:

Calculations using Dyadem's FTA-Pro


Results at time: 8760

Unavailability: 0.007206

Frequency: N/A

Time (h)       Unavailability   Unavailability
0.00000        0.000000         0.000000
796.36364      0.000657         0.000657
1592.72727     0.001314         0.001314
2389.09091     0.001970         0.001970
3185.45455     0.002626         0.002626
3981.81818     0.003282         0.003282
4778.18182     0.003937         0.003937
5574.54545     0.004592         0.004592
6370.90909     0.005246         0.005246
7167.27273     0.005900         0.005900
7963.63636     0.006553         0.006553
8760.00000     0.007206         0.007206

Total system downtime: 30.972005

PFDavg: 0.003536

RRF = 282 → SIL 2


The comments in this document express the point of view of:

Victor Machiavelo Salinas, TUV FS Expert ID-141/09, Risk Software SA de CV

[email protected],mx

We would appreciate any comments.
