SIF probability of failure

1 The probability of failure on demand of each safety instrumented function shall be equal to, or less than, the target failure measure as specified in the safety requirement specifications. This shall be verified by calculation. 

No reproduction or networking permitted without license from IHS 

NOTE 1 In the case of safety instrumented functions operating in the demand mode of operation, the target failure measure should be expressed in terms of the average probability of failure to perform its design function on demand, as determined by the safety integrity level of the safety instrumented function (see Table 3). 

NOTE 3 It is necessary to quantify the probability of failure separately for each safety instrumented function because different component failure modes could apply and the architecture of the SIS (in terms of redundancy) may also vary. 

1 Users and designers should refer to Annex A of this standard for guidance in techniques available to ensure SIS design satisfies performance relating to random hardware failures. 

2 Most of the techniques in Annex A of this standard require some quantification of the diagnostic coverage of the SIS. Diagnostics are tests performed automatically to detect faults in the SIS that may result in safe or dangerous failures. 

A particular diagnostic technique cannot usually detect all possible faults. An estimate of the effectiveness of the diagnostics used may be provided for the set of faults being addressed. Subclauses 7.4.4.5 and 7.4.4.6 of lEC 61508-2 provide requirements for how diagnostics could be determined (see also Annex C of lEC 61508-6 for an example of how diagnostic coverage is calculated). 

In situations where the SIS is the only layer of protection and is used for a safety function operating in the continuous mode of operation, then the diagnostic test interval will need to be such that faults in the SIS are detected in time to ensure the integrity of the SIS and to allow action to be taken to ensure a safe state in the event of a failure occurring in the process or the basic process control system. 

To achieve this, the sum of the diagnostic test interval and the reaction time to achieve a safe state should be less than the process safety time . The process safety time is defined as the time period between a failure occurring in the process or the basic process control system (with the potential to give rise to a hazardous event) and the occurrence of the hazardous event if the safety instrumented function is not performed. 

---

The targets for average probability of failure on demand or frequency of dangerous failures per hour apply to the safety instrumented function, not to individual components or subsystems. A component or subsystem (for example, sensor, logic solver, final element) cannot have a SIL assigned to it outside its use in a specific SIF. However, it can have an independent maximum SIL capability claim. 

Table 3.8 Safety integrity levels probability of failure on demand, target risk reduction factor and target frequency of dangerous failure to perform the SIF.

These three modes have been defined because SIF testing may or may not be given credit depending on the level of redundancy and the mode. The probability of failure on demand is calculated differently for each mode. The essential differences are due to the relationship between the dangerous condition (the demand) and the diagnostic testing. 

The quantitative requirements for a low demand SIF are statedby means of the average probability of failure... 

It is important to note that only those protection layers that can mitigate the initiating cause are given credit in the analysis. The calculation results in an optimistic result when the calculation is done by simply multiplying the initiating event frequency of the entire BPCS loop by the probability of failure of the SIF without regard for the common mode existing between them. This is shown in Table F.3 as Incorrect... 

PFDavg, probability of failure on demand SIF, safety instrument functions SIL, safety integrity level. 

The proposed methodology has been applied to a SIS in order to evaluate the Probability of Failure on Demand (PFD) of a Safety Instrumented Eunc-tion (SIF). 

The level of overall availability for a system component is calculated as 1 minus the sum of the average probability of dangerous failure on demand. SIL-1 availability of 90-99 percent SIL-2 availability of 99-99.9 percent SIL-3 availability of 99.9-99.99 percent. See also Layers of Protection Analysis (LOPA) Safety Instrumented Function (SIF) Safety Instrumented System (SIS). 

NOTE 3 In determining safety integrity, all causes of failures (both random hardware failures and systematic failures) which lead to an unsafe state should be included for example, hardware failures, software induced failures and failures due to electrical interference. Some of these types of failure, in particular random hardware failures, may be quantified using such measures as the failure rate in the dangerous mode of failure or the probability of a safety instrumented function failing to operate on demand. However, the safety integrity of an SIF also depends on many factors, which cannot be accurately quantified but can only be considered qualitatively. 

The second case considered by the standard is where the SIS is not fault tolerant and is providing protection in a demand mode. Continued operation within the MTTR is taken into account in the calculation of the probability of random hardware failure. However, in this case, there is no protection until the faulted device is repaired and returned to service. Therefore, when continuing operation with a disabled SIF, compensating measures should be identified that provide risk reduction equivalent to that provided by the SIF in the absence of the fault. These compensating measures should be documented in the operation and maintenance procedures so that personnel are trained on their appropriate use. To continue operation beyond the MTTR, a management of change review should be conducted to ensure that the compensating measures identified are sufficient for extended operation and that priority has been placed on the repair. 

Characteristics of each SIF device, the interactions among its components, and the properties of the system itself are responsible for SIF performance. The following issues are responsible for performance and failure probability of SIF ... 

As discussed many times earlier, PFDavg is an important parameter for SIF and it is dependent on proof test interval (PTI). This means that if a device has a PFDavg of 4 X 10 for Tproof 1 year the failure probability of the safety function for the device is 0.0004 within 1 year. A similar calculation is also applicable for PFH. 

Step 1 - Complete the LOPA without taking any credit for the SIF. First, determine the initiating events from HAZOP/What-if/EMEA study. Next, evaluate frequencies of all initiating events from company database and industry experience. Then, determine the probability that each IPL will function successfully from an industrial database. PFO yg of some typical protection layers are (CCPS, 2000) BPCS control loop = 0.10 Operator s response to alarm = 0.10 Rehef safety valve = 0.01 to 0.001 and vessel failure probability at maximum design pressure = 10 ". Finally, compare the calculated risk with the tolerable risk target... 

The middle portion of the bathtub has a failure rate that remains relatively flat or declining as a function of operating time interval. Failures are primarily due to random stresses in the environment. During this period of time it is reasonable to assume that the failure rate is constant. While many consider this to be too conservative due to the fact that the failure rate is probably declining, this assumption simplifies the math and is very appropriate for probabilistic SIF verification. 

---