Reliability Engineering and System Safety 92 (2007) 1267–1273
www.elsevier.com/locate/ress

A simple reliability block diagram method for safety integrity verification

Haitao Guo, Xianhui Yang
Department of Automation, Tsinghua University, Beijing 100084, China

Received 27 June 2006; received in revised form 31 July 2006; accepted 8 August 2006
Available online 2 October 2006

Abstract

IEC 61508 requires safety integrity verification for safety related systems to be a necessary procedure in the safety life cycle. PFD_avg must be calculated to verify the safety integrity level (SIL). Since IEC 61508-6 does not give detailed explanations of the definitions and PFD_avg calculations for its examples, it is difficult for common reliability or safety engineers to understand when they use the standard as guidance in practice. A method using the reliability block diagram is investigated in this study in order to provide a clear and feasible way of PFD_avg calculation and to help those who take IEC 61508-6 as their guidance. The method finds the mean down times (MDTs) of both channel and voted group first and then PFD_avg. The calculated results of various voted groups are compared with those in IEC 61508 part 6 and Ref. [Zhang T, Long W, Sato Y. Availability of systems with self-diagnostic components-applying Markov model to IEC 61508-6. Reliab Eng System Saf 2003;80(2):133–41]. An interesting outcome can be realized from the comparison. Furthermore, although differences in the MDT of voted groups exist between IEC 61508-6 and this paper, the PFD_avg of the voted groups are comparatively close. With detailed description, the RBD method presented can be applied to quantitative SIL verification, showing a similarity to the method in IEC 61508-6.
© 2006 Elsevier Ltd. All rights reserved.

Keywords: Safety related system; Reliability block diagram; Safety integrity level; Probability of failure on demand; IEC 61508

1. Introduction

IEC 61508 [1], published in 2000, has been adopted by many countries as their national standard and is being updated.
Two significant concepts, the safety life cycle and the safety integrity level (SIL) [1–3], appeared in IEC 61508. A necessary procedure of the safety life cycle is SIL verification, which verifies whether the average probability of failure on demand (PFD_avg) of the designed safety related system (SRS) meets the required failure measure. If not, retrofit or modification must be undertaken to reduce the PFD_avg of the safety related system until the safety goal is satisfied. Besides PFD_avg verification, the architectural constraints defined in IEC 61508 must also be considered during the SIL verification process [17]. This study focuses on PFD_avg calculation.

Since IEC 61508 is a performance based standard, the verification can be done through a number of probabilistic analysis techniques. There are many techniques in the published literature, such as fault tree analysis (FTA) [4,5], reliability block diagram (RBD) [6], Markov analysis (MA) [5,7,8,13], simplified equations [9,10] and hybrid methods [11]. Rouvroye and Brombacher [12] compared those techniques and outlined their advantages and disadvantages. Bukowski [13] compared MA and simplified equations and provided an overview of their advantages and disadvantages. Andrews and Ericson II [14] analyzed various design complexities using FTA and MA respectively, and concluded that both FTA and MA can provide satisfactory accuracy of calculation, but the FTA model is more intuitive and easier to create for large and complex systems. What can also be seen is that the outcomes of FTA and MA are considerably close in Ref. [5]. Hauge et al. [15] introduced a method called PDS to quantify the safety unavailability and loss of production for safety instrumented systems. PDS accounts for all types of failure categories: technical, software, human, etc.

RBD, which has mathematical characteristics equivalent to FTA, has been widely used in reliability engineering for many years. By the RBD technique, IEC 61508-6 shows the verification of SIL through calculating the average probability of failure on demand (PFD_avg). While IEC 61508 has been adopted as the national standard of many countries, its demonstration can also be regarded as a guide for doing PFD_avg calculations. An RBD model reveals the logical reliability structure of the involved SRS and can easily be created even for a complex, large SRS. However, IEC 61508-6 does not give a detailed description of the RBD it uses, and its results are different from those of the Markov model by Zhang et al. [8]. Consequently, the technique used in IEC 61508-6 gets questioned. Besides, no other papers dealing with SIL verification by the RBD technique can be found yet, and so RBD needs more support in the field of functional safety.

Because IEC 61508-6 does not give explanations of the definitions and PFD_avg calculations for its examples in detail, it is difficult to use the standard as guidance in practice. In order to provide a clear and feasible way of SIL verification, an RBD method for PFD_avg calculation is presented in this paper with detailed explanation, including the definitions, assumptions and parameters regulated in IEC 61508-6 [6], based on specific system architectures and associated conditions. The method finds the mean down times (MDTs) of both channel and voted group first and then PFD_avg. The results achieved in this study are compared with those of the IEC 61508-6 demonstration and Ref. [8]. Through the comparison, an interesting outcome can be realized. The RBD method in this study can be applied to quantitative SIL verification and helps those who take IEC 61508-6 as their guidance.

Corresponding author. Tel.: +86 10 6278 5845x231; fax: +86 10 6279 0497. E-mail address: guoht03@mails.tsinghua.edu.cn (H. Guo).
0951-8320/$ - see front matter © 2006 Elsevier Ltd. All rights reserved. doi:10.1016/j.ress.2006.08.002

2. Reliability block diagram

The reliability block diagram (RBD) is a graphical analysis technique that expresses the system of concern as connections of a number of components in accordance with their logical relation of reliability. Series connections represent the logical AND of components and parallel connections represent the logical OR, while combinations of series and parallel connections represent voting logic. From the leftmost node to the rightmost node there are several paths, which are the conditions for successful operation of the system. If a component fails, the corresponding connection will be cut off. As failures of components occur, the system keeps operating successfully until no valid path from the leftmost node to the rightmost node can be made up of available connections. Then, the probability of failure of the system can be calculated according to probabilistic principles.

An RBD model is intuitive and easy to establish. For instance, a 1oo2 voted group consists of two voted channels, each of which has its own component(s). Common cause failure can take place upon the two channels. A 1oo2 voted group with one sensor for each channel can be represented by the RBD shown in Fig. 1.

3. Definitions and assumptions

3.1. Equivalent MDT

In IEC 61508-6, one system architecture (group) consists of one or several redundant channels and there is a voting logic for the architecture, such as 1oo1 or 1oo2. In the steady state, the normal operation and failure states of the channel(s) and of the group appear by turns because of failure detection and repair. The voting logic determines how many channel failures will cause the group to fail. The equivalent MDT of a component is defined as the average length of the period during which the component is in the dangerous failure state at steady state. The dangerous failure state refers to the state in which the component cannot take the proper response to dangerous process demands, which may lead to unexpected accidents while the process is still operating. The PFD_avg calculations in this study depend on two equivalent MDTs: the group equivalent MDT and the channel equivalent MDT.
3.2. Average probability of failure on demand

The probability of failure on demand is defined as the probability of failing to take the correct action when a process demand arises. Since the steady state is under consideration, PFD is averaged over an infinite time horizon.

Fig. 1. An RBD example.

3.3. Assumptions

The technique and results developed in this paper are based on the following assumptions:
(i) The resulting average probability of failure on demand for the subsystem is less than 10^-1, or the resulting probability of failure per hour for the subsystem is less than 10^-5.
(ii) Component failure and repair rates are constant over the life of the system.
(iii) The hardware failure rates used as inputs to the calculations and tables are for a single channel of the subsystem.
(iv) All channels in a voted group have the same failure rate and diagnostic coverage rate.
(v) The overall hardware failure rate of a channel in a subsystem is the sum of the failure rates of dangerous and safe failures for that channel. These values are assumed to be equal.
(vi) For each safety function, there is perfect proof testing and repair. Namely, all failures that remain undetected are assumed to be detected by the proof test.
(vii) The proof test interval is at least one order of magnitude greater than the diagnostic test interval.
(viii) The demand rate and the expected interval between demands are not considered in this study.
(ix) For each subsystem, there is a single proof test interval and mean time to restoration.
(x) Multiple repair teams (each of them assumed to have the same repair rate) are available to work on all known faults in a system.
(xi) The expected interval between demands is at least an order of magnitude greater than the mean time to restoration.
Other assumptions can be found in Annex B of IEC 61508-6 [6].

4. Self-diagnostic

Nowadays, a lot of equipment can detect its own failures, but the diagnostic coverage (DC), the percentage of failures detected, is seldom 100%. The total dangerous failure is divided into detected failure and undetected failure with failure rates λ_DD and λ_DU, respectively. That is
$\lambda_D = \lambda_{DD} + \lambda_{DU}.$ (1)
The repair rates of the two types of failure are also separated, μ_DD for dangerous detected failure and μ_DU for dangerous undetected failure, as below:
$\mu_{DD} = \frac{1}{\mathrm{MTTR}},$ (2)
$\mu_{DU} = \frac{1}{T_I/2 + \mathrm{MTTR}},$ (3)
where T_I and MTTR denote the proof test interval and the mean time to restoration.

Actually, some failures of equipment can cause safety related systems to fail safely, which may lead to a spurious process shutdown. This kind of failure is defined as a safe failure. Safe failures are also divided into detected failure and undetected failure with failure rates λ_SD and λ_SU, respectively.
Moreover, no-effect failures are equipment failures that have no effect on the SRS. Accordingly, no-effect failures contribute neither to PFD nor to the probability of failing safely.

5. RBD for calculating PFD_avg

5.1. 1oo1 architecture

This architecture consists of a single channel, where any dangerous failure leads to a failure of the safety function when a demand arises. Fig. 2 shows the RBD of the 1oo1 architecture. Q_i represents a failure, and its failure rate is located at the top right corner of the same rectangle. The channel equivalent MDT is represented by t_CE. The probability of dangerous failure is
$F(t) = F_1(t) + F_2(t)$, and for the steady state $F = F_1 + F_2$. (4)
Using ω_1 and ω_2 to denote the steady failure frequencies of Q_1 and Q_2, respectively, the following equations hold:
$F_1 = \frac{\lambda_{DU}}{\lambda_{DU} + \mu_{DU}},\quad F_2 = \frac{\lambda_{DD}}{\lambda_{DD} + \mu_{DD}},\quad \omega_1 = \frac{\lambda_{DU}\,\mu_{DU}}{\lambda_{DU} + \mu_{DU}},\quad \omega_2 = \frac{\lambda_{DD}\,\mu_{DD}}{\lambda_{DD} + \mu_{DD}}.$ (5)
The channel failure frequency ω_C can be calculated as [16]
$\omega_C = \sum_i \frac{\partial F}{\partial F_i}\,\omega_i.$ (6)
The channel equivalent MDT equals the steady failure probability divided by the steady failure frequency, that is
$t_{CE} = \frac{F}{\omega_C}.$ (7)
From Eqs. (1)–(7) and the condition $\lambda \ll \mu$, t_CE can be derived approximately as
$t_{CE} \approx \frac{\lambda_{DU}\,\mu_{DD} + \lambda_{DD}\,\mu_{DU}}{\mu_{DU}\,\mu_{DD}\,(\lambda_{DU} + \lambda_{DD})} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2} + \mathrm{MTTR}\right) + \frac{\lambda_{DD}}{\lambda_D}\,\mathrm{MTTR}.$ (8)
Since the 1oo1 architecture has only one channel, the voted group equivalent MDT is equal to the channel equivalent MDT, viz., t_GE = t_CE. Then the average probability of failure on demand for the system architecture, PFD_G, is
$\mathrm{PFD}_G = 1 - e^{-\lambda_D t_{CE}} \approx \lambda_D\, t_{CE}.$ (9)
The result above is identical with that in IEC 61508-6 Annex B.

Fig. 2. RBD for 1oo1 architecture.

5.2. 1oo2 architecture

This architecture consists of two channels connected in parallel, so that either channel can process the safety function. Thus there would have to be a dangerous failure in both channels before a safety function failed on demand. It is assumed that any diagnostic test would only report the faults found and would not change any output states or change the output voting. Fig. 3 contains the relevant block diagram. Note that common cause failure has to be considered because there are two identical channels. β denotes the fraction of undetected failures that have a common cause, while β_D is the fraction of those failures detected by the diagnostic tests that have a common cause. The approximate probability of failure of the 1oo2 architecture is
$F(t) = [Q_1(t) + Q_2(t)]\,[Q_3(t) + Q_4(t)].$
With the same procedure introduced in Section 5.1, the voted group equivalent MDT, t_GE, is obtained as follows:
$t_{GE} = \frac{1}{2}\cdot\frac{\lambda_{DU}/(\lambda_{DU} + \mu_{DU}) + \lambda_{DD}/(\lambda_{DD} + \mu_{DD})}{\lambda_{DU}\,\mu_{DU}/(\lambda_{DU} + \mu_{DU}) + \lambda_{DD}\,\mu_{DD}/(\lambda_{DD} + \mu_{DD})} \approx \frac{1}{2}\left[\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2} + \mathrm{MTTR}\right) + \frac{\lambda_{DD}}{\lambda_D}\,\mathrm{MTTR}\right] = \frac{1}{2}\,t_{CE}.$ (10)
The channel equivalent MDT, t_CE, is the same as in Eq. (8) of Section 5.1. It can be seen that the voted group equivalent MDT is exactly half of the channel equivalent MDT. This agrees with intuition. When one channel fails, the group is in a degraded operation state that can still perform the intended function to process a demand. The equivalent MDT of the first failed channel is t_CE. Then, when the second channel failure occurs, the group fails. Therefore, the equivalent MDT of the second failed channel is equal to the group equivalent MDT.
One channel's PFD_avg depends on t_CE and the other's depends on t_GE, thus
$\mathrm{PFD}_G = 2\,(1 - e^{-\lambda_D t_{CE}})(1 - e^{-\lambda_D t_{GE}}) \approx 2\,\lambda_D^2\, t_{CE}\, t_{GE},$
and by considering the effects of common causes
$\mathrm{PFD}_G = 2\,[(1-\beta)\lambda_{DU} + (1-\beta_D)\lambda_{DD}]^2\, t_{CE}\, t_{GE} + \beta\,\lambda_{DU}\left(\frac{T_I}{2} + \mathrm{MTTR}\right) + \beta_D\,\lambda_{DD}\,\mathrm{MTTR}.$ (11)
The PFD_G derived is identical with that in IEC 61508-6 Annex B, while t_GE differs. However, the numeric results of PFD_G are very close to those of IEC 61508-6, as shown in the comparison section of this paper.

Fig. 3. RBD for 1oo2 architecture.

5.3. 2oo2 architecture

This architecture consists of two channels connected in parallel so that both channels need to demand the safety function before it can take place. Fig. 4 shows the RBD of the 2oo2 architecture. Since two 1oo1 blocks are connected in series, referring to Section 5.1, PFD_G is
$\mathrm{PFD}_G = 2\,\lambda_D\, t_{CE},$ (12)
where t_CE is given in Eq. (8).

Fig. 4. RBD for 2oo2 architecture.

5.4. 2oo3 architecture

This architecture consists of three channels connected in parallel with a majority voting arrangement for the output signals, so that the output state is not changed if only one channel gives a different result that disagrees with the other two channels. Fig. 5 shows the RBD of the 2oo3 architecture. Its equivalent transformation is given in Fig. 6. Referring to Section 5.1 and considering the effects of common causes, PFD_G is
$\mathrm{PFD}_G = 6\,[(1-\beta)\lambda_{DU} + (1-\beta_D)\lambda_{DD}]^2\, t_{CE}\, t_{GE} + \beta\,\lambda_{DU}\left(\frac{T_I}{2} + \mathrm{MTTR}\right) + \beta_D\,\lambda_{DD}\,\mathrm{MTTR},$ (13)
where t_CE is given in Eq. (8) and t_GE in Eq. (10). The PFD_G derived is identical with that in IEC 61508-6 Annex B, while t_GE differs.

Fig. 5. RBD for 2oo3 architecture.
Fig. 6. Equivalent RBD for 2oo3 architecture.

5.5. 1oo2D architecture

The two channels in this architecture are connected in parallel. During normal operation, both channels need to demand the safety function before it can take place. In addition, if the diagnostic tests detect a fault in either channel, the output voting is adapted so that the overall output state then follows that given by the other channel. If the diagnostic tests find faults in both channels, or a discrepancy that cannot be allocated to either channel, the output goes to the safe state. In order to detect a discrepancy between the channels, either channel can determine the state of the other via a means independent of the other channel. Fig. 7 shows the RBD of the 1oo2D architecture. λ_SD is the failure rate of safe detected failures. Referring to the procedures in Sections 5.1 and 5.2, t_CE, t_GE and PFD_G for the 1oo2D architecture are:
$t_{CE} = \frac{\lambda_{DU}}{\lambda_D + \lambda_{SD}}\left(\frac{T_I}{2} + \mathrm{MTTR}\right) + \frac{\lambda_{DD} + \lambda_{SD}}{\lambda_D + \lambda_{SD}}\,\mathrm{MTTR},$ (14)
$t_{GE} = \frac{1}{2}\left[\frac{\lambda_{DU}}{\lambda_D + \lambda_{SD}}\left(\frac{T_I}{2} + \mathrm{MTTR}\right) + \frac{\lambda_{DD} + \lambda_{SD}}{\lambda_D + \lambda_{SD}}\,\mathrm{MTTR}\right] = \frac{1}{2}\,t_{CE},$ (15)
$\mathrm{PFD}_G = 2\,(1-\beta)\lambda_{DU}\,[(1-\beta)\lambda_{DU} + (1-\beta_D)\lambda_{DD}]\, t_{CE}\, t_{GE} + \beta\,\lambda_{DU}\left(\frac{T_I}{2} + \mathrm{MTTR}\right) + \beta_D\,\lambda_{DD}\,\mathrm{MTTR}.$ (16)
Common cause failures are considered in the PFD_G calculation. The PFD_G derived is identical with that in IEC 61508-6 Annex B, while t_GE differs.

Fig. 7. Equivalent RBD for 1oo2D architecture.

6. Results comparison

IEC 61508-6, Ref. [8] and this paper have obtained identical average probabilities of failure on demand for the group of voted channels, but the voted group and channel equivalent MDTs are different, as shown in Table 1. In Table 1, it can be seen that the only differences between the results of IEC 61508-6 and this paper are t_GE for some architectures.
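The following is an added example, not code from the paper, from IEC 61508-6 or from Ref. [8]. It implements the channel and voted-group equivalent MDTs and PFD_G of Sections 5.1 to 5.5 (Eqs. (8) to (16)) as reconstructed above, computes the exact t_CE = F/ω_C of Eqs. (4) to (7) beside the λ ≪ μ approximation of Eq. (8), and adds the IEC 61508-6 Annex B form of t_GE (T_I/3 in the undetected term) so that both columns of Table 2 can be recomputed for its first parameter set. The class and function names are this example's own; MTTR abbreviates the paper's "mean time to restoration"; taking λ_SD = DC·λ_S for the 1oo2D case is an assumption.

```python
"""RBD calculation of channel/group equivalent MDT and PFD_G for IEC 61508 voted groups.

Added example (not the paper's, IEC 61508-6's or Ref. [8]'s code): Eqs. (8)-(16)
as reconstructed above, the exact t_CE of Eqs. (4)-(7), and the IEC 61508-6
Annex B t_GE, so that Table 2 can be recomputed. Names are this example's own.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Channel:
    """Parameters of one channel (identical for all channels, assumption (iv))."""
    lam_d: float          # total dangerous failure rate lambda_D [1/h]
    dc: float             # diagnostic coverage DC, as a fraction
    t_i: float            # proof test interval T_I [h]
    mttr: float           # mean time to restoration [h]
    beta: float = 0.0     # common-cause fraction of dangerous undetected failures
    beta_d: float = 0.0   # common-cause fraction of dangerous detected failures
    lam_sd: float = 0.0   # safe detected failure rate lambda_SD [1/h] (1oo2D only)

    @property
    def lam_dd(self) -> float:
        return self.dc * self.lam_d            # lambda_DD, Eq. (1)

    @property
    def lam_du(self) -> float:
        return (1.0 - self.dc) * self.lam_d    # lambda_DU, Eq. (1)


def channel_mdt_exact(ch: Channel) -> float:
    """t_CE = F / omega_C from Eqs. (4)-(7), without the lambda << mu approximation."""
    mu_dd = 1.0 / ch.mttr                          # Eq. (2)
    mu_du = 1.0 / (ch.t_i / 2.0 + ch.mttr)         # Eq. (3)
    f1 = ch.lam_du / (ch.lam_du + mu_du)           # steady-state failure probabilities, Eq. (5)
    f2 = ch.lam_dd / (ch.lam_dd + mu_dd)
    w1 = ch.lam_du * mu_du / (ch.lam_du + mu_du)   # steady-state failure frequencies, Eq. (5)
    w2 = ch.lam_dd * mu_dd / (ch.lam_dd + mu_dd)
    # F = F1 + F2 (series blocks), so dF/dF_i = 1 and Eq. (6) gives omega_C = w1 + w2
    return (f1 + f2) / (w1 + w2)                   # Eq. (7)


def channel_mdt(ch: Channel) -> float:
    """Approximate t_CE of Eq. (8), used by the 1oo1, 1oo2, 2oo2 and 2oo3 groups."""
    return (ch.lam_du / ch.lam_d) * (ch.t_i / 2.0 + ch.mttr) + (ch.lam_dd / ch.lam_d) * ch.mttr


def group_mdt_paper(t_ce: float) -> float:
    """Eqs. (10) and (15): the paper's voted-group MDT is half the channel MDT."""
    return t_ce / 2.0


def group_mdt_iec(ch: Channel) -> float:
    """IEC 61508-6 Annex B t_GE: as Eq. (8) but with T_I/3 in the undetected term."""
    return (ch.lam_du / ch.lam_d) * (ch.t_i / 3.0 + ch.mttr) + (ch.lam_dd / ch.lam_d) * ch.mttr


def channel_mdt_1oo2d(ch: Channel, t_fraction: float = 0.5) -> float:
    """Eq. (14) for t_fraction=0.5; t_fraction=1/3 gives the IEC 61508-6 Annex B t_GE."""
    total = ch.lam_d + ch.lam_sd               # lambda_D + lambda_SD
    return (ch.lam_du * (t_fraction * ch.t_i + ch.mttr) + (ch.lam_dd + ch.lam_sd) * ch.mttr) / total


def common_cause_term(ch: Channel) -> float:
    """beta*lambda_DU*(T_I/2 + MTTR) + beta_D*lambda_DD*MTTR, shared by Eqs. (11), (13), (16)."""
    return ch.beta * ch.lam_du * (ch.t_i / 2.0 + ch.mttr) + ch.beta_d * ch.lam_dd * ch.mttr


def independent_rate(ch: Channel) -> float:
    """(1-beta)*lambda_DU + (1-beta_D)*lambda_DD: the dangerous rate net of common cause."""
    return (1.0 - ch.beta) * ch.lam_du + (1.0 - ch.beta_d) * ch.lam_dd


def pfd_1oo1(ch: Channel) -> float:
    return ch.lam_d * channel_mdt(ch)                       # Eq. (9)


def pfd_2oo2(ch: Channel) -> float:
    return 2.0 * ch.lam_d * channel_mdt(ch)                 # Eq. (12)


def pfd_1oo2(ch: Channel, t_ge: Optional[float] = None) -> float:
    """Eq. (11); pass t_ge=group_mdt_iec(ch) to reproduce the IEC 61508 column of Table 2."""
    t_ce = channel_mdt(ch)
    t_ge = group_mdt_paper(t_ce) if t_ge is None else t_ge
    return 2.0 * independent_rate(ch) ** 2 * t_ce * t_ge + common_cause_term(ch)


def pfd_2oo3(ch: Channel, t_ge: Optional[float] = None) -> float:
    """Eq. (13): as 1oo2 with coefficient 6 (three pairs of channels)."""
    t_ce = channel_mdt(ch)
    t_ge = group_mdt_paper(t_ce) if t_ge is None else t_ge
    return 6.0 * independent_rate(ch) ** 2 * t_ce * t_ge + common_cause_term(ch)


def pfd_1oo2d(ch: Channel, t_ge: Optional[float] = None) -> float:
    """Eq. (16) as reconstructed above."""
    t_ce = channel_mdt_1oo2d(ch)
    t_ge = group_mdt_paper(t_ce) if t_ge is None else t_ge
    return (2.0 * (1.0 - ch.beta) * ch.lam_du * independent_rate(ch) * t_ce * t_ge
            + common_cause_term(ch))


# First parameter set of Table 2, constructed from the values the table states;
# lambda_S = lambda_D and DC = 90% give lambda_SD = 0.9 * 5e-7 under this example's assumption.
TABLE2_CASE1 = Channel(lam_d=5e-7, dc=0.90, t_i=4380.0, mttr=8.0,
                       beta=0.10, beta_d=0.05, lam_sd=0.90 * 5e-7)


def table2_row(ch: Channel) -> dict:
    """(t_GE paper, t_GE IEC, PFD_G paper, PFD_G IEC) for the 1oo2, 2oo3 and 1oo2D groups."""
    t_ce = channel_mdt(ch)
    t_ge_iec_d = channel_mdt_1oo2d(ch, 1.0 / 3.0)
    return {
        "1oo2": (group_mdt_paper(t_ce), group_mdt_iec(ch), pfd_1oo2(ch), pfd_1oo2(ch, group_mdt_iec(ch))),
        "2oo3": (group_mdt_paper(t_ce), group_mdt_iec(ch), pfd_2oo3(ch), pfd_2oo3(ch, group_mdt_iec(ch))),
        "1oo2D": (group_mdt_paper(channel_mdt_1oo2d(ch)), t_ge_iec_d, pfd_1oo2d(ch), pfd_1oo2d(ch, t_ge_iec_d)),
    }


if __name__ == "__main__":
    ch = TABLE2_CASE1
    print(f"t_CE: exact {channel_mdt_exact(ch):.3f} h, Eq. (8) {channel_mdt(ch):.3f} h")
    for name, (tge_p, tge_i, pfd_p, pfd_i) in table2_row(ch).items():
        print(f"{name:5s} t_GE {tge_p:8.4f} / {tge_i:8.4f} h   PFD_G {pfd_p:.4e} / {pfd_i:.4e}")
```

For the first parameter set the "this paper" column reproduces the printed t_GE and PFD_G of Table 2 to the digits shown (t_CE = 227 h, t_GE = 113.5 h), the IEC 61508-6 column agrees to about four significant figures, and the exact t_CE of Eq. (7) differs from the Eq. (8) approximation by only about 0.02 h, which is the practical content of the λ ≪ μ condition. The common-cause term dominates PFD_G in every case, which is why the paper's and the standard's different t_GE lead to almost identical PFD_G.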
IEC 61508-6 calculates t_GE by adding the individual down times from both dangerous detected failures and undetected failures in direct proportion to the contribution of each failure to the probability of failure of the group. In Ref. [8], the channel equivalent MDTs are different from those in IEC 61508-6 and this paper. However, it is very interesting to note that the expressions for t_CE in Ref. [8] are the same as those for t_GE in IEC 61508-6, while the t_GE in Ref. [8] is identical with the t_GE derived in this paper. Based on these differences, Zhang et al. think that a discrepancy exists.

Although IEC 61508-6 and this paper have different t_GE, the numeric results of PFD_G of the two are comparatively close. The calculated PFD_G are almost identical; Table 2 illustrates the closeness. SILs are distinguished by the ranges of their PFD_avg magnitudes according to the definition [3]. Therefore, the tiny differences found in Table 2 can reasonably be neglected in SIL verification. The technique presented is quite feasible in practical application.

7. Conclusion

IEC 61508 requires safety integrity verification for SRS to be a necessary procedure in the safety life cycle. RBD analysis is carried out to compute the PFD_avg of voted groups, and the results show accordance with those in IEC 61508-6. The RBD method in this study can be applied to quantitative SIL verification. Moreover, the method helps those who take IEC 61508-6 as their guidance. The technique presented has the following characteristics:
- RBD models can reflect the reliability structure of the system of concern.
- RBD models are intuitive and easy to create.
- The numeric accuracy of the average probability of failure on demand is satisfactory.
- Similar to the method demonstrated by IEC 61508-6, this method has more detailed explanations.
Through the comparison in Section 6, it can be found that the expressions for the channel equivalent MDT in Ref. [8] are the same as those for the voted group equivalent MDT in IEC 61508-6, while the voted group equivalent MDT in Ref. [8] is identical with that derived in this paper. Efforts are still needed in the future to study the discrepancy of voted group and channel equivalent MDTs in Ref. [8].

Table 1
Comparison of channel equivalent MDT and voted group MDT

Sys. | MDT | This paper | IEC 61508-6 | Ref. [7]
1oo1 | $t_{CE}$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2} + \mathrm{MTTR}\right) + \frac{\lambda_{DD}}{\lambda_D}\mathrm{MTTR}$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2} + \mathrm{MTTR}\right) + \frac{\lambda_{DD}}{\lambda_D}\mathrm{MTTR}$ | $\frac{\lambda_{DU}}{\lambda_D}\frac{T_I}{2} + \mathrm{MTTR}$
2oo2 | $t_{GE}$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2} + \mathrm{MTTR}\right) + \frac{\lambda_{DD}}{\lambda_D}\mathrm{MTTR}$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2} + \mathrm{MTTR}\right) + \frac{\lambda_{DD}}{\lambda_D}\mathrm{MTTR}$ | $\frac{\lambda_{DU}}{\lambda_D}\frac{T_I}{2} + \mathrm{MTTR}$
1oo2 | $t_{CE}$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2} + \mathrm{MTTR}\right) + \frac{\lambda_{DD}}{\lambda_D}\mathrm{MTTR}$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2} + \mathrm{MTTR}\right) + \frac{\lambda_{DD}}{\lambda_D}\mathrm{MTTR}$ | $\frac{\lambda_{DU}}{\lambda_D}\frac{T_I}{3} + \mathrm{MTTR}$
1oo2 | $t_{GE}$ | $\frac{1}{2}t_{CE}$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{3} + \mathrm{MTTR}\right) + \frac{\lambda_{DD}}{\lambda_D}\mathrm{MTTR}$ | $\frac{1}{2}t_{CE}$
2oo3 | $t_{CE}$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2} + \mathrm{MTTR}\right) + \frac{\lambda_{DD}}{\lambda_D}\mathrm{MTTR}$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2} + \mathrm{MTTR}\right) + \frac{\lambda_{DD}}{\lambda_D}\mathrm{MTTR}$ | $\frac{\lambda_{DU}}{\lambda_D}\frac{T_I}{3} + \mathrm{MTTR}$
2oo3 | $t_{GE}$ | $\frac{1}{2}t_{CE}$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{3} + \mathrm{MTTR}\right) + \frac{\lambda_{DD}}{\lambda_D}\mathrm{MTTR}$ | $\frac{1}{2}t_{CE}$
1oo2D | $t_{CE}$ | $\frac{\lambda_{DU}}{\lambda_D + \lambda_{SD}}\left(\frac{T_I}{2} + \mathrm{MTTR}\right) + \frac{\lambda_{DD} + \lambda_{SD}}{\lambda_D + \lambda_{SD}}\mathrm{MTTR}$ | $\frac{\lambda_{DU}}{\lambda_D + \lambda_{SD}}\left(\frac{T_I}{2} + \mathrm{MTTR}\right) + \frac{\lambda_{DD} + \lambda_{SD}}{\lambda_D + \lambda_{SD}}\mathrm{MTTR}$ | $\frac{\lambda_{DU}}{\lambda_D}\frac{T_I}{2} + \mathrm{MTTR}$
1oo2D | $t_{GE}$ | $\frac{1}{2}t_{CE}$ | $\frac{\lambda_{DU}}{\lambda_D + \lambda_{SD}}\left(\frac{T_I}{3} + \mathrm{MTTR}\right) + \frac{\lambda_{DD} + \lambda_{SD}}{\lambda_D + \lambda_{SD}}\mathrm{MTTR}$ | $\frac{1}{2}t_{CE}$

Table 2
Numeric comparison of t_GE and PFD_G
Common parameters: MTTR = 8 h, β = 10%, β_D = 5%, λ_S = λ_D, DC = 90%.
Case A: λ_D = 5×10^-7 h^-1, T_I = 4380 h. Case B: λ_D = 5×10^-7 h^-1, T_I = 8760 h. Case C: λ_D = 2.5×10^-6 h^-1, T_I = 8760 h.

Sys. | Index | A: This paper | A: IEC 61508 | B: This paper | B: IEC 61508 | C: This paper | C: IEC 61508
1oo2 | t_GE (h) | 113.5 | 154 | 223 | 300 | 223 | 300
1oo2 | PFD_G | 1.1182×10^-5 | 1.1183×10^-5 | 2.2164×10^-5 | 2.2180×10^-5 | 1.1171×10^-4 | 1.1209×10^-4
2oo3 | t_GE (h) | 113.5 | 154 | 223 | 300 | 223 | 300
2oo3 | PFD_G | 1.1205×10^-5 | 1.1217×10^-5 | 2.2253×10^-5 | 2.2299×10^-5 | 1.1393×10^-4 | 1.1508×10^-4
1oo2D | t_GE (h) | 61 | 84.8421 | 119.2632 | 161.6842 | 119.2632 | 161.6842
1oo2D | PFD_G | 1.117×10^-5 | 1.117×10^-5 | 2.2121×10^-5 | 2.2122×10^-5 | 1.1063×10^-4 | 1.1064×10^-4

Acknowledgements

The paper is a result of work financially supported by the National Natural Science Foundation of China.

References

[1] Brown S. Overview of IEC 61508: functional safety of electrical/electronic/programmable electronic safety-related systems. Comput Control Eng J 2000;11(1):6–12.
[2] Stavrianidis P, Bhimavarapu K. Performance-based standards: safety instrumented functions and safety integrity levels. J Hazard Mater 2000;71(1):449–65.
[3] IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems. International Electrotechnical Commission.
[4] Beckman L. Easily assess complex safety loops. Chem Eng Progr 2001;97(3):57–9.
[5] Goble W, Cheddie H. Control system safety evaluation and reliability. US: ISA; 1998.
[6] IEC 61508-6, Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 6. Guidelines on the application of IEC 61508-2 and IEC 61508-3.
[7] Bukowski J, Goble W. Using Markov models for safety analysis of programmable electronic systems. ISA Trans 1995;34(2):193–8.
[8] Zhang T, Long W, Sato Y. Availability of systems with self-diagnostic components-applying Markov model to IEC 61508-6. Reliab Eng System Saf 2003;80(2):133–41.
[9] ISA-S84.01.1996. Application of safety instrumented systems for process industries.
[10] Summers A. Viewpoint on ISA TR84.0.02 simplified methods and fault tree analysis. ISA Trans 2000;39(2):125–31.
[11] Knegtering B, Brombacher A. Application of micro Markov models for quantitative safety assessment to determine safety integrity levels as defined by the IEC 61508 standard for functional safety. Reliab Eng System Saf 1999;66(2):171–5.
[12] Rouvroye J, Brombacher A. New quantitative safety standards: different techniques, different results? Reliab Eng System Saf 1999;66(2):121–5.
[13] Bukowski J. A comparison of techniques for computing PFD average. In: Proceedings of the annual reliability and maintainability symposium, 2005. p. 590–5.
[14] Andrew J, Ericson II C. Fault tree and Markov analysis applied to various design complexities. In: Proceedings of the 18th international system safety conference, 2000.
[15] Hauge S, Hokstad P, Langseth H, et al. Reliability prediction method for safety instrumented systems, PDS method handbook, 2006 edition. Norway: SINTEF; 2006.
[16] Mei QZ, Liao JS, Sun HZ. Basis of system reliability engineering. Beijing: Publication of Science; 1987. p. 235–245 [in Chinese].
[17] Van Beurden I, Amkreutz R. Safety integrity level verification: a PFD average calculation is not enough. Hydrocarbon Process 2001;80(10):47–50.