
AN EXPLANATION OF THE PRINCIPLES BEHIND SIF FAILURE RATE EQUATIONS

The probability of failure calculations are based on the idea of fractional dead time. This is the proportion of time that a channel will be unable to perform its function.

[Figure: timeline of a single channel. The channel is Healthy until a failure occurs, then Failed for the down time (the time to detect and repair, MDT) until the failure is repaired, then Healthy again.]

$$\mathrm{PFD}_{avg} = \frac{MDT}{T}$$

MDT represents the Mean Dead Time. We can think of 2 contributions to the dead time, corresponding to failures detected by continuous diagnostics, and failures that remain undetected until a full test or until there is a demand on the safety function.
The dead time includes the time to detect and then to repair the failure. The dead time for failures that are detected by continuous automatic diagnostics is relatively short.
The dead time for the undetected failures is much longer. The failures may remain undetected until the next proof test, so the dead time depends on the interval between proof tests.
Undetected Failures

Random failures occurring continuously and independently at a constant average rate can be described as a Poisson process. The accumulating failures follow an exponential distribution, building up until eventually the entire population has failed.

Initially the accumulation of failures is proportional to the elapsed time and to the rate of failures (λDU). The failure rate λDU is the reciprocal of the mean time between failures, λDU = 1/MTBF_DU.
The number of devices failed at time t ≈ λDU·t, provided that the elapsed time t is much less than the mean time between undetected dangerous failures (MTBF_DU).

2014 I&E Systems Pty Limited, Perth, Western Australia. Prepared by Mirek Generowicz

The probability of failure is proportional to the number of failures that have accumulated in the population.
Failures that are undetected by diagnostics accumulate in this manner as time progresses. The failed devices remain failed until the proof test at time T.

The average number of failed devices, and therefore the average probability of failure, can be calculated as:

$$\mathrm{PFD}_{avg} = \frac{1}{T}\int_0^T \mathrm{PFD}_{DU}(t)\,dt$$

If T << MTBF_DU we can use the approximation PFD_DU(t) ≈ λDU·t:

$$\mathrm{PFD}_{avg} = \frac{1}{T}\int_0^T \lambda_{DU}\,t\,dt = \frac{1}{T}\cdot\frac{\lambda_{DU}\,T^2}{2} = \frac{\lambda_{DU}\,T}{2}$$

Strictly speaking we need to add in the mean repair time MRT to represent the time that the function is out of action after the failure is found at time T. The MRT is usually measured in hours or days, much shorter than T, which is measured in years. In practice the process is taken out of service during the repair, or else additional risk mitigation is implemented. The MRT is usually neglected.


Detected Failures

Detected failures are detected by continuous, automatic diagnostic functions. Detected failures are detected and repaired within the mean time to restoration, MTTR:

[Figure: timeline of a single channel with detected failures. The channel is Healthy for MTBF_DD on average, then Failed for the MTTR until it is restored.]

If MTBF_DD is the mean time between detected dangerous failures, and the MTTR is the mean time to restoration (= time to detect + time to repair), then the probability of failure is simply the fraction of time that the channel is out of action, MTTR/MTBF_DD.
The rate of detected dangerous failures is λDD = 1/MTBF_DD, so we can express the probability as:

$$\mathrm{PFD}_{DD} = \lambda_{DD}\cdot MTTR$$

Overall probability of failure

The overall probability of failure is the sum of the probabilities of failure for undetected and detected failures.
It is a valid approximation to simply add the probabilities because the probabilities are << 1.

In a low demand function the last term, for detected failures, is usually very small compared to the undetected failures, so it may usually be neglected.

Probability of failure for 1oo2 voting

In a 1oo2 architecture, the function will fail only if both channels fail, so the probability is proportional to the product of the probability of each channel failing, (λDU·t)·(λDU·t).
To derive the basic equation calculating PFD_AVG for a 1oo2 architecture we integrate the probability function over time to T (the test interval) and divide by the time period T to get the average probability:

$$\mathrm{PFD}_{avg}(1oo2) = \frac{1}{T}\int_0^T (\lambda_{DU}\,t)^2\,dt = \frac{1}{T}\cdot\frac{\lambda_{DU}^2\,T^3}{3} = \frac{\lambda_{DU}^2\,T^2}{3}$$

The probability of common cause failures should always be added to the PFD for any architecture with voting, as it usually dominates.


The factor β represents the proportion of failures that have a common cause. These common cause failures behave in the same way as a single channel, so the average probability of failure due to common causes is:

$$\mathrm{PFD}_{CC} = \beta\cdot\frac{\lambda_{DU}\,T}{2} + \beta\cdot\lambda_{DD}\cdot MTTR$$

If the MTTR is short we can neglect the contribution from detected failures again, so the end result is:

$$\mathrm{PFD}_{avg}(1oo2) = \frac{\lambda_{DU}^2\,T^2}{3} + \beta\cdot\frac{\lambda_{DU}\,T}{2}$$

M out of N equations

The method of calculating probability of failure on demand for an M out of N architecture is based on:
Florent Brissaud, Anne Barros, Christophe Bérenguer. (2010). Probability of Failure of Safety Critical Systems Subject to Partial Tests. Reliability and Maintainability Symposium, RAMS 2010, San Jose (referenced in Cornell University Library, <arXiv:1007.5448>).
The simplified equation is:

$$\mathrm{PFD}_{avg}(MooN) = \binom{N}{N-M+1}\cdot\frac{(\lambda_{DU}\,T)^{N-M+1}}{N-M+2} + \beta\cdot\frac{\lambda_{DU}\,T}{2}, \qquad \binom{N}{N-M+1} = \frac{N!}{(N-M+1)!\,(M-1)!}$$

This simplified equation neglects MRT and MTTR on the basis that they are << T. This is a valid simplification that is commonly used with the IEC 61508 and ISA S84 calculations.
The second term, (λDU·T)^(N−M+1)/(N−M+2), is the average number of accumulated failures, calculated by the integration of the accumulated failures over time T, as demonstrated above for 1oo2.

The term N−M+1 in the exponent is the hardware fault tolerance + 1. It is the number of channels that have to fail for the function to fail, which is why it appears as the exponent for the term.
For instance in 2oo3, N−M+1 = 3−2+1 = 2. As the probability of one device failing is proportional to (λDU·t), the probability of 2 devices failing together is (λDU·t)².

The factor N−M+2 in the denominator comes from integrating t^(N−M+1)·dt to calculate the average over the period T.

The first term, N choose N−M+1, takes into account the different combinations of the N−M+1 faulty channels. The PFD increases in direct proportion to the number of ways we can choose a combination of enough faulty channels for the SIF to fail. 1oo2 voting and 2oo3 both need 2 coincident failures for the function to fail, but failure is 3x more likely with 2oo3 because there are 3 times as many ways of having 2 coincident failures.
In 1oo2 voting between channel A and channel B, both A and B must fail for the function to fail.
In1oo2votingbetweenchannelAandchannelB,bothAandBmustfailforthefunctiontofail.


In 2oo3 voting, the function will fail if 2 channels are faulty and 1 remains healthy. There are 3 possible choices for the 2 failed channels, (A and B), (B and C) or (C and A); the other way of thinking about it is that there are 3 choices for having only 1 healthy channel: A, B or C.

$$\binom{3}{2} = \binom{3}{1} = \frac{3!}{1!\,2!} = 3$$

We saw above that the PFD_AVG for 1oo2 voting is given by:

$$\mathrm{PFD}_{avg}(1oo2) = \frac{\lambda_{DU}^2\,T^2}{3}$$

The equation for 2oo3 voting is then simply:

$$\mathrm{PFD}_{avg}(2oo3) = 3\cdot\frac{\lambda_{DU}^2\,T^2}{3} + \beta\cdot\frac{\lambda_{DU}\,T}{2} = \lambda_{DU}^2\,T^2 + \beta\cdot\frac{\lambda_{DU}\,T}{2}$$

This is therefore consistent with the formula given in IEC 61508-6 and ISA S84.
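As an added worked example (not part of the original note), the MooN simplified equation above checked against the 1oo2 and 2oo3 closed forms, together with the single-channel sum of the undetected and detected terms and the one-significant-figure rounding of the RRF that the note recommends. Units are an assumption: rates per year, T in years, MTTR in hours.

```python
from math import comb, floor, log10

HOURS_PER_YEAR = 8760.0


def pfd_avg_1oo1(lambda_du, test_interval_years, lambda_dd=0.0, mttr_hours=0.0):
    """Single channel: undetected term lambda_DU*T/2 plus detected term lambda_DD*MTTR.
    Rates are per year, T in years, MTTR in hours (assumed units, converted to years)."""
    undetected = lambda_du * test_interval_years / 2
    detected = lambda_dd * mttr_hours / HOURS_PER_YEAR
    return undetected + detected


def pfd_avg_moon(m, n, lambda_du, test_interval_years, beta=0.0):
    """MooN simplified equation (MRT and MTTR neglected):
    C(N, N-M+1) * (lambda_DU*T)^(N-M+1) / (N-M+2)  +  beta * lambda_DU*T / 2."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    k = n - m + 1                      # hardware fault tolerance + 1: channels that must fail
    lam_t = lambda_du * test_interval_years
    # first term: ways of choosing the faulty channels; second: average accumulated failures
    independent = comb(n, k) * lam_t ** k / (k + 1)
    common_cause = beta * lam_t / 2    # the beta fraction behaves like a single channel
    return independent + common_cause


def rrf_one_sig_fig(pfd):
    """Risk reduction factor 1/PFD, rounded to one significant figure as the note advises."""
    rrf = 1.0 / pfd
    magnitude = 10 ** floor(log10(rrf))
    return round(rrf / magnitude) * magnitude


if __name__ == "__main__":
    # Constructed sample data: lambda_DU = 0.01/yr, T = 1 yr, beta = 2 %.
    lam, T, beta = 0.01, 1.0, 0.02
    print("1oo2, independent failures only:", pfd_avg_moon(1, 2, lam, T))
    print("2oo3, independent failures only:", pfd_avg_moon(2, 3, lam, T))   # 3x the 1oo2 value
    print("1oo2 with common cause:", pfd_avg_moon(1, 2, lam, T, beta))     # beta term dominates
    print("RRF 990 and 1100 both report as:", rrf_one_sig_fig(1 / 990), rrf_one_sig_fig(1 / 1100))
```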
Systematic Failures
The equations in ISA technical report ISA TR84.00.02-2002 include a factor to quantify systematic failures (λF), but strictly speaking systematic failures cannot be quantified using a constant failure rate.
For instance, errors in the design of a component or in the coding of software do not occur at a measurable rate. The probability of systematic failures cannot be calculated. Appropriate techniques and measures should be applied to avoid or to control systematic faults. They can never be completely eliminated.
In practice only electronic components are subject to purely random failure. Virtually all failures of mechanical components (such as actuated valves) are systematic failures, but they are treated as quasi-random failures. They are caused by age- or wear-related deterioration. They can't be prevented, and within the useful life of the equipment the expected failure rates are close enough to being constant. They can be considered to be quasi-random and modelled by a constant failure rate.
The failure rate statistics that are provided by OREDA and exida include systematic failures.
There is no need to add the separate term λF, but it is good practice to include a safety margin over our calculated PFD. There is no rule defining how much margin is needed. A factor of 2 or 3 might be enough.
We need to consider the feasibility of maintaining that rate during the life of the plant, allowing for deterioration and for problems in maintenance (such as lack of accessibility for testing, lack of opportunity for maintenance). So if you calculate an RRF of 1007 will you be confident in claiming SIL 3 is achieved? No, maybe not, because it might not be maintainable. But yes, you might be confident that SIL 2 is achieved.
It is important to remember that the uncertainty in our input data is typically not much better than half an order of magnitude. Use only 1 significant figure of precision in expressing calculation results. The difference between an RRF of 990 and an RRF of 1100 is not meaningful.


SPURIOUS TRIP RATE EQUATIONS
The ISA technical report ISA TR84.00.02-2002 Part 2 provides equations for estimating spurious trip rates. The derivation of the equations is explained below.

1ooN Spurious Trip Rate
Put simply, the spurious trip rate (STR) for a single device is the same as its safe failure rate, λS. Spurious trip rates are usually measured in failures per year.
If detected dangerous failures also cause a trip condition, the rate of dangerous detected failures should be added to give STR = λS + λDD.
Strictly speaking we should use the rate of safe failures that are undetected (λSU) and will cause a trip condition. In logic solver voting arrangements such as 1oo2D some safe failures can be detected by diagnostic functions. If a safe failure is detected the voting is automatically adapted rather than causing a trip. The term safe detected (and the rate λSD) is only used in architectures with adaptive voting. It does not apply to sensors or final elements. For simplicity in the following explanation the term λS is used.
With 1ooN voting the rate of spurious trips is simply proportional to the number of devices. The trip rate with 2 devices is 2x the trip rate for a single device.
1oo2 STR = 2 x λS
1oo3 STR = 3 x λS
1ooN STR = N x λS

2oo2 Spurious Trip Rate simplified
With 2oo2 voting, 2 coincident safe failures are needed before a spurious trip occurs.
The spurious trip occurs only if a second failure occurs during the time at risk, the period in which the first failure is being repaired:

[Figure: timeline for 2oo2. A device is Healthy for MTBF_S on average and then Failed for the MTTR; the MTTR after the first failure is the time at risk, during which a second safe failure causes a trip.]

As there are 2 devices, the rate of one safe failure (1oo2) is 2 x λS. The rate of the one remaining device failing safely (1oo1) is λS. The probability that the second failure happens during the time at risk from the first failure is proportional to the fractional dead time, FDT = MTTR/MTBF_S, and can be written as:
FDT = MTTR x 2 x λS.
The rate at which a coincident failure of both devices can be expected is therefore:
STR = (MTTR x 2 x λS) x λS.


With 2oo3 voting, the first failure is any 1 out of the 3. After the first failure there are then 2 functioning devices left in service, essentially in a 1 out of 2 arrangement. Either one of those 2 failing will cause a trip.
The time at risk is the repair period after 1 failure out of 3 devices (MTTR x 3 x λS).
The rate of another 1 of the 2 remaining devices failing is 2 x λS.
The spurious trip rate is therefore the rate of the coincident failure:
STR = (MTTR x 3 x λS) x (2 x λS).

With 2ooN voting, after the first failure there are (N−1) functioning devices left in service, in a 1oo(N−1) arrangement. Any one of those failing during the time at risk will cause a trip.
At any point in time the probability that one failure has already occurred is MTTR x N x λS (the time at risk, using the 1ooN equation for failure rate). After that first failure there are N−1 in service. The rate with which we can expect a second failure is (N−1) x λS, and so the spurious trip rate is:
STR = (MTTR x N x λS) x ((N−1) x λS).

For example the equation for 2oo4 voting is
STR = (MTTR x 4 x λS) x (3 x λS)
= 12 x MTTR x λS²

2ooN Spurious Trip Rate complete
The complete form of the equation adds the λDD term (assuming that detected failures lead to a trip) and a common cause failure term:
STR = [MTTR x N x (λS + λDD)] x [(N−1) x (λS + λDD)] + [β x (λS + λDD)]
The common cause failure term must always be added because usually (β x λS) >> λS².

3oo3 Spurious Trip Rate
With 3oo3 voting the time at risk is the fraction of time during which the first 2 failed devices are both out of service:
FDT = MTTR x [(MTTR x 3 x λS) x (2 x λS)],
The spurious trip rate is the failure rate of the 3rd device (only 1 left) x the FDT:
STR = MTTR x [(MTTR x 3 x λS) x (2 x λS)] x λS


3ooN Spurious Trip Rate
With 3ooN voting, after the first 2 failures there are (N−2) devices to choose from for the 3rd trip. Any one of those failing safely will cause the trip. The equation becomes:
STR = MTTR x [(MTTR x N x λS) x ((N−1) x λS)] x (N−2) x λS
= MTTR² x λS³ x N x (N−1) x (N−2)
= MTTR² x λS³ x N!/(N−3)!

For example the equation for 3oo4 voting is
STR = (MTTR² x λS³) x 4!/1!
= 24 x MTTR² x λS³

MooN Spurious Trip Rate
With MooN voting the fractional dead time in which M−1 devices have failed into a trip state is:
FDT = MTTR^(M−1) x λS^(M−1) x N x (N−1) x (N−2) .. x (N−(M−2))
After the first M−1 failures there are then (N−(M−1)) devices to choose from for the Mth trip. Any one of those failing safely will cause the trip. The equation becomes
STR = [MTTR^(M−1) x λS^(M−1) x N x (N−1) x (N−2) .. x (N−(M−2))] x (N−(M−1)) x λS
The series of multipliers can be neatly written using the factorial form:
STR = MTTR^(M−1) x λS^M x N!/(N−M)!

MooN Spurious Trip Rate complete equation
The complete form of the equation adds the λDD term and the common cause failure term:
STR = [MTTR^(M−1) x (λS + λDD)^M x N!/(N−M)!] + [β x (λS + λDD)]
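As an added worked example (not part of the original note), the complete MooN spurious trip rate equation above, split into its coincident-failure and common cause terms so the dominance of β x λS over the MTTR-dependent term can be seen, and checked against the 1ooN, 2oo2, 2oo4 and 3oo4 forms derived earlier. Assumptions: rates per year, MTTR in hours, and the β term applied only to voted arrangements (M >= 2), which the note does not state for 1ooN.

```python
from math import factorial

HOURS_PER_YEAR = 8760.0


def str_moon_terms(m, n, lambda_s, mttr_hours, lambda_dd=0.0, beta=0.0):
    """MooN spurious trip rate, complete form, returned as its two terms (trips per year):
      coincident   = MTTR^(M-1) * (lambda_S + lambda_DD)^M * N! / (N-M)!
      common cause = beta * (lambda_S + lambda_DD)   (assumption: only added when M >= 2)
    Rates are per year and MTTR in hours (assumed units, converted to years)."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    lam = lambda_s + lambda_dd            # detected dangerous failures assumed to trip as well
    mttr_years = mttr_hours / HOURS_PER_YEAR
    # M-1 devices already failed during their MTTR, then the Mth device fails too;
    # N!/(N-M)! counts the ordered choices of the M failed devices.
    coincident = mttr_years ** (m - 1) * lam ** m * factorial(n) / factorial(n - m)
    common_cause = beta * lam if m >= 2 else 0.0
    return coincident, common_cause


def str_moon(m, n, lambda_s, mttr_hours, lambda_dd=0.0, beta=0.0):
    """Total spurious trip rate in trips per year."""
    return sum(str_moon_terms(m, n, lambda_s, mttr_hours, lambda_dd, beta))


if __name__ == "__main__":
    # Constructed sample data: lambda_S = 0.1/yr, MTTR = 8 h, beta = 5 %.
    lam_s, mttr, beta = 0.1, 8.0, 0.05
    for m, n in [(1, 2), (2, 2), (2, 3), (2, 4), (3, 4)]:
        coincident, cc = str_moon_terms(m, n, lam_s, mttr, beta=beta)
        print(f"{m}oo{n}: coincident {coincident:.2e}/yr, common cause {cc:.2e}/yr")
```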

