Probabilistic Design Verification of Instrumented Protection Functions

Dr. William M. Goble
Exida
Sellersville, PA., USA +1-215-453-1720
www.exida.com
Design Verification: Probabilistic Failures

The task is to verify that a given instrumentation protection function will provide a sufficiently low probability of failure on demand to ensure that the limits specified in the design basis for the event due to a particular Postulated Initiating Event are not exceeded.

- Part of the Defense in Depth strategy
- Design Target: PFDavg less than 5E-3
- Expected average demand rate: once per twenty years
- High Pressure must open the valve within two seconds.
- Specify all maintenance activities needed to maintain safety.
Conceptual Design

Safety Requirements Specification - Functional Description of each Safety Instrumented Function, Target PFDavg, Mitigated Hazards, Process parameters, Logic, Bypass/Maintenance requirements, Response time, etc.

[Figure: conceptual design flow]
- Select Technology: choose sensor, logic solver and final element technology
- Select Architecture: redundancy 1oo1, 1oo2, 2oo3, 1oo2D
- Determine Test Philosophy
- Reliability, Safety Evaluation (inputs: Manufacturers Failure Data, Failure Data Database)
- Goal Achieved? No: revise the Design Configuration and repeat. Yes: Probability Targets Achieved, Maintenance requirements
Quantitative System Analysis Techniques

- Reliability Block Diagrams
- Fault Tree Diagrams
- Markov Models

[Figure: example diagrams for a redundant power supply / controller pair (A and B); the Markov model shows the states OK, DDN and DUN (dangerous detected / undetected), Fail De-Energized and Fail Energized]
Failure Rates

Key Variables:
1. Constant Failure Rate
2. Useful Life

Quality: Manufacturer, Burn-in, Commissioning

[Figure: failure rate versus time (bathtub curve); failure rate axis 0 to 0.025, time axis 1 to 801]

Copyright 2000-2007 exida.com

PFD analysis

Low Demand Mode
- Proof test counts, therefore PFDavg is a valid concept
- Automatic diagnostics count, therefore they are given credit

Continuous Demand Mode
- No credit for proof test
- No credit for diagnostics, therefore Lambda D is the primary measurement

High Demand Mode
- No credit for proof test; use the PFH chart
- Credit for diagnostics only if they are 10X faster than the Demand Rate
Simplified Equation: PFDavg with Incomplete Testing

$PFD_{avg} = C_{PT}\,\lambda_D\,TI/2 + (1 - C_{PT})\,\lambda_D\,LT/2$

C_PT = Effectiveness of the proof test, 0 to 100%
LT = Operational Lifetime of the plant
TI = test period
λ_D = dangerous failure rate (Lambda D)

[Figure: PF(t) versus time; the fraction C_PT is reset at each test period, the remainder accumulates over the time interval]


Markov Models - PFDavg

For PFDavg calculations, a Markov model must be solved for time-dependent PFD and averaged.

[Figure: Markov model with states 0 OK, 1 Fail-Safe, 2 Degraded Detected, 3 Degraded Undetected, 4 Fail-Danger]
- λ1 to λ7 = Failure Rates
- μ1 = Repair Rate after a shutdown
- μ2 = on-line repair of equipment
- μ3 = periodic Inspection / test
- μ3 equals zero between
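The following is an added example, not code from the slides or from Exida: a small Markov model stepped through time so that PFD(t) can be averaged, as the slide says a PFDavg calculation requires. It uses a single 1oo1 channel with four states (simpler than the slide's diagram); the rates, the on-line and post-shutdown repair rates, the test interval and the imperfect-proof-test coverage `c_pt` are all constructed assumptions.

```python
"""Added example, not from the slides: a small Markov model stepped through
time so that PFD(t) can be averaged, as the slide says PFDavg requires.

Simpler than the slide's diagram: a single 1oo1 channel with four states
  0 OK, 1 Fail-Safe, 2 Fail-Danger Detected, 3 Fail-Danger Undetected.
All rates are constructed values in failures (or repairs) per hour.
mu_shutdown is the repair rate after a shutdown (the slide's mu1),
mu_online the on-line repair rate for detected failures (mu2), and the
periodic inspection/test (mu3) is zero between tests: it acts only at the
end of each test interval, moving a fraction c_pt of the undetected mass
back to OK (an imperfect proof test).
"""


def markov_pfd_avg(lam_s, lam_dd, lam_du, mu_shutdown, mu_online,
                   ti_hours, lt_hours, c_pt=1.0, dt=1.0):
    """Forward-Euler solution of the chain; returns (PFDavg, [PFD(t)])."""
    p = [1.0, 0.0, 0.0, 0.0]               # everything starts in OK
    steps = int(round(lt_hours / dt))
    test_every = int(round(ti_hours / dt))
    pfd_sum = 0.0
    pfd_t = []
    for n in range(1, steps + 1):
        ok, fs, fdd, fdu = p
        p = [
            ok * (1.0 - (lam_s + lam_dd + lam_du) * dt)
            + fs * mu_shutdown * dt + fdd * mu_online * dt,
            fs * (1.0 - mu_shutdown * dt) + ok * lam_s * dt,
            fdd * (1.0 - mu_online * dt) + ok * lam_dd * dt,
            fdu + ok * lam_du * dt,        # no repair path until the proof test
        ]
        if n % test_every == 0:            # proof test (mu3 acts here only)
            found = p[3] * c_pt
            p[3] -= found
            p[0] += found
        pfd = p[2] + p[3]                  # PFD(t): any dangerous state
        pfd_sum += pfd
        pfd_t.append(pfd)
    return pfd_sum / steps, pfd_t


def example_scenario(c_pt=1.0):
    """Constructed 1oo1 case: 10-year life, 12-month proof test."""
    lam_du = 1.0e-6
    ti = 8760.0
    avg, _ = markov_pfd_avg(lam_s=5.0e-7, lam_dd=8.0e-7, lam_du=lam_du,
                            mu_shutdown=1.0 / 24, mu_online=1.0 / 8,
                            ti_hours=ti, lt_hours=10 * 8760.0, c_pt=c_pt)
    # lambda_DU * TI / 2 is the closed-form value for the undetected part alone
    return {"pfd_avg": avg, "du_only_closed_form": lam_du * ti / 2}


if __name__ == "__main__":
    for cov in (1.0, 0.9):
        r = example_scenario(cov)
        print(f"C_PT={cov:.2f}: PFDavg={r['pfd_avg']:.3e} "
              f"(lambda_DU*TI/2 = {r['du_only_closed_form']:.3e})")
```

With a perfect proof test the averaged Markov result lands within a fraction of a percent of λ_DU·TI/2, the value the simplified equation gives for the undetected part; lowering `c_pt` leaves undetected mass in state 3 across test intervals and the average rises with plant life, which is exactly the (1 − C_PT) term of the simplified equation.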
Failure Modes

Electro-mechanical Systems have multiple failure modes!
Typically categorized as:
- SAFE
- DANGEROUS
Transmitters

The functional failure modes of each product must be translated to the modes of the safety function. This often depends on the application.

Failure Modes (labelled S/D and D on the slide):
- Output Saturated Hi
- Output Saturated Lo
- Frozen Output
- Indication Error Hi
- Indication Error Lo
- Diagnostic Failure

Define Modes
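As an added example (not from the slides or from Exida) of translating product failure modes into safety-function modes, the code below classifies the transmitter modes listed above as safe or dangerous according to the trip direction of the application and sums them into λ_S, λ_DD and λ_DU. The per-mode rates, the diagnostic-detection flags and the treatment of "Diagnostic Failure" as dangerous are constructed assumptions.

```python
"""Added example, not from the slides: translating a transmitter's
functional failure modes into the SAFE / DANGEROUS modes of the safety
function. The translation depends on the application, here expressed as
the trip direction (high-pressure trip or low-pressure trip).

The per-mode failure rates (per hour) and the flag saying whether
on-line diagnostics detect the mode are constructed assumptions.
"""

# mode -> (failure rate per hour, detected by automatic diagnostics?)
TRANSMITTER_MODES = {
    "Output Saturated Hi": (2.0e-7, True),
    "Output Saturated Lo": (1.5e-7, True),
    "Frozen Output":       (1.0e-7, False),
    "Indication Error Hi": (5.0e-8, False),
    "Indication Error Lo": (4.0e-8, False),
    "Diagnostic Failure":  (3.0e-8, False),
}


def classify_mode(mode, trip_on):
    """Return 'S' or 'D' for one product failure mode in a given application.

    trip_on='high': the SIF trips on high pressure, so an output that reads
    high can only cause a spurious trip (safe), while one that reads low
    hides a real demand (dangerous). trip_on='low' reverses this.
    A frozen output cannot follow the process in either application, and a
    diagnostic failure is treated conservatively as dangerous (assumption).
    """
    if trip_on not in ("high", "low"):
        raise ValueError("trip_on must be 'high' or 'low'")
    if mode.endswith(" Hi"):
        return "S" if trip_on == "high" else "D"
    if mode.endswith(" Lo"):
        return "S" if trip_on == "low" else "D"
    return "D"


def split_rates(trip_on, modes=TRANSMITTER_MODES):
    """Sum per-mode rates into lambda_S, lambda_DD and lambda_DU."""
    lam_s = lam_dd = lam_du = 0.0
    for mode, (rate, detected) in modes.items():
        if classify_mode(mode, trip_on) == "S":
            lam_s += rate
        elif detected:
            lam_dd += rate
        else:
            lam_du += rate
    return {"lambda_S": lam_s, "lambda_DD": lam_dd, "lambda_DU": lam_du}


if __name__ == "__main__":
    for app in ("high", "low"):
        print(app, {k: f"{v:.2e}" for k, v in split_rates(app).items()})
```

The same product data yields different λ_DU for a high-trip and a low-trip application, which is why the failure mode translation has to be repeated per SIF rather than taken from the product datasheet once.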


Normally Energized Systems - FAIL DANGER

If there is a demand, the system cannot respond.

[Figure: Discrete Input -> PLC -> Solid State Output Switch -> LOAD]
- Input circuit fails: the PLC thinks the switch is closed even when it is open.
- Logic Solver fails to read logic 0 inputs that indicate danger, fails to solve logic, or fails to generate a logic 0 output.
- Output Circuit fails short circuit.
Final Element Failure Modes (Failure Modes of an Actuator)

De-energize to Trip Application

SIF Verification Task

Where does the data come from?

[Figure: data flow] Manufacturers Failure Data and the Failure Data Handbook (Lambda DU, λ_DU) feed the Reliability and Safety Evaluation, which yields PFDavg, RRF and MTTFS.

IEC 61508 Certified Pressure Transmitter

Justification via IEC 61508 Certification

[Figure: Safety Pressure Transmitter (TX) and Safety PLC driving 1oo2 voting SOVs on a vessel]

FMEDA

Using a component database, failure rates and failure modes for a product (transmitter, I/O module, solenoid, actuator, valve) can be determined far more accurately than with only field warranty failure data.

Component Reliability Handbook

- Calculate the IEC 62380 failure rate for each component type and subtype and temperature profile
- Gather data from independent sources of failure rate data
- Make a conservative best engineering judgment with strong preference to IEC predicted values
- Override IEC 62380 base failure rate numbers if outside the range of the other reference sources (particularly when on the low side)
- Combine/group component sub-types based on significant differences
- Make adjustments for identified weaknesses in IEC 62380 that lead to under-estimating failure rates

Database Feedback / Update

[Figure: feedback loop] Field Failure Data and the Industry Database are compared with the product FMEDA (built from the Elec./Mech. Component Database); if there is a significant difference, the Component Database is updated, otherwise finish.
High Pressure Safety Function Conceptual Design

[Figure: Safety Pressure Transmitter (TX) and Safety PLC driving 1oo2 voting SOVs on a vessel]

Design Verification Tool

PFDavg 1.93 E-3
40.54 Years
Design Verification: Probabilistic Failures

Design Target: PFDavg less than 5E-3
Estimated Achieved PFDavg: 1.93E-3

Specify all maintenance activities needed to maintain safety:

50 year operation life
1. Perform the specified proof test on the valve assembly every 12 months
2. Perform the specified proof test on the Safety PLC and Transmitter every five years
3. Replace the solenoid valve every five years
4. Rebuild the valve seals every five years
5. Replace the PLC power supply every ten years
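The following is an added example, not from the slides, the Design Verification Tool or Exida: it applies the simplified equation for PFDavg with incomplete proof testing (PFDavg = C_PT·λ_D·TI/2 + (1 − C_PT)·λ_D·LT/2) to each subsystem of the high-pressure SIF, sums them, and checks the result against the 5E-3 design target. The test intervals and the 50-year operating life come from the maintenance list above; the λ_D values and the proof-test coverages C_PT are constructed, and the 1oo2 SOV voting and the replacement activities are not modelled, so the result is not the tool's 1.93E-3.

```python
"""Added example, not from the slides: the simplified equation for PFDavg
with incomplete proof testing,

    PFDavg = C_PT * lambda_D * TI / 2 + (1 - C_PT) * lambda_D * LT / 2,

applied to each part of the high-pressure SIF and summed, then checked
against the design target PFDavg < 5E-3. The test intervals (12 months
for the valve assembly, five years for the Safety PLC and transmitter)
and the 50-year operating life come from the maintenance list; the
lambda_D values and proof-test coverages C_PT are constructed. The 1oo2
SOV voting on the slides and the replacement activities are not modelled.
"""

HOURS_PER_YEAR = 8760.0
PFD_TARGET = 5.0e-3


def pfd_avg_incomplete_test(lam_d, ti_hours, lt_hours, c_pt):
    """Tested fraction averages over the test interval; the untested
    remainder accumulates over the whole operating life."""
    if not 0.0 <= c_pt <= 1.0:
        raise ValueError("C_PT must be between 0 and 1")
    return (c_pt * lam_d * ti_hours / 2.0
            + (1.0 - c_pt) * lam_d * lt_hours / 2.0)


# constructed per-subsystem data: (lambda_D per hour, TI in years, C_PT)
SUBSYSTEMS = {
    "pressure transmitter": (1.0e-8, 5.0, 0.95),
    "safety PLC":           (5.0e-9, 5.0, 0.99),
    "valve assembly":       (2.0e-7, 1.0, 0.90),
}


def verify_sif(subsystems=SUBSYSTEMS, lt_years=50.0, target=PFD_TARGET):
    """Series combination: the subsystem PFDavg values add up for the SIF."""
    lt_hours = lt_years * HOURS_PER_YEAR
    per = {name: pfd_avg_incomplete_test(lam, ti * HOURS_PER_YEAR, lt_hours, c)
           for name, (lam, ti, c) in subsystems.items()}
    total = sum(per.values())
    return {"per_subsystem": per, "pfd_avg": total,
            "rrf": 1.0 / total, "meets_target": total < target}


def with_valve_coverage(c_pt):
    """Same SIF with a different proof-test coverage on the valve assembly."""
    lam, ti, _ = SUBSYSTEMS["valve assembly"]
    return verify_sif({**SUBSYSTEMS, "valve assembly": (lam, ti, c_pt)})


if __name__ == "__main__":
    for cov in (0.90, 0.99):
        r = with_valve_coverage(cov)
        print(f"valve C_PT={cov:.2f}: PFDavg={r['pfd_avg']:.2e}, "
              f"RRF={r['rrf']:.0f}, meets 5E-3 target: {r['meets_target']}")
```

With the constructed numbers the valve assembly dominates: at 90% proof-test coverage the untested 10% of its dangerous failures, accumulated over a 50-year life, alone exceeds the whole 5E-3 budget, while 99% coverage brings the SIF comfortably inside the target. This is why the maintenance list has to state both the test interval and what the test actually covers.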
Design Verification: Probabilistic Failures

Questions and Comments