Fault Tree Analysis as a Tool for Safety Instrumented System (SIS) Performance Evaluation
Kimberly A. Dejmek, Senior Engineer, Wilfred Baker Engineering, Inc., Sugar Land, TX 77478

KEYWORDS
Safety Instrumented Systems, SIS, Safety Integrity Level, SIL, Performance, Fault Tree Analysis, FTA

ABSTRACT
The standards defining the requirements for the management of Safety Instrumented Systems, namely ANSI/ISA S84.01-1996 Application of Safety Instrumented Systems for the Process Industries and the upcoming IEC 61511 Functional Safety Instrumented Systems for the Process Industry Sector, have a common fundamental basis in the concept of Safety Integrity Level (SIL). This SIL is a measure of system criticality and defines the safety performance criteria for the system in terms of its availability. Given that SIL has been defined as a quantitative performance target, verification of system performance through quantitative analysis is required. Fault Tree Analysis (FTA) is an excellent tool for performing such evaluations of Safety Instrumented Systems. This well-known tool is easily applicable to the evaluation of SIS and provides numerous benefits to those who use it. The principal benefits include:

- A clear graphical representation of the system
- Mathematical models for numerous modes of operation (i.e., repairable, non-repairable, and stand-by)
- Results directly indicate key contributors to system unavailability
- Consideration of sensitivity cases for modifications to system components, architecture, and component testing intervals
- Easy conversion of system model for evaluation of nuisance trip rates
- Publicly available software tools for performing FTA

This paper will provide an introduction to the application of FTA to Safety Instrumented Systems and discuss the benefits and limitations of the technique.

INTRODUCTION

The standards defining the requirements for the management of Safety Instrumented Systems, namely ANSI/ISA S84.01-1996 Application of Safety Instrumented Systems for the Process Industries and the upcoming IEC 61511 Functional Safety Instrumented Systems for the Process Industry Sector, have a common fundamental basis in the concept of Safety Integrity Level (SIL). This SIL is a measure of system criticality and defines the safety performance criteria for the system in terms of its availability. Given that SIL has been defined as a quantitative performance target, verification of system performance through quantitative analysis is required. Fault Tree Analysis (FTA) is an excellent tool for performing such evaluations of Safety Instrumented Systems.

Fault Tree Basics
Fault tree analysis has been in use as a tool for evaluating complex failure scenarios since its development in the 1960s for the United States Department of Defense. Bell Laboratories developed the fault tree analysis method for the Polaris Missile Project in order to evaluate the potential for an inadvertent launch of a Minuteman Missile. Since its origination in the aerospace industry, FTA has been used extensively by the nuclear power industry to qualify and quantify the hazards and risks associated with the operation of nuclear power plants. The successful application of FTA in the aerospace and nuclear industries has resulted in its subsequent adoption within the chemical industry.

Fault tree analysis is a deductive method for identifying the numerous ways in which equipment failures, software failures, human error, environmental factors, and external events can lead to accidents or other undesirable conditions. A fault tree model consists of a top event and a connecting logic structure of events that must take place in order for the undesired top event to result. In the evaluation of Safety Instrumented Systems, there are two top events that are typically of interest: SIS Failure on Demand and SIS Spurious Trip. A model of the SIS failure on demand investigates the potential for the SIS failing to perform its designed safety function. In the event of a failure on demand, the process plant is experiencing an undesired condition that the SIS has been designed to detect and, upon detection, automatically take the process to a safe state; but because of a latent failure, the SIS fails to function, allowing the undesired condition and the subsequent consequences to continue. In short, the SIS fails to perform its designed function when needed. The second top event that is considered in the evaluation of SIS is a spurious trip. In the event of a spurious trip, the SIS has taken action when no process condition warranting such action is present. Both the failure on demand and the spurious trip are critical performance characteristics of an SIS.

The fault tree model consists of a single top event, simple faults called basic events, and logical operators that dictate how the basic events must combine to result in the failure described by the fault tree top event. Basic events, which represent a simple failure or fault, are the building blocks of the model. A basic event may be a hardware failure, a human error, or an adverse condition. Hardware failures are usually expressed in terms of a specific component and a failure mode, such as Pressure Transmitter PT101 fails to respond to High Pressure Condition. Human errors can be failure to carry out a desired task (failure to place controller in automatic), failure to perform a specific recovery action (failure to start a backup system), or execution of a wrong action that has adverse effects on the fault tree top event (isolated transmitter from process). An adverse condition is not necessarily a failure, but in combination with other events it can lead to failure. For example, the temperature being below 32 °F is an adverse condition necessary for the failure of pressure detection due to a frozen impulse line.

Basic events are always assumed to be independent of each other. This means that the occurrence of one basic event does not influence the probability of occurrence of any other basic event. For example, suppose that there are two diesel generators, and the failure of either to start on demand is a basic event. Independence of the basic events says that if one diesel generator fails to start on demand, this does not alter the probability that the second diesel generator will fail to start. A common cause event, such as two diesel generators failing to start because of unusually cold weather, must be modeled as its own basic event and be assigned its own failure probability or failure rate. This event is then regarded as statistically independent of all other basic events.

Logical gates are used to connect the basic events and the resulting secondary conditions, in order to represent the ways to achieve the top event. There are two basic types of gates: OR gates and AND gates. OR gates are used to relate sufficient events, a combination of events where only one is required for the secondary condition to be created. An example of a set of sufficient events would be the failure of the alarm clock or traffic problems resulting in the secondary condition of late to work. AND gates are used to represent combinations of necessary events, a set of events all of which are needed to create the secondary condition. An example of a set of necessary events is the failure of the electric firewater pump AND the diesel driven firewater pump creating the secondary condition firewater pumps fail to deliver water. A number of symbols are used in the construction of fault trees in order to reflect the various types of events and logical gates. The most common symbols are presented below.

[Figure: common fault tree symbols: basic event, undeveloped event, external event, transfer gate (in/out), OR gate, AND gate.]

A fault tree analysis of a safety-instrumented system is conducted by following these steps:

1. Identify the SIS safety function
2. Define the top event
3. Construct the fault tree
4. Perform qualitative analysis
5. Perform quantitative analysis

A brief description of each step and information specific to the evaluation of SIS has been provided below. Additional instruction in fault tree analysis is available in a number of books on risk and reliability assessment, including the Guidelines for Performing Chemical Process Quantitative Risk Assessment by the CCPS, Loss Prevention in the Process Industries by Frank Lees, and Probabilistic Risk Assessment by Henley and Kumamoto.

Identify the SIS safety function
The SIS safety function is the function to be implemented by the SIS that is intended to achieve or maintain a safe state in order to avoid a specific hazardous event. The SIS safety function can be either simple or complex, depending upon the process and the hazardous event that it addresses. An example of a simple safety function would be the prevention of a tank overflow by shutting down the supply pump when a high level condition is reached. The prevention of a runaway reaction by monitoring the temperature, pressure, and concentration within the reactor, stopping all reactant flow, initiating cooling, and injecting a reaction kill chemical when required, is a single complex safety function.

Define the top event
As previously discussed, the two most relevant top events in the evaluation of SIS are SIS failure on demand and SIS spurious trip.

Construct the Tree
Fault trees are constructed by beginning with the top event and deducing the major events that can directly lead to it. When modeling SIS, the first level of the tree below the top event is typically the sufficient events of Failure of the Input Devices, Failure of the Logic Solver, Failure of the Output Action, or Failure of the Support Systems. Next, each of these intermediate events is considered in turn. The events that occur to contribute to this single event are identified and connected with the appropriate logical gate. This development of the fault tree continues until all of the branches have been terminated by basic, undeveloped, or external events. An example fault tree for the failure on demand of a simple SIS has been provided below in Figure 1.

Qualitative Fault Tree Evaluation
The qualitative evaluation of a fault tree can indicate how many pathways to the top event exist, the smallest number of events that form a set of sufficient events, and an indication of the importance of a particular basic event. Once the fault tree has been completely drawn, a number of computations can be performed. The first of these is the determination of the minimal cut sets. The minimal cut sets are the various unique sets of events that could lead to the top event. The order of the cut sets is determined by counting the number of events in each set. This indicates the system redundancy as well as any single points of failure. A review of the minimal cut set list, and specifically of the basic events in each cut set, makes it possible to identify any events that appear in numerous cut sets. Special attention should be paid to such events because they are important to the overall system performance.

[Figure 1. Sample SIS Fault Tree. Top event: Tank Overfill Protection Fails on Demand (TANK_OVERFILL). Intermediate events: Fail to Detect High Level Condition (INPUTS), Pump Fails to Shutdown (PUMP_SD), Safety PLC Fails on Demand (LOGIC_SOLVER). Basic events: High Level Switch Fails (LEVEL_SWITCH), Level Transmitter Fails Low (LEVEL_XMIT), Motor Starter Relay Fails to Open (MOTOR_STARTER), Interposing Relay Fails to Open (IPR).]

Quantitative Fault Tree Evaluation
The fault tree can be quantified in order to determine the probability of SIS failure on demand (PFD) or the spurious trip rate (STR). The first step in the quantification of a fault tree is the identification of failure rate data for each of the basic events. Through the use of generic published data or company-collected data, the appropriate data can be identified. In the determination of the PFD, the quantified result is a probability. Therefore, all of the basic events must be expressed as probabilities. The failure frequency can be converted to a probability using an equation that reflects the operating mode of the device. Equations are available for continuously operating components without repair, operating components with repair, and stand-by components with periodic testing. The majority of SIS components are operated in a stand-by mode with periodic testing. However, some devices such as redundant transmitters with deviation alarming can be treated as repairable, operating components. Once the basic event probabilities have been calculated, the minimal cut-set probabilities are calculated. The probability of each minimal cut set is determined by:

$$C_i = q_1 q_2 \cdots q_k \qquad (1)$$

where $C_i$ is the minimal cut set probability and $q_k$ is the basic event probability.

The resulting information is quite useful. The relative importance of each of the minimal cut sets can be determined, and the system areas where improvement would be most effective will be apparent. The top event probability can be calculated by either of two methods: one based on the minimal cut sets and one based upon the fault tree model. From the minimal cut sets, the top event probability is the probability of the union of all minimal cut sets. For very small cut set probabilities, this is estimated by adding the cut set probabilities. For an exact calculation, the following formula must be applied:

$$P(A_1 \cup A_2 \cup \cdots \cup A_n) = \sum_{i} P(A_i) - \sum_{i<j} P(A_i \cap A_j) + \cdots + (-1)^{n-1} P(A_1 \cap A_2 \cap \cdots \cap A_n) \qquad (2a)$$

or

$$P(A_1 \cup A_2 \cup \cdots \cup A_n) = 1 - \prod_{i=1}^{n} (1 - P_i) \qquad (2b)$$

If the top event probability is to be calculated from the fault tree model, computation is performed at each gate, working from the bottom of the tree to the top. The probability at an AND gate is calculated by multiplying the probabilities of all events entering the gate. The resulting probability of an OR gate is calculated by using equation (2b) above. Similar calculations are performed for the determination of the spurious trip rate; however, it is important to remember that the STR is a rate, not a unitless probability. Therefore, care must be taken while performing the calculation to ensure that the proper units are maintained.
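As an added example (not code from the paper), the cut-set procedure above is carried through in Python on a tree modelled on Figure 1: minimal cut sets are generated from the gate logic, each cut set is quantified with equation (1), and the top event PFD is obtained both by the rare-event sum and by the exact inclusion-exclusion form (2a). The gate types, failure rates and proof-test intervals are constructed assumptions, since the page gives events but no numbers.

```python
from itertools import combinations
from math import prod

# Constructed tree modelled on Figure 1; gate types are an assumption, the
# page's figure names the events but not the gates that join them.
GATES = {
    "TANK_OVERFILL": ("OR", ["INPUTS", "PUMP_SD", "LOGIC_SOLVER"]),
    "INPUTS": ("AND", ["LEVEL_SWITCH", "LEVEL_XMIT"]),   # redundant detection
    "PUMP_SD": ("OR", ["MOTOR_STARTER", "IPR"]),         # series trip path
}
# Constructed failure rates (per hour) and proof-test intervals (hours); every
# device is stand-by with periodic testing, so PFD_avg = lambda * tau / 2.
BASIC = {
    "LEVEL_SWITCH": (2.0e-6, 8760),
    "LEVEL_XMIT": (1.0e-6, 8760),
    "MOTOR_STARTER": (3.0e-7, 8760),
    "IPR": (1.0e-7, 8760),
    "LOGIC_SOLVER": (5.0e-8, 8760),
}

def pfd_standby(lam, tau):
    return lam * tau / 2

def cut_sets(event):
    """Minimal cut sets (frozensets of basic events) below a gate or basic event."""
    if event not in GATES:
        return [frozenset([event])]
    kind, inputs = GATES[event]
    groups = [cut_sets(i) for i in inputs]
    if kind == "OR":                       # any one input suffices
        sets = [cs for g in groups for cs in g]
    else:                                  # AND: one cut set from every input
        sets = [frozenset()]
        for g in groups:
            sets = [a | b for a in sets for b in g]
    # minimise: drop any set that strictly contains another cut set
    return sorted({s for s in sets if not any(o < s for o in sets)},
                  key=lambda s: (len(s), sorted(s)))

def cut_set_prob(cs, pfd):
    """Equation (1): product of the basic event probabilities in the cut set."""
    return prod(pfd[e] for e in cs)

def top_inclusion_exclusion(sets, pfd):
    """Equation (2a); independence makes P(C_i and C_j) the product over the union."""
    total = 0.0
    for k in range(1, len(sets) + 1):
        for combo in combinations(sets, k):
            total += (-1) ** (k - 1) * cut_set_prob(frozenset().union(*combo), pfd)
    return total

def evaluate(basic=BASIC, top="TANK_OVERFILL"):
    """Return (cut sets, their probabilities, rare-event PFD, exact PFD)."""
    pfd = {e: pfd_standby(lam, tau) for e, (lam, tau) in basic.items()}
    sets = cut_sets(top)
    probs = [cut_set_prob(s, pfd) for s in sets]
    return sets, probs, sum(probs), top_inclusion_exclusion(sets, pfd)

if __name__ == "__main__":
    sets, probs, approx, exact = evaluate()
    for s, p in sorted(zip(sets, probs), key=lambda x: -x[1]):
        print(f"order {len(s)}  {sorted(s)}  P={p:.2e}  share={p / approx:.0%}")
    print(f"PFD: rare-event sum {approx:.3e}, exact (2a) {exact:.3e}")
```

A sensitivity case for a different test interval is a second call such as `evaluate(dict(BASIC, LEVEL_SWITCH=(2.0e-6, 730)))`; the ranked output shows that the single-point relay failures, not the redundant level detection, dominate this tree.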

Fault Tree Tools
There are a number of tools available in the public domain for aiding in the conduct of fault tree analysis. They are generally of two types: failure rate data books and FTA software. Although publicly available data does not exist for all devices or all failure modes, there are a number of resources that address the majority of typical SIS components. Table 1 below lists the most useful sources of failure rate data for the evaluation of SIS.

Table 1. Publicly Available Failure Rate Data Resources
- OREDA: Offshore Reliability Data Handbook, 3rd Edition, SINTEF Industrial Management, OREDA Participants, Norway, 1997.
- OREDA: Offshore Reliability Data Handbook, 2nd Edition, DNV Technica Inc., OREDA Participants, Norway, 1992.
- Guidelines for Process Equipment Reliability Data with Data Tables, Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, 1989.
- IEEE Standard 500-1984 Guide to the Collection and Presentation of Electrical, Electronic, Sensing Component, and Mechanical Equipment Reliability Data for Nuclear-Power Generating Stations, The Institute of Electrical and Electronics Engineers, New York, NY, 1983.
- Loss Prevention in the Process Industries, F. P. Lees, Butterworth-Heinemann, Oxford, 1996.

The Fault Tree Analysis method is well suited to the use of computerized tools, and since the method has been used for decades there are a number of software packages currently available for supporting risk analysts in performing FTAs. These tools can aid in the production of the graphical fault tree logic models, the generation of cut sets, and fault tree quantification. When selecting an FTA software tool, there are a number of features that should be considered. In addition to price, these include rigorous mathematics, user interface(s) for tree construction, data management, and report generating features. The price of FTA software packages ranges from around $500 a copy to about $5,000 per copy. There are programs throughout this range that have the necessary features for conducting FTA on SIS. The rigor of the computational methods employed by the software package is the most important feature to consider when making a selection. The key mathematical features to require are cut set generation rather than tree based calculations, full equations for probability calculations rather than rare event approximations, and the capability to work in both the frequency and probability domains. When evaluating the fault tree construction capabilities, one should consider tree presentation, auto-formatting, and auto-pagination features. Valuable data management features are built-in tables for frequently used data and the ease of creating sensitivity cases for evaluating various test intervals. The use of these tools improves the accuracy, efficiency, and ease of communication when performing fault tree evaluations.

Strengths and Limitations of FTA
Fault Tree Analysis is a well established tool in the fields of reliability and risk analysis with numerous qualities that make it the method of choice in the evaluation of SIS. The following strengths are unique to the FTA method:

- Generation of minimal cut sets, which provides numerous insights into contributors to SIS performance
- Ease in evaluating sensitivity cases with changes in SIS design, device selection, and testing interval
- Ease of modification of PFD tree to generate STR tree
- Results in both probability and frequency
- Testing intervals unique to each SIS basic event
- Addresses all operating modes (i.e., continuous un-repairable, continuous repairable, and stand-by)
- Publicly available software tools
- Graphical representation of logic model that is easy to review and discuss
- Can address common cause, diagnostic coverage, and partial stroke testing
- Numerous practitioners within operating companies and contractors

The most important of these is the generation of the minimal cut sets. Both the qualitative and the quantitative results associated with the minimal cut set list are powerful in evaluating SIS performance. These results directly indicate the SIS components that are the principal contributors to system failure and the performance improvement that is required to achieve the performance target.

The limitations of the technique are minimal when FTA is applied to the evaluation of SIS. These include the inability to address partially failed states and time-dependent failure rates, as well as the requirement for training of the analyst. FTA assumes that a device is in only one of two states: working or failed. This does not allow for the consideration of functioning but damaged states. This limitation is rarely an issue when addressing SIS field devices; however, it does limit the application of FTA to the evaluation of complex logic solvers. When modeling redundant technology programmable logic solvers it is often necessary to employ Markov modeling, which does allow for the inclusion of degraded states. The second mathematical limitation is that a constant failure rate must be used. This means that the quantitative evaluation is not applicable to the break-in and wear-out periods in the life of the device. This limitation is not, however, unique to fault tree analysis. All of the methods included in the draft of ISA TR84.0.02 are limited to the consideration of constant failure and repair rates. The final noted disadvantage, the requirement for a trained analyst, is also not unique to FTA. However, there are numerous courses in FTA offered by industry associations and risk/reliability consultants. There are many more practitioners of FTA than of Markov modeling; hence, the availability of training resources is much greater.

CONCLUSIONS
Fault tree analysis is an established tool for the evaluation of complex systems and sequences of events, and it is well suited to the analysis of safety instrumented system performance. There are numerous unique benefits associated with fault tree analysis that more than justify the effort required to learn the method.

REFERENCES
1. Application of Safety Instrumented Systems for the Process Industries, ANSI/ISA-SP 84.01-1996, ISA, Research Triangle Park, NC, 1996.
2. Ford, K.A. and Summers, A.E., Are Your Instrumented Safety Systems Up To Standard, Chemical Engineering Progress, November 1998.
3. Safety Instrumented Systems (SIS) -- Safety Integrity Level (SIL) Evaluation Techniques, ISA-TR84.0.02, ISA, Research Triangle Park, NC, 1999.
4. Dejmek, Mark W., Overcoming the Reliability Data Gap in the Process Industries, The 33rd Annual Reliability Engineering and Management Institute (REMI), Tucson, AZ, 1995.
5. CCPS/AIChE Guidelines for Chemical Process Quantitative Risk Analysis, New York: American Institute of Chemical Engineering, 1989.
