
www.safeplexsystems.com safeplex@safeplexsystems.com

Easily Assess Complex Safety Loops


Dr. Lawrence V. Beckman, SafePlex Systems, Inc., 2001

Abstract
Many safety instrumented systems rely on dissimilar redundant field devices, and this can complicate the required analyses. The equations discussed here enable field personnel to handle such situations readily.

In 1996, the ISA S84.01 committee approved a standard addressing the implementation of process safety systems. This standard is performance-based and clearly defines criteria based on Safety Integrity Level (SIL) requirements. The standard was subsequently accepted by ANSI and is now referred to as ANSI/ISA S84.01-1996 (1). ANSI/ISA S84.01-1996 has become the consensus standard for process safety in the U.S. and, as such, is deemed to meet the good-engineering-practice provisions of the OSHA 1910.119 PSM regulation. In the field, however, there is a considerable lack of understanding about how to apply this standard to both determine and achieve the required SIL for the safety instrumented system (SIS).

ISA will soon publish a companion Technical Report, TR84.02 (2), which is intended to alleviate part of this confusion. It details three methodologies (simplified equations, fault tree analysis, and Markov modeling) for implementing the safety performance requirements of the standard for the SIS. Each considers the programmable electronic system (PES) and the field devices of a process safety loop in determining the PES configuration and the field-device redundancy necessary to achieve the loop's required SIL, based on specified failure rate data, proof test interval, etc. The standard requires that the average probability of failure on demand (PFDavg) be used in this analysis. Note that fault tree analysis and Markov modeling yield an instantaneous PFD, not the average value; additional computation is required to obtain PFDavg over the time period of interest. Practically speaking, though, such a determination still isn't easily accomplished in the field.

This is, for the most part, due to the complexity of the three methodologies. Of these, only the simplified-equations technique could reasonably be used by plant personnel: it fits most common SIS configurations and has no SIL restrictions. Given that most of these analyses will be performed in the field (and not by consultants), it is imperative to provide a comprehensive set of simplified equations that consider common-cause failure, systematic failure, and second-failure-prior-to-repair scenarios. The set of simplified equations (obtained from simplified Markov models) in Ref. 2 does take all of these scenarios into account. It does not, however, cover redundant field devices that are dissimilar and thus have different failure rates, for instance two different valves in a one-out-of-two (1oo2) arrangement. Yet the use of diverse redundant components is quite common in practice. So, in this article, I present a set of enhanced equations for such situations, along with a couple of application examples.
Copyright SafePlex Systems, Inc

Safety loop analysis


A safety loop consists of an independent set of sensors, logic solver resources, and final elements necessary to implement a specific safety function. The required performance of a safety loop is defined in terms of its SIL (3,4), which, in turn, is defined by its average probability of failure on demand (PFDavg) over a given time period, typically the proof test interval (TI). The proof test interval is usually selected because it is the time between function tests of the system. (Readers unfamiliar with applying probability theory to determine safety system performance should consult one of the several references on the subject, such as Refs. 5 and 6.) As already mentioned, the ANSI/ISA S84.01 standard requires that PFDavg (not an instantaneous PFD value or an approximation for PFDavg) be used to make this determination; exceptions are not allowed!

where Pf(t) is the probability of failing to function. The specific form of Pf(t) is an attribute of the architecture selected. The PFDavg requirement applies to the PES as well as to the associated field devices. Thus, the testing frequency must be the same for all devices (diverse or identical) used in a redundant configuration, because PFDavg is computed for that configuration as a set. Testing of the individual devices in a redundant configuration need not be performed at the same time, however; it can be staggered. Using Eq. 1, I will derive enhanced simplified equations for the various architectures having diverse redundant components. For a 1oo2 configuration, given that the two failures are independent (that is, common-cause failure is not considered),

where P1(t) is the probability of Component 1 failing to function, and P2 (t) is the probability of Component 2 failing to function. Thus,

where λ1 and λ2 are the components' rates of failing dangerously, and R1 and R2 are their reliabilities.


Approximating e^(−λt) using a Maclaurin series expansion gives

where λTI < 0.6. Substituting into the above equation and simplifying yields

In a 2oo2 configuration, the function fails if either component fails dangerously. So,

Integration and simplification yields


The equation for the 2oo3 configuration can be derived from the 1oo2 equation, as follows:

where λ3 is the dangerous failure rate of the third component. For the 1oo3 configuration, the equation can be developed in a manner similar to that of the 1oo2 equation, given that

where P3(t) is the probability of Component 3 failing to function.

After integration and simplification, the resulting equation is

And, the equation for the 2oo4 configuration can be derived from the 1oo3 equation, as follows:

With identical components, λ1 = λ2 = λ3 = λ4, each of the preceding equations simplifies to the form presented in Ref. 2.
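As an added worked derivation (not from the original article, whose displayed equations did not survive extraction), the argument above can be carried through with the document's own symbols: λ_i is the dangerous failure rate of component i, R_i = e^{-λ_i t} its reliability, P_i = 1 − R_i its probability of having failed, and TI the proof test interval. It assumes exactly what the text assumes (independent failures, no common-cause term, e^{-λt} truncated after the linear term, valid for λTI < 0.6). The closing MooN line is a generalisation of the five configurations, added here; it is not stated in the text.

```latex
% Eq. 1 as the text describes it: PFDavg is the time average of Pf(t) over the proof test interval.
PFD_{avg} = \frac{1}{TI}\int_{0}^{TI} P_f(t)\,dt

% 1oo2: both components must have failed.  Truncating e^{-\lambda t} \approx 1-\lambda t
% gives P_i(t) \approx \lambda_i t.
P_f(t) = P_1(t)\,P_2(t) = (1-e^{-\lambda_1 t})(1-e^{-\lambda_2 t}) \approx \lambda_1\lambda_2\,t^{2}
PFD_{avg}^{1oo2} \approx \frac{1}{TI}\int_{0}^{TI}\lambda_1\lambda_2\,t^{2}\,dt = \frac{\lambda_1\lambda_2\,TI^{2}}{3}

% 2oo2: the function fails if either component fails.
P_f(t) = 1 - R_1R_2 = 1 - e^{-(\lambda_1+\lambda_2)t} \approx (\lambda_1+\lambda_2)\,t
PFD_{avg}^{2oo2} \approx \frac{(\lambda_1+\lambda_2)\,TI}{2}

% 2oo3: any two of the three failing is a dangerous failure, so the 1oo2 result
% is summed over the three pairs (the triple-failure term is third order and dropped).
PFD_{avg}^{2oo3} \approx \frac{(\lambda_1\lambda_2+\lambda_1\lambda_3+\lambda_2\lambda_3)\,TI^{2}}{3}

% 1oo3: all three must have failed.
P_f(t) = P_1P_2P_3 \approx \lambda_1\lambda_2\lambda_3\,t^{3}
PFD_{avg}^{1oo3} \approx \frac{\lambda_1\lambda_2\lambda_3\,TI^{3}}{4}

% 2oo4: any three of the four, i.e. the 1oo3 result summed over the four triples.
PFD_{avg}^{2oo4} \approx \frac{(\lambda_1\lambda_2\lambda_3+\lambda_1\lambda_2\lambda_4+\lambda_1\lambda_3\lambda_4+\lambda_2\lambda_3\lambda_4)\,TI^{3}}{4}

% Identical components (\lambda_i = \lambda): the familiar single-rate forms.
\frac{(\lambda TI)^{2}}{3},\quad \lambda TI,\quad (\lambda TI)^{2},\quad \frac{(\lambda TI)^{3}}{4},\quad (\lambda TI)^{3}

% General MooN of this first-order form (added generalisation): k = N - M + 1 components
% must fail, so sum the product of rates over every k-subset S of the N components.
PFD_{avg}^{MooN} \approx \frac{TI^{k}}{k+1}\sum_{|S|=k}\;\prod_{i\in S}\lambda_i ,\qquad k = N-M+1
```

The practical check a reviewer should make on any such result is the identical-component limit in the penultimate line: if a diverse-component formula does not collapse to the single-rate form when all λ_i are set equal, a term has been miscounted.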


Application examples
Let's now consider a typical situation: the use of two different shutdown valves in a 1oo2 configuration. Assuming the following data, we compute PFDavg for a 1-yr proof test interval as follows:

Valve 1: mean time to dangerous failure (MTTFd) = 30 yr; λd1 = 0.033 /yr
Valve 2: MTTFd = 50 yr; λd2 = 0.020 /yr
Solenoid: MTTFd = 40 yr; λs = 0.025 /yr

For each pair, the combined failure rate, λc, is

So,

Another example is the use of diverse sensors in a 2oo3 configuration. Here, let's assume a 1-yr proof test interval and

Sensor 1: MTTFd = 60 yr; λd1 = 0.017 /yr
Sensor 2: MTTFd = 40 yr; λd2 = 0.025 /yr
Sensor 3: MTTFd = 50 yr; λd3 = 0.020 /yr

Thus,

The PFDavg for the safety loop is the sum of the three independent elements (sensors, PES, and final elements). Taking a PFDavg value for the PES of 0.0005 (the midrange of SIL 3), which is typical, we get

which falls within SIL 2. Note that field devices (sensors and final elements) contribute almost three-quarters (22% and 50%, respectively) of the overall PFDavg of the safety loop. This is consistent with experience in actual field installations.
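The following is an added example, not code from the original article. It implements the first-order diverse-component PFDavg forms the text derives (1oo2, 2oo2, 2oo3, 1oo3, 2oo4), generalised to any MooN of that same form, re-runs both application examples above with the article's rounded rates and 1-yr TI, and totals them into the loop PFDavg with a SIL band check. Two points are assumptions rather than statements on the page: the "combined failure rate" of a valve and its solenoid is taken as the sum of the two dangerous rates (a series arrangement, which is the reading that reproduces the article's stated 50% final-element share), and the SIL bands follow the S84.01-1996 PFDavg ranges for SIL 1 to 3.

```python
"""Enhanced simplified equations for diverse redundant field devices.

Added example, not code from the original article.  First-order
(Maclaurin-truncated, independent-failure) PFDavg for an MooN set of
dissimilar components; common-cause, systematic and second-failure-
prior-to-repair terms (Ref. 2) are deliberately omitted, as in the
article's own derivation.
"""
from itertools import combinations
from math import prod
import warnings

SERIES_LIMIT = 0.6  # the text's bound on lambda*TI for the series truncation


def pfd_avg(m, lams, ti):
    """PFDavg of an MooN arrangement of dissimilar components.

    m    : number of components that must still work, e.g. 2 for 2oo3
    lams : dangerous failure rate of each component (per unit time)
    ti   : proof test interval, the same for every device in the set
    The function fails dangerously once k = N - m + 1 components have
    failed.  To first order P_f(t) = sum over k-subsets of prod(lam_i) t^k,
    and averaging over [0, TI] gives prod(lam_i) TI^k / (k + 1) per subset.
    """
    n = len(lams)
    if not 1 <= m <= n:
        raise ValueError(f"{m}oo{n} is not a valid voting arrangement")
    for lam in lams:
        if lam * ti >= SERIES_LIMIT:
            warnings.warn(f"lambda*TI = {lam * ti:.3f} exceeds {SERIES_LIMIT}; "
                          "the series truncation is outside its stated range")
    k = n - m + 1
    return sum(prod(subset) for subset in combinations(lams, k)) * ti ** k / (k + 1)


def combined_rate(*rates):
    """Dangerous rate of devices in series (a valve plus its solenoid): the
    pair fails to function if any member fails dangerously, so rates add.
    Assumption: this reading of the article's 'combined failure rate' is
    inferred from its worked numbers, not stated explicitly on the page."""
    return sum(rates)


def sil_band(pfd):
    """SIL claimable for a PFDavg under the S84.01-1996 bands (SIL 1..3,
    assumed here); 0 means the value lies outside every band."""
    if 1e-4 <= pfd < 1e-3:
        return 3
    if 1e-3 <= pfd < 1e-2:
        return 2
    if 1e-2 <= pfd < 1e-1:
        return 1
    return 0


def article_loop(ti=1.0):
    """Re-run the article's two examples (its rounded rates, 1-yr TI) and
    total them into the loop PFDavg with each element's share."""
    # Final elements: two dissimilar shutdown valves voted 1oo2, each with
    # its own solenoid; the valve+solenoid pair is the redundant element.
    pair1 = combined_rate(0.033, 0.025)   # valve 1 + solenoid
    pair2 = combined_rate(0.020, 0.025)   # valve 2 + solenoid
    final_elements = pfd_avg(1, [pair1, pair2], ti)
    # Sensors: three diverse sensors voted 2oo3.
    sensors = pfd_avg(2, [0.017, 0.025, 0.020], ti)
    pes = 0.0005                          # midrange of SIL 3, as the text assumes
    total = final_elements + sensors + pes
    parts = {"final_elements": final_elements, "sensors": sensors, "pes": pes}
    return {
        **parts,
        "total": total,
        "sil": sil_band(total),
        "share": {name: round(v / total, 2) for name, v in parts.items()},
    }


if __name__ == "__main__":
    for key, value in article_loop().items():
        print(f"{key}: {value}")
```

Running it reproduces the text: the 1oo2 valves give 0.00087, the 2oo3 sensors about 0.00042, and the loop total of about 0.0018 sits in SIL 2 with the final elements near half and the sensors near a quarter of it. The `lambda*TI` warning is the check worth keeping in a field spreadsheet, since the simplified forms silently understate PFDavg once the truncation bound is exceeded.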


Summary
In this article, I've presented equations that extend the simplified-equations methodology of Ref. 2 so that it can be applied to more complex safety loop configurations. This should significantly enhance the use of the methodology in the field by plant personnel. We haven't looked at modifying the other terms in the simplified equations (those reflecting common-cause-failure, systematic-failure, and second-failure-prior-to-repair scenarios) to account for dissimilar redundant field devices. This could easily be accomplished, however, by making the appropriate substitutions in the respective equations, as follows:

In the 1oo2 equation, compute failure rates as

In the 2oo2 equation, as,

In the 1oo3 and 2oo3 equations, as

and, in the 2oo4 equation, as

This would apply to all terms containing dangerous failure rates (such as λDD and λDU, as defined in Ref. 2) in these equations.

Nomenclature
P = probability of failure, 1 − R
PFDavg = average probability of failure on demand over a given time interval
R = reliability, that is, probability of successful operation
t = time
TI = proof test interval, time

Superscripts
c = combined
d = dangerous

Greek letter
λ = dangerous failure rate, that is, dangerous failures per unit time


References
1. Application of Safety Instrumented Systems for the Process Industries, ANSI/ISA-S84.01-1996, ISA, Research Triangle Park, NC (Feb. 1996).
2. Safety Instrumented Systems (SIS) Safety Integrity Level (SIL) Evaluation Techniques, Part 1: Introduction; Part 2: Simplified Equations; Part 3: Fault Tree Analysis; Part 4: Markov Analysis; Part 5: Markov Logic Solver, ISA, Research Triangle Park, NC (in press).
3. Beckman, L., Determining the Required Safety Integrity Level for Your Process, ISA Trans., 37, pp. 105-111 (1998).
4. Ford, K. A., and A. E. Summers, Are Your Instrumented Safety Systems Up to Standard?, Chem. Eng. Progress, 94 (11), pp. 55-58 (Nov. 1998).
5. Goble, W. M., Control System Safety Evaluation & Reliability, 2nd ed., ISA, Research Triangle Park, NC (1998).
6. Henley, E. J., and K. Kumamoto, Probabilistic Risk Assessment, IEEE Press, New York (1992).

This document has been prepared by Dr. Lawrence V. Beckman. For more information, see the full contact details in the Safety Users Group Directory.

www.safetyusersgroup.com

