This blog will help if you have ever attempted a SIL verification probability of failure calculation for a safety function. A safety integrity level - SIL verification is required for compliance with IEC 61511 / ISA 61511 in the process sector and in IEC 62061 projects in the machinery sector.
In this blog, we'll outline why there are calculations called PFD and PFH for different modes of operation.
Limitations of SIL verification
At the outset, let's be clear that probability of failure calculations are far from an exact science. Calculating a possibility does not make the outcome accurate, especially if the assumptions are incomplete or if the underlying data is flawed.
So, a probability of failure calculation aims to ensure that safety functions result in sufficient integrity, not to calculate a precise number. Estimations should always be as realistic and err on the side of conservative estimates.
Get the safety requirements specification (SRS)
The Safety Requirements Specification (SRS) must be the starting point for any SIL verification probability of failure calculation exercise. Requirements for each safety function provide a vital link to the hazard and risk analysis.
If completed correctly, the SRS will specify what each safety function must achieve, including what to sense and actuate to achieve or maintain a safe state. The SRS is also the primary reference source for the SIL target and other critical performance factors like required response and reaction time.
In the early stages of design, the SRS may not specify the actual equipment or even the required level of redundancy. It is commonplace for there to be several updates of the SRS following SIL verification at multiple stages in design.
Select a modelling method and tool
The analyst must decide on a calculation method to complete a SIL verification. Below are the most common methods used in industry today.
Every method has positives and negatives, but with higher integrity requirements (higher SIL), analysts should adopt a more rigorous approach or use multiple ways.
Calculating the most common SIL 1 safety function designs is possible using simplified equations provided in basic safety standard IEC 61508 part 6..
A good source for safety function equations, RBD and fault trees is ISO/TR 12489:2013.
Sadly, very few of the above items are free, so it is wise to choose carefully or get a specialist company to provide support.
Find conservative failure data
Failure rates of equipment items are the source information needed for any PFD or PFH calculation. A good reference source is important.
Some good industry reference sources are provided below:
Agree on all assumptions
It is an excellent idea to develop a checklist to agree on the assumptions for the calculations.
Consider the following questions as a starting prompt:
Completing the SIL verification
Completing the SIL verification exercise may involve several calculation stages, safety requirement specification update and re-calculation as the design matures and equipment selection occurs for a new-build project.
If you are already operating a safety system, you can complete the calculations based on the installed equipment. If field failure rate data is available, then you should use that in preference to other data sources.
The conclusion of a SIL verification calculation requires that the resulting PFD or PFH for each safety function meets the target set in the SRS.
The target may be simply a SIL band, in which case the PFD or PFH is technically only required to meet the minimum requirement in that band.
If the target is a numerical value, the PFD or PFH achieved must be LOWER than this value.
The SIL verification exercise is not fully complete until other factors have also been considered, including hardware fault tolerance and systematic capability.
FAQ
Safety Integrity Level (SIL) is now somewhat familiar to most process plants with hazards requiring independent protection layers.
When correctly applied, a SIL requirement from SIL 1 to SIL 4 can be assigned to an end-to-end safety function to provide a marker of the level of integrity required for equipment hardware and software concerning the risk of a given hazard; SIL 1 being the lowest integrity and SIL 4 the highest.
Equipment designed for automatically sensing and reacting to hazards can be created and employed in many applications.
Typical process industry applications include emergency shutdown or trip systems that prevent potentially dangerous pressure, temperature or level conditions from escalating.
For hazardous machinery, automated safety functions detect human proximity and bring about a safe state to protect workers from harm.
Whatever the application, the hazard owner should decide the SIL target for each safety function. This process is known as SIL determination or SIL selection.
A PFD or PFH calculation is required to demonstrate that each safety function can meet random failure targets.
PFD = Probability of Failure on Demand
PFH = Probability of Failure per Hour
There are two calculation methods due to the different MODES OF OPERATION defined for a safety function; LOW DEMAND MODE and HIGH DEMAND / CONTINUOUS MODE.
The answer to this is an emphatic NO! PFD/PFH calculations are only a part of a much larger picture.
Put simply, this is the way (mode) in which a safety function operates. Examples follow in the definitions below.
As the name indicates, this is where the end application of a safety function gets called upon very INFREQUENTLY. The standards define low demand mode as a maximum frequency of demands no greater than once per year.
LOW DEMAND MODE safety functions require a Probability of Failure on Demand - *PFD calculation. These are common in process industry applications.
*Note: The technically correct term is PFDavg; where "avg" is the abbreviation for "average".
This is where a safety function still works on demand, but the frequency of demands is greater than once per year.
HIGH DEMAND MODE safety functions require a Probability of Failure per Hour (*PFH) calculation.
*Note: PFH is more accurately known as PFHD in machinery safety standards IEC 62061 and ISO 13849-1.
Note that the word "demand" does not appear in this case. This type of safety function is continously operating to retain a safe state.
CONTINOUS MODE safety functions require a Probability of Failure per Hour (*PFH) calculation.
*Note: PFH is more accurately known as PFHD in machinery safety standards IEC 62061 and ISO 13849-1.