This blog may help if you have ever attempted a SIL verification probability of failure calculation for a safety function.
A safety integrity level - SIL - verification is required for compliance with IEC 61511 / ISA 61511 in the process sector and in IEC 62061 projects in the machinery sector.
In this article, we'll outline why there are calculations called PFD and PFH for different modes of operation.
Limitations of SIL verification
At the outset, let's be clear that probability of failure calculations are far from an exact science. Calculating a probability does not make the outcome accurate, especially if the assumptions are incomplete or if the underlying data is flawed.
So, a probability of failure calculation aims to ensure that safety functions result in sufficient integrity, and "an order of magnitude" is the expected outcome, rather than a precise value. Having said that, estimations should always be as realistic as possible, including erring on the side of conservative or "safe-side" values.
Get the safety requirements specification (SRS)
The Safety Requirements Specification (SRS) must be the starting point for any SIL verification probability of failure calculation exercise. Requirements for each safety function provide a vital link back to the hazard and risk analysis.
If completed correctly, the SRS will specify what each safety function must achieve, including what to sense and actuate to achieve or maintain a safe state. The SRS is also the primary reference source for the SIL target and other critical factors like required response and reaction time of each safety function.
In the early stages of design, the SRS may not specify the actual equipment or even the required level of redundancy. It is commonplace for there to be several updates of the SRS following SIL verification at multiple stages in design.
Select a modelling method and tool
The analyst must decide on a calculation method to complete a SIL verification. Below are the most common methods used in industry today.
Calculating the most common SIL 1 safety function designs is possible using simplified equations provided in IEC 61508 part 6. However, if you have five (5) or more safety functions, it's much better to invest in a specialist database-oriented tool like aeShield to control the linkage between SRS, SIL Calcs, Cause & Effects and proof test procedures.
Every method has positives and negatives, but with higher integrity requirements (higher SIL), you should adopt a more rigorous approach or use multiple methods to compare results.
Find conservative failure data
Failure rates of equipment items are the source information needed for any PFD or PFH calculation. A good reference source is important.
Some typically used industry reference sources are provided below:
- Prior use data from end-user collection of failures
- Offshore Reliability Database (OREDA)
- Manufacturer SIL Capability Data from Certificates or Safety Manuals
Agree on all assumptions
It is an excellent idea to develop a checklist to agree on the assumptions for the calculations.
Consider the following questions as a starting point:
Completing the SIL verification
Completing the SIL verification exercise may involve several calculation stages, safety requirement specification update and re-calculation as the design matures and equipment selection occurs within the project.
If you are already operating a safety system, you can complete the calculations based on the installed equipment. If field failure data is available, then you should use that in preference to other data sources.
The conclusion of a SIL verification calculation requires that the resulting PFD or PFH for each safety function meets the target set in the SRS.
The target may be simply a SIL band rather than a specific value, in which case the PFD or PFH is technically only required to meet the minimum requirement in that band.
If the target is a numerical value, the achieved PFD or PFH must be LOWER than this value to ensure the conservative "safe-side" approach explained earlier.
The SIL verification exercise is not fully complete until several other factors have been considered, including hardware fault tolerance and systematic capability.
Importantly, if there is software involved, the PFD/PFH calculation will not reveal anything about the quality of that software. Software issues can only be found by rigorous testing and requirements control.
Read the Frequently Asked Questions below to discover more about how PFD and PFH differ.
FAQ About PFD, PFH and SIL Verification
Safety Integrity Level (SIL) is now somewhat familiar to most process plants with hazards requiring independent protection layers.
When correctly applied, a SIL requirement from SIL 1 to SIL 4 can be assigned to an end-to-end safety function to provide a marker of the level of integrity required for equipment hardware and software concerning the risk of a given hazard; SIL 1 being the lowest integrity and SIL 4 the highest.
Equipment designed for automatically sensing and reacting to hazards can be created and employed in many applications.
Typical process industry applications include emergency shutdown or trip systems that prevent potentially dangerous pressure, temperature or level conditions from escalating.
For hazardous machinery, automated safety functions detect human proximity and bring about a safe state to protect workers from harm.
Whatever the application, the hazard owner should decide the SIL target for each safety function. This process is known as SIL determination or SIL selection.
A PFD or PFH calculation is required to demonstrate that each safety function can meet random failure targets.
PFD = Probability of Failure on Demand
PFH = Probability of Failure per Hour
There are two calculation methods due to the different MODES OF OPERATION defined for a safety function; LOW DEMAND MODE and HIGH DEMAND / CONTINUOUS MODE.
The answer to this is an emphatic NO! PFD/PFH calculations are only a part of a much larger picture.
Put simply, this is the way (mode) in which a safety function operates. Examples follow in the definitions below.
As the name indicates, this is where the end application of a safety function gets called upon very INFREQUENTLY. The standards define low demand mode as a maximum frequency of demands no greater than once per year.
LOW DEMAND MODE safety functions require a Probability of Failure on Demand - *PFD calculation. These are common in process industry applications.
*Note: The technically correct term is PFDavg; where "avg" is the abbreviation for "average".
This is where a safety function still works on demand, but the frequency of demands is greater than once per year.
HIGH DEMAND MODE safety functions require a Probability of Failure per Hour (*PFH) calculation.
*Note: PFH is also known as PFHD in machinery safety standards IEC 62061 and ISO 13849-1.
Note that the word "demand" does not appear in this case. This type of safety function is continously operating to retain a safe state.
CONTINOUS MODE safety functions require a Probability of Failure per Hour (*PFH) calculation.
*Note: PFH is also known as PFHD in machinery safety standards IEC 62061 and ISO 13849-1.