PD CEN ISO/TR 12489:2016 Petroleum, petrochemical and natural gas industries — Reliability modelling and calculation of safety systems making excellence a habit”PD CEN ISO/TR 12489:2016 PUBLISHED DOCUMENT National foreword ‘This Published Document is the UK implementation of CEN ISO/TR 12489:2016. It identical to ISOITR 12489:2013. it supersedes PD ISQITR 12489:2013 which is withdrawn. ‘The UK participation in its preparation was entrusted to Technical Committee PSE/17, Materials and equipment for petroleum, petrachamical and natural gas industrias. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract, Users are responsible for its correct application. (© The British Standards institution 2016. Published by BSI Standards Limited 2016 ISBN 978 0 580 s86H2 9 1€$ 75.180.01; 75.200 ‘Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published under the authority of the Standards Policy and strategy Committee on 30 November 2013. ‘Amendments/corrigenda issued since publication Date Text affected 29 February 2016 This corrigendum renumbers PD ISO/TR 12489:2013 ‘as PD CEN ISO/TR 17489:2016.TECHNICAL REPORT CEN ISO/TR 12489 RAPPORT TECHNIQUE TECHNISCHER BERICHT January 2016 1¢875.200, 75.180.01 English Version Petroleum, petrochemical and natural gas industries - Reliability modelling and calculation of safety systems (ISO/TR 12489:2013) pétcole,plrechiniect gzz marl -Noasstion bre, petrechenische md gata asre calcul fiabilistes des systemes de sécurité (SO/TR werlassigkeit der M odellierang und Berechnung von Tes7003) ‘icherbelgitemen (80/1 1280500015) ‘This Technical Report was approvedby CEN on 28 March 20 1S. Ithas been dravm upby theTechnical Committee CEN/TC 12. CEN members are the national standards bodies of Austria, Belgium, Bulgaria. Crvatia. Cyprus. Czech Republic, Denmark, Estonia, Finland, Former Yugostav Republic of Macedonta Brance, Germany, Greece, Hungary. Iceland, Ireland Italy. Latvia, Lithuania Laxembourg Malta Netherlands, Norway, Poland, Pertugal Romania, Slovakia, Sovenia, Spain, Sweden, Switzerland, Turkey ad United Kingdom, a [EUROPEAN COMMITTEE FOR STANDARDIZATION CONITE EUROPEEN DE NORMALISATION (CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels ©2016 CEN Allvights of exploitation in any form and by auymeaneresteved Ref.No, CEN I50/TR 12409:2016 ‘worldwide for CEN national Members.PD CEN ISO/TR 12489:2016 CEN ISO/TR 12489:2016 (E) European foreword ‘This document (CEN ISO/TR 12489:2016) has been prepared by Technical Committee 1SO/TC 67 “Materials, equipment and offshore structures for petroleum, petrochemical and natural gas industries” in collaboration with Technical Committee CEN/TC 12 “Materials, equipment and offshore structures for petroleum, petrochemical and natural gas industries” the secretariat of which is held by NEN. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights, CEN [and /or CENELEC] shallnot be held responsible for identifying any or all such patent rights. Endorsement notice The text of IS0/TR £2489:20 13 has been approved by CEN as CENISO/IR 124692046 without any modification.PD CEN ISO/TR 12489:2016 ISO/TR 12489:2013(E) Contents Page Foreword. ov = Saini = on Introduction. scala iscsi pene + cecal 1 Scope... ce eects 2 Analysis framework... cies 7 st th 2.1 Users ofthis Technical Report 02.0... oe nse . gu 2.2 1S0/TR 12489 with regard to risk and reliability analysis processes... 2 23 Overview ofthe reliability modelling and calculation approaches considered in this. Technical Report... a 24 Safety systems and safety functions... 3 Terms and definitions....... 3.1 Basic reliability concepts. 3.2 Failure classification... 3.3 Safety systems ty pology. 3.4 — Maintenance issues... 35 Otherterms...... 3.6 Equipment-related tens... 4 Symbols and abbreviated terms aera 7 3 = 5 Overview and challenges... si . 5.1 General considerations about modelling and calculation challenges ~.. 83 5.2 Deterministic versus probabilistic approaches... 8 5:3 Safe faire an! design philosophy 5.4 — Dependent failures... 55 Human factors. 5.6 Documentation of underlying assumptions 6 Introduction to modelling and calculations... 6.1 Generalities about safety systems operating in “on demand” or “continuous” modes......41 62 Analytical approaches... 7 Analytical formulae approach (low demand mode). 7. Introduction .. 1 72 — Underlying hypothesis and main assumptions. 73 Single failure analysis... sit 7.4 — Double failure analysis. cn 75 Triple failure analysis. 7.6 Common cause failure: 7.7 Example of implementation of analytical formulae: 7.8 — Conchision about analytical formulae approach...... 8 Boolean and sequential approaches... 8.1 Introduction 8.2 Reliability block diagrams (RBD). 83 Fault Tree Analysis (FTA)... i B4 — Sequence modelling: cause consequence diagrams, even t tree analysts, LOPA...-.--...61 85 Calailtions with Boolean models, 8.6 — Conchtsion about the Boolean approach 9 Markovian approach... = sa 9.1 Introduction and principles. 9.2 Multiphase Markov models... 93° Conclusion about the Markovian approach... 10 Petrinetapproach 10.1 Basic principle 10.2. RBD driven Petrinet modelling... sme tisctrnnson © 180 2013 ~ Allrights reserved aPD CEN ISO/TR 12489:2016 ISO/TR 12489:2013(E) 10.3. Conclusion about Petrinet approach... eee 11 Monte Carlo simulation approach... sts 12 Numerical reliability data uncertainty handling... 13 Reliability data considerations... 13.1 Introduction ...... 13.2 Relability data SOUTCES .onomonemnmnnm so 13.3. Required reliability data 7 sis 13.4 Reliability data collection ssa 14 Typical applications... sostnntnnninennnnnnnnanmnn 14.1 Introduction .. —s 7 14.2 Typical application TAL: single channel ae “ 14.3 Typical application TA2: dual charm ela cns-nsemnrnninrnenen si 14.4 Typical application TA3: popular redundant architectate.......». 14.5 Typical application TA4: multiple safety system........ 14.0 Typical application TAS: emergency depressurization system (ee) 14.7 Conclusion about typical applications... Annex A (informative) Systems with safety functions... nee 146 Annex C (in formative) Relationship between failure rate, conditional and unconditional failure Annex B (informative) State analysis and failure classification. intensities and failure frequency .n.0.1eon-- i ao 152 Annex D (informative) Broad models for demand mode (reactive) safety systems... 160 Annex E (informative) Continuous mode (preventive) safety systems... 167 Annex F (informative) Multi-layers safety systems/multiple safety systems......... sec 70 Annex G (informative) Common cause failUres ..onnoornomnm a aca Annex H (informative) The human factor... eter 7 ooo 180 Annex I (informative) Analytical formulae si -186 Annex J (Informative) Sequential modelling ... cvsnnnsniannnninnimninnnnnenens 207 Annex K (formative) Overview of calculations with Boolean models.. ee) Annex L (informative) Markovian approach ... ws uc itt Annex M (informative) Petri net modelling... mvnennennninnnnnereniinnsenn B89 Annex N (informative) Monte Carlo simulation approach... arsceesen ao 248 Annex O (informative) Numerical uncertainties handling... ‘ one BZ Bibliography... - ~ 285 eertielemcn, © 180 2013- All rights reservedPD CEN ISO/TR 12489:2016 1SO/TR 12489:2013(E) Foreword 180 (the Intemational Organization for tandardization) is a worldwide federation ofnational standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through 1SO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. 180 collaborates closely with the Intemational Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. The procedures used to develop this document and those intended for its further maintenance are described in the 1S0/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of [80 documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patentrights. 1SO shallnot be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www. iso.org/patents) Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explination on the meaning of 180 specific terms and expressions related to conformity assessment, as wellasin formation about IS0's adherence to the WTO principles in the Technical Barriers to Trade(TRT) see the following URL: Foreword - Supplementary information The committee responsible for this document is IS0/TC 67, Materials, equipment and offshore structures ‘for petroleum, petrochemical and natural gas industries. This first edition of IS0/TR 12489 belongs of the family of reliability related standards developed by IS0/TC 67: — 180 14224, Petroleum, petrochemical and natural gas industries — Collection and exchange of reliability ‘and maintenance data for equipment — 180 20815, Petroleum, petrochemical and natural gas industries — Production assurance and reliability management erriasessmion 0150-2013 Allrights reserved vPD CEN ISO/TR 1248 1SO/TR 12489:2013(F) 016 Introduction Safety systems have a vital function in petroleum, petrochemical and natural gas industries where safety systems range from simple mechanical safety devices to safety instrumented systems. ‘They share three important characteristics which make them difficult to handle: 1) They should be designed to achieve good balance between safety and production. This implies a high probability of performing the safety action as well as a low frequency ofspurious actions. 2) Some of their failures are not revealed until relevant periodic tests are performed to detect and repair them. 3) Agiven safety system rarely works alone. It generally belongs to a set of several safety systems called multiple safety systems) working together to prevent accidents. Therefore improving safety may be detrimental to dependability and vice versa. These two aspects should therefore, ideally, be handled at the same time by the same reliability engineers. However, in reality they are generally considered separately and handled by different persons belonging to different departments. Moreover this is encouraged by the international safety standards, which exclude dependability from their scopes, and the international dependability (see 3.1.1) standard, which exchudes safety from thelrs. This may lead to dangerous situations (e.g. safety system disconnected because of too many spurious trips) as well as high production losses The proof of the conservativeness of probabilistic calculations of safety systems is generally required hy safety authorities. Unfortunately, managing the systemic dependencies introduced by the periodic tests to obtain conservative results implies mathematical difficulties which are frequently ignored. The impact is particularly noticeable for redundant safety systems and multiple safety systems. Awareness ofthese challenges is important for reliability engineers as well as safety managers and decision makers, utilizing reliability analytical support. Most of the methods and tools presently applied in reliability engineering have been developed since the 1950s before the emergence of personal computers when only pencil and paper were available. At that time the reliability pioneers could only manage simplified models and calculations but this has completely chan ged because of the tremendous improvement in the computation means achieved over the past 30 years. Nowadays, models and calatlations which were once impossible are carried out with a simple laptop computer. Flexible (graphical) models and powerful algorithms based on sound mathematics are now available to handle “industrial size” systems (i.e. many components with complex interactions). This allows the users to focus on the analysis of the systems and assessment of results, rather than on the calculations themselves. All the approaches described in this Technical Report have been introduced in the petroleum, petrochemical and natural gas industries as early as the 1970s where they have proven to be very effective. They constitute the present time state-of the-art in reliability calculations. Nevertheless some of them have not been widely disseminated in this sector although they can be of great help for reliability engineers to overcome the problems mentioned above. This is. particularly true when quantitative reliability or availability requirements need confirmation and/or ‘when the objective of the reliability study lay beyond the scope of the elementary approaches ‘The present document is a “technical” report and its content is obviously “technical’. Nevertheless, it only requires a basic knowledge in probabilistic calculation and mathematics and any skilled reliability engineer should have no difficulties in using it. wer racllboncn, © SO 2013- Allrights reservedPD CEN ISO/TR 1248! TECHNICAL REPORT 1SO/TR 12489:2013(E) 016 Petroleum, petrochemical and natural gas industries — Reliability modelling and calculation of safety systems 1 Scope ‘This TechnicalReportaimsto close the gap between the state-of the-artand the application of probabilistic calculations for the safety systemsofthe petroleum, petrochemicaland natural gas industries. Itprovides guidelines for reliability and safety system analysts and the ofl and gas industries to: + understand the correct meaning of the definitions used in the reliability field; + Identity — the safety systems which may be concerned, — the difficulties encountered when dealing with reliability modelling and calculation of safety systems, — the relevant probabilistic parameters to be considered; + beinformed ofeffective solutions overcoming the encountered difficulties and allow ing to undertake the calculations of relevant probabilistic parameters, + obtain sufficient knowledge of the principles and framework (eg. the modelling power and limitations) of the well-established approaches currently used in the reliability field: — analy tical formutae;(i] 21031 — Boolean: + reliability block diagrams;E8! + fault trees [5] — sequential event trees,{!] cause consequence diagramstd] and LoPa;(?) — Markovian; {€l — Petrinets;{2 + obtain sufficient mowledge of the principles of probabilistic evaluations: — analytical calculations (e.g. performed on Boolean or Markovian models}; (02115) — and Monte Carlo simulation (eg. performed on Petrinets!2 + selectan approach suitable with the complexity of the related safety system and the reliability study which is undertaken; + handle safety and dependability (e.g, for production assurance purpose, see 3.1.1) within the same reliability framework. ‘The elementary approaches (e.g PHA, HAZID, HAZOP, FMECA) are out of the scope of this Technical Report. Yet they are ofutmost importance and ought to be applied first as their results provide the input information essential to properly undertake the implementation of the approaches described in this ‘Technical Report: analytical formulae, Boolean approaches (reliability block diagrams, fault trees, event trees, etc), Markov graphs and Petri nets. awemamm © 1802013 Allrights reserved 1PD CEN ISO/TR 12489:2016 1SO/TR 12489:2013(F) ‘This Technical Report is focused on probabilistic calculations of random failures and, therefore, the non- random (ie. systematic failures as per the intemmational reliability vocabulary IEV 19114) failures are out ofthe scope even if, to some extent, they are partly included into the reliability data collected from the field. 2 Analysis framework 2.1. Users of this Technical Report ‘This Technical Reportis intended for the following users, in aroledefining the scope of work of reliability models (customer or decision-maker), executing reliability analysis or as a risk analyst using these calculations: + Installation/Plant/Facility: op erating facility staff e.g. safety,maintenance and engineering personnel. + Owner/Operator/Company: reliability staff or others analysing or responsible for reliability studies for safety related equipment located in company facilities. * Industry: groups of companies collaborating to enhance reliability of safety systems and safety functions, The use of this Technical Report supports “reliability analytical best practices” for the benefit of societal risk management in accordance with IS0 2600022, + Manufacturers/Designers: users having to doanment the reliability of their safety equipment. + Authorities/Regulatory bodies: enforcers of regulatory requirements which can quote these guidelines to enhance quality and resource utilization. + Consultant/Contractor: experts and contractors/consultants undertaking reliability modelling and probabilistic calculation studies. + University bodies: those having educational roles in society and experts that might improve methods on thesematters. + Research institutioy calculation methods. experts that might improve reliability modelling and probabilistic 2.2 1S0/TR 12489 with regard to risk and reliability analysis processes When a safety system has been designed using good engineering practice (ie. applying the relevant regulations, standards, rules and technical and safety requirements) it is expected to work properly. After that. reliability analysis is usually undertaken in order to evaluate its probability of failure and, ifneeded, identify how it can be improved to reach some safety targets. wa tedeunon © 180 2013- All rights reservedPD CEN ISO/TR 12489:2016 ISO/TR 12489:2013(E) Eee oe ae Risk management production, operations, etc Risk assessment Risk analysis f Reliability analysis IsOTR 12488) Figure 1 —1S0/TR 12489 wi jn the framework of risk management Relevant interdisciplinary communication and a good understanding of the safety system life cycle are required to have qualified inputs and correct result interpretations. Applying this Techn ical Report also requires interaction and compliance with other standards such as [SO 2081515] (production assurance), 10 1422405) (reliability data collection) or ISO 17776225] and ISO 31000[221 (risk management). As shown in Figure 1, this Technical Report contributesto the riskmanagement process which encompasses both safety and production (dependability, cf. 3.1.1) aspects and involves different stages such as risk assessmen tand risk analysis. More precisely, this Technical Report contributes to the probabilisticpart (reliability analysis) of the risk analysis stage. NOTE — 180 2081505) gives further information on reliability/availability in a production assurance perspective, while 180 142245] which {s devoted to reliability data collection is another fundamental reference for both safety and production within our industries (within I80/TC67 business arena), ISO 17776125 and 180 3100.24] are devoted to risk management. ‘When such a process is undertaken, the usual steps are the following: a) Defining the objective of the study and system boundaries in order to identify the limits of the processand the safety system(s) to be analysed 1) Functioning analysis to understand how the safety system works. Q._ Dysfunctioning analysis to understand how the safety system may fail J) risk identification and establishment of the safety targets, 2) elementary analyses (e.g. HAZOP, FMEA, etc); 3) common cause fathires identification. 4) Modelling and calculations: 1) Modelling: 1) functioning and dysfunctioning modelling ve esomenscy 180-2013 Allrights reserved 3PD CEN ISO/TR 12489:2016 1SO/TR 12489:2013(E) 9 ; i 2 me : 3) Quantitative analysis (if qualitative analysis is not sufficient). 6) Discussion with field specialists and redesign if improvements arenceded. f) Final_results (weak points, failure contributors, failure probabilities, interpretation, specifications, etc). The present Technical Report is focused on the steps written in bold and underlined characters: modelling and calculations [step d)] and final results of interest [step f)]. Nevertheless, step d) and consequently £) can be achieved only ifthe steps a), b) and c) and consequently e) have been properly undertaken first. Therefore in this Technical Report it is supposed that the limits of the safety system and the objective of the study have been properly identified [step a)], that the analyst has acquired a sound understanding about the functioning [step b)] and dysfunctioning of the safety system under study, that the relevant risk identification and the safety targets have been properly established [and )] and that field specialists have been invited to give their advice in due time [step ¢)] to ensure that the final results are close to real life feedback. ‘This Technical Report also suggests the safety systems and safety functions typically requiring such reliability analysis support in order to utilize resources effectively. See Annex A. 2.3. Overview of the reliability modelling and calculation approaches considered in this Technical Report Figure 2 gives an overview of the approaches selected for the purpose of this Technical Report and provides some guidelines to select them when the level i difficulty and complexity increases. sree onion @ 180 2013- Allrights reservedPD CEN ISO/TR 12489:2016 1SO/TR 12489:2013(F) From [reabany ana aa (rare) quantitative resus 7 Strong ependencies ? Tee noTe2) Constant ‘ansition rates ? ‘Weak ependencies ? Large number ‘orstaes ? Relevance of series-parallel model? = et, u Monte Carts simulation mea ae NOTE1 The questions on the left hand sitle can be used as guidelines to choose an adequate approach to study a given safety system. NOTE2 _ Systems without dependencies do not really axist in the real world but the dependencies may have a negligible impact (weak dependencies) or a strong impact (strong dependencies) on the probability of failure. ‘An example of weak dependency is the use of a single repair team for a topside periodically tested component (because the repair time ls negligible compared to the MFDT (Mean Fault Detection Time, see 3.1.35). Anexample of strong dependency is when a stand-by component starts when another fails. NOTE3 — “Series-parallel mod!” refers to a popular model found in numerous textbooks which uses only series and parallel structures to mode! the logic ofthe systems, for example, reliability block diagrams/$1. NOTE4 The arrow from “Markov” to “Analytical Formulae” through “fault tree” and “RBD" highlights the Fact ‘thatthe analytical formulae are obtained through models mixing Eoolean( (4 and Markovl“l model. Figure 2 — Overview of reliability modelling and calculation approaches currently used Other criteria can beused to classify the reliability modelling and calculation approaches: + theaccuracy of results (approximated or exact}; + conservativeness of the results (pessimistic or optimistiq; + thenature of the calaikations (analytical or Monte Carlo simulation); + thenature of the modelling (static or dynamic); + theuser friendImess (graphical ornon graphical); + the input data which can be made available: wns sisoennsion © 180 2013 - Allrights reserved 3PD CEN ISO/TR 1248: 1SO/TR 12489:2013(F) 016 + the possibility to update the model after several years by someone else. The various approaches currently used in reliability engineering have different characteristics (strengths and limitations). It is important for the selection and use of these approaches to be aware of their limitations and conservativeness: a) Analytical formulae:(2J0% analytical methods which provide approximated suitable results when used skilfully. They are useful for quick calailations but the underlying limits and approximations often limit their application to systems of limited complexity. This also limits their application to systems where sequence-dependent failures or other time-dependent failures, such as desynchronized testing (see 3.4.10), are not important contributors to the overall performance, Analytical formulae are generally obtained from underlying Boolean and for Markovian models. b) Boolean models: static and graphical models supporting analy tical calaulations. “Reliability block diagrams" (RBD) {| and fault trees (FT)E] belong to Boolean models, To some extent, the sequential approaches event trees (ET)[2, LOPAL or cause consequence diagramsl2] can also be associated with Boolean models. These approaches provide clear and understandable models for large or complex systems. Boolean models are limited to “two-state” systems (working, failed) and handling oftime evolution requires a high level of understanding in probabilistic calculations. Q) Markovian modelsi*l: dynamic and graphical models supporting analy tical calculations and modelling of sequence-dependent or time-dependent failures. A Markovian model is a “state- transition” model limited to exponentially distributed events. The combinatory explosion of the number of system states limits this approach to small (simple or complex) systems with few states. The impact of approximations performed to deal with larger systems is often difficult to evaluate. Boolean and Markovian approaches can be mixed to model large systems when weak dependencies between the components are involved. This can be achieved by implementing the fault tree driven Markov models (see Figure 2). 4) Petri netst/1: dynamic and graphical models supporting Monte Carlo simulation to provide statisticalresults associated with their confidence intervals. A Petri net isa “state-transition” model handling any kind of probabilistic distributions. Time-, state- or sequence-dependent failures can be modelled explicitly. The size of the model is linear with regard to the number of components This makes possible the modelling of very large complex systems. The Monte Carlo simulation computation time increases when low probability events are calculated but probabilities of failure as low as 10-5 over one year can be handled with modern personal computers. For large safety systems, the Petri netmay become difficult to handle. Theuse of the RBD driven PN overcomes this difficulty (see Figure 2). 2) Formal languages{LiI02i: dynamic models used to generate analytical models (e.g. Markovian models or fault trees, when possible) or used directly for Monte Carlo simulation. The other characteristics are same as Petri nets except that computations may be slower. They are just mentioned but they are outside the scope of this Technical Report. Except for bullet ¢), more details canbe found in Clauses 7 to 10. All these models can be mathematically described in terms of “finite states automata” (i.e. amathematical state machine with a finite number of discrete states). The system behaviour can be modelled more and more rigorously when going from a) to ¢) but, of course, every approach can be used to model simple safety systems. Figure 2 gives advice to the analyst to select the relevant approach in order to optimize the design of a safety system and meet some reliability targets. This choice depends on the safety function, purpose and complexity the analyst has to face. When severa] approaches are relevant, the analystmay choose his favourite. A.waming may be raised here: using a software package as a black box or a formula asa magic recipe Is likely to lead to inacaurate, often non-conservative, results. In all cases the reliability engineers should be aware of the limitations of the tools that they are using and they should have a minimum understanding of the mathematics behind the calculations and a good knovrledge of the nature of the results that they obtain (unreliability, point unavailability, average unavailability, frequency, etc), of the wr tefherwan © 180 2013~ Al rights reservedPD CEN ISO/TR 12489:2016 1SO/TR 12489:2013(F) conservativeness and of the associated uncertainties. Without adequate understanding of the software tool, erroneous results can be obtained through its misuse. Table 1 — Road map of ISO/TR 12489 Topic Reference to main report Reference to annexes (sub)clause T General issues a) _Termsand definitions 34 b) _ General analytical overview 56 BGDEF Human factors H 4) Common cause é €)_ Monte Carto simulation 1 W 1D) Uncertainty 2 ° z) Reliability data 3 |h) Systems with safety functions 24 A I- Approaches a) _ Analytical formulae 7 1 b) Boolean 3 K - Reliability Block Diagram a2 - Fault Tree 83 - Sequence modelling 84 i ©) Markovian 9 L ‘@)_Petrinet 10 " Mi. Examples 1 IV. Bibliography End of IS0/TR 12489 Its hmportant that the reliability methods and application of those, including the available input data are adapted to the life cycle phase. Uncertainty handling is further addressed in Clause 12. ‘The human factor is addressed in 5.5 and Annex H in terms of the quantificati human performed tasks. This incision is intended to support assessment of the pros and cons of ‘including human tasks with the potential for failure in safety systems. ‘Table 1 gives a road map for these issues and the supporting annexes and supplement Figure 2. 2.4 Safety systems and safety functions ‘Numerous safety systems are implemented in the petroleum, petrochemical and natural gas industries. ‘Theyrange from very simple to very complexsystems,used on-demand or i contintiousmode of operation. Table A.l gives anon-exhaustive list of safety systems and safety functions which may require reliability ‘modelling in the petroleum, petrochemical and natural gas industries. It has been built in relationship with the taxonomy developed in the [SO 14224115] standard and covers either safety systems (taxonomy level 5) or other systems with safety function(s). A summary is given below: A. Emergency/process shutdown (splitin A.1 and A2) B. Fire and gasdetection Fire water sees astnasion © 1SO 2013 ~ Allrights reserved 7PD CEN ISO/TR 12489:2016 ISO/TR 12489:2013(E) Fire-fighting Process control Publicalarm Emergency preparedness systems Marine equipment Electrical and Telecommunication J. Other utilities K. Dri ling and Wells L. Subsea NOTE —_AtoGarecovored as safety and control systems in Table A.3 of $0 14274115]. Thelisthas been extended from H to Lto givea broader coverage. ‘This Technical Report provides a number of reliability modelling and calculation approaches large enough to cope with any kind of safety system like those identified in Table A.L. They can be used when the objectives of the reliability studies lay beyond the scope of the elementary approaches (e.g. PHA, HAZID, HAZOP FMECA ..) and selected accord ing to Figure 2. 3 Terms and definitions For the purposes of this document, the following terms and definitions apply. NOTE 1 — Since their introduction more than 50 years ago, the core concepts of the reliability engineering field have been used and adapted for various purposes. Over time this hat caused “somantic’ drifts and most of the terms have varlous meanings. They have become so polysemicnow that It ls necessary to define them accurately to avoid confusion, even when they seem well known. NOTE2 The terms are divided into: — 3 Basicroliability concepts — 2.2 Failure dassification — 3.3 Safety systems typology — 34Maintenan — 25 Other terms — 3.6 Equipment related terms ‘Textual definitions are provided as well as, when this is possible, the corresponding mathematical formulae which leave less place to interpretation, Notes are ad ded when clarifications are useful. 3.1 Basic reliability concepts 344 dependability ability to perform as and when required Note 1 to entry: Dependability is mainly business oriented. @ 80.2013 Allrights reservedPD CEN ISO/TR 12489:2016 ISO/TR 12489:2013(F) Note 2 to entry: IEC/TC $6 which is the international “dependability” technical committee deals with reliability, availability, maintainability and maintenance support. More than 80 dependability standardshave been published by the IEC/TCS6. In particular, itis in charge of the international vocab ulary related to those topics (IEV 1911141) and also of the methode used in the reliability fleld (e.g. FMEA, HAZOP, reliability block diagrams, fault treas, Markovian approach, event tree, Petri nets) Note 3 to entry: The proctuction availability is an extension, for production systems, of the classical depen ability measures, This term is defined in the ISO 208 15E}0! standard which deals with production assurance and relates to systems and operations associated with drilling, processing and transport of petroleum, petrochemical and natural gas. The relationship between production-assurance terms can be found in Figure G.1 of ISO 20815124. [SOURCE: IEC 60050 ~191] 3A2 safety integrity ability ofa safety imstrumented system to perform the required safety instrumented functions as and when required Note 1 to entry: This definition is equivalent to the depondability of the $1S (Safety Instrumented System) with regard to the required safety instrumented function. Dependability, being often understood as an economical rather a safety concept, has not been used to avoid confusion, Note 2 to entry: The term “integrity” is used to point out that a SIS aims to protect the integrity of the operators aswell as ofthe process and its related equipment from hazardous events. 313 SIL. Safety Integrity Level discrete level (one out of four) for specifying thesafety integrity requirements ofthe safety instrumented functions to be allocated to the safety instrumented systems Note 1 to entry: Safety integrity level 4 is related to the highest level of safety integrity; safety integrity level 1 has the lowest. Note 2 to entry: The safety intogrity level is a requirement about a safety instrumented function. The higher the safety integrity level, the higher the probability that the required safety instrumented function (SIF) wil be carried out upon a real demand. Note 3 to entry: This term differs from the dofinition in IEC 61508-4[4 to reflect differonces in process sector terminology. 314 safe state state of the process when safety is achieved Note 1 to entry: Some states are safer than others (see Figures Bul, B.2 and B.3) and in going from a potentially hazardous condition to the final safe state, or in going from the nominal safe condition toa potentially hazardous condition, the process may have to go through a number of Intermed|ate safe-states. Note 2 toentry: For some situations, a safe state exists only solong as the pracess is continuously controlled. Such continuous control maybe for a short oran indefinite period of time. Note 3 to entry: A state which is safe with regard to a given safety function may increase the probability of hazardous event with regard to another given safety function. In this case, the maximum allowable spurious trip rate (Gee 10.3)forthe first function should consider thepotential increased riskassociated with the other function. 3.15 dangerous state state of the process when safety isnot achieved Note 1to entry: A dangorous state is the result ofthe occurrence ofa critical dangerous failure (3.2.4, Figure B.1), er actranicn © 150 20.13 - Allriphts reserved 4PD CEN ISO/TR 12489:2016 1SO/TR 12489:2013(E) 3.1.6 safety function function which is mtended to achieve or maintain a safe state, in respect of a specific hazardous event Note 1 to ontry: This term deviates from the definition in IBC 61508-4 to reflect differences in process sector terminology. 347 safety system system which realizes one or more safety functions 3.1.8 reliability RO (measure) probability for an item to perform a required function under given conditions over a given Sm time interval 2= Note 1 to entry: This is a time-dependent parameter Note 2 to entry: This parameter is related on a continuous functioning from Oto t. Note 3 to entry: For non-repairable items, Reliability and Availability are identical Note 4 to entry: In IEC 60500-194f141, the reliability is defined both as ability and as measure, 349 unreliability AQ ; (measure) probability for an item to fail to perform a required function under given conditions over a given time interval (0.¢| Note 1 to entry: F{0) is also the probability that thetime ofthe firstfailure tris lower than t: F(¢)=P(t; <¢). This is in relationship with the occurrence ofthe first failure. Note 2 to entry: F(0) is the caf (cumulative distribution function) of the time to the first failure ty of the item. It ranges from 0 to 1 when f goes from 0 to infinity. Note 3 to entr ‘The unreliability 1s the complementary of the reliability: F(¢)=1-R(¢) Note 4 to entry: When dealing with safety, F())is generally small compared to 1 and this property is used to develop approximated formulae (see Clause 7). Note 5 to entry: Unreliability is better to communicate than MTTF. 3.1.10 failure probability density fo (measure) probability for an item to fail between tand ted Note 4 to entry: /(Q is the classical paf (probability density function) of the time to the first fail f(O)= Meet ct ode) Note 2 to entr te derivative of FO f(0)= Note 3 to entry: The failure density islinked to the failure rate by the following relation Note 4to entry: /(:)=A(0)M(¢)=A(0[1-F(t)) Gee Annex C for more details) een Deon © 80 7013 - Alrrights reservedPD CEN ISO/TR 12489:2016 ISO/TR 12489:2013(F) 3441 instantaneous availability point availability ee) probability for an item tobe ina state to perform as required ata given instant Note 1 to entry: in this Technical Rep ortthe word “availability” used alone stands for “instantaneous availability”. ‘Note 2 to entry: This is a time-dependent parameter. Note 3 to entry: No matter ifthe item has failed before the given instant if ithas been repaired before. Note 4 to entry: Fornon-repairable items, Availability and Reliability are identical Note § to entry: When dealing with safety, AG) is generally close to 1 and this property is used to develop approximated formulae (see Clause 7). instantaneous unavailability point unavailability oe (measure) probability for an item not to be in a state to perform as required ata given instant Note 1 to entry: The unavailability isthe complementary of the availability: (7 = ate) Note 2 to entry: The unavailability is called “Probability of Failure on Demand” (PFD) by the standards related to the functional safety of safety related/instrumented systems (e.g. IEC 6150812). Note 3 to entry: Note 3 to entry: When dealing with safety U(#)is generally small compared to Land this property is used to develop approximated formulae (¢ae Clause 7). 3.143 Aye) average availability (measure) average value of the avaihbbility A(t) over a given interval [¢),t:| J Aes Note 1 to entry: The mathematle definition Is the followings. Ay f2)=~ at r Note 2 to entry: When f -O and t2 - Ttheaverage availability becomes Aer y= 2 fatnae Note 3 to entry: Mathematically speaking, the average availability is the mathematical expectation of the availability. It does nothave the mathomatical property of a normal probability and cannot behandled as such. 3.14 average unavailability eta) (measure) average value of the unavailability U(t) overa given interval Note 1 to entry: The average unavailability is the complementary of the average availability: Note 2 to entry: O(c, 2) Heysty) oF Or) 1-atry Note 3 to entry: The average unavailability is called ‘average Probability of Failure on Demand” (PFDayg) by the standards related to functional safety of safety related/instrumented systems (e.g. IEC 61508121): PFD), = U(r) where T'is the overall life duration of the system. Note 4 to entry: Mathematically speaking, the average unavailability is the mathematical expectation of the unavailab lity. Itdoes not havethe mathematical property ofa normal probabilityand cann othe handled as such. seeeeactncazion © 180 2013 ~ Allrights reserved 4aPD CEN ISO/TR 12489:2016 1SO/TR 12489:2013(F) Note 5 to entry: When dealing with safety (7) 1s generally small compared to 1 and this property is used to develop approximated formulae (see Clause-7), 3.1.15 probability of failure on demand PED unavailability as per 3.1.12 in the functional safety standard terminology (e.g. 1BC 61508121) Note 1 to entry: “Failure on demand” means here “failure likely to be observed when a demand occurs”. This encompasses both the failure occurred before the demand and the failure occurring due to the demand itself ‘Then this term needs not to be mixed up with the probability of a failure due to a demand (see 3.2.13). 3.1.46 average probability of failure on demand PED, ave average unavailability as per 3.1.12 in the functional safety standard terminology (eg. IBC 61508121) Note 1 to entry: “Failure on demand means here “fallure Iitely to be observed when a demand occurs”. PFDay encompasses both the failure occurred before the demand and the failure occurring due to the demand itself ‘Then this term needs notte be mixed up with theprob ability ofa failure due to a demand (s20 3.2.13). 3.1.17 steady state availability asymptotic availability Aor aas (measure) limit, when it exists, of the availability A(d) when t goes to infinity Note 1 to entry: The mathematical definition is the following: im A(e) Note 2 to entry: Mathematically speaking, the steady-state availability isa probability and can be handled as such Note to entry: When tefats th steady state avalabllty is als the average avaabilty overthe interval [0 Note 4toentry: A=A(s)=AT-rd=Aets->) Note 5 to entry: Average and steady-state availability should not be confused. The average availability exists in any cases but components with immediately revealed and quickly repaired failures reach quickly a steady-state; perlodically tested components have no steady-state, 31.18 failure rate 40 conditional probability per unit of time that the item fails between tand t+ dt, provided that it works over [0.1] ame) __ fe) Ried 1-F(e) Note 2 taentry:2(9Attsthe probsbity thatthe tm fal between tand ¢ dt provided that Ithas working over [ne] -therefars the aur ratets in rattonship with he Brtfallre ofthe related em, Note 1 to entry: 2(9 fs the hazard rate ofa vellability function: R(@)=exp(-[a(eWlr) amd A(0)=— Note 3 to entry: A(@isa time-dependent parameter. Itis generally accepted that it evalves accordingly a “bathtub” curve: decreasing during the early failures period, becoming (almost) constant during the useful life and creasing during the wear out period. s_ rrr Note 5to entry: An individual component with a constant failure rate remains permanently “as good as new” until it fails suddenly, completely and without warnings. This is the characteristic of the so-called catalecticfailures (ee definition 3.2.9) Note 4 to entry: When the failure rate is constant the followingrrelationship holds: A(t): Note 6 to entry: The failure rate {s linked to the fallure density by the following relation: (© ISO. 2013- All rights reservedPD CEN ISO/TR 12489:2016 1SO/TR 12489:2013(E) Note7 to entry: A(t)= f(Q/R(O=w)/l1-FO) Gee Annex C for more details). 3.1.19 average failure rate My.ty) » MT) average value of the time-dependent failure rate over a given time interval Note 1 to entry: The mathematical definition is the following: Z[¢,.t) 3% wal (elds or A(T) 7fieme Note 2 to entry: Mathematically speaking, the average failure rate is the mathematical expectation of the failure rate. It does not have the mathematical property of a fallure rate as per 3.1.18 and cannotbe handled as such 3.1.20 asymptotic failure rate a limit, when itexists, of the failure rate A(@ when t goes to infinity Note 1 to entry: The mathematic definition isthe following: 2° = tim A(¢) Note 20 entry: Mathematically speaking, the ary mptoticfailurerate ie failure rate and ican bohandled as euch Note 3 to entty: When exists the aymptotiralure rat is als theaveragefaliurerate ovr the interval (0, Note 4to entry: °° =A(x)=2(r— (G22) Note S to entry: Average and asymptotic any case, but: lure rate should not be confused. The average failure rate exists in = components with immediately revealed and quickly repaired failures reach quickly a steady-state corresponding to a constant asymptotic failure rate which is both, on the long term, an average failure rate as per 3.1.19 and afallure rate as per 3.1.18, i periodically tested components have no steady-state and therefore the asymptotic failure rate just docs not exist. The average of the failure rate can still be evaluated but this average has not the mathematical properties of a failure rate as per 3.1.18 (see also Figure 32, Figure 33 and Figure 34). 34.21 Vesely failure rate conditional failure intensity y(t) conditional probability per unit of time that the item fails between ¢ and tdf, provided that it was working at time 0 and at time t Note 1 to entry: The Vesely failure rate is linked to the failure frequency by the following relation: Note2 to entry: Ay(t)=(¢)/A(t)=w(t)/{1-U(e)] Gee Annex C for more details) Note 3to entry: In the general case, the Vesely failurerate is not afailurerateasper 3.1.18 and cannotbe used as such. Note 4 to entry: In special cases (e.g. system with immediately revealed and quickly repaired failures), the Vesely failure rate reaches an asymptotic valu which is also a good appraximation of the asymptotic failure rato 2® = 2%. inthis case it can be used as a failure rato as per3.1.18. we riaotranice © 150-20 18 Allright reserved 13PD CEN ISO/TR 12489:2016 1SO/TR 12489:2013(E) 3.1.22 failure frequency unconditional failure intensity w(9 conditional probability per unit of time that the ttem fails between ¢ and t+dz, provided that it was working at time 0 Note 1 to ent w(e)=Ay(@4Ce) The Failure frequency Is lnked to the Vesely fallure rate by the following relation: y(e)[1-U(0) (See Annex C for more details). Note 2 to entry: A(@, av(Q and w() should no be confused even if in particular cases they have the same numerical values. Note 3 to entry: For highly available systems, A(})=1, the followingrelationship holds: w(t)=2,(¢) Note Sto entry: When the Vesely failureratereachesanasymptoticvalue the followingrelation ship holds: w* = 2° 3.1.23 average failure frequency WE pty)» WIT), w average value of the time-dependent failure frequency over a given time interval Note 1 to entry: The mathematical definition is the following: w(t,,t,)-—' —[ w(ekle or w(t) | Jwtente ah} Note 2 to entry: The average failure frequency is also called “Probability of Failure per Hour” (PFH) by the standards related to functional safety of safety related/Instrumented systems (e.g. IEC 61508(41): PrH= (7) where Tis the overall life duration of the system. Note 3 to entry: Mathematically speaking, this is the mathematical expectation of the failure frequency. It does nothave the mathematical property of afailure frequency as per 3.1.22 and cannot be handled at such. 3.1.24 PFH DEPRECATED: probability of failure per hour average failure frequency as 3.1.23 in the functional safety standard terminology (e.g. IEC 6150812] or IBC 6151112) Note Lto entry: The old meaning "Probability of Failure per Hou" is obsolete and replaced by “average failure frequency’, ‘Neverth less PFH is still in use to keep the consistency with the previous versions of functional safety standards, 3.1.25 hazardous event frequency accident frequency 2) failure frequency as3.1.23 related to the hazardous event (or to the accident) 3.1.26 average hazardous event frequency average accident frequency Bet) BT), average frequency as 3.1.23 related to of the hazardous event (or to the accident) 3.4.27 mean up time MUT expectation of the up time Note 1 to entry: See Figure 3 and also 180 14224115] or IEC 60050-19114 for definitions of up time and dowa time. [SOURCE: IEC 60050 -191] re rcchthacn ‘© ISO 2013 Allrights reservedPD CEN ISO/TR 12489:2016 1SO/TR 12489:2013(E) 3.4.28 mean down time MDT expectation ofthe down time Note 1 to entry: See Figure 3 and also ISO 1422415] or 1EC 60050-19141 for definitions of up time and down time, [SOURCE: 1EC 60050 -191] ([Fatare] Timebetneen tates (TBF) TOF opaaing ~S| “Tie to fail (TTF) Operating stone. ‘Standby Down rate Uptime ‘ome 3.1.29 mean time to failure MTTF expected time before the item fails Note Lto entry: The MTTFis classically wed to describe the timeto failure fora non-repairableitem oto the rst faire fora repairable tem, When the tom is as good as new ater a repay its als valid or the urther Failures Gee Figure 4). Note 2 to entry: inthe cases Mustrated hy Flgure 4 the MTF may be calculated by the following formulae: verte eiede= aa Note 3 to entry: The followingrelationship holds when the failure rate is constant: MITTF = 1/2, Note 4to entry: Inthe cate illustrated by Figure 3 where operating and stand by failures are mixed, the formulas described in Note 2 to entry are-no longer valid Note Sto entry: The MTTF should note mixed up with the design life time ofthe item. Note 6 to entry: Sometimes It may be more understandable to express lifetime in probability of fallure (Le. unreliability, see 3.1.9) during a certain lifespan, Fine (Fame) Operating Stand by Figure 4 — Particular cases of the behaviour of an item over its lifetime ewvrsctrnsin © 180 2013 ~ Altrights raceevad 18PD CEN ISO/TR 12489:2016 1SO/TR 12489:2013(F) 3.1.30 mean time between failures MTBF expected time between successive failtres of a repairable item, Note 1 to entry: In the cases illustrated in Figure 4, the MTBF is linked with MT and MTTRes by the following relationship: MTBE = MTTFENTTRes. More generally Itis also linked tothe MUT and MDT by MTBR= MUT+MDT. Note 2 to entry: The acronym MTBF Is sometimes defined as the mean operating time between fallures (e.g. In JEV19104), This isnot at all the ame and, in this case, the formula described in Note 1 to entry is no longer valid. This is very confusing, therefore the traditional definition of the MTBFis retained in this Technical Report. [cea] Time to restoration (MITRes) Ea] ay Overall repairing time (MRT) ee ‘Covtecve maintenance te Ba tan |] 2 | 2s cereinemantnresine ES] idetion|| 2 er] Repartime — (evior- a] detection |) 28 |! ciate —— time PEP |) ecm Ere Eres] eee (MFD" -—_, localization correction Teas (wron) | wean || conecen || eet | me ime nee (Ee || Preparation andor say EEE] | Active Pepairtime [ese] [toes 0 w © €) Figure 5 — Repair time taxonomies as per IEV 1911441, IEC 61508121 and ISO/TR 12489 3.1.31 mean time to repair MITR expected time to achieve the repair ofa failed item Note 1 to entry: This term MTTR is used in ISO 14224115] and 180 20815ll¢ where the fault detection time is not really con sidered: 180 14224015] deals with detected faults (infact, the actual time spent to detect the faultis never known and cannot be collected} 150 208 15146) deals mainly with immediately revealed failure where the time spent to detect the faults is closeto 0 (Le. negligible). As the fault dotection time is very important forthe purpose ofthis Technical Report thereis aneed to clearly distinguish between the two following times (cf. Fisure 5) 1) the time elapsing from the actual occurrence ofthe failure of an item to its detection (¢f 3.1.35, MFDT); 2). thetime clapsingfrom the detection of the failure ofan item to thorestoration ofits function (cf.3.1.33, MRT). Note 2 to ontry: Tho acronym MTTR is defined as the mean time to restore in the IEC 60500-19114] or in the IEC 615082. This is not the same as in 180 1422415] or 180 208 151151. Therefore, In order to avold any mixed-up, the acronym MTTRes is used in this Technical Report instead of MTTR (¢f.3.1.32). 3.1.32 mean time to restoration MTTRes expected time to achteve the following actions: (see Figure 5, Figure 6 and Figure 7): + the time to detect the failure 3; and, + the time spent before startin g the repair b; and, + the effective time to repair ¢ and, + the time before the component is made available to be put back into operation d ech Gc © 180 2013- AN rights reservedPD CEN ISO/TR 12489:2016 1SO/TR 12489:2013(E) Note 1 to entry: Figure $ ilustrateshowthe times a, b, cand d defined in the IEC 61508{ standard are linked to the delays defined in the IEC 60050-19114] standard. Time b starts at the end of a time c starts at the end of b; time d starts at the end of c. Note 2toentry: Figures, Figure 6 and Figure? can be used to understand the differences between the definitions of MTTRes, MRT and MART used in this Technical Report. Note 3 to entry: The MTTRes slinked to the MRT and the MFDT by the followin g for mula: MTTRes = MFDT + MRT. 8 Prepatation Active Wating ) End ot €| satue repair time andlor detay| tale 3 —— Dowmtine Restoration time ‘overall repairing tne Tne = (__The protected) i installation is running during repair) Tine Random ; duration Tho protec 7 installation reaches 2 Tes a sofe state safe tate (TTS) Time Determii * @ ‘Maximum penitted repat time (UPRT) Tine Figure 6 — Mlustration of the restoration time and of the risk exposure for immediately revealed failures of an item 3.1.33 MRT mean overall repairing time expected time to achieve the following actions: + the time spent before starting the repairb; and, + theeffective time to repair c and, «the time before the component is made available to be is put back into operation d Note 1 to entry: See Figure, Figure 6 and Figure 7. Note 2 to entry: The terms “repair”, “repairable”, “repaired” used in this Technical Report, unless otherwise specified, arerelated to the overall repairing time (see Figure 5). Note 3 to ontry: When a safety system operating in demand mode is faulty, the risk disappears as toon as the protected installation is placed in 2 safe state (e.g. stopped). In this case (see Figure 6 and Figure 7) the MTTS replaces the MRT (see 3.1.36) with regard to the probabilistic calculations. Note 4to entry; This definition is in line with IEC 6150812] but not with IEC 60050-191.141 me riastrasioe ©1S0 2013 Allrights reserved ”