
ARTICLE IN PRESS

Reliability Engineering and System Safety 92 (2007) 1267–1273

www.elsevier.com/locate/ress

A simple reliability block diagram method for safety integrity verification

Haitao Guo, Xianhui Yang
Department of Automation, Tsinghua University, Beijing 100084, China
Received 27 June 2006; received in revised form 31 July 2006; accepted 8 August 2006
Available online 2 October 2006

Abstract

IEC 61508 requires safety integrity verification for safety related systems to be a necessary procedure in the safety life cycle. PFDavg must be calculated to verify the safety integrity level (SIL). Since IEC 61508-6 does not give detailed explanations of the definitions and PFDavg calculations for its examples, it is difficult for common reliability or safety engineers to understand when they use the standard as guidance in practice. A method using reliability block diagrams is investigated in this study in order to provide a clear and feasible way of PFDavg calculation and help those who take IEC 61508-6 as their guidance. The method finds mean down times (MDTs) of both channel and voted group first and then PFDavg. The calculated results of various voted groups are compared with those in IEC 61508 part 6 and Ref. [Zhang T, Long W, Sato Y. Availability of systems with self-diagnostic components-applying Markov model to IEC 61508-6. Reliab Eng System Saf 2003;80(2):133–41]. An interesting outcome can be realized from the comparison. Furthermore, although differences in MDT of voted groups exist between IEC 61508-6 and this paper, the PFDavg of voted groups are comparatively close. With detailed description, the RBD method presented can be applied to quantitative SIL verification, showing a similarity to the method in IEC 61508-6.
© 2006 Elsevier Ltd. All rights reserved.

Keywords: Safety related system; Reliability block diagram; Safety integrity level; Probability of failure on demand; IEC 61508

1. Introduction

IEC 61508 [1], published in 2000, has been adopted by many countries as their national standard and is being updated. Two significant concepts, safety life cycle and safety integrity level (SIL) [1–3], appeared in IEC 61508. A necessary procedure of the safety life cycle is SIL verification, which verifies whether the average probability of failure on demand (PFDavg) of designed safety related systems (SRS) meets the required failure measure. If not, retrofit or modification must be taken to reduce the PFDavg of the safety related system till the safety goal is satisfied. Besides PFDavg verification, architectural constraints defined in IEC 61508 must also be considered during the SIL verification process [17]. This study focuses on PFDavg calculation.

Since IEC 61508 is a performance based standard, the verification can be done through a number of probabilistic analysis techniques. There are many techniques in the published literature, such as fault tree analysis (FTA) [4,5], reliability block diagram (RBD) [6], Markov Analysis (MA) [5,7,8,13], simplified equations [9,10] and hybrid method [11]. Rouvroye and Brombacher [12] compared those techniques and outlined their advantages and disadvantages. Bukowski [13] compared MA and simplified equations and provided an overview of their advantages and disadvantages. Andrews and Ericson II [14] analyzed various design complexities using FTA and MA respectively, and they concluded that both FTA and MA can provide satisfactory accuracy of calculation, but the FTA model is more intuitive and easier to create for large and complex systems. What can also be seen is that the outcomes of FTA and MA are considerably close in Ref. [5]. Hauge et al. [15] introduced a method called PDS to quantify the safety unavailability and loss of production

Corresponding author. Tel.: +86 10 6278 5845x231; fax: +86 10 6279 0497.
E-mail address: [email protected] (H. Guo).

0951-8320/$ - see front matter © 2006 Elsevier Ltd. All rights reserved.
doi:10.1016/j.ress.2006.08.002

for safety instrumented systems. PDS accounts for all types of failure categories: technical, software, human, etc.

RBD, which has mathematical characteristics equivalent to FTA, has been widely used in reliability engineering for many years. By the RBD technique, IEC 61508-6 shows the verification of SIL through calculating the average probability of failure on demand (PFDavg). While IEC 61508 has been adopted as the national standard of many countries, its demonstration can also be regarded as a guide for doing PFDavg calculations. An RBD model reveals the logical reliability structure of the involved SRS and can easily be created even for a complex, large SRS. However, IEC 61508-6 does not give a detailed description of the RBD it uses, and its results are different from those of the Markov model by Zhang et al. [8]. Consequently, the technique used in IEC 61508-6 gets questioned. Besides, no other papers dealing with SIL verification by the RBD technique can be found yet, and so RBD needs more support in the field of functional safety.

Because IEC 61508-6 does not give explanations of the definitions and PFDavg calculations for its examples in detail, it is difficult to use the standard as guidance in practice. In order to provide a clear and feasible way of SIL verification, an RBD method for PFDavg calculation is presented in this paper with detailed explanation, including the definitions, assumptions and parameters regulated in IEC 61508-6 [6] based on specific system architectures and associated conditions. The method finds mean down times (MDTs) of both channel and voted group first and then PFDavg. The results achieved in this study are compared with those of the IEC 61508-6 demonstration and Ref. [8]. Through the comparison, an interesting outcome can be realized. The RBD method in this study can be applied to quantitative SIL verification and helps those who take IEC 61508-6 as their guidance.

2. Reliability block diagram

A reliability block diagram (RBD) is a graphical analysis technique which expresses the concerned system as connections of a number of components in accordance with their logical relation of reliability. Series connections represent logic "and" of components, and parallel connections represent logic "or", while combinations of series and parallel connections represent voting logic. From the leftmost node to the rightmost node there are several paths, which are the conditions for successful operation of the system. If a component fails, the corresponding connection is cut off. As failures of components occur, the system keeps operating successfully until no valid path from the leftmost node to the rightmost node can be made up of available connections. Then, the probability of failure of the system can be calculated according to probabilistic principles.

An RBD model is intuitive and easy to establish. For instance, a 1oo2 voted group consists of two voted channels, each of which has its own component(s). Common cause failure can take place upon the two channels. A 1oo2 voted group with one sensor for each channel can be represented by the RBD shown in Fig. 1.

Fig. 1. A RBD example.

3. Definitions and assumptions

3.1. Equivalent MDT

In IEC 61508-6, one system architecture (group) consists of one or more redundant channels, and there is a voting logic for the architecture, such as 1oo1 or 1oo2. In the steady state, the normal operation and failure states of the channel(s) and the group appear by turns because of failure detection and repair. The voting logic determines how many channel failures will cause the group to fail.

The equivalent MDT of a component is defined as the average length of the period during which the component is in the dangerous failure state at the steady state. The dangerous failure state refers to the state in which the component cannot take the proper response to dangerous process demands, which may lead to unexpected accidents, while the process is still operating.

The PFDavg calculations in this study depend on equivalent MDTs: the group equivalent MDT and the channel equivalent MDT.

3.2. Average probability of failure on demand

Probability of failure on demand is defined as the probability of failing to take the correct action when a process demand arises. Since the steady state is under consideration, PFD is averaged over an infinite interval.

3.3. Assumptions

The technique and results developed in this paper are based on the following assumptions:
(i) The resulting average probability of failure on demand for the subsystem is less than 10^-1, or the resultant probability of failure per hour for the subsystem is less than 10^-5.
(ii) Component failure and repair rates are constant over the life of the system.
(iii) The hardware failure rates used as inputs to the calculations and tables are for a single channel of the subsystem.

(iv) All channels in a voted group have the same failure rate and diagnostic coverage rate.
(v) The overall hardware failure rate of a channel in a subsystem is the sum of the failure rates of dangerous and safe failures for that channel. These values are assumed to be equal.
(vi) For each safety function, there is perfect proof testing and repair. Namely, all failures that remain undetected are assumed to be detected by the proof test.
(vii) The proof test interval is at least one order of magnitude greater than the diagnostic test interval.
(viii) The demand rate and expected interval between demands are not considered in this study.
(ix) For each subsystem, there is a single proof test interval and mean time to restoration.
(x) Multiple repair teams (each of them is assumed to have the same repair rate) are available to work on all known faults in a system.
(xi) The expected interval between demands is at least an order of magnitude greater than the mean time to restoration.

Other assumptions can be found in Annex B of IEC 61508-6 [6].

4. Self-diagnostic

Nowadays, a lot of equipment can detect its own failures, but the diagnostic coverage (DC), the percentage of failures detected, is seldom 100%. The total dangerous failure rate is divided into detected failure and undetected failure with failure rates $\lambda_{DU}$ and $\lambda_{DD}$, respectively. That is

$$\lambda_D = \lambda_{DD} + \lambda_{DU}. \quad (1)$$

Repair rates of the two types of failure are also separated, $\mu_{DD}$ for dangerous detected failure and $\mu_{DU}$ for dangerous undetected failure, as below:

$$\mu_{DD} = MTTR^{-1}, \quad (2)$$

$$\mu_{DU} = \left(\frac{T_I}{2} + MTTR\right)^{-1}, \quad (3)$$

where $T_I$ and $MTTR$ denote the proof test interval and the mean time to restoration.

Actually, some failures of equipment can cause safety related systems to fail safely, which may lead to a spurious process shutdown. This kind of failure is defined as safe failure. Safe failures are also divided into detected failure and undetected failure with failure rates $\lambda_{SD}$ and $\lambda_{SU}$, respectively. Moreover, no-effect failures are the equipment failures that have no effect on the SRS. Accordingly, no-effect failures contribute neither to PFD nor to the probability of failing safely.

5. RBD for calculating PFDavg

5.1. 1oo1 architecture

This architecture consists of a single channel, where any dangerous failure leads to a failure of the safety function when a demand arises. Fig. 2 shows the RBD of the 1oo1 architecture. $Q_i$ represents a failure and its failure rate is located at the top right corner of the same rectangle. Channel equivalent MDT is represented by $t_{CE}$. The probability of dangerous failure is

$$F(t) = F_1(t) + F_2(t)$$

and for the steady state

$$F = F_1 + F_2. \quad (4)$$

Using $\omega_1$ and $\omega_2$ to denote the steady failure frequencies of $Q_1$ and $Q_2$, respectively, the following equations hold:

$$F_1 = \frac{\lambda_{DU}}{\lambda_{DU} + \mu_{DU}}, \quad F_2 = \frac{\lambda_{DD}}{\lambda_{DD} + \mu_{DD}}, \quad \omega_1 = \frac{\lambda_{DU}\,\mu_{DU}}{\lambda_{DU} + \mu_{DU}}, \quad \omega_2 = \frac{\lambda_{DD}\,\mu_{DD}}{\lambda_{DD} + \mu_{DD}}. \quad (5)$$

Channel failure frequency $\omega_C$ can be calculated as [16]

$$\omega_C = \sum_i \frac{\partial F}{\partial F_i}\,\omega_i. \quad (6)$$

Channel equivalent MDT equals the steady failure probability divided by the steady failure frequency, that is

$$t_{CE} = \frac{F}{\omega_C}. \quad (7)$$

From Eqs. (1)–(7) and the condition $\lambda \ll \mu$, $t_{CE}$ can be derived approximately as

$$t_{CE} \approx \frac{\lambda_{DU}\,\mu_{DD} + \lambda_{DD}\,\mu_{DU}}{\lambda_{DU}\,\mu_{DU}\,\mu_{DD} + \lambda_{DD}\,\mu_{DU}\,\mu_{DD}} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2} + MTTR\right) + \frac{\lambda_{DD}}{\lambda_D}\,MTTR. \quad (8)$$

Since the 1oo1 architecture has only one channel, the voted group equivalent MDT is equal to the channel equivalent MDT, viz., $t_{GE} = t_{CE}$. Then, the average probability of failure on demand

Fig. 2. RBD for 1oo1 architecture.

for the system architecture, $PFD_G$, depends on $t_{GE}$, thus

$$PFD_G = 1 - e^{-\lambda_D t_{CE}} \approx \lambda_D\,t_{CE}. \quad (9)$$

The result above is identical with that in IEC 61508-6 Annex B.

5.2. 1oo2 architecture

This architecture consists of two channels connected in parallel, so that either channel can process the safety function. Thus there would have to be a dangerous failure in both channels before a safety function failed on demand. It is assumed that any diagnostic test would only report the faults found and would not change any output states or change the output voting. Fig. 3 contains the relevant block diagram. Note that common cause failure has to be considered because there are two identical channels. $\beta$ denotes the fraction of undetected failures that have a common cause, while $\beta_D$ is the fraction of those failures detected by the diagnostic tests that have a common cause.

The approximate probability of failure of the 1oo2 architecture is

$$F(t) = [Q_1(t) + Q_2(t)]\,[Q_3(t) + Q_4(t)].$$

With the same procedure introduced in Section 5.1, the voted group equivalent MDT, $t_{GE}$, can be obtained as follows:

$$t_{GE} = \frac{1}{2}\,\frac{\lambda_{DU}/(\lambda_{DU} + \mu_{DU}) + \lambda_{DD}/(\lambda_{DD} + \mu_{DD})}{\lambda_{DU}\,\mu_{DU}/(\lambda_{DU} + \mu_{DU}) + \lambda_{DD}\,\mu_{DD}/(\lambda_{DD} + \mu_{DD})} \approx \frac{1}{2}\,\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2} + MTTR\right) + \frac{1}{2}\,\frac{\lambda_{DD}}{\lambda_D}\,MTTR = \frac{1}{2}\,t_{CE}. \quad (10)$$

The channel equivalent MDT, $t_{CE}$, is just the same as Eq. (8) in Section 5.1. It can be seen that the voted group equivalent MDT is exactly half of the channel equivalent MDT. That agrees with intuition.

When one channel fails, the group is in a degraded operation state that can still perform the intended function on a process demand. The equivalent MDT of the first failed channel is $t_{CE}$. Then, when the second channel failure occurs, the group fails. Therefore, the equivalent MDT of the second failed channel is equal to the group equivalent MDT. One channel's PFDavg depends on $t_{CE}$ and the other's on $t_{GE}$:

$$PFD_G = 2\left(1 - e^{-\lambda_D t_{CE}}\right)\left(1 - e^{-\lambda_D t_{GE}}\right) \approx 2\lambda_D^2\,t_{CE}\,t_{GE}$$

and by considering the effects of common causes

$$PFD_G = 2\left[(1 - \beta)\lambda_{DU} + (1 - \beta_D)\lambda_{DD}\right]^2 t_{CE}\,t_{GE} + \beta\lambda_{DU}\left(\frac{T_I}{2} + MTTR\right) + \beta_D\lambda_{DD}\,MTTR. \quad (11)$$

The $PFD_G$ derived is identical with that in IEC 61508-6 Annex B, while $t_{GE}$ differs. However, the numeric results of $PFD_G$ are very close to those of IEC 61508-6, as shown in the comparison section of this paper.

Fig. 3. RBD for 1oo2 architecture.

5.3. 2oo2 architecture

This architecture consists of two channels connected in parallel so that both channels need to demand the safety function before it can take place. Fig. 4 shows the RBD of the 2oo2 architecture. Since two 1oo1 blocks are connected in series, referring to Section 5.1, $PFD_G$ is

$$PFD_G = 2\lambda_D\,t_{CE}, \quad (12)$$

where $t_{CE}$ is given in Eq. (8).

Fig. 4. RBD for 2oo2 architecture.

5.4. 2oo3 architecture

Fig. 5. RBD for 2oo3 architecture.

This architecture consists of three channels connected in parallel with a majority voting arrangement for the output signals, so that the output state is not changed if only one channel gives a different result, which disagrees with the other two channels. Fig. 5 shows the RBD of the 2oo3 architecture. Its equivalent transformation is given in Fig. 6. Referring to Section 5.1 and by considering the effects

of common causes, $PFD_G$ is

$$PFD_G = 6\left[(1 - \beta)\lambda_{DU} + (1 - \beta_D)\lambda_{DD}\right]^2 t_{CE}\,t_{GE} + \beta\lambda_{DU}\left(\frac{T_I}{2} + MTTR\right) + \beta_D\lambda_{DD}\,MTTR, \quad (13)$$

where $t_{CE}$ is given in Eq. (8) and $t_{GE}$ in Eq. (10). The $PFD_G$ derived is identical with that in IEC 61508-6 Annex B, while $t_{GE}$ differs.

Fig. 6. Equivalent RBD for 2oo3 architecture.

5.5. 1oo2D architecture

Two channels in this architecture are connected in parallel. During normal operation, both channels need to demand the safety function before it can take place. In addition, if the diagnostic tests detect a fault in either channel, the output voting is adapted so that the overall output state then follows that given by the other channel. If the diagnostic tests find faults in both channels, or a discrepancy that cannot be allocated to either channel, the output goes to the safe state. In order to detect a discrepancy between the channels, either channel can determine the state of the other via a means independent of the other channel. Fig. 7 shows the RBD of the 1oo2D architecture. $\lambda_{SD}$ is the failure rate of safe detected failures. Referring to the procedures in Sections 5.1 and 5.2, $t_{CE}$, $t_{GE}$ and $PFD_G$ for the 1oo2D architecture are:

$$t_{CE} = \frac{\lambda_{DU}}{\lambda_D + \lambda_{SD}}\left(\frac{T_I}{2} + MTTR\right) + \frac{\lambda_{DD} + \lambda_{SD}}{\lambda_D + \lambda_{SD}}\,MTTR, \quad (14)$$

$$t_{GE} = \frac{1}{2}\,\frac{\lambda_{DU}}{\lambda_D + \lambda_{SD}}\left(\frac{T_I}{2} + MTTR\right) + \frac{1}{2}\,\frac{\lambda_{DD} + \lambda_{SD}}{\lambda_D + \lambda_{SD}}\,MTTR, \quad (15)$$

$$PFD_G = 2(1 - \beta)\lambda_{DU}\left[(1 - \beta)\lambda_{DU} + (1 - \beta_D)\lambda_{DD}\right] t_{CE}\,t_{GE} + \beta\lambda_{DU}\left(\frac{T_I}{2} + MTTR\right) + \beta_D\lambda_{DD}\,MTTR. \quad (16)$$

Common cause failures are considered in the $PFD_G$ calculation. The $PFD_G$ derived is identical with that in IEC 61508-6 Annex B, while $t_{GE}$ differs.

Fig. 7. Equivalent RBD for 1oo2D architecture.

6. Results comparison

IEC 61508-6, Ref. [8] and this paper have obtained identical average probabilities of failure on demand for the group of voted channels, but the voted group and channel equivalent MDTs are different, as shown in Table 1.

In Table 1, it can be seen that the only differences between the results of IEC 61508-6 and this paper are $t_{GE}$ for some architectures. IEC 61508-6 calculates $t_{GE}$ by adding the individual down times from both dangerous detected failure and undetected failure in direct proportion to the contribution of each failure to the probability of failure of the group. In Ref. [8], the channel equivalent MDTs are different from those in IEC 61508-6 and this paper. However, it is very interesting to note that the results of $t_{CE}$ in Ref. [8] have the same expressions as the results of $t_{GE}$ in IEC 61508-6, while the results of $t_{GE}$ in Ref. [8] are identical with the results of $t_{GE}$ derived in this paper. Based on these differences, Zhang et al. think that a discrepancy exists.

Although IEC 61508-6 and this paper have different $t_{GE}$, the numeric results of $PFD_G$ of both are comparatively close. The calculated $PFD_G$ are almost identical. Table 2 illustrates the nearness.

SILs are distinguished by their ranges of PFDavg magnitudes according to the definition [3]. Therefore, such a tiny difference as found in Table 2 can reasonably be neglected in SIL verification. The technique presented is quite feasible in practical application.

7. Conclusion

IEC 61508 requires safety integrity verification for SRS to be a necessary procedure in the safety life cycle. RBD analysis is carried out to compute the PFDavg of voted groups, and the results show accordance with those in IEC 61508-6. The RBD method in this study can be applied to quantitative SIL verification. Moreover, the method helps those who take IEC 61508-6 as their

Table 1
Comparison of channel equivalent MDT and voted group MDT

| Sys. | MDT | This paper | IEC 61508-6 | Ref. [7] |
|---|---|---|---|---|
| 1oo1 | $t_{CE}$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2}+MTTR\right)+\frac{\lambda_{DD}}{\lambda_D}MTTR$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2}+MTTR\right)+\frac{\lambda_{DD}}{\lambda_D}MTTR$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2}+MTTR\right)+\frac{\lambda_{DD}}{\lambda_D}MTTR$ |
| 2oo2 | $t_{GE}$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2}+MTTR\right)+\frac{\lambda_{DD}}{\lambda_D}MTTR$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2}+MTTR\right)+\frac{\lambda_{DD}}{\lambda_D}MTTR$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2}+MTTR\right)+\frac{\lambda_{DD}}{\lambda_D}MTTR$ |
| 1oo2 | $t_{CE}$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2}+MTTR\right)+\frac{\lambda_{DD}}{\lambda_D}MTTR$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2}+MTTR\right)+\frac{\lambda_{DD}}{\lambda_D}MTTR$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{3}+MTTR\right)+\frac{\lambda_{DD}}{\lambda_D}MTTR$ |
| 1oo2 | $t_{GE}$ | $\frac{1}{2}t_{CE}$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{3}+MTTR\right)+\frac{\lambda_{DD}}{\lambda_D}MTTR$ | $\frac{1}{2}t_{CE}$ |
| 2oo3 | $t_{CE}$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2}+MTTR\right)+\frac{\lambda_{DD}}{\lambda_D}MTTR$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2}+MTTR\right)+\frac{\lambda_{DD}}{\lambda_D}MTTR$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{3}+MTTR\right)+\frac{\lambda_{DD}}{\lambda_D}MTTR$ |
| 2oo3 | $t_{GE}$ | $\frac{1}{2}t_{CE}$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{3}+MTTR\right)+\frac{\lambda_{DD}}{\lambda_D}MTTR$ | $\frac{1}{2}t_{CE}$ |
| 1oo2D | $t_{CE}$ | $\frac{\lambda_{DU}}{\lambda_D+\lambda_{SD}}\left(\frac{T_I}{2}+MTTR\right)+\frac{\lambda_{DD}+\lambda_{SD}}{\lambda_D+\lambda_{SD}}MTTR$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{2}+MTTR\right)+\frac{\lambda_{DD}}{\lambda_D}MTTR$ | $\frac{\lambda_{DU}}{\lambda_D+\lambda_{SD}}\left(\frac{T_I}{2}+MTTR\right)+\frac{\lambda_{DD}+\lambda_{SD}}{\lambda_D+\lambda_{SD}}MTTR$ |
| 1oo2D | $t_{GE}$ | $\frac{1}{2}t_{CE}$ | $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_I}{3}+MTTR\right)+\frac{\lambda_{DD}}{\lambda_D}MTTR$ | $\frac{1}{2}t_{CE}$ |

Table 2
Numeric comparison of $t_{GE}$ and $PFD_G$

Common parameters: $MTTR = 8$ h, $\beta = 10\%$, $\beta_D = 5\%$, $\lambda_{SD} = \lambda_{DD}$, $DC = 90\%$, $\lambda_{DD} = \lambda_D \times DC$.

| Sys. | Index | This paper ($\lambda_D = 5 \times 10^{-7}$ h$^{-1}$, $T_I = 4380$ h) | IEC 61508 (same) | This paper ($\lambda_D = 5 \times 10^{-7}$ h$^{-1}$, $T_I = 8760$ h) | IEC 61508 (same) | This paper ($\lambda_D = 2.5 \times 10^{-6}$ h$^{-1}$, $T_I = 8760$ h) | IEC 61508 (same) |
|---|---|---|---|---|---|---|---|
| 1oo2 | $t_{GE}$ (h) | 113.5 | 154 | 223 | 300 | 223 | 300 |
| 1oo2 | $PFD_G$ | $1.1182 \times 10^{-5}$ | $1.1183 \times 10^{-5}$ | $2.2164 \times 10^{-5}$ | $2.2180 \times 10^{-5}$ | $1.1171 \times 10^{-4}$ | $1.1209 \times 10^{-4}$ |
| 2oo3 | $t_{GE}$ (h) | 113.5 | 154 | 223 | 300 | 223 | 300 |
| 2oo3 | $PFD_G$ | $1.1205 \times 10^{-5}$ | $1.1217 \times 10^{-5}$ | $2.2253 \times 10^{-5}$ | $2.2299 \times 10^{-5}$ | $1.1393 \times 10^{-4}$ | $1.1508 \times 10^{-4}$ |
| 1oo2D | $t_{GE}$ (h) | 61 | 84.8421 | 119.2632 | 161.6842 | 119.2632 | 161.6842 |
| 1oo2D | $PFD_G$ | $1.117 \times 10^{-5}$ | $1.117 \times 10^{-5}$ | $2.2121 \times 10^{-5}$ | $2.2122 \times 10^{-5}$ | $1.1063 \times 10^{-4}$ | $1.1064 \times 10^{-4}$ |
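The equations of Section 5 carried through in code, as an added example that is not the paper's own code: it implements Eqs. (8)–(16) for identical channels and evaluates them with the Table 2 parameter set, so the "This paper" column can be reproduced from the formulas. The function and field names are this example's own.

```python
"""Eqs. (8)-(16) of Section 5 in code, with the Table 2 parameter set.
Added example, not the paper's own code."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Channel:
    # Assumptions (ii)-(v): identical channels, constant rates, lambda_DD = DC * lambda_D.
    lam_d: float    # dangerous failure rate lambda_D (1/h)
    dc: float       # diagnostic coverage DC
    ti: float       # proof test interval T_I (h)
    mttr: float     # mean time to restoration MTTR (h)
    beta: float     # common-cause fraction of undetected failures
    beta_d: float   # common-cause fraction of detected failures
    lam_sd: float   # safe detected failure rate lambda_SD (1oo2D only)

    @property
    def lam_dd(self) -> float:
        return self.dc * self.lam_d

    @property
    def lam_du(self) -> float:          # Eq. (1)
        return self.lam_d - self.lam_dd

def t_ce(c: Channel) -> float:
    """Eq. (8): channel equivalent MDT, 1/mu_DU = T_I/2 + MTTR and 1/mu_DD = MTTR."""
    return c.lam_du / c.lam_d * (c.ti / 2 + c.mttr) + c.lam_dd / c.lam_d * c.mttr

def t_ge(c: Channel) -> float:
    """Eq. (10): voted group MDT is half the channel MDT."""
    return t_ce(c) / 2

def t_ce_1oo2d(c: Channel) -> float:
    """Eq. (14): safe detected failures also take a 1oo2D channel out of voting."""
    tot = c.lam_d + c.lam_sd
    return c.lam_du / tot * (c.ti / 2 + c.mttr) + (c.lam_dd + c.lam_sd) / tot * c.mttr

def common_cause(c: Channel) -> float:
    """Common-cause term shared by Eqs. (11), (13) and (16)."""
    return c.beta * c.lam_du * (c.ti / 2 + c.mttr) + c.beta_d * c.lam_dd * c.mttr

def indep(c: Channel) -> float:
    """(1 - beta) lambda_DU + (1 - beta_D) lambda_DD: the non-common-cause part."""
    return (1 - c.beta) * c.lam_du + (1 - c.beta_d) * c.lam_dd

def pfd_1oo1(c: Channel) -> float:   # Eq. (9)
    return c.lam_d * t_ce(c)

def pfd_2oo2(c: Channel) -> float:   # Eq. (12): two 1oo1 blocks in series
    return 2 * c.lam_d * t_ce(c)

def pfd_1oo2(c: Channel) -> float:   # Eq. (11)
    return 2 * indep(c) ** 2 * t_ce(c) * t_ge(c) + common_cause(c)

def pfd_2oo3(c: Channel) -> float:   # Eq. (13): three channel pairs, hence the 6
    return 6 * indep(c) ** 2 * t_ce(c) * t_ge(c) + common_cause(c)

def pfd_1oo2d(c: Channel) -> float:  # Eq. (16), with t_GE = t_CE / 2 from Eq. (15)
    tce = t_ce_1oo2d(c)
    return 2 * (1 - c.beta) * c.lam_du * indep(c) * tce * (tce / 2) + common_cause(c)

def table2_row(lam_d: float, ti: float) -> dict:
    """'This paper' column of Table 2: MTTR = 8 h, beta = 10%, beta_D = 5%,
    DC = 90%, lambda_SD = lambda_DD."""
    c = Channel(lam_d, dc=0.9, ti=ti, mttr=8.0, beta=0.10, beta_d=0.05, lam_sd=0.9 * lam_d)
    return {"1oo2_tGE": t_ge(c), "1oo2_PFD": pfd_1oo2(c),
            "2oo3_tGE": t_ge(c), "2oo3_PFD": pfd_2oo3(c),
            "1oo2D_tGE": t_ce_1oo2d(c) / 2, "1oo2D_PFD": pfd_1oo2d(c)}

if __name__ == "__main__":
    for lam_d, ti in ((5e-7, 4380), (5e-7, 8760), (2.5e-6, 8760)):
        row = {k: f"{v:.4g}" for k, v in table2_row(lam_d, ti).items()}
        print(f"lambda_D={lam_d:g} 1/h, T_I={ti} h:", row)
```

The common-cause term dominates every PFD in the table; the independent-failure term is two to three orders of magnitude smaller, which is why the different $t_{GE}$ of IEC 61508-6 barely moves the result.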

guidance. The technique presented has the following characteristics:

- RBD models can reflect the reliability structure of the concerned system.
- RBD models are intuitive and easy to create.
- Numeric accuracy of the average probability of failure on demand is satisfactory.
- Similar to the method demonstrated by IEC 61508-6, this method has more detailed explanations.

Through the comparison in Section 6, it can be found that the results of channel equivalent MDT in Ref. [8] have the same expressions as the results of voted group equivalent MDT in IEC 61508-6, while the results of voted group equivalent MDT in Ref. [8] are identical with those derived in this paper. Efforts are still needed in the future to study the discrepancy of voted group and channel equivalent MDTs in Ref. [8].

Acknowledgements

The paper is a result of work financially supported by the National Natural Science Foundation of China.

References

[1] Brown S. Overview of IEC 61508: functional safety of electrical/electronic/programmable electronic safety-related systems. Comput Control Eng J 2000;11(1):6–12.
[2] Stavrianidis P, Bhimavarapu K. Performance-based standards: safety instrumented functions and safety integrity levels. J Hazard Mater 2000;71(1):449–65.
[3] IEC 61508. Functional safety of electrical/electronic/programmable electronic safety-related systems. International Electrotechnical Commission.
[4] Beckman L. Easily assess complex safety loops. Chem Eng Progr 2001;97(3):57–9.
[5] Goble W, Cheddie H. Control system safety evaluation and reliability. US: ISA; 1998.
[6] IEC 61508-6. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 6. Guidelines on the application of IEC 61508-2 and IEC 61508-3.
[7] Bukowski J, Goble W. Using Markov models for safety analysis of programmable electronic systems. ISA Trans 1995;34(2):193–8.
[8] Zhang T, Long W, Sato Y. Availability of systems with self-diagnostic components-applying Markov model to IEC 61508-6. Reliab Eng System Saf 2003;80(2):133–41.
[9] ISA-S84.01.1996. Application of safety instrumented systems for process industries.
[10] Summers A. Viewpoint on ISA TR84.0.02—simplified methods and fault tree analysis. ISA Trans 2000;39(2):125–31.
[11] Knegtering B, Brombacher A. Application of micro Markov models for quantitative safety assessment to determine safety integrity levels as defined by the IEC 61508 standard for functional safety. Reliab Eng System Saf 1999;66(2):171–5.
[12] Rouvroye J, Brombacher A. New quantitative safety standards: different techniques, different results? Reliab Eng System Saf 1999;66(2):121–5.
[13] Bukowski J. A comparison of techniques for computing PFD average. In: Proceedings of the annual reliability and maintainability symposium, 2005. p. 590–5.
[14] Andrew J, Ericson II C. Fault tree and Markov analysis applied to various design complexities. In: Proceedings of the 18th international system safety conference, 2000.
[15] Hauge S, Hokstad P, Langseth H, et al. Reliability prediction method for safety instrumented systems, PDS method handbook, 2006 edition. Norway: SINTEF; 2006.
[16] Mei QZ, Liao JS, Sun HZ. Basis of system reliability engineering. Beijing: Publication of Science; 1987. pp. 235–245 [in Chinese].
[17] Van Beurden I, Amkreutz R. Safety integrity level verification—A PFD average calculation is not enough. Hydrocarbon Process 2001;80(10):47–50.