Module 9 focuses on data estimation for Safety Instrumented Systems (SIS) performance verification, emphasizing the calculation of probability of failure on demand (PFD) and monitoring spurious trip rates. It discusses various data sources, including internal, published, and manufacturer data, and highlights the importance of understanding failure modes and mechanisms. The module also outlines the significance of preventive maintenance, proof testing, and the need for competent personnel in ensuring system reliability and integrity.

www.sis-tech.com

Module 9
Data Estimation

Introduction
• IEC 61511 Clause 11.9 requires verification of the SIS performance through calculation of the probability of failure on demand (PFD) or the average frequency of dangerous failure per hour (PFH)
• IEC 61511-1:2010 Clause 16.2.9 requires monitoring of the cause and frequency of spurious trips of the SIS (among other performance parameters) and comparison against the expected behavior.
• Various types of data estimates are discussed with an emphasis on collecting internal and industrial data

Module 9 – Data Estimation © SIS-TECH



Performance Verification
• Integrity
– Equipment must be user approved
– Subsystems must provide minimum fault tolerance
– Systems must achieve probability of failure on
demand
• (or hazard rate if continuous mode)
• Reliability
– Spurious trip rate
– Understand Secondary Consequences

Why verification using models?
• All devices, even the best, eventually fail.
• Demonstrates that system can theoretically
achieve the required integrity and desired
reliability
• Identifies weaknesses in the design and
mechanical integrity strategy
– Allows comparison of options
– Evaluate how combination of voting and test interval
affect the predicted performance


Caution on SIL Verification


• Only addresses random, hardware failure
– No software errors
• Random hardware failure due to:
– Known Equipment Failure Modes
• Operating within service life
– Operating environment
– Mechanical integrity practices
• How well you maintain it
• Assumes competent personnel, good
procedures and training, and quality work
execution


Caution on SIL Verification
• Does not consider fractional dead time due to test or bypass
• Use a separate metric to ensure this time is minimized
  – Total hours out of service per SIF
  – Number out of service beyond specified repair time
  – Number out of service beyond specified repair time that are approved or not approved by MOC

ISO 12489 – 2013
Random versus systematic failures (figure)

Failure
• Random – natural degradation mechanisms under design stresses
  – Hardware, non aging (constant failure rate): electronic components; useful life; mix of numerous failure modes
  – Hardware, aging (non constant failure rate): youth; wearout; mechanical components
  – Human: operation under stress; non routine operation; delayed operation; oral communication; omission/error in routine operation; etc.
• Systematic – deterministic under given conditions
  – Hardware items: specification; design; installation; unforeseen stresses; wrong fluid; etc.
  – Software items: specification; code; implementation; updating; inadequate tests; etc.
  – Human: lack of training; cognition; ergonomics; HMI; error in the procedure writing; etc.

Random Failures
• Early – dominated by systematic failures: typically due to manufacturing defects, assembly errors, installation errors or implementation mistakes
• Useful life – dominated by random failures: the failure rate can be considered relatively constant, because early failures have been corrected and wear-out failures have not begun
• Wear-out – due to aging or other mechanisms that lead to a predictable increase in the failure rate relative to the useful-life failure rate

Bath Tub Curve
• Verification and validation after installation identify early failures
• Inspection and preventive maintenance maintain the constant failure rate and detect wear out
• Proof tests prove that your mechanical integrity program is adequate to maintain the equipment in the “as good as new” condition

CCPS IPS Book

Failure Modes and Effects Analysis


(FMEA)
• A qualitative analysis method:
– identifies equipment failure modes,
– determines their impact on the equipment
operation, and
– classifies the impact severity
• impact on the system operation
• Hazard analysis at the device level


Failure Modes and Effects Analysis


(FMEA)
• Failure mode
– The manner (e.g., symptom, condition, or effect) by
which a failure is observed
• Fails to close
• Effect
– The consequence the failure mode has on the
operation of the equipment
• Process is not isolated and hazardous event propagates
• Classification
– How the effect impacts the operation of the system
• Dangerous


Failure Modes
• Complete failures
– Loss of device’s ability to operate as specified,
resulting in either a safe or dangerous failure
– Device will fail the proof test

• Degraded conditions (Incipient)


– Typically identified during inspection and preventive
maintenance activities
– Operating well enough to pass the proof test (within
its functional requirement specification) but its current
condition could result in a complete failure, if
corrective action is not taken
– May cause the device to act earlier or later than
desired but does not prevent its operation


Failure Cause
• Basic reason of failure or initiator of the physical
process by which deterioration proceeds to
failure
– Physical environment
– Chemical environment
– Design defect
– Device misapplication
– Quality defect


VALERO DEAD LEG

CSB Safety Videos 2005-2011, Fire from Ice


Things to think about…
• Valve did not seat
  – Foreign object in seat – welding rod?
  – Enabling condition – 6°F froze water and cracked elbow
  – Release through crack = 4500 lbs/min
• Boiler house was ignition source of vapor cloud
  – Jet fires caused by ignition
  – Other process lines failed
• Emergency response
  – 1 minute after first release
  – 15 minutes to total evacuation
  – $50 million loss

Failure Mechanisms
• Age (wear out)
• Heat
• Humidity
• Electrical surge
• Electro-static discharge
• Shock
• Vibration
Most of these are outside of the manufacturer analysis.

Failure Classifications
• Dangerous
– Failure affecting equipment within a system, which
causes the process to be put in a hazardous state or
puts the system in a condition where it may fail-to-
operate when required
• Safe
– Failure affecting equipment within a system, which
causes, or places the equipment in condition where it
can potentially cause, the process to achieve or
maintain a safe state


Electronic Pressure Transmitter (FMEA example, ISA TR84.00.02)

Complete failure

Failure mode: Signal output saturated high, i.e. > 100 %
  Failure cause: electronic failure
  Failure mechanism: corrosion; ageing; thermal stress
  Classification: application dependent

Failure mode: Signal output frozen
  Failure cause – failure mechanism:
    – Isolation valve closed – human error
    – Impulse line plugged – solids precipitation from process; liquids frozen due to ambient temperature
    – Left in the test mode – human error
    – Electronic failure – corrosion; ageing; thermal stress
  Classification: dangerous

Failure mode: Signal output saturated low, i.e. < 0 %
  Failure cause: electronic failure
  Failure mechanism: corrosion; ageing; thermal stress
  Classification: application dependent

Failure Distribution

(Figure, ©SIS-TECH: total device failures divided into SAFE (S) and DANGEROUS (D).)

NOTE: THE RELATIONSHIPS BETWEEN THE CATEGORIES ARE NOT RELATED TO ANY KNOWN DEVICE. IT IS AN ILLUSTRATION ONLY

Failure Detection
• Operator observation – detects failures that are revealed due to changes in the process operation
  – Generally applies to normal control functions
• Diagnostics – occur continuously throughout the mission time
• Inspection and proof tests are used to periodically validate that the device is in the “as good as new” condition
  – When failures are found, the device is repaired or replaced

ISO 12489 – Classification according to the detection means (figure)

Failure
• May be revealed by tests
  – Genuine revealed failure: detected by a diagnostic test (e.g. DD) – immediately or almost immediately revealed
  – Hidden failure: detected only by a periodic test (e.g. DU) – revealed after a delay
  – Hidden failure not found by the periodic test: detected only by dismantling (workbench test) – almost never revealed
• Cannot be revealed by tests: revealed only by a demand – never revealed by testing

DANGEROUS DISTRIBUTION (figure, ©SIS-TECH)

D = DU + DD
• Dangerous Detected (DD) – revealed by diagnostics
• Dangerous Undetected (DU) – revealed by proof test, or revealed by an incident (a demand on which the SIF fails to act)

SAFE DISTRIBUTION (figure, ©SIS-TECH)

S = SU + SD
• Safe Detected (SD) – revealed by diagnostics or by the trip
• Safe Undetected (SU) – revealed by proof test

Mean Time To Failure (MTTF) and Service Life
• MTTF = 1/λ, the reciprocal of the equipment’s (constant) failure rate while in its useful life
  – Calculations assume the useful life is indefinite
    • In reality it is limited by operating environment impact and wear-out
  – Useful life has the lowest failure rate
    • Bottom of the bath tub curve
• Service life
  – Length of time that the device will remain in its useful life period
  – Expected number of operating hours before the equipment begins to wear out

MTTF_D and Useful Life – Human Example
• Example:
  – 500,000 25-year-old humans
  – 625 deaths in one year
  – 625 deaths / (500,000 humans × 1 year)
  – Failure rate λ_D = 0.00125/yr = 0.125 %/yr
  – MTTF_D = 1 / λ_D
  – MTTF_D = 1 / 0.00125 = 800 years
  – Think any of the 25-year-olds will live 800 years?
• The 800-year MTTF_D applies to 25-year-olds only while they are still 25 years old!

MTTFD and Useful Life


• Reality is that humans do not have constant
failure rates.
– Neither does automation
• As humans age, more failures occur
– Likewise with automation
• Useful Life is difficult to determine from service
– Reliability expectations
– New or updated technology
– Need to maintain “as good as new”
• Do not run safety equipment to failure!


MTTFD and Useful Life


• User approval ensures that specification,
installation, commissioning and MI practices are
sufficient to minimize failures
– early, useful life or wear-out
• Use preventive maintenance to achieve the
expected useful life
• Proof testing frequency must be sufficient to
detect wear out
• Test interval greater than estimated useful life is
meaningless


Sources of Failure Rate Data
• Internal Data
  – Actual performance
• Published Data
  – Actual (some predictive)
• Manufacturer Data
  – Almost all predictive now

Different Data Estimates
• Predictive
  – Calculated based on equipment design
  – Useful when field data is scarce or non-existent
  – Usually calculated by the manufacturer early in product life
• Actual
  – Calculated based on an observed sample of similar equipment
  – Most useful since it is based on equipment installed in the operating environment
  – Usually collected and analyzed by the user

Use a defensible MTTF estimate for the device technology in the operating environment.

Data Sources
• Trips
– Process demands
– Spurious trips
• Device failures
– Detected failures (work orders)
– Proof test records
– Bypass log
– Out-of-service times (time to repair and test)

ISA TR84.00.04 Annex R and ISA TR84.00.03 Annex C: example failure reports

Measures
• Failures on demand
  – Process demands
  – Proof tests
• Failure frequency
  – Failures per year
  – Failures per hour
  – Failures per 10^6 hours (per million hours)
  – Failures per 10^9 hours (per billion hours)
    • Also known as Failures in Time (FIT)

1 year = 8760 hours

Understand precision
• The calculation of risk reduction is an order of
magnitude estimate
– Do not get lost in searching for or calculating multiple
significant digits
• Not much difference between brands of field devices if each
brand has met user approval
– Focus on estimating order-of-magnitude values for
each device technology considering the expected
operating environment
• Most data is selected based on qualitative
judgment of the historical evidence


Internal Data
• Data requirements
  – Last test date and pass/fail result
  – Current test date and pass/fail result
  – Device technology
  – Equipment classification
  – Operating environment
  – Failure mode (e.g., actuator stuck)
  – Failure cause (e.g., rust seen on shaft)

Internal Data
• Need enough devices and service time to
establish reasonable confidence
– Remember the bath tub curve
• Need detailed consistent recording
– testing and maintenance
• Consider contributing to Instrument Reliability
Network
– established 2012 at the Mary Kay O’Conner Process
Safety Center - Texas A&M University
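To put the data requirements above into practice, here is an added worked example (it is not part of the SIS-TECH module) that pools proof-test records into a failure-rate estimate, converts it between the units listed on the Measures slide, recovers the 800-year MTTF_D of the human example, and computes the one-sided 70% upper confidence bound on the rate that the IEC 61511 prior-use criteria discussed later in the module call for. The bound is the standard chi-squared bound for time-truncated data, which is my assumption about how the 70% criterion is applied; the 40-transmitter fleet and its failure counts are constructed sample records, not plant data.

```python
"""Failure-rate estimation from internal (field) data.

Added example, not SIS-TECH's code. Inputs are records of
(device-hours observed, failures found) for one device technology
in one operating environment; the sample records are constructed.
"""
import math

HOURS_PER_YEAR = 8760.0


def point_estimate(failures, device_hours):
    """Maximum-likelihood (point) estimate of a constant failure rate, per hour."""
    if device_hours <= 0:
        raise ValueError("need positive observation time")
    return failures / device_hours


def chi2_quantile_even_df(p, r):
    """Quantile x with P(chi-square_{2(r+1)} <= x) = p.

    Uses the identity P(chi2_{2(r+1)} <= x) = 1 - sum_{k<=r} Poisson(k; x/2),
    so no scipy is needed; solved by bisection. With r = 0 this is -2 ln(1-p).
    """
    def cdf(x):
        m = x / 2.0
        return 1.0 - sum(math.exp(-m + k * math.log(m) - math.lgamma(k + 1))
                         for k in range(r + 1))
    lo, hi = 0.0, 2.0 * (r + 1) + 10.0 * math.sqrt(2.0 * (r + 1)) + 40.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if cdf(mid) < p:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def upper_bound_rate(failures, device_hours, confidence=0.70):
    """One-sided upper confidence bound on the rate for time-truncated data.

    lambda_upper = chi2_{confidence, 2(r+1)} / (2 T). Assumed here to be how the
    70% upper-bound criterion is applied; with zero failures it is -ln(1-p)/T.
    """
    x = chi2_quantile_even_df(confidence, failures)
    return x / (2.0 * device_hours)


def to_units(rate_per_hour):
    """Express a per-hour failure rate in the units the module lists."""
    return {
        "per_hour": rate_per_hour,
        "per_year": rate_per_hour * HOURS_PER_YEAR,
        "fit": rate_per_hour * 1e9,  # failures per 10^9 hours (Failures in Time)
        "mttf_years": math.inf if rate_per_hour == 0
        else 1.0 / (rate_per_hour * HOURS_PER_YEAR),
    }


def estimate(records, confidence=0.70):
    """Pool (device_hours, failures) records and report point and upper-bound rates."""
    hours = sum(h for h, _ in records)
    fails = sum(f for _, f in records)
    return {"failures": fails, "device_hours": hours,
            "point": to_units(point_estimate(fails, hours)),
            "upper70": to_units(upper_bound_rate(fails, hours, confidence))}


# The module's human example as device-hours: 500,000 humans observed one year.
HUMAN_EXAMPLE = [(500_000 * HOURS_PER_YEAR, 625)]
# Constructed fleet: 40 pressure transmitters, two yearly proof-test cycles.
PT_RECORDS = [(40 * HOURS_PER_YEAR, 0),   # year 1: no dangerous failures found
              (40 * HOURS_PER_YEAR, 1)]   # year 2: one DU failure found at proof test

if __name__ == "__main__":
    for name, recs in (("humans", HUMAN_EXAMPLE), ("pressure transmitters", PT_RECORDS)):
        est = estimate(recs)
        print("%s: point MTTF %.0f yr (%.0f FIT); 70%% upper-bound MTTF %.0f yr"
              % (name, est["point"]["mttf_years"], est["point"]["fit"],
                 est["upper70"]["mttf_years"]))
```

With few failures the upper-bound MTTF is much shorter than the point estimate (80 years versus about 33 years for the constructed fleet), which is the "need enough devices and service time" point above made numeric: the bound, not the point estimate, is what a prior-use claim has to live with.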


Manufacturer Data
• Sources:
  – Manufacturer
  – Third-party
• Data quality is highly variable
  – Limited boundary
  – Assumes specific configuration
  – May include
    • Very high diagnostic coverage
    • No effect failures
    (IEC 61508:2010 limits both; look for revised claims.)
  – Disclaims operating environment and support system contributions

Solenoid Failure Example


• Most likely failure
– Coil burnout during service
• User perspective
– In de-energize to trip (DTT), experience spurious trip
– In energize to trip (ETT), experience dangerous
failure
• Manufacturer perspective on coil burnout
– Reached end of life
– In wear-out
– Does not influence MTTF – spurious or dangerous


Field Device Data – Operating Environment

Description                              MTTF_D (years)   MTTF_SP (years)
Analyzers                                0.35 – 4.00      0.35 – 4.00
Flow Switches                            25 – 50          10 – 50
Flow Transmitters                        50 – 175         25 – 80
Level Switches                           25 – 125         25 – 75
Level Transmitters                       25 – 250         15 – 150
Pressure Switches                        15 – 80          15 – 80
Pressure Transmitters                    75 – 200         75 – 125
Temperature Switches                     10 – 100         10 – 50
Temperature Transmitters                 75 – 250         25 – 100
Solenoid Valves (de-energize to trip)    30 – 100         10 – 30
Block Valves (failure to close)          25 – 100         50 – 200
Control Valves (failure to close)        15 – 60          30 – 100
CCPS IPS Book

• Most devices provide SIL 1 performance
• Most devices will have a safe failure on the order of 1/10 years

Logic Solver Data

Description                                   MTTF_D (years)   MTTF_SP (years)
Relays                                        100 – 1000       100 – 500
Non-Safety Configured Single Channel PES      10 – 30          10 – 30
Safety-Configured Single Channel PES          100 – 250        5 – 15
IEC 61508 Compliant SIL 3 PES                 2500 – 50,000    10 – 1000
Trip Amplifiers (programmable)                300 – 600        150 – 275
Trip Amplifiers (non-programmable)            500 – 850        150 – 250
CCPS IPS Book

• Safety configuration of general PLCs is necessary to achieve safety class performance
• Relays and trip amplifiers: SIL 2 in simplex, SIL 3 with HFT = 1
• Logic solver performance is dependent on architecture; it can vary by more than 10×
• Simplex channel PLCs have high spurious failure rates
• Spurious trip rate performance is dependent on fault tolerance: the short end of the MTTF_SP range is a simplex channel, the long end is an architecture that is fault tolerant for reliability
• Spurious trip rates of relays and trip amplifiers are low even in a non-fault-tolerant architecture; add fault tolerance to achieve an MTTF_SP better than fault-tolerant PLCs

IEC 61511 – Achieving SIL
• PFD/PFH is not the only criterion limiting the achieved SIL
  – 70% upper bound confidence limit on reliability parameters
  – Failure rates supported by field performance feedback
• SIL claim is also limited by the hardware fault tolerance
• Remember: IEC 61511-1:2016 has its own HFT criteria
  – Does not directly require prior use data
• However, IEC 61511-1:2016 allows using either of the IEC 61508 criteria for HFT instead

Understanding IEC 61508 certification reports
• Many greenfield projects look to IEC 61508 certification reports for initial project design failure rates
• To use the information correctly requires understanding the IEC 61508 device types
• Selecting a device based on its approval against IEC 61508 criteria requires conforming with the limitations in its safety manual and the technical report to the certificate, including having to meet the IEC 61508-2:2010 HFT criteria

Understand Device Type A
• IEC 61508 Type A
  – The components required to achieve the safety function meet all of the following requirements:
    a) The failure modes of all constituent components are well defined; and
    b) The behaviour of the element under fault conditions can be completely determined; and
    c) There is sufficient dependable failure data to show that the claimed rates of failure for detected and undetected dangerous failures are met

Device Type A examples
• Field sensors, final elements, and non-PE logic solvers are commonly classified as Type A

Understand Device Type B
• IEC 61508 Type B
  – One or more of the components required to achieve the safety function meet one or more of the following:
    • The failure mode of at least one constituent component is not well defined; or
    • The behaviour of the element under fault conditions cannot be completely determined; or
    • There is insufficient dependable failure data to support claims for rates of failure for detected and undetected dangerous failures

Device Type B example
• PE logic solvers are commonly classified as Type B

IEC 61508 Type not always straightforward
• IEC 61508 certifiers routinely classify transmitters as Type B due to limited prior use demonstration from manufacturers
  – For example: pressure transmitters are Type B under IEC 61508 Route 1H analysis
• The complex configuration options of intelligent devices make them likely to be classified as Type B devices

IEC 61508 SIL Claim Limit
• Two routes to determine the hardware fault tolerance limit
  – Route 1H
    • Hardware fault tolerance and safe failure fraction concepts.
  – Route 2H
    • Component reliability data from feedback from end users, increased confidence levels and hardware fault tolerance for specified safety integrity levels.
• Route 1H is the most popular route for product certification in IEC 61508

% Safe Failures (figure)

Safe failures S / total failures (S + D)

Safe by inherent design features: the ratio indicates the inherent tendency to fail safe (aka, to the trip condition or state).

Safe failure fraction (SFF) and Route 1H

SFF = (S + DD) / (S + D) = “safe failures” / total failures

Where S = safe failure rate
      D = dangerous failure rate
      DD = dangerous detected failure rate

Not inherently safe! Relies on Functional Safety

SFF = (S + DD) / (S + D) (figure)

The ratio indicates the inherent tendency to fail safe and the functional safety choice to generate diagnostic alarms.

A high SFF can also mean a low-reliability product: more total failures (the device includes more parts).

SFF = (S + DD) / (S + D) (figure)

Higher SFF is achieved by increasing diagnostic sensitivity (a larger detected share of the failures).

Higher SFF – is it reliable? What are the total failures? (More total failures: the device includes more parts.)

CAUTION:
Detected Failure
• Which direction is safe?: High/Low, Open/Closed
• How do you maintain safety when a device has failed
detected?
– Fail channel to trip state
• Inherently safer choice
– Willful choice to stay on-line with known failure
• Must achieve functional safety
• Must justify continued operation with known failure
• Requires compensating measures equivalent to loss of SIF integrity

• Answers are dependent upon the specific application


• The IEC 61508 report may not be clear on its
assumptions regarding either of these


Some manufacturer reports: pre-IEC 61508-2010 SFF

SFF = (S + DD + No Effect failures) / (S + D + No Effect failures)

The ratio may be dominated by no effect failures!

Many manufacturer reports still use this form. No effect and no part failures are explicitly not allowed in the SFF in IEC 61508 2nd edition!

3051S Safety Certified Pressure Transmitter – Certificate ROS 061218 C001

0 Safe Failures – all failures are detected and reported as Fail Dangerous Detected

Failure category                                              Failure rate (FIT)
Fail Dangerous Detected                                       356
  Frozen – Fail Detected (detected by internal diagnostics)   264
  High – Fail High (detected by the logic solver)              59
  Low – Fail Low (detected by the logic solver)                33
Fail Dangerous Undetected                                      37
No Effect                                                     138
Annunciation Undetected                                         5

3051S Safety Certified Pressure Transmitter – Failure Breakdown

(Figure: Frozen (detected by internal diagnostics); Fail High (detected by logic solver); Fail Low (detected by logic solver); Fail Dangerous Undetected.)

• Diagnostic coverage claim – 91%
  – Internal diagnostics (manufacturer) – 67%
    • When a failure is detected, how is it configured to fail (fail high or fail low)?
  – Logic solver (user implemented) – 24%
    • Manufacturer has made claims on logic that you must implement!
    • Increases published diagnostic coverage
    • Supports a higher safe failure fraction claim (thus lowering the hardware fault tolerance required when certifying the product)
• Fail Dangerous Undetected – 9% of total failures

3051S Pressure Transmitter – Certificate ROS 061218 C001

SFF = (0 S + 356 DD + 138 No Effect + 5 Annunciation Undetected) / (0 S + 37 DU + 356 DD + 138 No Effect + 5 Annunciation Undetected)
    = 499 / 536 = 93%

Minimum Hardware Fault Tolerance – IEC 61508 Route 1H (Type B, PE)

Safe failure fraction   HFT 0         HFT 1   HFT 2
< 60 %                  Not allowed   SIL 1   SIL 2
60 % – < 90 %           SIL 1         SIL 2   SIL 3
90 % – < 99 %           SIL 2         SIL 3   SIL 4
≥ 99 %                  SIL 3         SIL 4   SIL 4

Manufacturer claims SIL 2 by considering no effect failures, user diagnostics, and internal diagnostics.

3051S Pressure Transmitter – Remove No Effect

SFF = (0 S + 356 DD) / (0 S + 37 DU + 356 DD) = 356 / 393 = 91% without no effect failures

3051S Pressure Transmitter – No User Diagnostics

SFF = (0 S + 264 DD) / (0 S + 37 DU + 356 DD) = 264 / 393 = 67% with internal diagnostics only

(The 92 FIT that only the logic solver detects become dangerous undetected once the user diagnostics are excluded, so the 393 FIT total is unchanged while the detected share drops to 264 FIT.)

Minimum Hardware Fault Tolerance – IEC 61508 Route 1H (Type B table above)

When only the manufacturer supplied diagnostics are considered (SFF = 67%, in the 60 % – < 90 % band), the device has a claim limit of SIL 1 at HFT = 0.
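The three SFF recalculations above and the Route 1H look-up, as an added worked example (it is not the certifier's or SIS-TECH's calculation): it takes the FIT breakdown quoted from the certificate, recomputes the SFF with and without no-effect failures and with and without the logic-solver diagnostics, derives the diagnostic coverage figures, and reads the Route 1H claim limit for the result. The Type B rows of the table are the ones on this page; the Type A rows are taken from IEC 61508-2:2010 Table 2 and are not on the page. The dictionary of FIT values is constructed from the certificate figures quoted above.

```python
"""Safe failure fraction, diagnostic coverage and IEC 61508 Route 1H claim limit.

Added example, not the certifier's or SIS-TECH's code. FIT = failures per 1e9 h.
"""

# FIT breakdown quoted on the page for the 3051S certificate (constructed dict).
CERT_3051S = {
    "safe": 0,
    "dd_internal": 264,      # frozen output, detected by internal diagnostics
    "dd_logic_solver": 92,   # fail high (59) + fail low (33), detected by the logic solver
    "du": 37,
    "no_effect": 138,
    "annunciation_undetected": 5,
}

# Route 1H maximum SIL, indexed [sff_band][hft]; None = not allowed.
# Type B rows: the table on this page. Type A rows: IEC 61508-2:2010 Table 2 (not on the page).
ROUTE_1H = {
    "A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]],
    "B": [[None, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]],
}


def sff_band(sff):
    """Map an SFF (0..1) to the Route 1H row: <60%, 60-<90%, 90-<99%, >=99%."""
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


def safe_failure_fraction(rates, count_no_effect=False, count_user_diagnostics=True):
    """SFF = (S + DD) / (S + DD + DU).

    count_no_effect=True reproduces the pre-2010 manufacturer practice of adding
    no-effect and annunciation-undetected failures to numerator and denominator,
    which IEC 61508-2:2010 disallows. count_user_diagnostics=False moves the
    failures only the logic solver can detect from DD to DU, i.e. it withdraws
    the coverage the manufacturer credited to logic the user must implement.
    """
    s = rates["safe"]
    user_dd = rates["dd_logic_solver"] if count_user_diagnostics else 0
    dd = rates["dd_internal"] + user_dd
    du = rates["du"] + (rates["dd_logic_solver"] - user_dd)
    extra = rates["no_effect"] + rates["annunciation_undetected"] if count_no_effect else 0
    return (s + dd + extra) / (s + dd + du + extra)


def dangerous_coverage(rates, count_user_diagnostics=True):
    """Diagnostic coverage of dangerous failures, DC = DD / (DD + DU)."""
    dd = rates["dd_internal"] + (rates["dd_logic_solver"] if count_user_diagnostics else 0)
    return dd / (rates["dd_internal"] + rates["dd_logic_solver"] + rates["du"])


def claim_limit(sff, device_type, hft):
    """Maximum SIL claimable under Route 1H for this SFF, device type and HFT."""
    return ROUTE_1H[device_type][sff_band(sff)][hft]


def review_certificate(rates, device_type="B"):
    """Recompute the SFF three ways, as the module does, with the HFT=0 claim limit."""
    rows = {}
    for label, ne, user in (("as certified (with no-effect)", True, True),
                            ("without no-effect", False, True),
                            ("internal diagnostics only", False, False)):
        sff = safe_failure_fraction(rates, count_no_effect=ne, count_user_diagnostics=user)
        rows[label] = (round(sff, 3), claim_limit(sff, device_type, hft=0))
    return rows


if __name__ == "__main__":
    for label, (sff, sil) in review_certificate(CERT_3051S).items():
        print("%-30s SFF = %4.1f%%  HFT=0 claim limit: SIL %s" % (label, sff * 100, sil))
    print("DC with user diagnostics: %.1f%%" % (100 * dangerous_coverage(CERT_3051S)))
    print("DC internal only:         %.1f%%" % (100 * dangerous_coverage(CERT_3051S, False)))
```

The output reproduces the page's 93% / 91% / 67% and the drop from a SIL 2 to a SIL 1 claim limit at HFT = 0 once the user-implemented diagnostics are not credited; the 91% and 67% coverage figures fall out of `dangerous_coverage` the same way. The Type A rows are included only so the same look-up can be reused for sensors and final elements a certifier has classified as Type A.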

Minimum Hardware Fault Tolerance


IEC 61511
• For field devices with prior use (e.g., user
approval) information meeting the 70%
confidence limit criteria, the minimum
requirement is:
– HFT = 0 -> simplex devices OK for SIL 1 and low
demand SIL 2
– HFT = 1 -> At least dual devices in redundant
configuration for SIL 3 or high demand/continuous
mode SIL 2
• So generally need 1oo2 or 2oo3


Determining Test or Diagnostic Coverage
• Determine which failure modes are detected
• Determine the effect (failure classification) of the detected failure modes
• Calculate the percentage of the dangerous failures that can be detected
  – Test coverage – partial test interval
  – Diagnostic coverage – diagnostic interval
• Remaining failures are detected at the complete proof test

Credit for a diagnostic that requires the operator to provide a compensating measure should be limited to 90%, like any alarm response.

Common Cause – Beta factor


• Can be limiting factor to PFD
• No published data to support selection of beta
factor
• Method in IEC 61508, part 6 (informative)
• Experience-based judgment provides best
estimate
• If the SIF is designed to minimize the potential
for common cause failure, the beta factor in the
range of 0.1 to 5% can be used for field device
modeling with prior use failure rates
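As an added example of the voting / test-interval / common-cause interaction raised on the "Why verification using models?" slide and here (it is not SIS-TECH's verification tool), the following evaluates the simplified low-demand PFDavg formulas for 1oo1, 1oo2 and 2oo3 groups with a beta factor, maps the result to a SIL band, and reports the spurious trip rate for the same groups. The MTTF_D and MTTF_SP inputs are picked from the field-device ranges on this page and the 5% beta is the top of the range quoted above. The formulas assume the proof-test interval is short compared with 1/λ, that the rate supplied is the dangerous undetected rate, and that repair time can be neglected; the page does not state these, so they are my assumptions.

```python
"""PFDavg and spurious trip rate for 1oo1, 1oo2 and 2oo3 voting with a beta factor.

Added example, not SIS-TECH's verification tool. Simplified low-demand formulas:
1oo1 = lambda*TI/2, 1oo2 = (lambda*TI)^2/3, 2oo3 = (lambda*TI)^2, with the
common-cause share beta*lambda treated as a 1oo1 term (assumptions: TI << 1/lambda,
repair time neglected, proof test restores as-good-as-new).
"""

# IEC 61511 low-demand PFDavg bands: (lower bound inclusive, upper bound exclusive, SIL)
SIL_BANDS = [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]


def pfd_avg(lambda_du, ti_years, voting="1oo1", beta=0.0, useful_life_years=None):
    """Average PFD over a proof-test interval for a group of identical devices.

    lambda_du: dangerous undetected failure rate per year (1 / MTTF_D)
    ti_years:  proof-test interval in years
    beta:      common-cause fraction (0..1), applied to redundant groups only
    """
    if useful_life_years is not None and ti_years > useful_life_years:
        # The module's caveat: a test interval beyond the useful life is meaningless.
        raise ValueError("proof-test interval exceeds the device useful life")
    if voting == "1oo1":
        return lambda_du * ti_years / 2.0
    independent = (1.0 - beta) * lambda_du
    common = beta * lambda_du * ti_years / 2.0   # CCF term behaves like a 1oo1 device
    if voting == "1oo2":
        return (independent * ti_years) ** 2 / 3.0 + common
    if voting == "2oo3":
        return (independent * ti_years) ** 2 + common
    raise ValueError("unsupported voting: %s" % voting)


def spurious_trip_rate(lambda_s, voting="1oo1"):
    """Spurious trip rate per year (repair time neglected).

    1oo2 trips if either channel fails safe, so its rate doubles; 2oo3 needs two
    coincident safe failures, which requires a repair-time model not built here.
    """
    if voting == "1oo1":
        return lambda_s
    if voting == "1oo2":
        return 2.0 * lambda_s
    raise ValueError("spurious rate for %s needs a repair-time model" % voting)


def sil_from_pfd(pfd):
    """SIL band of a low-demand PFDavg; None if it does not reach SIL 1."""
    for low, high, sil in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


def compare(mttf_d_years, mttf_sp_years, ti_years, beta):
    """Tabulate PFDavg, SIL band and spurious trips per year for the three architectures."""
    lam_d, lam_s = 1.0 / mttf_d_years, 1.0 / mttf_sp_years
    out = {}
    for voting in ("1oo1", "1oo2", "2oo3"):
        pfd = pfd_avg(lam_d, ti_years, voting, beta)
        str_per_year = spurious_trip_rate(lam_s, voting) if voting != "2oo3" else None
        out[voting] = {"pfd": pfd, "sil": sil_from_pfd(pfd), "spurious_per_year": str_per_year}
    return out


if __name__ == "__main__":
    # Inputs chosen from the module's field-device ranges (a pressure transmitter
    # with MTTF_D = 100 yr and MTTF_SP = 100 yr), proof tested yearly.
    for beta in (0.0, 0.05):
        print("beta = %.0f%%" % (beta * 100))
        for voting, r in compare(100.0, 100.0, 1.0, beta).items():
            print("  %s  PFDavg = %.2e  SIL %s  spurious/yr = %s"
                  % (voting, r["pfd"], r["sil"], r["spurious_per_year"]))
```

Running it shows the limiting effect of common cause that the slide warns about: with beta = 0 the 1oo2 group computes to about 3e-5, but with beta = 5% the beta term alone (2.5e-4) dominates and both redundant groups land in the SIL 3 band, while the 1oo1 device stays at 5e-3 (SIL 2) and the 1oo2 group's spurious trip rate doubles.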


Summary
• Failure modes and effects analysis is a qualitative analysis method:
  – identifies equipment failure modes,
  – determines their impact on the equipment operation, and
  – classifies the impact severity
• MTTF (the reciprocal of the useful-life failure rate) and service life (the length of the useful life period) are not the same

Summary
• Random hardware failures are considered in the
verification calculations
• A constant failure rate is assumed for the
device’s useful life
– Consider operating environment
– Proper specification, installation and commissioning
practices
– Rigorous mechanical integrity practices
