Problems with Recalculated Failure Rates
Prof. Dr.-Ing. habil. J. Börcsök
Overview
- Introduction
- Terms and Parameters to define Reliability and Safety
- Risks and Hazards
- Reliability and Functional Safety
- Methods and Procedures to improve Reliability and Safety
- Methods to calculate Reliability and Safety Parameters
- Architectures for Safety Embedded Systems
- Software Requirements
- Diagnostics for Safety Systems
- Different Approaches from different Standards
- Problems with Safety Numbers
- Backwards Calculation
Introduction
- Applications of safety computer architecture
  - Avionics and astronautics
  - Rail technology
  - Chemical industries
  - Oil and gas industries and pipelines
  - Engineering systems (presses, automatic lathes, etc.)
  - Robot controls
  - Turbine controls
  - etc.
Introduction
- Safety
  - Is validation and certification of critical systems according to international standards necessary in principle?
  - How safe are our systems and plants?
  - Can we predict safety?
Introduction
- "Wise predictions from IT"
- Predictions from experts:
  - "I think, worldwide, there is a market for maybe five computers." (Thomas Watson, head of IBM, 1943)
  - "But … for what reason shall this be good?" (A scientist at the IBM computer department for the development of microchips, 1968)
  - "There is no reason at all why someone should have a computer at home." (Ken Olson, President and founder of DEC, 1977)
  - "640 KByte shall be enough." (Bill Gates, 1981)
Introduction
- We already have systems in use that need to be protected (photos):
  - Jamnagar refinery 2006; Bhopal
  - Buncefield 2006; Piper Alpha 1988
  - Oil rig, Brazil; BP oil rig, Gulf of Mexico 2010
Introduction
- 1986 Nuclear power plant in Chernobyl (explosion)
- 1987 Space Shuttle Challenger (explosion)
- 1988 Oil rig in the North Sea (explosion, fire)
- 1989 Oil tanker Exxon near Alaska (collision, reef)
- 1993 Hoechst AG (release of gases)
- 1994 Ferry from St. Petersburg to Sweden (sunk)
- 1996 Wide-bodied aircraft in the Caribbean (crash)
- 1998 Train accident near Enschede (broken wheel, collision)
- 1999 Fire in the Mont Blanc tunnel (collision, fire)
- 2000 Concorde (burst tyre, crash)
- ...
- 2010 Gulf of Mexico (oil rig Deepwater Horizon)
- 2011 Fukushima (Japanese nuclear power plant, common-cause (CC) failure)
- And for all these plants and facilities we had valid data!
Terms and Parameters to define Reliability and Safety
- Reliability / Safety
- Determining factors:
  - Development of new technologies
  - Quality of the components
  - Maintenance costs
  - Liability costs
  - …
Risks and Hazards
Risk reduction is the task of functional safety.
Standard: IEC/EN 61508
Reliability and Functional Safety
- Types of failures
  - Component and device failures: faulty dimensioning, manufacturing faults, circuit faults, wiring faults, development faults, conceptual faults
  - Types of failures of programs: specification faults, development faults, implementation faults, documentation faults
Reliability and Functional Safety
- Types of failures
  - Random failure
  - Systematic failure
Reliability and Functional Safety
- Types of failures
  - Dimension failures: size decreased, size increased
  - Extreme failures: short circuit, broken
  - Time response: sudden failure, drift failure
  - Point in time: early failure, random failure, erosion (wear-out) failure
  - Duration: sporadic failure, statistical failure
  - Statistical behaviour: random failure, systematic failure, deterministic failure
  - Number: single failure, multiple failures
  - Cause: primary failure, sequential failures
Reliability and Functional Safety
- Percentage share of the probability of failure within a computer system
  - 15 % computer system (HW + SW)
  - 35 % input units
  - 50 % output units
Source: IEC 61508, 1996
Reliability and Functional Safety
- Percentage of failures within the lifecycle phases
  - 44 % specification
  - 20 % changes after decision (placing the order)
  - 15 % operation and maintenance
  - 15 % design and implementation
  - 06 % setup and commissioning
Source: HSE, Out of Control: Why control systems go wrong and how to prevent failure, 2nd ed., 2003, p. 45
Reliability and Functional Safety
- Percentage share of the probability of failure within a computer system
  - 15 % computer system (HW + SW)
  - 35 % input units
  - 50 % output units
- Breakdown by test and processing share:
  - 36 % system test
  - 12 % input test
  - 02 % input processing
  - 30 % CPU test
  - 05 % CPU processing
  - 12 % output test
  - 03 % output processing
Reliability and Functional Safety
- Failures in applications using safety systems
  - Hardware/component failures (technical failures)
  - Operating errors (human error during manipulations)
  - Failures when applying new technologies
  - Shutdown through failures in the software
  - Compatibility problems during SW updates
  - Interface problems when SW products interact
  - Manipulation errors during manual operations (emergency)
- Conclusion
  - Consider where the error sources are located in the system
  - Systematically use reliability and safety methods
Methods and Procedures to improve Reliability and Safety
- Reliability technique
  - Reduction of the failure probability: better components (HW and SW), better system structures (HW and SW), better redundancy structures (HW and SW)
- Safety technique
  - Danger exclusion; failure exclusion (HW and SW); fail-safe (true fail-safe only in HW); failure detection (HW and SW) and crossover to the safe side
- Reliability and safety technique
  - Combination of the previous methods and techniques; safety not at the cost of availability and vice versa; a high grade of safety and availability has to be solved conceptually.
Methods and Procedures to improve Reliability and Safety
- Overview
  - Reliability block diagram
  - Markov model
  - Fault tree analysis
  - Petri net method
  - Boolean reliability model
  - Bayesian method
  - etc.
- About the first two methods:
  - Often used in risk analysis
  - Produce similar results when correctly used
Reliability Method: Systems with Redundancy
- Properties
  - Not redundant, i.e. the function of each element E_i must be available
  - The failure-free operating times τ1, τ2, ..., τn of the elements E1, E2, ..., En are independent random variables. The reliability function of each single element is determined by
$$R_i(t) = \exp\left(-\int_0^t \lambda_i(t')\,dt'\right), \qquad \lambda_i(t) = \text{const} \;\Rightarrow\; R_i(t) = e^{-\lambda_i t}$$
- Reliability block diagram: R1, R2, ..., Rn in series
- Failure behaviour
  - All components operate properly -> the system operates properly
  - At least one component fails -> the system fails
- Reliability function of the whole system
$$R_s(t) = R_1(t)\cdot R_2(t)\cdots R_n(t) = \prod_{i=1}^{n} R_i(t)$$
Reliability Method: Systems with Redundancy
- Properties
  - Operates until the last element fails
- Reliability block diagram: Element 1 (R1), Element 2 (R2), ..., Element n (Rn) in parallel
- Failure behaviour
  - At least one component operates properly -> the system operates properly
  - All components failed -> the system failed
- Reliability function (k-out-of-n group of identical elements; k = 1 for the parallel system shown)
$$R_r(t) = \sum_{i=k}^{n} \binom{n}{i}\, R(t)^{i}\,\bigl(1 - R(t)\bigr)^{\,n-i}$$
Determine the PFD (Probability of Failure on Demand)
- Probability of Failure on Demand (PFD)
  - To determine the quality of a system, it is sufficient to examine the first maintenance interval, i = 1.
  - To calculate PFDavg, the average value of the PFD function over the whole proof-test interval T1 is applied.
$$PFD(t) = P_i(t) \quad \text{for } (i-1)\cdot T_1 \le t < i\cdot T_1,\; i \in \{1, 2, 3, \ldots, n\}$$
$$PFD_1(t) = \lambda_D \cdot t \quad \text{for } 0 \le t < T_1$$
$$PFD_{avg} = \frac{1}{T_1}\int_0^{T_1} \lambda_D\, t\, dt = \frac{\lambda_D \cdot T_1}{2}$$
[Figure: PFD(t) and PFDavg plotted against t over successive proof-test intervals T1]
Determine the PFD (Probability of Failure on Demand)
$$t_{CE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{2} + MTTR\right) + \frac{\lambda_{DD}}{\lambda_D}\, MTTR, \qquad \lambda_D = \lambda_{DD} + \lambda_{DU}$$
- Diagnostics available: only λDU contributes to the PFD.
- Diagnostics unavailable: λDU and λDD both contribute to the PFD.
[Figure: timeline with the time of occurrence of a dangerous undetected failure and of a dangerous detected failure]
Determine Reliability and Safety
- MooN system, e.g. 2oo3 system (majority redundancy)
[Figure: 2oo3 voter with channels A1, A2, A3]
- Reliability
$$R_S(t) = \sum_{i=k}^{n} \binom{n}{i}\, R(t)^{i}\,\bigl(1 - R(t)\bigr)^{\,n-i} = 3R^2(t) - 2R^3(t), \qquad R(t) = e^{-\lambda t}$$
- Probability of failure
$$PFD_{S,avg} = \frac{1}{T}\int_0^{T} \bigl(1 - R_S(t)\bigr)\, dt$$
- For the 2oo3 system:
$$PFD_{avg}(T) = 1 - \frac{1}{6\lambda T}\left[9\left(1 - e^{-2\lambda T}\right) - 4\left(1 - e^{-3\lambda T}\right)\right]$$
- Average lifetime (2oo3 system)
$$MTTF = \int_0^{\infty} R_S(t)\, dt = \frac{3}{2\lambda} - \frac{2}{3\lambda} = \frac{5}{6\lambda}$$
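The 2oo3 expressions above, checked numerically (an added example, not code from the original slides): r_koon implements the k-out-of-n binomial sum, and the closed forms for MTTF = 5/(6λ) and PFD_avg(T) are compared against direct numerical integration of R_S(t). The sample values λ = 1e-5 /h and T = 8760 h and all function names are constructed assumptions.

```python
from math import comb, exp


def r_koon(k: int, n: int, r: float) -> float:
    """Reliability of a k-out-of-n group of n identical, independent elements,
    each with reliability r: the binomial sum from the slide."""
    return sum(comb(n, i) * r ** i * (1.0 - r) ** (n - i) for i in range(k, n + 1))


def r_2oo3(lam: float, t: float) -> float:
    """R_S(t) of a 2oo3 voter whose channels have R(t) = exp(-lam * t)."""
    return r_koon(2, 3, exp(-lam * t))


def simpson(f, a: float, b: float, steps: int = 20000) -> float:
    """Composite Simpson rule over [a, b]; steps must be even."""
    h = (b - a) / steps
    total = f(a) + f(b)
    for i in range(1, steps):
        total += (4.0 if i % 2 else 2.0) * f(a + i * h)
    return total * h / 3.0


def mttf_2oo3_closed(lam: float) -> float:
    """MTTF = int_0^inf (3 e^{-2 lam t} - 2 e^{-3 lam t}) dt = 3/(2 lam) - 2/(3 lam) = 5/(6 lam)."""
    return 3.0 / (2.0 * lam) - 2.0 / (3.0 * lam)


def mttf_2oo3_numeric(lam: float) -> float:
    # R_S decays like e^{-2 lam t}; beyond t = 40/lam the neglected tail is ~e^{-80}.
    return simpson(lambda t: r_2oo3(lam, t), 0.0, 40.0 / lam)


def pfd_avg_2oo3_closed(lam: float, T: float) -> float:
    """Closed form from the slide for the 2oo3 system over a test interval T."""
    x = lam * T
    return 1.0 - (9.0 * (1.0 - exp(-2.0 * x)) - 4.0 * (1.0 - exp(-3.0 * x))) / (6.0 * x)


def pfd_avg_2oo3_numeric(lam: float, T: float) -> float:
    """PFD_avg = (1/T) int_0^T (1 - R_S(t)) dt, integrated numerically."""
    return simpson(lambda t: 1.0 - r_2oo3(lam, t), 0.0, T) / T


def rel_err(a: float, b: float) -> float:
    return abs(a - b) / abs(b)


if __name__ == "__main__":
    lam, T = 1.0e-5, 8760.0  # constructed sample: 1e-5 /h per channel, one-year test interval
    print("R_2oo3(r=0.9) =", r_koon(2, 3, 0.9), " 3r^2 - 2r^3 =", 3 * 0.9 ** 2 - 2 * 0.9 ** 3)
    print("MTTF [h] closed / numeric:", mttf_2oo3_closed(lam), mttf_2oo3_numeric(lam))
    print("PFD_avg closed / numeric:", pfd_avg_2oo3_closed(lam, T), pfd_avg_2oo3_numeric(lam, T))
```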
Requirements for Software in Safety Embedded Systems
- Software errors
  - Data references: initialisation errors; indexes over the limits
  - Data declaration: missing data declaration; misunderstood attribute
  - Calculations: use of different data types; brackets used incorrectly; round-off errors
  - Comparison: priority of the relational operator misunderstood; incorrect Boolean expressions
  - Thread of control: false criterion for loop termination; false DO/END structure
  - Interfaces: inconsistent parameters and arguments; misuse of constants and variables
Requirements for Software in Safety Embedded Systems
- Reliability methods for software development
- Two categories of methods
  - Avoiding faults: high-level programming language; structured programming; top-down design; specification systems and design systems; SW design tools; SW validation and quality management
  - Detecting and eliminating / tolerating faults: program tests and amendment; program flow control; repetition of program sequences; diversity programming
Requirements for Software in Safety Embedded Systems
- Reliability methods for software development
  - Real fail-safe methods: cannot be applied in software.
  - Quasi fail-safe methods: failure detection with program sequence monitoring, runtime monitoring, plausibility checks and software diversity. Afterwards, safety-related methods shall be executed.
Diagnostics and Test Classification for Safety Embedded Systems
- Foreground test
  - Executed within the safety time; can be split into several cycles.
  - Reaction time: immediately after detection
  - Example: memory test
- Cyclic tests
  - Executed within one cycle
  - Maximum reaction time: 2 cycles
  - Examples: test of input modules, reading back and comparing output signals
- Background test
  - Detection of a second fault after an undetected safe single fault has occurred.
  - Executed within the second-fault occurrence time; split into many cycles.
  - Reaction time: immediately after detection.
  - Example: walking-bit test of input / output modules
Diagnostics and Test Classification for Safety Embedded Systems
- The following diagnostic methods shall be applied for a safety-related architecture (depending on the SIL):
- Diagnostic methods for
  - electronic subsystems
  - processing units
  - unchangeable memory
  - alterable memory
  - input / output modules
  - internal communication
  - external power supply
  - program flow (logic / time)
  - clock
  - communication with mass storage
Numbers – But which one?
Result: We need numbers to determine safety!
- PFD
- Lambda value
But which one?
- PFD from which standard?
- Lambda value from which catalogue? MIL, SINTEF, SN, ...
Great: PFD Numbers
Result: PFD is good!
PFD, but which one?
- Different ways to calculate PFD numbers, e.g. ISA 84.0.02 or IEC 61508 or EN 50126/50129
- All of them are named PFD but lead to different values!
Different Approaches
- Different values from different standards
- 1oo1 system

IEC/EN 61508:
$$PFD_{G,1oo1} = (\lambda_{DU} + \lambda_{DD})\cdot t_{CE} = \lambda_D \cdot t_{CE}$$
with
$$t_{CE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{2} + MTTR\right) + \frac{\lambda_{DD}}{\lambda_D}\, MTTR$$

ISA-TR84.0.02 (simplified equation, without considering λDD):
$$PFD_{avg,1oo1} = \lambda_{DU}\cdot\frac{TI}{2}$$

Symbols (IEC/EN 61508 // ISA-TR84.0.02):
- λD: dangerous failure rate (per hour) of a channel in a subsystem
- λDD: detectable dangerous failure rate (per hour) of a channel in a subsystem
- λDU: undetectable dangerous failure rate (per hour) of a channel in a subsystem
- MTTR: mean time to restoration // mean time to repair (hour)
- PFDG = PFDavg: average probability of failure on demand for the group of voted channels
- T1 = TI: proof-test interval // time interval between manual functional tests of the components (hour)
- tCE: channel equivalent mean down time (hour)
Different Approaches
- Different values from different standards
- 1oo2 system

IEC/EN 61508:
$$PFD_{G,1oo2} = 2\left[(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right]^2 t_{CE}\, t_{GE} + \beta_D\,\lambda_{DD}\, MTTR + \beta\,\lambda_{DU}\left(\frac{T_1}{2} + MTTR\right)$$
with
$$t_{CE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{2} + MTTR\right) + \frac{\lambda_{DD}}{\lambda_D}\, MTTR, \qquad t_{GE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{3} + MTTR\right) + \frac{\lambda_{DD}}{\lambda_D}\, MTTR$$

ISA-TR84.0.02 (without considering MTTR for CCF):
$$PFD_{avg,1oo2} = \frac{(\lambda_{DU}\, TI)^2}{3} + \lambda_{DU}\,\lambda_{DD}\, MTTR\, TI + \beta\,\lambda_{DU}\,\frac{TI}{2}$$
Simplified equation (without λDD):
$$PFD_{avg,1oo2} = \frac{(\lambda_{DU}\, TI)^2}{3}$$

Symbols (IEC/EN 61508 // ISA-TR84.0.02):
- β: fraction of undetectable failures that have a common cause
- βD: fraction of the failures detectable by the diagnostic tests that have a common cause
- λD: dangerous failure rate (per hour) of a channel in a subsystem
- λDD: detectable dangerous failure rate (per hour) of a channel in a subsystem
- λDU: undetectable dangerous failure rate (per hour) of a channel in a subsystem
- MTTR: mean time to restoration // mean time to repair (hour)
- PFDG = PFDavg: average probability of failure on demand for the group of voted channels
- T1 = TI: proof-test interval // time interval between manual functional tests of the components (hour)
- tCE: channel equivalent mean down time (hour)
- tGE: voted group equivalent mean down time (hour)
Different Approaches
- Different values from different standards
- 2oo3 system

IEC/EN 61508:
$$PFD_{G,2oo3} = 6\left[(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right]^2 t_{CE}\, t_{GE} + \beta_D\,\lambda_{DD}\, MTTR + \beta\,\lambda_{DU}\left(\frac{T_1}{2} + MTTR\right)$$
with
$$t_{CE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{2} + MTTR\right) + \frac{\lambda_{DD}}{\lambda_D}\, MTTR, \qquad t_{GE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{3} + MTTR\right) + \frac{\lambda_{DD}}{\lambda_D}\, MTTR$$

ISA-TR84.0.02 (without considering MTTR for CCF):
$$PFD_{avg,2oo3} = (\lambda_{DU}\, TI)^2 + 3\,\lambda_{DU}\,\lambda_{DD}\, MTTR\, TI + \beta\,\lambda_{DU}\,\frac{TI}{2}$$
Simplified equation (without λDD):
$$PFD_{avg,2oo3} = (\lambda_{DU}\, TI)^2$$

Symbols as for the 1oo2 system (β, βD, λD, λDD, λDU, MTTR, PFDG = PFDavg, T1 = TI, tCE, tGE).
Different Approaches
- Different values from different standards
- Example calculation using the following values:

MTTF [years] | MTTR [h] | λS [1/h] | λDD [1/h] | λDU [1/h] | βD | β | SFF [%] | DC [%]
671,50 | 8 | 8,5E-08 | 8,415E-08 | 8,5E-10 | 0,01 | 0,02 | 99,5 | 99
671,50 | 8 | 8,5E-08 | 8,49915E-08 | 8,5E-12 | 0,01 | 0,02 | 99,995 | 99,99
Different Approaches
- Different values from different standards
- PFD calculation for a 1oo1 system:
[Figure: PFD diagram with DC = 99 % (y-axis PFD, 1,00E-07 to 1,00E-04) and PFD diagram with DC = 99,99 % (y-axis PFD, 1,00E-08 to 1,00E-05); x-axis: proof-test interval T1 / TI, 1 year to 10 years; curves: ISA-TR84, IEC 61508]
Legend: according to IEC/EN 61508 with MTTR and common-cause failure; according to ISA-TR84.0.02 with MTTR and common-cause failure; according to ISA-TR84.0.02 without MTTR and without common-cause failure.
Different Approaches
- Different values from different standards
- PFD calculation for a 1oo2 system:
[Figure: PFD diagram with DC = 99 % (y-axis PFD, 1,00E-14 to 1,00E-06) and PFD diagram with DC = 99,99 % (y-axis PFD, 1,00E-18 to 1,00E-07); x-axis: proof-test interval T1 / TI, 1 year to 10 years; curves: ISA-TR84, IEC 61508, simplified equation according to ISA-TR84]
Legend: according to IEC/EN 61508 with MTTR and common-cause failure; according to ISA-TR84.0.02 with MTTR and common-cause failure; according to ISA-TR84.0.02 without MTTR and without common-cause failure.
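The three curves of the PFD diagrams, recomputed from the IEC/EN 61508 and ISA-TR84.0.02 formulas of the preceding slides with the first two rows of the parameter table (an added example, not the author's code). A proof-test interval of 1 year = 8760 h and the class and function names are my assumptions.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Channel:
    """Per-channel parameters in the units of the slide table."""
    lam_dd: float   # dangerous detected failure rate [1/h]
    lam_du: float   # dangerous undetected failure rate [1/h]
    mttr: float     # mean time to restoration / repair [h]
    beta: float     # fraction of undetected failures with a common cause
    beta_d: float   # fraction of detected failures with a common cause

    @property
    def lam_d(self) -> float:
        return self.lam_dd + self.lam_du


def t_ce(ch: Channel, t1: float) -> float:
    """Channel equivalent mean down time (IEC/EN 61508)."""
    return (ch.lam_du / ch.lam_d) * (t1 / 2 + ch.mttr) + (ch.lam_dd / ch.lam_d) * ch.mttr


def t_ge(ch: Channel, t1: float) -> float:
    """Voted-group equivalent mean down time (IEC/EN 61508)."""
    return (ch.lam_du / ch.lam_d) * (t1 / 3 + ch.mttr) + (ch.lam_dd / ch.lam_d) * ch.mttr


VOTE_FACTOR = {"1oo2": 2.0, "2oo3": 6.0}   # leading factor of the independent-failure term


def pfd_iec61508(arch: str, ch: Channel, t1: float) -> float:
    """PFD_G per IEC/EN 61508, with MTTR and common-cause failure."""
    if arch == "1oo1":
        return ch.lam_d * t_ce(ch, t1)
    independent = (VOTE_FACTOR[arch]
                   * ((1 - ch.beta_d) * ch.lam_dd + (1 - ch.beta) * ch.lam_du) ** 2
                   * t_ce(ch, t1) * t_ge(ch, t1))
    ccf = ch.beta_d * ch.lam_dd * ch.mttr + ch.beta * ch.lam_du * (t1 / 2 + ch.mttr)
    return independent + ccf


def pfd_isa_tr84(arch: str, ch: Channel, ti: float, simplified: bool = False) -> float:
    """PFD_avg per ISA-TR84.0.02; simplified=True drops the lam_dd and CCF terms."""
    du_ti = ch.lam_du * ti
    if arch == "1oo1":
        return du_ti / 2                      # the slide gives only the simplified 1oo1 form
    if arch == "1oo2":
        base = du_ti ** 2 / 3
        extra = ch.lam_du * ch.lam_dd * ch.mttr * ti + ch.beta * du_ti / 2
    elif arch == "2oo3":
        base = du_ti ** 2
        extra = 3 * ch.lam_du * ch.lam_dd * ch.mttr * ti + ch.beta * du_ti / 2
    else:
        raise ValueError(f"unknown architecture {arch!r}")
    return base if simplified else base + extra


# Rows of the slide's parameter table: DC = 99 % and DC = 99,99 %.
ROW_DC99 = Channel(lam_dd=8.415e-8, lam_du=8.5e-10, mttr=8.0, beta=0.02, beta_d=0.01)
ROW_DC9999 = Channel(lam_dd=8.49915e-8, lam_du=8.5e-12, mttr=8.0, beta=0.02, beta_d=0.01)


def compare(arch: str, ch: Channel = ROW_DC99, years: float = 1.0) -> dict:
    """The three curves of the PFD diagrams for one proof-test interval (in years)."""
    t = years * HOURS_PER_YEAR
    return {
        "IEC 61508 (MTTR + CCF)": pfd_iec61508(arch, ch, t),
        "ISA-TR84 (MTTR + CCF)": pfd_isa_tr84(arch, ch, t),
        "ISA-TR84 simplified": pfd_isa_tr84(arch, ch, t, simplified=True),
    }


if __name__ == "__main__":
    for ch_name, ch in (("DC = 99 %", ROW_DC99), ("DC = 99,99 %", ROW_DC9999)):
        for arch in ("1oo1", "1oo2", "2oo3"):
            print(f"{arch}, {ch_name}")
            for years in range(1, 11):
                row = compare(arch, ch, years)
                print(f"  T1 = {years:2d} a  " + "  ".join(f"{k}: {v:.3e}" for k, v in row.items()))
```

For the 1oo2 system with DC = 99 % the simplified ISA curve lies more than three orders of magnitude below the IEC/EN 61508 curve, which is the gap the diagrams show.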
Second chance: λ figures
New result: λ is good!
λ, but which one?
- Different ways to calculate and find λ figures, e.g. MIL, SINTEF, SN 29500, etc.
- All of them are named λ but sometimes have different values!
Failure rate λD solved by PFD of 1oo1 components
To calculate λD:
$$PFD_{1oo1\text{-}comp} = \lambda_D\, t_{CE} = \lambda_D\left[\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{2} + MTTR\right) + \frac{\lambda_{DD}}{\lambda_D}\, MTTR\right] = \lambda_{DU}\left(\frac{T_1}{2} + MTTR\right) + \lambda_{DD}\, MTTR = \lambda_D\left[(1 - DC)\left(\frac{T_1}{2} + MTTR\right) + DC\cdot MTTR\right]$$
$$\lambda_D = \frac{PFD_{1oo1\text{-}comp}}{t_{CE}}$$
Must be known: DC, T1, MTTR and PFD1oo1-comp.

Symbols:
- PFD: probability of failure on demand
- T1: proof-test interval
- MTTR: mean time to repair
- tCE: channel equivalent mean down time
- DC: diagnostic coverage
- λD: failure rate, dangerous
- λDD: failure rate, dangerous, detected
- λDU: failure rate, dangerous, undetected
Failure rate λD solved by PFD of 1oo2 components
For SIL 3 / SIL 4 components:
$$PFD_{nf}\ (\text{normal failure}) \ll PFD_{ccf}\ (\text{common-cause failure})$$
$$PFD_{1oo2\text{-}comp} = \underbrace{2\left[(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right]^2 t_{CE}\, t_{GE}}_{PFD_{nf}} + \underbrace{\beta_D\,\lambda_{DD}\, MTTR + \beta\,\lambda_{DU}\left(\frac{T_1}{2} + MTTR\right)}_{PFD_{ccf}}$$
$$PFD_{1oo2\text{-}comp} \approx \beta_D\,\lambda_{DD}\, MTTR + \beta\,\lambda_{DU}\left(\frac{T_1}{2} + MTTR\right)$$

Symbols:
- PFD: probability of failure on demand
- T1: proof-test interval
- MTTR: mean time to repair
- tCE: channel equivalent mean down time
- tGE: voted group equivalent mean down time
- DC: diagnostic coverage
- λD: failure rate, dangerous
- λDD: failure rate, dangerous, detected
- λDU: failure rate, dangerous, undetected
- β: beta factor for CCF of λDU
- βD: beta-D factor for CCF of λDD
Failure rate λD solved by PFD of 1oo2 components (approximate approach)
$$PFD_{1oo2\text{-}comp} \approx \beta_D\,\lambda_{DD}\, MTTR + \beta\,\lambda_{DU}\left(\frac{T_1}{2} + MTTR\right) \approx \lambda_D\left[\beta_D\, DC\, MTTR + \beta\,(1 - DC)\left(\frac{T_1}{2} + MTTR\right)\right]$$
To calculate λD:
$$\lambda_D \approx \frac{PFD_{1oo2\text{-}comp}}{\beta_D\, DC\, MTTR + \beta\,(1 - DC)\left(\frac{T_1}{2} + MTTR\right)}$$
Must be known: DC, T1, MTTR, β, βD and PFD1oo2-comp.
Failure rate λD solved by PFD of 1oo2 components (rigorous approach)
$$PFD_{1oo2\text{-}comp} = 2\left[(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right]^2 t_{CE}\, t_{GE} + \beta_D\,\lambda_{DD}\, MTTR + \beta\,\lambda_{DU}\left(\frac{T_1}{2} + MTTR\right)$$
$$= 2\left[(1-\beta_D)\, DC + (1-\beta)(1 - DC)\right]^2 t_{CE}\, t_{GE}\;\lambda_D^2 + \left[\beta_D\, DC\, MTTR + \beta\,(1 - DC)\left(\frac{T_1}{2} + MTTR\right)\right]\lambda_D = A\,\lambda_D^2 + B\,\lambda_D$$
with
$$A = 2\left[(1-\beta_D)\, DC + (1-\beta)(1 - DC)\right]^2 t_{CE}\, t_{GE}$$
$$B = \beta_D\, DC\, MTTR + \beta\,(1 - DC)\left(\frac{T_1}{2} + MTTR\right)$$
$$t_{CE} = (1 - DC)\left(\frac{T_1}{2} + MTTR\right) + DC\cdot MTTR, \qquad t_{GE} = (1 - DC)\left(\frac{T_1}{3} + MTTR\right) + DC\cdot MTTR$$
A and B are independent of the failure rate; they depend only on system parameters!
Quadratic equation, can be solved for λD!
Failure rate λD solved by PFD of 1oo2 components (rigorous approach)
$$\lambda_D = \frac{-B \pm \sqrt{B^2 + 4\,A\cdot PFD_{1oo2\text{-}comp}}}{2A}$$
with
$$A = 2\left[(1-\beta_D)\, DC + (1-\beta)(1 - DC)\right]^2 t_{CE}\, t_{GE}, \qquad B = \beta_D\, DC\, MTTR + \beta\,(1 - DC)\left(\frac{T_1}{2} + MTTR\right)$$
$$t_{CE} = (1 - DC)\left(\frac{T_1}{2} + MTTR\right) + DC\cdot MTTR, \qquad t_{GE} = (1 - DC)\left(\frac{T_1}{3} + MTTR\right) + DC\cdot MTTR$$
A and B are independent of the failure rate; they depend only on system parameters!
The minus variant does not make sense, since λD would be negative.
Failure rate λD solved by PFD of 2oo3 components
For SIL 3 / SIL 4 components (as for the 1oo2 system):
$$PFD_{nf}\ (\text{normal failure}) \ll PFD_{ccf}\ (\text{common-cause failure})$$
$$PFD_{2oo3\text{-}comp} = \underbrace{6\left[(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right]^2 t_{CE}\, t_{GE}}_{PFD_{nf}} + \underbrace{\beta_D\,\lambda_{DD}\, MTTR + \beta\,\lambda_{DU}\left(\frac{T_1}{2} + MTTR\right)}_{PFD_{ccf}}$$
$$PFD_{2oo3\text{-}comp} \approx \beta_D\,\lambda_{DD}\, MTTR + \beta\,\lambda_{DU}\left(\frac{T_1}{2} + MTTR\right)$$
Failure rate λD solved by PFD of 2oo3 components
For SIL 3 / SIL 4 components:
[Figure: 2oo3 component made of Element 1, Element 2, Element 3]
$$PFD_{2oo3\text{-}comp} \approx \beta_D\,\lambda_{DD}\, MTTR + \beta\,\lambda_{DU}\left(\frac{T_1}{2} + MTTR\right) \approx \lambda_D\left[\beta_D\, DC\, MTTR + \beta\,(1 - DC)\left(\frac{T_1}{2} + MTTR\right)\right]$$
To calculate λD:
$$\lambda_D \approx \frac{PFD_{2oo3\text{-}comp}}{\beta_D\, DC\, MTTR + \beta\,(1 - DC)\left(\frac{T_1}{2} + MTTR\right)}$$
Must be known: DC, T1, MTTR, β, βD and PFD2oo3-comp.
Failure rate λD solved by PFD of 2oo3 components (rigorous approach)
$$PFD_{2oo3\text{-}comp} = 6\left[(1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right]^2 t_{CE}\, t_{GE} + \beta_D\,\lambda_{DD}\, MTTR + \beta\,\lambda_{DU}\left(\frac{T_1}{2} + MTTR\right)$$
$$= 6\left[(1-\beta_D)\, DC + (1-\beta)(1 - DC)\right]^2 t_{CE}\, t_{GE}\;\lambda_D^2 + \left[\beta_D\, DC\, MTTR + \beta\,(1 - DC)\left(\frac{T_1}{2} + MTTR\right)\right]\lambda_D = A\,\lambda_D^2 + B\,\lambda_D$$
with
$$A = 6\left[(1-\beta_D)\, DC + (1-\beta)(1 - DC)\right]^2 t_{CE}\, t_{GE}$$
$$B = \beta_D\, DC\, MTTR + \beta\,(1 - DC)\left(\frac{T_1}{2} + MTTR\right)$$
$$t_{CE} = (1 - DC)\left(\frac{T_1}{2} + MTTR\right) + DC\cdot MTTR, \qquad t_{GE} = (1 - DC)\left(\frac{T_1}{3} + MTTR\right) + DC\cdot MTTR$$
A and B are independent of the failure rate; they depend only on system parameters!
Quadratic equation, can be solved for λD!
Failure rate λD solved by PFD of 2oo3 components (rigorous approach)
$$\lambda_D = \frac{-B \pm \sqrt{B^2 + 4\,A\cdot PFD_{2oo3\text{-}comp}}}{2A}$$
with
$$A = 6\left[(1-\beta_D)\, DC + (1-\beta)(1 - DC)\right]^2 t_{CE}\, t_{GE}, \qquad B = \beta_D\, DC\, MTTR + \beta\,(1 - DC)\left(\frac{T_1}{2} + MTTR\right)$$
$$t_{CE} = (1 - DC)\left(\frac{T_1}{2} + MTTR\right) + DC\cdot MTTR, \qquad t_{GE} = (1 - DC)\left(\frac{T_1}{3} + MTTR\right) + DC\cdot MTTR$$
A and B are independent of the failure rate; they depend only on system parameters!
The minus variant does not make sense, since λD would be negative.
Failure rate λD solved by PFD of a simple mixed SIS
[Figure: simple mixed SIS consisting of a 1oo1 component and a 1oo2 component (Element 1, Element 2), with PFD_nf and PFD_ccf]
$$PFD_{total,\,simple\,SIS} = PFD_1 + PFD_2$$
Known are: PFDtotal, DCtotal, SFFtotal, T1, MTTR
Question: what are the ratios PFD1/PFD2, DC1/DC2 and λD1/λD2?
Answer: generally unknown!
Failure rate λD solved by PFD of a simple mixed SIS
For SIL 3 / SIL 4 components:
$$PFD_{total,\,simple\,SIS} \approx \lambda_{D1}\left[(1 - DC_1)\left(\frac{T_1}{2} + MTTR\right) + DC_1\, MTTR\right] + \lambda_{D2}\left[\beta_D\, DC_2\, MTTR + \beta\,(1 - DC_2)\left(\frac{T_1}{2} + MTTR\right)\right]$$
λD1, DC1, λD2 and DC2 are unknown.
Failure rate λD solved by PFD of a complex SIS
$$PFD_{total,\,complex\,SIS} = \sum_i PFD_{Subsystem\,i}$$
Known are: PFDtotal, DCtotal, SFFtotal, T1, MTTR
No chance to determine the failure rate λD, not even approximately!
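The backward calculation of the preceding slides as worked code (an added example, not the author's code): lambda_from_pfd inverts the 1oo1 relation and the A·λD² + B·λD quadratic for 1oo2 and 2oo3, keeping the positive root, and mixed_sis_split shows why the simple mixed SIS is not identifiable, since different splits of PFD_total reproduce the same total with different (λD1, λD2). The parameter values (DC = 0,99, T1 = 8760 h, MTTR = 8 h, β = 0,02, βD = 0,01) follow the slide table; the function names and the PFD_total of 1E-07 used for the mixed SIS are my assumptions.

```python
from math import sqrt

HOURS_PER_YEAR = 8760.0
VOTE_FACTOR = {"1oo2": 2.0, "2oo3": 6.0}   # leading factor of the independent-failure term
# Values from the slide table (DC = 99 %), one-year proof-test interval assumed.
SLIDE_PARAMS = dict(dc=0.99, t1=HOURS_PER_YEAR, mttr=8.0, beta=0.02, beta_d=0.01)


def t_ce(dc, t1, mttr):
    """Channel equivalent mean down time, written with DC = lam_DD / lam_D."""
    return (1 - dc) * (t1 / 2 + mttr) + dc * mttr


def t_ge(dc, t1, mttr):
    """Voted-group equivalent mean down time, written with DC."""
    return (1 - dc) * (t1 / 3 + mttr) + dc * mttr


def coefficients(arch, dc, t1, mttr, beta, beta_d):
    """A and B of PFD = A*lam_D**2 + B*lam_D; they depend on system parameters only."""
    a = (VOTE_FACTOR[arch] * ((1 - beta_d) * dc + (1 - beta) * (1 - dc)) ** 2
         * t_ce(dc, t1, mttr) * t_ge(dc, t1, mttr))
    b = beta_d * dc * mttr + beta * (1 - dc) * (t1 / 2 + mttr)
    return a, b


def pfd_from_lambda(arch, lam_d, dc, t1, mttr, beta=0.0, beta_d=0.0):
    """Forward direction (IEC/EN 61508 form used on the slides)."""
    if arch == "1oo1":
        return lam_d * t_ce(dc, t1, mttr)
    a, b = coefficients(arch, dc, t1, mttr, beta, beta_d)
    return a * lam_d ** 2 + b * lam_d


def lambda_from_pfd(arch, pfd, dc, t1, mttr, beta=0.0, beta_d=0.0, approximate=False):
    """Backward direction: recover lam_D from a published component PFD."""
    if arch == "1oo1":
        return pfd / t_ce(dc, t1, mttr)
    a, b = coefficients(arch, dc, t1, mttr, beta, beta_d)
    if approximate:
        # SIL 3/4 shortcut from the slides: PFD_nf << PFD_ccf, so drop the quadratic term.
        return pfd / b
    # Positive root of a*x**2 + b*x - pfd = 0; the '-' root is negative and discarded.
    # 2*pfd / (b + sqrt(...)) equals (-b + sqrt(...)) / (2a) but avoids cancellation
    # when a*pfd << b**2, which is exactly the SIL 3/4 situation.
    return 2 * pfd / (b + sqrt(b * b + 4 * a * pfd))


def discarded_root(arch, pfd, dc, t1, mttr, beta, beta_d):
    """The '-' branch of the quadratic formula, shown only to confirm it is negative."""
    a, b = coefficients(arch, dc, t1, mttr, beta, beta_d)
    return (-b - sqrt(b * b + 4 * a * pfd)) / (2 * a)


def mixed_sis_split(pfd_total, share_1oo1, dc1, dc2, t1, mttr, beta, beta_d):
    """Simple mixed SIS (1oo1 in series with 1oo2): any split of PFD_total between the
    two subsystems reproduces the same total, so (lam_D1, lam_D2) is not identifiable."""
    lam1 = lambda_from_pfd("1oo1", share_1oo1 * pfd_total, dc1, t1, mttr)
    lam2 = lambda_from_pfd("1oo2", (1 - share_1oo1) * pfd_total, dc2, t1, mttr, beta, beta_d)
    total = (pfd_from_lambda("1oo1", lam1, dc1, t1, mttr)
             + pfd_from_lambda("1oo2", lam2, dc2, t1, mttr, beta, beta_d))
    return lam1, lam2, total


if __name__ == "__main__":
    lam_d = 8.5e-8   # lam_DD + lam_DU from the slide table
    for arch in ("1oo1", "1oo2", "2oo3"):
        pfd = pfd_from_lambda(arch, lam_d, **SLIDE_PARAMS)
        exact = lambda_from_pfd(arch, pfd, **SLIDE_PARAMS)
        line = f"{arch}: PFD = {pfd:.4e}  lam_D exact = {exact:.4e}"
        if arch != "1oo1":
            line += f"  approx = {lambda_from_pfd(arch, pfd, approximate=True, **SLIDE_PARAMS):.4e}"
        print(line)
    for share in (0.9, 0.5, 0.1):
        lam1, lam2, total = mixed_sis_split(1e-7, share, 0.99, 0.99, HOURS_PER_YEAR, 8.0, 0.02, 0.01)
        print(f"mixed SIS share {share}: lam_D1 = {lam1:.3e}, lam_D2 = {lam2:.3e}, total = {total:.3e}")
```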
Problems with Recalculated Failure RatesProf. Dr.-Ing. habil. J. Börcsök
Failure rate λD solved by PFD of 1oo1-Components
� To calculate λλλλD:
( )
⋅+
+⋅−⋅=
⋅+
+⋅=
⋅+
+⋅⋅=
⋅=−
MTTRDCMTTRT
DC
MTTRMTTRT
MTTRMTTRT
tPFD
D
DDDU
D
DD
D
DUD
CED
21
2
2
1
1
1
comp.1oo1
λ
λλ
λλ
λλλ
λ
53
PFD: Failure Probability on Demand
T1: Proof-Test-Interval
MTTR: Mean Time to Repair
tCE: Channel equivalent mean down time
DC: Diagnostic coverage
λD: Failure rate, dangerous
λDD: Failure rate, dangerous,
detected
λDU: Failure rate, dangerous,
undetected
CED t
PFD comp.1oo1−=λ must be known: DC, T1, MTTR and PFD1oo1-Comp.
Problems with Recalculated Failure RatesProf. Dr.-Ing. habil. J. Börcsök
Failure rate λD solved by PFD of 1oo2-Comp.(approximate approach)
54
( )
+⋅−⋅+⋅⋅⋅≈
+⋅⋅+⋅⋅≈−
MTTRT
DCMTTRDC
MTTRT
MTTRPFD
DD
DUDDD
21
2
1
1comp.1oo2
ββλ
λβλβ
To calculate λλλλD:
( )
+⋅−⋅+⋅⋅≈ −
MTTRT
DCMTTRDC
PFD
D
D
21 1
comp.1oo2
ββλ
Must be known:
DC, T1, MTTR , ββββ, ββββD
and PFD1oo2-comp.
PFD: Failure Probability on
Demand
T1: Proof-Test-Interval
MTTR: Mean Time to Repair
tCE: Channel equivalent mean
down time
tGE: Voted group equivalent mean
down time
DC: Diagnostics coverage
λD: Failure rate, dangerous
λDD: Failure rate, dangerous,
detected
λDU: Failure rate, dangerous,
undetected
β: Beta-Factor for CCF λDU
βD: Beta-D-Factor for CCF λDD
Problems with Recalculated Failure RatesProf. Dr.-Ing. habil. J. Börcsök
( ) ( )[ ]
( ) ( ) ( )[ ]
( )
DD
DD
GECEDD
DUDDD
GECEDUDDD
BA
MTTRT
DCMTTRDC
ttDCDC
MTTRT
MTTR
ttPFD
λλ
ββλ
λββ
λβλβ
λβλβ
⋅+⋅=
+⋅−⋅+⋅⋅⋅+
⋅⋅⋅−⋅−+⋅−⋅=
+⋅⋅+⋅⋅+
⋅⋅⋅−+⋅−⋅=−
2
1
22
1
2comp.1oo2
21
1112
2
112
( ) ( ) ( )[ ] GECED ttDCDCA ⋅⋅−⋅−+⋅−⋅= 21112 ββ
( )
+⋅−⋅+⋅⋅= MTTRT
DCMTTRDCB D 21 1ββ
( ) MTTRDCMTTRT
DCtCE ⋅+
+⋅−=2
1 1
55
( ) MTTRDCMTTRT
DCtGE ⋅+
+⋅−=3
1 1
with
Parameter independent from failure rate, only dependent from system parameters!
Quadratic Equation, can be solved for λλλλD !
Failure rate λD solved by PFD of 1oo2-Comp.(rigerous approach)
PFD: Failure Probability on
Demand
T1: Proof-Test-Interval
MTTR: Mean Time to Repair
tCE: Channel equivalent mean
down time
tGE: Voted group equivalent mean
down time
DC: Diagnostics coverage
λD: Failure rate, dangerous
λDD: Failure rate, dangerous,
detected
λDU: Failure rate, dangerous,
undetected
β: Beta-Factor for CCF λDU
βD: Beta-D-Factor for CCF λDD
Problems with Recalculated Failure RatesProf. Dr.-Ing. habil. J. Börcsök
A
PFDABBD ⋅
⋅⋅+±−=
−
2
4 comp.1oo22
λ
( ) ( ) ( )[ ] GECED ttDCDCA ⋅⋅−⋅−+⋅−⋅= 21112 ββ
( )
+⋅−⋅+⋅⋅= MTTRT
DCMTTRDCB D 21 1ββ
( ) MTTRDCMTTRT
DCtCE ⋅+
+⋅−=2
1 1
56
( ) MTTRDCMTTRT
DCtGE ⋅+
+⋅−=3
1 1
with
� For the experts: Minus-Variable does not make sense , since λD would be negative.
Parameter independent from failure rate, only dependent from system parameters!
Failure rate λD solved by PFD of 1oo2-Comp.(rigerous approach)
PFD: Failure Probability on
Demand
T1: Proof-Test-Interval
MTTR: Mean Time to Repair
tCE: Channel equivalent mean
down time
tGE: Voted group equivalent mean
down time
DC: Diagnostics coverage
λD: Failure rate, dangerous
λDD: Failure rate, dangerous,
detected
λDU: Failure rate, dangerous,
undetected
β: Beta-Factor for CCF λDU
βD: Beta-D-Factor for CCF λDD
Failure rate λD solved by PFD of 2oo3-Components

• For SIL 3 / SIL 4 components (as for the 1oo2 system):
$PFD_{nf}\ (\text{normal failure}) \ll PFD_{ccf}\ (\text{common cause failure})$

$PFD_{2oo3\text{-}comp.} = \underbrace{6\,[(1-\beta_D)\,\lambda_{DD} + (1-\beta)\,\lambda_{DU}]^2\, t_{CE}\, t_{GE}}_{PFD_{nf}\ (\text{normal failure})} + \underbrace{\beta_D\,\lambda_{DD}\,MTTR + \beta\,\lambda_{DU}\,(T_1/2 + MTTR)}_{PFD_{ccf}\ (\text{common cause failure})}$

$PFD_{2oo3\text{-}comp.} \approx \beta_D\,\lambda_{DD}\,MTTR + \beta\,\lambda_{DU}\,(T_1/2 + MTTR)$
57
Failure rate λD solved by PFD of 2oo3-Components

• For SIL 3 / SIL 4 components:
$PFD_{2oo3\text{-}comp.} \approx \beta_D\,\lambda_{DD}\,MTTR + \beta\,\lambda_{DU}\,(T_1/2 + MTTR) \approx \lambda_D\,[\beta_D\,DC\,MTTR + \beta\,(1-DC)\,(T_1/2 + MTTR)]$

To calculate λD:
$\lambda_D \approx \dfrac{PFD_{2oo3\text{-}comp.}}{\beta_D\,DC\,MTTR + \beta\,(1-DC)\,(T_1/2 + MTTR)}$

Must be known: DC, T1, MTTR, β, βD and PFD1oo2-comp.
58
Failure rate λD solved by PFD of 2oo3-Comp. (rigorous approach)

$PFD_{2oo3\text{-}comp.} = 6\,[(1-\beta_D)\,\lambda_{DD} + (1-\beta)\,\lambda_{DU}]^2\, t_{CE}\, t_{GE} + \beta_D\,\lambda_{DD}\,MTTR + \beta\,\lambda_{DU}\,(T_1/2 + MTTR)$

With $\lambda_{DD} = DC\,\lambda_D$ and $\lambda_{DU} = (1-DC)\,\lambda_D$:

$PFD_{2oo3\text{-}comp.} = 6\,[(1-\beta_D)\,DC + (1-\beta)\,(1-DC)]^2\, t_{CE}\, t_{GE}\,\lambda_D^2 + [\beta_D\,DC\,MTTR + \beta\,(1-DC)\,(T_1/2 + MTTR)]\,\lambda_D = A\,\lambda_D^2 + B\,\lambda_D$

with
$A = 6\,[(1-\beta_D)\,DC + (1-\beta)\,(1-DC)]^2\, t_{CE}\, t_{GE}$
$B = \beta_D\,DC\,MTTR + \beta\,(1-DC)\,(T_1/2 + MTTR)$
$t_{CE} = (1-DC)\,(T_1/2 + MTTR) + DC\,MTTR$
$t_{GE} = (1-DC)\,(T_1/3 + MTTR) + DC\,MTTR$

Quadratic equation, can be solved for λD!
A and B are independent of the failure rate; they depend only on system parameters!
59
Failure rate λD solved by PFD of 2oo3-Comp. (rigorous approach)

$\lambda_D = \dfrac{-B \pm \sqrt{B^2 + 4\,A\,PFD_{2oo3\text{-}comp.}}}{2\,A}$

• The minus sign does not make sense, since λD would be negative.

with
$A = 6\,[(1-\beta_D)\,DC + (1-\beta)\,(1-DC)]^2\, t_{CE}\, t_{GE}$
$B = \beta_D\,DC\,MTTR + \beta\,(1-DC)\,(T_1/2 + MTTR)$
$t_{CE} = (1-DC)\,(T_1/2 + MTTR) + DC\,MTTR$
$t_{GE} = (1-DC)\,(T_1/3 + MTTR) + DC\,MTTR$

A and B are independent of the failure rate; they depend only on system parameters!
60
Failure rate λD solved by PFD of simple mixed SIS

[Figure: simple mixed SIS made of Element 1 (1oo1-components, PFD1) in series with Element 2 (1oo2-components, PFD2); the 1oo2 element carries the PFD_nf and PFD_ccf contributions]

$PFD_{total,\,simple\ SIS} = PFD_1 + PFD_2$

Known are: PFDtotal, DCtotal, SFFtotal, T1, MTTR

Question: What is the ratio of $\lambda_{D1}$ to $\lambda_{D2}$, and of $DC_1$ to $DC_2$?
Answer: Generally unknown!
61
Failure rate λD solved by PFD of simple mixed SIS

For SIL 3 / SIL 4 components:

$PFD_{total,\,simple\ SIS} \approx \lambda_{D1}\,[DC_1\,MTTR + (1-DC_1)\,(T_1/2 + MTTR)] + \lambda_{D2}\,[\beta_D\,DC_2\,MTTR + \beta\,(1-DC_2)\,(T_1/2 + MTTR)]$

λD1 and λD2: unknown

[Figure: Element 1 (1oo1-components) in series with Element 2 (1oo2-components, PFD_nf and PFD_ccf)]
62
Failure rate λD solved by PFD of complex SIS

$PFD_{total,\,complex\ SIS} = \sum_i PFD_{Subsystem\,i}$

Known are: PFDtotal, DCtotal, SFFtotal, T1, MTTR

There is no chance to determine the failure rate λD, not even approximately!
63
Calculation Ex. 10 (mixed Sys., approx. solution, λD_1oo1 < λD_1oo2)

1oo1-Components             1oo2-Components             Mixed System
λD_1oo1  4.10E-07 1/h       λD_1oo2  4.85E-06 1/h       λD_total  5.26E-06 1/h
DC       99 %               DC       99 %               DC        99 %
                            βD       1 %                βD        1 %
                            β        2 %                β         2 %
T1       10 years           T1       10 years           T1        10 years
MTTR     8 h                MTTR     8 h                MTTR      8 h
tCE      466 h              tCE      466 h              tCE       466 h
                            tGE      300 h              tGE       300 h
                            PFD_nF   6.168112E-06       PFD_nF    1.890281E-04
                            PFD_ccF  4.287788E-05       PFD_ccF   4.287788E-05
PFDavg   1.8286E-04         PFDavg   4.904599E-05       PFDavg    2.319060E-04
64
Calculation Ex. 10a (mixed Sys., approx. solution, λD_1oo1 < λD_1oo2)

Mixed System
λD_1oo1  4.10E-07 1/h    λD_1oo2  4.85E-06 1/h    λD_total  5.26E-06 1/h
DC 99 %, βD 1 %, β 2 %, T1 10 years, MTTR 8 h, tCE 466 h, tGE 300 h
PFD_nF 1.890281E-04, PFD_ccF 4.287788E-05, PFDavg 2.319060E-04

To calculate λD (backwards calculation with 1oo1 equation):

$\lambda_D = \dfrac{PFD_{mixed\ system}}{t_{CE}}$

λD = 5.199686E-07 1/h
Δ ≈ Factor 10
65
Calculation Ex. 10b (mixed Sys., approx. solution, λD_1oo1 < λD_1oo2)

Mixed System
λD_1oo1  4.10E-07 1/h    λD_1oo2  4.85E-06 1/h    λD_total  5.26E-06 1/h
DC 99 %, βD 1 %, β 2 %, T1 10 years, MTTR 8 h, tCE 466 h, tGE 300 h
PFD_nF 1.890281E-04, PFD_ccF 4.287788E-05, PFDavg 2.319060E-04

To calculate λD (backwards calculation with 1oo2-approx. equation):

$\lambda_D \approx \dfrac{PFD_{mixed\ system}}{\beta_D\,DC\,MTTR + \beta\,(1-DC)\,(T_1/2 + MTTR)}$

λD = 2.62313E-05 1/h
Δ ≈ 80 %
66
Calculation Ex. 10c (mixed Sys., approx. solution, λD_1oo1 < λD_1oo2)

Mixed System
λD_1oo1  4.10E-07 1/h    λD_1oo2  4.85E-06 1/h    λD_total  5.26E-06 1/h
DC 99 %, βD 1 %, β 2 %, T1 10 years, MTTR 8 h, tCE 466 h, tGE 300 h
PFD_nF 1.890281E-04, PFD_ccF 4.287788E-05, PFDavg 2.319060E-04

To calculate λD (backwards calculation with 1oo2-exact equation):

$\lambda_D = \dfrac{-B \pm \sqrt{B^2 + 4\,A\,PFD_{1oo2\text{-}comp.}}}{2\,A}$

λD = 1.732677E-05 1/h
Δ ≈ 70 %
67
Calculation Ex. 11 (mixed Sys., approx. solution, λD_1oo1 << λD_1oo2)

Mixed System
λD_1oo1  4.10E-10 1/h    λD_1oo2  4.85E-06 1/h    λD_total  4.850410E-06 1/h
DC 99 %, βD 1 %, β 2 %, T1 10 years, MTTR 8 h, tCE 466 h, tGE 300 h
A = 262221.778 h²,  B = 8.8408 h
PFDavg 2.319060E-04

To calculate λD (backwards calculation with 1oo2-exact equation):

$\lambda_D = \dfrac{-B \pm \sqrt{B^2 + 4\,A\,PFD_{1oo2\text{-}comp.}}}{2\,A}$

λD = 4.866056E-06 1/h
Δ ≈ 0.32 %
68
Calculation Ex. 12 (mixed Sys., approx. solution, λD_1oo1 >> λD_1oo2)

Mixed System
λD_1oo1  4.10E-07 1/h    λD_1oo2  4.85E-09 1/h    λD_total  4.1485E-07 1/h
DC 99 %, βD 1 %, β 2 %, T1 10 years, MTTR 8 h, tCE 466 h, tGE 300 h
A = 262221.778 h²,  B = 8.8408 h
PFDavg 2.319060E-04

To calculate λD (backwards calculation with 1oo1 equation):

$\lambda_D = \dfrac{PFD_{mixed\ system}}{t_{CE}}$

λD = 4.100962E-07 1/h
Δ ≈ -1.16 %
69
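The forward PFD of the mixed system and the three backwards calculations of Ex. 10 to 12, carried through in code (an added example, not the author's or any tool's code; the function names are mine, and 8760 h per year, DC = 99 %, T1 = 10 years, MTTR = 8 h, β = 2 %, βD = 1 % are the slide inputs taken as defaults):

```python
"""IEC 61508 PFD of a mixed SIS (1oo1 element + 1oo2 element) per slides 55-62,
then lambda_D recovered backwards with the 1oo1, the approximate 1oo2 and the
exact (quadratic) 1oo2 equation.  Added example, not the author's code."""
import math

HOURS_PER_YEAR = 8760.0          # assumption: 365 d x 24 h

def t_ce(dc, t1, mttr):
    """Channel equivalent mean down time; lambda_D cancels out (slide 55)."""
    return (1 - dc) * (t1 / 2 + mttr) + dc * mttr

def t_ge(dc, t1, mttr):
    """Voted group equivalent mean down time (slide 55)."""
    return (1 - dc) * (t1 / 3 + mttr) + dc * mttr

def coeff_1oo2(dc, t1, mttr, beta, beta_d):
    """A and B of PFD_1oo2 = A*lambda_D^2 + B*lambda_D (slide 55)."""
    a = (2 * ((1 - beta_d) * dc + (1 - beta) * (1 - dc)) ** 2
         * t_ce(dc, t1, mttr) * t_ge(dc, t1, mttr))
    b = beta_d * dc * mttr + beta * (1 - dc) * (t1 / 2 + mttr)
    return a, b

def pfd_1oo1(lam, dc, t1, mttr):
    return lam * t_ce(dc, t1, mttr)

def pfd_1oo2(lam, dc, t1, mttr, beta, beta_d):
    a, b = coeff_1oo2(dc, t1, mttr, beta, beta_d)
    return a * lam ** 2 + b * lam   # PFD_nf + PFD_ccf

def back_1oo1(pfd, dc, t1, mttr):
    return pfd / t_ce(dc, t1, mttr)

def back_1oo2_approx(pfd, dc, t1, mttr, beta, beta_d):
    # SIL 3/4 approximation PFD_nf << PFD_ccf, i.e. PFD ~ B*lambda_D (slide 58)
    return pfd / coeff_1oo2(dc, t1, mttr, beta, beta_d)[1]

def back_1oo2_exact(pfd, dc, t1, mttr, beta, beta_d):
    # positive root of A*x^2 + B*x - PFD = 0; the '-' root is negative (slide 56)
    a, b = coeff_1oo2(dc, t1, mttr, beta, beta_d)
    return (-b + math.sqrt(b * b + 4 * a * pfd)) / (2 * a)

def recalculate(lam_1oo1, lam_1oo2, dc=0.99, t1_years=10, mttr=8.0,
                beta=0.02, beta_d=0.01):
    """Return (PFD_total, {method: (lambda_D recovered, abs. delta factor)});
    the delta factor is |lambda_calc - lambda_total| / lambda_calc (slide 70)."""
    t1 = t1_years * HOURS_PER_YEAR
    lam_total = lam_1oo1 + lam_1oo2
    pfd = (pfd_1oo1(lam_1oo1, dc, t1, mttr)
           + pfd_1oo2(lam_1oo2, dc, t1, mttr, beta, beta_d))
    recovered = {
        "1oo1 eq.": back_1oo1(pfd, dc, t1, mttr),
        "approx. 1oo2 eq.": back_1oo2_approx(pfd, dc, t1, mttr, beta, beta_d),
        "exact 1oo2 eq.": back_1oo2_exact(pfd, dc, t1, mttr, beta, beta_d),
    }
    return pfd, {k: (v, abs(v - lam_total) / v) for k, v in recovered.items()}

if __name__ == "__main__":
    for name, l1, l2 in (("Ex. 10", 4.10e-7, 4.85e-6), ("Ex. 11", 4.10e-10, 4.85e-6),
                         ("Ex. 12", 4.10e-7, 4.85e-9)):
        pfd, res = recalculate(l1, l2)
        print(f"{name}: PFD_total = {pfd:.6e}")
        for method, (lam, dev) in res.items():
            print(f"  {method:17s} lambda_D = {lam:.6e} 1/h  delta = {dev:8.2%}")
```

With the slide inputs the script reproduces tCE = 446 h (so the PFDavg of 1.8286E-04 follows from 4.10E-07 1/h), A = 262221.778 h², B = 8.8408 h and the recovered λD values of Ex. 10a to 12; changing the ratio of the two element failure rates shows which equation, if any, gets close to λD_total.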
Comparison, Complex System

[Chart: Abs. Δ-Factor [%] of the three back-calculation methods, case λD_1oo1 < λD_1oo2; values as in the table below]

Mixed System: λD_1oo1 4.10E-07 1/h, λD_1oo2 4.85E-06 1/h, λD_total 5.26E-06 1/h

Method                       λD_total, calc. [1/h]   Abs. Δ-Factor [%]
Calc. with 1oo1-Eq.          5.20E-07                911.60
Calc. with appr. 1oo2-Eq.    2.62E-05                79.95
Calc. with exact 1oo2-Eq.    1.73E-05                69.64

• λD_1oo1 < λD_1oo2
Under this condition we have NO chance to calculate back!!
70
Comparison, Complex System

[Chart: Abs. Δ-Factor [%] of the three back-calculation methods, case λD_1oo1 << λD_1oo2; values as in the table below]

Mixed System: λD_1oo1 4.10E-10 1/h, λD_1oo2 4.85E-06 1/h, λD_total 4.85E-06 1/h

Method                       λD_total, calc. [1/h]   Abs. Δ-Factor [%]
Calc. with 1oo1-Eq.          1.10E-07                4294.34
Calc. with appr. 1oo2-Eq.    5.57E-06                12.89
Calc. with exact 1oo2-Eq.    4.87E-06                0.32

• λD_1oo1 << λD_1oo2
Under this condition we get different values in back calculation!!
71
Comparison, Complex System

[Chart: Abs. Δ-Factor [%] of the three back-calculation methods, case λD_1oo1 >> λD_1oo2; values as in the table below]

Mixed System: λD_1oo1 4.10E-07 1/h, λD_1oo2 4.85E-09 1/h, λD_total 4.15E-07 1/h

Method                       λD_total, calc. [1/h]   Abs. Δ-Factor [%]
Calc. with 1oo1-Eq.          4.10E-07                1.16
Calc. with appr. 1oo2-Eq.    2.07E-05                97.99
Calc. with exact 1oo2-Eq.    1.45E-05                97.13

• λD_1oo1 >> λD_1oo2
Under this condition we get different values in back calculation!!
72
Extract from XY-System on the Internet

This table provides simplified equations for calculating the PFDavg for the key elements in a SIS. Once the PFDavg for each element is known, a SIL can be determined.

Table 1 Simplified equations for calculating PFDavg
Description | Equation | Variables (supplied by the manufacturer)
Sensors: To calculate PFDavg for sensors (2oo3) | PFDavg = (λDU · TI)² | λ = failure rate; DU = dangerous, undetected failure rate; TI = test interval in hours
Block Valves: To calculate PFDavg for block valves (1oo2) in series (final elements) | PFDavg = 1/3 (λDU · TI)² | λ = failure rate; DU = dangerous, undetected failure rate; TI = test interval in hours
System: To calculate PFDavg for a system | System PFDavg = Sensors PFDavg + Block valves PFDavg + Controller PFDavg |

To determine the SIL, compare the calculated PFDavg to the figure on page 5. In this example, the system is acceptable as a SIS for use in SIL3 applications.

Table 2 Determining the SIL using the Equations
                                λDU        TI     PFD Result
Pressure Transmitters (2oo3)    2.28E-06   4380   1.00E-04
Temperature transmitter (2oo3)  2.85E-06   4380   1.56E-04
Total for sensors                                 2.56E-04
Block valve (1oo2)              2.28E-06   4380   3.33E-05
Total for Block valves                            3.33E-05
Controller                                        2.00E-05
PFDavg for System                                 3.09E-04

Data from the Internet: Datasheet XY-System

$PFD_{avg} = (\lambda_{DU}\,TI)^2$
$PFD_{avg} = \tfrac{1}{3}\,(\lambda_{DU}\,TI)^2$

• Simplified ISA-Equations:
• PFD-calculations for only one proof test interval, for TI = ½ year!
• no specification for TI
• no specification for PFD-value
• only specification for λ_DU
73
Extract from XY-System on the Internet (Table 1 and Table 2 of the datasheet as above; Data from the Internet: Datasheet XY-System)

• Simplified ISA-Equations:
$PFD_{avg,\,2oo3} = (\lambda_{DU}\,TI)^2$
with
• λ_DU = 2.00E-05 1/h
• TI = ½ year
is
• PFDavg, Controller = 7.67E-03

Results for the complete loop:
• PFDavg, total = 7.96E-03
But specified:
• PFDavg, total = 3.09E-04

Discrepancy! SIL 2!!
74
Comparison HIMax – XY-Controller, exact eq.

                 XY-Controller (2oo3)          HIMax
λ_DU [1/h]       2.00E-05                      X-AI 32 01 (1oo2): 6.86E-09
                                               X-CPU 01 (1oo2): 4.55E-09
                                               X-SB 01 (1oo2): 3.93E-09
                                               X-DO 24 01 (1oo2): 6.77E-09
λ_DD [1/h]       with DC = 99 %: 1.93E-03      X-AI 32 01 (1oo2): 9.56E-07
                                               X-CPU 01 (1oo2): 1.21E-06
                                               X-SB 01 (1oo2): 8.20E-07
                                               X-DO 24 01 (1oo2): 9.48E-07
β                2 %                           2 %
T1               ½ Year                        ½ Year
PFDavg           1.27E-02                      9.70E-07

$PFD_{avg,\,2oo3} = (\lambda_{DU}\,TI)^2 + 3\,\lambda_{DU}\,\lambda_{DD}\,TI\,MTTR + \beta\,\lambda_{DU}\,\dfrac{TI}{2}$

$PFD_{avg,\,1oo2} = \tfrac{1}{3}\,(\lambda_{DU}\,TI)^2 + \lambda_{DU}\,\lambda_{DD}\,TI\,MTTR + \beta\,\lambda_{DU}\,\dfrac{TI}{2}$

SIL 1!! Δ ≈ 10^4 in favour (of HIMax)
75
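The datasheet's simplified equations and the 2oo3 / 1oo2 equations of this slide, applied to the XY-System loop and to the HIMax modules (an added example, not the author's or the vendor's code; the function names are mine, and MTTR = 8 h, λ_DD derived from DC = 99 % and 8760 h per year are assumptions, since the extract states none of them):

```python
"""Simplified ISA-style PFD equations from the 'XY-System' datasheet extract
(slides 73-75): reproduce the datasheet loop, redo it with the controller's own
lambda_DU, and compare the 2oo3 / 1oo2 equations that carry the extra terms.
Added example, not the author's or the vendor's code."""

HOURS_PER_YEAR = 8760.0                 # assumption
TI_HALF_YEAR = HOURS_PER_YEAR / 2       # 4380 h, the TI used in the datasheet

def pfd_2oo3_simple(lam_du, ti):
    """Datasheet Table 1, sensors (2oo3): PFDavg = (lambda_DU * TI)^2."""
    return (lam_du * ti) ** 2

def pfd_1oo2_simple(lam_du, ti):
    """Datasheet Table 1, block valves (1oo2): PFDavg = 1/3 (lambda_DU * TI)^2."""
    return (lam_du * ti) ** 2 / 3

def pfd_2oo3_full(lam_du, lam_dd, ti, mttr, beta):
    """Slide 75 2oo3 equation with the lambda_DD*MTTR and CCF (beta) terms."""
    return (lam_du * ti) ** 2 + 3 * lam_du * lam_dd * ti * mttr + beta * lam_du * ti / 2

def pfd_1oo2_full(lam_du, lam_dd, ti, mttr, beta):
    """Slide 75 1oo2 equation with the lambda_DD*MTTR and CCF (beta) terms."""
    return (lam_du * ti) ** 2 / 3 + lam_du * lam_dd * ti * mttr + beta * lam_du * ti / 2

def sil_band(pfd):
    """IEC 61508 low-demand PFDavg bands; 'none' outside them, incl. PFD >= 1."""
    bands = ((1e-5, 1e-4, "SIL 4"), (1e-4, 1e-3, "SIL 3"),
             (1e-3, 1e-2, "SIL 2"), (1e-2, 1e-1, "SIL 1"))
    for low, high, name in bands:
        if low <= pfd < high:
            return name
    return "none"

def loop_pfd(controller_pfd, ti):
    """Datasheet Table 2 loop: two 2oo3 transmitter sets + 1oo2 block valve + controller."""
    sensors = pfd_2oo3_simple(2.28e-6, ti) + pfd_2oo3_simple(2.85e-6, ti)
    valves = pfd_1oo2_simple(2.28e-6, ti)
    return sensors + valves + controller_pfd

def xy_controller_pfd(ti, lam_du=2.00e-5, dc=0.99, mttr=8.0, beta=0.02, full=False):
    """XY controller (2oo3) from the datasheet's lambda_DU = 2.00E-05 1/h."""
    lam_dd = lam_du * dc / (1 - dc)      # assumption: lambda_DD from DC = 99 %
    if full:
        return pfd_2oo3_full(lam_du, lam_dd, ti, mttr, beta)
    return pfd_2oo3_simple(lam_du, ti)

def himax_pfd(ti, mttr=8.0, beta=0.02):
    """Sum over the four HIMax 1oo2 modules of slide 75 (lambda_DU, lambda_DD)."""
    modules = [(6.86e-9, 9.56e-7),   # X-AI 32 01
               (4.55e-9, 1.21e-6),   # X-CPU 01
               (3.93e-9, 8.20e-7),   # X-SB 01
               (6.77e-9, 9.48e-7)]   # X-DO 24 01
    return sum(pfd_1oo2_full(du, dd, ti, mttr, beta) for du, dd in modules)

if __name__ == "__main__":
    spec = loop_pfd(2.00e-5, TI_HALF_YEAR)             # controller PFD as specified
    own = loop_pfd(xy_controller_pfd(TI_HALF_YEAR), TI_HALF_YEAR)
    print(f"loop as specified: {spec:.2e} ({sil_band(spec)})")
    print(f"loop with controller lambda_DU: {own:.2e} ({sil_band(own)})")
    print(f"XY 2oo3 full eq.: {xy_controller_pfd(TI_HALF_YEAR, full=True):.2e}, "
          f"HIMax 1oo2: {himax_pfd(TI_HALF_YEAR):.2e}, "
          f"XY at TI = 10 years: {xy_controller_pfd(10 * HOURS_PER_YEAR):.2f}")
```

The loop lands at 3.09E-04 (SIL 3) only with the controller's stated PFD of 2.00E-05; with the controller's own λ_DU it is 7.96E-03 (SIL 2), and at TI = 10 years the simplified 2oo3 equation yields a value above 1, which is not a probability at all.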
Comparison HIMax – XY-Controller, with IEC 61508

                 XY-Controller (2oo3)          HIMax
λ_DU [1/h]       2.00E-05                      X-AI 32 01 (1oo2): 6.86E-09
                                               X-CPU 01 (1oo2): 4.55E-09
                                               X-SB 01 (1oo2): 3.93E-09
                                               X-DO 24 01 (1oo2): 6.77E-09
λ_DD [1/h]       with DC = 99 %: 1.93E-03      X-AI 32 01 (1oo2): 9.56E-07
                                               X-CPU 01 (1oo2): 1.21E-06
                                               X-SB 01 (1oo2): 8.20E-07
                                               X-DO 24 01 (1oo2): 9.48E-07
β                2 %                           2 %
T1               ½ Year                        ½ Year
PFDavg           1.69E-02                      1.29E-06

$PFD_{avg,\,2oo3} = 6\,[(1-\beta_D)\,\lambda_{DD} + (1-\beta)\,\lambda_{DU}]^2\, t_{CE}\, t_{GE} + \beta_D\,\lambda_{DD}\,MTTR + \beta\,\lambda_{DU}\,(T_1/2 + MTTR)$

$PFD_{avg,\,1oo2} = 2\,[(1-\beta_D)\,\lambda_{DD} + (1-\beta)\,\lambda_{DU}]^2\, t_{CE}\, t_{GE} + \beta_D\,\lambda_{DD}\,MTTR + \beta\,\lambda_{DU}\,(T_1/2 + MTTR)$

SIL 1!! Δ ≈ 10^4 in favour (of HIMax)
76
Comparison HIMax – XY-Controller, with IEC 61508

                 XY-Controller (2oo3)          HIMax
λ_DU [1/h]       2.00E-05                      X-AI 32 01 (1oo2): 6.86E-09
                                               X-CPU 01 (1oo2): 4.55E-09
                                               X-SB 01 (1oo2): 3.93E-09
                                               X-DO 24 01 (1oo2): 6.77E-09
λ_DD [1/h]       with DC: 99 %: 1.93E-03       X-AI 32 01 (1oo2): 9.56E-07
                                               X-CPU 01 (1oo2): 1.21E-06
                                               X-SB 01 (1oo2): 8.20E-07
                                               X-DO 24 01 (1oo2): 9.48E-07
β                2 %                           2 %
T1               10 Year                       10 Year
PFDavg           3.16                          2.00E-05

$PFD_{avg,\,2oo3} = 6\,[(1-\beta_D)\,\lambda_{DD} + (1-\beta)\,\lambda_{DU}]^2\, t_{CE}\, t_{GE} + \beta_D\,\lambda_{DD}\,MTTR + \beta\,\lambda_{DU}\,(T_1/2 + MTTR)$

$PFD_{avg,\,1oo2} = 2\,[(1-\beta_D)\,\lambda_{DD} + (1-\beta)\,\lambda_{DU}]^2\, t_{CE}\, t_{GE} + \beta_D\,\lambda_{DD}\,MTTR + \beta\,\lambda_{DU}\,(T_1/2 + MTTR)$

Δ ≈ 10^5 in favour (of HIMax)
77
Conclusion

• We have to believe in safety parameters!
• We have to know how, and by whom, these have been generated.
• Best way: follow the TÜV database!
• For calculating loops use a certified calculation program like SILCas!
78

Thank you for your attention.