Reliability block diagram

Reliability block diagrams are often applied to determine the PFD of a SIF. This section provides a description of the application for a 1oo1 and 1oo2 system that are the systems analysed in this thesis.

1oo1 system

A 1oo1 system can be represented by the reliability block diagram in Figure 2.2. This system is operating successfully if it is possible to find a path from the leftmost node to the rightmost node.

Figure 2.2: Reliability block diagram for a 1oo1 system.

Since T_DU, the time until a DU failure, is supposed to be exponentially distributed with parameterλ_DU, the survivor function R_DU(t) becomes

R_DU(t) =P(T_DU ≥t) =e^−λDUt.

The unknown PFD from individual failures is, according to equation 2.1:

PFD_unknown = 1− 1 τ

Z τ 0

e^−λDUtdt

= 1− 1

λDUτ

1−e^−λDUτ

≈ λ_DUτ 2 .

The approximation follows from the Maclaurin series expansion of the exponential func-tion³and it can be seen that the approximation is always conservative which is important to ensure safe design.

PFD_known due to repair activities is calculated by using equation 2.2, i.e., PFD_known ≈ λDMTTR_D.

The total PFD is the sum of these two contributors, i.e., PFD_tot = PFD_unknown+ PFD_known ≈ λDUτ

2 +λDMTTR_D. (2.7) 1oo2 system

This section looks at a 1oo2 system that can be represented by the reliability block diagram in Figure 2.3. Common cause failures are now introduced because the different components can fail due to a shared event. For this system there are three events that may contribute to PFD_known, and these are:

Event 1: Loss of safety due to individual DU failures, PFD¹_unknown. It can be cal-culated by using the survivor function of the parallel structure shown in Figure 2.3

31−e^−at=at−^(at)_2!² +^(at)_3!³ +. . .≈at−^(at)_2!² +^(at)_3!³. This approximation is commonly used when atis less than 0.1.

2.2 Mathematical models

Figure 2.3: Reliability block diagram for a 1oo2 system.

and becomes:

R_individual(t) = 1−(1−e^{−(1−β)λ(1)DUt})(1−e^{−(1−β)λ(2)DUt})

= 1−

1−e^{−(1−β)λ(1)DUt}−e^{−(1−β)λ(2)DUt}+e^{−2(1−β)t(λ(1)DU+λ(2)DU)}

= e^{−(1−β)λ(1)DUt}+e^{−(1−β)λ(2)DUt}−e^{−2(1−β)t(λ(1)DU+λ(2)DU)}. Equation 2.1 for individual failures becomes

PFD¹_unknown= 1−1 τ

Z τ 0

R_individual ≈ [(1−β)τ]² 6

λ⁽¹⁾_DU+λ⁽²⁾_DU²−λ⁽¹⁾_DU²−λ⁽²⁾_DU²

.

Event 2: Loss of safety due to common cause failures, PFD²_unknown. Only unde-tected CCFs contribute to the unknown PFD, and it is necessary to treat only the rightmost component in Figure 2.3. The failure rate due to common cause DU fail-ures can be computed using the geometric mean [Hauge et al., 2006a, Appendix D], i.e., λ_DU,CC =

q

λ⁽¹⁾_DU·λ⁽²⁾_DU. ⁴ The survivor function R_CC,DU(t) becomes the same as for an individual DU failure in a 1oo1 system and PFD²_unknown becomes similar to equation 2.7 except that the failure rate is multiplied byβ, i.e.,

PFD²_unknown≈βλDU,CCτ

2 ≈β

q

λ⁽¹⁾_DU·λ⁽²⁾_DUτ

2 .

Event 3: Loss of safety due to degraded operation. When one component has a DD failure the system is supposed to run as a 1oo1 system, and there is a prob-ability that the remaining component will fail DU during restoration of the other

4This is not always a good method while it does not take into account the various degrees of coupling between the components.

component and thus contribute to the PFD. This factor is denoted PFD³_unknown and becomes

PFD³_unknown = (1−β)λ⁽¹⁾_DDMTTR_Dλ⁽²⁾_DUτ

2 + (1−β)λ⁽²⁾_DDMTTR_Dλ⁽¹⁾_DUτ 2

= (1−β)MTTRD

τ 2

λ⁽¹⁾_DDλ⁽²⁾_DU+λ⁽²⁾_DDλ⁽¹⁾_DU.

The total unknown PFD can be calculated by the probability of the union of these three events, i.e.,

PFD_unknown = Pr (Event 1∪Event 2∪Event 3)

= Pr (A∪B∪C)

= Pr (A) + Pr (B) + Pr (C)

−Pr (A∩B)−Pr (A∩C)−Pr (B∩C) + Pr (A∩B∩C)

≈ PFD¹_unknown+ PFD²_unknown+ PFD³_unknown.

This is an acceptable approximation in most cases because the probabilities of the in-tersections are so small that they can be neglected. It is important to notice that the approximation is always conservative which is desirable in reliability calculations.

The restoration time due to two individual DD failures are assumed negligible and the contribution from repair activities becomes the same as for a 1oo1 system only multiplied by a factorβ.

PFD_known ≈ βλ_D,CCMTTR_D

≈ β q

λ⁽¹⁾_D ·λ⁽²⁾_D MTTR_D. The total PFD for a 1oo2 system becomes

PFD_total = PFD_unknown+ PFD_known

≈ [(1−β)τ]² 6

λ⁽¹⁾_DU+λ⁽²⁾_DU²−λ⁽¹⁾_DU²−λ⁽²⁾_DU²

+β q

λ⁽¹⁾_DU·λ⁽²⁾_DUτ 2

+(1−β)MTTR_Dτ 2

λ⁽¹⁾_DDλ⁽²⁾_DU+λ⁽²⁾_DDλ⁽¹⁾_DU +β

q

λ⁽¹⁾_D ·λ⁽²⁾_D MTTR_D.

CHAPTER 3

Application

This chapter starts with a presentation of what impact safe failures may have on the availability of a SIS. These potential effects are discussed for different models of safety systems and their respective modelling algorithm is presented. The results are presented in Chapter 4.

3.1 Possible effects of safe failures

There are several possible effects of safe failures, but this thesis focuses on the ones that may have positive impact on the availability of a SIS. These are:

1. An increased portion of time spent in safe state reduces the possibility of going to dangerous state.

2. Safe failures can be seen as a function test where DU failures are detected.

3. Safe failures can give assurance that the system functions properly and shorten the expected time the system is unavailable due to a DU failure found by a function test.

Consider a high integrity pressure protection system (HIPPS) that is installed to pre-vent overpressure by isolating a low pressure rated system for a source of high pressure.

The system is also called a production shutdown system. A HIPPS that is designed and built in accordance with IEC 61508 and IEC 61511 is an alternative to the conventional pressure safety valve (PSV) that opens an outlet for the fluid once a set pressure is exceeded.

This section provides an analysis of a specific final element of a HIPPS, a fail-safe-close (FSC) valve including the actuator. If a deviation from the acceptable pressure level is detected, the FSC valve is designed to close and thereby shut down the process.

There are several possible failure modes related to a FSC valve, but this thesis pays attention to the ones that may be affected by a safe failure. These failure modes are given in Table 3.1.

3.1 Possible effects of safe failures

Table 3.1: Possible failure modes related to a FSC valve

Failure mode Abbreviation

Fail to open FTO

Delayed operation DOP

Fail to close on demand FTC Valve leakage in closed position LCP External leakage of utility medium ELU

Spurious operation SPO

The following assumptions applies for a FSC valve:

1. The Markov property is assumed to hold.

This means that the state of the system at the future time step,(t+1), is dependent on the current state, (t), but not the past (t−n∆tfor n= 1,2, . . .). It follows that the failure and restoration rates are assumed to be constant with respect to calendar time. Constant failure rate is valid in what is called the useful life period of an item where failures are supposed to occur randomly as opposed to the burn-in and wear-out period where the failure rate is decreasing and increasing, respectively.

These features can be seen from the bathtub curve [Rausand and Høyland, 2004, fig. 2.5], where the failure rate is shown as a function of time. Constant restoration rate is a rough approximation because it is expected that the time left to restore a failure will decrease, and not stay constant, as time goes by. Restoration rates for the possible failures modes are defined later in this section. To simplify the calculations, the failure rates are measured with respect to calendar time and not to operational time.

2. The system is considered working in a low demand mode of operation.

Safety shutdown systems are not supposed to be activated more frequently than once a year and a FSC valve falls in the low demand category.

3. The system is function tested at regular time intervals of lengthτ and the system is supposed to be as good as new after each test interval. This means that all possible failure modes are repaired or the failed item is replaced and the system is brought back to initial state after a function test. It follows that the system has test coverage equal to 100%.

4. The duration of a test is assumed to be so short compared to τ that it can be neglected.

5. The failure mode SPO is denoted safe detected (SD). It follows that all SD failures result in a spurious closure of the FSC valve given that a FTC failure is not present.

The presence of FTC failure is explained further in item 9.

6. Several failures in a system are restored simultaneously.

7. The failure mode FTO will not affect PFD since a process shutdown system already is in safe state when the failure is detected. This failure is incorporated into SD state.

8. The failure mode ELU is always supposed to result in a spurious activation and incorporated into SD state.

9. All FTC failures are assumed to be detected by a spurious closure.

The failure mode makes the process unable to get into SD state and the system is brought to DD state. This occurrence depends on a device installed to register that the valve is intended to close even though this is not possible.

10. The leakage resulting from the failure mode LCP is assumed to be so small that it can not be revealed by a spurious closure.

11. All DOP failures are assumed to be detected by a spurious closure.

This property depends on a registration of the time it takes to close the valve.

12. The failure mode DOP will not contribute to PFD since the system is brought to safe state even if a DOP failure is present. This failure is classified as safe undetected (SU), but since it does not result in a spurious closure it is not incor-porated into SD state. The extra time needed to shut down the process is assumed negligible.

3.2 1oo1 system

A 1oo1 system can be represented by the reliability block diagram in Figure 2.2. The procedure for establishing Markov models is given in Section 2.2.1 where the first step is to define possible states of the system. The assumptions above reduce the collection of all possible states of a FSC valve to the ones given in Table 3.2.

Table 3.2: Possible states of a FSC valve State Property

0 DU_FTC 1 DU_LCP

2 DD

3 SU_DOP

4 SD

5 OK

Transitions between these states and their respective transition rates are given in Figure 3.1.

3.2 1oo1 system

Figure 3.1: State transition diagram for a FSC valve.

The next step in the procedure is to utilise the transition rate matrix which becomes:

A=

The last step in the derivation of the PFD is to solve the set of equations given in 2.4 and 2.5 which becomes:

The resulting procedure used to perform the implementation is given in Algorithm 1.

A lot of data has been collected to describe the parameters in the first step, e.g., Hauge et al. [2006b], OREDA [2002]. Testing is supposed to be conducted once a year, i.e., τ = 8670 hours. The parameters k1,k2 are the percentage of all dangerous failures that are assumed to be FTC and LCP, respectively, whereas k₃ denote the percentage of all safe failures that are DOP.

Output: PFD values as a function of SFF

Algorithm 1: Algorithm for estimating the PFD for a 1oo1 system

3.2 1oo1 system

Figure 3.2: The mean behaviour of the state variableX(t) of a system.

Assumption 1 says that the process considered fulfils the Markov property. Since the exponential distribution is the only continuous distribution that models a memoryless process it follows that T_DD, the time spent in state 2 before making a transition, is exponentially distributed with parameter µ_DD. Thus the expected time spent in state 2 equals _µ¹

DD. DD failures are supposed to be repaired immediately after arising, so the expected time spent in state 2 equals the mean time to restore a DD failure, MTTR_DD, which is defined in step 1.1. This relationship is given in the first equation in step 1.4.

The restoration rate for undetected failures is not the same as for detected failures mainly because it is not known when they actually occurred. What is known is that they are revealed and repaired at time τ. In fact, there is a distinction between the restoration rates for the three possible undetected failures. The failure mode FTC and DOP can be revealed by a SD failure which becomes an issue when a SD failure occurs prior to one of these failures within the same test interval. Because of assumption 9 and 11, the system is known to be free from FTC and DOP failures after restoration of a SD failure and the SD failure then has the same properties as a function test.

Suppose that the probability of three or more failures occurring during a test interval is so small that these situations can be neglected. If a DU_FTC or SU_DOP failure is detected by the function test, there are two possible scenarios involving no more than two failures in a test interval of lengthτ. These possible situations can be represented by the function diagrams in Figure 3.2 where the expected state of the system is represented by the binary variableX(t). X(t) = 0 means that a DUFTC failure is present at time t and X(t) = 1 means that no DU_FTC failure is present at time tand it follows that the safety of the system is maintained. A DU_FTCfailure is used for illustrative purpose, but a SU_DOP will follow the same arguments.

The upper diagram shows the mean behaviour of the state variable X(t) when a SD failure occurs before a DU_FTC within the same test interval. The time interval is separated in three periods of equal length, where the SD failure is, on average, supposed to occur at time τ /3 and the DUFTC failure at time 2τ /3. The expected duration of a DU_FTC failure before it is detected is τ /3. This partition of the interval is based on the assumption of equal failure rates, i.e., λ_SD = λ_DU,FTC. Different failure rates will

probably change the occurrence time, but the effect is assumed to be so small that it can be neglected.

The lower diagram shows the possibility of a DU_FTC failure occurring before a SD failure within the same test interval. Since the possibility of more than two independent failures are assumed negligible, a SD failure cannot occur after a DU_FTCfailure since it is known that the system is found in failed state at timeτ. Suppose that the probability of occurrence of a DU_FTC failure is the same for all times within the test interval of length τ. It follows that T_DU,FTC is uniformly distributed on the interval (0, τ] and it follows that the expected duration of a DU_FTC failure in this situation isτ /2.

LetTDUand TSDdenote the time until a DU_FTC failure and SD failure, respectively.

The average duration of a DU_FTC failure, D, is calculated based on the law of total probability and becomes:

The restoration rate from DU_FTC is the reciprocal of Equation 3.1, resulting in the equation in Step 1.12. The restoration rate from SU_DOP is based on a similar deduction and the result is expressed in Step 1.13. According to assumption 10, DU_LCP failures are not detected by a spurious closure. Suppose that the occurrence time is uniformly distributed on the interval, then the expected time spent in state 1 is equal to MTTR_D+^τ₂. The resulting restoration rate from DU_LCPfailures is given in Step 1.4.

It becomes visible that the restoration rate from DU_FTC, DU_LCP, and SU_DOPfailures are not constant during the test period and do not satisfy the requirements for a Markov process. The exponential distribution is still an adequate approximation for the purpose of this thesis while it does not affect the limiting probabilities considerably.

SFF is a vector with values ranging from C_d¹, the coverage factor, to 1. λ_S in Step 1.7 is derived from the expression for SSF given in equation 2.3. PFD in Step 1.20 is calculated as the proportion of time spent in dangerous state, i.e., state 0, 1, or 2.

3.3 1oo2 system

The work in the previous section is developed further to treat two identical FSC’s con-nected in series. This system is able to respond adequately upon demand as long as one

1SFF equalsCdcorresponds toλSequals 0.

3.3 1oo2 system

of the valves is functioning as illustrated by the reliability block diagram in Figure 2.3.

The system is supposed to have active functional redundancy which means that both components get the same signal from the logic solver. Common cause failures are taken into consideration since both components may fail as a direct result of a shared cause.

It is necessary to define additional requirements that are specific for a 1oo2 system.

These are:

1. The system is made up of two identical components and they are supposed to operate in a common environment.

2. Both components respond in the same manner to a CCF. It follows that a CCF results in either two safe failures, two DD failures or two DU failures.

3. Both components are function tested simultaneously.

4. The same β-factor is applied for DU, DD, and safe failures. This may not be a realistic assumption, but there is little experience on the subject of application of specific β-factors.

5. The probability of having an undetected failure in one component and a DD failure in the other at the end of the test interval, i.e., at timesnτ; n= 1,2,3.., is assumed negligible.

6. SD state is supposed to be instantaneous, i.e.,µ_SD→ ∞.

7. Two independent failures cannot occur simultaneously.

8. A DD failure in one component is repaired without affecting the other component which means that degraded operation is considered.

Possible states of a 1oo2 system is given in Table 3.3:

State 0, 1, and 2 consider the situation where both components fail due to a common cause while state 6, 9, and 11 are due to two individual failures. This separation is done because the restoration rates are different. Since multiple failures are restored simultaneously, the restoration rate from state 0, 1, and 2 are equal to their respective restoration rate computed in the previous section.

It becomes evident that the complexity of a Markov model grows rapidly by adding redundant components. The general view of the Markov diagram becomes difficult to grasp and for a 1oo2 system it is more easy to follow a table of all possible transactions.

These are dislayed in Table 3.4.

Table 3.3: Possible states of a 1oo2 system State FSC₁ FSC₂

0 CCSU_DOP CCSU_DOP 1 CCDU_FTC CCDU_FTC 2 CCDU_LCP CCDU_LCP

3 SU_DOP DD

4 DU_FTC DD

5 DU_LCP DD

6 SU_DOP SU_DOP

7 SU_DOP DU_FTC

8 SU_DOP DU_LCP

9 DU_FTC DU_FTC

10 DU_FTC DU_LCP

11 DU_LCP DU_LCP

12 DD DD

13 OK DD

14 SU_DOP OK

15 DU_FTC OK

16 DU_LCP OK

17 OK OK

3.3 1oo2 system

Table 3.4: Possible transitions a 1oo2 system

From To Transition rate Condition

17 16 2(1−β)λDU,LCP A DULCPfailure occurs in one component.

15 2(1−β)λDU,FTC A DUFTCfailure occurs in one component.

14 2(1−β)λSU,DOP A SUDOPfailure occurs in one component.

13 βλDD A CCDD failure occurs in both components.

2 βλDU,LCP A CCDULCPfailure occurs in both components.

1 βλDU,FTC A CCDUFTCfailure occurs in both components.

0 βλSU,DOP A CCSUDOPfailure occurs in both components.

16 17 µDU,LCP DULCPis restored.

11 (1−β)λDU,LCP A DULCPfailure occurs in the faultless component.

10 (1−β)λDU,FTC A DUFTCfailure occurs in the faultless component.

8 (1−β)λSU,DOP A SUDOPfailure occurs in the faultless component.

15 17 µDU,FTC DUFTCis restored.

13 (1−β)λSD DUFTCis detected by a SD failure.

13 βλSD DUFTCis detected and the faultless component fail SD.

10 (1−β)λDU,LCP A DULCPfailure occurs in the faultless component.

9 (1−β)λDU,FTC A DUFTCfailure occurs in the faultless component.

7 (1−β)λSU,DOP A SUDOPfailure occurs in the faultless component.

14 17 µSU,DOP SUDOPis restored.

14 17 µSU,DOP SUDOPis restored.

In document Effect of Safe Failures on the Reliability of Safety Instrumented Systems (sider 24-41)