
White Paper

A Practical Approach for the Selection of Programmable Electronic Systems Used for Safety Functions in the Process Industry

Date: 1 May 1998

Author(s): Prof. Dr. D.M. Karydas, Dr. M.J.M. Houtermans

Risknowlogy B.V.
Brunner bron 2
6441 GX Brunssum
The Netherlands
www.risknowlogy.com

RISKNOWLOGY Experts in Risk, Reliability and Safety



© 2002 - 2007 Risknowlogy B.V.

All Rights Reserved

Printed in The Netherlands

This document is the property of, and is proprietary to Risknowlogy. It is not to be disclosed in whole or in part and no portion of this document shall be
duplicated in any manner for any purpose without Risknowlogy’s expressed written authorization.

Risknowlogy, the Risknowlogy logo, and Functional Safety Data Sheet are registered service marks.


A Practical Approach for the Selection of Programmable Electronic Systems Used for Safety Functions in the Process Industry

Prof. Dr. D.M. Karydas
Factory Mutual Engineer, Norwood, MA, USA

Dr. M.J.M. Houtermans (1)
Risknowlogy B.V., Brunssum, The Netherlands

Abstract
Recently published international standards, such as ISA-SP84 i of the Instrument Society of America,
and the IEC 61508 draft of the International Electrotechnical Commission ii establish performance
based criteria for the design, installation, operation, and decommissioning of Programmable
Electronic Systems (PES) used for safety related functions. These criteria address specifications for
the necessary function of these systems, and requirements about their appropriate Safety Integrity
Levels, as well as issues of hardware, and software design, testing, management, maintenance and
documentation.
The present paper demonstrates, through specific examples, an approach for the evaluation of the
Safety Integrity Level (SIL) of Programmable Electronic Systems performing specific safety functions
in accordance with the aforementioned standards. This approach addresses the definition of PES
architectures in terms of the interaction of PES components, their failure modes and associated
failure rates. It also addresses the impact of the embedded software quality, the significance of the
coverage factor of the diagnostic systems of fault tolerant PES, and the significance of common cause
failures. The use of appropriate tools for the evaluation of SIL, such as reliability block diagrams, fault
trees, and Markov models, is discussed and demonstrated.

1 Introduction
Programmable Electronic Systems play a significant role in the management of risk in the process
industry. When used as "safety" systems, they contribute to the reduction of the likelihood and
consequences of events causing harm to human health, exposure of the environment, damage to
assets and interruption of the continuity of production. The role of safety systems includes
prevention and detection of deviations of critical process parameters, such as temperature (over-
temperature, fire), level (high or low), pressure (over-pressure, depressurisation), concentration (toxic
gas, smoke), as well as control of accident sequences, for example, shutdown and isolation of plant
systems, and initiation of emergency procedures (e.g., fire fighting systems).
A Programmable Electronic System (PES) is: "A system based on one or more programmable
electronic devices, connected to (and including) input devices (e.g., sensors) and/or output
devices/final elements (e.g., actuators), for the purpose of control, protection or monitoring. The term
PES includes all elements in the system, including power supplies, extending from sensors, or other
input devices, via data highways or other communication paths, to the actuators, or other output
devices (sensors/other input devices, and actuators/other output devices are therefore included in the

1
Corresponding author: m.j.m.houtermans@risknowlogy.com

RISKNOWLOGY Experts in Risk, Reliability and Safety Page 3


White Paper
Prof. Dr. D.M. Karydas, Dr. M.J.M. Houtermans
A Practical Approach for the Selection of Programmable Electronic Systems Used for Safety Functions in the Process
Industry

term)." iii When used as a safety-related system, the PES is expected to "carry out the actions
necessary to achieve a safe state for the equipment under control, or to maintain a safe state for the
equipment under control." iv
There are two key attributes characterizing the performance of a safety-related system, namely, its
ability to implement safety functions, and the required Safety Integrity Level (SIL) at which these
safety functions need to be carried out. The selection and specification of a PES, therefore, should be
guided by the results of a detailed examination of the process safety functional specifications and an
evaluation of the process functional integrity requirements. The process safety functional
specifications dictate the safety functions that the safety system must perform under stated
circumstances. The functional integrity requirements specify the level of confidence (reliability and
availability) these safety functions must be performed in those circumstances, so that a desirable
reduction of risk associated with the process hazards is achieved.
The functional specifications and the SIL requirements of the process must be matched by
appropriate PES design, quality of installation, and operational performance. This paper addresses
design considerations only, namely hardware architecture and reliability, and software quality and
dependability.

2 Functional Specifications
The functional specifications define the relevant functional parameters assigned to the PES. Such
parameters include the boundaries of the function, interfaces and interactions with other systems, set-
points and tolerances, the logical relationship between detection and actuation of final elements, the
response time of the overall function and the response times of relevant components and allowable
tolerances v.
The objective of a functional PES specification, in terms of a simple example, may be stated in the
following way: "to detect flammable gas in the recovered solvent tank area and, on confirmed
detection, initiate the emergency ventilation scram system." A statement of the PES functional
specification in the same example could be the following: "Detect gas at 0.5 m above the floor level
and 20% Low Explosion Level (LEL) concentration and annunciate in the Control Room within 1
second. At 60% LEL concentration initiate automatic process shutdown and actuation of the
ventilation scram system within 3 seconds."

3 Integrity Specification
Quantitative definitions of Safety Integrity Levels (SIL) are given in ISA-SP84, and IEC 61508. Each
SIL corresponds to the range of probability of failure on demand. The IEC 61508 definitions are listed
in Table 1.
The design aspects of the PES include the overall hardware and software architecture (sensors,
actuators, programmable electronics, embedded software, application software, etc.) that satisfies
safety integrity requirements established by existing standards and the process hazard analysis and
risk assessment.


Table 1. SIL levels

Safety Integrity Level (SIL)    Probability of Failure on Demand (PFD)
4                               10^-4 to 10^-5
3                               10^-3 to 10^-4
2                               10^-2 to 10^-3
1                               10^-1 to 10^-2
To achieve hardware and systematic safety integrity, the overall process for the selection of a
safety-related PES of predetermined SIL should include the following elements:
Architecture Modeling: Architecture pertains to the configuration of hardware and software elements
of the PES (e.g., single, dual, triple-channel architecture, 1oo2 (one out of two), 1oo3, 2oo3 shutdown
logic, etc.). Architecture modeling addresses the development of a detailed block diagram of the PES
identifying each subsystem and the interconnections related to the safety function under
consideration. Depending on the availability of failure data and appropriate analytical tools the model
may extend to a detailed representation of each hardware subsystem, identifying each component or
group of components and the interconnections between them.
Hardware Failure Modes and Failure Rates: Random failures are identified and failure rates are
tabulated for each component included in the modeled architecture. The list of possible failure modes
includes common cause failures, i.e., failures which result from events causing simultaneous or
coincident failures of two or more separate channels in a multiple channel system, leading to system
failure. The system failures are discriminated into detected or undetected through diagnostic
coverage. Hardware/software diagnostic programs are used to troubleshoot and identify hardware or
software malfunctions of the PES on a continuous on-line (diagnostic test) or periodic off-line (proof
test) basis. Diagnostic coverage characterizes the quality of the diagnostic programs. It is expressed
quantitatively as the ratio of detectable faults to the total number of faults that may be hidden within
the PES and render it inoperable when it is required to perform safety functions. The term diagnostic
coverage is used to describe the fractional decrease in the probability of safe and dangerous
hardware failures resulting from the operation of the diagnostic tests.
Systematic Failure Modes: Qualitative or quantitative assessment of selected design features that
control and tolerate systematic failures in actual operation, and design procedures that prevent the
introduction of systematic failures during the design process. Examples of systematic failures include
human error introduced in the PES safety requirements specification phase, or in the design and
manufacture stages of the hardware, or in the design, implementation and testing phases of the
software.
Reliability Modeling: Translation of the Programmable Electronic System into a reliability model that
represents the interaction of its components and subsystems, as well as the transition from an
operational state to a partially or totally failed state, of either safe or dangerous nature. Reliability
modeling methods include simulation techniques, reliability block diagrams, fault tree analysis, and
Markov modeling.
Reliability Evaluation: Quantification of the selected PES reliability model. Introduction of the
component and subsystem failure rates and probabilities in the model and numerical manipulation of
the model generates characteristic reliability curves as a function of time, or inspection and testing
interval. The comparison of these output reliability curves with the safety integrity requirements of the
process leads to the acceptance or rejection of specific PES architecture.

4 Procedure for estimating the likelihood of PES failures


A major objective in the selection and design of safety systems is the calculation of the probability of
failure of the system upon demand, i.e., the probability of the PES failing to function when the
safeguarded process deviates from a predefined acceptable safe state. The failures of programmable
systems may be attributed to the hardware components or the software elements of the system. The
following steps demonstrate a systematic approach towards meeting this objective.

4.1 Architecture Modeling


The PES is represented in terms of its components and subsystems, such as sensors, logic system
components, final elements, as well as the number and type of the components and subsystems
required for each safety function.
An example architecture used as a baseline in this paper consists of a single Sensor, dual Logic
Solvers (Main Processors) with dual Input and Output (I/O) modules, One-out-of-Two (1oo2)
shutdown logic and a single final element. A block diagram of the system is shown in Figure 1.
The logic solver is the portion of the PES that performs the logic function specified by the process
safety requirements. In the architecture of Figure 1 the logic solver consists of two redundant
independent channels. Each channel includes an Input Module, a Main Processor and an Output
Module. The I/O Modules are intermediary elements between the Sensor or the Final Element and the
Main Processor. The Input Modules transfer the signals from the field devices to the Main Processor.
The Output Modules convert the signals from the Main Processor into standard Final Element signals.
The 1oo2 shutdown logic consists of an output from each channel wired in series causing the system
to take action, if any one of the two channels trips.
The system examined here includes a single sensor and final element performing one safety
function. In other applications multiple sensors and final elements may be included for higher level of
redundancy and reliability. Multiple safety functions may also be handled by the same system. The
corresponding "loops", i.e., the sensors, electronics, and actuators handling each safety function
should be addressed separately.

4.2 Failure Modes


The objective at this stage is to identify the possible failures of the elements of the overall hardware
architecture that carry out each separate safety function. The failures of the PES are addressed in
terms of the connection and interaction of its components and subsystems. Failure Modes and Effects
Analysis (FMEA) vi is an appropriate method to identify and evaluate the different failure modes and
causes of the system. FMEA tabulates the actions to be taken to eliminate or reduce system failures,
and documents the safety function under consideration.


[Figure 1: block diagram. Two identical channels, each consisting of a Power Supply (+V), an Input
Module, a Main Processor and an Output Module. A single Sensor feeds both Input Modules; both
Output Modules are combined by the 1oo2 shutdown logic, which drives a single Final Element.]

Figure 1. Dual PE with Dual I/O, One-out-of-Two (1oo2) Shutdown Logic, and Single
Sensors and Final Elements

The overall system failure is a function of the failures of its components. Table 2 provides a short
list of random failures (i.e., failures occurring at random times and resulting from degradation in the
hardware) and failure rates of the typical PES components. These figures, presented in terms of
ranges of a low, average and high value, can only be used for demonstration reasons and do not
reflect failure rates supported by field data. They represent consensus rates used for demonstrative
reliability quantification of widely used PES architectures included in the ISA Technical Report
dTR84.0.02. vii For the reliability evaluation of actual systems site specific failure rate data are
preferred, if available. If this is not possible, then generic data from credible published sources may
be used.
A PES used for safety can fail in two generic modes, "Fail Safe" and "Fail Dangerous". A "Fail
Safe" mode causes the process to trip while no underlying deviation from safe process boundaries is
present. It is a nuisance trip. A "Fail Dangerous" mode describes the condition of the PES not being
able to respond to upsets of the process. In such a failure mode of the PES, the process will continue
its course and may enter a dangerous state. The failed PES is insensitive to this state; therefore this
failure mode is dangerous.
Table 2. Hardware Failure Rates

Item                                                      Failures per million hours
                                                          Low      Average   High
Main Processor Board (memory, bus logic, communication)   12.00    25.00     50.00
I/O Processor and/or Common logic I/O module               2.50     5.00     10.00
Single Digital Input Circuit                               0.10     0.20      0.40
Single Digital Output Circuit                              0.10     0.20      0.40
Single Analog Input Circuit                                0.05     0.10      0.20
Single Analog Output Circuit                               0.25     0.50      1.00
Electromechanical Timer                                    1.50     2.50      5.00
Analog Trip Amplifier                                      0.20     0.40      0.80
Power supply                                               2.50     5.00     10.00
Sensor                                                     2.00    13.00     42.00
Final Element                                              2.00    13.00     42.00


Table 3 depicts the fraction of the total failure rates of PES components that is attributed to the "Fail
Safe" mode. These figures are also expressed as a range of low, average, and high values and are
subject to the same limitations of validity as those in Table 2.

Table 3. Safe Failure Mode Ratios

Item                                      % Safe Failures
                                          Low    Average   High
Main Processor Board                      40     50        60
I/O Processor/Common logic I/O module     40     50        60
Single Digital Input Circuit              25     50        75
Single Digital Output Circuit             25     50        75
Single Analog Input Circuit               25     50        75
Single Analog Output Circuit              25     50        75
Relay (Industrial Type)                   50     75        90
Power Supply                              80     95        99
Sensor                                    20     40        60
Final Element                             20     40        60
Total Systematic Failures                 20     50        60

In addition to random hardware failures, common cause failures of the PES components should be
considered and quantified. Common cause failures are the result of external events which cause
multiple components in separate channels of a redundant system to fail, thus rendering the PES
unable to perform its intended function. There is a considerable amount of research in the modeling
and quantification of common cause failures viii, ix, x. Draft IEC 61508 provides a practical methodology
for the evaluation of common cause failures xi using the β-factor model, summarized here for reasons
of convenience.
The β-factor model relates the probability of common cause failure of the hardware to the probability
of random hardware failures. The β factor is calculated for the sensors, the logic system and the
actuators separately and reflects the fraction of single-channel random failures that will affect all
channels.
The overall failure rate due to dangerous common cause failures is given by the expression:

    λDU · β + λDD · βD

where λDU is the probability of an undetected dangerous failure of a single channel and λDD is the
probability of a detected dangerous failure of a single channel; β is obtained from Table 4 using the
score S = X + Y (see Table 5), and βD is obtained from Table 4 using the score SD = X(Z + 1) + Y.


Table 4. Calculation of β or βD xi

Score (S or SD) from Table 5    Corresponding value of β or βD for the:
                                Logic system    Sensors or actuators
120 or above                    0.5%            1%
70 to 120                       1%              2%
45 to 70                        2%              5%
Less than 45                    5%              10%

Systematic failures introduced in the PES safety requirements specification phase, or in the design
and manufacture stages of the hardware, or in the design, implementation and testing phases of the
software need to be analyzed systematically to determine any contribution to the system unreliability.

Table 5. Common Cause Score Values for Programmable Electronics xi

Category                           Diverse system   Diverse system   Redundancy system   Redundancy system
                                   with good        with poor        with good           with poor
                                   diagnostic       diagnostic       diagnostic          diagnostic
                                   testing          testing          testing             testing
Separation/segregation       X/Y   3.50/1.50        3.50/1.50        3.50/1.50           3.50/1.50
Diversity/redundancy         X/Y   14.50/3.00       14.50/3.00       2.00/1.00           2.00/1.00
Complexity/design/...        X/Y   2.75/2.25        2.75/2.25        2.75/2.25           2.75/2.25
Assessment/analysis/...      X/Y   0.25/4.75        0.25/4.75        0.25/4.75           0.25/4.75
Procedures/human interface   X/Y   3.50/3.00        3.50/3.00        3.50/3.00           3.50/3.00
Competence/training/...      X/Y   1.25/3.75        1.25/3.75        1.25/3.75           1.25/3.75
Environmental control        X/Y   2.75/2.25        2.75/2.25        2.75/2.25           2.75/2.25
Environmental test           X/Y   5.00/5.00        5.00/5.00        5.00/5.00           5.00/5.00
Diagnostic coverage          Z     2.00             0.00             2.00                0.00
Total X                            33.5             33.5             21                  21
Total Y                            25.5             25.5             23.5                23.5
Score S                            59               59               44.5                44.5
β                                  2%               2%               2%                  2%
Score SD                           126              59               86.5                44.5
βD                                 0.5%             2%               1%                  5%
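The scoring above is mechanical enough to automate. The following Python block is an added example (not the authors' code) that encodes Tables 4 and 5 as printed, sums the X and Y points, derives S and SD, looks up β and βD, and evaluates the dangerous common cause rate λDU · β + λDD · βD. Two assumptions are the example's own: the Table 4 bands are treated as lower-inclusive (120 or above, 70 up to but not including 120, and so on), and the single-channel rates LAM_DU and LAM_DD in the usage call are sample values, not figures from the paper. One consequence of reading Table 4 literally is worth noting: for the two redundancy columns S = 44.5 falls in the "less than 45" band, so the lookup returns 5% for a logic system where Table 5 prints 2%; the code follows Table 4.

```python
# Added example, not the authors' code: beta-factor scoring with Tables 4 and 5
# as printed in the paper, and the dangerous common cause rate they feed.

# Table 5 rows that are identical for all four system types: (X, Y) per category.
COMMON_ROWS = {
    "Separation/segregation": (3.50, 1.50),
    "Complexity/design": (2.75, 2.25),
    "Assessment/analysis": (0.25, 4.75),
    "Procedures/human interface": (3.50, 3.00),
    "Competence/training": (1.25, 3.75),
    "Environmental control": (2.75, 2.25),
    "Environmental test": (5.00, 5.00),
}
# The only row that distinguishes diverse from redundant systems ...
DIVERSITY_ROW = {"diverse": (14.50, 3.00), "redundancy": (2.00, 1.00)}
# ... and the Z credit that depends on the quality of diagnostic testing.
DIAGNOSTIC_Z = {"good": 2.00, "poor": 0.00}

# Table 4: (lowest score in band, beta for logic system, beta for sensors/actuators).
# Band boundaries are assumed lower-inclusive: >= 120, 70 to 119.9, 45 to 69.9, < 45.
TABLE4 = [(120, 0.005, 0.01), (70, 0.01, 0.02), (45, 0.02, 0.05), (0, 0.05, 0.10)]


def totals(system, diagnostics):
    """X, Y and Z totals of Table 5 for one system type."""
    rows = list(COMMON_ROWS.values()) + [DIVERSITY_ROW[system]]
    return sum(x for x, _ in rows), sum(y for _, y in rows), DIAGNOSTIC_Z[diagnostics]


def scores(x, y, z):
    """S = X + Y selects beta; SD = X(Z + 1) + Y selects beta_D."""
    return x + y, x * (z + 1) + y


def beta_from_score(score, subsystem="logic"):
    """Look up beta (or beta_D) in Table 4 for a logic system or for field devices."""
    for lowest, b_logic, b_field in TABLE4:
        if score >= lowest:
            return b_logic if subsystem == "logic" else b_field
    raise ValueError("score must be non-negative")


def evaluate(system, diagnostics, subsystem="logic"):
    """One full Table 5 column: totals, both scores and both beta factors."""
    x, y, z = totals(system, diagnostics)
    s, s_d = scores(x, y, z)
    return {"X": x, "Y": y, "S": s, "SD": s_d,
            "beta": beta_from_score(s, subsystem),
            "beta_D": beta_from_score(s_d, subsystem)}


def ccf_dangerous_rate(lam_du, lam_dd, beta, beta_d):
    """Dangerous common cause failure rate: lambda_DU * beta + lambda_DD * beta_D."""
    return lam_du * beta + lam_dd * beta_d


if __name__ == "__main__":
    # Single-channel rates below are sample values (per hour), not from the paper.
    LAM_DU, LAM_DD = 2.5e-6, 1.0e-5
    for system in ("diverse", "redundancy"):
        for diag in ("good", "poor"):
            r = evaluate(system, diag)
            ccf = ccf_dangerous_rate(LAM_DU, LAM_DD, r["beta"], r["beta_D"])
            print(f"{system:10s} {diag:4s} S={r['S']:5.1f} SD={r['SD']:5.1f} "
                  f"beta={r['beta']:.1%} beta_D={r['beta_D']:.1%} CCF={ccf:.2e}/h")
```

Running the block reproduces the Total X, Total Y, S and SD rows of Table 5 for all four columns; the βD row is reproduced exactly, and the β row differs only in the redundancy columns for the reason given above. Because the points are all multiples of 0.25 the sums are exact in floating point, which is why the results can be compared with == rather than a tolerance.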

Techniques of software evaluation can be quantitative or qualitative. Mathematical models for
software modeling have been tried only on very small applications. It is not certain that they can
realistically address actual systems. On the other hand, "assigning a probability to a software logic is
basically meaningless, if design errors are found, they should be fixed rather than left in the code and
assign a probability." xii It appears that the current state of the art in terms of software evaluation is
limited to qualitative, albeit systematic, methods ranging from detailed structured checklists xiii to
Software Sneak Analysis xiv and Software Fault Tree Analysis (SFTA). xv Therefore, we do not include
any particular evaluation technique in this paper, but only demonstrate parametrically in the results
section the impact of the "software reliability" upon the overall PES reliability.
Diagnostic systems built into the PES as software or hardware elements, as well as diagnostic and
proof tests, separate safe and dangerous hardware failures into detectable and undetectable failures.
Table 6 illustrates typical diagnostic coverage factors, subject to the same limitations of validity as
those in Tables 2 and 3.

Table 6. Diagnostic Coverage Factors

Item                                          Safe Failure / Dangerous Failure Percentage (%)
                                              Low      Average   High
Main Processor Board                   SF/DF  80/70    90/80     99/99
I/O Processor/Common logic I/O module  SF/DF  70/60    85/75     99/99
Single Digital Input Circuit           SF/DF   0/0     50/25     99/99
Single Digital Output Circuit          SF/DF   0/0     50/25     99/99
Single Analog Input Circuit            SF/DF   0/0     50/25     99/99
Single Analog Output Circuit           SF/DF   0/0     50/25     99/99
Analog Input/Trip Amplifier            SF/DF   0/0     50/25     99/99
Power Supply                           SF/DF  90/90    95/95     99/99
Sensor                                 SF/DF  25/25    50/50     90/90
Final Element                          SF/DF  25/25    50/50     90/90

4.3 Reliability Models


The conversion of the PES architecture into a mathematical model facilitates the quantification of the
reliability of the PES and its SIL classification. The available methods for mathematical modeling
have proliferated in the last 25 years and cover a wide range of sophistication from the simplest to the
most complex techniques. In terms of increasing complexity and flexibility the list of methods includes
Reliability Block Diagrams, Fault Trees, Dynamic Fault Trees, Markov Models, Hybrid Hierarchical
Models, and Simulation. We modeled the example of Figure 1 using three of the most popular
methods, i.e., Reliability Block Diagrams, Fault Trees and Markov Models (see Figure 3, Figure 4, and
Figure 5). The first two methods represent the fail-safe and fail-dangerous modes in two separate
models. The Markov model represents the transitions from the normal state (1) to fail-safe state (2) or
fail-dangerous state (3) directly, or through the intermediate fail-dangerous undetected states (4), (5),
(6), (7), (8), and (9) of system elements.

4.4 Results and Discussion


Using failure rates of PES components from the cited tables of failure modes and diagnostic coverage
we quantify the reliability models. The results of this quantification are summarized in curves of failure
probabilities of the PES as a function of the inspection interval. Such curves are shown in Figure 5.
Observation of this graph indicates that the probability of system failure increases when the
system quantification incorporates field devices (i.e., sensors, actuators) and software. Also, the
probability of system failure increases as the inspection interval increases. SIL requirements
superimposed on these results facilitate the comparison of the PES functional integrity with the
requirements derived from the process safety and hazards analysis. Decisions on the inspection
frequency may also be derived from these results and their comparison with the SIL
requirements included in the graph of Figure 5.
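To show how the steps of Sections 4.2 to 4.4 fit together, here is an added Python example, not the authors' model or code. It (a) splits a component failure rate into safe/dangerous and detected/undetected parts using the average-column Main Processor Board values of Tables 2, 3 and 6, (b) builds a reduced five-state Markov model of the 1oo2 logic solver of Figure 1 (operational; one channel with a hidden dangerous undetected failure; fail safe; fail safe with the hidden failure still present; fail dangerous) including the β-factor common cause term, (c) integrates it numerically over a proof-test interval, and (d) classifies the time-averaged probability of failure on demand against Table 1. The five-state reduction, the neglect of detected dangerous failures (assumed repaired on-line), the restart rate μ = 1/8 per hour, the choice of β = 2% from Table 5, the one-hour integration step and the lower-inclusive SIL band boundaries are all assumptions of the example rather than values taken from the paper.

```python
# Added example, not the authors' code: a reduced Markov model of the 1oo2
# logic solver of Figure 1, fed with the average-column values of Tables 2, 3 and 6.

# --- 1. Split a total failure rate into SD / SU / DD / DU (Tables 2, 3, 6) -----
def split_failure_rate(lam_total, safe_fraction, dc_safe, dc_dangerous):
    """lam_total in failures/hour; safe_fraction from Table 3; dc_* are the
    diagnostic coverage fractions of Table 6 for safe and dangerous failures."""
    lam_s = lam_total * safe_fraction
    lam_d = lam_total - lam_s
    return {"SD": lam_s * dc_safe, "SU": lam_s * (1 - dc_safe),
            "DD": lam_d * dc_dangerous, "DU": lam_d * (1 - dc_dangerous)}


# Main Processor Board, average column: 25 failures per 1e6 h (Table 2),
# 50 % safe (Table 3), coverage 90 % safe / 80 % dangerous (Table 6).
MP = split_failure_rate(25e-6, 0.50, 0.90, 0.80)   # DU = 2.5e-6/h, DD = 1.0e-5/h

# --- 2. SIL bands of Table 1 (lower bound inclusive: an assumption) ------------
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_from_pfd(pfd_avg):
    """SIL class of an average PFD, or None outside the SIL 1 to 4 range."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return None


# --- 3. Reduced Markov model (five states; an assumption of this example) ------
STATES = ["OK", "ONE_DU", "FS", "FS_ONE_DU", "FD"]
OK, ONE_DU, FS, FS_ONE_DU, FD = range(len(STATES))


def generator(lam_du, lam_s, beta, mu):
    """Transition-rate matrix Q (per hour). Detected dangerous failures are
    assumed to be repaired on-line fast enough to be neglected."""
    n = len(STATES)
    q = [[0.0] * n for _ in range(n)]
    q[OK][ONE_DU] = 2 * (1 - beta) * lam_du   # one channel hides a DU failure
    q[OK][FD] = beta * lam_du                 # common cause fails both channels
    q[OK][FS] = 2 * lam_s                     # either channel trips (series output)
    q[ONE_DU][FD] = lam_du                    # second channel also fails undetected
    q[ONE_DU][FS_ONE_DU] = lam_s              # nuisance trip, DU fault still hidden
    q[FS][OK] = mu                            # restart after nuisance trip
    q[FS_ONE_DU][ONE_DU] = mu                 # restart does not reveal the DU fault
    for i in range(n):                        # FD is absorbing until the proof test
        q[i][i] = -sum(q[i])
    return q


def integrate(q, hours, dt=1.0):
    """Forward-Euler solution of dP/dt = P Q starting in OK. Returns the state
    vector at the end of the interval and the time-averaged P(FD)."""
    n = len(q)
    p = [1.0] + [0.0] * (n - 1)
    steps = int(round(hours / dt))
    fd_sum = 0.0
    for _ in range(steps):
        p = [p[i] + dt * sum(p[k] * q[k][i] for k in range(n)) for i in range(n)]
        fd_sum += p[FD]
    return p, fd_sum / steps


def evaluate(interval_hours, lam_du=MP["DU"], lam_s=MP["SD"] + MP["SU"],
             beta=0.02, mu=1.0 / 8):
    """PFD at the end of and averaged over one proof-test interval, the
    probability of being tripped, and the SIL class of the average PFD."""
    p, pfd_avg = integrate(generator(lam_du, lam_s, beta, mu), interval_hours)
    return {"states": dict(zip(STATES, p)), "pfd_end": p[FD], "pfd_avg": pfd_avg,
            "p_tripped": p[FS] + p[FS_ONE_DU], "sil": sil_from_pfd(pfd_avg)}


if __name__ == "__main__":
    print("interval   PFD(end)   PFD(avg)   SIL")
    for months in (3, 12, 36, 60):
        r = evaluate(months * 730)
        print(f"{months:3d} mo    {r['pfd_end']:.2e}   {r['pfd_avg']:.2e}   {r['sil']}")
```

Running the block prints the PFD at the end of, and averaged over, intervals of 3, 12, 36 and 60 months. The common cause term grows linearly with the interval and the two-independent-failure term quadratically, which is what produces the rising curves of Figure 5; with the values above a one-year interval lands in the SIL 3 band and a five-year interval in SIL 2. The forward-Euler step of one hour is stable because the fastest rate in the model is μ = 0.125 per hour, and it preserves the sum of the state probabilities because every row of Q sums to zero.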


[Figure 2: reliability block diagrams for the 1oo2 Fail Dangerous mode and the 1oo2 Fail Safe
mode. Blocks: Systematic Failures, Common Cause, Power Supply, Sensor, the two channels (Input
Module, Main Processor, Output Module each) and the Final Element, for fail-dangerous (FD) and
fail-safe (FS) failures respectively.]

Figure 2. Block diagrams

[Figure 3: fault tree with two top events, "Fail To Operate (FD)" and "Fail Safe". The FD top
event is an OR of Logic Fails to Operate (an AND of Channel 1 Fails to Operate and Channel 2
Fails to Operate), Sensor Fails to Operate, Valve Fails to Operate and Systematic Failure. The Fail
Safe top event is an OR of FS Channel 1, FS Channel 2, Spurious Sensor Signal, Spurious Valve
Signal and Systematic Failure. Each channel event is an OR over its Input Module (IM), Main
Processor (MP) and Output Module (OM), each with an independent and a common cause (CC)
contribution.]

Figure 3. Fault Tree


[Figure 4: Markov model with state 1 (Operational), state 2 (Fail Safe), state 3 (Fail Dangerous)
and the partially failed states 4 to 9; transitions are labelled with failure rates λ and repair rates μ.]

Figure 4. Markov Model

[Figure 5: probability of failure to function versus time (inspection interval), with three curves
(Hardware; Hardware & Software; Hardware, Software & Field Devices) and the SIL 1 to SIL 4
bands superimposed.]

Figure 5. Results

REFERENCES

1. ANSI/ISA S84.01-1996, Applications of Safety Instrumented Systems for the Process Industry,
Instrument Society of America, Research Triangle Park, N. Carolina, USA, February 1996.
2. Draft IEC 61508: Functional Safety of Electrical / Electronic / Programmable Electronic Safety-
Related Systems, Parts 1-7, IEC Reference 65A/179-185, International Electrotechnical
Commission, 1997.
3. Draft IEC 61508: Functional Safety of Electrical / Electronic / Programmable Electronic Safety-
Related Systems, Part 4, IEC, 1997.
4. Bell, R., "Overview of proposed IEC 1508 & implications for PLCs", Health and Safety Executive,
Technology Division, March 1996.
5. UKOOA, "Guidelines for Instrument-Based Protective Systems", UK Offshore
Operators Association Limited, December 1995.
6. MIL-STD-1629, "Procedures For Performing A Failure Mode Effects and Criticality Analysis", Nov.
1984.


7. ISA Draft Technical Report dTR84.0.02, "Electrical / Electronic / Programmable Electronic
Systems (PES) - Safety Integrity Level Evaluation", Instrument Society of America, Research
Triangle Park, NC 27709, USA, May 1997.
8. Apostolakis, G., Moieni, P., "The Foundation of Models of Dependence in Probabilistic Safety
Assessment", Reliability Engineering, 18 (3), 1987, pp. 177-95.
9. Mosleh, A., Siu, N., "A Multi-parameter, Event-based Common Cause Failure Model", Trans. 9th
International Conference on Structural Mechanics in Reactor Technology, vol. M, Lausanne,
Switzerland, August 1987.
10. Mosleh, A., "Common Cause Failures: An Analysis Methodology and Examples", Reliability
Engineering and System Safety, Special Issue, 34, 1991, pp. 249-91.
11. Draft IEC 61508: Functional Safety of Electrical / Electronic / Programmable Electronic Safety-
Related Systems, Part 6, Appendix D, IEC, 1997.
12. Leveson, N. G., "Safeware: System Safety and Computers", Addison-Wesley Publishing
Company, Reading, Massachusetts, 1995.
13. "Programmable Electronic Systems in Safety Related Applications", Health and Safety Executive,
London, 1987.
14. Shimeall, T. J., Leveson, N. G., "An Empirical Comparison of Software Fault Tolerance and Fault
Elimination", IEEE Transactions on Software Engineering, SE-17(2), pp. 173-183, February 1991.
15. Taylor, J. R., "Fault Tree and Cause-Consequence Analysis for Control Software Validation",
Technical Report RISO-M-2326, RISO National Laboratory, Roskilde, Denmark, January 1982.
