13th IFAC Symposium on Control in Transportation Systems

The International Federation of Automatic Control

September 12-14, 2012. Sofia, Bulgaria

The Relationship between Diagnostic Coverage and Proof Test Interval for 1oo2
and 1oo2D Architectures
İlker Üstoğlu*, Özgür T. Kaymakçı**,
Josef Börcsök***

*Yıldız Technical University, Davutpaşa Campus, A209, 34220, 34220 Esenler, İstanbul
TURKEY (Tel: +90-535-418-22-64; e-mail: ustoglu@yildiz.edu.tr).
** Yıldız Technical University, Davutpaşa Campus, A210, 34220, 34220 Esenler, İstanbul
TURKEY (e-mail:kaymakci@yildiz.edu.tr)
*** University Kassel, Faculty of Electrical Engineering /Computer Science
Department of Computer Architecture and System Programming, Wilhelmshöher Allee 71
34121 Kassel, GERMANY (e-mail: j.boercsoek@uni-kassel.de)}

Abstract: In order to measure the effectiveness of safety protection systems there are several design
parameters. Diagnostic coverage factor is one of the most important parameter which influences all
architectures. In this short paper the relationship between PFDavg, DC and TI are presented. 1oo2 and
1oo2D architectures are considered as examples.
Keywords: Functional safety, 1002 architecture.

1. INTRODUCTION
According to the standard IEC61508-4 equipment,
machinery, apparatus or plant used for manufacturing,
process, transportation, medical or other activities are defined
as equipment under control (EUC). Safety instrumented
systems (SIS) are automatic systems used to prevent
accidents, and to minimize their consequences to humans and
the environment. A SIS has to perform one or more safety
instrumented functions (SIFs) to achieve and maintain a safe
state for the EUC. The safe state is known as the state where
safety is achieved. Once the safe state is defined, the fail-safe
operation is considered, where the SIS is responsible for
taking the EUC to the safe state. Note that the EUC may have
different safe states. The SISs are grouped into two main
types of failures; dangerous and safe failures. Safe failures
are divided into detectable and undetectable failures with
failure rates λSD and λSU, respectively and they do not affect
the SIS to perform its functions whereas dangerous failures
prevent the SIS from working properly on demand.
Dangerous failures are also divided into detectable and
undetectable failures with failure rates λDD and λDU,
respectively. Dangerous detectable failures can be detected
by online diagnostics; dangerous undetectable failures remain
unobserved until the proof test. In the standard, proof test is
defined as the periodic test performed to detect failures in a
safety-related system so that, the system can be restored to an
“as new” condition or as close as practical to this condition
(Börcsök, 2004). If 100% of all dangerous failures are
detected, the proof test is said to be fully effective. The
failures that cannot be detected by the diagnostics or remain
undetected because of the imperfect diagnosis are considered
to be undetected failures. As mentioned before these failures
can only be found by the proof-test after the end of a proof
test interval. The SIF is implemented by an
electric/electronic/ programmable electronic safety related
system (E/E/PE SRS). The standard IEC61508 states that a
safety integrity level (SIL) should be allocated to each SIF
and defines the safety integrity as the probability of a safety
related system (SRS) satisfactorily performing the required
safety functions under all the stated conditions within a stated
period of time. There are four discrete levels for SILs in the
standard, where SIL 4 gives the highest and SIL 1 the lowest
requirements. In IEC61508 SRSs are classified into low and
high demand of operation. When the demand rate is less than
once a year and less than twice the proof test frequency the
SIS is said to be operating in low demand mode. Otherwise a
high demand mode of operation is considered. Probability of
failure on demand (PFD) is used as a reliability measure for
low-demand SISs and probability of failure per hour (PFH) is
used for high demand SISs. The SIL verifies whether the
average probability of failure on demand (PFDavg) of the
underlying SRS meets the required failure measure, where
the average is computed over the time interval of operation
between periodic proof tests. Diagnostic testing is a feature
that is provided for programmable electronic components,
and aims at revealing failures without interrupting the EUC.
Diagnostic coverage is defined as the fractional decrease in
the probability of dangerous hardware failure resulting from
the operation of the automatic diagnostic tests. Diagnostic
test interval is the interval between online tests to detect
faults in a safety-related system that have a specified
diagnostic coverage. Note that the diagnostic coverage is
seldom 100%. Recall that for a high demand SIS, the demand
rate and diagnostic test frequency has to be of the same order
of magnitude. For low demand SIS there is enough time to
restore the function before the next demand occurs (Börcsök,
2006).
2. 1oo2 and 1oo2D ARCHITECTURES

978-3-902823-13-7/12/$20.00 © 2012 IFAC 181 10.3182/20120912-3-BG-2031.00037

CTS 2012
September 12-14, 2012. Sofia, Bulgaria

2.1 1oo2 Architecture

The 1oo2 architecture consists of two elements connected in

parallel, such that either element can command a shutdown
output. Thus there would have to be a dangerous failure in
both elements before a safety function failed on demand.
Fig.1 and Fig.2 contain the physical block diagram and the
reliability block diagram of 1oo2 architecture, respectively.
Recall that common cause failure has to be considered
because there are two identical channels.

Channel

Fig. 3. 3D plot of PFDavg with varying DC and TI values for

1oo2 architecture.
Diagnostics 1oo2
Recall that, a curve in two dimensions on which the value of
a function f(DC, TI) is a constant is called an equipotential
curve. A plot of several equipotential curves is called a
Channel contour plot. For the same numerical values given above the
contour plots are shown in Fig.4, Fig.5 and Fig.6.
Fig. 1. Physical block diagram for 1oo2 architecture.
For 1oo2 architecture, it is assumed that any diagnostic
testing would only report the faults found and would not
change any output states or change the output voting.

Fig. 2. Reliability block diagram for 1oo2 architecture.

The equivalent mean down time of a channel in this system
architecture and the mean down time for this architecture are
obtained as (IEC 61508, 2000):

DU TI  Fig. 4. Contour plot of PFDavg with varying DC and TI

t DE  (  MTTR)  DD MTTR
D 2 D (1)
values. Note that DC takes values within interval [0, 0.6].
It is also possible to consider the change in PFDavg if around
DU TI  any operating point (DC*,TI*) DC or TI is changed. Using
t SE  (  MTTR)  DD MTTR.
D 3 D (2)
partial derivatives (∂DCPFDavg and ∂TI PFDavg) we obtain the
following contour plots for the same numerical values. In
The average probability of failure for the architecture is: Fig.7 the effects of DC on the deviation of PFDavg is
considered, and from Fig.8 it can be concluded that how TI
PFDavg  2((1   D )DD  (1   )DU ) 2 t DE t SE influences the change in PFDavg for fixed values. From these
  D DD MTTR plots we immediately conclude that for fixed TI, if DC
increases PFDavg decreases. Furthermore for fixed TI, DC has
  DU (TI / 2  MTTR) (3) more influence on PFDavg.
As an example, let the mean time to restoration (MTTR) be 8
hours as stated in IEC61508-6. Furthermore, average
probability of dangerous failures and the fraction of failures
having a common cause are chosen as λD = 1.63×10-6, βD =
0.01, (β = 2βD), respectively. Using these numerical values
the relationship between diagnostic coverage DC, proof test
interval TI and average probability of failure on demand
PFDavg are given in Fig. 3.

182
CTS 2012
September 12-14, 2012. Sofia, Bulgaria

Fig. 7. Contour plot of ∂PFDavg/∂DC. Consider TI fixed. Note

Fig. 5. Contour plot of PFDavg with varying DC and TI that DC takes values within interval [0.6, 0.9].
values. Note that DC takes values within interval [0.6, 0.9].

Fig. 8. Contour plot of ∂PFDavg/∂TI with respect to. Consider

Fig. 6. Contour plot of PFDavg with varying DC and TI DC fixed. Note that DC takes values within interval [0.6,
values. Note that DC takes values within interval [0.9, 1]. 0.9].

2.2 1oo2D Architecture

The 1oo2D architecture was designed to provide high safety

and high availability and consists of two elements connected
in parallel. Safety can be achieved if the diagnostics detect
the failure and de-energize the output of the failed unit. But
the system continues to operate successfully as the other unit Fig. 9. Physical block diagram for 1oo2D architecture.
will keep the load energized. During normal operation, both
channels need to demand the safety function before it can Fig.10 contains the reliability block diagram of 1oo2D
take place. If the diagnostic tests in either channel detect a architecture.
fault then the output voting is adapted so that the overall
output state then follows that given by the other channel. In
addition, if the diagnostic tests find faults in both channels or
a discrepancy that cannot be allocated to either channel, then
the output goes to the safe state. In order to detect a
discrepancy between the channels, either channel can
determine the state of the other channel via a method Fig. 10. Reliability block diagram for 1oo2D architecture.
independent of the other channel. Fig.9 contains the physical
Recall that the components follow the exponential
block diagram of 1oo2D architecture. Recall that common
distribution; the formulas of equivalent mean down times for
cause failure has to be considered because there are two
each channel and the overall architecture are given as:
identical channels.

183
CTS 2012
September 12-14, 2012. Sofia, Bulgaria

TI
DU (  MTTR)  ( DD  SD ) MTTR
t DE  2
DU  DD  SD (4)
TI
DU (  MTTR)  (DD  SD ) MTTR
t SE  3
DU  DD  SD (5)
PFDavg is given as:
PFDavg  2(1   )DU ((1   D )DD  SD  (1   )DU )t DE t SE
  D DD MTTR
Fig. 12. 3D plot of PFDavg with varying DC and TI values for
  DU (TI / 2  MTTR) (6) 1oo2D architecture (K=0.8).
Note that λSD=DC·λS and λS= λD, using the same numerical For K=0.8 and using the numerical values given in previous
values the relationship between diagnostic coverage DC, examples the relationship between diagnostic coverage, proof
proof test interval TI and average probability of failure on test interval and average probability of failure on demand is
demand PFDavg are given in Figure 11. presented in Fig.12.
In the newest version of the standard the PFDavg formula is 3. CONCLUSION
reformulated. Due to the fact that the channel comparison/
In this short paper the relationship between PFDavg, DC and
switch over mechanism may not be 100 % efficient a
TI are presented. As the underlying architectures 1oo2 and
coefficient K is represented. It is the efficiency of this inter-
1oo2D architectures are considered. It is observed that the
channel comparison /switch mechanism, i.e. the output may
influence of DC on PFDavg is greater than that of TI. If DC is
remain on the 2oo2 voting even with one channel detected as
increased to keep the same PFDavg value corresponds to
faulty. The new PFDavg formula is given as
longer TI periods. This paper does not concern the way the
PFDavg  2(1   )DU ((1   D )DD  SD  (1   )DU )t DE t SE diagnostics is performed. The influence of diagnostic testing
strategies is considered in an upcoming work.
 2(1  K ) DD t DE MTTR
REFERENCES
  DU (TI / 2  MTTR) (7 )
with tDE being the same as introduced in (4) and Börcsök, J. (2004). Electronic Safety Systems, Hüthig.
Börcsök, J. (2006). Functional Safety, Hüthig.
TI IEC 61508. (2000). Functional Safety of Electrical /
t SE  (  MTTR) .
3 (8) Electronic / Programmable Electronic Safety-Related
Systems, Geneva, Switzerland.

Fig. 11. 3D plot of PFDavg with varying DC and TI values for

1oo2D architecture.

184