Effect of Safe Failures on the Reliability of Safety Instrumented Systems
MetadataShow full item record
Safety instrumented systems (SISs) are of prime importance to the process industry to avoid catastrophic consequences or even loss of human life. The dangerous situations that any equipment may face should be analysed in order to quantify the associated risk and to choose a design of the SIS that reduces the risk to a tolerable level. The safe failure fraction (SFF) is a parameter defined in the standards IEC 61508 and IEC 61511, and is used to determine the need for additional channels that can activate the safety function if a failure is present. The standards consider a high SFF as an indicator of a safe design, and by increasing SFF, one may allow a lower redundancy level for a SIS and therefore reduce costs. Safety engineers discuss the suitability of this parameter, and some argue that the negative effects of safe failures on the reliability are so significant that the parameter should not be used. For a safety shutdown valve installed to prevent overpressure, a safe failure is defined as a spurious closure where the source of high pressure is isolated. This thesis examines the effects of safe failures on the reliability of such systems by using a Markov model. According to IEC 61508 and IEC 61511 the system reliability of a safety shutdown system is measured by the probability of failure on demand (PFD). From the results it can be concluded that the time needed to restore the system back to initial state after a safe failure does not have a significant effect on PFD. A long restoration time after a safe failure in combination with a high frequency of safe failures is negative with respect to production downtime. The main contributor to PFD is the long run probability of being in a state where a dangerous undetected (DU) failure is present. DU failures are normally detected by function tests or sometimes upon demand, but they can also be revealed by a spurious closure. This effect is based on the assumption of perfect repair of safe failures, which means that all possible failure modes are detected and the failed items are repaired or replaced after restoration of safe failures. The ability to reveal DU failures is clearly dependent on the frequency of a DU failure and safe failure occurring in the same test interval. This thesis demonstrates that safe failures only have significant effect when the dangerous failure rate is high. Other parameters affect the PFD to a greater extent, and the importance of exact parameter estimation is crucial and more important than the positive effects of safe failures. The SFF must be close to 100% to have a significant effect on the PFD, and since it is always aimed at minimising the number of dangerous failures, the alternative is to add safe failures. This is probably not the intent of SFF and is negative with respect to production downtime. Safe failures does not justify a lower degree of redundancy. On the other hand, the positive effects of safe failures show a satisfactory reason for adopting a longer test interval. This is an optimisation of PFD and can reduce costs or even the frequency of dangerous situations during start-up and shutdown. This thesis demonstrates that the PFD is not affected by safe failures, and indicates no reason to be in doubt about this parameter as a measure of reliability. The SFF gives hardly any information and the choice of SIS architecture should not be based on SFF alone. An alternative parameter that considers different means of revealing DU failures seems to be a better choice.