Documente Academic
Documente Profesional
Documente Cultură
a r t i c l e i n f o
a b s t r a c t
Article history:
Received 3 April 2013
Received in revised form
4 August 2013
Accepted 30 March 2014
Safety integrity level (SIL) verication is a critical step in the life cycle of safety instrumented systems
(SIS). For the chemical process industry (CPI), SIL verication often means calculation of average probability of failure on demand (PFDavg) of a SIS. Markov analysis covers most aspects of the quantitative
safety evaluation and shows great exibility. However, for a complex SIS, the model building is so
cumbersome that industrial users always try to avoid using it. A simplied approach by conducting
Markov analysis on each channel of a SIS with any type of architecture and combining the results
together is proposed in this paper. A case study is performed and the results prove that the simplied
approach can simplify Markov modeling without loss of accuracy if a proper common cause failure (CCF)
model is adopted.
2014 Elsevier Ltd. All rights reserved.
Keywords:
Safety integrity level
Markov analysis
1. Introduction
It is of great importance to ensure the safety of industrial processes. Safety instrumented system (SIS) is an important layer of
protection for reducing the process safety risk.
To categorize the risk reduction factor, the SIS-related standard,
IEC 61508, puts forward an important concept, safety integrity level
(SIL). SIL, which means the order of magnitude levels of risk
reduction, is a critical parameter in most of the phases of safety
lifecycle of SIS. Despite of being built to achieve a high availability,
SIS may still fail. According to the standards, the ability of the SIS to
achieve a specic SIL must be validated at each stage of design and
prior to any changes made to the design after commissioning
(Wang, West, & Mannan, 2004).
IEC 61508 denes two modes of a SIS. One is the low demand
mode, and the other is the high demand or continuous mode. For
the low demand mode, which is the most commonly used mode in
the CPI, SIL is related to both the hardware fault tolerance (HFT) and
the average probability of failure on demand (PFDavg). HFT expresses architectural constraints, which means the requirements to
achieve a sufciently robust architecture (Lundteigen & Rausand,
2009). On the other hand, PFDavg represents the unavailability of
Y. Shu, J. Zhao / Journal of Loss Prevention in the Process Industries 29 (2014) 262e266
263
10
Table 1
SIL vs. PFDavg for low demand mode.
SIL1
SIL2
SIL3
SIL4
PFDavg
102e101
103e102
104e103
105e104
Torres algorithm
PFD
SIL
SU
SU
MA:
MA:
=1e6 hr
=1e5 hr
10
t/month
10
11
12
Fig. 1. PFD calculation result comparison between Torres algorithm and the Markov
analysis (MA) algorithm.
1oo1
1oo2
2oo2*
2oo3
3oo4*
6oo6*
4-by-4
7-by-7
13-by-13
23-by-23
54-by-54
204-by-204
264
Y. Shu, J. Zhao / Journal of Loss Prevention in the Process Industries 29 (2014) 262e266
PFDavg
X
1 12LT
PFDt
12LT t 1
(2)
4. Case study
3.2. Procedure of the simplied approach
A case study is performed in this section to illustrate the effectiveness of the above simplied approach. The result of the
approach is compared with the result of conventional Markov
approach. The matrix model for a full Markov analysis (FMA) is built
by using the automatic Markov analysis approach described in
literature (Guo & Yang, 2008).
In FMA, only the single b-factor model was applied. To keep
consistent with the CCF model, the multi b-factor model is applied
to both FMA and SMA in Section 4.2.
4.1. Parameter initiation
In the architectures discussed in this section, we assume all the
channels are identical. The data of the relevant parameters are set
as follows:
MTTR 24 h
TSD 24 h
LT 5 year
TI 12 month
CTI 0.9
10
6oo6
4oo4
3oo3
2oo2
1oo1
5oo6
10
3oo4
2oo3
1oo2
2oo4
3oo6
10
1oo3
PFD
1oo4
(1)
10
1oo6
10
Table 3
Values of CMooN of different MooN voting architectures.
N
N
N
N
N
2
3
4
5
6
M1
M2
M3
M4
M5
M6
1
0.3
0.15
0.08
0.04
2/b 1
2.4
0.75
0.45
0.26
e
3/b 2.7
4.0
1.2
8.3
e
e
4/b 4.95
6.0
1.6
e
e
e
5/b 7.7
8.1
e
e
e
e
6/b 10.8
10
t/year
Fig. 2. Results of FMA (red stars) and SMA (black lines) when multi b-factor model
used. (For interpretation of the references to color in this gure legend, the reader is
referred to the web version of this article.)
Y. Shu, J. Zhao / Journal of Loss Prevention in the Process Industries 29 (2014) 262e266
Table 4
PFDavg result comparison with the multi b-factor model applied.
Voting architecture
1oo1
1oo2
2oo2
1oo3
2oo3
3oo3
1oo4
2oo4
3oo4
4oo4
1oo6
3oo6
5oo6
6oo6
FMA
5.84e-4
5.88e-5
1.11e-3
1.76e-5
1.41e-4
1.59e-3
8.78e-6
4.40e-5
2.38e-4
2.05e-3
2.34e-6
4.27e-5
4.72e-4
2.87e-3
SMA
5.84e-4
5.84e-5
1.11e-3
1.75e-5
1.40e-4
1.60e-3
8.76e-6
4.38e-5
2.37e-4
2.05e-3
2.34e-6
4.27e-5
4.69e-4
2.87e-3
265
Relative
deviation (%)
0
0.68
0
0.57
0.71
0.63
0.22
0.45
0.42
0
0
0
0.64
0
the Markov model of FMA are replaced by the failure rates calculated based on the multi-b factor model.
Based on FMA and SMA with Equation (1) applied, the timedependent PFDs are obtained and shown in Fig. 2. The PFDavgs for
different voting architectures derived from FMA and SMA using
equation (2) are listed in Table 4. According to the comparison results in
Fig. 2 and Table 4, the proposed SMA shows high agreement with FMA
on MooN architectures as well with the multi-b factor model applied.
4.3. Summary
Although the simplied modeling of SMA omits the intermediate states of the MooN architecture, the results still show high
agreement with those of the full modeling of FMA if a proper CCF
model is applied. In our opinion, such phenomenon is caused by the
following features of SIS.
In common practice, SISs often stay in the normal state, which
means the probability of the normal state is much higher than that
of the other states. As a result, if the normal state has a transition
probability to dangerous failure state in a full Markov matrix, the
transition probability will be a dominant contribution factor to the
calculated PFD, and other transition paths can be ignored without
loss of signicant accuracy. The range of parameters within which
our simplication can keep good agreement with the full modeling
still needs further study.
5. Conclusion
SIL verication is critical for assuring the reliability of SIS. In the
CPI, the calculation of PFDavg is an important and difcult part in SIL
verication. Markov analysis shows great advantages in exibility
and ability to describe the time-dependent PFD. But the size of
Markov models increases explosively as systems become complex.
This paper presents a simplied three-step Markov analysis
approach that avoids building large Markov models. The presented
approach simplies the modeling and calculating of Markov-based
SIL verication without loss of accuracy, and makes it more
convenient to apply different CCF models or other failure-related
assumptions.
Acknowledgments
The authors gratefully acknowledge nancial support from the
National Basic Research Program of China (973 Program, Grant No.
2012CB720500) and the National High-Tech R&D Program of China
(863 Program)(No. 2013AA040702).
1S
B 1=T
B
SD
P B
B
@ 1=MTTR
lSD
1S
lSU
lDD
lDU
1
1S
1
C
C
C
C
A
(3)
1
S means sum of other elements on the same row. The statuses in
sequence are:
1.
2.
3.
4.
5.
Normal;
Safe failure detected;
Safe failure undetected
Dangerous failure detected;
Dangerous failure undetected
1
B 1
B
W B
B CTI
@ 1
CTI
0
0
0
0
0
0
0
1 CTI
0
0
0
0
0
0
0
1
0
0 C
C
0 C
C
0 A
1 CTI
(4)
Pm P 744
(5)
01
8
>
<
n
TI W
r ; rs0
S
P
Pm
0
m
BC
S@t A
n1
>
TI W
TI ; r 0
: S0 Pm
Pm
(6)
lt St,V
(7)
Wherein
V 0
1 T
(8)
References
Boercsoek, J., & Holub, P. (2008). Consideration of common cause failure in safety
systems. In WSEAS Conference on Recent Advances in Systems, Communication
and Computers, Hangzhou, China.
Bukowski, J., & Goble, W. (1995). Using Markov models for safety analysis of programmable electronic systems. ISA Transactions, 34, 193e198.
Dutuit, Y., Innal, F., Rauzy, A., & Signoret, J.-P. (2008). Probabilistic assessments in
relationship with safety integrity levels by using fault trees. Reliability Engineering and System Safety, 93, 1867e1876.
Guo, H., & Yang, X. (2007). A simple reliability block diagram method for safety
integrity verication. Reliability Engineering and System Safety, 92, 1267e
1273.
Guo, H., & Yang, X. (2008). Automatic creation of Markov models for reliability
assessment of safety instrumented systems. Reliability Engineering and System
Safety, 93, 807e815.
266
Y. Shu, J. Zhao / Journal of Loss Prevention in the Process Industries 29 (2014) 262e266
Hokstad, P., & Corneliussen, K. (2004). Loss of safety assessment and IEC 61508
standard. Reliability Engineering and System Safety, 83, 111e120.
Hokstad, P., Maria, A., & Tomis, P. (2006). Estimation of common cause factor from
systems with different number of channels. IEEE Transactions on Reliability, 55,
18e25.
Jin, H., Lundteigen, M. A., & Rausand, M. (2011). Reliability performance of
safety instrumented systems: a common approach for both low- and highdemand mode of operation. Reliability Engineering and System Safety, 96,
365e373.
Knegtering, B., & Brombacher, A. (1999). Application of micro Markov models for
quantitative safety assessment to determine safety integrity levels as dened by
the IEC 61508 standard for functional safety. Reliability Engineering and System
Safety, 66, 171e175.
Lu, L., & Lewis, G. (2008). Conguration determination for k-out-of-n partially
redundant systems. Reliability Engineering and System Safety, 93, 1594e
1604.
Lundteigen, M., & Rausand, M. (2009). Architectural constraints in IEC 61508: do
they have the intended effect? Reliability Engineering and System Safety, 94,
520e525.
Oliveira, L., & Abramovitch, R. (2010). Extension of ISA TR84.00.02 PFD equation to KooN architectures. Reliability Engineering and System Safety, 95,
707e715.
Rouvroye, J., & Brombacher, A. (1999). New quantitative safety standards: different
techniques, different results? Reliability Engineering and System Safety, 66, 121e
125.
Summers, A. (2000). Viewpoint on ISA TR84.0.02 e simplied methods and fault
tree analysis. ISA Transactions, 39, 125e131.
Torres-Echeverria, A. C., Martorell, S., & Thompson, H. A. (2009). Modelling and
optimization of proof testing policies for safety instrumented systems. Reliability Engineering and System Safety, 94, 834e854.
Torres-Echeverria, A. C., Martorell, S., & Thompson, H. A. (2011). Modeling safety
instrumented systems with MooN voting architectures addressing system
reconguration for testing. Reliability Engineering and System Safety, 96, 545e
563.
Vaurio, J. (2011). Unavailability equations for k-out-of-n systems. Reliability Engineering and System Safety, 96, 350e352.
Wang, Y., West, H. H., & Mannan, M. S. (2004). The impact of data uncertainty in
determining safety integrity level. Process Safety and Environmental Protection,
82, 393e397.
Glossary
CCF: common cause failure
CMooN: modication factor of b factor in multi-b factor model, unitless
CkN: the number of k-combination from a set of N elements, unitless
CTI: coverage of proof test, unitless
FTA: fault tree analysis
FMA: full Markov analysis
HFT: hardware fault tolerance
IEC: International Electrotechnical Commission
LT: lifetime, year
mod: modulo operator
MTTR: mean time to repair, h
MooN: M out of N voting architecture
MTBF: mean time before failure, h
PFD: probability of failure on demand, unitless
PFDavg: average PFD, unitless
PFD(t): time-dependent PFD, unitless
PFS: probability of failing safely, unitless
SIL: safety integrity level
SIS: safety instrumented system
SMA: simplied Markov analysis
t: time, month
TI: proof test interval, month
TSD: time to start up, h
b: b factor in b factor model for quantication of CCF, unitless
l(t): time-dependent probability of 1oo1 failure
lDD: rate of dangerous failure detected, h1
lDU: rate of dangerous failure undetected, h1
lSD: rate of safe failure detected, h1
lSU: rate of safe failure undetected, h1