Risk Software S.A. de C.V.

Determination of the PFDavg (SIL) of a Safety Instrumented System (SIS)

Prepared for: Course on Risk Analysis and Functional Safety
Prepared by: Victor Machiavelo Salinas, Risk Software SA de CV, www.risksoftware.com.mx

1. Introduction

The PFDavg (average probability of failure on demand) is the figure used in functional safety to determine the Safety Integrity Level (SIL; NIL in Spanish) that a Safety Instrumented System (SIS) achieves for a given Safety Instrumented Function (SIF). Figure #1 shows the relationship, for a Safety Instrumented System, between the demand rate (events/year) at which the process calls on the SIS because of an unsafe condition and the rate of final undesired events (events/year) that occur because the SIS is ineffective, fails, or is unable to respond.

Figure #1: Demand rate (D) -> SIS -> Event rate (H)

$\mathrm{PFDavg} = H/D = 1/(\text{Risk Reduction Factor})$

The SIL is derived from the numerical PFDavg calculated for the SIS, which includes the sensors (pressure, temperature, flow, etc.), the programmable logic controller, and the final control elements (valves, motors, actuators, etc.). The total PFDavg of a SIS is the algebraic sum of the average probabilities of failure on demand of the sensor, the logic solver, and the final control element, as shown in Figure #2 (a valid approximation as long as each term is small compared with 1).

Figure #2: Sensor -> Logic Solver -> Final Elements

$\mathrm{PFDavg\ Total} = \mathrm{PFD}_S + \mathrm{PFD}_L + \mathrm{PFD}_{EF}$

To calculate the PFDavg of a SIS, the standard ANSI/ISA 84.01-2004 recommends three methods:
1. Simplified equations (reliability block diagrams)
2. Fault tree analysis (FTA)
3. Markov models.
This technical report focuses on calculating the PFDavg with the first two methods, which are the most widely used in functional safety; note that Markov models are more precise and can model systems over time, with sequences and repairs.

2. System Failures

It is necessary to understand how systems and equipment fail, because the equations used to determine the PFDavg depend directly on the failure mechanism of the sensors, logic solver, and final elements. Figure #3 shows the failure modes that the components of a SIS can have.

Figure #3: Failure modes
- Overt (revealed) failures: spurious trip rate, $\lambda^S = 1/\mathrm{MTBF}_{sp}$. The plant must live with the loss of production (plant shutdown).
- Covert (hidden) failures: dangerous trip rate, $\lambda^D = 1/\mathrm{MTTF}$. The plant remains at risk while the failure is repaired. These failures are either detected by diagnostics or not detected until manual tests; the SIS is out of service during the tests.

MTBF = Mean Time Between Failures; MTTF = Mean Time To Fail.

Overt failure modes: these are also known as "revealed" failures, because they become known as soon as they occur; examples are the loss of a sensor signal when the signal wires are cut, or the failure of a solenoid valve coil. Overt failures normally produce a system response known as a "safe failure"; the most common consequence is an emergency shutdown of the process.
This is known as the "spurious trip rate". In many processes this condition is undesirable because it directly affects production or production time; in continuous processes, such as the chemical or petroleum industries, it is very costly because restarting the process is neither easy nor fast. In certain processes it can also be very dangerous, since shutting down inherently hazardous processes that handle large quantities of material and energy can create hazardous conditions for personnel, the environment, and company assets. The way to prevent this is to increase the fault tolerance of the systems and equipment (redundancy). IEC 61511, clause 11.4, specifies the mechanisms and levels of fault tolerance for SIS.

Covert failure modes: covert failures are dangerous failures until they are detected and corrected. The PFDavg calculation is based on this type of failure. Covert failures typically appear in devices whose function is to produce or drive the final action, such as the output devices on the PLC cards, the relay coil, the valve actuator, or the controller logic. The main problem with these failures arises in devices that have not been operated for long periods of time. Three conditions occur with covert failures:
1. Failures that can be detected by self-diagnostics.
2. Failures that can be found during a test period.
3. Failures that remain hidden, undetected in the system, until a failure on demand occurs.
Each of these failures contributes to the PFDavg of the SIS, and each requires a different treatment in the reliability calculation.
The formulas for calculating systems based on self-diagnostics generally refer to programmable logic controllers, because these systems use advanced diagnostic techniques. In most systems, "diagnostics" refers to the system's ability to perform tests without human intervention. These diagnostics, also called "active" diagnostics, are functional tests of the state of the system; an example is toggling the state of the controller's output cards, open/close (On/Off), to prove that the system is able to bring the process to a safe condition. These tests run very quickly, generally in milliseconds, so that the tests themselves do not become a hazardous condition for the process.

Calculations: the calculation of revealed failures (also called safe failures) is important from the point of view of process operation. Installing a safety system is a complicated and costly undertaking, and the last thing we want is for that system to be what generates a potentially unsafe condition or causes production or economic losses. The selection of a safety system without fault tolerance must be carefully evaluated from the point of view of both safety and process operation; the design of the system under the lifecycle concept must include the cost of spurious trips and the costs associated with fault tolerance. Revealed failures also have two components: detectable safe failures and undetectable safe failures. Because both lead to a safe shutdown of the process, there is little need to detail each one in a separate equation. Covert failures (also called dangerous failures), as shown in Figure #3, have two components:

1) Dangerous failures detected by self-diagnostics, which carry out the test and the detection of errors and faults automatically. We associate these failures with complex systems such as logic controllers; however, in recent years some field devices, such as sensors and valve actuators, have incorporated high levels of self-diagnostics in their electronics. The self-diagnostic test time typically ranges from 1 to 10 seconds.
2) Dangerous failures detected by manual tests: these are tests that cannot be performed by diagnostics, so the test and the diagnosis must be carried out manually. The interval between these tests is typically much shorter than the MTBF. This type of test is associated with field devices and final control elements.

Figure #4 shows the difference in the tests required for the different devices. There is a large difference between the equations used to model the PFDavg of sensors and final control elements and those used to model logic controllers, not only because the latter perform self-diagnostic tests, but also because each system may contain different devices in different configurations and quantities (input and output modules, power supplies, processors, communications, etc.).

Figure #4: Test requirements for devices. Demand rate (D) -> Sensor (manual tests) -> Logic Solver (self-diagnostic tests) -> Final Elements (manual tests) -> Event rate (H)

The equations for modelling programmable logic controllers are defined in detail in IEC 61508-6, Edition 2.0, 2010-04. Simplified equations also exist for programmable logic controllers; they make the determination of the PFDavg easier but less exact.
3. Determination of the Spurious Trip Rate

Equations for determining the spurious trip rate (STR), taken from ISA-TR84.00.02-2002 Part 2 (pp. 27-28).

As discussed earlier, it is useful to know the spurious trip rate that a system will have, because it lets us select systems based on the costs associated with tripping/shutting down a process due to the failure of one of the components of the safety instrumented system:

$\lambda^S = 1/\mathrm{MTTF}_{spurious}$ (Eq. No. 9)

Architecture | Complete equation (ISA TR84.00.02 Part 2) | Simplified equation (ISA TR84.00.02 Part 2)
--- | --- | ---
1oo1 | $\mathrm{STR} = \lambda^S + \lambda^{DD} + \lambda^S_F$ (Eq. No. 10) | $\mathrm{STR} = \lambda^S$ (Eq. No. 10a)
1oo2 | $\mathrm{STR} = [2(\lambda^S + \lambda^{DD})] + [\beta(\lambda^S + \lambda^{DD})] + \lambda^S_F$ (Eq. No. 11) | $\mathrm{STR} = 2\lambda^S$ (Eq. No. 11a)
1oo3 | $\mathrm{STR} = [3(\lambda^S + \lambda^{DD})] + [\beta(\lambda^S + \lambda^{DD})] + \lambda^S_F$ (Eq. No. 12) | $\mathrm{STR} = 3\lambda^S$ (Eq. No. 12a)
2oo2 | $\mathrm{STR} = [2(\lambda^S + \lambda^{DD})^2\,\mathrm{MTTR}] + [\beta(\lambda^S + \lambda^{DD})] + \lambda^S_F$ (Eq. No. 13) | $\mathrm{STR} = 2(\lambda^S)^2\,\mathrm{MTTR}$ (Eq. No. 13a)
2oo3 | $\mathrm{STR} = [6(\lambda^S + \lambda^{DD})^2\,\mathrm{MTTR}] + [\beta(\lambda^S + \lambda^{DD})] + \lambda^S_F$ (Eq. No. 14) | $\mathrm{STR} = 6(\lambda^S)^2\,\mathrm{MTTR}$ (Eq. No. 14a)
2oo4 | $\mathrm{STR} = [12(\lambda^S + \lambda^{DD})^3\,\mathrm{MTTR}^2] + [\beta(\lambda^S + \lambda^{DD})] + \lambda^S_F$ (Eq. No. 15) | $\mathrm{STR} = 12(\lambda^S)^3\,\mathrm{MTTR}^2$ (Eq. No. 15a)

where:
- $\lambda^S$ is the safe (spurious) failure rate of each component;
- $\lambda^{DD}$ is the dangerous detected failure rate of each component;
- $\lambda^S_F$ is the safe systematic failure rate of each component.

In Eq. 10 the second term is the dangerous detected failure rate term and the third term is the systematic error rate term. The dangerous detected failure term is included in the spurious trip calculation when the detected dangerous failure puts that channel (of a redundant system) or the system (if it is non-redundant) into a safe (de-energized) state; this can happen either automatically or by human intervention. If a dangerous detected failure does not place the channel or system into a safe state, this term is not included in Equations 10 through 15.

In Equations 11 through 15 the second term is the common cause term and the third term is the systematic error rate term. Equations 13, 14 and 15 assume that safe failures can be detected on-line; if safe failures can only be detected through testing or inspection, the testing (or inspection) interval TI should be substituted for MTTR.

NOTE: The above equations apply to elements with the same failure rates. If elements with different failure rates are used, appropriate adjustments must be made (see ISA-TR84.00.02-2002 Part 5 for the method).

A SIS in the process industry typically must be taken out of service to make repairs when a dangerous failure is detected, unless redundancy of components is provided. Accounting for additional failures while repairs are being made is typically not considered, due to the relatively short repair time. Common cause failures and systematic error are handled as described in section 5.1.5 of the technical report. Therefore the equations reduce to the simplified forms (Eq. 10a through 15a) in the right-hand column.

Combining the spurious trip rates of the components to obtain the SIS $\mathrm{MTTF}_{spurious}$ (technical report section 5.2.6): once the sensor, final element, logic solver, and power supply portions are evaluated, the $\mathrm{MTTF}_{spurious}$ for the SIS being evaluated is obtained as follows:

$\mathrm{STR}_{SIS} = \sum \mathrm{STR}_{Si} + \sum \mathrm{STR}_{Ai} + \sum \mathrm{STR}_{Li} + \sum \mathrm{STR}_{PSi} + \lambda^S_F$ (Eq. No. 16)

NOTE: The last term of the equation, the systematic failure term, is only used when systematic error has not been included in the individual component STR and the user wishes to include an overall value for the entire system.

The final spurious trip rate of the SIS (using the simplified equations) is therefore the sum over each element of the system:

$\mathrm{STR}_{SIS} = \sum \mathrm{STR}_{Sensor} + \sum \mathrm{STR}_{CLP} + \sum \mathrm{STR}_{EF}$

The MTTF (mean time to fail) in the spurious direction is given by:

$\mathrm{MTTF}_{spurious} = 1/\mathrm{STR}_{SIS}$ (Eq. No. 17)

The result is the $\mathrm{MTTF}_{spurious}$ for the SIS.
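The following Python is an added worked example (not code from the Risk Software report or from ISA) that implements the spurious trip rate table above: Equations 10 through 15 and their simplified forms 10a through 15a, the SIS sum of Equation 16, and the MTTF of Equation 17. It also encodes the two caveats in the notes: the dangerous detected term is only counted when a detected dangerous failure de-energizes the channel, and the repair time argument should be the test interval TI rather than MTTR when safe failures are only found by testing. The failure rates, beta factor, and MTTR used in example() are constructed for illustration and are not vendor data.

```python
"""Spurious trip rate (STR) of SIS voting architectures.

Added example, not from the report or from ISA. Implements Eq. 10-15 (complete),
Eq. 10a-15a (simplified), Eq. 16 (SIS sum) and Eq. 17 (MTTF_spurious) of
ISA-TR84.00.02-2002 Part 2 as quoted above. All numeric inputs below are
constructed for illustration.
"""

# Leading term of each architecture is k * rate**n * repair_time**m,
# where rate is the per-channel safe (+ dangerous detected) failure rate.
_ARCH = {
    "1oo1": (1, 1, 0),
    "1oo2": (2, 1, 0),
    "1oo3": (3, 1, 0),
    "2oo2": (2, 2, 1),
    "2oo3": (6, 2, 1),
    "2oo4": (12, 3, 2),
}

HOURS_PER_YEAR = 8760.0


def str_full(arch, lam_s, lam_dd, beta, repair_time, lam_sf=0.0, dd_trips=True):
    """STR in 1/h per Eq. 10-15.

    lam_s        safe (spurious) failure rate of one channel, 1/h
    lam_dd       dangerous detected failure rate of one channel, 1/h
    beta         common cause factor (0..1); not used for 1oo1 (Eq. 10 has no CCF term)
    repair_time  MTTR in hours; pass the test interval TI instead when safe
                 failures are only found by testing or inspection (TR note)
    lam_sf       safe systematic failure rate, 1/h (0 when not modelled)
    dd_trips     True when a detected dangerous failure de-energizes the channel
                 or system; otherwise the lam_dd term is dropped (TR note)
    """
    k, n, m = _ARCH[arch]
    rate = lam_s + (lam_dd if dd_trips else 0.0)
    leading = k * rate ** n * repair_time ** m   # repair_time**0 == 1 for 1ooN
    common_cause = 0.0 if arch == "1oo1" else beta * rate
    return leading + common_cause + lam_sf


def str_simplified(arch, lam_s, repair_time=0.0):
    """STR in 1/h per Eq. 10a-15a: safe failure rate only, no CCF or systematic term."""
    k, n, m = _ARCH[arch]
    return k * lam_s ** n * repair_time ** m


def str_sis(sensor_strs, logic_strs, final_strs, supply_strs=(), lam_sf=0.0):
    """Eq. 16: sum of all subsystem STRs plus an optional overall systematic term."""
    return sum(sensor_strs) + sum(logic_strs) + sum(final_strs) + sum(supply_strs) + lam_sf


def mttf_spurious(str_sis_rate):
    """Eq. 17: MTTF_spurious in hours."""
    return 1.0 / str_sis_rate


def example():
    """Same field device in each architecture (constructed rates): STR per arch in 1/h."""
    lam_s, lam_dd, beta, mttr = 5e-6, 2e-6, 0.02, 8.0   # assumed values, 1/h and hours
    return {arch: str_full(arch, lam_s, lam_dd, beta, mttr) for arch in _ARCH}


if __name__ == "__main__":
    for arch, rate in example().items():
        years = mttf_spurious(rate) / HOURS_PER_YEAR
        print(f"{arch}: STR = {rate:.3e} /h, MTTF_spurious = {years:.1f} years")
```

Running example() shows why the complete equations matter: with the assumed beta of 2 %, the common cause term $\beta(\lambda^S + \lambda^{DD})$ is roughly 60 times larger than the 2oo3 leading term $6(\lambda^S + \lambda^{DD})^2\,\mathrm{MTTR}$, so the spurious trip rate of the 2oo3 and 2oo4 arrangements is set almost entirely by common cause, not by the voting; the simplified equations (13a to 15a) would understate it by that factor.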
+ $SF [[ (( ] [ ] (( ( ) ( ) ( ])]) [ (] [ ( )] )] ( ( ) ) )) ) ] [ [ [ ( () ( [ ] [ [ [( ( [ [ ) (NOTE (# ] ) ( ) ) ) # # )] [ ] [( ( ] )] )# ] # ] # # # # # # # ) [ ] [ ( )] # # # # # # # # # # # # 1 s p u r iothe u ssystematic failure The last term in the equation, term, is only used when systematic error ha M Tand Tequation, Fthe user spurious = toSinclude NOTE The last termMTTF in the systematic failure term, is only when systematic The result is the forthe the SIS. individual component STR desires an overall valueused for the entire system. error ha T R S IS (Eq. No.component 17) individual STR is and thesystematic user desires to include anterm. overall This value for the entire system. term and the third term the error rate The second term is the common cause equation, as well as Equations 14 and 15, assumes that safe failures can be detected on-line. If safe spurious The result is the MTTF s p ufor r io inspection) uthe s SIS. 1interval TI should be failures can only be detected through testing or inspection, M theTtesting 1 s p u(or r io u s = T F M TTF = SS T substituteddefor MTTR. Determinación la PFDavg (Eq. No. 17) TR R SS IS IS (Eq. No. 17) 2oo3 spurious The result result is is the the MTTF MTTFspurious for The for the the SIS. SIS. S S DD S DD S 5 Risk Software S.A. de C.V. ISA-TR84.00.02-2002 Part2 2 ISA-TR84.00.02-2002 - -Part " 24 " 24 " " 4. Determinación de la Probabilidad de Falla Sobre Demanda IfIfISA-TR84.00.02-2002 systematic errors(functional (functional failures) are included in the calculations, systematic are to to be included the calculations, sep - Part 2failures) 24 " be " coninprueEcuaciones para la determinación de la Probabilidad de Fallas Sobreerrors Demanda PFDavg para Sistemas sub-system, available,may maybebeused used equations above. An alternate a sub-system, ififavailable, in in thethe equations above. An alternate appro bas manuales. 
The probability of failure on demand for systems with manual tests applies mainly to the field elements, i.e. sensors and final control elements. The basis of these equations is the time interval between manual proof tests (TI), whose purpose is to identify and locate dangerous failures in the system or in its elements. The equations also carry a systematic failure rate term, which represents the systematic failures introduced during the design, selection, implementation and maintenance of the field elements of the Safety Instrumented System.

Equations for typical configurations (ISA-TR84.00.02-2002 Part 2, section 5.1):

1oo1

$PFD_{avg} = \lambda_{DU}\,\dfrac{TI}{2} + \lambda_{DF}\,\dfrac{TI}{2}$ (Eq. No. 3)

where $\lambda_{DU}$ is the undetected dangerous failure rate, $\lambda_{DF}$ is the dangerous systematic failure rate, and TI is the time interval between manual functional tests of the component.

NOTE The equations in ISA-TR84.00.02-2002 Part 1 model the systematic failure as an error that occurred during the specification, design, implementation, commissioning, or maintenance that resulted in the SIF component being susceptible to a random failure. Some systematic failures do not manifest themselves randomly, but exist at time 0 and remain failed throughout the mission time of the SIF. For example, if the valve actuator is specified improperly, leading to the inability to close the valve under the process pressure that occurs during the hazardous event, then the average value as shown in the above equation is not applicable. In this event, the systematic failure would be modeled using $\lambda_{DF}\,TI$. When modeling systematic failures, the reader must determine which model is more appropriate for the type of failure being assessed.

NOTE If systematic errors (functional failures) are to be included in the calculations, separate values for each sub-system, if available, may be used in the equations above. An alternate approach is to use a value for functional failure for the entire SIF and add this term as shown in Equation 1a. Systematic failures are rarely modeled for SIF Verification calculations due to the difficulty in assessing the causes and effects and the lack of failure rate data for the various types of systematic failure. However, these failures are real and can result in significant impact to the SIF performance. For this reason, ANSI/ISA-84.01-1996, IEC 61508 and IEC 61511 provide a lifecycle process that incorporates design and installation concepts, validation and testing criteria, and management of change. This lifecycle process is intended to support the reduction of systematic failures. SIL Verification is predominantly concerned with assessing the SIS performance related to random failures.

The simplified equations, without the terms for multiple failures during repair, common cause and systematic errors, reduce to the following for use in the procedures outlined in 5.1.1 through 5.1.5:

1oo1 simplified: $PFD_{avg} = \lambda_{DU}\,\dfrac{TI}{2}$ (Eq. No. 3a)

Architecture / Complex equation (ISA-TR84.00.02 Part 2) / Simplified equation

1oo2

$PFD_{avg} = \left[\left((1-\beta)\lambda_{DU}\right)^2\dfrac{TI^2}{3}\right] + \left[(1-\beta)\,\lambda_{DU}\,\lambda_{DD}\,MTTR\,TI\right] + \beta\,\lambda_{DU}\,\dfrac{TI}{2} + \lambda_{DF}\,\dfrac{TI}{2}$ (Eq. No. 4A)

For simplification, $1-\beta$ is generally assumed to be one, which yields conservative results. Consequently, the equation reduces to

$PFD_{avg} = \left[\lambda_{DU}^2\,\dfrac{TI^2}{3}\right] + \left[\lambda_{DU}\,\lambda_{DD}\,MTTR\,TI\right] + \beta\,\lambda_{DU}\,\dfrac{TI}{2} + \lambda_{DF}\,\dfrac{TI}{2}$ (Eq. No. 4B)

The second term accounts for multiple failures during repair. This factor is typically negligible for short repair times. The third term is the common cause term and the fourth term is the systematic error term.

1oo2 simplified: $PFD_{avg} = \lambda_{DU}^2\,\dfrac{TI^2}{3}$ (Eq. No. 4a)

1oo3

$PFD_{avg} = \left[\lambda_{DU}^3\,\dfrac{TI^3}{4}\right] + \left[\lambda_{DU}^2\,\lambda_{DD}\,MTTR\,TI^2\right] + \beta\,\lambda_{DU}\,\dfrac{TI}{2} + \lambda_{DF}\,\dfrac{TI}{2}$ (Eq. No. 5)

The second term accounts for multiple failures during repair and is typically negligible for short repair times. The third term is the common cause term and the fourth term is the systematic error term.

1oo3 simplified: $PFD_{avg} = \lambda_{DU}^3\,\dfrac{TI^3}{4}$ (Eq. No. 5a)

2oo2

$PFD_{avg} = \lambda_{DU}\,TI + \beta\,\lambda_{DU}\,\dfrac{TI}{2} + \lambda_{DF}\,\dfrac{TI}{2}$ (Eq. No. 6)

The second term is the common cause term and the third term is the systematic error term.

2oo2 simplified: $PFD_{avg} = \lambda_{DU}\,TI$ (Eq. No. 6a)

2oo3

$PFD_{avg} = \left[\lambda_{DU}^2\,TI^2\right] + \left[3\,\lambda_{DU}\,\lambda_{DD}\,MTTR\,TI\right] + \beta\,\lambda_{DU}\,\dfrac{TI}{2} + \lambda_{DF}\,\dfrac{TI}{2}$ (Eq. No. 7)

The second term represents multiple failures during repair. This factor is typically negligible for short repair times (typically less than 8 hours). The third term is the common cause term. The fourth term is the systematic error term.

2oo3 simplified: $PFD_{avg} = \lambda_{DU}^2\,TI^2$ (Eq. No. 7a)

2oo4

$PFD_{avg} = \left[\lambda_{DU}^3\,TI^3\right] + \left[4\,\lambda_{DU}^2\,\lambda_{DD}\,MTTR\,TI^2\right] + \beta\,\lambda_{DU}\,\dfrac{TI}{2} + \lambda_{DF}\,\dfrac{TI}{2}$ (Eq. No. 8)

The second term in the equation represents multiple failures during repair. This factor is typically negligible for short repair times. The third term is the common cause term. The fourth term is the systematic error term.

2oo4 simplified: $PFD_{avg} = \lambda_{DU}^3\,TI^3$ (Eq. No. 8a)

where MTTR is the mean time to repair, $\lambda_{DD}$ is the detected dangerous failure rate, and $\beta$ is the fraction of failures that impact more than one channel of a redundant system (common cause factor).

For configurations other than those indicated above, see Reference 3 or ISA-TR84.00.02-2002 Part 5.

The terms in the equations representing common cause (Beta factor term) and systematic failures are typically not included in calculations performed in the process industries. These factors are usually accounted for during the design by using components based on plant experience. Common cause includes environmental factors, e.g., temperature, humidity, vibration, and external events such as lightning strikes. Systematic failures include calibration errors, design errors, programming errors, etc. If there is concern related to these factors, refer to ISA-TR84.00.02-2002 Part 1 for a discussion of their impact on the PFD calculations.

5.1.6 Combining components' PFDs to obtain the SIF PFDavg

Once the sensor, final element, logic solver and power supply (if applicable) portions are calculated, the overall PFDavg for the SIF being evaluated is obtained by summing the individual components' PFDavg values:

$PFD_{SIS} = \sum PFD_{Si} + \sum PFD_{Ai} + \sum PFD_{Li} + \sum PFD_{PSi} + \lambda_F\,\dfrac{TI}{2}$ (Eq. No. 1a)

where $PFD_{SIS}$ is the PFD for the SIF for the event being protected against, S denotes sensors, A final elements, L the logic solver and PS the power supply. Summing the portions is a conservative (rare-event) approximation of the probability that at least one of them has failed, which is adequate because each term is small.
For redundant systems, the second term in the complex equations represents the multiple failures that occur during repair and the third term represents common cause failure (CCF). In the simplified equations the second term is considered negligible because its value is very small when the repair time is less than 8 h. The third term is neglected on the assumption that systems in the process industries are designed with common cause failures taken into account, and the fourth term, systematic failures, is neglected when a design methodology for the SIS is followed, such as the requirements and design considerations of the IEC 61511 Safety Lifecycle. This assumption should be checked rather than taken for granted: comparing the common cause term of Eq. No. 4B with the simplified Eq. No. 4a, their ratio is $3\beta/(2\lambda_{DU}TI)$, so for $\beta$ of a few percent and $\lambda_{DU}TI$ around 0.01 the common cause term is several times larger than the simplified value, and the simplified equation is non-conservative for redundant architectures unless the design justification for dropping $\beta$ actually holds.

The final value of the PFDavg is represented as:

$PFD_{SIS} = \sum PFD_{Sensor} + \sum PFD_{PLC} + \sum PFD_{FE} + \lambda_{SF}$

where $\lambda_{SF}$ is the systematic failure term (written $\lambda_F\,TI/2$ in Eq. No. 1a).

In general terms the use of the simplified equations is accepted for systems with manual tests, such as sensors and final elements. Although these equations are also commonly used for programmable logic controllers, IEC 61508 Edition 2.0 (2010-04) has developed more exact equations to describe systems whose testing is based on automatic diagnostics.
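As an added worked example (this code is not part of the report and is not ISA's), the following Python evaluates the complex and simplified ISA-TR84.00.02 Part 2 equations above for every architecture, cross-checks the simplified undetected-failure term against a numerical time average of the exact k-out-of-n unavailability over one proof-test interval, and sums sensor, logic solver and final element per Eq. No. 1a. The failure rates, $\beta$, MTTR and the one-year TI are constructed illustration values, not data from the report or any vendor.

```python
"""Added worked example: PFDavg of manually proof-tested SIF components with the
ISA-TR84.00.02-2002 Part 2 equations (Eq. 3 to 8, simplified forms 3a to 8a, and Eq. 1a).

Units: failure rates in 1/h, TI and MTTR in hours. All numbers below are constructed
illustration values, not data from the report or any vendor.
"""
from dataclasses import dataclass
from math import comb, exp


@dataclass(frozen=True)
class Channel:
    lambda_du: float          # undetected dangerous failure rate (1/h)
    lambda_dd: float = 0.0    # detected dangerous failure rate (1/h)
    lambda_df: float = 0.0    # dangerous systematic failure rate (1/h)
    beta: float = 0.0         # common cause fraction (beta factor)
    mttr: float = 0.0         # mean time to repair (h)


def pfd_terms(arch: str, ch: Channel, ti: float) -> tuple:
    """Return the four terms of the complex equation:
    (multiple undetected failures, failures during repair, common cause, systematic).
    Coefficients follow ISA-TR84.00.02 Part 2 with (1 - beta) taken as 1 (Eq. 4B)."""
    du, dd = ch.lambda_du, ch.lambda_dd
    ccf = ch.beta * du * ti / 2          # beta * lambda_DU * TI / 2
    sysf = ch.lambda_df * ti / 2         # lambda_DF * TI / 2
    table = {
        "1oo1": (du * ti / 2,          0.0,                               0.0),  # Eq. 3 (no CCF term)
        "1oo2": (du**2 * ti**2 / 3,    du * dd * ch.mttr * ti,            ccf),  # Eq. 4B
        "1oo3": (du**3 * ti**3 / 4,    du**2 * dd * ch.mttr * ti**2,      ccf),  # Eq. 5
        "2oo2": (du * ti,              0.0,                               ccf),  # Eq. 6
        "2oo3": (du**2 * ti**2,        3 * du * dd * ch.mttr * ti,        ccf),  # Eq. 7
        "2oo4": (du**3 * ti**3,        4 * du**2 * dd * ch.mttr * ti**2,  ccf),  # Eq. 8
    }
    if arch not in table:
        raise ValueError(f"unsupported architecture {arch!r}")
    return table[arch] + (sysf,)


def pfd_avg(arch: str, ch: Channel, ti: float, simplified: bool = False) -> float:
    """Complex equation (sum of all terms) or simplified equation (first term only, Eq. 3a-8a)."""
    terms = pfd_terms(arch, ch, ti)
    return terms[0] if simplified else sum(terms)


def pfd_avg_exact(arch: str, lambda_du: float, ti: float, steps: int = 20000) -> float:
    """Cross-check of the simplified equations: time average over one proof-test interval of the
    exact k-out-of-n unavailability built from q(t) = 1 - exp(-lambda_DU t) per channel
    (independent channels, undetected failures only), by midpoint integration."""
    k, n = int(arch[0]), int(arch[3])
    m = n - k + 1                          # failed channels needed to lose the function
    total = 0.0
    for i in range(steps):
        t = (i + 0.5) * ti / steps
        q = 1.0 - exp(-lambda_du * t)
        total += sum(comb(n, j) * q**j * (1 - q) ** (n - j) for j in range(m, n + 1))
    return total / steps


def sil_from_pfd(pfd: float) -> int:
    """IEC 61508 low-demand SIL band for a PFDavg value (0 = below SIL 1)."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4                               # SIL 4 band: 1e-5 <= PFDavg < 1e-4


def sif_pfd(parts: dict, ti: float, lambda_f: float = 0.0) -> float:
    """Eq. 1a: SIF PFDavg is the sum of the sensor, logic solver and final element portions
    (and power supply, if modelled) plus the systematic term lambda_F * TI / 2."""
    return sum(pfd_avg(arch, ch, ti) for arch, ch in parts.values()) + lambda_f * ti / 2


TI = 8760.0  # one-year manual proof-test interval (h), constructed
# Constructed example rates: a transmitter pair, a logic solver and a single shutdown valve.
TRANSMITTER = Channel(lambda_du=1e-6, lambda_dd=4e-6, beta=0.05, mttr=8.0)
LOGIC_SOLVER = Channel(lambda_du=5e-8)
VALVE = Channel(lambda_du=2e-6)
EXAMPLE_SIF = {"sensor": ("1oo2", TRANSMITTER), "logic": ("1oo1", LOGIC_SOLVER), "final": ("1oo1", VALVE)}

if __name__ == "__main__":
    for arch in ("1oo1", "1oo2", "1oo3", "2oo2", "2oo3", "2oo4"):
        simple = pfd_avg(arch, TRANSMITTER, TI, simplified=True)
        full = pfd_avg(arch, TRANSMITTER, TI)
        exact = pfd_avg_exact(arch, TRANSMITTER.lambda_du, TI)
        print(f"{arch}: simplified={simple:.3e} complex={full:.3e} exact(DU only)={exact:.3e}")
    total = sif_pfd(EXAMPLE_SIF, TI)
    print(f"SIF PFDavg={total:.3e} -> SIL {sil_from_pfd(total)}")
```

Run as a script it prints one line per architecture. With these numbers the repair term of the 1oo2 sensor pair is about 1 % of the simplified value, as the report states for an 8 h MTTR, but the common cause term is more than eight times the simplified value, so neglecting $\beta$ changes the sensor subsystem result by almost an order of magnitude; the single valve still dominates the SIF total, which lands in the SIL 2 band.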
5. Calculation of the Probability of Failure on Demand PFDavg

Equations for determining the Probability of Failure on Demand PFDavg for systems with testing based on automatic diagnostics, taken from IEC 61508-6 Edition 2.0, 2010-04 (Annex B, B.3.2.2).

The probability of failure on demand for complex systems with automatic diagnostics considers the total dangerous failure rate, given by the sum of the detected and undetected dangerous failure rates:

$\lambda_D = \lambda_{DU} + \lambda_{DD}$

Equation for a system with 1oo1 architecture (IEC 61508-6 B.3.2.2.1)

The architecture consists of a single channel, where any dangerous failure results in a failure of the safety function when a demand occurs.

Figure #5 Physical block diagram 1oo1 (channel with diagnostics; IEC 61508-6 Figure B.4)

Figure #6 Reliability block diagram 1oo1 (IEC 61508-6 Figure B.5): component $\lambda_{DU}$ with down time $t_{c1} = T_1/2 + MRT$, component $\lambda_{DD}$ with down time $t_{c2} = MTTR$, channel equivalent down time $t_{CE}$

Figures B.4 and B.5 contain the relevant block diagrams. The dangerous failure rate for the channel is given by

$\lambda_D = \lambda_{DU} + \lambda_{DD}$

Figure B.5 shows that the channel can be considered to comprise two components, one with a dangerous failure rate $\lambda_{DU}$ resulting from undetected failures and the other with a dangerous failure rate $\lambda_{DD}$ resulting from detected failures. The single-channel configuration is therefore compromised both by the undetected dangerous failure rate $\lambda_{DU}$ and by the detected dangerous failure rate $\lambda_{DD}$. It is possible to calculate the channel equivalent mean down time $t_{CE}$ by adding the individual down times of both components, $t_{c1}$ and $t_{c2}$, in direct proportion to each component's contribution to the probability of failure of the channel:

$t_{CE} = \dfrac{\lambda_{DU}}{\lambda_D}\left(\dfrac{T_1}{2} + MRT\right) + \dfrac{\lambda_{DD}}{\lambda_D}\,MTTR$

where $T_1$ is the proof test interval, MRT is the mean repair time of an undetected failure found at the proof test, and MTTR is the mean time to restoration of a failure detected by the diagnostics.

For every architecture, the detected dangerous failure rate and the undetected dangerous failure rate of each component of the channel are given by

$\lambda_{DU} = \lambda_D\,(1 - DC)$ ; $\lambda_{DD} = \lambda_D\,DC$

where DC is the diagnostic coverage.

For a channel with down time $t_{CE}$ resulting from dangerous failures,

$PFD = 1 - e^{-\lambda_D t_{CE}} \approx \lambda_D\,t_{CE}$ since $\lambda_D\,t_{CE} \ll 1$

Hence, for a 1oo1 architecture, the average probability of failure on demand is

$PFD_G = (\lambda_{DU} + \lambda_{DD})\,t_{CE}$

Equation for a system with 1oo2 architecture (IEC 61508-6 B.3.2.2.2)

This architecture consists of two channels connected in parallel, such that either channel can process the safety function. Thus there would have to be a dangerous failure in both channels before the safety function failed on demand. It is assumed that any diagnostic testing would only report the faults found and would not change any output states or change the output voting.
Thus there would have to be a dangerous failure in both channels before a safety function failed on demand. It is assumed that any diagnostic testing would only report the faults found and would not change any output states or change the output voting.

In this architecture both channels must fail dangerously for the safety function to fail. Any diagnostic is assumed to report the fault it finds without changing the final state of the output voting. Figures #7 and #8 show the block diagrams for the 1oo2 architecture (IEC 61508-6 Figures B.6 and B.7). $t_{CE}$ is calculated in the same way as for 1oo1 (B.3.2.2.1), but now it is also necessary to calculate the system equivalent down time $t_{GE}$, which is given by the equation:

$$t_{GE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{3} + MRT\right) + \frac{\lambda_{DD}}{\lambda_D}\,MTTR$$

Figure #7: 1oo2 physical block diagram (IEC 61508-6 Figure B.6, IEC 326/2000): two channels, each with diagnostics, feeding 1oo2 voting.
Figure #8: 1oo2 reliability block diagram (IEC 61508-6 Figure B.7, IEC 327/2000): λDU and λDD per channel with tCE, a common cause failure block, and tGE.

The average probability of failure on demand for the 1oo2 architecture is then given by:

$$PFD_G = 2\bigl((1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\bigr)^2\, t_{CE}\, t_{GE} + \beta_D\lambda_{DD}\,MTTR + \beta\lambda_{DU}\left(\frac{T_1}{2} + MRT\right)$$

B.3.2.2.3 2oo2 (equation for a system with 2oo2 architecture)

IEC 61508-6 text: "This architecture consists of two channels connected in parallel so that both channels need to demand the safety function before it can take place. It is assumed that any diagnostic testing would only report the faults found and would not change any output states or change the output voting."

The 2oo2 architecture consists of two channels connected in parallel; both channels must demand the safety function for it to execute. Any diagnostic is assumed to report the fault found without changing the final state of the output voting.
Figure #9: 2oo2 physical block diagram (IEC 61508-6 Figure B.8, IEC 328/2000): two channels with diagnostics feeding 2oo2 voting.
Figure #10: 2oo2 reliability block diagram (IEC 61508-6 Figure B.9, IEC 329/2000): λDU and λDD per channel, each with tCE.

Figures B.8 and B.9 contain the relevant block diagrams. The value of $t_{CE}$ is as given in B.3.2.2.1, and the average probability of failure on demand for the 2oo2 architecture is:

$$PFD_G = 2\lambda_D\, t_{CE}$$

B.3.2.2.4 1oo2D (equation for a system with 1oo2D architecture)

IEC 61508-6 text: "This architecture consists of two channels connected in parallel. During normal operation, both channels need to demand the safety function before it can take place. In addition, if the diagnostic tests in either channel detect a fault then the output voting is adapted so that the overall output state then follows that given by the other channel. If the diagnostic tests find faults in both channels or a discrepancy that cannot be allocated to either channel, then the output goes to the safe state. In order to detect a discrepancy between the channels, either channel can determine the state of the other channel via a means independent of the other channel. The channel comparison / switch over mechanism may not be 100 % efficient therefore K represents the efficiency of this inter-channel comparison / switch mechanism, i.e. the output may remain on the 2oo2 voting even with one channel detected as faulty. NOTE The parameter K will need to be determined by an FMEA."

The 1oo2D architecture consists of two channels connected in parallel. During normal operation both channels must demand the safety function for it to execute. In addition, if the diagnostics of either channel detect a fault, the output voting is adapted so that operation continues with the channel that is running without faults. If the diagnostics find a fault in both channels, or a discrepancy that cannot be located in either channel, the outputs go to a safe position. To detect a discrepancy between the channels, both channels must be able to determine the state of the other channel independently. The comparison or switch-over mechanism may not be 100% efficient, so K represents the efficiency of the comparison or switch-over mechanism.

Figure #11: 1oo2D physical block diagram (IEC 61508-6 Figure B.10, IEC 330/2000): two channels with diagnostics feeding 1oo2D voting.
Figure #12: 1oo2D reliability block diagram (IEC 61508-6 Figure B.11, IEC 331/2000): λDU, λDD and λSD per channel with t'CE, a common cause failure block, and t'GE.

The detected safe failure rate for every channel is given by:

$$\lambda_{SD} = \lambda_S\, DC$$

Figures B.10 and B.11 contain the relevant block diagrams. The values of the equivalent mean down times differ from those given for the other architectures in B.3.2.2 and hence are labelled $t'_{CE}$ and $t'_{GE}$. Their values are given by:

$$t'_{CE} = \frac{\lambda_{DU}\left(\frac{T_1}{2} + MRT\right) + (\lambda_{DD} + \lambda_{SD})\,MTTR}{\lambda_{DU} + \lambda_{DD} + \lambda_{SD}}$$

$$t'_{GE} = \frac{T_1}{3} + MRT$$

The average probability of failure on demand for the 1oo2D architecture is:

$$PFD_G = 2(1-\beta)\lambda_{DU}\bigl((1-\beta)\lambda_{DU} + (1-\beta_D)\lambda_{DD} + \lambda_{SD}\bigr)\, t'_{CE}\, t'_{GE} + 2(1-K)\lambda_{DD}\, t'_{CE} + \beta\lambda_{DU}\left(\frac{T_1}{2} + MRT\right)$$

B.3.2.2.5 2oo3 (equation for a system with 2oo3 architecture)

IEC 61508-6 text: "This architecture consists of three channels connected in parallel with a majority voting arrangement for the output signals, such that the output state is not changed if only one channel gives a different result which disagrees with the other two channels. It is assumed that any diagnostic testing would only report the faults found and would not change any output states or change the output voting."

The 2oo3 architecture consists of three channels connected in parallel with a voting arrangement at the output; the state of the outputs does not change if only one channel disagrees with the other two channels. Any diagnostic is assumed to report the fault found without changing the final state of the output voting.

Figure #13: 2oo3 physical block diagram (IEC 61508-6 Figure B.12, IEC 332/2000): three channels with diagnostics feeding 2oo3 voting.
Figure #14: 2oo3 reliability block diagram (IEC 61508-6 Figure B.13, IEC 333/2000): λDU and λDD per channel with tCE, a common cause failure block, and tGE.

Figures B.12 and B.13 contain the relevant block diagrams. The value of $t_{CE}$ is as given in B.3.2.2.1 and the value of $t_{GE}$ is as given in B.3.2.2.2. The average probability of failure on demand for the 2oo3 architecture is:

$$PFD_G = 6\bigl((1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\bigr)^2\, t_{CE}\, t_{GE} + \beta_D\lambda_{DD}\,MTTR + \beta\lambda_{DU}\left(\frac{T_1}{2} + MRT\right)$$

B.3.2.2.6 1oo3 (equation for a system with 1oo3 architecture)

IEC 61508-6 text: "This architecture consists of three channels connected in parallel with a voting arrangement for the output signals, such that the output state follows 1oo3 voting. It is assumed that any diagnostic testing would only report the faults found and would not change any output states or change the output voting. The reliability diagram will be the same as for the 2oo3 case but with voting 1oo3."

The 1oo3 architecture consists of three channels connected in parallel with a 1oo3 output voting arrangement; any fault detected by the diagnostics will cause the system to go to the safe failure state. Any diagnostic is assumed to report the fault found without changing the final state of the output voting.

The value of $t_{CE}$ is as given in B.3.2.2.1 and the value of $t_{GE}$ is as given in B.3.2.2.2. The average probability of failure on demand for the 1oo3 architecture is:

$$PFD_G = 6\bigl((1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\bigr)^3\, t_{CE}\, t_{GE}\, t_{G2E} + \beta_D\lambda_{DD}\,MTTR + \beta\lambda_{DU}\left(\frac{T_1}{2} + MRT\right)$$

Where:

$$t_{G2E} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{4} + MRT\right) + \frac{\lambda_{DD}}{\lambda_D}\,MTTR$$
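The architecture equations above (1oo1, 1oo2, 2oo2, 2oo3 and 1oo3, with their equivalent down times) implemented as an added example, not code from the page or from IEC, and run on the page's PT data of 69 FIT dangerous undetected and 52 FIT dangerous detected. MRT = MTTR = 8 h and βD = β/2 are assumptions, since the page only gives MTTR and β.

```python
"""IEC 61508-6 Annex B simplified PFD_G equations (B.3.2.2.1 to B.3.2.2.6) as
implemented here: an added example, not code from the original page.
Rates are per hour, times in hours, for one channel of one subsystem."""
from dataclasses import dataclass

FIT = 1e-9  # one failure per 1e9 hours


@dataclass(frozen=True)
class Channel:
    lam_du: float   # dangerous undetected failure rate
    lam_dd: float   # dangerous detected failure rate
    t1: float       # proof test interval T1
    mttr: float     # mean time to restoration of a detected fault
    mrt: float      # mean repair time of a fault found by proof test
    beta: float     # common cause factor, undetected failures
    beta_d: float   # common cause factor, detected failures

    def down_time(self, divisor: float) -> float:
        """(λDU/λD)(T1/divisor + MRT) + (λDD/λD) MTTR, the shape of every
        equivalent down time in B.3.2.2 (divisor 2: tCE, 3: tGE, 4: tG2E)."""
        lam_d = self.lam_du + self.lam_dd
        return (self.lam_du / lam_d * (self.t1 / divisor + self.mrt)
                + self.lam_dd / lam_d * self.mttr)

    def t_ce(self) -> float:
        return self.down_time(2)

    def t_ge(self) -> float:
        return self.down_time(3)

    def t_g2e(self) -> float:
        return self.down_time(4)

    def independent_rate(self) -> float:
        """(1 - βD) λDD + (1 - β) λDU: dangerous rate not due to common cause."""
        return (1 - self.beta_d) * self.lam_dd + (1 - self.beta) * self.lam_du

    def ccf_terms(self) -> float:
        """βD λDD MTTR + β λDU (T1/2 + MRT), shared by 1oo2, 2oo3 and 1oo3."""
        return (self.beta_d * self.lam_dd * self.mttr
                + self.beta * self.lam_du * (self.t1 / 2 + self.mrt))


def pfd_1oo1(c: Channel) -> float:
    return (c.lam_du + c.lam_dd) * c.t_ce()

def pfd_2oo2(c: Channel) -> float:
    return 2 * (c.lam_du + c.lam_dd) * c.t_ce()

def pfd_1oo2(c: Channel) -> float:
    return 2 * c.independent_rate() ** 2 * c.t_ce() * c.t_ge() + c.ccf_terms()

def pfd_2oo3(c: Channel) -> float:
    return 6 * c.independent_rate() ** 2 * c.t_ce() * c.t_ge() + c.ccf_terms()

def pfd_1oo3(c: Channel) -> float:
    return (6 * c.independent_rate() ** 3 * c.t_ce() * c.t_ge() * c.t_g2e()
            + c.ccf_terms())


# Page's PT data: λDU = 69 FIT, λDD = 52 FIT, T1 = 1 year, MTTR = 8 h, β = 5 %.
# Assumed here (not given on the page): MRT = MTTR = 8 h and βD = β / 2.
PT = Channel(lam_du=69 * FIT, lam_dd=52 * FIT, t1=8760, mttr=8, mrt=8,
             beta=0.05, beta_d=0.025)

if __name__ == "__main__":
    for name, fn in [("1oo1", pfd_1oo1), ("1oo2", pfd_1oo2), ("2oo2", pfd_2oo2),
                     ("2oo3", pfd_2oo3), ("1oo3", pfd_1oo3)]:
        print(f"{name}: PFD_G = {fn(PT):.3e}")
```

For these inputs the common cause term βλDU(T1/2 + MRT) dominates every redundant architecture, which is why 1oo2, 2oo3 and 1oo3 all land near 1.5 × 10^-5 while 1oo1 is about 3.0 × 10^-4.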
Quantification of the effect of common cause failures:

PFDavg calculations must incorporate the effect that common cause failures have on redundant systems. In functional safety it is common to use the beta factor (β) methodology to determine the common cause failure; we will describe how this factor is determined in a later technical article. The final effect of the common cause factor on the PFDavg equation is represented by the following equation:

$$PFD_{FCC} = (PFD_a \times PFD_b \times \ldots \times PFD_n) + (\beta \times PFD_{Peor})$$

Where:
PFDa ... PFDn represents the probability of failure on demand of devices a through n.
PFDPeor represents the probability of failure on demand of the weakest (worst) device.
Beta (β) represents the common cause failure factor.

6. Redundant Architectures

Redundant system architectures for block diagrams:
Figure #15: 2oo2 block diagram (input E, blocks A and B, common cause failure block, output S).
Figure #16: 1oo2 block diagram (input E, blocks A and B, common cause failure block, output S).
Figure #17: 2oo3 block diagram (input E, blocks A, B and C taken in pairs, common cause failure block, output S).
Figure #18: 1oo3 block diagram (input E, blocks A, B and C, common cause failure block, output S).

Redundant system architectures for fault trees. OR blocks are added; AND blocks are multiplied.
Figure #19: 2oo2 fault tree (output OR gate over A, B and the common cause event FCC).
Figure #20: 1oo2 fault tree (output OR gate over AND(A, B) and FCC).
Figure #21: 2oo3 fault tree (output OR gate over AND(A, B), AND(A, C), AND(B, C) and FCC).
Figure #22: 1oo3 fault tree (output OR gate over AND(A, B, C) and FCC).

7. Examples of PFDavg Determination.
We can model the PFDavg of a system using block diagrams with the following simplifications:
✓ Chains in parallel are multiplied.
✓ Chains in series are added.

Example: Consider the following pressure protection system at the inlet of an offshore platform that handles large volumes of natural gas. An overpressure could have a major impact, rupturing the pipe and producing a major leak that could even cause a large fire or explosion:

Inputs: PT-9002A, PT-9002B, PT-9002C (with common cause failure), 2oo3 architecture
Logic: TMR
Outputs: SVA, SVB (with common cause failure), ESDV

The following data are available (failure rates from ISA-TR84.00.02-2002 Part 2, p. 24, in FIT):

             PT (FIT)   TMR (FIT)     Solenoid (FIT)   Shutoff valve (FIT)
λsd          396        ----          71               0
λsu          440        ----          0                1401
λdd          52         ----          99               0
λdu          69         ----          1                765
SFF          ----       92.8%         ----             ----
PFDavg       ----       2.5 × 10^-4   ----             ----
TI           1 year     ----          1 year           1 year
MTTR         8 hr       ----          8 hr             8 hr
β            5%         ----          5%               ----

ISA-TR84.00.02-2002 Part 2 text: "If systematic errors (functional failures) are to be included in the calculations, separate values for each sub-system, if available, may be used in the equations above. An alternate approach is to use a single value for functional failure for the entire SIF and add this term as shown in Equation 1a in 5.1.6. NOTE Systematic failures are rarely modeled for SIF Verification calculations due to the difficulty in assessing the failure modes and effects and the lack of failure rate data for various types of systematic failure. However, these failures are extremely important and can result in significant impact to the SIF performance. For this reason, ANSI/ISA-84.01-1996, IEC 61508, and IEC 61511 provide a lifecycle process that incorporates design and installation concepts, validation and testing criteria, and management of change. This lifecycle process is intended to support the reduction in the systematic failures. SIL Verification is therefore predominantly concerned with assessing the SIS performance related to random failures. The simplified equations without the terms for multiple failures during repair, common cause and systematic errors reduce to the following for use in the procedures outlined in 5.1.1 through 5.1.4."

1oo1 (Eq. No. 3a): $PFD_{avg} = \lambda_{DU} \times \frac{TI}{2}$
1oo2 (Eq. No. 4a): $PFD_{avg} = \frac{(\lambda_{DU})^2 (TI)^2}{3}$
1oo3 (Eq. No. 5a): $PFD_{avg} = \frac{(\lambda_{DU})^3 (TI)^3}{4}$
2oo2 (Eq. No. 6a): $PFD_{avg} = \lambda_{DU} \times TI$
2oo3 (Eq. No. 7a): $PFD_{avg} = (\lambda_{DU})^2 (TI)^2$
2oo4 (Eq. No. 8a): $PFD_{avg} = (\lambda_{DU})^3 (TI)^3$

"5.1.6 Combining components' PFDs to obtain SIF PFDavg. Once the sensor, final element, logic solver, and power supply (if applicable) portions are evaluated, the overall PFDavg for the SIF being evaluated is obtained by summing the individual components. The result is the PFDavg for the SIF for the event being protected against."

Problem: Draw the block diagram for the system and calculate the value of PFDavg for the system.

Solution with block diagrams: The first thing we must do is calculate the PFDavg values for each block; for this we use the formula $PFD_{avg} = \lambda_{DU} \times TI / 2$.

1) For the transmitters:
PFDavg = (69 × 10^-9 × 8760)/2 = 3.02 × 10^-6
PFDavg (A × B) = 3.02 × 10^-6 × 3.02 × 10^-6 = 9.13 × 10^-12
PFDavg (A × C) = 3.02 × 10^-6 × 3.02 × 10^-6 = 9.13 × 10^-12
PFDavg (B × C) = 3.02 × 10^-6 × 3.02 × 10^-6 = 9.13 × 10^-12
PFDFCC = (3.02 × 10^-6 × 3.02 × 10^-6 × 3.02 × 10^-6) + (0.05 × 3.02 × 10^-6) = 1.51 × 10^-7
PFDavg = 3.02 × 10^-6 + 3.02 × 10^-6 + 3.02 × 10^-6 = 9.07 × 10^-6
PFDavg tot = 9.07 × 10^-6 + 1.51 × 10^-7 = 9.21 × 10^-6

2) For the logic solver we have PFDavg = 2.5 × 10^-4

3) For the solenoid valves we have:
PFDavg = (1 × 10^-9 × 8760)/2 = 4.38 × 10^-6
PFDavg = (4.38 × 10^-6 × 4.38 × 10^-6) = 1.91 × 10^-11
PFDFCC = (4.38 × 10^-6 × 4.38 × 10^-6) + (0.05 × 4.38 × 10^-6) = 2.19 × 10^-7
PFDavg tot = 1.91 × 10^-11 + 2.19 × 10^-7 = 2.19 × 10^-7

4) For the shutoff valve we have PFDavg = (765 × 10^-9 × 8760)/2 = 3.35 × 10^-3

The PFDavg value for the SIS will be:
PFDavg SIS = 9.21 × 10^-6 + 2.5 × 10^-4 + 2.19 × 10^-7 + 3.35 × 10^-3 = 3.61 × 10^-3
FRR = 277, SIL 2

Solution with fault trees:

Top event "SIS failure", OR gate = 3.61 × 10^-3, with the inputs:
- PT, OR gate = 9.21 × 10^-6: OR gate 1.51 × 10^-7 (FCC) and OR gate 9.07 × 10^-6 over the AND gates A·B, A·C and B·C, whose basic events A, B, C are 3.02 × 10^-6 each.
- CLP (logic solver) = 2.5 × 10^-4.
- SV, OR gate = 2.19 × 10^-7: FCC 2.19 × 10^-7 and the AND gate A·B = 1.91 × 10^-11, whose basic events A, B are 4.38 × 10^-6 each.
- SCV (shutoff valve) = 3.35 × 10^-3.
The values shown in the basic events are given as PFDavg.

Example: Calculations using FTA-Pro from Dyadem

Resultados al Tiempo: 8760
Falta de disponibilidad: 0.007206
Frecuencia: N/A

Tiempo        Falta de disponibilidad
0.00000       0.000000
796.36364     0.000657
1592.72727    0.001314
2389.09091    0.001970
3185.45455    0.002626
3981.81818    0.003282
4778.18182    0.003937
5574.54545    0.004592
6370.90909    0.005246
7167.27273    0.005900
7963.63636    0.006553
8760.00000    0.007206

Total de Tiempo Sistema Parado: 30.972005
PFDavg: 0.003536
FRR = 282, SIL = 2

The comments in this document express the point of view of:
Victor Machiavelo Salinas
TUV FS Expert ID-141/09
Risk Software SA de CV
[email protected]
www.risksoftware.com.mx
We would appreciate any comments.
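The SIS of the worked example evaluated as the fault tree of Figures #19 to #22 and of the fault-tree solution above, as an added example that is not the page's or Dyadem's code. The basic events are recomputed from the table's FIT values with λDU × TI / 2 rather than copied from the worked solution, the 2oo3 transmitter group is the three pair AND gates plus the common cause event, and the SIL band is read from the IEC 61508 low-demand table; the shutoff valve dominates the total just as it does on the page.

```python
"""Evaluation of the page's SIS example as a fault tree (Figures #19 to #22 and
the "Solution with fault trees" tree): AND gates multiply, OR gates add, and
common cause is PFD_FCC = product + β x worst. Added example, not the page's
or Dyadem's code. Basic events are PFDavg values from the table's FIT data."""
from dataclasses import dataclass
from math import prod
from typing import Optional

FIT = 1e-9        # one failure per 1e9 hours
TI_HOURS = 8760   # proof test interval TI = 1 year, from the table


def pfd_1oo1(lam_du_fit: float, ti_hours: float = TI_HOURS) -> float:
    """ISA-TR84.00.02 Eq. 3a: PFDavg = λDU x TI / 2, with λDU in FIT."""
    return lam_du_fit * FIT * ti_hours / 2


def pfd_ccf(pfds: list, beta: float) -> float:
    """Page's common cause term: (PFDa x ... x PFDn) + β x PFD of the worst device."""
    return prod(pfds) + beta * max(pfds)


@dataclass
class Gate:
    kind: str     # "AND" (parallel chains multiply) or "OR" (series chains add)
    inputs: list  # each input is a Gate or a float basic event (PFDavg)

    def pfd(self) -> float:
        values = [i.pfd() if isinstance(i, Gate) else i for i in self.inputs]
        return prod(values) if self.kind == "AND" else sum(values)


def sil_band(pfd_avg: float) -> Optional[int]:
    """IEC 61508 low-demand SIL band for a PFDavg; None if outside SIL 1..4."""
    for sil, low in ((4, 1e-5), (3, 1e-4), (2, 1e-3), (1, 1e-2)):
        if low <= pfd_avg < 10 * low:
            return sil
    return None


def build_sis_tree(beta: float = 0.05) -> Gate:
    """2oo3 transmitters, TMR logic solver, 1oo2 solenoids, one shutoff valve."""
    pt = pfd_1oo1(69)      # PT-9002A/B/C, λDU = 69 FIT
    sv = pfd_1oo1(1)       # SVA and SVB, λDU = 1 FIT
    esdv = pfd_1oo1(765)   # ESDV shutoff valve, λDU = 765 FIT
    tmr = 2.5e-4           # TMR logic solver PFDavg as given in the table
    pt_2oo3 = Gate("OR", [Gate("AND", [pt, pt]), Gate("AND", [pt, pt]),
                          Gate("AND", [pt, pt]), pfd_ccf([pt, pt, pt], beta)])
    sv_1oo2 = Gate("OR", [Gate("AND", [sv, sv]), pfd_ccf([sv, sv], beta)])
    return Gate("OR", [pt_2oo3, tmr, sv_1oo2, esdv])  # subsystems in series add


def sis_result() -> tuple:
    """PFDavg of the SIS, its risk reduction factor FRR = 1/PFDavg, and SIL."""
    pfd_avg = build_sis_tree().pfd()
    return pfd_avg, 1 / pfd_avg, sil_band(pfd_avg)


if __name__ == "__main__":
    pfd_avg, frr, sil = sis_result()
    print(f"PFDavg SIS = {pfd_avg:.3e}  FRR = {frr:.0f}  SIL {sil}")
```

It returns PFDavg ≈ 3.62 × 10^-3, FRR ≈ 277 and SIL 2.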