www.elsevier.com/locate/ress
HAL Corporation, 6-21-17-701 Nishikasai, Edogawa-Ku, Tokyo 134-0088, Japan
Tokyo University of Mercantile Marine, 2-1-6 Etchujima, Koto-Ku, Tokyo 135-8533, Japan
Abstract
Of all the techniques applicable to safety-related analyses, each may be adaptable to some aspects of the safety behavior of a system. On the other hand, several of them can be applied to the analysis of one aspect of the system behavior concerning risk, but they do not always lead to the same results. Rouvroye and Brombacher compared these techniques and indicated that Markov and Enhanced Markov analysis techniques can cover most aspects of the safety-related behavior of systems. Following their conclusion, this paper applies the Markov method to the quantitative analysis of Part 6 of the standard IEC 61508. The purpose is to explain in detail the solutions given in the standard, because many of its results lack clear descriptions and it is not easy for a safety engineer to find the clue. In addition, the down time tc1 shown in the standard is newly defined, because it is the basis for obtaining the average probability of failure on demand of the system architectures and its meaning is not clearly explained. Through the derivation, however, a discrepancy is found in the standard. From this point of view, new suggestions are proposed based on the results obtained.
© 2003 Elsevier Science Ltd. All rights reserved.
Keywords: IEC 61508; Self-diagnosis; Probability of failure on demand; Markov model
1. Introduction
Recently IEC 61508 [1] was compiled and published as a new international standard. Many studies concerning discussions and applications of the standard have been carried out, such as those published in the special issue of Reliability Engineering & System Safety in 1999 [2] and some others [3–6]. This standard is concerned with two frameworks. One is risk reduction with a Safety-Related System (SRS) and the other is the Overall Safety Life Cycle. In order to understand the first framework more profoundly, the dependence of the risk reduction on both the Safety Integrity Levels (SILs) of the SRS and the demands from the Equipment Under Control on the SRS has to be clarified. Misumi and Sato [7] studied this point and expressed the mutual relationship mathematically by means of a simple fault tree analysis (FTA). Their research needs to be developed further. The configuration of SRS, proof test,
* Corresponding author.
E-mail addresses: zhangtling@yahoo.com (T. Zhang), yoshi@ipc.tosho-u.ac.jp (Y. Sato).
0951-8320/03/$ - see front matter © 2003 Elsevier Science Ltd. All rights reserved.
doi:10.1016/S0951-8320(03)00004-8
Nomenclature: $t_{GE}$, $A$, $FF$, $F(t)$, MDT, MTTR, $P_{CC}$, pdf, $P_i(t)$; $P_i$, $t'_{GE}$, PFD, $PFD_G$, $T_1$, $t_{c1}$, $t_{c2}$, $t_{CE}$, $t'_{CE}$, $\lambda$; $\mu$, $\lambda_D$, $\lambda_{DD}$, $\lambda_{DU}$, $\lambda_{SD}$, $\mu_{DD}$, $\mu_{DU}$, $\beta$, $\beta_D$
2. Assumptions
In order to describe the state transitions of systems as
clearly as possible, we make the following assumptions:
T1
0
< T1 =2
1 2 exp2lDU T1
2
Hence
$$ t_a = \frac{\int_0^{T_1} 2\lambda_{DU}\, t\,(1 - e^{-\lambda_{DU} t})\, e^{-\lambda_{DU} t}\, dt}{\int_0^{T_1} 2\lambda_{DU}\,(1 - e^{-\lambda_{DU} t})\, e^{-\lambda_{DU} t}\, dt} = \frac{\int_0^{T_1} 2\lambda_{DU}\, t\,(1 - e^{-\lambda_{DU} t})\, e^{-\lambda_{DU} t}\, dt}{\left(1 - e^{-\lambda_{DU} T_1}\right)^2} \approx \frac{2}{3}T_1 - \frac{\lambda_{DU} T_1^2}{12}. $$
Similarly to the case of the 1oo2 architecture, $t_{c1}$ for the 1oo2D and 2oo3 architectures can be obtained as given in Eq. (5). If $\lambda_{DU} T_1 < 0.1$, one can justify by numerical examples that $2T_1/3$ is a quite good approximation to the real value of $t_a$ for these three architectures.
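As an added numerical check that is not part of the paper, the following Python evaluates $t_a$ for the 1oo2 case three ways: by numerically integrating the ratio of integrals, by the closed form obtained after integrating by parts, and by the small-$\lambda_{DU} T_1$ approximation $2T_1/3 - \lambda_{DU} T_1^2/12$. The failure rate and proof-test interval are constructed sample values.

```python
import math

def second_failure_pdf(t, lam_du):
    """pdf of the time at which both channels of a 1oo2 group have an
    undetected failure: d/dt (1 - e^{-lam t})^2 = 2 lam (1 - e^{-lam t}) e^{-lam t}."""
    e = math.exp(-lam_du * t)
    return 2.0 * lam_du * (1.0 - e) * e

def midpoint(f, a, b, n=20000):
    """Composite midpoint rule on [a, b]."""
    h = (b - a) / n
    return h * sum(f(a + (i + 0.5) * h) for i in range(n))

def t_a_numeric(lam_du, t1):
    """t_a = int_0^T1 t f(t) dt / int_0^T1 f(t) dt, evaluated numerically."""
    num = midpoint(lambda t: t * second_failure_pdf(t, lam_du), 0.0, t1)
    den = midpoint(lambda t: second_failure_pdf(t, lam_du), 0.0, t1)
    return num / den

def t_a_closed_form(lam_du, t1):
    """Same ratio in closed form; the denominator integrates to (1 - e^{-lam T1})^2."""
    x = lam_du * t1
    num = (2.0 / lam_du) * ((1.0 - math.exp(-x) * (1.0 + x))
                            - (1.0 - math.exp(-2.0 * x) * (1.0 + 2.0 * x)) / 4.0)
    den = (1.0 - math.exp(-x)) ** 2
    return num / den

def t_a_approx(lam_du, t1):
    """Second-order expansion of the closed form for small lam_du * T1."""
    return 2.0 * t1 / 3.0 - lam_du * t1 ** 2 / 12.0

def relative_error(approx, exact):
    return abs(approx - exact) / exact

if __name__ == "__main__":
    lam_du, t1 = 1.0e-5, 8760.0   # constructed sample values: 1e-5 per hour, yearly proof test
    exact = t_a_closed_form(lam_du, t1)
    print(f"lam_DU * T1         = {lam_du * t1:.4f}")
    print(f"t_a numeric         = {t_a_numeric(lam_du, t1):.2f} h")
    print(f"t_a closed form     = {exact:.2f} h")
    print(f"2T1/3               = {2 * t1 / 3:.2f} h  (rel. err. {relative_error(2 * t1 / 3, exact):.2%})")
    print(f"2T1/3 - lam T1^2/12 = {t_a_approx(lam_du, t1):.2f} h  (rel. err. {relative_error(t_a_approx(lam_du, t1), exact):.2e})")
```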
Component c1 | Component c2
0 | 0
0 | 1
1 | 0
1 | 1
$$ A = \frac{\mu_{DD}\,\mu_{DU}}{(\lambda_{DD} + \mu_{DD})(\lambda_{DU} + \mu_{DU})}. \qquad (10) $$
Further,
MDT
<
P0 MP
where
P0 P00 t; P01 t; P02 t;
P P0 t;
P1 t;
P2 t;
P3 t
lDU
lDD
1
T1 =2 MTTR;
mDU
1
MTTR;
mDD
T
P03 t ;
and M is given as
$$ M = \begin{pmatrix} -(\lambda_{DD} + \lambda_{DU}) & \mu_{DD} & \mu_{DU} & 0 \\ \lambda_{DD} & -(\lambda_{DU} + \mu_{DD}) & 0 & \mu_{DU} \\ \lambda_{DU} & 0 & -(\lambda_{DD} + \mu_{DU}) & \mu_{DD} \\ 0 & \lambda_{DU} & \lambda_{DD} & -(\mu_{DD} + \mu_{DU}) \end{pmatrix}, $$
so that
$$ t_{CE} = \mathrm{MDT} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{2} + \mathrm{MTTR}\right) + \frac{\lambda_{DD}}{\lambda_D}\,\mathrm{MTTR}. $$
lD
, lD
lD mDU lD mDD
lDU
lDD
lD
T =2 MTTR
MTTR lD tCE :
lD 1
lD
PFD <
1
{m m l m
lDD mDD lDU mDU DD DU DD DU
11
lDU
l
T =2 MTTR DD MTTR
lD 1
lD
as lD lDD lDU ;
12A
l l lDD mDU lDU mDD
DD DU
FF
lDD lDU mDD mDU
12
7
4.2. 1oo2 architecture
mDD mDU
lDD mDD lDU mDU
0
1
2
j[F
where F is the set of failure states of the system, W is the set of operating states of the system, $P_k$ is the probability of the system being in working state k, and $a_{jk}$ is the element of M given in Eq. (6).
$$ \frac{d}{dt}\begin{pmatrix} P_0(t) \\ P_1(t) \\ P_2(t) \end{pmatrix} = \begin{pmatrix} -2\lambda & \mu & 0 \\ 2\lambda & -(\lambda + \mu) & 2\mu \\ 0 & \lambda & -2\mu \end{pmatrix} \begin{pmatrix} P_0(t) \\ P_1(t) \\ P_2(t) \end{pmatrix}. \qquad (14) $$
In the steady state,
$$ P_0 = \frac{\mu^2}{(\lambda + \mu)^2}, \qquad P_1 = \frac{2\lambda\mu}{(\lambda + \mu)^2}, \qquad P_2 = 1 - A = \frac{\lambda^2}{(\lambda + \mu)^2}, $$
$$ FF = \frac{2\lambda^2\mu}{(\lambda + \mu)^2} = \lambda P_1. $$
Referring to Eqs. (5) and (11), the equivalent mean down time of a channel in the system architecture, $t_{CE}$, is
$$ t_{CE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{3} + \mathrm{MTTR}\right) + \frac{\lambda_{DD}}{\lambda_D}\,\mathrm{MTTR}. \qquad (15) $$
$$ t'_{GE} = \frac{1}{2\mu} = \frac{1}{2}\left[\frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{3} + \mathrm{MTTR}\right) + \frac{\lambda_{DD}}{\lambda_D}\,\mathrm{MTTR}\right]. \qquad (16) $$
l2
PCC < l2 =m2 PCC
l m2
2
l2 tCE
PCC
19
17
$$ 1 - A = P_2 + P_3 = \frac{\lambda^2(\lambda + 3\mu)}{(\lambda + \mu)^3}, \qquad P_1 = \frac{3\lambda\mu^2}{(\lambda + \mu)^3}, \qquad FF = 2\lambda P_1 = \frac{6\lambda^2\mu^2}{(\lambda + \mu)^3}. $$
5. Discussions
5.1. Discrepancies
and
FF 2lP1 2l
since m q l:
23
22
Table 1
Comparisons among equivalent mean down times ($t'_{GE}$) for the three system architectures: 1oo2, 2oo3 and 1oo2D.
equation
Table 3
PFDG obtained by two different methods
$$ PFD_G = \frac{1}{T_1}\int_0^{T_1} \left(1 - A(t)\right) dt. \qquad (25) $$
lDU mDU
lDD lDU
1oo1
1oo2
2oo3
26
For the 1oo2 architecture,
$$ PFD_G = \frac{1}{T_1}\int_0^{T_1} P_2(t)\, dt = \frac{\lambda^2}{(\lambda + \mu)^2} - \frac{2\lambda^2}{(\lambda + \mu)^3 T_1}\left(1 - e^{-(\lambda + \mu)T_1}\right) + \frac{\lambda^2}{2(\lambda + \mu)^3 T_1}\left(1 - e^{-2(\lambda + \mu)T_1}\right), \qquad (27) $$
and for the 2oo3 architecture,
$$ PFD_G = \frac{1}{T_1}\int_0^{T_1} \left[P_2(t) + P_3(t)\right] dt = \frac{\lambda^2(\lambda + 3\mu)}{(\lambda + \mu)^3} - \frac{6\lambda^2\mu}{(\lambda + \mu)^4 T_1}\left(1 - e^{-(\lambda + \mu)T_1}\right) - \frac{3\lambda^2(\lambda - \mu)}{2(\lambda + \mu)^4 T_1}\left(1 - e^{-2(\lambda + \mu)T_1}\right) + \frac{2\lambda^3}{3(\lambda + \mu)^4 T_1}\left(1 - e^{-3(\lambda + \mu)T_1}\right), \qquad (28) $$
where $P_2(t)$ and $P_3(t)$ are obtained from Eq. (20).
Through the above derivations, it is found that the values
of PFDG calculated by Eq. (25) and by the system steady
state values are different. In the following, let us investigate
the differences by numerical examples.
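To make the discrepancy concrete, the added Python below (not from the paper) computes $PFD_G$ for the 1oo2 and 2oo3 architectures both as the steady-state value and as the time average of Eq. (25), using the closed forms of Eqs. (27) and (28) and, as an independent check, a numerical integration of the Markov solution started from the all-channels-working state. The failure rate, MTTR and $T_1$ are constructed sample values.

```python
import math

def simpson(f, a, b, n=4000):
    """Composite Simpson rule on [a, b]; n is forced even."""
    n += n % 2
    h = (b - a) / n
    s = f(a) + f(b) + sum((4 if i % 2 else 2) * f(a + i * h) for i in range(1, n))
    return s * h / 3.0

def channel_unavailability(t, lam, mu):
    """Probability that one channel is down at time t, given it is up at t = 0
    (two-state Markov model with failure rate lam and repair rate mu)."""
    return lam / (lam + mu) * (1.0 - math.exp(-(lam + mu) * t))

def pfd_steady(arch, lam, mu):
    """Steady-state probability of the failure states, i.e. 1 - A."""
    s = lam + mu
    return {"1oo2": lam**2 / s**2, "2oo3": lam**2 * (lam + 3 * mu) / s**3}[arch]

def pfdg_closed_form(arch, lam, mu, t1):
    """Time average over [0, T1]: Eq. (27) for 1oo2, Eq. (28) for 2oo3."""
    s = lam + mu
    e1, e2, e3 = (1.0 - math.exp(-k * s * t1) for k in (1, 2, 3))
    if arch == "1oo2":
        return lam**2 / s**2 - 2 * lam**2 * e1 / (s**3 * t1) + lam**2 * e2 / (2 * s**3 * t1)
    return (lam**2 * (lam + 3 * mu) / s**3 - 6 * lam**2 * mu * e1 / (s**4 * t1)
            - 3 * lam**2 * (lam - mu) * e2 / (2 * s**4 * t1) + 2 * lam**3 * e3 / (3 * s**4 * t1))

def pfdg_numeric(arch, lam, mu, t1):
    """Independent check: integrate the failure-state probability directly. With
    per-channel repair the channels evolve independently, so P_2(t) = q^2 for
    1oo2 and P_2(t) + P_3(t) = 3 q^2 - 2 q^3 for 2oo3, q = channel unavailability."""
    def p_fail(t):
        q = channel_unavailability(t, lam, mu)
        return q * q if arch == "1oo2" else 3 * q * q - 2 * q**3
    return simpson(p_fail, 0.0, t1) / t1

if __name__ == "__main__":
    lam, mttr, t1 = 5.0e-6, 8.0, 8760.0   # constructed sample values (per hour, hours, hours)
    mu = 1.0 / (t1 / 2 + mttr)             # repair rate mu_DU = 1/(T1/2 + MTTR) as in the standard
    for arch in ("1oo2", "2oo3"):
        print(arch,
              f"steady state {pfd_steady(arch, lam, mu):.3e}",
              f"Eq. (25) closed form {pfdg_closed_form(arch, lam, mu, t1):.3e}",
              f"Eq. (25) numeric {pfdg_numeric(arch, lam, mu, t1):.3e}")
```

The time average over the proof-test interval comes out below the steady-state value for both architectures, which is the difference the paper examines in Table 2.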
Table 2
PFDG calculated by two methods

System architecture | PFDG by Eq. (25) | PFDG by steady-state values
1oo1 | 7.17 × 10⁻³ | 1.25 × 10⁻²
1oo2 | 6.28 × 10⁻⁵ | 7.08 × 10⁻⁵
2oo3 | 1.76 × 10⁻⁴ | 2.11 × 10⁻⁴

System architecture | PFDG by Eq. (25) | PFDG by steady-state values
1oo1 | 2.45 × 10⁻³ | 4.30 × 10⁻³
1oo2 | 6.89 × 10⁻⁶ | 8.26 × 10⁻⁶
2oo3 | 1.86 × 10⁻⁵ | 2.47 × 10⁻⁵
6. Remarks
In IEC 61508-6, the down time $t_{c1}$ is not defined. If its meaning is not clearly known, all the other results presented in the standard could be difficult for a common safety engineer to understand, because it is the basis, as shown in all the typical system architectures. $t_{c1}$ is newly named the equivalent mean down time of undetected failure in a channel. It is defined as $T_1 - t_a + \mathrm{MTTR}$, where $t_a$ stands for the time at which the average probability of failure for the undetectable fault occurs in a system in the interval $(0, T_1)$. As the meaning of $t_{c1}$ is now defined, one can get
References
[1] IEC 61508. Functional safety of electric/electronic/programmable
electronic safety-related systems, Parts. 17;October 1998May 2000.
[2] Karydas DM, Brombacher AC (Guest editors). Special issue
Reliability certification of programmable electronic systems. Reliab
Engng Syst Safety, No. 2; 1999. p. 66.
141
[3] Kato E, Sato Y. Safety integrity levels model for IEC 61508
examination of modes of operation. IEICE Trans A 2000;E83-A(5):
8635.
[4] Muta H, Ibe H, Sugiyama E. Safety design of oil reclamation system
using IEC 61508. PSAM5Proceedings of the Fifth International
Conference on Probabilistic Safety Assessment and Management,
Osaka, Japan; Nov. 27 Dec. 1, 2000. p. 479 84.
[5] Kawahara T, Kushibiki T, et al. Safety-integrity of safety-related
systems with human beings. PSAM5Proceedings of the Fifth
International Conference on Probabilistic Safety Assessment and
Management, Osaka, Japan; Nov. 27Dec. 1, 2000. p. 2411 7.
[6] Kato E, Sato Y. Safety integrity levels model for IEC 61508.
PSAM5Proceedings of the Fifth International Conference on
Probabilistic Safety Assessment and Management, Osaka, Japan;
Nov. 27 Dec. 1, 2000. p. 278793.
[7] Misumi Y, Sato Y. Estimation of average hazardous-event-frequency
for allocation of safety-integrity levels. Reliab Engng Syst Safety
1999;66:135 44.
[8] ISA-S84.01.1996. Application of safety instrumented systems for
process industries. Instrument Society of America, Research Triangle
Park; 1996.
[9] Rouvroye JL, Brombacher AC. New quantitative safety standards:
different techniques, different results? Reliab Engng Syst Safety 1999;
66:1215.
[10] IEC 61508-6. Functional safety of electric/electronic/programmable
electronic safety-related systems. Part 6. Guidelines on the application
of IEC 61508-2 and IEC 61508-3; April 2000.
[11] Cao JH, Cheng K. An introduction to mathematics of
reliability. Beijing: Publication of Science; 1986. p. 2. p. 210 30,
in Chinese.