
Reliability Engineering and System Safety 66 (1999) 135–144
www.elsevier.com/locate/ress

Estimation of average hazardous-event-frequency for allocation of safety-integrity levels


Y. Misumi*, Y. Sato
Department of Electronic & Mechanical Engineering, Tokyo University of Mercantile Marine, 2-1-6, Etchujima, Koto-Ku, Tokyo, 135-8533, Japan Received 13 November 1998; accepted 13 February 1999

Abstract

One of the fundamental concepts of the draft international standard IEC 61508 is the target failure measure to be allocated to Electric/Electronic/Programmable Electronic Safety-Related Systems, i.e. the Safety Integrity Level. The Safety Integrity Levels consist of four discrete probabilistic levels for specifying the safety integrity requirements of the safety functions to be allocated to Electric/Electronic/Programmable Electronic Safety-Related Systems. In order to select the Safety Integrity Level, the draft standard classifies Electric/Electronic/Programmable Electronic Safety-Related Systems into two modes of operation using demand frequencies only. It is not clear which mode of operation should be applied to such systems once the demand-state probability and the spurious demand frequency are taken into account. It is essential for the allocation of Safety Integrity Levels that generic algorithms be derived which involve all relevant parameters, so that the actual behaviour of real systems can be modeled. The present paper addresses this issue. First, the overall system including the Electric/Electronic/Programmable Electronic Safety-Related System is described using a simplified fault tree. Then the relationships among demands, demand-states and proof tests are studied. Overall systems are classified into two groups: a non-demand-state-at-proof-test system, which includes both repairable and non-repairable demand states, and a constant-demand-frequency system. New ideas such as a demand-state, a spurious demand-state, the mean time between detections, the rates of d-failure and h-failure, and an h/d ratio are introduced in order to make the Safety Integrity Levels and modes of operation generic and comprehensive. Finally, the overall system is simplified and modeled by fault trees using Priority-AND gates, and the modeling assumptions are stated. Generic algorithms to estimate hazardous-event frequencies are derived from these fault trees. Thus new definitions of the modes of operation for the allocation of Safety Integrity Levels, and shortcut methods for the estimation of hazardous-event frequencies, are proposed. © 1999 Elsevier Science Ltd. All rights reserved.
Keywords: IEC61508; Safety-integrity level; Safety-related system; Target failure measure; Hazardous event frequency; Mode of operation

Nomenclature

ABS: antilock braking system
E/E/PE: electric/electronic/programmable electronic
IEC: International Electrotechnical Commission
PE: programmable electronic
PES: programmable electronic system
SIL: safety integrity level
EUC (equipment under control): Equipment, machinery, apparatus or plant used for manufacturing, process, transportation, medical or other activities.
EUC control system: System which responds to input signals from the process and/or from an operator and generates output signals causing the EUC to operate in the desired manner.
SRS (safety-related system): Designated system that both implements the required safety functions necessary to achieve or maintain a safe state for the EUC, and is intended to achieve, on its own or with other SRSs and/or ERRFs, the necessary safety integrity for the required safety functions. SRSs are classified into E/E/PE SRSs and other technology SRSs.
ERRF (external risk reduction facility): Measure to reduce or mitigate the risks which is separate and distinct from, and does not use, SRSs. Examples are a drain system, a fire wall and a bund.
E/E/PE SRS: SRS based on E/E/PE technology.
Other technology SRS: SRS based on a technology other than E/E/PE.
Safe state: State of the EUC when safety is achieved.
Safety function: Function to be implemented by an E/E/PE SRS, etc., which is intended to achieve or maintain a safe state for the EUC in respect of a specific hazardous event or accident.
Hazardous event: Hazardous situation which results in harm.

* Corresponding author. Fax: +81-3-5245-7421. E-mail address: yoshi@ipc.tosho-u.ac.jp (Y. Misumi)
0951-8320/99/$ - see front matter. PII: S0951-8320(99)00030-7



Failed state: State of the SRS being unable to perform a required safety function(s).
Failure: Occurrence of the failed state.
Hazardous failure: Subset of the failures that brings about a hazardous event when all other risk-reduction measures are in their failed states and a demand-state exists.
Dangerously-failed state: Subset of the failed states that is not detected by automatic diagnostic tests, and is detected by a proof test or by an accident/incident caused by a demand (Assumptions 4–7).
Dangerous failure: Occurrence of the dangerously-failed state.
Recovery (repair): Termination of the failed state.
Demand-state: State of the EUC when the SRS is being required to implement a particular safety function(s).
Demand: Occurrence of the demand-state.
True demand-state: Subset of the demand-states which inevitably brings about a hazardous event (or harm) if the SRS(s) is in a failed state(s).
True demand: Occurrence of the true demand-state.
Spurious demand-state: Demand-states other than the true demand-states.
Spurious demand: Occurrence of the spurious demand-state.
Completion: Termination of the demand-state.
Detection: Recognition of a failed state(s).
Detection-by-demand: Detection caused by a demand-state (see Assumptions 6 and 7).
Detection-by-spurious demand: Detection caused by a spurious demand-state (see Assumption 7).
Proof test: Periodic test performed to detect a failed state(s) (see Assumption 4).

Notation

$\lambda_d$: demand rate [1/year]; the probability of a demand per year at time $t$, given a non-demand-state at time $t$ (see Assumption 2).
$\mu_d$: completion rate [1/year]; the probability of a completion per year at time $t$, given a demand-state at time $t$.
$\lambda_t$: true demand rate [1/year]; the probability of a true demand per year at time $t$, given no true demand-state at time $t$.
$Q_d(t)$: demand-state probability; the probability of a demand-state at time $t$.
$Q_t(t)$: true demand-state probability; the probability of a true demand-state at time $t$.
$\omega_d(t)$: demand frequency [1/year]; the statistically expected number of demands per year at time $t$.
$\omega_t(t)$: true demand frequency [1/year]; the statistically expected number of true demands per year at time $t$.
$Q_d$: constant demand-state probability; the probability of a demand-state at the steady demand-state.
$Q_t$: constant true demand-state probability; the probability of a true demand-state at the steady demand-state.
$Q_s$: constant spurious demand-state probability; the probability of a spurious demand-state at the steady demand-state.
$\omega_d$: constant demand frequency [1/year]; the statistically expected number of demands per year at the steady demand-state.
$\omega_t$: constant true demand frequency [1/year]; the statistically expected number of true demands per year at the steady demand-state.
$\omega_s$: constant spurious demand frequency [1/year]; the statistically expected number of spurious demands per year at the steady demand-state.
$k$: the proportion of true demands to total demands, i.e. $\Pr\{\text{demand is true} \mid \text{a demand}\}$.
$\lambda_s$: d-failure rate [1/year]; the probability of a dangerous failure per year at time $t$, given the SRS was as good as new at $t = 0$ and has not failed up to time $t$ (see Assumption 3 in Section 3.3).
$\gamma\lambda_s$: h-failure rate [1/year]; the probability of a hazardous failure per year at time $t$, given the SRS was as good as new at $t = 0$ and has not failed up to time $t$ (see Assumption 3 in Section 3.3).
$\gamma$: h/d ratio; the proportion of the hazardous failures to the dangerous failures.
$\nu_p$: proof test frequency [1/year].
$T_p$: proof test interval [year] ($= 1/\nu_p$).
$\nu_s$: frequency of the detections-by-spurious demands [1/year] (see Assumption 7 in Section 3.3).
$\delta$: the proportion of $\nu_s$ to the spurious demand frequency $\omega_s$.
$\nu$: the sum of the proof test frequency and the detection-by-demand frequency [1/year].
$T$: the reciprocal of $\nu$, i.e. the mean time between the terminations of detection [year] (see Fig. 1).
$T_a$: mean time between detection [year] (see Fig. 1).
$Q_s(t)$: d-failed-state probability; the probability of the SRS being in a dangerously-failed state at time $t$, given it was as good as new at $t = 0$.
$\bar{Q}_s$: average d-failed-state probability; the average of $Q_s(t)$ during $(0, t]$.
$\omega_s(t)$: hazardous failure frequency [1/year]; the statistically expected number of hazardous failures per year at time $t$, given the SRS was as good as new at $t = 0$.
$\bar{\omega}_s$: average hazardous-failure frequency [1/year]; the average of $\omega_s(t)$ during $(0, t]$.
$\omega(t)$: hazardous-event frequency [1/year]; the statistically expected number of hazardous events per year at time $t$, given no hazardous event at $t = 0$.
$\bar{\omega}$: average hazardous-event frequency [1/year]; the average of $\omega(t)$ during $(0, t]$.

Note 1. $\omega_d = \omega_t + \omega_s$.
Note 2 (see Section A.1). $\omega_t = k\omega_d$, $\omega_s = (1-k)\omega_d$, $Q_t = kQ_d$ and $Q_s = (1-k)Q_d$. Therefore $\lambda_t = k\lambda_d\mu_d/\{(1-k)\lambda_d + \mu_d\}$, with $0 \le k \le 1$; $k = 0$ if spurious demands only, and $k = 1$ if true demands only.

Note 3 (see Note 2). $\nu_s = \delta\omega_s = \delta(1-k)\omega_d$.
Note 4. $\nu = \nu_p + \nu_s + \omega_t = \nu_p + \{\delta(1-k) + k\}\omega_d$.
Note 5. $T = 1/\nu = 1/\{\nu_p + [\delta(1-k) + k]\omega_d\}$.
Note 6 (see Section A.2). $T_a = [1 - \{k + \delta(1-k)\}Q_d]T$.

[Fig. 1 (timeline): axis time $t$ [year] from 0; labels: proof test, $T_p$, $T$, $T_a$, demand state, non-demand state, detectable failed state of SRS.]
Fig. 1. The relationship between $T$ and $T_a$.

1. Introduction

A technical task force of IEC, TC65 WG9&10, is drafting an epoch-making international standard, IEC 61508 (Functional Safety of E/E/PE SRSs), which is generically based on and applicable to all E/E/PE SRSs irrespective of the application [1]. In spite of the draft status of this standard, it has already been quoted in several national standards or guidelines of the UK, USA and Japan, including those for the offshore, process, aerospace and railway transportation sectors [2–4]. The safety life-cycle and SILs are fundamental concepts of this standard. The SILs consist of four discrete probabilistic levels for specifying the safety integrity requirements of the safety functions to be allocated to SRSs. In order to allocate SILs to SRSs, the standard classifies SRSs into low-demand and high-demand/continuous modes of operation. However, since a generic algorithm to estimate target failure measures, i.e. average hazardous-event frequencies, has not been explored, it is still unclear which mode of operation should be applied to a given E/E/PE SRS. In order to address this issue, the idea of using a sequential failure logic was proposed for developing a SIL model [5], and the algorithm to estimate average hazardous-event frequencies for constant demand frequencies from the EUC was examined [6]. The present paper establishes, on the basis of the studies [5,6], a generic algorithm for the estimation of average hazardous-event frequencies for systems with non-repairable and repairable demand states, true and spurious demands, and hazardous and dangerous failures. How to choose among the modes of operation is also explored for the allocation of SILs to E/E/PE SRSs.

2. SIL

2.1. Description of overall system

The draft IEC 61508 assumes that an overall system is composed of such system elements as an EUC, an EUC control system(s), an E/E/PE SRS(s), an other-technology-based SRS(s) and an ERRF(s). The EUC control system primarily controls the EUC so as not to cause a hazardous event(s). Here, the hazardous event is defined as a hazardous situation which results in harm, i.e. physical injury or damage to the health of people, either directly or indirectly as a result of damage to property or to the environment [7]. The SRSs and ERRF are redundant sub-systems to prevent the hazardous event(s) from arising when the EUC control system fails to control the EUC. The causation of accidents in such an overall system is usually complicated. Therefore it is identified and analyzed using fault-tree analysis and/or other system safety techniques [8]. In accordance with the draft of IEC 61508, the simplified causation of accidents is modeled as the fault tree shown in Fig. 2. The top event, a hazardous event, is generated when all the gate inputs, "EUC control system is in a failed state", "E/E/PE SRS is in a failed state", "other technology SRS is in a failed state", "ERRF is in a failed state" and "EUC demand arises", are true. In general, the statistical attribute of an event is a frequency given in [1/year], whereas a failed state is quantified using a probability. In the above case, the top event and the gate input "EUC demand arises" are events and are therefore given as frequencies, whereas the other gate inputs are given as probabilities [8].

2.2. Necessary risk reduction

In the draft standard, risk is defined as the combination of the probability of occurrence of a hazardous event and the severity of its consequence. Safety is achieved by reducing a risk to a tolerable level. The SRS reduces the probability of occurrence of the event and/or the severity of that event. This ability of the SRS is called functional safety. Namely, if the necessary risk reduction is estimated, then a safety function and its target failure measure, i.e. SIL, are allocated to the SRS.

[Fig. 2 (fault tree): top event "Hazardous event"; gate inputs: "EUC control system is in a failed state/fails", "E/E/PE SRS is in a failed state/fails", "Other technology SRS is in a failed state/fails", "ERRF is in a failed state/fails", "EUC demand arises/exists".]
Fig. 2. A simplified fault tree for a hazardous event.


The risk reduction is estimated by comparing the average hazardous-event frequencies of the overall system with and without the SRS. Thus it is important for the determination of SILs that a reasonable algorithm for the estimation of the average hazardous-event frequencies be derived.

2.3. Modes of operation

The draft standard classifies the operation mode of an E/E/PE SRS into two modes, low demand mode and high demand or continuous mode. The previous version of the draft defined the modes of operation as: (1) low demand mode, where the demand frequency is less than the proof check frequency, and (2) high demand/continuous mode, where the demand frequency is significantly greater than the proof test frequency [9]. These definitions are changed in the latest version of the draft: (1) low demand mode, where the frequency of demands for operation made on a safety-related system is no greater than one per year and no greater than twice the proof test frequency, and (2) high demand/continuous mode, where the frequency of demands for operation made on a safety-related system is greater than one per year or greater than twice the proof test frequency [1]. The draft defines the target failure measures of the SRS for both modes of operation: (1) the average probability of failure to perform the design function on demand (for low demand mode of operation) and (2) the probability of a dangerous failure per hour (for high demand/continuous mode of operation). If the necessary risk reduction to be achieved by an SRS and its operation mode are designated, then in accordance with this requirement an SIL is allocated to the SRS using Tables 1 and 2. This is the procedure given by the standard. Although the draft standard derives two modes of operation for E/E/PE SRSs based on demand frequency only, it gives no definition of continuous mode. There can be demand states that appear intermittently. It is not clear which mode of operation should be applied to SRSs with such demand states.

Table 1. SILs: target failure measures for an E/E/PE SRS operating in low demand mode of operation (Draft IEC 1508)
SIL   Low demand mode of operation (average probability of failure to perform its design function on demand)
4     $\bar{Q}_s$ in the range $[10^{-5}, 10^{-4})$
3     $\bar{Q}_s$ in the range $[10^{-4}, 10^{-3})$
2     $\bar{Q}_s$ in the range $[10^{-3}, 10^{-2})$
1     $\bar{Q}_s$ in the range $[10^{-2}, 10^{-1})$

Table 2. SILs: target failure measures for an E/E/PE SRS operating in high demand/continuous mode of operation (Draft IEC 1508)
SIL   High demand/continuous mode of operation (probability of a dangerous failure per hour)
4     $\lambda_s$ in the range $[10^{-9}, 10^{-8})$
3     $\lambda_s$ in the range $[10^{-8}, 10^{-7})$
2     $\lambda_s$ in the range $[10^{-7}, 10^{-6})$
1     $\lambda_s$ in the range $[10^{-6}, 10^{-5})$

3. Comprehensive SIL model

In order to review the problem in the previous section and to make the SIL model more generic and more comprehensive, the following three situations are discussed.

3.1. Demand and demand state

A heart pacemaker is a typical E/E/PE SRS that has to work for a long duration, i.e. it has a long demand state after a demand. Another example is the air bag system for motor vehicles. The air bag system has two safety functions, to control the primary and the secondary hazard. Here, the primary hazard is that the system fails to start when a collision occurs. The secondary hazard is that the system starts unnecessarily and flurries the driver. This could result in a collision. For this reason, the air bag system has the safety function of controlling itself so as not to bring about an unnecessary start. Driving usually continues for a significantly long duration, which becomes the demand-state regarding the safety function against the secondary hazard. Namely, the duration of the demand-state is not short and the demand-state appears intermittently. Protection systems used by process industries sometimes have both primary and secondary hazards similar to the air bag system. These examples demonstrate that there exist many cases where the demand-state is not instantaneous.

Fig. 3 illustrates the demands and demand states for the system where the activity of the EUC is stopped and the non-demand state is kept at a proof test. Here, this system is called a non-demand-state-at-proof-test system. Fig. 4 describes the relationships among demands, demand-states and a proof test for the system where the occurrences of the demand and the proof test are statistically independent and the demand frequency is regarded as constant. This system is called a constant demand-frequency system in this paper.

[Fig. 3 (timelines, time $t$ [year] from 0 to $T_p$, proof tests at both ends): 1. Non-repairable demand-state: demand, then demand state lasting until the proof test. 2. Repairable demand-state (long duration): demand, demand state, completion, non-demand state. 3. Repairable demand-state (short duration): demand, completion, non-demand state.]
Fig. 3. Demands, demand states and proof tests model for non-demand-state-at-proof-test systems.

[Fig. 4 (timelines, time $t$ [year] from 0 to $T_p$, proof tests at both ends): 1. Medium frequency & long duration: demand, demand state, completion, non-demand state. 2. Medium frequency & medium duration: demand, demand state, completion, non-demand state.]
Fig. 4. Demands, demand states and proof tests model for constant-demand-frequency systems.

3.2. True and spurious demands

A light curtain interlocking system installed on a press machine is an E/E/PE SRS. This system stops the press machine when a worker puts his hand into the dangerous zone of the machine at the wrong time. Some surveys indicate that there are a few hundred demands on the SRS a year on average [10]. In other words, the machine is stopped more than 100 times a year by the SRS. However, it is known that more than 99% of the demands are spurious demands, since other statistics suggest that the average frequency of hazardous events caused by the machine without the SRS is estimated as 0.1–0.9 times a machine-year [11]. This results from the fact that the sensors of the interlocking systems are located not in the really dangerous zones but in the surroundings of the dangerous zones. Moreover, it is suggested that personnel do not always notice the SRS being in a failed state(s) even if a spurious demand arises. This means that some of the spurious demands result in the detection of the failed state(s), but others do not. An ABS for motor vehicles is a well-known E/E/PE SRS, which controls the braking power in order to prevent the vehicle from skidding. The same is true for the ABS as for the light curtain interlocking system. The frequency of demands on the ABS may exceed hundreds of times a vehicle-year; however, the frequency of accidents caused by a vehicle without ABS does not exceed 1 [1/vehicle-year] on average [12]. These examples show that spurious demands are often generated and only a part of the demands may result in the detection of the failed state(s).

3.3. Sequential failure logic

Here, since the major interest is the E/E/PE SRS, gate inputs other than "E/E/PE SRS is in a failed state/fails" and "EUC demand arises/exists" in Fig. 2 are neglected. The relationship between the two gate inputs is closely explored. Two configurations of system failure logic are possible: (1) The E/E/PE SRS fails first and the resultant failed state continues until a true demand arises. This finally leads to a hazardous event. (2) A true demand arises first and the true demand-state continues until the SRS fails. This brings about a hazardous event. The system failure model is described using Priority-AND gates [13,14] as shown in Fig. 5. In accordance with the above discussions, it is reasonable to put the following assumptions on the system failure model.

[Fig. 5 (two Priority-AND gates, each with top event "Hazardous event"): (1) Failure first & demand later: inputs "E/E/PE SRS fails", then "True demand". (2) Demand first & failure later: inputs "True demand", then "E/E/PE SRS fails".]
Fig. 5. Sequential failure-logics for a hazardous event.

Assumptions
1. The demands and failures of the E/E/PE SRS are statistically independent.
2. The occurrence of demands and completions can be modeled by exponential distributions with constants $\lambda_d$, $\lambda_t$, $\lambda_s$ and $\mu_d$. For the constant demand-frequency system, the demand frequency $\omega_d$ and the demand-state probability $Q_d$ may be approximated by their stationary values, $\lambda_d\mu_d/(\lambda_d + \mu_d)$ and $\lambda_d/(\lambda_d + \mu_d)$, respectively.
3. The dangerous and hazardous failures can be modeled by exponential distributions with the d-failure rate $\lambda_s$ and the h-failure rate $\gamma\lambda_s$, respectively. The dangerously failed state continues until it is detected and repaired. The relationships $\lambda_s T_p \ll 1$ and $\gamma\lambda_s T_p \ll 1$ are always satisfied.
4. Any failed state is restored to as good as new by a proof test immediately.
5. Any failed state other than the dangerous ones is detected and removed immediately. Its effect on the whole stochastic process of hazardous events can be neglected.
6. If an accident arises, the SRS is repaired immediately. If a true demand-state does not cause any accident, it is proved that the SRS is functioning.
7. If a spurious demand-state does not activate the SRS, a dangerously-failed state(s) is revealed. Therefore, some of the spurious demand-states may result in the detection of that state(s). If the state(s) is detected, the SRS is repaired immediately.
8. The average hazardous-event frequency is sufficiently smaller than unity, i.e. $\bar{\omega} \ll 1$ [1/year].
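The two Priority-AND gates of Fig. 5 can be checked against the closed forms of Section 4.1.1 by simulation. The Python program below is an added example written for this page, not code from the paper. It simulates one proof-test interval of the non-repairable demand-state case of Fig. 3 ($k = 1$) under Assumptions 1–4: the dangerous failure time of the SRS is drawn with rate $\lambda_s$, a dangerous failure is hazardous with probability $\gamma$, and the true demand time is drawn with rate $\lambda_d$. A hazardous event is counted if the dangerous failure precedes the demand (logic 1) or if the demand precedes a hazardous failure (logic 2). A plain AND gate, which ignores the order of the inputs, is counted alongside to show why the sequential logic matters. Eqs. (5)–(7) of Section 4.1.1 are coded for comparison; the parameter values and the random seed are chosen here for illustration and are not from the paper.

```python
import math
import random


def closed_form_non_repairable(lam_s, gamma, lam_d, nu_p):
    """Eqs. (5)-(7) of Section 4.1.1: average hazardous-event frequencies
    [1/year] for a non-repairable demand state (k = 1) with proof-test
    frequency nu_p = 1/T_p, valid for lambda_s*T_p << 1 (Assumption 3)."""
    x = lam_d / nu_p                      # expected demands per proof-test interval
    a = (1.0 - math.exp(-x)) / x          # (nu_p/lambda_d){1 - exp(-lambda_d/nu_p)}
    w1 = lam_s * (a - math.exp(-x))       # failure first, demand later  (Eq. 5)
    w2 = gamma * lam_s * (1.0 - a)        # demand first, failure later  (Eq. 6)
    return w1, w2, w1 + w2                # mutually exclusive logics    (Eq. 7)


def simulate_non_repairable(lam_s, gamma, lam_d, nu_p, n_intervals, seed=1):
    """Monte Carlo over n_intervals proof-test intervals.  Returns the
    estimated frequencies [1/year] (w1, w2, w_priority_and, w_plain_and)."""
    rng = random.Random(seed)
    t_p = 1.0 / nu_p
    n1 = n2 = n_plain = 0
    for _ in range(n_intervals):
        # Assumption 4: the SRS is as good as new at t = 0 after the proof test.
        t_fail = rng.expovariate(lam_s)          # dangerous (d-) failure time
        hazardous = rng.random() < gamma         # fraction gamma of d-failures is hazardous
        t_dem = rng.expovariate(lam_d)           # true demand time (k = 1)
        if t_dem > t_p:
            continue                             # no demand in this interval
        # Non-repairable demand state: it persists from t_dem until t_p.
        if t_fail < t_dem:
            n1 += 1                              # Fig. 5 (1): demand meets an already failed SRS
        elif t_fail <= t_p and hazardous:
            n2 += 1                              # Fig. 5 (2): SRS fails hazardously during the demand state
        if t_fail <= t_p:
            n_plain += 1                         # plain AND: both inputs true, order ignored
    years = n_intervals * t_p
    return n1 / years, n2 / years, (n1 + n2) / years, n_plain / years


def relative_error(estimate, reference):
    return abs(estimate - reference) / reference


if __name__ == "__main__":
    # Illustrative values (constructed for this example): lambda_s = 0.02/yr,
    # gamma = 0.5, one true demand per year on average, yearly proof test.
    params = dict(lam_s=0.02, gamma=0.5, lam_d=1.0, nu_p=1.0)
    w1, w2, w = closed_form_non_repairable(**params)
    s1, s2, s, s_plain = simulate_non_repairable(n_intervals=400_000, **params)
    print(f"Eqs. (5)-(7): w1={w1:.3e}  w2={w2:.3e}  w={w:.3e}")
    print(f"simulated   : w1={s1:.3e}  w2={s2:.3e}  w={s:.3e}  plain-AND={s_plain:.3e}")
```

With $\gamma < 1$ the plain-AND count is always larger than the Priority-AND sum, because it also counts dangerous but non-hazardous failures that occur after the demand; Eq. (7) only counts them when they precede the demand, which is what Fig. 5 expresses.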

4. Estimation of average hazardous-event frequency

It is essential for the allocation of SILs to SRSs that appropriate algorithms to estimate average hazardous-event frequencies be obtained for arbitrary conditions of demands and demand states. The following discusses the estimation of hazardous-event frequencies based on the assumptions made in the previous section.

4.1. Non-demand-state-at-proof-test system

The system where the activity of the EUC is stopped and the non-demand-state is kept at a proof test is the system of this type. It is divided into two types with regard to demand-states, viz. a non-repairable demand-state and a repairable demand-state. The demand-state of the former continues until the next proof test. On the contrary, the demand-state of the latter appears intermittently. The algorithms for the estimation of average hazardous-event frequencies are examined and modes of operation are defined for the allocation of SILs.

4.1.1. Non-repairable demand-state

Here, since the statistically expected number of occurrences of demands does not exceed one per interval between two proof tests, it is assumed that $k = 1$. Then the following equations are obtained from the assumptions:

$$Q_s(t) = 1 - \exp(-\lambda_s t) \approx \lambda_s t, \quad (1)$$
$$\omega_s(t) = \gamma\lambda_s \exp(-\gamma\lambda_s t) \approx \gamma\lambda_s, \quad (2)$$
$$Q_t(t) = Q_d(t) = 1 - \exp(-\lambda_d t), \quad (3)$$
$$\omega_t(t) = \omega_d(t) = \lambda_d \exp(-\lambda_d t), \quad (4)$$

where $t = 0$ at the completion of a proof test and $t = T_p$ at the next proof test. For the failure-first and demand-later logic the average hazardous-event frequency is

$$\bar{\omega}_1 = \frac{1}{T_p}\int_0^{T_p} Q_s(t)\,\omega_t(t)\,dt = \lambda_s\left[\frac{\nu_p}{\lambda_d}\{1 - \exp(-\lambda_d/\nu_p)\} - \exp(-\lambda_d/\nu_p)\right]. \quad (5)$$

The demand-first and failure-later logic gives the following average hazardous-event frequency:

$$\bar{\omega}_2 = \frac{1}{T_p}\int_0^{T_p} Q_t(t)\,\omega_s(t)\,dt = \gamma\lambda_s\left[1 - \frac{\nu_p}{\lambda_d}\{1 - \exp(-\lambda_d/\nu_p)\}\right]. \quad (6)$$

Since the two sequential failure logics are mutually exclusive, the total average hazardous-event frequency is

$$\bar{\omega} = \bar{\omega}_1 + \bar{\omega}_2 = \lambda_s\left[\frac{\nu_p}{\lambda_d}\{1 - \exp(-\lambda_d/\nu_p)\} - \exp(-\lambda_d/\nu_p)\right] + \gamma\lambda_s\left[1 - \frac{\nu_p}{\lambda_d}\{1 - \exp(-\lambda_d/\nu_p)\}\right]. \quad (7)$$

Average hazardous-event frequencies are obtained from Eqs. (5)–(7).

4.1.2. Repairable demand-state

Here, the d-failed-state probability $Q_s(t)$ and the hazardous failure frequency $\omega_s(t)$ are supposed to have the same expressions as Eqs. (1) and (2), respectively. On the contrary, the demand-state probability $Q_d(t)$ and the demand frequency $\omega_d(t)$ are

$$Q_d(t) = \frac{\lambda_d}{\lambda_d + \mu_d} - \frac{\lambda_d \exp\{-(\lambda_d + \mu_d)t\}}{\lambda_d + \mu_d}, \quad (8)$$
$$\omega_d(t) = \frac{\lambda_d\mu_d}{\lambda_d + \mu_d} + \frac{\lambda_d^2 \exp\{-(\lambda_d + \mu_d)t\}}{\lambda_d + \mu_d}, \quad (9)$$

where $t = 0$ at the completion of a proof test and $t = T_p$ at the next proof test. If the demand-state is short, $\nu_p \ll \mu_d$ (usually $30\nu_p \le \mu_d$), or the demand frequency is high, $\nu_p \ll \omega_d(t)$, the second terms of both expressions (8) and (9) rapidly become negligibly small compared with their respective first terms with the lapse of time. Then the system may be regarded as approximating the constant-demand-frequency system. The following approximations are derived from Eq. (24).

(a) For low frequency and short duration ($\omega_d \ll \nu_p$ and $\nu_p \ll \mu_d$),
$$\bar{\omega} = \bar{\omega}_1 + \bar{\omega}_2 = \frac{k\lambda_s\omega_d}{2\nu_p} + \frac{k\gamma\lambda_s\lambda_d}{\mu_d}. \quad (10)$$

(b) For medium frequency and short duration ($\omega_d \approx \nu_p$ and $\nu_p \ll \mu_d$),
$$\bar{\omega} = \bar{\omega}_1 + \bar{\omega}_2 = \frac{k\lambda_s}{2\{1 + k + \delta(1-k)\}} + \frac{k\gamma\lambda_s\lambda_d}{\mu_d}. \quad (11)$$

(c) For high frequency and short duration ($\nu_p \ll \omega_d$ and $\nu_p \ll \mu_d$),
$$\bar{\omega} = \bar{\omega}_1 + \bar{\omega}_2 = \frac{k\lambda_s}{2\{k + \delta(1-k)\}} + k\gamma\lambda_s Q_d. \quad (12)$$

(d) For high frequency and medium duration ($\nu_p \ll \omega_d$ and $\lambda_d \approx \mu_d$),
$$\bar{\omega} = \bar{\omega}_1 + \bar{\omega}_2 = \frac{k\lambda_s[1 - \{k + \delta(1-k)\}/2]^2}{2\{k + \delta(1-k)\}} + \frac{k\gamma\lambda_s}{2}. \quad (13)$$

(e) For high frequency and long duration ($\nu_p \ll \omega_d$ and $\mu_d \ll \lambda_d$),
$$\bar{\omega} = \bar{\omega}_1 + \bar{\omega}_2 = \frac{k\lambda_s[1 - \{k + \delta(1-k)\}]^2}{2\{k + \delta(1-k)\}} + k\gamma\lambda_s. \quad (14)$$

Table 3 shows the shortcut methods for the specific demand-state (non-repairable demand) and demand-frequency (repairable demand) modes: (1) low demand-rate, (2) medium demand-rate, (3) high demand-rate, (4) low frequency and short duration, (5) medium frequency and short duration, (6) high frequency and short duration, (7) high frequency and medium duration and (8) high frequency and long duration modes, respectively.

Table 3. New definition of modes of operation for allocation of SILs for non-demand-state-at-proof-test systems ($k = \gamma = 1$). For each mode: condition; average hazardous-event frequencies [1/year] $\bar{\omega}_1$, $\bar{\omega}_2$ and $\bar{\omega}$, each with the SIL table to compare it with.
(1) Low demand-rate ($\lambda_d \ll \nu_p$): $\bar{\omega}_1 = \lambda_s\lambda_d/2\nu_p$ (cf. Table 1); $\bar{\omega}_2 = \lambda_s\lambda_d/2\nu_p$ (cf. Table 1); $\bar{\omega} = \lambda_s\lambda_d/\nu_p$ (cf. Table 1).
(2) Medium demand-rate ($\lambda_d \approx \nu_p$): $\bar{\omega}_1 = 0.26\lambda_s$ (cf. Table 2); $\bar{\omega}_2 = 0.37\lambda_s$ (cf. Table 2); $\bar{\omega} = 0.63\lambda_s$ (cf. Table 2).
(3) High demand-rate ($\nu_p \ll \lambda_d$): $\bar{\omega}_1 = \lambda_s\nu_p/\lambda_d$ (cf. Table 2); $\bar{\omega}_2 = \lambda_s\{1 - \nu_p/\lambda_d\}$ (cf. Table 2); $\bar{\omega} = \lambda_s$ (cf. Table 2).
(4) Low frequency and short duration ($\omega_d \ll \nu_p$ and $\nu_p \ll \mu_d$): $\bar{\omega}_1 = \lambda_s\omega_d/2\nu_p$ (cf. Table 1); $\bar{\omega}_2 = \lambda_s\lambda_d/\mu_d$ (cf. Table 2); $\bar{\omega} = \lambda_s\omega_d/2\nu_p + \lambda_s\lambda_d/\mu_d$ (cf. Tables 1 and 2).
(5) Medium frequency and short duration ($\omega_d \approx \nu_p$ and $\nu_p \ll \mu_d$): $\bar{\omega}_1 = \lambda_s/4$ (cf. Table 2); $\bar{\omega}_2 = \lambda_s\lambda_d/\mu_d$ (cf. Table 2); $\bar{\omega} \approx \lambda_s/4$ (cf. Table 2).
(6) High frequency and short duration ($\nu_p \ll \omega_d$ and $\nu_p \ll \mu_d$): $\bar{\omega}_1 = \lambda_s/2$ (cf. Table 2); $\bar{\omega}_2 = \lambda_s Q_d$ (cf. Table 2); $\bar{\omega} \approx \lambda_s/2$ (cf. Table 2).
(7) High frequency and medium duration ($\nu_p \ll \omega_d$ and $\lambda_d \approx \mu_d$): $\bar{\omega}_1 = \lambda_s/8$ (cf. Table 2); $\bar{\omega}_2 = \lambda_s/2$ (cf. Table 2); $\bar{\omega} = 5\lambda_s/8$ (cf. Table 2).
(8) High frequency and long duration ($\nu_p \ll \omega_d$ and $\mu_d \ll \lambda_d$): $\bar{\omega}_1 \approx 0$; $\bar{\omega}_2 = \lambda_s$ (cf. Table 2); $\bar{\omega} = \lambda_s$ (cf. Table 2).

4.2. Constant-demand-frequency system

This type of system has the same expressions for the d-failed-state probability $Q_s(t)$ and the hazardous failure frequency $\omega_s(t)$ as Eqs. (1) and (2), respectively. From the assumptions and Note 2, the true demand-state probability $Q_t(t)$ and the true demand frequency $\omega_t(t)$ are

$$Q_t(t) = Q_t = kQ_d = \frac{k\lambda_d}{\lambda_d + \mu_d}, \quad (15)$$
$$\omega_t(t) = \omega_t = k\omega_d = \frac{k\lambda_d\mu_d}{\lambda_d + \mu_d}. \quad (16)$$

4.2.1. Failure first and demand later logic

If a demand-state which can detect a failed state exists, the failed state is repaired immediately (see Assumptions 6 and 7). Therefore, Section A.3 gives the following relationship (see Fig. 1):

$$\bar{\omega}_1 = \frac{1}{T}\int_0^{T_a} Q_s(t)\,\omega_t\,dt = \frac{\omega_t}{T}\int_0^{T_a} Q_s(t)\,dt = \bar{Q}_s\omega_t = k\bar{Q}_s\omega_d, \quad (17)$$

where (see Notes 2, 5 and 6 as well as Assumption 3)

$$\bar{Q}_s = \frac{1}{T}\int_0^{T_a}\{1 - \exp(-\lambda_s t)\}\,dt = \frac{1}{T}\left[T_a - \frac{1 - \exp(-\lambda_s T_a)}{\lambda_s}\right]. \quad (18)$$

Using $\exp(-\lambda_s T_a) \approx 1 - \lambda_s T_a + \tfrac{1}{2}(\lambda_s T_a)^2$,

$$\bar{Q}_s \approx \frac{\lambda_s T_a^2}{2T} = \frac{\lambda_s[1 - \{k + \delta(1-k)\}Q_d]^2}{2\{\nu_p + [\delta(1-k) + k]\omega_d\}}. \quad (19)$$

Here, $\bar{\omega}_1$ is the part of $\bar{\omega}$ where the hazardous event occurs according to the failure first and demand later logic. Thus, from Eqs. (17)–(19),

$$\bar{\omega}_1 = \frac{k\omega_d\lambda_s[1 - \{k + \delta(1-k)\}Q_d]^2}{2\{\nu_p + [\delta(1-k) + k]\omega_d\}}. \quad (20)$$

4.2.2. Demand first and failure later logic

Similarly, the hazardous-event frequency for this failure logic, $\bar{\omega}_2$, is given by Eq. (21):

$$\bar{\omega}_2 = \frac{1}{T}\int_0^{T} Q_t\,\omega_s(t)\,dt = \frac{Q_t}{T}\int_0^{T}\omega_s(t)\,dt = Q_t\bar{\omega}_s = kQ_d\bar{\omega}_s, \quad (21)$$

where (see Note 2 and Assumption 3)

$$\bar{\omega}_s = \frac{1}{T}\int_0^{T}\gamma\lambda_s\exp(-\gamma\lambda_s t)\,dt \approx \gamma\lambda_s. \quad (22)$$

From Eqs. (15), (21) and (22),

$$\bar{\omega}_2 = kQ_d\gamma\lambda_s = \frac{k\gamma\lambda_s\lambda_d}{\lambda_d + \mu_d}. \quad (23)$$

4.2.3. Total average hazardous-event frequency

Since the sequential failure logics are exclusive, the total average hazardous-event frequency $\bar{\omega}$ is given by

$$\bar{\omega} = \bar{\omega}_1 + \bar{\omega}_2 = \frac{k\omega_d\lambda_s[1 - \{k + \delta(1-k)\}Q_d]^2}{2\{\nu_p + [\delta(1-k) + k]\omega_d\}} + k\gamma\lambda_s Q_d. \quad (24)$$

New definitions of the modes of operation for the allocation of SILs and shortcut methods for the estimation of hazardous-event frequencies are proposed in Table 4. The specific demand-frequency modes are: (1) low frequency and short duration, (2) medium frequency and short duration, (3) high frequency and short duration, (4) low frequency and medium duration, (5) medium frequency and medium duration, (6) high frequency and medium duration, (7) low frequency and long duration, (8) medium frequency and long duration and (9) high frequency and long duration modes.

Table 4. New definition of modes of operation for allocation of SILs for constant-demand-frequency systems ($k = 1$). Layout as in Table 3.
(1) Low frequency and short duration ($\omega_d \ll \nu_p$ and $\lambda_d \ll \mu_d$): $\bar{\omega}_1 = \lambda_s\omega_d/2\nu_p$ (cf. Table 1); $\bar{\omega}_2 = \gamma\lambda_s\lambda_d/\mu_d$ (cf. Table 2); $\bar{\omega} = \lambda_s\omega_d/2\nu_p + \gamma\lambda_s\lambda_d/\mu_d$ (cf. Table 1 and/or 2).
(2) Medium frequency and short duration ($\omega_d \approx \nu_p$ and $\lambda_d \ll \mu_d$): $\bar{\omega}_1 = \lambda_s/4$ (cf. Table 2); $\bar{\omega}_2 = \gamma\lambda_s\lambda_d/\mu_d$ (cf. Table 2); $\bar{\omega} = \lambda_s/4 + \gamma\lambda_s\lambda_d/\mu_d$ (cf. Table 2).
(3) High frequency and short duration ($\nu_p \ll \omega_d$ and $\lambda_d \ll \mu_d$): $\bar{\omega}_1 = \lambda_s/2$ (cf. Table 2); $\bar{\omega}_2 = \gamma\lambda_s\lambda_d/\mu_d$ (cf. Table 2); $\bar{\omega} = \lambda_s/2 + \gamma\lambda_s\lambda_d/\mu_d$ (cf. Table 2).
(4) Low frequency and medium duration ($\omega_d \ll \nu_p$ and $\lambda_d \approx \mu_d$): $\bar{\omega}_1 = \lambda_s\omega_d/8\nu_p$ (cf. Table 1); $\bar{\omega}_2 = \gamma\lambda_s/2$ (cf. Table 2); $\bar{\omega} \approx \gamma\lambda_s/2$ (cf. Table 2).
(5) Medium frequency and medium duration ($\nu_p \approx \omega_d$ and $\lambda_d \approx \mu_d$): $\bar{\omega}_1 = \lambda_s/16$ (cf. Table 2); $\bar{\omega}_2 = \gamma\lambda_s/2$ (cf. Table 2); $\bar{\omega} = \lambda_s/16 + \gamma\lambda_s/2$ (cf. Table 2).
(6) High frequency and medium duration ($\nu_p \ll \omega_d$ and $\lambda_d \approx \mu_d$): $\bar{\omega}_1 = \lambda_s/8$ (cf. Table 2); $\bar{\omega}_2 = \gamma\lambda_s/2$ (cf. Table 2); $\bar{\omega} = \lambda_s/8 + \gamma\lambda_s/2$ (cf. Table 2).
(7) Low frequency and long duration ($\omega_d \ll \nu_p$ and $\mu_d \ll \lambda_d$): $\bar{\omega}_1 = \lambda_s\omega_d\{\mu_d/(\lambda_d + \mu_d)\}^2/2\nu_p$ (cf. Table 1); $\bar{\omega}_2 = \gamma\lambda_s$ (cf. Table 2); $\bar{\omega} \approx \gamma\lambda_s$ (cf. Table 2).
(8) Medium frequency and long duration ($\omega_d \approx \nu_p$ and $\mu_d \ll \lambda_d$): $\bar{\omega}_1 = \lambda_s\{\mu_d/(\lambda_d + \mu_d)\}^2/4$ (cf. Table 1); $\bar{\omega}_2 = \gamma\lambda_s$ (cf. Table 2); $\bar{\omega} \approx \gamma\lambda_s$ (cf. Table 2).
(9) High frequency and long duration ($\nu_p \ll \omega_d$ and $\mu_d \ll \lambda_d$): $\bar{\omega}_1 = \lambda_s\{\mu_d/(\lambda_d + \mu_d)\}^2/2$ (cf. Table 1); $\bar{\omega}_2 = \gamma\lambda_s$ (cf. Table 2); $\bar{\omega} \approx \gamma\lambda_s$ (cf. Table 2).
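The constant-demand-frequency algorithm of Section 4.2 is worked through in the Python below. It is an added example written for this page, not code from the paper. It computes $\nu$, $T$ and $T_a$ from Notes 3–6, the exact average d-failed-state probability of Eq. (18) beside the second-order approximation of Eq. (19), and then $\bar{\omega}_1$, $\bar{\omega}_2$ and $\bar{\omega}$ from Eqs. (20), (23) and (24) for any $k$ and $\delta$. Because every term of Eq. (24) is proportional to $\lambda_s$, the same function is inverted to give the d-failure rate an SRS must achieve for a target average hazardous-event frequency; that inversion, the function names and the parameter values are the example's own, not the paper's.

```python
import math


def steady_state_demand(lam_d, mu_d):
    """Assumption 2: stationary demand frequency omega_d [1/yr] and demand-state
    probability Q_d of the two-state (demand / non-demand) process."""
    omega_d = lam_d * mu_d / (lam_d + mu_d)
    q_d = lam_d / (lam_d + mu_d)
    return omega_d, q_d


def detection_times(nu_p, omega_d, q_d, k, delta):
    """Notes 3-6: nu (proof tests plus detections by demand) [1/yr], T = 1/nu,
    and T_a, the part of T spent outside detecting demand states."""
    nu_s = delta * (1.0 - k) * omega_d               # Note 3
    nu = nu_p + nu_s + k * omega_d                   # Note 4
    t = 1.0 / nu                                     # Note 5
    t_a = (1.0 - (k + delta * (1.0 - k)) * q_d) * t  # Note 6
    return nu, t, t_a


def mean_dfailed_probability(lam_s, t, t_a, exact=True):
    """Eq. (18) when exact=True, otherwise its approximation Eq. (19)."""
    if exact:
        # -expm1(-x) = 1 - exp(-x) without cancellation for small x
        return (t_a - (-math.expm1(-lam_s * t_a)) / lam_s) / t
    return lam_s * t_a ** 2 / (2.0 * t)


def hazardous_event_frequency(lam_s, gamma, lam_d, mu_d, nu_p, k=1.0, delta=0.0):
    """Eqs. (20), (23), (24): (w1, w2, w) [1/yr] for a constant-demand-frequency
    system with true-demand fraction k and spurious-detection fraction delta."""
    omega_d, q_d = steady_state_demand(lam_d, mu_d)
    _, t, t_a = detection_times(nu_p, omega_d, q_d, k, delta)
    w1 = k * omega_d * mean_dfailed_probability(lam_s, t, t_a, exact=False)  # Eq. (20)
    w2 = k * gamma * lam_s * q_d                                            # Eq. (23)
    return w1, w2, w1 + w2                                                  # Eq. (24)


def required_dfailure_rate(target_w, gamma, lam_d, mu_d, nu_p, k=1.0, delta=0.0):
    """Largest lambda_s [1/yr] whose Eq. (24) frequency does not exceed target_w.
    Eq. (24) is linear in lambda_s, so one evaluation at lambda_s = 1 suffices
    (this inversion is the example's own step, not one the paper states)."""
    _, _, w_per_unit = hazardous_event_frequency(1.0, gamma, lam_d, mu_d, nu_p, k, delta)
    return target_w / w_per_unit


if __name__ == "__main__":
    # Illustrative values (constructed for this example): about 50 demands/yr
    # lasting about one hour each, quarterly proof test, 90 % of demands true,
    # half of the spurious ones reveal a dangerously failed state.
    lam_d, mu_d, nu_p, k, delta = 50.0, 8760.0, 4.0, 0.9, 0.5
    w1, w2, w = hazardous_event_frequency(1e-2, 0.5, lam_d, mu_d, nu_p, k, delta)
    print(f"w1={w1:.3e}  w2={w2:.3e}  w={w:.3e}  [1/yr]")
    lam_req = required_dfailure_rate(1e-5, 0.5, lam_d, mu_d, nu_p, k, delta)
    print(f"lambda_s needed for w <= 1e-5/yr: {lam_req:.3e} /yr ({lam_req / 8760:.3e} /h)")
```

The limiting rows of Table 4 fall out of `hazardous_event_frequency` directly: with $k = 1$, $\lambda_d = \mu_d$ and $\nu_p \ll \omega_d$ it returns $\bar{\omega}_1 \approx \lambda_s/8$ and $\bar{\omega}_2 = \gamma\lambda_s/2$, and with $\omega_d \ll \nu_p$ and $\lambda_d \ll \mu_d$ it returns $\bar{\omega}_1 \approx \lambda_s\omega_d/2\nu_p$, so the table can be regenerated rather than trusted.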


5. Discussion

The draft IEC 61508 requires the following. When the safety integrity allocation to the E/E/PE SRS(s) has sufficiently progressed, the safety integrity requirements for each safety function allocated to the E/E/PE SRS(s) shall be specified in terms of the SIL in accordance with Tables 1 and 2, and be quantified to indicate whether the target safety integrity parameter is either (1) the average probability of failure to perform its design function on demand (for a low demand mode of operation), or (2) the probability of a dangerous failure per hour (for a high demand/continuous mode of operation). Thus, in accordance with the draft standard, the average hazardous-event frequency $\bar{\omega}$ can be estimated using Tables 1–4 of the present paper for 17 types of demand modes of operation and shortcut methods, respectively. Moreover, it becomes possible to allocate a SIL to an arbitrary system with any parameters, such as demand and completion rates, true and spurious demand rates, h/d ratio, etc., using the algorithms obtained here.

As far as IEC 61508 is concerned, the target safety integrity parameters should be generic and applicable to all E/E/PE SRSs irrespective of the application sector. However, if the demand modes are restricted, for instance, to the low demand-rate, high frequency and short duration, and high frequency and long duration modes only, the target safety integrity parameters will not be comprehensive. Therefore, the results obtained in the present paper are very important for the draft to be generic.

For the secondary hazard of motor vehicles related to the air bag system, the failure first and demand later logic becomes meaningless, because the hazard materializes only while driving continues. For such cases as the secondary hazard, the hazardous-event frequency is estimated using the demand first and failure later logic only. Thus, careful examination is required to determine which failure logic should be applied to each hazard in order to estimate the hazardous-event frequency. In general, there exist hazards where both failure logics must be considered. For such cases, the idea of the total average hazardous-event frequency proposed in this paper is useful.

6. Conclusion

The relationships between the demand frequency and the average hazardous-event frequency are given for arbitrary system parameters in order to make the SIL model more generic and more comprehensive. First, the overall system including the E/E/PE SRS is described using a simplified fault-tree. Then, the relationships among demands, demand-states and proof-tests are studied. New ideas such as a demand-state, spurious demand-state, mean time between detections, rates of d-failure and h-failure, and an h/d ratio are introduced. Finally, the overall system is simplified and modeled by fault-trees using Priority-AND gates, and generic algorithms to estimate hazardous-event frequencies are derived based on the fault-trees. Thus, new definitions of modes of operation for allocation of SILs and shortcut methods for estimation of hazardous-event frequencies are proposed. If gate-inputs other than those described in Fig. 5 must be considered, SIL models with three or more gate-inputs will become necessary. These are problems to be studied hereafter.

Acknowledgements

The authors wish to express their sincere thanks to Mr. Ron Bell, Convener of IEC TC65 WG9 and 10, for giving them the opportunity of the meeting where the new idea of the SIL model was founded; to Mr. Keith Oughton for the encouragement given to them at the Rome meeting of June 1997; to Dr. Dietmar Reinert, who inquired of the authors about the light curtain interlocking system; and also to Prof. Tomitaroh Ishimori for his assistance in improving the paper.

Appendix A

A.1. Derivation of Note 2

From Postulate 2, $Q_d = \lambda_d/(\lambda_d + \mu_d)$ and $Q_t = \lambda_t/(\lambda_t + \mu_d)$. Since $Q_t = kQ_d$ means $\lambda_t/(\lambda_t + \mu_d) = k\lambda_d/(\lambda_d + \mu_d)$, it follows that
$$\lambda_t = \frac{k\lambda_d\mu_d}{(1-k)\lambda_d + \mu_d}.$$

A.2. Derivation of Note 6

The following holds: Pr{no demand-state detectable of the failed state} = {mean time-duration of no demand-state detectable of the failed state, i.e. mean time between detections}/{mean time between the terminations of detection} = $T_a/T$. On the other hand, from Note 2, $T_a/T$ is also rewritten as: Pr{no demand-state detectable of the failed state} = 1 − Pr{demand-state detectable of the failed state} $= 1 - (Q_t + dQ_s) = 1 - \{k + d(1-k)\}Q_d$. Therefore, $T_a/T = 1 - \{k + d(1-k)\}Q_d$, and hence $T_a = [1 - \{k + d(1-k)\}Q_d]\,T$.

A.3. Derivation of Eq. (17)

Let $W(t_1, t_2)$ be the statistically expected number of occurrences of the gate output event during $(t_1, t_2]$ for Fig. 4. Then the following relations hold during a time duration $\Delta t \ll 1$: $W(t, t+\Delta t)$ = Pr{an accident during $(t, t+\Delta t]$} = Pr{a failed state at time $t$} Pr{non-demand-state at time $t$} Pr{a demand during $(t, t+\Delta t]$ | non-demand-state at time $t$} Pr{demand is true | a demand} = Pr{a failed state at time $t$} Pr{no true demand-state at time $t$} Pr{a true demand


during $(t, t+\Delta t]$ | no true demand-state at time $t$} $= Q_s(t)\,\Pr\{\text{no true demand-state at time } t\}\,\lambda_t\,\Delta t$. Therefore, the average hazardous-event frequency in the interval $(0, T]$, $w_1$, is given from $W(0, T)$ as
$$w_1 = \frac{W(0,T)}{T} = \frac{1}{T}\int_0^{T} Q_s(t)\,\Pr\{\text{no true demand-state at time } t\}\,\lambda_t\,dt = \frac{1}{T}\int_0^{T_a} Q_s(t)\,\Pr\{\text{no true demand-state at time } t\}\,\lambda_t\,dt + \frac{1}{T}\int_{T_a}^{T} Q_s(t)\,\Pr\{\text{no true demand-state at time } t\}\,\lambda_t\,dt.$$

Here, since the failed state is repaired immediately and therefore $Q_s(t) = 0$ during $(T_a, T]$ when the demand-state detectable of the failed state exists (see Postulates 6 and 7), the second term becomes null. Thus, Formula (17) is proved to hold.
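As an added example (not the paper's own code), the following Python ties Note 2, Note 6 and Eq. (17) together: it solves $\lambda_t$ from $Q_t = kQ_d$, computes $T_a$, and integrates $w_1$ numerically over $(0, T_a]$ only. It assumes a steady-state Pr{no true demand-state} $= 1 - Q_t$ and a failed-state probability $Q_s(t) = 1 - \exp(-\lambda_s t)$ that is not repaired before detection; both are assumptions, not the paper's definitions.

```python
import math

# Added example, not the paper's code: Note 2 (A.1), Note 6 (A.2) and Eq. (17) (A.3)
# in one small model. Rates are per hour. ASSUMED (not from the paper):
#   Pr{no true demand-state at time t} = 1 - Q_t (steady state),
#   Q_s(t) = 1 - exp(-lambda_s t) for a failed state that is not repaired before detection.

def demand_state_prob(lambda_d, mu_d):
    """Postulate 2: Q_d = lambda_d / (lambda_d + mu_d)."""
    return lambda_d / (lambda_d + mu_d)

def true_demand_rate(k, lambda_d, mu_d):
    """Note 2: the lambda_t for which Q_t = lambda_t/(lambda_t + mu_d) equals k*Q_d."""
    return k * lambda_d * mu_d / ((1.0 - k) * lambda_d + mu_d)

def note2_residual(k, lambda_d, mu_d):
    """Numerical check of A.1: Q_t built from lambda_t minus k*Q_d (should be ~0)."""
    lt = true_demand_rate(k, lambda_d, mu_d)
    return lt / (lt + mu_d) - k * demand_state_prob(lambda_d, mu_d)

def mean_time_between_detections(k, d, q_d, T):
    """Note 6: T_a = [1 - {k + d(1-k)} Q_d] T."""
    return (1.0 - (k + d * (1.0 - k)) * q_d) * T

def w1_numeric(k, d, lambda_d, mu_d, lambda_s, T, n=20000):
    """Eq. (17): w_1 = (1/T) * int_0^{T_a} Q_s(t) Pr{no true demand-state} lambda_t dt,
    by the trapezoidal rule. The (T_a, T] term is omitted because Q_s(t) = 0 there."""
    q_d = demand_state_prob(lambda_d, mu_d)
    q_t = k * q_d
    lt = true_demand_rate(k, lambda_d, mu_d)
    ta = mean_time_between_detections(k, d, q_d, T)
    f = lambda t: (1.0 - math.exp(-lambda_s * t)) * (1.0 - q_t) * lt
    h = ta / n
    s = 0.5 * (f(0.0) + f(ta)) + sum(f(i * h) for i in range(1, n))
    return s * h / T

def w1_closed(k, d, lambda_d, mu_d, lambda_s, T):
    """The same integral in closed form for the assumed Q_s(t); cross-checks w1_numeric."""
    q_d = demand_state_prob(lambda_d, mu_d)
    lt = true_demand_rate(k, lambda_d, mu_d)
    ta = mean_time_between_detections(k, d, q_d, T)
    area = ta - (1.0 - math.exp(-lambda_s * ta)) / lambda_s  # int_0^{T_a} (1 - e^{-lambda_s t}) dt
    return area * (1.0 - k * q_d) * lt / T

if __name__ == "__main__":
    # Constructed parameters: k = 0.5, demands at 1e-3/h completed at 1/h, d = 0.5,
    # dangerous failure rate 1e-5/h, proof-test interval T = 8760 h (one year).
    print(w1_numeric(0.5, 0.5, 1e-3, 1.0, 1e-5, 8760.0))
```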
