P9: a comparison between RBD and Markov models for the analysis of Safety Instrumented Systems

•  In low demand, the parameter used to indicate the Unreliability of a safety function is the Average Probability of Dangerous Failure on Demand 〖PFD〗_avg, equation (2)

• In High Demand mode of operation, the Unreliability is specified by the Average Frequency of a Dangerous Failure per Hour (or), equation (3).

The distinction between low and high demand, is quantified by the normative in the value of one request per year.

Table 1: Relationship between performance levels (PL) and safety integrity levels (SIL).

The normative related to process industry is IEC 61511, which does not contain any formula but defines what must be achieved to meet the requirements of IEC 61508 in a process sector application (typically in low demand mode of operation).

The highest level that can be claimed by a safety related control system (SCS) is limited by a combination of redundancy, detection and component reliability.

To facilitate the design or the assessment of the achieved SIL or PL, the standards employ a methodology based on the categorization of architectures, with specific design criteria and behaviour under faults conditions (redundancy). These categories represent the ways in which achieve a specific SIL or PL of a subsystem, in other terms they describe the required behaviour of the subsystem with respect to its resistance to faults.

Except ISO 13849-1, which applies Markov chains models, the standards analyzed deal with the quantification of safety parameters using Reliability Block Diagrams (RBDs).

IEC 61508-6 provides approximation formulas for the  and  (low and high demand mode of operations) of simple configurations with no more than three ch

Except ISO 13849-1, which applies Markov chains models, the standards analyzed deal with the quantification of safety parameters using Reliability Block Diagrams (RBDs).

IEC 61508-6 provides approximation formulas for the  and  (low and high demand mode of operations) of simple configurations with no more than three channels.

The main idea of the IEC 61508-6 formulas is to treat a voted group of channels as if the group were a single item. This calculation is based on the average dangerous group failure frequency  and the group-equivalent mean downtime  , defined differently for low and high demand.

IEC 62061 is based on RBD graphical representations, where the PFH value of the safety function is given by the sum of the PFH values of all subsystems involved in performing the safety function. Another standard that follows this method is IEC DTS 63394.

The feasibility of a standard RBD approach is based on a few coherent simplifications on the nature of our safety related systems, which represents also its limitation in comparison with the complete Markov methods.

nnels.

The main idea of the IEC 61508-6 formulas is to treat a voted group of channels as if the group were a single item. This calculation is based on the average dangerous group failure frequency  and the group-equivalent mean downtime  , defined differently for low and high demand.

IEC 62061 is based on RBD graphical representations, where the PFH value of the safety function is given by the sum of the PFH values of all subsystems involved in performing the safety function. Another standard that follows this method is IEC DTS 63394.

The feasibility of a standard RBD approach is based on a few coherent simplifications on the nature of our safety related systems, which represents also its limitation in comparison with the complete Markov methods.

Figure 1: RBD (IEC DTS 63394) and Markov (IEC 62061) models comparison for 1oo1D at variable

The discrepancy between RBD and Markov increases as the reliability of the elements worsens. Expanding our comparison range to higher values of λ_D, for example between 10^(-6) and 10^(-4) 1/h , as in figure 2, leads RBD model to generates meaningless negative PFH values. This dynamic is attributable to the model applied to include Common Cause Failures (CCFs). This effect is also shown when β varies at fixed λ_D (figure 3).

Figure 2: RBD (IEC DTS 63394) and Markov (IEC 62061) models comparison for 1oo1D at high λ_D values.

Figure 3: RBD (IEC DTS 63394) and Markov (IEC 62061) models comparison for 1oo1D with variable β .

For the double channel configuration with diagnostic (1oo2D), both models remain adherent (figure 4).

Figure 4: RBD (IEC DTS 63394) and Markov (ISO TC-199) models comparison for 1oo2D at variable λ_D .

The variation of DC and  (in 1oo1D) does not influence the relation between RBD and Markov.

Figure 5: 1oo2 and 1oo2D with internal fault handling models comparison.

The construction of a model that considers the Fault Handling Function as external (i.e. subjected to failure), complex from a mathematical point of view, would produce worsening curves in the safety performance of the architecture. In particular, these new curves would move, for each model considered, the closer to the double channel without diagnostics (1oo2), the higher the failure rate of the diagnostics itself. The extent of this expected deviation compared to the ideal model must be consistent with what is shown by the comparison between the external and internal diagnostic models for the single channel, according to the models prescribed by the standards.
If we excluded the relationship produced by IEC 61508-6, because of the difference with the IEC DTS 63394 and Markov models (which coincide each other), as observed in the comparison in section 6. the new model will produce a curve included between the curves in black and the curve in blue (figure 5).
An interesting solution, in the absence of a precise mathematical model, can derive from the analysis of the only equation to involve a concept of efficiency linked to diagnostics: that of IEC 61508.
Among the components of the proposed formula, a term K is presented as the Fraction of the Success of the Autotest circuit in the 1oo2D systems, an efficiency quantifying the effectiveness of the detection/reaction mechanism. With this parameter is built a term 2(1-K) λ_Dd that add to PFH a contribute due to the non-ideality of the diagnostic, with which the output may remain on the 2oo2 voting even with one channel detected as faulty. Where λ_Dd represent the fraction of dangerous failure that could be detected by the diagnostic, without degrading the safety performances.

The RBD based model modified as above is reported in equation (5).

IEC 61508-6 prescribes the precise estimation of this parameter K through an FMEA analysis.

Without precise information on the frequency of failure of the diagnostic, it is possible to hypothesize a coherent investigation K value, which helps to outline a range of variability for the parameter itself.

Since the monitoring channel is born with this specific function, it is reasonable to expect a high efficiency.

It should also be remembered that the new model will have to operate a reduction of the PFH term with respect to the internal diagnostics that is smaller, in percentage terms, than what happens in the single channel.

If we compare the two structures, 1oo1D and 1oo2D, both with diagnostics external to the functional channel, the diagnostic mechanism for the single channel is fundamental to bring the system to the safe state, while in the dual channel this function is achieved by redundancy.

A conservative value to investigate the applicability of this parameter can be chosen as K=0.99.

In figure 6 it is possible to observe how the new model is positioned in the interval between the curves, as searched and described previously.

As the efficiency K decreases the more failures (that normally could be detected and does not participate in terms of safety) are accounted, shifting the curve upwards and producing higher PFH values.

Raising this curve too much, however, as for example using a K between 0.95 and 0.98, would theoretically attribute too much importance to the term PFH linked to diagnostics. Contrary to what happens with dual channel systems, where in presence of a redundancy, the failure of one of the two diagnostic functions could be compensated. Unlike what is observed in the single channel, which model’s comparison is shown as example in figure 7. In this case, the reliability of the diagnostic plays a crucial role in the implementation of the safety function.

Figure 7: 1oo1 and 1oo1D with external and internal fault handling models comparison.