Last edit: 21/08/2025
The Maclaurin series and the Failure in Time (FIT)
Mathematically, it can be shown that certain functions can be approximated by a series of simpler functions. In particular, e^x can be expanded as a so-called Maclaurin series:
In case x <<1,
This means that the Reliability R(t) and Unreliability F(t) functions can be approximated as
The Failure Rate λ has the unit of inverse time; it is common practice to express it in "failures per billion (10^9) hours". This unit is known as FIT: Failure in Time.
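As an added worked derivation, not part of the original page, here is the expansion and the two approximations written out with the symbols used above, assuming a constant failure rate λ (so that R(t) = e^{-λt}):

```latex
e^{x} = \sum_{n=0}^{\infty} \frac{x^{n}}{n!} = 1 + x + \frac{x^{2}}{2!} + \frac{x^{3}}{3!} + \dots

\text{For } |x| \ll 1 \text{ the terms of order } x^{2} \text{ and higher are negligible: } e^{x} \approx 1 + x.

\text{With } x = -\lambda t: \qquad
R(t) = e^{-\lambda t} \approx 1 - \lambda t, \qquad
F(t) = 1 - R(t) = 1 - e^{-\lambda t} \approx \lambda t.

\text{First neglected term: } F(t) - \lambda t \approx -\frac{(\lambda t)^{2}}{2},
\text{ i.e. a relative error of about } \frac{\lambda t}{2}
\text{ (about 5\% at } \lambda t = 0.1).

\text{Units: } 1\,\text{FIT} = 10^{-9}\,\text{h}^{-1}, \text{ so }
\lambda = 5000\,\text{FIT} = 5 \times 10^{-6}\,\text{h}^{-1}
\text{ and after one year (8760 h) } \lambda t = 0.0438, \; F(t) \approx 4.4\%.
```

The relative-error line is the practical meaning of "λ·t << 1": the linear form always overestimates F(t), and the overestimate grows linearly with λ·t.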
Reliability Functions in Low and High Demand mode
Functional safety was born with the reliability of Safety-related Control Systems in mind: systems designed to be activated upon hazardous process deviations. Each such deviation is a process demand, and the frequency of demands is the Demand Rate on the safety system that protects people, the environment and material assets.
The parameter used to indicate the reliability of a Safety-related Control System is the Unreliability function F(t). More precisely, two forms of F(t) are used, depending on whether the safety system works in Low or in High demand mode. To give an example, a car airbag operates in low demand mode, since it may remain inactive for years until a demand occurs (a car crash).
For low demand mode safety systems, F(t) is expressed as the PFDavg:
[IEC 61508-4] 3.6 Fault, failure and error
3.6.18 Average probability of dangerous failure on demand (PFDavg). Mean unavailability (see IEC 60050-191) of an E/E/PE safety-related system to perform the specified safety function when a demand occurs from the EUC or EUC control system
The PFD
The PFD(t) is the unreliability function F(t) used in low demand mode. Its definition follows, assuming a constant failure rate λ:
[IEC 61508-4] 3.6 Fault, failure and error
3.6.17 Probability of dangerous failure on demand (PFD). Safety unavailability (see IEC 60050-191) of an E/E/PE safety-related system to perform the specified safety function when a demand occurs from the EUC or EUC control system
Therefore, the instantaneous unreliability PFD(t) describes the probability that a safety system is not in a state to perform its required function, under given conditions, at a given instant of time, assuming that the required external resources are provided. Again, it is what we have called F(t) so far.
Consider, for example, a valve with λ = 50,000 FIT; its PFD(t) is shown in figure 1.32 {1.10.1.1}. As you can see, the unreliability increases with time: after 2 years (17,520 hours) PFD ≈ 58%, and after 4 years (35,040 hours) PFD ≈ 83%.
With λ = 5,000 FIT, a more realistic value, PFD(t) is shown in figure 1.33 {1.10.1.2}. First of all, the PFD is much lower: after 2 years PFD ≈ 8.4% and after 4 years PFD ≈ 16% (the linear approximation λ·t gives 8.8% and 17.5%). Moreover, since λ·t << 1, the function can be approximated by the straight line PFD(t) ≈ λ·t.
As both graphs show, system unreliability increases with time. Going back to the airbag example, this means that its probability of failing on demand is very low when the car is new and increases month by month. The same holds for every element of a Safety Instrumented System (SIS), which is made up of one or more sensors, a logic solver and one or more actuators.
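The two curves discussed above can be reproduced numerically. The following Python script is an added example, not part of the original article; it assumes only a constant failure rate (so F(t) = 1 - e^(-λt)) and the FIT unit defined earlier, and it also quantifies how large λ·t may grow before the linear approximation λ·t exceeds a chosen relative error.

```python
"""PFD(t) of a single element with a constant dangerous failure rate.

Added example (not from the original article). Reproduces the two curves
discussed in the text (lambda = 50,000 FIT and 5,000 FIT) and quantifies
when the linear approximation PFD(t) ~ lambda*t is acceptable.
"""
import math

FIT = 1e-9            # 1 FIT = one failure per 1e9 hours
HOURS_PER_YEAR = 8760


def pfd_exact(lambda_per_hour, t_hours):
    """Unreliability F(t) = 1 - R(t) = 1 - exp(-lambda*t) (constant failure rate)."""
    return 1.0 - math.exp(-lambda_per_hour * t_hours)


def pfd_linear(lambda_per_hour, t_hours):
    """First-order Maclaurin approximation F(t) ~ lambda*t, valid for lambda*t << 1."""
    return lambda_per_hour * t_hours


def relative_error(lambda_per_hour, t_hours):
    """(linear - exact) / exact; the linear form always over-estimates F(t)."""
    exact = pfd_exact(lambda_per_hour, t_hours)
    return (pfd_linear(lambda_per_hour, t_hours) - exact) / exact


def max_lambda_t_for_error(max_rel_error):
    """Largest lambda*t for which the linear form stays within max_rel_error.

    The relative error x -> (x - (1 - e^-x)) / (1 - e^-x) increases with x,
    so a plain bisection on x is enough.
    """
    lo, hi = 1e-9, 10.0
    for _ in range(100):
        mid = (lo + hi) / 2.0
        err = (mid - (1.0 - math.exp(-mid))) / (1.0 - math.exp(-mid))
        if err > max_rel_error:
            hi = mid
        else:
            lo = mid
    return lo


def pfd_table(lambda_fit, years=(2, 4)):
    """Exact vs linear PFD at the given ages for a failure rate given in FIT."""
    lam = lambda_fit * FIT
    rows = []
    for y in years:
        t = y * HOURS_PER_YEAR
        rows.append({
            "years": y,
            "lambda_t": lam * t,
            "exact": pfd_exact(lam, t),
            "linear": pfd_linear(lam, t),
            "rel_error": relative_error(lam, t),
        })
    return rows


if __name__ == "__main__":
    for lambda_fit in (50_000, 5_000):
        print(f"lambda = {lambda_fit:,} FIT")
        for r in pfd_table(lambda_fit):
            print(f"  {r['years']} years: lambda*t = {r['lambda_t']:.3f}  "
                  f"exact = {r['exact']:.1%}  linear = {r['linear']:.1%}  "
                  f"error = {r['rel_error']:+.0%}")
    print(f"linear form within 5% for lambda*t <= {max_lambda_t_for_error(0.05):.3f}")
```

For λ = 50,000 FIT the linear form λ·t reaches 100% after about 2.3 years, which is why that curve cannot be linearised at all; for 5,000 FIT the over-estimate is about 4% at 2 years and 9% at 4 years. The bisection confirms the rule of thumb from the series expansion: λ·t ≤ 0.1 keeps the linear form within 5%.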
The Protection Layers
A Safety Instrumented System (SIS) may fail while in its passive state, and the failure may remain hidden until a demand occurs from the process or until the system is tested.
Let's suppose the pressure in a vessel is measured by a pressure transmitter and the process control system has to keep the value around a certain set point.
If the pressure rises above a certain threshold, a high-pressure alarm (PSH) is generated. If the value goes "out of control", a safety pressure switch set at the high-high threshold (PSHH) shuts down the process (figure 7).
We see that there are two protection layers: a Control layer and a Safety layer. They normally do not share field components. In our example, the pressure transmitter belongs to the Control layer, while the safety pressure switch belongs to the Safety layer.
Testing of the Safety Instrumented System
Safety Instrumented Systems are normally dormant and their failure may remain undetected, or hidden, until there is a demand upon them (a high temperature or pressure, for example) or until the system is tested if it is still working properly.
There are two types of tests that can be done on such systems.
Diagnostic Testing. These tests are run automatically by the component itself, by the logic solver or by other elements of the safety system. The fraction of failures that this automatic testing reveals is called Diagnostic Coverage (DC). Failures that can be detected in this way are called Detectable; the remaining ones are called Undetectable.
Function Testing. The objective of function testing is above all to reveal the undetectable failures and to verify that the system is still able to perform its required function should a process demand occur. Function testing, called Proof Test in IEC 61508, is normally done manually, or at least initiated manually. The time interval between two function tests is indicated as Ti and, in the case of a perfect Proof Test, the item is considered "as new" after the test. Please refer to chapter 3 for the definition of Proof Test and further details.
Do not confuse Function Test with Functional Test. In the literature you may find the Proof Test called a Function Test or a Periodic Test, while diagnostic testing is sometimes called a Functional Test.
The average PFD (PFDavg)
The Average PFD is defined as
Ti is the interval between function tests. The PFD(t) of a periodically tested SIF is a saw-tooth curve, with the probability ranging from a minimum just after a test to a maximum just before the next one.
Its average value, or PFDavg, is represented in Figure 1.36 {1.10.2.1}.
Dangerous Failures
When dealing with Safety Critical Systems, the failures that matter are the dangerous ones. These can be divided into Dangerous Detectable by the diagnostic tests and Dangerous Undetectable.
Dangerous Undetected failures (DU) prevent the activation of the safety system on demand and are also called dormant failures.
Dangerous Detected failures (DD) may be found immediately when they occur, for example by an automatic built-in self-test. A short circuit on a normally closed volt-free contact can be revealed by the so-called "trigger" function, now available in almost all Safety-related Control Systems (chapter 3).
In low demand mode, Dangerous Detected failures play practically no role in the unreliability of a safety system, provided that, as is usually the case, they are acted upon as soon as they are detected and the process is immediately brought to the safe state (if instead the process is kept running during repair, the DD failures contribute for the duration of the repair). Under that condition the only significant failures influencing the value of PFDavg are the DU failures. Therefore, Equation 1.10.2 can be written as:
The test interval Ti is chosen on the basis of the demand rate, so that there is a fair chance that a Dangerous Undetected fault is revealed and corrected before a demand occurs, and the hazardous event is thus avoided.
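The saw-tooth curve, its average and the role of DD versus DU failures can be checked numerically. The following Python script is an added example, not part of the original article. It assumes the usual simplified single-channel model rather than anything stated in the text: a constant dangerous failure rate λD split by the Diagnostic Coverage into λDD = DC·λD and λDU = (1 - DC)·λD, DD failures acted upon immediately, and a perfect proof test every Ti hours. Under those assumptions the time average of PFD(t) = 1 - e^(-λDU·t) over one interval is 1 - (1 - e^(-λDU·Ti))/(λDU·Ti), which for λDU·Ti << 1 reduces to λDU·Ti/2. The function pfd_avg_with_repair adds the repair-time terms of the simplified 1oo1 formula of IEC 61508-6, λDU·(Ti/2 + MRT) + λDD·MTTR, to show when DD failures stop being negligible: the statement in the text holds when the detected failure brings the process to the safe state, i.e. when MTTR is effectively zero.

```python
"""PFDavg of a periodically proof-tested single channel.

Added example (not from the original article). Assumptions, stated here
rather than taken from the text: constant dangerous failure rate split by
the Diagnostic Coverage into lambda_DD and lambda_DU, DD failures acted
upon immediately, perfect proof tests every Ti hours ('as new' afterwards).
"""
import math

FIT = 1e-9   # 1 FIT = one failure per 1e9 hours


def split_dangerous_rate(lambda_d_fit, dc):
    """Return (lambda_DD, lambda_DU) in 1/h from a dangerous rate in FIT and a DC."""
    lam = lambda_d_fit * FIT
    return dc * lam, (1.0 - dc) * lam


def pfd_sawtooth(lambda_du, ti_hours, t_hours):
    """Instantaneous PFD(t), restarting from 0 after each perfect proof test."""
    return 1.0 - math.exp(-lambda_du * (t_hours % ti_hours))


def pfd_avg_closed_form(lambda_du, ti_hours):
    """Exact time average of 1 - exp(-lambda t) over one test interval:
    (1/Ti) * integral_0^Ti (1 - e^{-lambda t}) dt = 1 - (1 - e^{-lambda Ti}) / (lambda Ti)."""
    x = lambda_du * ti_hours
    return 1.0 - (1.0 - math.exp(-x)) / x


def pfd_avg_linear(lambda_du, ti_hours):
    """Usual simplified result for lambda_DU * Ti << 1: PFDavg ~ lambda_DU * Ti / 2."""
    return lambda_du * ti_hours / 2.0


def pfd_avg_numeric(lambda_du, ti_hours, steps=10_000):
    """Midpoint-rule average of the saw-tooth over one interval (sanity check)."""
    dt = ti_hours / steps
    total = sum(pfd_sawtooth(lambda_du, ti_hours, (k + 0.5) * dt) for k in range(steps))
    return total * dt / ti_hours


def pfd_avg_with_repair(lambda_du, lambda_dd, ti_hours, mrt_hours, mttr_hours):
    """Simplified 1oo1 formula of IEC 61508-6 (assumption: linear regime).

    lambda_DU * (Ti/2 + MRT) + lambda_DD * MTTR. With MTTR = 0 (detected
    failure puts the process in the safe state) only the DU term survives.
    """
    return lambda_du * (ti_hours / 2.0 + mrt_hours) + lambda_dd * mttr_hours


def max_test_interval(lambda_du, pfd_avg_target):
    """Largest Ti (hours) keeping the closed-form PFDavg at or below the target.

    pfd_avg_closed_form increases with Ti, so bisection on [1 h, 1e7 h] works.
    """
    lo, hi = 1.0, 1e7
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if pfd_avg_closed_form(lambda_du, mid) > pfd_avg_target:
            hi = mid
        else:
            lo = mid
    return lo


if __name__ == "__main__":
    # Constructed figures: lambda_D = 5,000 FIT, DC = 60 %, yearly proof test.
    lam_dd, lam_du = split_dangerous_rate(5_000, 0.60)
    ti = 8760
    print(f"lambda_DD = {lam_dd:.2e} /h, lambda_DU = {lam_du:.2e} /h")
    print(f"PFDavg exact   = {pfd_avg_closed_form(lam_du, ti):.5f}")
    print(f"PFDavg linear  = {pfd_avg_linear(lam_du, ti):.5f}")
    print(f"PFDavg numeric = {pfd_avg_numeric(lam_du, ti):.5f}")
    print(f"with MTTR = 8 h = {pfd_avg_with_repair(lam_du, lam_dd, ti, 0, 8):.5f}")
    print(f"Ti for PFDavg <= 1e-2: {max_test_interval(lam_du, 1e-2):.0f} h")
```

With the constructed figures the three averages agree to better than 1%, and the saw-tooth after one year restarts from zero exactly as figure 1.36 describes. Shortening Ti is the lever the text refers to: halving Ti halves PFDavg in the linear regime. The repair-time variant shows why the DD term is usually dropped: with an 8 h MTTR it changes PFDavg by about 0.3% for these numbers, but it would matter for a high DC combined with a long repair during which the process keeps running.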
Conclusion
In this first part, we introduced the concepts of the Unreliability function F(t) and of the Reliability function R(t). The former is the basis of the parameter PFD(t) and of the one used to indicate the reliability of a Safety Instrumented Function (SIF): the average PFD, or PFDavg.
In the article that will be published in the next edition of Tutto Misure we will show how to calculate in practice the PFDavg.