Presents the theory and methodology for reliability assessments of safety-critical functions through examples from a wide range of applications

Reliability of Safety-Critical Systems: Theory and Applications provides a comprehensive introduction to reliability assessments of safety-related systems based on electrical, electronic, and programmable electronic (E/E/PE) technology. With a focus on the design and development phases of safety-critical systems, the book presents theory and methods required to document compliance with IEC 61508 and the associated sector-specific standards. Combining theory and practical applications, Reliability of Safety-Critical Systems: Theory and Applications implements key safety-related strategies and methods to meet quantitative safety integrity requirements. In addition, the book details a variety of reliability analysis methods that are needed during all stages of a safety-critical system, beginning with specification and design and advancing to operations, maintenance, and modification control. The key categories of safety life-cycle phases are featured, including strategies for the allocation of reliability performance requirements; assessment methods in relation to design; and reliability quantification in relation to operation and maintenance.
Issues and benefits that arise from complex modern technology developments are featured, as well as:
* Real-world examples from large industry facilities with major accident potential and products owned by the general public such as cars and tools
* Plentiful worked examples throughout that provide readers with a deeper understanding of the core concepts and aid in the analysis and solution of common issues when assessing all facets of safety-critical systems
* Approaches that work on a wide scope of applications and can be applied to the analysis of any safety-critical system
* A brief appendix of probability theory for reference

With an emphasis on how safety-critical functions are introduced into systems and facilities to prevent or mitigate the impact of an accident, this book is an excellent guide for professionals, consultants, and operators of safety-critical systems who carry out practical, risk, and reliability assessments of safety-critical systems. Reliability of Safety-Critical Systems: Theory and Applications is also a useful textbook for courses in reliability assessment of safety-critical systems and reliability engineering at the graduate level, as well as for consulting companies offering short courses in reliability assessment of safety-critical systems.
Page count: 724
Publication year: 2014
Contents
Cover
Half Title page
Title page
Copyright page
Dedication
Preface
Acknowledgements
Chapter 1: Introduction
1.1 Introduction
1.2 Objectives and Scope
1.3 Functional Safety Standards
1.4 The Main Elements of a SIS
1.5 A Brief History
1.6 Structure of the Book
1.7 Additional Reading
Chapter 2: Concepts and Requirements
2.1 Introduction
2.2 System Hardware Aspects
2.3 Safety-Instrumented Functions
2.4 Modes of Operation
2.5 Safe State
2.6 Demands and Demand Rate
2.7 Testing of Safety-Instrumented Functions
2.8 Safety Integrity Levels (SILs)
2.9 Safety Life Cycle
2.10 Reliability of Safety-Instrumented Systems
2.11 Functional Safety Certificates
2.12 Safety Analysis Report
2.13 Functional Safety Assessment
2.14 Reliability and Decision-Making
2.15 Additional Reading
Chapter 3: Failures and Failure Analysis
3.1 Introduction
3.2 Failures and Failure Modes
3.3 Failure Causes and Mechanisms
3.4 Failure Effects
3.5 Failure/Fault Classification
3.6 FMECA
3.7 FMEDA
3.8 Additional Reading
Chapter 4: Testing and Maintenance
4.1 Introduction
4.2 Testing
4.3 Maintenance
4.4 Additional Reading
Chapter 5: Reliability Quantification
5.1 Introduction
5.2 Reliability Block Diagrams
5.3 Fault Tree Analysis
5.4 The Beta-Factor Model
5.5 Markov Approach
5.6 Petri Net Approach
5.7 Additional Reading
Chapter 6: Reliability Data Sources
6.1 Introduction
6.2 Types of Data
6.3 Failure Modes
6.4 Generic Failure Rate Sources
6.5 Plant-Specific Reliability Data
6.6 Data Dossier
6.7 Additional Reading
Chapter 7: Demand Modes and Performance Measures
7.1 Introduction
7.2 Mode of Operation According to the IEC Standards
7.3 Functional Categories
7.4 Operational Strategies
7.5 Reliability Measures
7.6 PFDavg versus PFH
7.7 Placement of the SIF
7.8 Analytical Methods
7.9 Assumptions and Input Data
7.10 Additional Reading
Chapter 8: Average Probability of Failure on Demand
8.1 Introduction
8.2 Reliability Block Diagrams
8.3 Simplified Formulas
8.4 The IEC 61508 Formulas
8.5 The PDS Method
8.6 Fault Tree Approach
8.7 Markov Approach
8.8 Petri Net Approach
8.9 Additional Reading
Chapter 9: Average Frequency of Dangerous Failures
9.1 Introduction
9.2 Frequency of Failures
9.3 Average Frequency of Dangerous Failures (PFH)
9.4 Simplified PFH Formulas
9.5 The IEC 61508 Formulas
9.6 Alternative IEC Formulas
9.7 The PDS Method
9.8 Fault Tree Approach
9.9 Markov Approach
9.10 Petri Net Approach
9.11 PFDavg or PFH?
9.12 Additional Reading
Chapter 10: Common-Cause Failures
10.1 Introduction
10.2 Causes of CCF
10.3 Defenses Against CCF
10.4 Explicit Versus Implicit Modeling
10.5 The Beta-Factor Model
10.6 The Binomial Failure Rate Model
10.7 Multiplicity of Faults
10.8 The Multiple Beta-Factor Model
10.9 CCF Modeling with Petri Nets
10.10 CCFs Between Groups and Subsystems
10.11 Additional Reading
Chapter 11: Imperfect Proof-Testing
11.1 Introduction
11.2 Proof Test Coverage
11.3 Splitting the Failure Rate
11.4 Adding a Constant PFDavg
11.5 Nonconstant Failure Rates
11.6 Markov Models
11.7 Additional Reading
Chapter 12: Spurious Activation
12.1 Introduction
12.2 Main Concepts
12.3 Causes of Spurious Activation
12.4 Reliability Data for Spurious Operations
12.5 Quantitative Analysis
12.6 Additional Reading
Chapter 13: Uncertainty Assessment
13.1 Introduction
13.2 What Is Uncertainty?
13.3 Completeness Uncertainty
13.4 Model Uncertainty
13.5 Parameter Uncertainty
13.6 Concluding Remarks
13.7 Additional Reading
Chapter 14: Closure
14.1 Introduction
14.2 Which Approach Should Be Used?
14.3 Remaining Issues
14.4 A Final Word
Appendix A: Elements of Probability Theory
A.1 Introduction
A.2 Probability
A.3 Discrete Distributions
A.4 Life Distributions
A.5 Repairable Items
Acronyms
Symbols
Bibliography
Index
RELIABILITY OF SAFETY-CRITICAL SYSTEMS
Copyright © 2014 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representation or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print, however, may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Cataloging-in-Publication Data:
Rausand, Marvin.
Reliability of safety-critical systems : theory and application / Marvin Rausand. pages cm. Includes bibliographical references and index. ISBN 978-1-118-11272-4 (cloth) — ISBN 978-1-118-77635-3 — ISBN 978-1-118-55340-4 (ePDF) — ISBN 978-1-118-55338-1 (ePub) — ISBN 978-1-118-55337-4 (eMOBI) 1. Reliability (Engineering) I. Title. TA169.R375 2013 620'.00452 — dc23 2013034448
To Hella, Guro, Idunn, and Emil
PREFACE
This book provides an introduction to reliability assessment of safety-critical systems with a focus on safety-related systems that are based on electrical, electronic, and/or programmable electronic (E/E/PE) technology. Several international standards give requirements for the reliability, or safety integrity, of such systems. The most important of these standards is IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems. This standard introduces several new features, the most noticeable being (i) the life cycle approach with requirements for each phase of the life cycle, and (ii) the classification of requirements into four distinct safety integrity levels (SILs).
The standard has seven parts, is very comprehensive, and may be difficult to fully understand. As a performance-based standard, methods and formulas are just suggested and explanations and justifications are lacking. An objective of this book is therefore to introduce, describe, and extend these methods and formulas, explain how they can be used, and highlight their limitations.
IEC 61508 gives general requirements for E/E/PE safety-related systems and was developed as a basis for more detailed sector-specific standards. Several sector-specific standards have been developed, such as IEC 61511 for the process industry, IEC 62061 for machinery systems, IEC 61513 for the nuclear power industry, and ISO 26262 for the automotive industry. The intention was to obtain a unifying system of standards, but the terminology and the suggested approaches are not fully consistent across the various standards. This book focuses on IEC 61508 and the sector-specific standard for the process industry, IEC 61511.
The book concentrates on quantitative reliability analysis of the hardware of E/E/-PE safety-related systems. It does not treat software issues, human and organizational aspects, or the qualitative requirements of the standards. It is therefore not at all a replacement for IEC 61508 and its sector-specific standards, but I hope that the book will be regarded as a helpful supplement to the standards to meet the quantitative safety integrity requirements.
Many of the approaches described in this book are general and can be applied to analyze any safety-critical system, including those that are not based on E/E/PE technology. I therefore hope that this book will be of interest to a wide range of reliability engineers, also to those working outside the scope of IEC 61508.
SIL analysis and verification of SIL are important topics in many industries and many engineers struggle to understand all the requirements and how to perform the required calculations. IEC 61508 requires in Part 1, paragraph 6.2 that all persons with responsibilities related to the development and use of E/E/PE safety-related systems shall have a sufficient competence (see also HSE, 2007). It is my hope that this book contributes to obtaining this competence and makes life easier for reliability engineers. The book is mainly aimed at engineers who are developing E/E/PE safety-related systems, with main roles as system designers, system integrators, and functional safety assessors. The book does not explicitly treat SIL in operation, but may all the same be useful for end-users of safety-related systems.
The technical report ISO/DTR 12489 is currently being developed with a scope similar to this book. The technical report (TR) is written as a guideline for the petroleum, petrochemical, and natural gas industries. Unfortunately, I did not see a draft of this TR early enough to let it influence much of my presentation.
Since the book is aimed primarily at reliability engineers who carry out reliability assessments of practical E/E/PE safety-related systems, I have refrained from too much mathematical rigor and included a high number of worked examples. I have also refrained from theory and methods that are too difficult to understand or will require too much effort to use. I realize, however, that this may be a contested issue and that some readers will find the book too basic and others will find it far too advanced. Readers who find this book too basic may consult ISO/DTR 12489 for a more thorough treatment of some approaches, notably the Petri net approach and partly also the Markov approach.
When I started writing this book, I thought that I had adequate knowledge on reliability assessment of E/E/PE safety-related systems. After having read and re-read hundreds of research papers and reports, I realize that my knowledge is rather shallow, and I have again proved that “The more you understand, the more you realize that you do not understand.”
To fully appreciate the book, you should have a basic knowledge of probability theory. I have tried to reduce the use of difficult theory, but you still need to understand the basic concepts of probability theory. For this purpose, I have included a very brief introduction to probability theory as an appendix.
Comments to the Notation.
IEC 61508 is the main generic standard in this field, and I have carefully followed the terminology in this standard, with two notable exceptions:
General information and some useful mathematical results are presented in framed text-boxes, similar to the one you are reading now.
A large number of abbreviations and symbols are used in the book, and brief explanations are found as appendices.
I hope that you will enjoy reading this book as well as find it useful. I also hope that professors will find the book suitable as a textbook for courses in functional safety.
If you have questions or comments, you will find my email address on the book’s homepage http://www.ntnu.edu/ross/books/sis. On this homepage, you will also find slides, problems, and additional information related to the book.
M. RAUSAND
Trondheim, Norway
July 1, 2013
ACKNOWLEDGMENTS
This book started out as a joint project with Mary Ann Lundteigen. She has a master's degree in cybernetics and has been working with maintenance of safety-instrumented systems in the Norwegian offshore oil and gas industry. She returned to the university and took a PhD degree in reliability of safety-instrumented systems with me as supervisor. Thereafter, she got a postdoc position, and we started to plan this book. After the postdoc period, she became my colleague. Unfortunately, she decided to leave the university to start working in a consulting company (DNV). In her new position, she was no longer able to continue participating in the book project, and I decided to carry on alone. With her thorough knowledge and experience on safety-instrumented systems, Mary Ann has had a significant influence on the book, and I am very grateful for her contribution.
My colleague, Yiliu Liu, also started out as a PhD and a postdoc in reliability of safety-instrumented systems, under my supervision. Yiliu has helped me to write the sections in this book related to Petri net analysis and also inspired me through numerous related discussions. Another colleague, Professor Jørn Vatn, has tested a draft of the book in an industry course and given many helpful comments.
During the book project, the cooperation with PhD students Hui Jin, Inger Lise Johansen, and Yukun Wang has been a great inspiration. They have raised many challenging questions and put forward many proposals.
Many students have written their master’s theses related to reliability assessment of safety-instrumented systems, often in cooperation with industry. It has been inspiring to work with all of them.
During the book project, I read many scientific papers and reports. I have tried to process, combine, and reformulate the information obtained in these sources and to give proper references. I hope that I have understood the messages in these sources, and that I have presented them in an acceptable way.
Many of the definitions used in the book are from the International electrotechnical vocabulary (IEV) http://www.electropedia.org. I appreciate the initiative of the International Electrotechnical Commission (IEC) to make this vocabulary freely available. References to the vocabulary are given in the text as IEV 191-xx-yy, where 191 refers to the chapter Dependability and quality of service, and xx-yy is the number of the definition.
The author thanks the International Electrotechnical Commission (IEC) for permission to reproduce information from International Standards IEC 61508-4 ed.2.0 (2010) and IEC 62551 ed. 1.0 (2012). All such extracts are copyright of IEC, Geneva, Switzerland. All rights reserved. Further information on the IEC is available from http://www.iec.ch. IEC has no responsibility for the placement and context in which the extracts and contents are reproduced by the author, nor is IEC in any way responsible for the other content or accuracy therein.
I thank SINTEF for the permission to reproduce Table 8.8 and Statoil for the permission to use the picture “Melkøya Snøhvit Winter morning light” by Øyvind Hagen on the front cover of the book.
Last, but not least, I am grateful to the editorial and production staff at John Wiley & Sons for their careful, effective, and professional work.
M.R.
The title of this book, Reliability of Safety-Critical Systems, embraces a wide range of issues and may be too broad to truly represent the content of the book. Our intuitive understanding of a safety-critical system is a system whose failure may lead to harm to people, economic loss, and/or environmental damage. Some failures may lead directly to undesired consequences, while other failures may increase the risk of damage.
Whether or not a system is considered to be safety critical depends on the possible consequences of its failure. If the failure can result in consequences that are judged to be unacceptable, we say that the system is safety-critical.
Safety-critical systems are used in many products and application areas. The safety-critical systems that are considered in this book are technical systems and may, or may not, involve human operator actions. The scope is delimited to systems that are designed to perform one or more safety functions. A safety function is usually implemented to protect against a specific undesired event that can cause harm. The system that is protected by the safety-critical system is called equipment under control (EUC). When the safety-critical system is medical equipment, the EUC may be a person.
Examples of safety-critical systems that may be assessed by the models and methods described in this book include:
An interlock is a device that is used to prevent a technical system (e.g., a machine) from harming people or damaging itself by stopping the system. An interlock can be a strictly mechanical item, such as a switch, but can also be rather sophisticated and based on infrared beams and photodetectors.
Consider an industrial robot that is used to stack boxes. The robot is often equipped with an interlocking system comprising a fence to avoid contact between moving parts of the robot and the human operator. If the operator opens the door, for example, to remove a misplaced box, the power is automatically isolated from the robot and the robot stops. Closing the door is normally not enough to re-power the robot. A reset button must also be pressed, to make sure that the operator has left the area inside the fence (e.g., see Department of Labour, 1987).
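The robot interlock just described has a property worth seeing as a state machine: opening the door isolates power, closing the door alone never restores it, and a reset is required before the robot runs again. The following Python model is an added illustration, not code from the book; its state names, the event vocabulary ("open", "close", "reset"), and the design decision that a reset pressed while the door is still open is ignored are assumptions made here for the example.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List


class State(Enum):
    """Interlock states (names are an assumption of this example)."""
    RUNNING = auto()              # door closed, robot powered
    TRIPPED_DOOR_OPEN = auto()    # door open, power isolated
    TRIPPED_DOOR_CLOSED = auto()  # door closed again, still isolated until reset


@dataclass
class Interlock:
    """Latching safety interlock for a fenced robot cell.

    Power is only enabled in RUNNING. A trip (door opened) is latched:
    the only way back to RUNNING is door closed followed by reset.
    """
    state: State = State.RUNNING
    history: List[str] = field(default_factory=list)

    @property
    def power_enabled(self) -> bool:
        return self.state is State.RUNNING

    def door_opened(self) -> None:
        # Opening the door always isolates power, whatever the current state.
        self.state = State.TRIPPED_DOOR_OPEN
        self.history.append("door opened -> power isolated")

    def door_closed(self) -> None:
        # Closing the door clears the door condition but does NOT re-power;
        # the trip stays latched until an explicit reset.
        if self.state is State.TRIPPED_DOOR_OPEN:
            self.state = State.TRIPPED_DOOR_CLOSED
            self.history.append("door closed -> awaiting reset")
        else:
            self.history.append("door closed -> no change")

    def reset_pressed(self) -> None:
        # Assumption of this example: reset is honoured only when the door is
        # already closed, so a reset with the door open cannot re-power the cell.
        if self.state is State.TRIPPED_DOOR_CLOSED:
            self.state = State.RUNNING
            self.history.append("reset -> power restored")
        else:
            self.history.append("reset -> ignored")


def run_sequence(events: List[str]) -> List[bool]:
    """Apply a sequence of events to a fresh interlock and return the
    power-enabled flag after each event."""
    handlers = {
        "open": Interlock.door_opened,
        "close": Interlock.door_closed,
        "reset": Interlock.reset_pressed,
    }
    lock = Interlock()
    power_after_each = []
    for event in events:
        handlers[event](lock)
        power_after_each.append(lock.power_enabled)
    return power_after_each


if __name__ == "__main__":
    # Constructed event sequences: the operator opens the fence door,
    # removes a misplaced box, closes the door, then presses reset.
    print(run_sequence(["open", "close", "reset"]))   # [False, False, True]
    # Pressing reset before the door is closed must not restore power.
    print(run_sequence(["open", "reset", "close"]))   # [False, False, False]
```

The point the model makes explicit is the latching behaviour: every path from a trip back to RUNNING passes through both a closed door and a reset, in that order, so a door sensor that merely reports "closed" can never re-energize the robot on its own.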
Another word in the title of the book is reliability. The reliability of an item is defined as “the ability of the item to perform a required function, under given environmental and operational conditions and for a stated period of time” (e.g., see Rausand & Høyland, 2004). The reliability of an item is always related to its required functions and it may therefore be more relevant to talk about the reliability of a function. In this book we are especially concerned about safety functions and the reliability of these functions. Several quantitative reliability measures for safety functions are defined and used in the following chapters.
A safety function that is performed by a safety-critical system may be categorized as follows:
Safety control function. A safety function that is a normal part of the operation of the EUC and/or integrated into the EUC control system (e.g., a railway signaling system, the braking system of an automobile).
Safety protective function. A dedicated safety function that is separate from the EUC control system and is only activated when the safety function is demanded (e.g., the ESD system in a process plant, the airbag system in an automobile).
Many safety-critical systems are based on electrical, electronic, or programmable electronic (E/E/PE) technology. The development of programmable electronics and computers continues at a fast pace, and the new technology gets more functions and becomes steadily cheaper, and finds its way into more and more advanced safety-critical systems.
In this book, we mainly consider safety-critical systems where E/E/PE technology plays an important role, often together with mechanical or other technology items. The important standard IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems designates these systems by the term E/E/PE safety-related systems. This term is long and difficult to pronounce, and the author therefore prefers to use the term safety-instrumented system (SIS), which is the corresponding term used in the process industry.
The IEC 61508 standard is introduced briefly in Section 1.3.1 and further discussed in Chapter 2. A notable feature of IEC 61508 is that it is risk-based, which means that reliability requirements for the E/E/PE safety-related systems (i.e., SISs) must be allocated based on the results from a risk analysis. We therefore start with a brief introduction to risk and risk analysis.
The term risk is complex and has been given a wide range of definitions (e.g., see Rausand, 2011). In this book, we define risk as the combined answer to the following three questions:
Continue reading in the full edition!