
Determination of the PFDavg (SIL) of a Safety Instrumented System (SIS)

Prepared for: Course on Risk Analysis and Functional Safety
Prepared by: Victor Machiavelo Salinas
Risk Software S.A. de C.V., www.risksoftware.com.mx
1. Introduction
The PFDavg value (Average Probability of Failure on Demand) is used in Functional Safety to determine the Safety Integrity Level (SIL; NIL in Spanish) that a Safety Instrumented System (SIS) provides for a given Safety Instrumented Function (SIF).
Figure #1 shows the relationship, for a Safety Instrumented System, between the demand rate (events/year) at which the process calls on the SIS because of an unsafe condition and the rate of final undesired events (events/year) that occur because of the inefficiency, failure or inability of the SIS.
The SIL level is a function of the numerical PFDavg value calculated for a SIS, in which we include the sensors (pressure, temperature, flow, etc.), the programmable logic solver and the final control elements (valves, motors, actuators, etc.).
The total PFDavg of a SIS is the algebraic sum of the average probability of failure on demand of the sensor, plus that of the logic solver, plus that of the final control element, as shown in figure #2.
To calculate the PFDavg of a SIS, the ANSI/ISA 84.01-2004 standard recommends three methods:
1. Simplified Equations (Reliability Block Diagrams)
2. Fault Tree Analysis (FTA)
3. Markov Models.
This technical report focuses on calculating the PFDavg with the first two methods, which are the most widely used in functional safety, noting that Markov models are more precise and can model systems over time, with sequences, and with repair.
Figure #1: Demand rate (D) -> SIS -> Event rate (H). PFDavg = H/D = 1/(Risk Reduction Factor)
Figure #2: SIS = Sensor + Logic Solver + Final Elements. PFDavg_Total = PFD_S + PFD_L + PFD_EF
2. System Failures
It is necessary to understand how systems and equipment fail, because the equations used to determine the PFDavg value depend directly on the failure mechanism of the sensors, logic solver and final elements.
Figure #3 shows the failure modes the components of a SIS can have.
MTBF = Mean Time Between Failures
MTTF = Mean Time To Fail
Overt Failure Modes:
These are also known as Revealed failures because they become known as soon as they occur; examples are the loss of a sensor's signal when the cables carrying the signal are cut, or the failure of the coil of a solenoid valve.
Overt failures normally produce a system response known as a Safe Failure, whose most common consequence is an emergency shutdown of the process. This is known as the Spurious Trip Rate. In many processes this condition is undesirable because it directly affects production or production time; in continuous processes such as the chemical or petroleum industries it is very costly, since restarting the process is neither easy nor quick; and in certain processes it can also be very dangerous, since shutting down inherently hazardous processes that handle large quantities of material and energy can create risky conditions for personnel, the environment and company assets.
The way to prevent this is to increase the fault tolerance of systems and equipment (redundancy). IEC 61511, clause 11.4, specifies the mechanisms and fault-tolerance levels for SIS.
Figure #3: Failure Modes
- Overt (revealed) failures: spurious trip rate λS = 1/MTBFsp; plant shutdown, the lost production must be lived with.
- Covert failures: dangerous trip rate λD = 1/MTTF; detected by diagnostics (remain at risk while repairing), detected by manual tests (the SIS is out of service during the tests), or not detected.
Covert Failure Modes:
Covert failures are dangerous failures until they are detected and corrected. The PFDavg calculation is based on this type of failure. Typically covert failures manifest in devices whose function is to generate or lead to the final event, such as the output devices of the PLC cards, the relay coil, the valve actuator or the logic of the controller. The main problem with these failures arises in devices that have not been operated for long periods of time. Three kinds of condition occur with covert failures:
1. Failures that can be detected by self-diagnostics.
2. Failures that can be found during a test period.
3. Failures that remain hidden, undetected in the system, until a failure on demand occurs.
Each of these failures contributes to the PFDavg of the SIS, and each requires a different reliability-calculation treatment.
The formulas for calculating systems based on self-diagnostics generally refer to programmable logic solvers, since these systems use advanced diagnostic techniques. In most systems, when we speak of diagnostics we are referring to the system's ability to perform tests without human intervention; these diagnostics, also called active diagnostics, are functional tests of the system state, for example toggling the position of the controller's output cards open/closed (On/Off) to prove that the system is able to bring the process to a safe condition. These tests are performed very quickly, generally in milliseconds, so that the tests themselves do not become a hazardous condition for the process.
Calculations:
The calculation of revealed failures (also called safe failures) is important from the standpoint of process operation: installing a safety system is a complicated and costly undertaking, and the last thing we want is for that system itself to create a potentially unsafe condition or to cause production or economic losses. The selection of a safety system without fault tolerance must be carefully evaluated from the standpoint of both safety and process operation; the design of the system under the life-cycle concept must include the cost of spurious trips and the costs associated with fault tolerance. Revealed failures also have two components, detectable safe failures and undetectable safe failures. The fact that both lead to a safe shutdown of the process minimizes the need to detail each one in a separate equation.
Covert failures (also called dangerous failures), as shown in figure #3, have two components:
1) Dangerous failures detected by self-diagnostics, which perform the test and the detection of errors and failures automatically. We associate these failures with complex systems such as logic solvers; however, in recent years some field devices such as sensors and valve actuators have incorporated high levels of self-diagnostics in their electronics. Typically the self-diagnostic test time is between 1 and 10 seconds.
2) Dangerous failures detected by manual tests, which cannot be performed by diagnostics and require the test and the diagnosis to be carried out manually. Typically the interval of these tests is much shorter than the MTBF; this type of test is associated with field devices and final control elements.
Figure #4 shows the different tests required by the different devices. There is a great difference between the equations used to model the PFDavg of sensors and final control elements and those used to model logic solvers, not only because the latter perform self-diagnostic tests but also because each system may contain different devices in different configurations and numbers (input and output modules, power supplies, processors, communications, etc.).
The equations for modeling programmable logic solvers are defined in detail in IEC 61508-6, Edition 2.0, 2010-04. Simplified equations for programmable logic solvers are also available, which make the determination of the PFDavg easier but less exact.
Figure #4: Test Requirements for Devices. Demand rate (D) -> Sensor (manual tests) -> Logic Solver (self-diagnostic tests) -> Final Elements (manual tests) -> Event rate (H)
3. Determination of the Spurious Trip Rate (STR)
Equations for determining the Spurious Trip Rate (STR).
As noted earlier, it is useful to know the spurious trip rate a system will have, since it lets us select systems according to the cost of tripping/shutting down a process because one of the components of the safety instrumented system has failed:

Architecture | Complex equation (ISA TR84.00.02 Part 2) | Simplified equation (ISA TR84.00.02 Part 2)
1oo1 | (Eq. No. 10) $STR = \lambda^{S} + \lambda^{DD} + \lambda^{S}_{F}$ | (Eq. No. 10a) $STR = \lambda^{S}$
1oo2 | (Eq. No. 11) $STR = 2(\lambda^{S} + \lambda^{DD}) + \beta(\lambda^{S} + \lambda^{DD}) + \lambda^{S}_{F}$ | (Eq. No. 11a) $STR = 2\lambda^{S}$
1oo3 | (Eq. No. 12) $STR = 3(\lambda^{S} + \lambda^{DD}) + \beta(\lambda^{S} + \lambda^{DD}) + \lambda^{S}_{F}$ | (Eq. No. 12a) $STR = 3\lambda^{S}$
2oo2 | (Eq. No. 13) $STR = 2(\lambda^{S} + \lambda^{DD})^{2} \times MTTR + \beta(\lambda^{S} + \lambda^{DD}) + \lambda^{S}_{F}$ | (Eq. No. 13a) $STR = 2(\lambda^{S})^{2} \times MTTR$
2oo3 | (Eq. No. 14) $STR = 6(\lambda^{S} + \lambda^{DD})^{2} \times MTTR + \beta(\lambda^{S} + \lambda^{DD}) + \lambda^{S}_{F}$ | (Eq. No. 14a) $STR = 6(\lambda^{S})^{2} \times MTTR$
2oo4 | (Eq. No. 15) $STR = 12(\lambda^{S} + \lambda^{DD})^{3} \times MTTR^{2} + \beta(\lambda^{S} + \lambda^{DD}) + \lambda^{S}_{F}$ | (Eq. No. 15a) $STR = 12(\lambda^{S})^{3} \times MTTR^{2}$

The equations in the table are quoted from ISA-TR84.00.02-2002 Part 2 (pages 27 and 28), which states them as follows.
(Eq. No. 9) $MTTF_{spurious} = 1/\lambda^{S}$
Where $\lambda^{S}$ is the safe or spurious failure rate for the component, $\lambda^{DD}$ is the dangerous detected failure rate for the component, and $\lambda^{S}_{F}$ is the safe systematic failure rate for the component.
The second term in Eq. No. 10 is the dangerous detected failure rate term and the third term is the systematic error rate term. The dangerous detected failure term is included in the spurious trip calculation when the detected dangerous failure puts that channel (of a redundant system) or system (if it is non-redundant) in a safe (de-energized) state. This can be done either automatically or by human intervention. If dangerous detected failure does not place the channel or system into a safe state, this term is not included in Equations 10 through 15.
In Equations 11 through 15 the second term is the common cause term and the third term is the systematic error rate term. Equation 13, as well as Equations 14 and 15, assumes that safe failures can be detected on-line. If safe failures can only be detected through testing or inspection, the testing (or inspection) interval TI should be substituted for MTTR.
NOTE The above equations apply to elements with the same failure rates. If elements with different failure rates are used, appropriate adjustments must be made (See ISA-TR84.00.02-2002, Part 5 for method).
SIS in the process industry typically must be taken out of service to make repairs when failures are detected unless redundancy of components is provided. Accounting for additional failures while repairs are being made is typically not considered due to the relatively short repair time. Common cause and systematic error are handled as described in 5.1.5. Therefore, the equations above can be reduced to the simplified forms, Eqs. No. 10a through 15a, given in the right-hand column of the table.
5.2.6 Combining spurious trip rates for components to obtain SIS MTTF_spurious
Once the sensor, final element, logic solver, and power supply portions are evaluated, the overall MTTF_spurious for the SIS being evaluated is obtained as follows:
(Eq. No. 16) $STR_{SIS} = \sum STR_{Si} + \sum STR_{Ai} + \sum STR_{Li} + \sum STR_{PSi} + \lambda^{S}_{F}$
NOTE The last term in the equation, the systematic failure term, is only used when systematic error has not been accounted for in individual component STR and the user desires to include an overall value for the entire system.
(Eq. No. 17) $MTTF_{spurious} = 1/STR_{SIS}$
The result is the MTTF_spurious for the SIS.
$\lambda^{S}$ is the safe or spurious failure rate of each component.
$\lambda^{DD}$ is the dangerous detected failure rate of each component.
$\lambda^{S}_{F}$ is the safe systematic failure rate of each component.
The final value of the spurious trip rate of the SIS (using the simplified equations) is the sum over each element of the system (CLP = programmable logic solver, EF = final element):
$STR_{SIS} = \sum STR_{Sensor} + \sum STR_{CLP} + \sum STR_{EF} + \lambda^{S}_{F}$
The MTTF (Mean Time To Fail) value is given by:
$MTTF_{spurious} = 1/STR_{SIS}$
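The STR equations of this section (Eqs. No. 10 through 17) worked in Python, as an added example that is not part of the original report or of ISA TR84.00.02; the per-hour failure rates, β and MTTR are constructed sample values, and the ARCH_TERMS table and function names are this example's own.

```python
"""Spurious trip rate (STR) of SIS voting architectures, following the
equations quoted above from ISA-TR84.00.02-2002 Part 2 (Eqs. 10-17).
Added example; the numeric rates used are constructed, not device data."""
import math
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class ChannelRates:
    """Per-channel rates of one SIS element; all rates in failures per hour."""
    lam_s: float          # safe (spurious) failure rate, lambda^S
    lam_dd: float         # dangerous detected failure rate, lambda^DD
    lam_s_f: float = 0.0  # safe systematic failure rate, lambda^S_F
    beta: float = 0.0     # common-cause fraction, beta
    mttr: float = 0.0     # mean time to repair, hours


# (multiplier, power of (lambda^S + lambda^DD), power of MTTR) of the
# independent-failure term of each architecture, read off Eqs. 10-15.
ARCH_TERMS = {
    "1oo1": (1, 1, 0),
    "1oo2": (2, 1, 0),
    "1oo3": (3, 1, 0),
    "2oo2": (2, 2, 1),
    "2oo3": (6, 2, 1),
    "2oo4": (12, 3, 2),
}


def str_complex(arch, r, dd_trips_channel=True):
    """Eqs. 10-15: STR = k * lam^p * MTTR^q + beta * lam + lambda^S_F.

    dd_trips_channel=False drops lambda^DD from the rate, as the TR says to do
    when a detected dangerous failure does not de-energize the channel.
    The common-cause term exists only in the redundant forms (Eqs. 11-15).
    """
    k, p, q = ARCH_TERMS[arch]
    lam = r.lam_s + (r.lam_dd if dd_trips_channel else 0.0)
    independent = k * lam ** p * r.mttr ** q
    common_cause = r.beta * lam if arch != "1oo1" else 0.0
    return independent + common_cause + r.lam_s_f


def str_simplified(arch, r):
    """Eqs. 10a-15a: the reduced forms keep only lambda^S (and MTTR for 2ooN)."""
    k, p, q = ARCH_TERMS[arch]
    return k * r.lam_s ** p * r.mttr ** q


def str_sis(element_strs, lam_s_f_system=0.0):
    """Eq. 16: sum the STR of every sensor, final element, logic solver and
    power supply; the last term is added only when systematic error was not
    already included in the individual element STRs."""
    return sum(element_strs) + lam_s_f_system


def mttf_spurious(str_value):
    """Eq. 17 (Eq. 9 for a single element): MTTF_spurious = 1 / STR."""
    return math.inf if str_value == 0.0 else 1.0 / str_value


def per_year(rate_per_hour):
    """Convert a rate in 1/h to the events/year used in figures #1 and #3."""
    return rate_per_hour * HOURS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample rates for one element type, identical on every channel.
    r = ChannelRates(lam_s=1e-5, lam_dd=2e-5, lam_s_f=1e-6, beta=0.05, mttr=8.0)
    for arch in ARCH_TERMS:
        full = str_complex(arch, r)
        simple = str_simplified(arch, r)
        print(f"{arch}: STR={full:.3e}/h ({per_year(full):.3f}/yr), "
              f"simplified={simple:.3e}/h, MTTF_spurious={mttf_spurious(full):.0f} h")
    # Eq. 16/17 for a SIS built from a 1oo2 sensor, a 1oo1 logic solver and a 1oo1 valve.
    sis = str_sis([str_complex("1oo2", r), str_complex("1oo1", r), str_complex("1oo1", r)])
    print(f"SIS STR={sis:.3e}/h -> MTTF_spurious={mttf_spurious(sis):.0f} h")
```

Note how far the simplified 2ooN forms fall below the complex ones for the same rates: with the sample values the common-cause term, not the independent double-failure term, dominates the 2oo2 result.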
4. Determination of the Probability of Failure on Demand
Equations for determining the Average Probability of Failure on Demand, PFDavg, for systems with manual tests.
The Probability of Failure on Demand for systems with manual tests generally relates to field elements, such as sensors and final control elements.
The basis of these equations is the time or interval between manual tests (TI), whose purpose is to identify and locate dangerous failures in the system or in its elements.
The equations that describe these systems use the Systematic Dangerous Failure Rate component. This rate represents the systematic failures introduced during the design, selection, implementation and maintenance of the field elements of the Safety Instrumented System.
Architecture | Complex equation (ISA-TR84.00.02-2002 Part 2) | Simplified equation (ISA-TR84.00.02-2002 Part 2)

1oo1
  Complex (Eq. No. 3):     $PFD_{avg} = \lambda^{DU}\dfrac{TI}{2} + \lambda^{D}_{F}\dfrac{TI}{2}$
  Simplified (Eq. No. 3a): $PFD_{avg} = \lambda^{DU}\dfrac{TI}{2}$

1oo2
  Complex (Eq. No. 4A):    $PFD_{avg} = \left[(1-\beta)\lambda^{DU}\right]^{2}\dfrac{TI^{2}}{3} + (1-\beta)\lambda^{DU}\lambda^{DD}\,MTTR\,TI + \beta\lambda^{DU}\dfrac{TI}{2} + \lambda^{D}_{F}\dfrac{TI}{2}$
  Complex (Eq. No. 4B, taking $1-\beta \approx 1$, which is conservative): $PFD_{avg} = (\lambda^{DU})^{2}\dfrac{TI^{2}}{3} + \lambda^{DU}\lambda^{DD}\,MTTR\,TI + \beta\lambda^{DU}\dfrac{TI}{2} + \lambda^{D}_{F}\dfrac{TI}{2}$
  Simplified (Eq. No. 4a): $PFD_{avg} = (\lambda^{DU})^{2}\dfrac{TI^{2}}{3}$

1oo3
  Complex (Eq. No. 5):     $PFD_{avg} = (\lambda^{DU})^{3}\dfrac{TI^{3}}{4} + (\lambda^{DU})^{2}\lambda^{DD}\,MTTR\,TI^{2} + \beta\lambda^{DU}\dfrac{TI}{2} + \lambda^{D}_{F}\dfrac{TI}{2}$
  Simplified (Eq. No. 5a): $PFD_{avg} = (\lambda^{DU})^{3}\dfrac{TI^{3}}{4}$

2oo2
  Complex (Eq. No. 6):     $PFD_{avg} = \lambda^{DU}\,TI + \beta\lambda^{DU}\dfrac{TI}{2} + \lambda^{D}_{F}\dfrac{TI}{2}$
  Simplified (Eq. No. 6a): $PFD_{avg} = \lambda^{DU}\,TI$

2oo3
  Complex (Eq. No. 7):     $PFD_{avg} = (\lambda^{DU})^{2}\,TI^{2} + 3\lambda^{DU}\lambda^{DD}\,MTTR\,TI + \beta\lambda^{DU}\dfrac{TI}{2} + \lambda^{D}_{F}\dfrac{TI}{2}$
  Simplified (Eq. No. 7a): $PFD_{avg} = (\lambda^{DU})^{2}\,TI^{2}$

2oo4
  Complex (Eq. No. 8):     $PFD_{avg} = (\lambda^{DU})^{3}\,TI^{3} + 4(\lambda^{DU})^{2}\lambda^{DD}\,MTTR\,TI^{2} + \beta\lambda^{DU}\dfrac{TI}{2} + \lambda^{D}_{F}\dfrac{TI}{2}$
  Simplified (Eq. No. 8a): $PFD_{avg} = (\lambda^{DU})^{3}\,TI^{3}$

where $\lambda^{DU}$ is the undetected dangerous failure rate, $\lambda^{DD}$ is the detected dangerous failure rate,
$\lambda^{D}_{F}$ is the dangerous systematic failure rate, TI is the time interval between manual functional tests of
the component, MTTR is the mean time to repair, and $\beta$ is the fraction of failures that impact more than one channel
of a redundant system (common cause).

NOTE The equations in ISA-TR84.00.02-2002 Part 1 model the systematic failure as an error that occurred during the
specification, design, implementation, commissioning, or maintenance that resulted in the SIF component being susceptible to a
random failure. Some systematic failures do not manifest themselves randomly, but exist at time 0 and remain failed throughout the
mission time of the SIF. For example, if the valve actuator is specified improperly, leading to the inability to close the valve under
the process pressure that occurs during the hazardous event, then the average value as shown in the equations above is not
applicable. In this event the systematic failure would be modeled using $\lambda^{D}_{F}\,TI$. When modeling systematic failures, the
reader must determine which model is more appropriate for the type of failure being assessed.

In the complex equations for the redundant architectures, the second term represents multiple failures during repair; this
factor is typically negligible for short repair times (typically less than 8 hours). The third term is the common cause term and
the fourth term is the systematic error term. For 2oo2 there is no repair term: the second term is the common cause term and
the third the systematic error term.

For configurations other than those indicated above, see Reference 3 or ISA-TR84.00.02-2002 Part 5.
The terms in the equations representing common cause (beta factor term) and systematic failures are typically not included in
calculations performed in the process industries. These factors are usually accounted for during the design by using components
based on plant experience. Common cause includes environmental factors, e.g., temperature, humidity, vibration, and external
events such as lightning strikes. Systematic failures include calibration errors, design errors, programming errors, etc. If there
is concern related to these factors, refer to ISA-TR84.00.02-2002 Part 1 for a discussion of their impact on the PFDavg calculations.

If systematic errors (functional failures) are to be included in the calculations, separate values for each sub-system, if
available, may be used in the equations above. An alternate approach is to use a single value for functional failure for the
entire SIF and add this term as shown in Equation 1a in 5.1.6.

NOTE Systematic failures are rarely modeled for SIF verification calculations due to the difficulty in assessing the failure modes
and effects and the lack of failure rate data for various types of systematic failure. However, these failures are extremely important
and can result in significant impact to the SIF performance. For this reason, ANSI/ISA-84.01-1996, IEC 61508, and IEC 61511
provide a lifecycle process that incorporates design and installation concepts, validation and testing criteria, and management of
change. This lifecycle process is intended to support the reduction in the systematic failures. SIL verification is therefore
predominantly concerned with assessing the SIS performance related to random failures.

The simplified equations (3a to 8a) drop the terms for multiple failures during repair, common cause and systematic errors and
are the ones used in the procedures outlined in 5.1.1 through 5.1.4 of ISA-TR84.00.02-2002 Part 2.

5.1.6 Combining component PFDs to obtain SIF PFDavg
Once the sensor, final element, logic solver, and power supply (if applicable) portions are evaluated, the overall PFDavg for
the SIF being evaluated is obtained by summing the individual components. The result is the PFDavg for the SIF for the event
being protected against.

(Eq. No. 1a) $PFD_{SIS} = \sum PFD_{Si} + \sum PFD_{Ai} + \sum PFD_{Li} + \sum PFD_{PSi} + \lambda^{D}_{F}\dfrac{TI}{2}$
MTTR is the mean time to repair.
$\lambda^{DD}$ is the detected dangerous failure rate.
$\beta$ is the fraction of failures that affect more than one channel of a redundant system (common cause factor).
For redundant systems, the second term of the complex equations represents multiple failures that occur during a repair
and the third term represents common cause failure (CCF).
In the simplified equations the second term is neglected because its value is very small when the repair time is under 8 h.
The third term is neglected on the premise that systems in the process industries are designed with common cause failures
in mind, and the fourth term, systematic failures, is neglected when the SIS is designed following a methodology such as the
requirements and design considerations of the IEC 61511 safety lifecycle. Note that for redundant field elements the $\beta$ term
is frequently the largest contributor to the group PFDavg, so leaving it out should be a deliberate, documented decision rather
than a default.
The final PFDavg value is expressed as:

$PFD_{SIS} = \sum PFD_{Sensor} + \sum PFD_{PLC} + \sum PFD_{FE} + \lambda^{D}_{F}\dfrac{TI}{2}$

In general the simplified equations are accepted for systems with manual testing, such as sensors and final elements. Although
it is also common to apply these equations to programmable logic solvers, IEC 61508 Edition 2.0 (2010-04) has developed more
exact equations for systems whose testing is based on self-diagnostics.
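The ISA-TR84.00.02-2002 Part 2 equations of this section, simplified and complex, carried through for a complete SIF and mapped to a SIL band, as an added worked example that is not code from the original page or from Risk Software. The subsystem failure rates, $\beta$, the one-year TI and the 8 h MTTR are constructed assumptions; the SIL bands are the low-demand bands of IEC 61511 (SIL n when $10^{-(n+1)} \le PFD_{avg} < 10^{-n}$). The example shows, beyond the text, how large the common cause term becomes for a 1oo2 group relative to the simplified result, and which subsystem actually sets the SIL.

```python
"""PFDavg of a SIF with manually (proof) tested elements using the
ISA-TR84.00.02-2002 Part 2 simplified (Eq. 3a-8a) and complex (Eq. 3, 4B, 5-8)
equations, summed per Eq. 1a and mapped to the IEC 61511 SIL band.
Rates are per hour; TI and MTTR in hours. All numbers are constructed."""


def pfd_simplified(arch: str, lam_du: float, ti: float) -> float:
    """Eq. 3a-8a: only undetected dangerous failures and the proof-test interval."""
    x = lam_du * ti                      # expected undetected dangerous failures per interval
    table = {
        "1oo1": x / 2.0,
        "1oo2": x**2 / 3.0,
        "1oo3": x**3 / 4.0,
        "2oo2": x,
        "2oo3": x**2,
        "2oo4": x**3,
    }
    return table[arch]


def pfd_complex(arch, lam_du, lam_dd, mttr, ti, beta=0.0, lam_df=0.0):
    """Eq. 3, 4B, 5-8: simplified term + second failure while one channel is
    under repair + common cause (beta) + dangerous systematic rate lam_df."""
    repair = {                           # multiple failures during repair
        "1oo1": 0.0,
        "1oo2": lam_du * lam_dd * mttr * ti,
        "1oo3": lam_du**2 * lam_dd * mttr * ti**2,
        "2oo2": 0.0,
        "2oo3": 3.0 * lam_du * lam_dd * mttr * ti,
        "2oo4": 4.0 * lam_du**2 * lam_dd * mttr * ti**2,
    }[arch]
    common_cause = 0.0 if arch == "1oo1" else beta * lam_du * ti / 2.0
    systematic = lam_df * ti / 2.0
    return pfd_simplified(arch, lam_du, ti) + repair + common_cause + systematic


def sil_band(pfd_avg: float) -> int:
    """IEC 61511 low-demand SIL band; 0 means the SIF does not even reach SIL 1.
    Values below 1e-5 are outside the IEC table and are reported as SIL 4."""
    if pfd_avg >= 1e-1:
        return 0
    if pfd_avg >= 1e-2:
        return 1
    if pfd_avg >= 1e-3:
        return 2
    if pfd_avg >= 1e-4:
        return 3
    return 4


TI = 8760.0    # constructed: one-year proof test interval, hours
MTTR = 8.0     # constructed: mean time to repair, hours


def sif_pfd(subsystems, lam_df=0.0, ti=TI, mttr=MTTR, complex_eqs=True):
    """Eq. 1a: PFD_SIS = sum of the subsystem PFDs, plus lam_df*TI/2 when a
    single SIF-wide dangerous systematic rate is used instead of per-subsystem values."""
    total = 0.0
    for arch, lam_du, lam_dd, beta in subsystems:
        if complex_eqs:
            total += pfd_complex(arch, lam_du, lam_dd, mttr, ti, beta)
        else:
            total += pfd_simplified(arch, lam_du, ti)
    return total + lam_df * ti / 2.0


# Constructed SIF: 1oo2 transmitters, 1oo1 logic solver, 1oo1 shutdown valve.
# Tuple layout: (architecture, lambda_DU per hour, lambda_DD per hour, beta)
SIF = [
    ("1oo2", 1.0e-6, 4.0e-6, 0.05),   # sensors
    ("1oo1", 1.0e-7, 9.0e-7, 0.0),    # logic solver
    ("1oo1", 2.0e-6, 0.0, 0.0),       # final element (no diagnostics)
]

if __name__ == "__main__":
    for arch, du, dd, beta in SIF:
        print(f"{arch}: simplified {pfd_simplified(arch, du, TI):.2e}  "
              f"complex {pfd_complex(arch, du, dd, MTTR, TI, beta):.2e}")
    simple, full = sif_pfd(SIF, complex_eqs=False), sif_pfd(SIF)
    print(f"SIF: simplified {simple:.2e} (SIL {sil_band(simple)}), "
          f"complex {full:.2e} (SIL {sil_band(full)})")
```

For the 1oo2 sensor group the simplified result is 2.6e-5, but with $\beta = 0.05$ the common cause term alone is 2.2e-4, almost ten times larger; the SIF still lands in SIL 2 either way because the undiagnosed 1oo1 valve (8.8e-3) dominates Eq. 1a, which is where a shorter TI or a partial-stroke test would have to be applied to reach SIL 3.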
5. Calculation of the Probability of Failure on Demand PFDavg
Equations for determining the average Probability of Failure on Demand (PFDavg) of systems whose testing is based on
self-diagnostics, taken from IEC 61508-6 Edition 2.0, 2010-04.
For complex systems with self-diagnostics the PFD considers the total dangerous failure rate, given by the sum of the detected
and undetected dangerous failure rates:

$\lambda_{D} = \lambda_{DU} + \lambda_{DD}$

Equation for a system with 1oo1 architecture:
The architecture consists of a single channel, where any dangerous failure leads to a failure of the safety function when a
demand occurs:
Figure 5: Physical block diagram (single channel with diagnostics)
The single-channel configuration is compromised both by the undetected dangerous failure rate $\lambda_{DU}$ and by the
detected dangerous failure rate $\lambda_{DD}$. The channel can be represented as two equivalent components with mean down
times $t_{C1}$ and $t_{C2}$:

$t_{C1} = \dfrac{T_{1}}{2} + MRT$ (undetected failures, revealed only by the proof test with interval $T_{1}$, then repaired in the mean repair time MRT)

$t_{C2} = MTTR$ (detected failures, restored within the mean time to restoration MTTR)

For each component of the channel the undetected and detected dangerous failure rates are given by the diagnostic coverage DC:

$\lambda_{DU} = \lambda_{D}(1 - DC)$, $\lambda_{DD} = \lambda_{D}\,DC$

For a channel with equivalent down time $t_{CE}$ resulting from dangerous failures:

$t_{CE} = \dfrac{\lambda_{DU}}{\lambda_{D}}\left(\dfrac{T_{1}}{2} + MRT\right) + \dfrac{\lambda_{DD}}{\lambda_{D}}\,MTTR$

The probability of failure on demand for a 1oo1 architecture is then:

$PFD_{G} = (\lambda_{DU} + \lambda_{DD})\,t_{CE}$
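The IEC 61508-6 1oo1 derivation above carried through in Python, as an added worked example that is not code from the original page, from Risk Software or from the IEC standard. The total dangerous rate, the one-year $T_{1}$ and the 8 h MRT and MTTR are constructed assumptions; the block sweeps the diagnostic coverage DC to show how much of the channel down time the diagnostics remove, and compares the $1 - e^{-\lambda_{D} t_{CE}}$ value with its linear approximation.

```python
"""IEC 61508-6 Ed. 2.0, Annex B.3.2.2.1: PFD of a 1oo1 channel with
self-diagnostics. Rates per hour, times in hours. Numeric values are constructed."""
import math


def dangerous_rates(lam_d: float, dc: float):
    """Split the total dangerous failure rate by diagnostic coverage DC in [0, 1]:
    lambda_DU = lambda_D (1 - DC), lambda_DD = lambda_D DC."""
    if not 0.0 <= dc <= 1.0:
        raise ValueError("DC must be between 0 and 1")
    return lam_d * (1.0 - dc), lam_d * dc


def t_ce(lam_du: float, lam_dd: float, t1: float, mrt: float, mttr: float) -> float:
    """Channel equivalent mean down time: the down time of each equivalent
    component weighted by its share of the dangerous failure rate.
    Undetected failures sit until the proof test (T1/2 on average) plus MRT;
    detected failures are restored in MTTR."""
    lam_d = lam_du + lam_dd
    if lam_d == 0.0:
        return 0.0                       # a channel that cannot fail has no down time
    return (lam_du / lam_d) * (t1 / 2.0 + mrt) + (lam_dd / lam_d) * mttr


def pfd_1oo1(lam_d: float, dc: float, t1: float, mrt: float, mttr: float,
             exact: bool = False) -> float:
    """PFD_G of a 1oo1 channel. exact=False returns the linear form
    (lambda_DU + lambda_DD) t_CE used by the standard; exact=True returns
    1 - exp(-lambda_D t_CE), of which the linear form is the approximation."""
    lam_du, lam_dd = dangerous_rates(lam_d, dc)
    tce = t_ce(lam_du, lam_dd, t1, mrt, mttr)
    if exact:
        return 1.0 - math.exp(-lam_d * tce)
    return (lam_du + lam_dd) * tce


# Constructed channel: total dangerous rate 2e-6/h, yearly proof test, 8 h repairs.
LAM_D, T1, MRT, MTTR = 2.0e-6, 8760.0, 8.0, 8.0

if __name__ == "__main__":
    for dc in (0.0, 0.6, 0.9, 0.99):
        lam_du, lam_dd = dangerous_rates(LAM_D, dc)
        print(f"DC={dc:.2f}: t_CE={t_ce(lam_du, lam_dd, T1, MRT, MTTR):8.1f} h  "
              f"PFD_G={pfd_1oo1(LAM_D, dc, T1, MRT, MTTR):.3e}  "
              f"exact={pfd_1oo1(LAM_D, dc, T1, MRT, MTTR, exact=True):.3e}")
```

With DC = 0 the channel is the ISA 1oo1 case with $t_{CE} = T_{1}/2 + MRT$ and $PFD_{G} \approx 8.8 \times 10^{-3}$; at DC = 0.9 the 90 % of failures that diagnostics reveal are down for only 8 h instead of half a year, so $t_{CE}$ drops to 446 h and $PFD_{G}$ to $8.9 \times 10^{-4}$, which is slightly above the $\lambda_{DU} T_{1}/2 = 8.76 \times 10^{-4}$ the ISA simplified equation would give because the IEC form also counts the MRT and MTTR down times.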
Equation for a system with 1oo2 architecture:
The 1oo2 architecture consists of two channels connected in parallel, each of which can perform the safety function. In this
architecture both channels must fail dangerously for the safety function to fail on demand. It is assumed that any diagnostic
test only reports the faults found and does not change the output states or the output voting.
Figures 7 and 8 show the block diagrams for the 1oo2 architecture. $t_{CE}$ is calculated in the same way as for 1oo1, but now
we must also calculate $t_{GE}$, which is given by the equation:
Figure 6: Reliability block diagram (1oo1). Component 1: $\lambda_{DU}$ with $t_{C1} = \dfrac{T_{1}}{2} + MRT$; component 2: $\lambda_{DD}$ with $t_{C2} = MTTR$; combined channel: $\lambda_{D}$ with $t_{CE}$.
Figure B.5 - 1oo1 reliability block diagram (IEC 61508-6:2010). Labels: $\lambda_{DU}$ with $t_{c1} = \dfrac{T_{1}}{2} + MRT$; $\lambda_{DD}$ with $t_{c2} = MTTR$; $\lambda_{D}$ with $t_{CE}$.

Figures B.4 and B.5 contain the relevant block diagrams. The dangerous failure rate for the channel is given by

$\lambda_{D} = \lambda_{DU} + \lambda_{DD}$

Figure B.5 shows that the channel can be considered to comprise two components, one with a dangerous failure rate
$\lambda_{DU}$ resulting from undetected failures and the other with a dangerous failure rate $\lambda_{DD}$ resulting from
detected failures. It is possible to calculate the channel equivalent mean down time $t_{CE}$, adding the individual down times
from both components, $t_{c1}$ and $t_{c2}$, in direct proportion to each component's contribution to the probability of failure
of the channel:

$t_{CE} = \dfrac{\lambda_{DU}}{\lambda_{D}}\left(\dfrac{T_{1}}{2} + MRT\right) + \dfrac{\lambda_{DD}}{\lambda_{D}}\,MTTR$

For every architecture, the detected dangerous failure rate and the undetected dangerous failure rate are given by

$\lambda_{DU} = \lambda_{D}(1 - DC)$; $\lambda_{DD} = \lambda_{D}\,DC$

For a channel with down time $t_{CE}$ resulting from dangerous failures

$PFD = 1 - e^{-\lambda_{D} t_{CE}} \approx \lambda_{D}\,t_{CE}$ since $\lambda_{D}\,t_{CE} \ll 1$

Hence, for a 1oo1 architecture, the average probability of failure on demand is

$PFD_{G} = (\lambda_{DU} + \lambda_{DD})\,t_{CE}$

B.3.2.2.2 1oo2
This architecture consists of two channels connected in parallel, such that either channel can process the safety function.
Thus there would have to be a dangerous failure in both channels before a safety function failed on demand. It is assumed
that any diagnostic testing would only report the faults found and would not change any output states or change the output
voting.
Customer: jose angel alvarado - No. of User(s): 1 - Company: CSIPA CONSULTORIA EN SEGURIDAD INDUSTRILA Y PROTECCION AL AMBIENTE SA DE CV
Order No.: WS-2010-007542 - IMPORTANT: This file is copyright of IEC, Geneva, Switzerland. All rights reserved.
This file is subject to a licence agreement. Enquiries to Email: custserv@iec.ch - Tel.: +41 22 919 02 11
The probability of failure on demand for the 1oo2 architecture is then given by:
Equation for a system with 2oo2 architecture:
The 2oo2 architecture consists of two channels connected in parallel; both channels must demand the safety function for it to be executed. It is assumed that any diagnostic will only be reported along with the fault found, and that there will be no change in the final state of the output voting.
- 32 - 61508-6 © IEC:2010

[Figure B.6 - 1oo2 physical block diagram: two channels, each with diagnostics, feeding a 1oo2 vote. (IEC 326/2000)]

[Figure B.7 - 1oo2 reliability block diagram: two channel blocks ($\lambda_{DD}$, $\lambda_{DU}$, $\lambda_D$, $t_{CE}$) in parallel with system equivalent down time $t_{GE}$, in series with a common cause failure block. (IEC 327/2000)]

Figures B.6 and B.7 contain the relevant block diagrams. The value of $t_{CE}$ is as given in B.3.2.2.1, but now it is necessary to also calculate the system equivalent down time $t_{GE}$, which is given by

$t_{GE} = \dfrac{\lambda_{DU}}{\lambda_D}\left(\dfrac{T_1}{3} + MRT\right) + \dfrac{\lambda_{DD}}{\lambda_D}\, MTTR$

The average probability of failure on demand for the architecture is

$PFD_G = 2\left((1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right)^2 t_{CE}\, t_{GE} + \beta_D\,\lambda_{DD}\, MTTR + \beta\,\lambda_{DU}\left(\dfrac{T_1}{2} + MRT\right)$

B.3.2.2.3 2oo2

This architecture consists of two channels connected in parallel so that both channels need to demand the safety function before it can take place. It is assumed that any diagnostic testing would only report the faults found and would not change any output states or change the output voting.
[Figure #7: Physical block diagram 1oo2. Two channels, each with diagnostics, feeding a 1oo2 vote.]
[Figure #8: Reliability block diagram 1oo2. Two channel blocks ($\lambda_{DU}$, $\lambda_{DD}$, $\lambda_D$, $t_{CE}$) in parallel with system equivalent down time $t_{GE}$, in series with a common cause failure block.]
The probability of failure on demand is established by:
Equation for a system with 1oo2D architecture:
The 1oo2D architecture consists of two channels connected in parallel. During normal operation, both channels must demand the safety function for it to be executed. In addition, if the diagnostics in either channel detect a fault, the output voting is adapted so that operation continues with the channel that is operating without faults. If the diagnostics find a fault in both channels, or a discrepancy that cannot be attributed to either channel, the outputs go to a safe position. To detect a discrepancy between the channels, each channel must be able to determine the state of the other channel independently. The comparison or switch-over mechanism may not be 100% efficient; K therefore represents the efficiency of the comparison or switch-over mechanism.
[Figure #9: Physical block diagram 2oo2. Two channels, each with diagnostics, feeding a 2oo2 vote.]
[Figure #10: Reliability block diagram 2oo2. Two channel blocks ($\lambda_{DU}$, $\lambda_{DD}$, $\lambda_D$, $t_{CE}$) in series.]
61508-6 © IEC:2010 - 33 -

[Figure B.8 - 2oo2 physical block diagram: two channels with diagnostics feeding a 2oo2 vote. (IEC 328/2000)]
[Figure B.9 - 2oo2 reliability block diagram: two channel blocks ($\lambda_{DD}$, $\lambda_{DU}$, $\lambda_D$, $t_{CE}$) in series. (IEC 329/2000)]

Figures B.8 and B.9 contain the relevant block diagrams. The value of $t_{CE}$ is as given in B.3.2.2.1, and the average probability of failure on demand for the architecture is

$PFD_G = 2\,\lambda_D\, t_{CE}$

B.3.2.2.4 1oo2D

This architecture consists of two channels connected in parallel. During normal operation, both channels need to demand the safety function before it can take place. In addition, if the diagnostic tests in either channel detect a fault then the output voting is adapted so that the overall output state then follows that given by the other channel. If the diagnostic tests find faults in both channels or a discrepancy that cannot be allocated to either channel, then the output goes to the safe state. In order to detect a discrepancy between the channels, either channel can determine the state of the other channel via a means independent of the other channel. The channel comparison / switch over mechanism may not be 100 % efficient therefore K represents the efficiency of this inter-channel comparison / switch mechanism, i.e. the output may remain on the 2oo2 voting even with one channel detected as faulty.

NOTE The parameter K will need to be determined by an FMEA.

[Figure B.10 - 1oo2D physical block diagram: two channels, each with its own diagnostics, feeding a 1oo2D vote. (IEC 330/2000)]
[Figure #11: Physical block diagram 1oo2D. Two channels, each with its own diagnostics, feeding a 1oo2D vote.]
The detected safe failure rate for each channel is given by:
Here the equivalent mean down time values are given by:
The probability of failure on demand for the 1oo2D architecture is given by:
Equation for a system with 2oo3 architecture:
The 2oo3 architecture consists of three channels connected in parallel with a voting arrangement on the output; here the state of the outputs does not change if only one channel disagrees with the other two channels. It is assumed that any diagnostic will only be reported along with the fault found, and that there will be no change in the final state of the output voting.
[Figure #12: Reliability block diagram 1oo2D. Two channel blocks, each with $\lambda_{DU}$ and $\lambda_{DD} + \lambda_{SD}$, equivalent down times $t_{CE}$ and $t_{GE}$, in series with a common cause failure block.]
- 34 - 61508-6 © IEC:2010

[Figure B.11 - 1oo2D reliability block diagram: two channel blocks, each with $\lambda_{DU}$ and $\lambda_{DD} + \lambda_{SD}$, equivalent down times $t'_{CE}$ and $t'_{GE}$, in series with a common cause failure block. (IEC 331/2000)]

The detected safe failure rate for every channel is given by

$\lambda_{SD} = \lambda_S\, DC$

Figures B.10 and B.11 contain the relevant block diagrams. The values of the equivalent mean down times differ from those given for the other architectures in B.3.2.2 and hence are labelled $t'_{CE}$ and $t'_{GE}$. Their values are given by

$t'_{CE} = \dfrac{\lambda_{DU}}{\lambda_{DU} + \lambda_{DD} + \lambda_{SD}}\left(\dfrac{T_1}{2} + MRT\right) + \dfrac{\lambda_{DD} + \lambda_{SD}}{\lambda_{DU} + \lambda_{DD} + \lambda_{SD}}\, MTTR$

$t'_{GE} = \dfrac{T_1}{3} + MRT$

The average probability of failure on demand for the architecture is

$PFD_G = 2(1-\beta)\lambda_{DU}\left((1-\beta)\lambda_{DU} + (1-\beta_D)\lambda_{DD} + \lambda_{SD}\right) t'_{CE}\, t'_{GE} + 2K(1-\beta_D)\lambda_{DD}(1-\beta)\lambda_{DU}\, t'_{CE} + \beta_D\,\lambda_{DD}\, MTTR + \beta\,\lambda_{DU}\left(\dfrac{T_1}{2} + MRT\right)$

B.3.2.2.5 2oo3

This architecture consists of three channels connected in parallel with a majority voting arrangement for the output signals, such that the output state is not changed if only one channel gives a different result which disagrees with the other two channels.

It is assumed that any diagnostic testing would only report the faults found and would not change any output states or change the output voting.

[Figure B.12 - 2oo3 physical block diagram: three channels with diagnostics feeding a 2oo3 vote. (IEC 332/2000)]
[Figure #13: Physical block diagram 2oo3. Three channels with diagnostics feeding a 2oo3 vote.]
The probability of failure on demand for the 2oo3 architecture is established as:
Equation for a system with 1oo3 architecture:
The 1oo3 architecture consists of three channels connected in parallel with a 1oo3 output voting arrangement; any fault detected by the diagnostics will cause the system to go to the fail-safe state. It is assumed that any diagnostic will only be reported along with the fault found, and that there will be no change in the final state of the output voting.
The probability of failure on demand for the 1oo3 architecture is established as:
Where:
[Figure #14: Reliability block diagram 2oo3. Three channel blocks ($\lambda_{DU}$, $\lambda_{DD}$, $\lambda_D$, $t_{CE}$) under a 2oo3 vote with system equivalent down time $t_{GE}$, in series with a common cause failure block.]
61508-6 © IEC:2010 - 35 -

[Figure B.13 - 2oo3 reliability block diagram: three channel blocks ($\lambda_{DD}$, $\lambda_{DU}$, $\lambda_D$, $t_{CE}$) under a 2oo3 vote with system equivalent down time $t_{GE}$, in series with a common cause failure block. (IEC 333/2000)]

Figures B.12 and B.13 contain the relevant block diagrams. The value of $t_{CE}$ is as given in B.3.2.2.1 and the value of $t_{GE}$ is as given in B.3.2.2.2. The average probability of failure on demand for the architecture is

$PFD_G = 6\left((1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right)^2 t_{CE}\, t_{GE} + \beta_D\,\lambda_{DD}\, MTTR + \beta\,\lambda_{DU}\left(\dfrac{T_1}{2} + MRT\right)$

B.3.2.2.6 1oo3

This architecture consists of three channels connected in parallel with a voting arrangement for the output signals, such that the output state follows 1oo3 voting.

It is assumed that any diagnostic testing would only report the faults found and would not change any output states or change the output voting.

The reliability diagram will be the same as for the 2oo3 case but with voting 1oo3. The value of $t_{CE}$ is as given in B.3.2.2.1 and the value of $t_{GE}$ is as given in B.3.2.2.2. The average probability of failure on demand for the architecture is

$PFD_G = 6\left((1-\beta_D)\lambda_{DD} + (1-\beta)\lambda_{DU}\right)^3 t_{CE}\, t_{GE}\, t_{G2E} + \beta_D\,\lambda_{DD}\, MTTR + \beta\,\lambda_{DU}\left(\dfrac{T_1}{2} + MRT\right)$

Where

$t_{G2E} = \dfrac{\lambda_{DU}}{\lambda_D}\left(\dfrac{T_1}{4} + MRT\right) + \dfrac{\lambda_{DD}}{\lambda_D}\, MTTR$
Quantifying the Effect of Common Cause Failures:
PFDavg calculations must incorporate the effect that common cause failures have on redundant systems. In functional safety it is common to use the Beta (β) factor methodology to determine common cause failure; a later technical article will describe how this factor is determined.
The final effect of the common cause factor on the PFDavg equation is represented by the following equation:
PFD_FCC = (PFDa x PFDb x ..... PFDn) + (β x PFD_worst)
Where:
PFD a.....n represents the probability of failure on demand of devices a through n.
PFD_worst represents the probability of failure on demand of the weakest or worst device.
Beta (β) represents the common cause failure factor (FCC: falla de causa común, common cause failure).
6. Redundant Architectures
Redundant system architectures for Block Diagrams.
[Figure #15: 2oo2 block diagram. Input E, blocks A and B in series, followed by a common cause failure block, output S.]
[Figure #16: 1oo2 block diagram. Input E, blocks A and B in parallel, followed by a common cause failure block, output S.]
[Figure #17: 2oo3 block diagram. Input E, the three parallel pairs A-B, A-C and B-C, followed by a common cause failure block, output S.]
[Figure #18: 1oo3 block diagram. Input E, blocks A, B and C in parallel, followed by a common cause failure block, output S.]
Redundant system architectures for Fault Trees. OR blocks (are summed). AND blocks (are multiplied).
[Figure #19: 2oo2 fault tree. A OR B, then OR with the FCC event, to the output (Salida).]
[Figure #20: 1oo2 fault tree. A AND B, then OR with the FCC event, to the output.]
[Figure #21: 2oo3 fault tree. (A AND B) OR (B AND C) OR (A AND C), then OR with the FCC event, to the output.]
[Figure #22: 1oo3 fault tree. A AND B AND C, then OR with the FCC event, to the output.]
7. Examples of PFDavg Determination.
We can model the PFDavg of a system using block diagrams with the following simplifications:
- Parallel chains are multiplied.
- Series chains are summed.
Example:
Consider the following pressure protection system at the inlet of an offshore platform that handles large volumes of natural gas; an overpressure could have a major impact, rupturing the piping and producing a major leak that could even lead to a large fire or explosion:
[Figure: block diagram of the example system. INPUTS: PT-9002A, PT-9002B, PT-9002C (consider a 2oo3 architecture) with a common cause failure block. LOGIC: TMR. OUTPUTS: SVA and SVB with a common cause failure block, then the ESDV.]
The following data are available:

Parameter   PT (FIT)   TMR (FIT)     Solenoid (FIT)   Shutdown valve (FIT)
λsd         396        ----          71               0
λsu         440        ----          0                1401
λdd         52         ----          99               0
λdu         69         ----          1                765
SFF         92.8%      ----          ----             ----
TI          1 year     ----          1 year           1 year
MTTR        8 hr       ----          8 hr             8 hr
β           5%         ----          5%               ----
PFDavg      ----       2.5 x 10^-4   ----             ----

Problem: Draw the block diagram for the system and calculate the PFDavg value for the system:
ISA-TR84.00.02-2002 - Part 2 - 24 -

If systematic errors (functional failures) are to be included in the calculations, separate values for each sub-system, if available, may be used in the equations above. An alternate approach is to use a single value for functional failure for the entire SIF and add this term as shown in Equation 1a in 5.1.6.

NOTE Systematic failures are rarely modeled for SIF Verification calculations due to the difficulty in assessing the failure modes and effects and the lack of failure rate data for various types of systematic failure. However, these failures are extremely important and can result in significant impact to the SIF performance. For this reason, ANSI/ISA-84.01-1996, IEC 61508, and IEC 61511 provide a lifecycle process that incorporates design and installation concepts, validation and testing criteria, and management of change. This lifecycle process is intended to support the reduction in the systematic failures. SIL Verification is therefore predominantly concerned with assessing the SIS performance related to random failures.

The simplified equations without the terms for multiple failures during repair, common cause and systematic errors reduce to the following for use in the procedures outlined in 5.1.1 through 5.1.4.

1oo1 (Eq. No. 3a) $PFD_{avg} = \lambda^{DU}\,\dfrac{TI}{2}$

1oo2 (Eq. No. 4a) $PFD_{avg} = \dfrac{(\lambda^{DU})^2\,(TI)^2}{3}$

1oo3 (Eq. No. 5a) $PFD_{avg} = \dfrac{(\lambda^{DU})^3\,(TI)^3}{4}$

2oo2 (Eq. No. 6a) $PFD_{avg} = \lambda^{DU}\, TI$

2oo3 (Eq. No. 7a) $PFD_{avg} = (\lambda^{DU})^2\,(TI)^2$

2oo4 (Eq. No. 8a) $PFD_{avg} = (\lambda^{DU})^3\,(TI)^3$

5.1.6 Combining components PFDs to obtain SIF PFDavg

Once the sensor, final element, logic solver, and power supply (if applicable) portions are evaluated, the overall PFDavg for the SIF being evaluated is obtained by summing the individual components. The result is the PFDavg for the SIF for the event being protected against.

(Eq. No. 1a) $PFD_{SIS} = \sum PFD_{Si} + \sum PFD_{Ai} + \sum PFD_{Li} + \sum PFD_{PSi} + \lambda^{D}_{F}\,\dfrac{TI}{2}$
Solution with Block Diagrams: The first thing we must do is calculate the PFDavg values for each block; for this we use the formula:

1) For the transmitters we have:
PFDavg = (69 x 10^-9 x 8760)/2 = 3.02 x 10^-6
PFDavg (A x B) = 3.02 x 10^-6 x 3.02 x 10^-6 = 9.13 x 10^-12
PFDavg (A x C) = 3.02 x 10^-6 x 3.02 x 10^-6 = 9.13 x 10^-12
PFDavg (B x C) = 3.02 x 10^-6 x 3.02 x 10^-6 = 9.13 x 10^-12
PFD_FCC = (3.02 x 10^-6 x 3.02 x 10^-6 x 3.02 x 10^-6) + (0.05 x 3.02 x 10^-6) = 1.51 x 10^-7
PFDavg = 3.02 x 10^-6 + 3.02 x 10^-6 + 3.02 x 10^-6 = 9.07 x 10^-6
PFDavg tot = 9.07 x 10^-6 + 1.51 x 10^-7 = 9.21 x 10^-6

2) For the logic controller we have PFDavg = 2.5 x 10^-4
3) For the solenoid valves we have:
PFDavg = (1 x 10^-9 x 8760)/2 = 4.38 x 10^-6
PFDavg = (4.38 x 10^-6 x 4.38 x 10^-6) = 1.91 x 10^-11
PFD_FCC = (4.38 x 10^-6 x 4.38 x 10^-6) + (0.05 x 4.38 x 10^-6) = 2.19 x 10^-7
PFDavg tot = 1.91 x 10^-11 + 2.19 x 10^-7 = 2.19 x 10^-7

4) For the shutdown valve we have:
PFDavg = (765 x 10^-9 x 8760)/2 = 3.35 x 10^-3

The PFDavg value for the SIS will be:
PFDavg SIS = 9.21 x 10^-6 + 2.5 x 10^-4 + 2.19 x 10^-7 + 3.35 x 10^-3 = 3.61 x 10^-3
RRF = 277, SIL 2
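The worked example above (steps 1 to 4), the block-diagram rules of Section 7 (parallel chains multiply, series chains add) and the PFD_FCC rule of the common cause section, recomputed in one place from the table's data. This is an added example for this article, not the author's own code: the FIT, TI and β values are the table's, while the function names, the `moon_group` helper and the SIL band table are my own. The 2oo3 transmitter group is evaluated as the OR of its three AND pairs, as in the fault tree of Figure #21, and the series blocks are summed per Eq. 1a of the ISA page.

```python
"""ISA-TR84.00.02 simplified equations applied to the article's inlet
pressure-protection SIS: 2oo3 transmitters, TMR logic solver, 1oo2 solenoid
valves, 1oo1 shutdown valve.

Added example for this article, not the author's code.  Device data (FIT, TI,
beta) are the values of the article's table; every derived number is
recomputed.  The MooN helper and the SIL bands are my own additions."""
from itertools import combinations

HOURS_PER_YEAR = 8760.0


def fit_to_per_hour(fit: float) -> float:
    """1 FIT = one failure per 1e9 hours."""
    return fit * 1e-9


# ISA-TR84.00.02 Part 2 simplified equations (lam_du per hour, ti in hours).
def pfd_1oo1(lam_du: float, ti: float) -> float:
    return lam_du * ti / 2.0                      # Eq. 3a


def pfd_1oo2(lam_du: float, ti: float) -> float:
    return (lam_du * ti) ** 2 / 3.0               # Eq. 4a


def pfd_1oo3(lam_du: float, ti: float) -> float:
    return (lam_du * ti) ** 3 / 4.0               # Eq. 5a


def pfd_2oo2(lam_du: float, ti: float) -> float:
    return lam_du * ti                            # Eq. 6a


def pfd_2oo3(lam_du: float, ti: float) -> float:
    return (lam_du * ti) ** 2                     # Eq. 7a


def pfd_2oo4(lam_du: float, ti: float) -> float:
    return (lam_du * ti) ** 3                     # Eq. 8a


def moon_group(pfd_channel: float, n: int, m: int, beta: float) -> float:
    """Block-diagram evaluation of an MooN group of n identical channels.
    The group fails once n - m + 1 channels have failed: OR (sum) over the
    AND (product) of every such subset, plus the article's common cause
    term beta x PFD of the worst channel (all channels are equal here)."""
    k = n - m + 1
    independent = sum(pfd_channel ** k for _ in combinations(range(n), k))
    return independent + beta * pfd_channel


def sil_band(pfd: float) -> int:
    """Low-demand SIL bands; 0 means the PFDavg is outside every band."""
    if 1e-5 <= pfd < 1e-4:
        return 4
    if 1e-4 <= pfd < 1e-3:
        return 3
    if 1e-3 <= pfd < 1e-2:
        return 2
    if 1e-2 <= pfd < 1e-1:
        return 1
    return 0


def example_sis(ti: float = HOURS_PER_YEAR, lam_systematic: float = 0.0):
    """Returns (subsystem PFDavg dict, total PFDavg, RRF, SIL) for the example.
    lam_systematic is the optional lambda_F^D term of Eq. 1a (0 as in the article)."""
    pt = pfd_1oo1(fit_to_per_hour(69), ti)         # PT-9002A/B/C: lambda_du = 69 FIT
    sv = pfd_1oo1(fit_to_per_hour(1), ti)          # SVA / SVB: lambda_du = 1 FIT
    parts = {
        "sensors_2oo3": moon_group(pt, n=3, m=2, beta=0.05),
        "logic_tmr": 2.5e-4,                       # TMR PFDavg given in the table
        "solenoids_1oo2": moon_group(sv, n=2, m=1, beta=0.05),
        "esdv_1oo1": pfd_1oo1(fit_to_per_hour(765), ti),   # ESDV: 765 FIT
    }
    total = sum(parts.values()) + lam_systematic * ti / 2.0   # Eq. 1a: series blocks add
    return parts, total, 1.0 / total, sil_band(total)


if __name__ == "__main__":
    parts, total, rrf, sil = example_sis()
    for name, value in parts.items():
        print(f"{name:15s} {value:.3e}")
    print(f"PFDavg SIS = {total:.3e}   RRF = {rrf:.0f}   SIL {sil}")
```

Computed straight from 69 FIT, the per-transmitter PFDavg is 3.02 x 10^-4 (69 x 10^-9 x 8760 / 2), so the 2oo3 sensor group contributes about 1.5 x 10^-5, almost all of it the β term. The SIS total still lands at 3.62 x 10^-3 (RRF about 277, SIL 2), because the single shutdown valve dominates the sum; that is the practical lesson of the example: redundancy in the sensors buys very little while the final element is 1oo1.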
Solution with Fault Trees:

[Figure: fault tree for the example. The top event "SIS failure" is an OR over four branches: PT (an OR of the three AND pairs A-B, B-C, A-C and the FCC event), CLP (the logic solver), SV (the AND of SVA and SVB, ORed with the SV FCC event) and SCV (the shutdown valve). Basic-event values (PFDavg): PT 3.02 x 10^-6, CLP 2.5 x 10^-4, SV 4.38 x 10^-6, SCV 3.35 x 10^-3, FCC PT 1.51 x 10^-7, FCC SV 2.19 x 10^-7. Gate results: PT 9.07 x 10^-6, PT with FCC 9.21 x 10^-6, SV AND 1.91 x 10^-11, SV with FCC 2.19 x 10^-7, top event 3.61 x 10^-3.]

The values shown at the basic events are given as PFDavg.
Example:
Calculations using FTA-Pro from Dyadem
Results at time: 8760
Unavailability 0.007206
Frequency: N/A

Time          Unavailability   Unavailability
0.00000       0.000000         0.000000
796.36364     0.000657         0.000657
1592.72727    0.001314         0.001314
2389.09091    0.001970         0.001970
3185.45455    0.002626         0.002626
3981.81818    0.003282         0.003282
4778.18182    0.003937         0.003937
5574.54545    0.004592         0.004592
6370.90909    0.005246         0.005246
7167.27273    0.005900         0.005900
7963.63636    0.006553         0.006553
8760.00000    0.007206         0.007206

Total system downtime 30.972005
PFDavg: 0.003536
RRF = 282, SIL = 2
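What the FTA-Pro figures above mean, as an added example (not the tool's output and not the author's code): PFDavg is the time average of the unavailability Q(t) over the analysed window, and the reported total downtime is that average times the 8760 h window (0.003536 x 8760 is about 30.97 h). The sample points below are copied from the table above; the single-channel model, the trapezoidal integration and the function names are my own.

```python
"""PFDavg as the time average of the unavailability Q(t), and "total
downtime" as its integral, the two quantities a fault-tree tool reports
next to its unavailability-versus-time table.

Added example for this article (not the tool's or the author's code).  The
sample points are the (time, unavailability) pairs printed in the FTA-Pro
table; the single-channel model is constructed for illustration."""
from math import exp

# Copied from the FTA-Pro table above: (hours, unavailability).
FTA_SAMPLES = [
    (0.00000, 0.000000), (796.36364, 0.000657), (1592.72727, 0.001314),
    (2389.09091, 0.001970), (3185.45455, 0.002626), (3981.81818, 0.003282),
    (4778.18182, 0.003937), (5574.54545, 0.004592), (6370.90909, 0.005246),
    (7167.27273, 0.005900), (7963.63636, 0.006553), (8760.00000, 0.007206),
]


def trapezoid(points):
    """Integral of a sampled curve by the trapezoidal rule."""
    area = 0.0
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        area += 0.5 * (y0 + y1) * (x1 - x0)
    return area


def downtime_from_samples(points):
    """Expected hours in the failed state over the window: integral of Q(t)."""
    return trapezoid(points)


def pfd_avg_from_samples(points):
    """PFDavg = (1/T) * integral of Q(t) dt over the window."""
    t0, t_end = points[0][0], points[-1][0]
    return trapezoid(points) / (t_end - t0)


def unavailability_1oo1(lam, t):
    """Single channel with undetected dangerous rate lam, not repaired until
    the proof test: Q(t) = 1 - e^(-lam t)."""
    return 1.0 - exp(-lam * t)


def pfd_avg_numeric(lam, ti, steps=20000):
    """Average Q(t) over one proof-test interval by fine trapezoidal integration."""
    pts = [(i * ti / steps, unavailability_1oo1(lam, i * ti / steps))
           for i in range(steps + 1)]
    return pfd_avg_from_samples(pts)


def pfd_avg_closed_form(lam, ti):
    """Exact average of 1 - e^(-lam t) over [0, TI]; lam*TI/2 is its
    first-order approximation."""
    return 1.0 - (1.0 - exp(-lam * ti)) / (lam * ti)


if __name__ == "__main__":
    print(f"PFDavg from printed samples  : {pfd_avg_from_samples(FTA_SAMPLES):.6f}")
    print(f"downtime from printed samples: {downtime_from_samples(FTA_SAMPLES):.3f} h")
    lam, ti = 765e-9, 8760.0      # the shutdown valve's lambda_DU and TI from the example
    print(f"1oo1 exact average : {pfd_avg_closed_form(lam, ti):.6e}")
    print(f"1oo1 numeric       : {pfd_avg_numeric(lam, ti):.6e}")
    print(f"lam * TI / 2       : {lam * ti / 2:.6e}")
```

A trapezoid over the twelve printed points gives about 0.00361, roughly 2 % above the tool's 0.003536, because the tool integrates on its own finer time grid; the printed downtime of 30.97 h is consistent with the tool's own average. For the shutdown valve's 765 FIT and TI = 8760 h the block also shows that the exact average of 1 - e^(-λt) sits slightly below the λ TI / 2 first-order value used in the hand calculation, which is why the simplified equations are conservative for small λ TI.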
The comments in this document express the point of view of:
Victor Machiavelo Salinas
TUV FS Expert ID-141/09
Risk Software SA de CV
victorm@risksoftware.com.mx
www.risksoftware.com.mx
We will appreciate any comments.