ISO/TR 12489: Reliability modelling & calculation of ...€¦ · TC67/ WG4 Overall framework of...

PETROBRAS Rio, November 2014

TC67

WG4

ISO/TR 12489: Reliability modelling & calculation of safety systems.Presentation and applications

Jean-Pierre SIGNORETISO/TR 12489 project leader

Reliability expert, TOTAL

Jean-Pierre SIGNORETISO/TR 12489 project leader

Reliability expert, TOTAL


TC67

WG4

Presentation of ISO/TR 12489

TR prepared by ISO TC67 WG4/Project Group 3PG3 leader : Jean Pierre Signoret (Total)WG4 Convenor: Runar Østebø (Statoil)

TR prepared by ISO TC67 WG4/Project Group 3PG3 leader : Jean Pierre Signoret (Total)WG4 Convenor: Runar Østebø (Statoil)

3 - PETROBRAS Rio, November 2014TC67/ WG4

Background

Numerous safetysystems (SS) in

industrialinstallations

Numerous safetysystems (SS) in

industrialinstallations

Needs for accurate

reliability models & probabilistic

calculations

Needs for accurate

reliability models & probabilistic

calculations

More than 50 years of research & development

More than 50 years of research & development

ISO TC 67/WG4Reliability

Engineering and Technology

ISO TC 67/WG4Reliability

Engineering and Technology

IEC TC 65Functional Safety

standards

IEC TC 65Functional Safety

standards

Extensive expertiseexists in the field ofreliability modelling

& probabilisticcalculations

Extensive expertiseexists in the field ofreliability modelling

& probabilisticcalculations

Need to share expertise to fill the gaps and fulfill the

needs

Need to share expertise to fill the gaps and fulfill the

needsNo standardsfocused on

safety system

No standardsfocused on

safety system

Over simplifiedapproaches (*)

Over simplifiedapproaches (*)

Plenty ofavailable accurate

approaches

Plenty ofavailable accurate

approaches

(*) this has been improved in new editions (*) this has been improved in new editions

ISO/TR12489

ISO/TR12489

With regard tosafety

With regard tosafety

With regard toproduction

With regard toproduction

Launched in2008

Launched in2008

Developedfrom scratchDeveloped

from scratchDeveloped in parallelof the maintenance

of IEC 61508and IEC 61511

Developed in parallelof the maintenance

of IEC 61508and IEC 61511

FRFRNONO

UKUK

BRBR

BEBE

NINICHNCHN

USUS

NENE

Proposed andachieved by ISOTC67/WG4/PG3

Proposed andachieved by ISOTC67/WG4/PG3

ITIT

SPSP

Published inNov. 2013

Published inNov. 2013

Keptin line withIEC 61508-6

annex B

Keptin line withIEC 61508-6

annex B


ISO/TR 12489 outline

Reliability modelling & calculation of safety systems

This document dealswith reliability modelling

& calculations

This document dealswith reliability modelling

& calculations

This document dealswith safety systems

This document dealswith safety systems

Simplified &non-simplified

approaches

Simplified &non-simplified

approaches

SafetyInstrumented

Systems(SIS)

SafetyInstrumented

Systems(SIS)

This is aTechnical Report

This is aTechnical Report

Onlyinformative

matters

Onlyinformative

matters

Atechnical reportis obviously"technical"!

Atechnical reportis obviously"technical"!

OrdinarySafety

Systems

OrdinarySafety

Systems

Spurious actionsSpurious actions

Implementation of systemic approaches

Implementation of systemic approaches

Impact onDependability

Impact onDependability

Aims toprovide guidelines

Aims toprovide guidelines

Mathematical development of

formulae

Mathematical development of

formulae

Not explainedelsewhere

Not explainedelsewhere

Not developedelsewhere

Not developedelsewhere

Failure of safety actions

Failure of safety actions

Impact onsafety

Impact onsafety

Production availability

(ISO 20815)

Production availability

(ISO 20815) Simple& complexsystems

Simple& complexsystems

Reliabilitydata collection

(ISO 14224)

Reliabilitydata collection

(ISO 14224)


Overall framework of ISO/TR 12489

Risk management

Risk assessment

With regards to:safety,environment,production,operations,etc.

With regards to:safety,environment,production,operations,etc. Risk identificationRisk identification

Risk analysis

Modelling& calculations

Modelling& calculations

ISO/TR12489

ISO/TR12489

Reliability analysis

Risk evaluationRisk evaluation

ISO 31000ISO 31000


GeneralmattersGeneralmatters

General &methodological

matters

General &methodological

matters

Target users of ISO/TR 12489

ManagementManagement Technical staff

Technical staff

OperatorsOperators

ManufacturersManufacturers

ConsultantsConsultants

Reliability engineersReliability engineers

Various stakeholders

Various stakeholders

Certification bodies

Certification bodies

Safety authoritiesSafety authorities UniversitiesUniversities

Teachers & students

Teachers & students

Coreof the

document

Coreof the

documentAnnexesAnnexes


Some examples of safety systems covered by ISO/TR 12489 (instrumented or not)

Emergency / Processshutdown

Emergency / Processshutdown

Overpressureprotection systems

Overpressureprotection systems

Fire & gassystems

Fire & gassystems

Process controlsystems

Process controlsystems

Public alarmsystems

Public alarmsystems

Emergencypreparedness systems

Emergencypreparedness systems

Marineequipment

Marineequipment

Electrical & telecom.systems

Electrical & telecom.systems

Other utilitiesOther utilities

Drilling & wellsDrilling & wells

SubseaSubsea

ESDESDPSDPSD EDPEDP

HIPSHIPS HIPPSHIPPS Pressurerelief

Pressurerelief

Gasdetection

Gasdetection

Fire fightingsystem

Fire fightingsystem

Fire watersystem

Fire watersystem

Control &monitoringControl &

monitoringChemicalinjection

Chemicalinjection

Emergencycommunication

Emergencycommunication

Evacuationsystem

Evacuationsystem

Discon-nectionsystem

Discon-nectionsystem

StationkeepingStationkeeping Ballast

waterBallastwater

UPSUPS Telecom.Telecom.

FlaresystemFlare

systemHVACHVAC

MaterialhandlingMaterialhandling

Wellintegrity

Wellintegrity

Wellcompletion

Wellcompletion

ESDESDPSDPSD

HIPPSHIPPS

IsolationIsolation DivingDiving

Etc.Etc.

31 systemsidentified inthe TR

31 systemsidentified inthe TR


Part 7Part 7

ISO/TR 12489 versus IEC 61508/511 and IEC TC56

ISO/TR12489

ISO/TR12489

IEC61508IEC

61508

IEC61511IEC

61511

IEC TC65Process Sector - Safety Instrumented Systems

IEC TC65Process Sector - Safety Instrumented Systems ISO TC 67/WG4

Reliability Engineeringand Technology

ISO TC 67/WG4Reliability Engineering

and Technology

Part 1Part 1Part 2Part 2

Part 3Part 3

Part 4Part 4

Part 5Part 5

Part 6Part 6

Part 1Part 1

Part 2Part 2

Part 3Part 3

Part 6annex B

Probabilisticcalculations

Part 6annex B


Part 3annex J


Part 3annex J


Approximatedformulae

Approximatedformulae

"Alternative"approaches

"Alternative"approaches

Multiplesafety systems

Multiplesafety systems

Bring the methodology to the state of the art

Bring the methodology to the state of the art

Detailed explanations of proposed solutions to reliability engineers

Detailed explanations of proposed solutions to reliability engineers

Identification and explanations of weaknesses

Identification and explanations of weaknesses

Consolidation of simplified approaches

Consolidation of simplified approaches

Demystification of systemic approaches & provision of

extensive solutions

Demystification of systemic approaches & provision of

extensive solutions

In line withIEC 61508 &IEC 61511

In line withIEC 61508 &IEC 61511Extension

to spuriousfailures

Extensionto spurious

failures

Any kindof safetysystems

Any kindof safetysystems

Self containeddocument

Self containeddocument

Extension tocomplex systems

Extension tocomplex systems

IEC TC56Dependability

IEC TC56DependabilityMethodsMethods

Link with

ISO 20815

Link with

ISO 20815


Distribution of the topics within the 260 pages of ISO/TR 12489


ApproachesApproachesMiscellaneousMiscellaneous

Typicalapplications

Typicalapplications

FormulaFormula

BooleanBooleanMarkovMarkov

Petri netsPetri nets

DefinitionsDefinitions

GeneralanalyticsGeneralanalytics

Human factor

Human factor

CCFCCF

Monte CarloMonte Carlo

UncertaintyUncertainty

SafetysystemsSafety

systems

Reliability dataReliability data

41%

32%

21%

6%

5%

28%

7%

8%

34%3%

14%5%

30%

26%

29%

26%

OverallcontentOverallcontent

ApproachesApproaches


More than 30safety systemsare identified

More than 30safety systemsare identified


TC67

WG4

Introduction to functional safety concepts


3rdProtection

layer

3rdProtection

layer

RRF = 10 to 100RRF = 10 to 100

ALARP : Minimumneeded reductionALARP : Minimumneeded reduction

SIL Principle: identification of Risk Reduction needed

44

33

22

11

Dangerous event

frequencies

Dangerous event

frequencies

Processrisk

ProcessriskTolerable

riskTolerable

risk

1stProtection

layer

1stProtection

layer2ndProtection

layer

2ndProtection

layer

Risk Reductionwith conventional means

Risk Reductionwith conventional means

Dangerous events

consequences

Dangerous events

consequences

Risk without SISRisk without SIS

R2R2 R1R1

RRF = 100 to 1000RRF = 100 to 1000

RRF = 1000 to 10 000RRF = 1000 to 10 000

RRF > 10 000RRF > 10 000

RiskReductionFactor: R1/R2

RiskReductionFactor: R1/R2

SafetyIntegrityLevel: SIL

SafetyIntegrityLevel: SIL

HIPSHIPS

Con

sequ

ence

Frequency

Maxreduction

allowable ifnon SIF

=> 10

Maxreduction

allowable ifnon SIF

=> 10

4 sets ofrequirements

4 sets ofrequirements


From conventional Safety system to Safety Instrumented System

PT3

PT2

PT1

L1 L2

Over-

PressureOver-

Pressure

IEC 61508IEC 61511IEC 61508IEC 61511API 14CAPI 14C

Relief ValveRelief Valve

SafetyInstrumented

System

SafetyInstrumented

System

CostCost

SizeSize

HighIntegrity

(Pressure)ProtectionSystem

HighIntegrity

(Pressure)ProtectionSystem

Conventionalsafetysystem

Reliability?Reliability?


Low demandmode of operation

Low demandmode of operation

PFDavgPFDavg

Types of Safety Instrumented Systems (SIS)

Demand frequency1 Year1 Year

Average of theProbability ofFailure onDemand


High demand or continuous mode of operation

High demand or continuous mode of operation

Continuousmode of operation

Continuousmode of operation

High demandmode of operation

High demandmode of operation

PFHPFH

Probability ofFailure perHour

Probability ofFailure perHour

Functionalsafety

standards

Functionalsafety

standards

Averageunavailability

U(T)


U(T)

Reliabilityengineering


Averagefailure frequency

w(T)

Averagefailure frequency

w(T)


SIL

PFH

(SIL0)SIL1SIL4 SIL3 SIL2

SIL- summary & difficulties

Applies toSafetyInstrumentedFunction

Applies toSafetyInstrumentedFunction

Deterministicconstraints

10-4/h10-8/h 10-7/h 10-6/h 10-5/h

10-010-4 10-3 10-110-2

PFD

SFF

HFT

SFF

HFT

Relevancefor safety?Relevance

for safety?

SimplifiedcalculationsSimplifiedcalculations

Definitions Definitions

RRFRRF

links withPFD/PFHlinks withPFD/PFH

Splittinglow / highdemandmodes

Splittinglow / highdemandmodes

SafeFailureFraction

SafeFailureFraction

HarwareFaultTolerance

HarwareFaultTolerance

Spuriousfailures

Spuriousfailures

Proposed clarifications, explanations & improvements in ISO/TR 12489

Proposed clarifications, explanations & improvements in ISO/TR 12489

Organizationof the worksthrough the

life cycle

Organizationof the worksthrough the

life cycle FormalProcess


TC67

WG4

Introduction to the methods developed into ISO/TR 12489 for

PFDavg calculations

Lowdemand

mode safetysystems

Lowdemand

mode safetysystems



Functionalsafety

standards

Functionalsafety

standards




U(T)


U(T)


Formulae

Taylor'sexpansionTaylor's

expansion

FTRBD

State Transition models(finite state automata)

Probabilistic models overviewProbabilistic models overview

Analyticalmethods

Analyticalmethods

Monte Carlosimulation

Monte Carlosimulation

Generictools

Generictools

SpecificformulaeSpecificformulae

Behavioralmodels

Behavioralmodels

PetrinetsPetrinets

FormallanguagesFormal

languages

50 years of

experience

50 years of

experience

Markovianapproach

Markovianapproach

BooleanapproachBoolean

approach

State ofthe art

State ofthe art

Developedwhen

computersdidn't exist

Developedwhen

computersdidn't exist

Computeroriented

Computeroriented

FT / RBDdriven Markov

processes

FT / RBDdriven Markov

processes

RBDdriven

Petri Nets

RBDdriven

Petri Nets


TC67

WG4

Simplified analytical approach


2 parameters:λλλλ : Failure rateττττ : test interval


OKOK KOKO

τ / 2τ / 2τ / 2τ / 2

ττττ

ButBut

2

τλτδ .≈unv

Proba. ofhiddenfailures


Averagehidden failure

duration


duration

2

λττ

δ=≈ unv

avgPFD

Simplest approximation of the PFDavg

00

=→

avgLim PFD τ

22

11 2

0

λτλττ

δλδτ

ττ

==≈= ∫ dUavg .)(PFD

τ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λ

Unavailabilityduration


AA

The mostfamous formula

in functionalsafety

The mostfamous formula

in functionalsafety

Notrealistic!

Notrealistic!

λδλδδ ≈−−= )exp()( 1U


3 parameters:λλλλ : Failure rateττττ : test intervalµµµµ : repair rate


KOKO

ττττ

ButBut2

τλτδ .≈unv

µλλτ

τδ

+=≈2

unvavgPFD

Approximation of the PFDavgfrom IEC 61508

µλτ 1

.+




AA

1/µµµµ

Averagerepair

duration

Averagerepair

duration



1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ

IEC 61508formula

IEC 61508formula

Influentparametersare missing

Influentparametersare missing

OKOK

Uof revealed

failures

Uof revealed

failures

τµ

τ ≈− 1


Parameters:λλλλ : failure rateττττ : test intervalµµµµ : repair rateγ γ γ γ : prob. failure

due to a demandππππ : test durationψ ψ ψ ψ : reconfiguration error


due to a demandππππ : test durationψ ψ ψ ψ : reconfiguration error

ττττ

τψπµ

γµ

λττλτδ ... ++++≈ 11

2unv

ψτπ

τµγ

µλλτ

τδ

++++=≈.

PFD2

unvavg

Approximation of the PFDavg with more parameters (ISO/TR 12489) τ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λ



AA

1/µµµµ

1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τOKOK

ττττ

ππππKOKO

π << τπ << τπ << τπ << τπ << τπ << τπ << τπ << τ

ττττ

ππππ

etc.etc.

Taylorexpansion formore complex

cases

Taylorexpansion formore complex

cases

γγγγ

ψψψψ

OKOK KOKO

KOKOτπτ ≈−


Test interval ττττTest interval ττττ

Average unavailability U ≡≡≡≡ PFDavgAverage unavailability U ≡≡≡≡ PFDavg

1

0

Limit average unavailability versus test interval

ττττ1ττττ1 ττττ2

ττττ2

OptimumOptimumττττo ≈≈≈≈ 2222γγγγ/(/(/(/(λµλµλµλµ))))

γγγγ increases

γγγγ increaseslog-loggraphiclog-loggraphic

Flat in thevicinity of

the minimum

Flat in thevicinity of

the minimum

Not enoughtests

Not enoughtests

Too muchtests

Too muchtests

Two testintervals

for the sameU

Two testintervals

for the sameU

Parameters:λλλλ : failure rateττττ : test intervalµµµµ : repair rateγ γ γ γ : prob. failure due to a demand

Parameters:λλλλ : failure rateττττ : test intervalµµµµ : repair rateγ γ γ γ : prob. failure due to a demand

AA

Need fordata collectionto estimate γγγγ

Need fordata collectionto estimate γγγγ




Simplest approximation of the PFDavg for redundant systems

22

11 2

0

λτλττ

δδλτ

ττ

==≈= ∫ dUavg ..)(PFD A


AA

OKOK KOKO

τ / 2τ / 2τ / 2τ / 2

ττττ

OKOK KOKO

τ / 3τ / 3τ / 3τ / 3

ττττAA

BB

44

11 343

0

3 )().()(PFD ABC

λττλτ

δδλτ

ττ

==≈= ∫ dUavg

OKOK KOKO

τ / 4τ / 4τ / 4τ / 4

ττττ

AA

BB

CC

Even for simplest systems, each case implies specific

Taylor expansion development

Even for simplest systems, each case implies specific

Taylor expansion development


duration


duration

Taylor expansionλδλδλδλδ <<1

Taylor expansionλδλδλδλδ <<1

)().().()(),().()( CBAABCBAAB τττττττ UUUUUUU ≠≠

Notpossible to

combineformulae!

Notpossible to

combineformulae!

Catalog ofad hoc formulae

Catalog ofad hoc formulae

33

11 232

0

2 )().()(PFD AB

λττλτ

δδλτ

ττ

==≈= ∫ dUavg

Effect of systemicdependencies

Effect of systemicdependencies

Not in linewith reliability

analysisphilosophy

Not in linewith reliability

analysisphilosophy


TC67

WG4

Multi-phase Markovian approach


Multi phase Markov model

)(*])[*()( 0ii MEXP PrPrPrPr

PrPrPrPr

δδ =

∫=τ

δδτ0

d).()( ii PrPrPrPr

AST

AST

AST

AST

τττ /)(1)( Aavg AST

AST

AST

AST

−== UPFD

λλλλ

µµµµA

DU

R

A

DU

R

A

DU

R

1

1

1

Linkingmatrix

[C]

Linkingmatrix

[C]

ττττ δδδδ



AA

AvailableAvailable

Dangerousundetected

failure

Dangerousundetected

failure

RepairRepair

Markovmatrix[M]

Markovmatrix[M]

Behaviorduring test

intervals

Behaviorduring test

intervals

Effect ofthe test

Effect ofthe test

λλλλ

µµµµA

DU

R

A

DU

R

A

DU

R

1

1

1

AccumulatedSojournTimes

AccumulatedSojournTimes

TestTest

)(].[)( τ10 −= ii PrPrPrPr

CCCCPrPrPrPr

)()()( A δδδ PrPFD −== 1U

Repairstarts as soonas the fault is

detected

Repairstarts as soonas the fault is

detected


Typical saw -tooth curves for a singleperiodically tested component

Classical saw-tooth curve

Classical saw-tooth curve

λ λ λ λ ��λ λ λ λ ��

1/µ 1/µ 1/µ 1/µ ��1/µ 1/µ 1/µ 1/µ ��

1/µ 1/µ 1/µ 1/µ ��1/µ 1/µ 1/µ 1/µ ��

τ τ τ τ ��τ τ τ τ ��

ττττ ��0Idem revealed

faults

ττττ ��0Idem revealed

faults

AA


1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ

U(t)

U(T)

T

U(t)

U(T)

T

U(t)

U(T)

T

Ut)

U(T)

T

U(T)

U(t)

T


due to a demandππππ : test duration


due to a demandππππ : test duration


U(t)

T

U(T)

γγγγ

1 - γγγγ

Modeling the probability of failure due to the demand itself and the test duration

γγγγA

R

DU

A

R

DU

Test

1U(t)

ππππ

Failure dueto tests ( γγγγ)

Failure dueto tests ( γγγγ)

Testduration

Testduration

T


TC67

WG4

Fault tree approach


Indisponibilitédes feuilles

Indisponibilitédes feuilles

Fault tree driven Markov processes: principle for unavailability calculation.

Top

E1

E2 E3

t

U1(t)

t

U2(t)

t

U3(t)

t

US(t)

ti

ti

titi

Calculate N results distributedover the time interval [0, T]

Calculate N results distributedover the time interval [0, T]

Calculate the systemunavailability at ti (Top)Calculate the system

unavailability at ti (Top)

Select an instant tiSelect an instant ti

Calculate each leaf unavailability of at ti

Calculate each leaf unavailability of at ti

Systemunavailability


US(t)US(t)FT driven Markov

processesFT driven Markov

processes

Establish Uk(t) foreach leaf.

Establish Uk(t) foreach leaf.

Independentcomponents Independentcomponents

Markovprocesses

Markovprocesses

Leavesunavailabilities

Leavesunavailabilities


1 2

TOP

1 2

TOP

λλλλ : 1e-4ττττ : 1000 λλλλ : 1e-4ττττ : 1000 Max : 1.81 10 -1

Mean : 9.37 10 -2Max : 1.81 10 -1

Mean : 9.37 10-2Max : 1.39 10 -1

Mean : 9.01 10 -2Max : 1.39 10 -1

Mean : 9.01 10-2

1 2

1 2

Hips Unavailability

0 1000 2000 3000 4000

1e-1

0 1000 2000 3000 4000

5e-2

0 1000 2000 3000 4000

5e-2

Hips Unavailability

0 1000 2000 3000 4000

1e-1

0 1000 2000 3000 4000

5e-2

0 1000 2000 3000 4000

5e-2

Staggering

5e-2(λτλτλτλτ/2)5e-2(λτλτλτλτ/2)

9.75 10-29.75 10-2


• No Max value• Staggering not

possible

• No Max value• Staggering not

possible

• Conservative• Conservative

UsualCalculations

UsualCalculations

CorrectCalculations

CorrectCalculations

PFDi(t)PFDi(t)PFDavgPFDavg

Becautious

Becautious

Independentcomponents

PFD(t)PFD(t)??!??!

OR gate

PFDavgPFDavg

1 2

TOP


2

1

UsualCalculations

UsualCalculations


2.25 10-32.25 10-3


1 2

TOP

Non conservativeNon conservative

λλλλ : 1e-4ττττ : 1000 λλλλ : 1e-4ττττ : 1000

11 22

No max valueNo max valueCorrect

CalculationsCorrect

Calculations

Max : 9.05 10 -3

Mean : 3.13 10 -3

Max : 9.05 10 -3

Mean : 3.13 10 -3Max : 4.6 10 -3

Mean : 1.92 10 -3

Max : 4.6 10 -3

Mean : 1.92 10 -3

1 2

TOP

1 2

TOP

0 1000 2000 3000 4000

5e-2

0 1000 2000 3000 4000

5e-2

0 1000 2000 3000 4000

5e-2

0 1000 2000 3000 4000

5e-2

Unavailability

0 1000 2000 3000 4000

5e-3

Unavailability

0 1000 2000 3000 4000

2e-34e-35e-3

Staggering

Staggering not possible

Staggering not possible

PFD(t)PFD(t)PFDavgPFDavg

Be verycautiousBe verycautious

PFD(t)PFD(t)

PFDavgPFDavg

Independentcomponents

AND gate


Parameters of a periodically tested component (dangerous undetected failures)

DU Failurerate

DU Failurerate

Failure rateduring testFailure rateduring test

Repairrate

Repairrate

TestdurationTest

duration

TestintervalTest

interval

Date of 1st testDate of 1st test

Probabilityof failure dueto the test

Probabilityof failure dueto the test

Availabilityduring testAvailabilityduring test

TestcoverageTest

coverageProba. of

reconfigurationfailure

Proba. ofreconfiguration

failure

ClassicalparametersClassical

parameters

Teststaggering

Teststaggering

Big PFDcontributor

when unavailable

Big PFDcontributor

when unavailable

Genuine PFDGenuine PFD

GenerallyneglectedGenerallyneglected

Smallcontributor

Smallcontributor

Failuresnever tested

Failuresnever tested Should be

discovered atthe next test

Should be discovered atthe next test

Generallyignored

Generallyignored

Simplestmodels

Simplestmodels

IEC61508

IEC61508


FT driven Markov processes:application to safety systems.

E1, E2 & E3reasonably

independent

Top

E1

E2 E3

0

0.025

0.075

0.1

0 10000 20000 30000 40000

t

U1(t)

0

0.4

0.81

0 10000 20000 30000 40000

t

U2(t)

00.04

0.12

0.2

0 10000 20000 30000 40000

t

U3(t)

0

0.1

0.2

0.3

0 10000 20000 30000 40000

t

US(t)

Multi-phaseMarkov processes

Multi-phaseMarkov processes

Fault treeinputs

Fault treeinputs

- On demand failure ( γγγγ)- Test coverage ( σσσσ) - On demand failure ( γγγγ)- Test coverage ( σσσσ)

-Test duration ( ππππ)- unavailable during tests-Test duration ( ππππ)- unavailable during tests

Simplesaw-tooth curve

Simplesaw-tooth curve



PFDavgPFDavg

Describedin IEC

61508 Ed2

Describedin IEC

61508 Ed2


TC67

WG4

RBD driven Petri net and Monte Carlo simulation

approaches


Simulation of any probability law

1

0

F(x)

x

F(x)=P(X≤x)

X: wanted distribution

(cdf)

X: wanted distribution

(cdf)

0 z

P(Z ≤ z)

Z: Uniform distributionZ: Uniform distribution

1

1

1

2

3 1

Randomnumber

Randomnumber

x = F-1(z) distributedalong to F(x)

x = F-1(z) distributedalong to F(x)

λδ )(zLN−=

ex: delay δδδδexponentiallydistributed

ex: delay δδδδexponentiallydistributed

Cumulateddistribution

function(cdf)

Cumulateddistribution

function(cdf)


Random number generators

PhysicalmethodsPhysicalmethods

Decimals of ππππDecimals of ππππ

Pseudo randomnumber generators

Pseudo randomnumber generators Xn+1= (a.Xn+b) mod mXn+1= (a.Xn+b) mod m

Linear congruential generators

Linear congruential generators

3,1415926535897932384626433832795028841971693993751058209749445923078164062862089986280348253421170679 82148086513282306647093844609550582231725359408128 ...

3,1415926535897932384626433832795028841971693993751058209749445923078164062862089986280348253421170679 82148086513282306647093844609550582231725359408128 ...

ComputerComputer

J. Von Neumann

Trajectoryof the bouleTrajectory

of the boule

Zenerdiode

Thermalnoise

Thermalnoise

Several billons are known

Several billons are known

Length ofone revolution

Length ofone revolution

Widelyused

Widelyused


Periodically tested component

OKOK

DUDU

RR

??MT==true !Ci=false

AvailableAvailable

Non detectedfault

Non detectedfault

RepairRepair

!!Ci=true

Assertion:State of thecomponent

Assertion:State of thecomponent

µµµµ

δ= τδ= τδ= τδ= τ−−−− t mod(τ(τ(τ(τ))))

DDDD

Detectedfault

Detectedfault

!! MT=false

!!MT=true

FailureFailure

TestTest

Start ofrepair

Start ofrepair

End ofrepair

End ofrepair

δ= 0δ= 0δ= 0δ= 0

Predicate:availability of the

maintenance team

Predicate:availability of the

maintenance team

Place:local state

Place:local state

Transition:event

Transition:event

Token:actual local

state

Token:actual local

state

Arcs:links place/transitions

Arcs:links place/transitions

Statevariable Ci

Statevariable Ci


OK

DU

R

??MT==true

DD

!! MT=false

!!MT=true

test

Repair team mobilization

nM

MOL

ωωωω

OK

DU

R

DD

test

2/3 O1

A

BE

FDO1 O2 S

C

RBD driven PN modelling: applicationto SIL calculations

Simple periodicallytested component

Simple periodicallytested component

SIS modelSIS model

O1=A.B+A.C+B.C

O2= O1.D

S= O2.(E+F)

!-A

! A

IEC 61508ISO/TR 12489

IEC 61508ISO/TR 12489

•Reliability•Availability•Frequency

•Reliability•Availability•Frequency

StatisticsStatistics

-PFDavg-PFH-PFDavg-PFH

GlobalassertionGlobal

assertion

!-E

! E

Monte carlosimulation

Monte carlosimulation

VirtualRBD

VirtualRBD

Statevariable A

Statevariable A

Statevariable E

Statevariable E

λλλλDDµµµµ

DD

OK

!-D

! D

Statevariable D

Statevariable D

Simple componentwith revealed failuresSimple component

with revealed failures

!!NbR=NbR+1

!!NbR=NbR-1

OL

M

??NbR>0

??NbR==0

- Nb. component failed: !NbR- Repair resources on location: OL- Repair team mobilized: M

- Nb. component failed: !NbR- Repair resources on location: OL- Repair team mobilized: M

Simple periodicallytested component with

repair team mobilization

Simple periodicallytested component with

repair team mobilization

SS


Parameter calculations: The magic sub PN!

OK

KO

AvailabilityAvailability

UnavailabilityUnavailability

UnreliabilityUnreliability

MTTFMTTF

Detectionof the first

failure

Detectionof the first

failure

PFDavg =Mean markingPFDavg =

Mean marking

PFD(t) =KO marked at tPFD(t) =

KO marked at t

PFH = failure frequency

(not ultimate layer)

PFH = failure frequency

(not ultimate layer)

PFH≈≈≈≈ 1/MTTF

(ultimate layer)

PFH≈≈≈≈ 1/MTTF

(ultimate layer)

Single shotSingle shot PFH≈≈≈≈ F(T)/T

(ultimate layer)

PFH≈≈≈≈ F(T)/T

(ultimate layer)

?? S=0?? S=0

?? S=1?? S=1

S=1S=1S=0S=0S=1S=1

Beware

of this

formula

Beware

of this

formula

VirtualRBD

output

VirtualRBD

output


Example of Monte Carlo output(50 000 histories)

2/3 O1

AA

BBEE

FFDDO1 O2 S

CC O1=A.B+A.C+B.CO1=A.B+A.C+B.C

O2= O1.DO2= O1.D

S= O2.(E+F)S= O2.(E+F)Sensors availability

0.4

0.6

0.8

1

0 5000 10000 15000 20000 25000 30000 35000

Time

Availability of 3 sensors in 2oo3

0.4

0.6

0.8

1

0 5000 10000 15000 20000 25000 30000 35000

Time

Logic solver with revealed failures

0.9984

0.9988

0.9992

0.9996

1

0 5000 10000 15000 20000 25000 30000 35000

Time

Avalability of safety valves

0.4

0.6

0.8

1

0 5000 10000 15000 20000 25000 30000 35000

Time

SIS availability

0.4

0.6

0.8

1

0 5000 10000 15000 20000 25000 30000 35000

Time

SIS unavailability – PFD( t)

0

0.2

0.4

0.6

0 5000 10000 15000 20000 25000 30000 35000

Time

Not SNot S

PFDavgPFDavg

SS


Monte Carlo simulation uncertainties

90%confidence

interval

90%confidence

interval

Unavailability(500 histories)

0

0.1

0.2

0.3

0.4

0.5

0.6

0 5000 10000 15000 20000 25000 30000 35000

Time

A(t)A(t)

PFDavgPFDavg


Other possible outputs

Unreliability

0

0.2

0.6

1

0 5000 10000 15000 20000 25000 30000 35000

Time

Time to failure

0

2000

4000

6000

0 5000 10000 15000 20000 25000 30000 35000

Time

Accumulated number of failures

0

2

4

6

0 5000 10000 15000 20000 25000 30000 35000

Time

Average failure frequency

0

0.00004

0.00012

0.0002

0 5000 10000 15000 20000 25000 30000 35000

Time

Average failure frequency

0.00016

0.000162

0.000166

0.00017

0 5000 10000 15000 20000 25000 30000 35000

Time

MTTFMTTF


TC67

WG4

Multiple safety systems


Two simple SIS acting in sequence

SIS1SIS2 Situation

Perfect functioningYes

Hazardous eventNo

NoYes

Degraded functioning

Processdemand

Safestates

ww

demandfrequency

F1(t)= λλλλ1111tF1(t)= λλλλ1111tww

λλλλ1111, τ, τ, τ, τλλλλ1111, τ, τ, τ, τ


U1(t)≈λλλλ1111....t

U2(t)≈λλλλ2222t

F2(t)= λλλλ2222....tF2(t)= λλλλ2222....t 3)()(

22

21τλλδδλλ

τδδδ

τττ 210

210

11wdwdw == ∫∫ FFHEFS

ww PFD1= λλλλ1111τ τ τ τ / 2PFD1= λλλλ1111τ τ τ τ / 2 PFD2= λλλλ2222τ τ τ τ / 2PFD2= λλλλ2222τ τ τ τ / 24

..2

21τλλ 21ww == PFDPFDHEFS

Simplistic calculation(e.g. LOPA)


Notconservative

Notconservative

Multiple SISMultiple SIS

Probabilityof failure at δδδδProbability

of failure at δδδδ

Probability offailure at t


HazardousEventFrequency

HazardousEventFrequencyAverage

probabilityof failure

Averageprobabilityof failure

Riskreduction

over estimatedby 25%

Riskreduction


Effect dueto systemic

dependencies

Effect dueto systemic

dependencies


U2(t)≈(λλλλ2222....t)2

Two Redundant SIS acting in sequence

SIS1SIS2 Situation

Perfect functioningYes

Hazardous eventNo

NoYes

Degraded functioning

Processdemand

Safestates

ww

demandfrequencydemand

frequency

F1(t)= (λλλλ1111t)2F1(t)= (λλλλ1111t)2ww F2(t)= (λλλλ2222....t)2F2(t)= (λλλλ2222....t)2

5)()()(

44

21τλλδδλλ

τδδδ

τττ 2

22

12

021

0

11wdwdw == ∫∫ FFHEFS

ww PFD1= (λλλλ1111ττττ)2 / 3PFD1= (λλλλ1111ττττ)2 / 3 PFD2= (λλλλ2222τ τ τ τ )2 2 2 2 / 3PFD2= (λλλλ2222τ τ τ τ )2 2 2 2 / 39

..4

21τλλ 2

22

1ww == PFDPFDHEFS



Notconservative

Notconservative

Multiple SISMultiple SIS

Probabilityof failure at δδδδProbability

of failure at δδδδ



HazardousEventFrequency

HazardousEventFrequencyAverage

probabilityof failure

Averageprobabilityof failure


λλλλ1111, τ, τ, τ, τλλλλ1111, τ, τ, τ, τ λλλλ2222, τ, τ, τ, τλλλλ2222, τ, τ, τ, τ

λλλλ2222, τ, τ, τ, τλλλλ2222, τ, τ, τ, τU1(t)≈(λλλλ1111....t)

2

Riskreduction


Riskreduction


The effectof systemic

dependenciesincreases when

redundancyincreases

The effectof systemic

dependenciesincreases when

redundancyincreases


PDFavgPDFavg

Scenariosprobabilities

Initiatingevent

Protectionlayer 1

Protectionlayer 2

Protectionlayer 3

yes

Noyes

No yes

No

p1(t)

1-p1(t)

p2(t)

1-p2(t)

p3(t)

1-p3(t)

Event tree (multiple SIS) or fault tree (redundant SIS) calculation difficulties

1-p11-p1

p1(1-p2)p1(1-p2)

p1.p2.p3p1.p2.p3

p1.p2(1-p3)p1.p2(1-p3)

CommonCause

Failures

CommonCause

Failures

Constantprobabilities

Constantprobabilities

AsymptoticprobabilitiesAsymptoticprobabilities

Instantaneousprobabilities

Instantaneousprobabilities

Averageprobabilities

Averageprobabilities

Popularcalculation

Popularcalculation

p1(ττττ).p2(ττττ).p3(ττττ).dττττp1(ττττ).p2(ττττ).p3(ττττ).dττττ1

T 0

T

1-p1(t)1-p1(t)

p1(t) [1-p 2(t)]p1(t) [1-p 2(t)]

p1(t).p2(t).p3(t)p1(t).p2(t).p3(t)

p1(t).p2(t) [1-p 3(t)]p1(t).p2(t) [1-p 3(t)]

Nonconservative

results

Nonconservative

results

Explained in IEC 61511and ISO/TR 12489

Explained in IEC 61511and ISO/TR 12489

Systemicdependen-

cies

Systemicdependen-

cies


That's allFolks...

That's allFolks...

Anyquestions

?...

Anyquestions

?...

PETROBRAS Rio, November 201456-

SIL Bridge ! PFDavg is not reallya good indicator for worker in operation

PFDavg is not reallya good indicator for worker in operation

ISO/TR 12489: Reliability modelling & calculation of ...€¦ · TC67/ WG4 Overall framework of...

Documents

Transcript of ISO/TR 12489: Reliability modelling & calculation of ...€¦ · TC67/ WG4 Overall framework of...