Scribd
Upload
425 views15 pages

Key Variables Needed For PFDavg Calculation

The document discusses key variables that must be included when calculating the average Probability of Failure on Demand (PFDavg) for safety instrumented systems. It identifies 9 key variables: 1) failure rates, 2) mission time, 3) proof test intervals, 4) proof test effectiveness, 5) proof test duration, 6) mean time to restore, 7) probability of initial failure, 8) site safety index, and 9) redundancy. Excluding these variables can result in an optimistic PFDavg calculation that may compromise safety. An example shows how different values for variables can change the calculated PFDavg by an entire safety integrity level.

Uploaded by

nubbler
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
425 views15 pages

Key Variables Needed For PFDavg Calculation

The document discusses key variables that must be included when calculating the average Probability of Failure on Demand (PFDavg) for safety instrumented systems. It identifies 9 key variables: 1) failure rates, 2) mission time, 3) proof test intervals, 4) proof test effectiveness, 5) proof test duration, 6) mean time to restore, 7) probability of initial failure, 8) site safety index, and 9) redundancy. Excluding these variables can result in an optimistic PFDavg calculation that may compromise safety. An example shows how different values for variables can change the calculated PFDavg by an entire safety integrity level.

Uploaded by

nubbler
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 15

TheKeyVariablesNeededforPFDavgCalculation

IwanvanBeurden,CFSE
Dr.WilliamM.Goble,CFSE
exida
Sellersville,PA18960,USA
[email protected]
July2015
Update1.2September2016

Abstract

Inperformancebasedfunctionalsafetystandards,safetyfunctiondesignsareverifiedusing
specifiedmetrics.AkeymetricforprocessindustrydesignsiscalledaverageProbabilityof
FailureonDemand(PFDavg).Afterseveralstudiesofmanyfieldfailureandprooftestreports,
severalvariableshavebeenidentifiedaskeytoarealisticPFDavgcalculation.Mostsimplified
equationsincludingtheinformativesectioninIEC61508,Part6donotincludeseveralkey
variables.Itisshownthatexclusionoftheseparametersmayresultinanoptimisticmetric
calculationwhichmayresultinanunsafedesign.

ThispaperidentifiesthekeyvariablesthatneedtobeincludedinaPFDavgcalculationand
providessomesimplifiedequationsshowingtheimpactofmostvariables.Anexampleshowing
twosetsofvariablesrevealsanentireSILleveldifferenceinPFDavgcalculationresults.

Introduction

IEC61511,thefunctionalsafetystandardfortheprocessindustries,isperformancebased.
Ratherthanhavingspecificdesignsandalonglistofspecificrulesthatbecomeobsolete,the
IEC61511standardallowsanydesigntobeimplemented.Thestandardallowsthedesignto
useoldproductsornewtechnology.Thestandardallowsinnovationandgoodengineering.
However,anydesignmustbeverifiedwithdocumentedperformancemetricswhichmust
matchriskreductionrequirementsintheformofsafetyintegritylevels(SIL).Inordertoverify
thatadesignmeetstheneededriskreduction,thedesignermustcheckthreeperformance
criteria[1].exidacallsthesethethreebarriers.

TheKeyVariablesNeededforPFDavgCalculation
TheachievedSILlevelistheminimumof:
Barrier1 SILlevelbasedonSystematicCapability(SC)ofeachdeviceusedina
safetyinstrumentedfunction(SIF).SCisameasureofdesignqualitythat
showssufficientprotectionagainstsystematicdesignfaultswithina
device.SCisachievedbyeitherchoosingacertifieddevicewith
systematiccapabilitytothegivenSILlevelorbycompletingaprioruse
justificationofadevicetothegivenSILlevel.
Barrier2 SILlevelbasedonaPFH(highdemand),oraPFDavg(lowdemand)forall
equipmentinaSIF.
Barrier3 SILlevelbasedonminimumarchitectureconstraints(SILac)foreach
element(subsystem)inaSIF.Therearemanydifferenttablesthatcan
beusedtoestablisharchitectureconstraints;someareinIEC61511,and
twoalternativesareinIEC61508(Route1HorRoute2H).

AllthreeofthesedesignbarriersmustachievethetargetSILlevelorgreater.IfaSIFdesign
onlymeetstwoofthebarrierstheworstcase(lowest)SILlevelwins.

BarrierTwo:PFDavgCalculation

PFDavgcalculationisanextremelyimportantpartofsafetyengineeringinlowdemand
applicationsasitisprobablythehardestofthethreebarrierstomeetifrealisticassumptions
aremadeandifrealisticfailureratesareused(www.SILSafeData.com).Targetlevelsfor
PFDavgaredefinedinIEC61508foreachof4SafetyIntegrityLevels(SIL).Thehighestsafety
levelisachievedinSILlevel4andthelowestisSILlevel1.Table1showsthatPFDavgfora
givensetofsafetyfunctionequipmentwillcorrespondtoanequivalentSILlevelwithinan
orderofmagnituderange.

SafetyIntegrityLevel LowDemandModeofOperation
(AverageProbabilityofFailureonDemand,PFDavg)

4 105to<104

3 104to<103

2 103to<102

1 102to<101

Table1:SILLevelrelatedtoPFDavg

HowdowecalculatearealisticnumberforPFDavg?Whatvariablesneedtobetakeninto
accountwhencalculatingPFDavg?

TheKeyVariablesNeededforPFDavgCalculation
PFDavgKeyVariables

Asaresultofresearchintohundredsofsetsoffieldfailuredataandprooftestresults,a
numberofthingshavebeenobservedwhichmaysignificantlyimpactaPFDavg.exidahas
compiledalistcomprisedofninevariablesthatmustbeconsideredinordertocalculatea
realisticandsafePFDavg.

1. Failureratesofeachdeviceincludingfailuremodesandanydiagnostic
coveragefromautomaticdiagnostics,DD,DU(attributesofthe
equipmentchosen).
2. MissionTime,MTthetimeperiodasetofequipmentwillbeoperated
beforeoverhaulorreplacement(assignablebyenduserpractices).
3. ProofTestIntervals,TI(assignablebyenduserpractices).
4. ProofTestEffectiveness,Cpt(anattributeofprooftestmethod).
5. ProofTestDuration,PTD(anattributeofenduserpractices).
6. MeanTimeToRestore,MTTR(anattributeofenduserpractices).
7. ProbabilityofInitialFailure,PIF(anattributeofenduserpractices).
8. SiteSafetyIndex,SSI(anattributeofenduserpractices).
9. Redundancyofdevicesincludingcommoncausefailures(anattributeof
SIFdesign).

Manyofthesevariablesarenotcommonlyrecognizedandthereforenotincluded,yettheymay
impacttheresultbyaSILlevelormore.

FailureRates,DD,DU

Failurerates,inparticularthedangerousfailurerates,comefromavarietyofsources[2,3,4].
MostmanufacturersprovideanFMEDApredictionthathasbeenverifiedbyfaultinjection
testingandfieldfailureanalysis[5,6].

Whenautomaticdiagnosticsaredesignedintoadeviceorsubsystem,FMEDAanalysiscan
distinguishbetweenthosefailuresdetectedandthoseundetectedbytheautomatic
diagnostics.Thetotaldangerousfailurerate, ispartitionedintotwosubcategories: ,
DangerousDetectedand ,DangerousUndetected.

TheKeyVariablesNeededforPFDavgCalculation
MissionTime,MT

MissionTimeisaperiodoftimeduringwhichasetofequipmentoperates.Thisisanold
reliabilityengineeringtermthatisusedtodefinetheprobabilitycalculationperiod.Mostend
userschooseaMissionTimeof5,10,20,or30yearswhichcorrespondstotheendoflifefor
theprocessequipmentoraperiodoftimebetweeneachmajorshutdownand
overhaul/replacementofallequipment.AnySIFdevicethatreachestheendofitsusefullife
duringtheMTisreplacedorcompletelyoverhauledandtestedbeforetheMTends.
Givenadangerousfailurerateandamissiontime,anapproximationforprobabilityoffailure
forasimplex(nonredundant)systemcanbeshowntobe:

PFD= DU*MT.

TheaverageProbabilityofFailureonDemandisthen:

PFDavg=DU*MT/2.

ImpactofanIdealProofTestProofTestIntervals

InmostindustrialapplicationswhereaSafetyInstrumentedSystem(SIS)ispresent,itis
possibletodesigntheSIFsothatitcanbemanuallyprooftestedtoseeifitisworkingornot.If
anassumptionismadethattheprooftestis100%effectiveandrequiresnobypasstime,thisis
calledaperfectprooftest.Nowthisassumptionisquiteunrealisticbutisusefulinshowingthe
developmentofsimplifiedequationstocalculatePFDavg.Attheendofaperfectprooftestwe
mayconcludethereisnofailure.Thismeansthattheprobabilityoffailureatthatmomentin
timeisideallyzero.ThePFDasafunctionoftimewithperfectprooftestlookslikearepeating
sawtoothasshowninFigure1.

PFD(t)
PerfectProofTestImpact

MissionTimeInterval

Figure1:ProbabilityofFailureonDemand(PFD)asafunctionoftimeshowingmultiplecycles
withaperfectprooftest.

TheKeyVariablesNeededforPFDavgCalculation
ThebookControlSystemsSafetyEvaluationandReliability[7],Chapter8explainsthe
derivationofthischartingreatdetailandprovidestheequationforPFDavgas:

TheMTisnolongeravariableinthissituationbecausethePFDavgofeachoftheprooftest
cyclesisthesameasthePFDavgofthefirstcycle.ThisequationforPFDavgisofcoursevery
idealisticandunrealistic,butitisagreatplacetostartthedevelopmentofmorerealistic
modelsandequations.

ProofTestEffectiveness

Whathappensinarealprooftest?Itcanclearlybeshownviadetailedanalysisofdevicesand
examplesthatnorealprooftestisperfect.Therearemanyexamplesoffailuresinproducts
thatcannotbedetectedbyprooftesting.Anobviousexampleisaprooftestdonebyputtinga
blockingdeviceonanactuatorandcheckingtoseeiftheactuator/valveassemblyattemptsto
move.Thisdoesshowthataportionofthesubsystemisworkingbutthetestgivesno
indicationofthehealthofmanypartsincludingthevalveseat.Didthevalveactuallyseal?This
testcannottellandisclearlynotperfect.

WhathappenstoPFDwhenyouhaveanimperfectprooftest?Attheendoftheprooftestitis
knownthattheprobabilityoffailureisreducedbutitisnotzerobecausenotallfailuresare
detected.Probabilityoffailureisreducedtosomevalueabovezero.Theprobabilityoffailure
willincreaseaftereachprooftest.Thiscontinuesfortheentiremissiontimeofthesystem.
Figure2showstheprobabilityoffailureondemand(PFD)asafunctionoftimeforanimperfect
prooftest.

PFD (t)

CPT

Proof Test Interval

Mission Time Interval


Figure2:ProbabilityofFailureonDemandasafunctionoftimewithimperfectprooftesting.

TheKeyVariablesNeededforPFDavgCalculation
Figure3showsthePFDavgfortheentireMTconsistingofsixprooftestintervals.Comparing
thePFDavgofthefirsttestintervalwiththeoverallPFDavgclearlyshowsalargerPFDavgfor
theentireMT.Thisdifferenceisduetoprooftesteffectiveness.

PFD(t)

PFDavg

PFDavgFirstTI CPT

Proof Test Interval

MissionTimeInterval

Figure3:ProbabilityofFailureonDemandwithimperfectprooftestingshowingPFDavg.

Prooftesteffectivenesscanbeexpressedinasimplifiedapproximateequation.Theprooftest
effectiveness, ,isanumberbetween0100%whichindicatestheportionoftheDU
detectedbythemanualprooftest.Thefirsttermofthenewequationusestheidealformula
forPFDavgmultipliedbyCPTasthosefailuresaredetectedbytheprooftest.Thesecondterm
ofthenewequationshowsfailuresnotdetectedbytheprooftest(1CPT)withalongertime
interval,MT.

MeanTimeToRestore(MTTR)

Whenasafetyfunctionhasautomaticdiagnostics,thePFDavgisimpactedbytheMTTRunless
theSIFisprogrammedtoautomaticallyshutdownonadetectedfailure.Assumingthisisnot
done,whenafailureisdetectedbyanautomaticdiagnostic,annunciatedtooperations
personnel,andarepairpersonisdispatchedquicklysothattheaveragerepairtimeis
maintained,thenthe failureonlycontributestothePFDforasmalldurationoftimecalled
MeanTimeToRestore(MTTR).Thisamountoftimeistheaveragetimeittakestofind,
diagnose,andrepairafailureinasystem.ThePFDavgequationforthissituationis:

Whenthisisaddedtothepreviousequation,theresultis:

TheKeyVariablesNeededforPFDavgCalculation
Everytimeasystemfailswerepairit.Aslongastheaveragerepairtimeismaintained,the
portionofthatequationisvalid.

ProofTestDuration(PTD)

Whenprooftestingisdonewiththeprocessactiveandhazardspresentthenprooftest
designersmustdecideifthesafetyfunctionmustbebypassedduringtheprooftest.Asafety
functionbypassisdonewhenthetestingwill(ormight)causeafalsetripoftheprocessunit.
WhathappenstoPFDduringthatbypasstime?Whenasafetyfunctionisputonbypassthat
meansitwillnotrespondtoademand.ThePFDduringthedurationoftheprooftestperiod
equals1.ThiswillcausethePFD(t)functiontolooklikeFigure4,wherePFDgoesto1forthe
durationoftheprooftestandthendowntotheexpectedlevel.

1
Proof Test starts. Proof Test complete,
Safety function put bypass is removed.
into bypass.
PFD

Dangerous Failure
occurs

Proof Test Duration (PTD)

Mission Time

Figure4:ProbabilityofFailureonDemandduringaprooftestbypasswithnofailurefound.

Howdoweaccountforthistime,knownasProofTestDuration(PTD)?Thetimespentin
bypass(PTD)occursonceeveryprooftestinterval(TI).ThereforethePFDavgduetoPTDisa
newtermintheequation.Ifnoproblemisfoundduringtheprooftestthen:

TheKeyVariablesNeededforPFDavgCalculation
However,whenthereisaproblemfoundduringtheprooftest,theaveragetimeneededto
repairtheproblemandrestoresafetyfunctionoperation(MTTR)mustbeaccountedfor.The
equationthenlookslikethis:

Byseparatingthetwotermsinthenumerator,wecanmultiplythesecondtermbythe
probabilityofdangerousfailure.Thisaccountsfortheprobabilityoffindingaproblemduring
theprooftestinterval.Theequationthenlookslike:

whichsimplifiesto:

TheequationabovecannowbeaddedtoourexistingPFDavgequationtocreateanequation
thataccountsforallvariablessofarconsidered:

whichsimplifiesto:

ProbabilityofInitialFailure(PIF)

ProbabilityofinitialfailuremeansthatadevicedoesnotworkwhenaSIFisfirstbroughtinto
operation.Ineffect,thePFDis1atleastuntilthefirstprooftest.Anextensivestudyof
detailedprooftestdata[8,9]showedthattherewasclearlyaprobabilityofinitialfailurein
sometypesofdevicesusedinSIFapplications.Threeindependentdatasetsofpressurerelief
valvespredictedaninitialfailureprobabilityofapproximately1%1.6%.Thisinitialfailure
probabilitywasextremelysignificantasitaccountedforthemajorityoffailuresobservedin
prooftest.Thisappearstohappenwhenthereisnotcarefulinstallationandthorough
commissioningprocedures.Whencommissioningtestingcannotbedoneafterinstallation,
thereisahigherPIF.ThiscanbemodeledintheapproximationequationbyaddingthePIF
contribution.

TheKeyVariablesNeededforPFDavgCalculation

SiteSafetyIndex(SSI)

Duringadetailedstudyoffieldreturns[10]atMooreProductsCo.inthelate1990s,itwasdiscovered
thatthereturnrateforidenticalmoduleswas4timesdifferentfromonesitetoanother.Somefailures
wereduetosystematicproblemswhereuntrainedpeopleweredamagingequipmentduringtheirproof
testprocess.Howeverwhenthosefailureswereremovedfromthedata,therewasstillroughlya2X
differenceinfailurerateforthesamedevicefromsitetosite.

Sincethe1998study,severalotherfieldfailurestudiesfromanumberofdifferentsources,primarily
endusersintheprocessindustries,haveindicatedthereisalsoadifferenceinfailureratesforthesame
productfromsitetosite.Typicallytheratioisaveragingbetween1.2and3timesdifferencedepending
onproducttype.

Thereforeweconcludethatrandomfailurescanbedividedintotwocategories.Therearerandom
failuresattributedtoaproductandrandomfailuresthataresitespecific.Theseseemtoberelatedto
procedures,training,andothervariablesthatsomehavecalledthesafetyculture.exidadefinesthis
variableastheSiteSafetyIndex(SSI)[11].

SeveralfactorshavebeenidentifiedthusfarwhichimpacttheSSI.Theseincludethequalityof:

1. CommissioningTest
2. SafetyValidationTest
3. ProofTestProcedures
4. ProofTestDocumentation
5. FailureDiagnosticandRepairProcedures
6. DeviceUsefulLifeTrackingandReplacementProcess
7. SISModificationProcedures
8. SISDecommissioningProcedures
9. Andothers

SSIcanbeevaluatedusingasetofquestionsandascoringsystem[12,13,14].TheSSImodelhasfive
levelsasshowninTable1.

TheKeyVariablesNeededforPFDavgCalculation

Table1:FivelevelsofSiteSafetyIndexfromexSILentia

Level Effectiveness Description


PerfectRepairsarealwayscorrectlyperformed,Testingisalways
donecorrectlyandonschedule,equipmentisalwaysreplacedbefore
SMI4 100% endofusefullife,etc.
AlmostperfectRepairsarecorrectlyperformed,Testingisdone
correctlyandonschedule,equipmentisreplacedbeforeendof
SMI3 99% usefullife,etc.
GoodRepairsarecorrectlyperformed,Testingisdonecorrectlyand
mostlyonschedule,mostequipmentisreplacedbeforeendofuseful
SMI2 90% life,etc.
MediumRepairsareoftencorrectlyperformed,Testingisdoneand
mostlyonschedule,someequipmentisreplacedbeforeendof
SMI1 60% usefullife,etc.
NoneRepairsarenotperformed,Testingisnotdone,equipmentis
SMI0 0% notreplaceduntilfailure,etc.

PIF,failurerates,probabilityofsuccessfulrepair,probabilityofsuccessfulprooftest,andprobabilityof
doingaprooftestonscheduleareallimpactedbySSIbecauseofthestochasticnatureofthose
probabilities.

Redundancy

Whataboutredundancy?Toaccountforredundancy,timedependentprobabilitiescanbeusedinfault
trees;whereanORgateisinvolvedweadduptheprobabilities(providedthattheeventsaremutually
exclusive),andifanANDgateisinvolvedwemultiplytheprobabilities(providingtheeventsare
independent).Thesefaulttreeswouldbequitecomplicatedbuttheresultingequationswouldbe
somewhatrealistic.AlternativelyMarkovmodelscanbeusedasasimplermethodtocalculate
probabilitiesasafunctionoftime.Thedetailedequationsarebeyondthescopeofthispaper.

AllnineofthevariableslistedneedtobeconsideredwhencalculatingaPFDavg.

10

TheKeyVariablesNeededforPFDavgCalculation

Variable
Description Source Applicability
Number
1 FailureRates,DDandDU Manufacturer Always
2 MissionTime,MT EndUser Always
3 ProofTestIntervals,TI EndUser Always
4 ProofTestEffectiveness,CPT EndUser Always
Ifprooftestdone
5 ProofTestDuration,PTD EndUser withprocess
operating
Ifnoautomatic
6 MeanTimeToRestore,MTTR EndUser shutdownafter
detectedfault
Ifequipmentisnot
7 ProbabilityofInitialFailure,PIF EndUser 100%testedafter
installation
8 SafetyMaturityIndex EndUser Always
9 Redundancy SystemDesigner IfHFT=1ormore

Theimpactofnotusingrealisticvariables

ToevaluatetheimpactonPFDavgofnotusingallimportantvariables,considertheexampleof
ahighlevelprotectionSIF.TheproposeddesignhasaSILlevel2target.Thedesignisusinga
singleSILlevel2capabilityleveltransmitter,aSILlevel3capabilitycertifiedsafetylogicsolver,
andasingleremoteactuatedvalve.Theactuatedvalveconsistsofacertifiedsolenoidvalve,a
certifiedscotchyokeactuatorandacertifiedballvalvewithallcomponentshavingaSILlevel3
capability.Usingcertifiedpartseliminatesanyneedtoperformprioruseanalysisforsafety
integritypurposes.

TheexSILentiatoolaccountsforallcriticalvariables.UsingexSILentia,idealistic/optimistic
variablesareentered.Amissiontime(MT)of5yearsisentered,andtheprooftestintervalis1
yearforthesensorandfieldelements,and5yearsforthelogicsolver.Aprooftestcoverageof
100%isenteredwhichistheequivalentofnotconsideringprooftestcoverageasavariable.It
isalsoassumedthattheprooftestisdonewiththeprocessofflinewhichremovesPTDfromthe
calculation.

11

TheKeyVariablesNeededforPFDavgCalculation

Figure7:exSILentiaScreenshotshowingresultsofidealisticassumptions

Inthisexample,thePFDavgwascomputedas6.82x103.ThisvaluemeetsSILlevel2withaRisk
ReductionFactor(RRF)of147.ItcanbeseenthatthearchitectureconstraintsmeetSILlevel2
andsystematiccapabilitiesmetSILlevel2.Therefore,theentiredesignmeetsSILlevel2(all
indicatedbyredcircles).

ThepiechartontheleftsideofFigure7(indicatedbyanarrow)showshowmucheach
subsystemcontributedtothePFDavg.Thefigureshowsthatfinalelementswerethemain
contributor.TheexSILentiatoolalsocalculatestheMeanTimetoFailSpuriously(MTTFS),which
isboxedinblue.Thisnumberindicateshowoftenafalsetripwilloccur,sohighnumbersare
thegoalinordertoavoidcostlyfalsetrips.

ButwhatifmorerealisticvariableswereenteredforthesameSIF?Amissiontimeof25years
willnowbeused.Aprooftestintervalof1yearforthesensorandfinalelement,aswellas5
yearsforthelogicsolverwillbeused.Prooftestcoverageisnow90%forthesensorand70%
forfinalelement.Aprooftestdurationof2hoursisincludedandanMTTRvalueof48hoursis
morerealistic.SiteSafetyIndexismediumforthesensorandfinalelements,andgoodforthe
logicsolver.Thiscalculationconsidersallninevariables.

12

TheKeyVariablesNeededforPFDavgCalculation

Figure8:exSILentiascreenshotwithmorerealisticvariablesconsidered

WhathappenedtothePFDavg?ForthesetofidealisticvaluesthePFDavgwas6.82x103and
theRRFwas147.Thesamedesignwasanalyzedagain,butthistimeallninevariablesarebeing
realisticallyincluded.ThecalculatedPFDavgforthisSafetyInstrumentedFunctionnowdrops
toavalueof5.76x102!TheRRF,whichwasatavalueof147,nowdropsto17!Thisbarely
meetsSILlevel1.

Whyarethesevaluessodifferent?Sensitivityanalysisindicatesthatprooftestcoverage(%)is
asignificantvariable.SSIissignificant.TheimpactofPTDisnotthatsignificantinthiscase,but
itsometimescanbe.

Failurerates,redundancy,prooftestintervals,andMeanTimetoRestoreareallwellknown
variablescoveredinIEC61508,Part6equations.Prooftesteffectivenessandmissiontimeare
evenmentionedinthenewversionofIEC61508.However,thesevariablesareonlymentioned
andarenotpartofanyofthepresentedequations.Othervariables,especiallySiteSafety
Index,arelargelyoverlooked.Allofthevariablesneedtobetakenintoaccounttoensurea
safedesign.

13

TheKeyVariablesNeededforPFDavgCalculation

References

1. ThreeStepsinSIFDesignVerification,WhitePaper,exida.Sellersville,PA
www.exida.com,June2014.
2. SINTEF,OREDAOffshoreandOnshoreReliabilityDataHandbook,Vol1.Topside
EquipmentandVol.2SubseaEquipment,6thEd,OREDAParticipants,2015.
3. SafetyEquipmentReliabilityHandbook4thEdition,exida.Sellersville,PA
www.exida.com,2015.
4. Bukowski,J.V.andStewart,L.L.,ExplainingtheDifferencesinMechanicalFailureRates:
exidaFMEDAPredictionsandOREDAEstimations,WhitePaper,exida.Sellersville,PA
www.exida.com,July2015.
5. Goble,W.M.,andBrombacher,A.C.,"UsingaFailureModes,EffectsandDiagnostic
Analysis(FMEDA)toMeasureDiagnosticCoverageinProgrammableElectronic
Systems,"ReliabilityEngineeringandSystemSafety,Vol.66,No.2,November1999.
6. Grebe,J.C.,andGoble,W.M.,FMEDAAccurateProductFailureMetrics,WhitePaper,
exida.Sellersville,PAwww.exida.com,V1.2,October2009.
7. Goble,W.M.,ControlSystemsSafetyEvaluationandReliability,ThirdEdition,ISA,
ResearchTrianglePark,NC,2010.
8. Bukowski,J.V.(2007),"ResultsofStatisticalAnalysisofPressureReliefValveProofTest
DataDesignedtoValidateaMechanicalPartsFailureDatabase,"TechnicalReport,
September,exida,Sellersville,PA.
9. Bukowski,J.V.,andGoble,W.M.(2009),"AnalysisofPressureReliefValveProofTest
Data,"AIChEJournalProcessSafetyProgress,March2009.
10. vanBeurden,I.J.W.R.J.,ReliabilityAnalysisofQuadlog,Fieldfailureresearchandstudy
ofthereliabilityinformationflow,MooreProductsCo.,SpringHouse,PA,USA,February
1998.
11. Bukowski,J.V.andGoble,W.M.,"AProposedFrameworkforIncorporatingtheEffects
ofEndUserPracticesintheComputationofPFDavg,"exidawhitepaper,January2014.
12. Bukowski,J.V.,Gross,R.,andvanBeurden,I.,"ProductFailureRatesvsTotalFailure
RatesatSpecificSites:ImplicationsforSafety,"ProceedingsAIChE11thAnnualGlobal
ConferenceonProcessSafetyProcessPlantSafetySymposium,Austin,TX,April2015.
13. Bukowski,J.V.andChastainKnight,D.,AssessingSafetyCultureviatheSiteSafety
IndexTM,ProceedingsAIChE12thAnnualGlobalCongressonProcessSafetyProcess
PlantSafetySymposium,Houston,TX,April2016.
14. Bukowski,J.V.andStewart,L.L.,QuantifyingtheImpactsofHumanFactorson
FunctionalSafety,ProceedingsAIChE12thAnnualGlobalCongressonProcessSafety
ProcessPlantSafetySymposium,Houston,TX,April2016.

14

TheKeyVariablesNeededforPFDavgCalculation
RevisionHistory
Revision0.1 InitialDraft July,2015 MicahStutzman,W.Goble
Revision1 FirstRelease July,2015
Revision1.1 UpdatedSSIterminology October7,2015 TESandWMG
Revision1.2 Updatedreferences,conditionsSeptember2016 WMG

15

You might also like