Norwegian Oil and Gas Association

Application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry
(Recommended SIL requirements)
160 of 237
No.: 070 Established: February 2001 Revision no.: 03 Date revised: June 2018

APPLICATION OF
IEC 61508 AND IEC 61511
IN THE NORWEGIAN PETROLEUM
INDUSTRY
(Recommended SIL requirements)

Appendix D

QUANTIFICATION OF PROBABILITY OF
FAILURE ON DEMAND (PFD)
 Norwegian Oil and Gas Association
Application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry
(Recommended SIL requirements)
161 of 237
No.: 070 Established: February 2001 Revision no.: 03 Date revised: June 2018

CONTENT

D.1 PROBABILITY OF FAILURE ON DEMAND (PFD) ............................................................................ 162

D.1.1 INDEPENDENT FAILURES, COMMON CAUSE FAILURES AND FORMULAS .................................................... 162
D.1.2 TOTAL PFD OF A SAFETY FUNCTION ..................................................................................................... 164
D.1.3 UNAVAILABILITY DUE TO PLANNED DOWNTIME .................................................................................... 164
D.1.4 PFD CALCULATIONS IN MULTIPLE SAFETY SYSTEMS ............................................................................. 164
D.1.5 NON-PERFECT TESTING ......................................................................................................................... 165
D.1.6 FAILURE RATE CONCEPTS ..................................................................................................................... 166
D.2 PROBABILITY OF FAILURE PER HOUR (PFH)................................................................................ 168
D.3 NOTATION............................................................................................................................................... 169
D.4 REFERENCES .......................................................................................................................................... 171
 Norwegian Oil and Gas Association
Application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry
(Recommended SIL requirements)
162 of 237
No.: 070 Established: February 2001 Revision no.: 03 Date revised: June 2018

D.1 Probability of failure on demand (PFD)

PFD is defined as the average probability that a safety system is unable to perform its safety function upon a demand.

PFD quantifies the loss of safety due to dangerous undetected failures (with rate λDU ), during the period when it is
unknown that the function is unavailable, i.e. between the proof test intervals. For a single component with proof test
interval 𝜏𝜏 the average duration of this period is τ/2. Hence, for a single (1oo1) component, PFD is calculated from the
formula:

PFD ≈ 𝜆𝜆DU ⋅ 𝜏𝜏/2.

Intuitively this formula can be interpreted as follows: λDU is the constant failure rate and τ/2 is the average period of
time that the component is unavailable given that the failure may occur at a random point in time within a proof test
interval 𝜏𝜏.

Note that the PFD is actually the average probability of failure on demand over a period of time, i.e., PFDavg as denoted
in IEC 61508. However, due to simplicity PFDavg is denoted as PFD in this appendix.

D.1.1 Independent failures, common cause failures and formulas

When quantifying the PFD of systems with redundancy it is essential to distinguish between independent failures (ind.)
and common cause failures (CCF). CCF are "simultaneous" failure of more than one component due to a shared cause.
For all systems with redundant components, e.g. 1oo2, 2oo3 or 1oo3 voted components/systems, the PFD consists of
an independent contribution and a common cause contribution. E.g., for a duplicated module, voted 1oo2, we have the
following independent contribution and CCF contribution respectively:

(ind.)
PFD1oo2 ≈ (𝜆𝜆DU ⋅ 𝜏𝜏)2 /3.

(CCF)
PFD1oo2 ≈ 𝛽𝛽 ⋅ (𝜆𝜆DU ⋅ 𝜏𝜏/2).

The total PFD then becomes:

(𝜆𝜆DU ⋅ 𝜏𝜏)2
PFD1oo2 ≈ + 𝛽𝛽 ⋅ (𝜆𝜆DU ⋅ 𝜏𝜏/2).
3

Here β is a component specific parameter, a fraction of failures of a single component that causes both the redundant
components to fail “simultaneously”.

The traditional way of accounting for common cause failures (CCF) has been the β-factor model. In this model, it is
assumed that a certain fraction of the failures (equal to β) are common cause, i.e., failures that will cause all the
redundant components to fail simultaneously or within a short time period.

In the PDS method, we use an extended version of the β-factor model that distinguishes between different types of
voting. Here, the rate of common cause failures explicitly depends on the configuration. The beta-factor of an MooN
voting logic may be expressed as 𝛽𝛽 ∙ C𝑀𝑀oo𝑁𝑁 , where C𝑀𝑀oo𝑁𝑁 is a modification factor for various voting configurations and
𝛽𝛽 is the factor which applies for a 1oo2 voting. This means that if each of the 𝑁𝑁 redundant components has a failure
rate 𝜆𝜆DU , then the 𝑀𝑀oo𝑁𝑁 configuration will have a system failure rate due to CCF that equals: CMooN ∙ 𝛽𝛽 ∙ 𝜆𝜆DU . Table
D.1 summarises the suggested C𝑀𝑀oo𝑁𝑁 values for some typical voting configurations. Reference is also made to Table
D.5 in IEC 61508-6 for similar factors.
 Norwegian Oil and Gas Association
Application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry
(Recommended SIL requirements)
163 of 237
No.: 070 Established: February 2001 Revision no.: 03 Date revised: June 2018

Table D.1: 𝐂𝐂𝐌𝐌𝐌𝐌𝐌𝐌𝐌𝐌 values for different voting logics

𝑴𝑴 \ 𝑵𝑵 𝑵𝑵 = 𝟐𝟐 𝑵𝑵 = 𝟑𝟑 𝑵𝑵 = 𝟒𝟒 𝑵𝑵 = 𝟓𝟓 𝑵𝑵 = 𝟔𝟔

𝑴𝑴 = 𝟏𝟏 C1oo2 = 1.0 C1oo3 = 0.5 C1oo4 = 0.3 C1oo5 = 0.2 C1oo6 = 0.15

𝑴𝑴 = 𝟐𝟐 - C2oo3 = 2.0 C2oo4 = 1.1 C2oo5 = 0.8 C2oo6 = 0.6

𝑴𝑴 = 𝟑𝟑 - - C3oo4 = 2.8 C3oo5 = 1.6 C3oo6 = 1.2
𝑴𝑴 = 𝟒𝟒 - - - C4oo5 = 3.6 C4oo6 = 1.9
𝑴𝑴 = 𝟓𝟓 - - - - C5oo6 = 4.5

Simplified PFD formulas for different voting logics are summarised in Table D.2. The first column gives the voting
logic (𝑀𝑀oo𝑁𝑁). The second column includes the PFD contribution from common cause failures. For voted configurations
like 1oo2, 1oo3, 2oo3, etc. In the third column, the contribution to PFD from independent failures is given. Note that
the contribution from independent failures is slightly conservative for redundant configurations, as the failure rate (𝜆𝜆DU )
has not been reduced due to common cause failures (e.g. (1 − 𝛽𝛽) ∙ 𝜆𝜆DU for a 1oo2 voting).

Table D.2: Summary of simplified formulas for PFD

PFD calculation formulas

Voting
Common cause contribution Contribution from ind. failures

1oo1 - 𝜆𝜆DU ⋅ 𝜏𝜏/2

1oo2 𝛽𝛽 ⋅ 𝜆𝜆DU ⋅ 𝜏𝜏/2 + (𝜆𝜆DU ⋅ 𝜏𝜏)2 /3

2oo2 - 2 ⋅ 𝜆𝜆DU ⋅ 𝜏𝜏/2

1oo3 C1oo3 ⋅ 𝛽𝛽 ⋅ 𝜆𝜆DU ⋅ 𝜏𝜏/2 + (𝜆𝜆DU ⋅ 𝜏𝜏)3 /4

2oo3 C2oo3 ⋅ 𝛽𝛽 ⋅ 𝜆𝜆DU ⋅ 𝜏𝜏/2 + (𝜆𝜆DU ⋅ 𝜏𝜏)2

3oo3 - 3 ⋅ 𝜆𝜆DU ⋅ 𝜏𝜏/2

1oo𝑁𝑁 1
C1oo𝑁𝑁 ⋅ 𝛽𝛽 ⋅ 𝜆𝜆DU ⋅ 𝜏𝜏/2 + ⋅ (𝜆𝜆DU ⋅ 𝜏𝜏)𝑁𝑁
𝑁𝑁 = 2, 3, … 𝑁𝑁 + 1

𝑀𝑀oo𝑁𝑁 𝑁𝑁!
C𝑀𝑀oo𝑁𝑁 ⋅ 𝛽𝛽 ⋅ 𝜆𝜆DU ⋅ 𝜏𝜏/2 + ⋅ (𝜆𝜆DU ⋅ 𝜏𝜏)𝑁𝑁−𝑀𝑀+1
𝑀𝑀 < 𝑁𝑁; 𝑁𝑁 = 2, 3, … (𝑁𝑁 − 𝑀𝑀 + 2)! ⋅ (𝑀𝑀 − 1)!
𝑁𝑁oo𝑁𝑁
- 𝑁𝑁 ⋅ 𝜆𝜆DU ⋅ 𝜏𝜏/2
𝑁𝑁 = 1, 2, 3, …

Note that the common cause contribution will often be the main contributor towards the total PFD for multiple voted
systems where 𝑀𝑀 < 𝑁𝑁. This means that the independent contribution, often can be neglected and it is sufficient to
calculate the CCF contribution only, i.e.

PFD = C𝑀𝑀oo𝑁𝑁 ⋅ 𝛽𝛽 ⋅ 𝜆𝜆DU ⋅ 𝜏𝜏/2.

However, when having field equipment with relatively high failure rates, the contribution from independent failures
cannot be neglected and should then be calculated.
 Norwegian Oil and Gas Association
Application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry
(Recommended SIL requirements)
164 of 237
No.: 070 Established: February 2001 Revision no.: 03 Date revised: June 2018

Modelling of CCF for components with non-identical characteristics, e.g. differing failure rates or proof test intervals
is more complicated. For details on this topic, references are made to the PDS method handbook and the PDS example
collection. See also the PDS 2013 method handbook for more formulas and background information on CCF, C𝑀𝑀oo𝑁𝑁
factor, etc.

The formulas in Table D.2 assume that the proof test performed at interval τ is "perfect", i.e. all failures can be revealed
upon this proof test. If the test is non-perfect, suggested calculations are given in section D.2. Also, the known downtime
unavailability due to e.g. maintenance and repair may be treated separately and added to the PFD figure.

D.1.2 Total PFD of a safety function

The PFD of a safety function is calculated by combining the PFD contributions of all components/voting of the function,
including both independent failures and common cause failures. For a function where all components need to function
and all components are voted 1oo1, the PFD of the safety function is simply calculated by adding the independent PFD
contributions from all components. If other voting than 1oo1, 2oo2, ... NooN are represented, also the common causes
contributions shall be included in the total PFD. When calculating the PFD of a system, the contributing voting to the
PFD can be identified e.g. by reliability block diagrams (as seen in Appendix A of the present guideline).

D.1.3 Unavailability due to planned downtime

Unavailability due to known or planned downtime is caused by components either taken out for repair or for
testing/maintenance. This contribution will depend heavily on the operating philosophy, on the configuration of the
process plant as well as the configuration of the system itself. Often, temporary compensating measures will be
introduced while a component is down for maintenance or repair. Other times, when the component is considered too
critical to continue production (e.g., a critical shutdown valve in single configuration), the production may simply be
shut down during the restoration and testing period. On the other hand there may be test- or repair-situations where
parts of or the whole safety system is bypassed while production is being maintained. An example may be that selected
fire and gas detectors are being inhibited while reconfiguring a node in the fire and gas system.

Downtime unavailability is often expressed by mean time to restoration (MTTR) or mean repair time (MRT). MRT
encompasses the time elapsing from the failure is detected until the component is put back into operation. MTTR also
encompasses the time to detect the failure (in addition to the time elapsing from the failure is detected until the
component is put back into operation). Further description of and suggested formulas for downtime unavailability are
given in the PDS method handbook, where downtime unavailability is denoted DTU.

Note that often the downtime unavailability is small compared to the PFD contributions from undetected failures given
in Table 3.2., i.e., usually MTTR << τ, and then the downtime contribution is neglected. This is, however, not always
the case; e.g., for subsea production equipment the MTTR could be rather long.

D.1.4 PFD calculations in multiple safety systems

Redundant safety systems are commonly referred to as independent protection layers (e.g., in the LOPA terminology)
and the total protection system may be referred to as a multiple safety system. Normally when having multiple safety
systems, it is sufficient that one of the systems works successfully in order to have a successful safety action. When
addressing the total reliability of multiple safety systems, one often calculates the average PFD of each system
independently, and combines the results to find the total PFD of the multiple system by simply taking the product of
the individual PFD. This is appropriate as long as the PFDs of the systems are totally independent, but independence is
rarely the case and then the total PFD becomes non-conservative. Dependencies exist between the systems, as well as
between components within a system, due to e.g., simultaneous proof testing, close location or common utility sources
(hydraulic, electricity, etc.).

The analytical formulas described above are developed and applicable for a limited range of voting arrangements and
may fall short when considering multiple safety systems and complex architectures. Instead, for more complex cases,
where dependencies between multiple protection layers should be modelled in detail, reference is made to methods
such as time dependent fault trees and Petri nets as described in IEC 61508-6 appendix B and in ISO/TR 12489.

In the PDS method handbook a simplified approach towards modelling dependencies between multiple protection layers
has been suggested; using a correction factor (CF) for multiple systems. Basically this correction factor caters for the
 Norwegian Oil and Gas Association
Application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry
(Recommended SIL requirements)
165 of 237
No.: 070 Established: February 2001 Revision no.: 03 Date revised: June 2018

systemic dependency which is introduced by the fact that systems are often proof tested simultaneously (and not
staggered). For multiple systems, when the structure of each system is disregarded, correction factors are given by Table
D.3.

Table D.3: Correction factors for multiple systems when the structure of each system is disregarded.
Equal test intervals are assumed for all equipment involved

Number of SISs 𝐂𝐂𝐂𝐂

1 1

2 1.33

3 2

It should be noted that the application of the correction factor may in some rare cases give slightly non-conservative
PFD figures. However, this is normally not a problem. For more details concerning the use of such correction factors
Reference is made to the PDS 2013 method handbook, chapter 7.

D.1.5 Non-perfect testing

It is widely accepted that proof testing is not always 100% perfect, i.e. all DU failures will not necessarily be detected
during a proof test. Such situations can be modelled by introducing the test coverage (TC) or by introducing a test
independent failure (TIF) probability. A brief discussion of both alternative approaches is given below.

D.1.5.1 Test independent failures (TIF)

A test independent failure (TIF) is a failure not detected during proof testing but revealed upon a true demand.

For a single component, 𝑃𝑃TIF expresses the likelihood of a component having just been proof tested, to fail on demand
(irrespective of the proof test interval). For redundant components, voted 𝑀𝑀oo𝑁𝑁 (𝑀𝑀 < 𝑁𝑁), the TIF contribution to loss
of safety is given by the general formula: C𝑀𝑀oo𝑁𝑁 ⋅ β ⋅ PTIF . Thus, the total PFD consists of contribution from both DU-
failures and TIF as illustrated in Figure D.1.

PFD
Average PFD

λDU ·τ/2

PTIF
τ 2τ 3τ 4τ 5τ t
Figure D.1: Non-perfect testing with TIF

D.1.5.2 Reduced test coverage (TC)

The Test Coverage (TC) is the fraction of failures detected during proof testing.

When incorporating the TC the rate of dangerous undetected failures can be regarded as having two constituent parts: