SIS Book - Chapter 08 - PFDavg With IEC 61508 Formulas

The document introduces formulas from IEC 61508 for calculating the average probability of failure on demand (PFDavg) of safety instrumented systems. It outlines key assumptions of the analytical formulas such as components having exponentially distributed failure and repair times. It then defines important terms like equivalent mean downtime which represent the average downtime for various failure scenarios. Finally, it provides the specific formulas for calculating channel equivalent downtime, group equivalent downtime, and group failure frequency which are used to calculate PFDavg.


Chapter 8.

PFD formulas in IEC 61508

Mary Ann Lundteigen Marvin Rausand

RAMS Group
Department of Mechanical and Industrial Engineering
NTNU

(Version 0.1)

Lundteigen& Rausand Chapter 8.PFD formulas in IEC 61508 (Version 0.1) 1 / 26


Introduction

Learning Objectives

The main learning objectives associated with these slides are to:
I Introduce and explain the simplified formulas in IEC 61508, part 6 for
calculating the average probability of failure on demand (PFDavg )
I Introduce and discuss some of the related concepts and assumptions

The slides include topics from Chapter 8 in Reliability of Safety-Critical Systems: Theory and Applications. DOI: 10.1002/9781118776353.


Introduction

Outline of Presentation

1 Introduction

2 General Assumptions for Analytical Formulas in IEC 61508

3 Equivalent Mean Downtime

4 Group failure frequency

5 PFD formulas

6 Inclusion of CCFs

7 Markov



Introduction

Remark

The IEC 61508 formulas may be explained in different ways, and the approach
selected in the following slides is not the only one. A more thorough
explanation of the background for the formulas in IEC 61508 is provided by Dr.
Fares Innal in his PhD thesis:
I Innal, F. (2008) Contribution to modeling safety instrumented systems
and to assessing their performance. Critical analysis of IEC 61508
standard. PhD thesis. University of Bordeaux, Bordeaux, France.


General Assumptions for Analytical Formulas in IEC 61508

General Assumptions
IEC 61508 (part 6) presents simplified formulas for selected voted configurations,
all derived from the following model:

$$\mathrm{PFD}_{\mathrm{avg}} = \lambda_{D,G}\, t_{GE}$$

where $\lambda_{D,G}$ is the group failure frequency of dangerous failures and $t_{GE}$ is the
group equivalent mean downtime. Assumptions underlying the formulas:
I Any parallel structure of channels consists of identical components.
I Times to failure and repair times are exponentially distributed.


General Assumptions for Analytical Formulas in IEC 61508

Visualization I: RBD
Recall that the average unavailability, $A_{\mathrm{avg}}$, of a system (from Chapter 5) could be
expressed as:

$$A_{\mathrm{avg}} = \lambda_S \cdot \mathrm{MDT}_S$$

where the system is represented as a "super item" with failure rate $\lambda_S$ and mean
downtime $\mathrm{MDT}_S$.

In the IEC 61508 formulas, $A_{\mathrm{avg}}$ corresponds to $\mathrm{PFD}_{\mathrm{avg}}$, $\lambda_S$ to $\lambda_{D,G}$ and $\mathrm{MDT}_S$ to $t_{GE}$:

$$\mathrm{PFD}_{\mathrm{avg}} = \lambda_{D,G} \cdot t_{GE}$$

Figure: RBD of the super item with failure rate $\lambda_{D,G}$ and mean downtime $t_{GE}$.


Equivalent Mean Downtime

Equivalent mean downtimes

IEC 61508 refers to $t_{GE}$ as the equivalent mean downtime.

There are three main categories of equivalent mean downtimes:

I Channel equivalent mean downtime, $t_{CE}$, calculated for a single dangerous
(D) failure
I Group equivalent mean downtime (while the system is in the failed state), $t_{GE}$,
calculated for the smallest combination of D failures that results in system
failure
I Group equivalent downtime in degraded mode, $t_{GjE}$ for $j = 1, \ldots, n-k$,
associated with any multiplicity $j < n-k+1$ of D failures
Note that for $j = 1$ (i.e. for a single channel), we use $t_{CE}$ as the notation instead of
$t_{G1E}$.


Equivalent Mean Downtime

Example: Single System


For a single channel, the super-item may be split up into two sub-items,
representing the failure rate and the associated conditional mean downtime, $t_{CE}$,
for DU and DD failures.

Figure: Channel super-item $\lambda_{D,G} \cdot t_{GE}$ split into a DU sub-item ($\lambda_{DU}$, $\mathrm{MDT}_1 = \tau/2 + \mathrm{MRT}$) and a DD sub-item ($\lambda_{DD}$, $\mathrm{MDT}_2 = \mathrm{MTTR}$).

We note that:

$$t_{CE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{\tau}{2} + \mathrm{MRT}\right) + \frac{\lambda_{DD}}{\lambda_D}\,\mathrm{MTTR}$$

where $\lambda_D = \lambda_{DU} + \lambda_{DD}$.
Equivalent Mean Downtime

Formulas for Equivalent Mean Downtimes


Channel equivalent mean downtime, $t_{CE}$:

$$t_{CE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{\tau}{2} + \mathrm{MRT}\right) + \frac{\lambda_{DD}}{\lambda_D}\,\mathrm{MTTR}$$

Group equivalent mean downtime, $t_{GE}$:

$$t_{GE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{\tau}{n-k+2} + \mathrm{MRT}\right) + \frac{\lambda_{DD}}{\lambda_D}\,\mathrm{MTTR}$$

Group equivalent mean downtime in degraded mode, $t_{GjE}$, $j = 2, \ldots, (n-k)$ (1):

$$t_{GjE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{\tau}{j+1} + \mathrm{MRT}\right) + \frac{\lambda_{DD}}{\lambda_D}\,\mathrm{MTTR}$$

For the group we assume that the downtime of DD failures is not affected by how
many channels are down.

(1) We skip $j = 1$, since we use $t_{CE}$.
Equivalent Mean Downtime

Visualization II: Markov


Visualization using Markov (see illustration below):
I Recall that a koon system fails when $n-k+1$ up to $n$ components have failed.
I The largest contributor to unavailability is the state corresponding to the $(n-k+1)$th
failure (considering independent failures) and the state corresponding to the $n$th failure in case of
CCFs.
I An approximation for $\mathrm{PFD}_{\mathrm{avg}}$ would therefore be the average time spent in these
states. The question is how to quantify $\lambda_{D,G}$ and $t_{GE}$.

$$\mathrm{PFD}_{\mathrm{avg}} = \lambda_{D,G} \cdot t_{GE}$$

Figure: Markov chain with states $0, 1, \ldots, n-k, n-k+1, \ldots, n-1, n$. The transition out of state 0 has rate $n\lambda_D$; the independent group failure rate $\lambda_{D,G}^{(i)}$ leads into state $n-k+1$ (downtimes $t_{CE}$, ..., $t_{G(n-k)E}$, then $t_{GE}^{(i)}$), and the CCF rate $\lambda_{D,G}^{(c)}$ leads directly into state $n$ (downtime $t_{GE}^{(c)}$).


Equivalent Mean Downtime

Explanation for DU failures: 1oo3 voted system


This system can experience from one to three failures:
I The first DU failure will on average be down $\tau/2$
I The second DU failure will on average be down $\tau/3$
I The third DU failure will on average be down $\tau/4$
...assuming equal distribution. This can be illustrated as follows:

Figure: 1oo3 system over one test interval $\tau$. Upon the first failure, the failed channel is down $\tau/2$ (i.e. $t_{CE}$) while the other two are OK; upon the second failure, $\tau/3$ (i.e. $t_{G2E}$) with one channel OK; upon the third failure, $\tau/4$ (i.e. $t_{GE}$) with all channels failed.


Group failure frequency

Dangerous group frequency, λ D,G

The dangerous group frequency, $\lambda_{D,G}$, is the average system failure rate.

This means that $\lambda_{D,G}$ is:

I ...the sum of all transitions into a failed state (corresponding to states
$n-k+1, \ldots, n$ in a koon system)
I ...dominated by the transitions into the $(n-k+1)$th state for
independent failures
I ...dominated by the transition into the $n$th state for CCFs (standard
beta factor model)


Group failure frequency

How to Determine λ D,G ? 1oo2 system


Consider a 1oo2 system with identical and independent channels with failure rate
$\lambda_D$. As the channels are independent, they will not fail at exactly the same time.
I The first D failure occurs with rate $2\lambda_D$, since either of the two components may
fail first. The mean downtime of a single channel is $t_{CE}$.
I A dangerous group failure occurs if the second channel fails while the first
channel is unavailable.
This means that the group failure rate for a 1oo2 system is:

$$\lambda_{D,G}^{(1oo2)} \approx (2\lambda_D t_{CE}) \cdot \lambda_D = 2\lambda_D^2 t_{CE}$$


Group failure frequency

Illustration: 1oo2 System

The creation of the super-item for a 1oo2 system is illustrated below:

Figure: Building the 1oo2 super-item. Each channel has sub-items $\lambda_{DU}$ and $\lambda_{DD}$ with downtime $t_{CE}$. Average unavailability of ONE channel (first channel is down): $2\lambda_D \cdot t_{CE}$. Dangerous frequency of TWO channels (second channel fails): $(2\lambda_D \cdot t_{CE}) \cdot \lambda_D$. "Super-item": $\lambda_{D,G} = 2\lambda_D^2 \cdot t_{CE}$ with downtime $t_{GE}$.

Note that $t_{CE}$ is as before and

$$t_{GE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{\tau}{3} + \mathrm{MRT}\right) + \frac{\lambda_{DD}}{\lambda_D}\,\mathrm{MTTR}$$


Group failure frequency

How to Determine λ D,G ? 2oo3 System


For a 2oo3 system with identical and independent channels with failure rate $\lambda_D$, we
may assume that:
I The first (D) failure occurs with rate $3\lambda_D$, since any of the three components
may fail first. This first channel is down $t_{CE}$.
I A dangerous group failure occurs when a second channel fails while the first
channel is unavailable.
This means that:

$$\lambda_{D,G}^{(2oo3)} \approx (3\lambda_D \cdot t_{CE}) \cdot (2\lambda_D) = 6\lambda_D^2 \cdot t_{CE}$$


Group failure frequency

How to Determine λ D,G ? 1oo3 System


For a 1oo3 system with identical and independent channels with failure rate $\lambda_D$, we
may assume that:
I The first (D) failure occurs with rate $3\lambda_D$, since any of the three components
may fail first. This first channel is down $t_{CE}$.
I The second (D) failure occurs with rate $2\lambda_D$, since either of the two remaining
components may fail. This second channel is down $t_{G2E}$.
I A dangerous group failure occurs when a third channel fails while two are already
failed.
This means that:

$$\lambda_{D,G}^{(1oo3)} \approx (3\lambda_D \cdot t_{CE}) \cdot (2\lambda_D \cdot t_{G2E}) \cdot \lambda_D = 6\lambda_D^3 \cdot t_{CE} \cdot t_{G2E}$$


Group failure frequency

What is λ D,G ? koon system


Now consider a koon system.

I The first failure occurs with rate $n\lambda_D$. The probability that the second failure
occurs while the first one is down is $(n-1)\lambda_D t_{CE}$, the probability that a third
failure occurs while two are down is $(n-2)\lambda_D t_{G2E}$, and so on until the group
failure (involving $n-k+1$ failures) occurs with probability
$(n-k+1)\lambda_D t_{G(n-k)E}$.

$$\lambda_{D,G}^{(koon)} \approx \lambda_D^{\,n-k+1}\, k \prod_{j=1}^{n-k} (n-j+1)\, t_{GjE}$$

where $t_{GjE}$ is the equivalent downtime due to the $j$th failure:

$$t_{GjE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{\tau}{j+1} + \mathrm{MRT}\right) + \frac{\lambda_{DD}}{\lambda_D}\,\mathrm{MTTR}$$

Note that $t_{G1E}$ is what we previously have defined as $t_{CE}$.


Group failure frequency

What is λ D,G ? Example equations


The equation developed for koon may be used to set up the equations for specific
combinations of $k$ and $n$:

k/n     Group failure frequency $\lambda_{D,G}$
1oo1    $\lambda_D$
1oo2    $2\lambda_D^2\, t_{CE}$
1oo3    $6\lambda_D^3\, t_{CE}\, t_{G2E}$
2oo3    $6\lambda_D^2\, t_{CE}$
1oo4    $24\lambda_D^4\, t_{CE}\, t_{G2E}\, t_{G3E}$
2oo4    $24\lambda_D^3\, t_{CE}\, t_{G2E}$


PFD formulas

What is PFDavg ?
Recall that the general equation for $\mathrm{PFD}_{\mathrm{avg}}$ was:

$$\mathrm{PFD}_{\mathrm{avg}} = \lambda_{D,G}\, t_{GE}$$

We may expand this equation for a selection of systems:

k/n     $\mathrm{PFD}_{\mathrm{avg}}$                                     $t_{GE}$
1oo1    $\lambda_D\, t_{GE}$                                  $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{\tau}{2} + \mathrm{MRT}\right) + \frac{\lambda_{DD}}{\lambda_D}\,\mathrm{MTTR}$
1oo2    $2\lambda_D^2\, t_{CE}\, t_{GE}$                      $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{\tau}{3} + \mathrm{MRT}\right) + \frac{\lambda_{DD}}{\lambda_D}\,\mathrm{MTTR}$
1oo3    $6\lambda_D^3\, t_{CE}\, t_{G2E}\, t_{GE}$            $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{\tau}{4} + \mathrm{MRT}\right) + \frac{\lambda_{DD}}{\lambda_D}\,\mathrm{MTTR}$
2oo3    $6\lambda_D^2\, t_{CE}\, t_{GE}$                      $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{\tau}{3} + \mathrm{MRT}\right) + \frac{\lambda_{DD}}{\lambda_D}\,\mathrm{MTTR}$
1oo4    $24\lambda_D^4\, t_{CE}\, t_{G2E}\, t_{G3E}\, t_{GE}$ $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{\tau}{5} + \mathrm{MRT}\right) + \frac{\lambda_{DD}}{\lambda_D}\,\mathrm{MTTR}$
2oo4    $24\lambda_D^3\, t_{CE}\, t_{G2E}\, t_{GE}$           $\frac{\lambda_{DU}}{\lambda_D}\left(\frac{\tau}{4} + \mathrm{MRT}\right) + \frac{\lambda_{DD}}{\lambda_D}\,\mathrm{MTTR}$
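The koon group failure frequency, the equivalent mean downtimes and the PFDavg table above can be evaluated numerically with a few lines of code. The following is an added example (not code from the slides or the book); the function names, the argument order and the sample failure rates, test interval and repair times in the usage block are this example's own constructed choices. It implements the general koon product formula rather than the individual table rows, so the tabulated 1oo1 to 2oo4 cases fall out as special cases.

```python
# Added example (not from the slides): IEC 61508 simplified PFDavg for a koon
# group of identical channels, built directly from the slide formulas.
# Function and parameter names are this example's own choices.
from math import prod


def t_GjE(lam_du, lam_dd, tau, mrt, mttr, j):
    """Equivalent mean downtime after the j-th dangerous failure.

    j = 1 gives t_CE (single channel), j = n-k+1 gives t_GE (group failed),
    values in between are the degraded-mode downtimes t_GjE.
    """
    lam_d = lam_du + lam_dd
    return (lam_du / lam_d) * (tau / (j + 1) + mrt) + (lam_dd / lam_d) * mttr


def group_failure_frequency(k, n, lam_du, lam_dd, tau, mrt, mttr):
    """Dangerous group failure frequency lambda_{D,G} for a koon group:
    k * lambda_D^(n-k+1) * prod_{j=1}^{n-k} (n-j+1) t_GjE.
    For 1oo1 the product is empty (prod([]) == 1) and the result is lambda_D."""
    lam_d = lam_du + lam_dd
    factors = [(n - j + 1) * t_GjE(lam_du, lam_dd, tau, mrt, mttr, j)
               for j in range(1, n - k + 1)]
    return k * lam_d ** (n - k + 1) * prod(factors)


def pfd_avg(k, n, lam_du, lam_dd, tau, mrt, mttr):
    """PFDavg = lambda_{D,G} * t_GE, with t_GE evaluated at the (n-k+1)-th failure."""
    t_ge = t_GjE(lam_du, lam_dd, tau, mrt, mttr, n - k + 1)
    return group_failure_frequency(k, n, lam_du, lam_dd, tau, mrt, mttr) * t_ge


def pfd_table(lam_du, lam_dd, tau, mrt, mttr):
    """PFDavg for the configurations tabulated on the slide, keyed 'koon'."""
    configs = [(1, 1), (1, 2), (1, 3), (2, 3), (1, 4), (2, 4)]
    return {f"{k}oo{n}": pfd_avg(k, n, lam_du, lam_dd, tau, mrt, mttr)
            for k, n in configs}


if __name__ == "__main__":
    # Constructed sample data (per hour): lambda_DU = 1e-6, lambda_DD = 4e-6,
    # proof-test interval tau = 1 year, MRT = MTTR = 8 h.
    for name, value in pfd_table(1e-6, 4e-6, 8760.0, 8.0, 8.0).items():
        print(f"{name}: PFDavg = {value:.3e}")
```

With the constructed sample data, t_CE = 884 h and t_G2E = 592 h, so the 1oo2 row evaluates to 2 · (5e-6)² · 884 · 592 ≈ 2.6e-5, and adding a third channel (1oo3) lowers PFDavg by a further two orders of magnitude, which is the effect the independent-failure model predicts before CCFs are included.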


Inclusion of CCFs

Inclusion of CCFs
IEC 61508 includes the contribution from CCFs due to DU as well as DD failures
using the standard beta factor model.
I The fraction of the DD failure rate that is CCFs is denoted $\beta_D$:

$$\lambda_{DD}^{(i)} = (1 - \beta_D)\lambda_{DD} \quad\text{and}\quad \lambda_{DD}^{(c)} = \beta_D\lambda_{DD}$$

I The fraction of the DU failure rate that is CCFs is denoted $\beta$:

$$\lambda_{DU}^{(i)} = (1 - \beta)\lambda_{DU} \quad\text{and}\quad \lambda_{DU}^{(c)} = \beta\lambda_{DU}$$


Inclusion of CCFs

Inclusion of CCFs
CCFs are included as a virtual functional block in the reliability block diagram, one
for the CCFs associated with DD failures and one for CCFs associated with DU
failures.
Figure: An RBD of a 2oo3 system with CCFs included. The three channel pairs (1, 2), (1, 3) and (2, 3), each channel with its $\mathrm{DU}_{ind}$ and $\mathrm{DD}_{ind}$ blocks, are in parallel, and the parallel structure is in series with the virtual blocks $\mathrm{CCF}_{DU}$ and $\mathrm{CCF}_{DD}$.


Inclusion of CCFs

Inclusion of CCFs
Because CCFs are represented by single functional blocks, it is rather straightforward
to set up the contribution to $\mathrm{PFD}_{\mathrm{avg}}$ from CCFs (note that $\lambda_D^{(c)} = \lambda_{DU}^{(c)} + \lambda_{DD}^{(c)}$):

$$\mathrm{PFD}_{\mathrm{avg}}^{CCF} = \lambda_D^{(c)}\, t_{CE}^{(c)} = \lambda_D^{(c)}\left[\frac{\lambda_{DU}^{(c)}}{\lambda_D^{(c)}}\left(\frac{\tau}{2} + \mathrm{MRT}\right) + \frac{\lambda_{DD}^{(c)}}{\lambda_D^{(c)}}\,\mathrm{MTTR}\right] = \beta\lambda_{DU}\left(\frac{\tau}{2} + \mathrm{MRT}\right) + \beta_D\lambda_{DD}\,\mathrm{MTTR}$$

The contribution to PFD from the independent part remains as before, except that
the fractions $(1 - \beta)$ and $(1 - \beta_D)$ must be extracted for the DU and DD failure rates
respectively.


Inclusion of CCFs

Inclusion of CCFs: Example


Consider a 1oo3 system of identical components that may be subject to CCFs.
I The $\mathrm{PFD}_{\mathrm{avg}}$ becomes:

$$\mathrm{PFD}_{\mathrm{avg}} = 6\left((1 - \beta_D)\lambda_{DD} + (1 - \beta)\lambda_{DU}\right)^3 t_{CE}^{(i)}\, t_{G2E}^{(i)}\, t_{GE}^{(i)} + \beta_D\lambda_{DD}\,\mathrm{MTTR} + \beta\lambda_{DU}\left(\frac{\tau}{2} + \mathrm{MRT}\right)$$
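The two slides above (the CCF block and the 1oo3 example) combine into one computation: the independent koon term with the $(1-\beta)$ and $(1-\beta_D)$ fractions extracted, plus the single CCF block. The code below is an added example, not from the slides or the book; it generalises the 1oo3 case to any koon group, and it evaluates the equivalent downtimes of the independent part with the independent-fraction rates, which is this example's reading of the $(i)$ superscripts on the slide. The sample rates and the $\beta$ values in the test are constructed.

```python
# Added example (not from the slides): PFDavg for a koon group with CCFs
# included through the standard beta factor model. The independent part uses
# the (1-beta) and (1-beta_D) fractions of the rates; the CCF part is the
# single block lambda_D^(c) t_CE^(c). Names are this example's own choices.
from math import prod


def t_GjE(lam_du, lam_dd, tau, mrt, mttr, j):
    """Equivalent mean downtime after the j-th dangerous failure (j = 1: t_CE)."""
    lam_d = lam_du + lam_dd
    return (lam_du / lam_d) * (tau / (j + 1) + mrt) + (lam_dd / lam_d) * mttr


def pfd_independent(k, n, lam_du, lam_dd, tau, mrt, mttr):
    """koon PFDavg from independent failures only. The rates passed in are
    expected to be the independent fractions (1-beta)*lambda_DU etc."""
    lam_d = lam_du + lam_dd
    factors = [(n - j + 1) * t_GjE(lam_du, lam_dd, tau, mrt, mttr, j)
               for j in range(1, n - k + 1)]
    t_ge = t_GjE(lam_du, lam_dd, tau, mrt, mttr, n - k + 1)
    return k * lam_d ** (n - k + 1) * prod(factors) * t_ge


def pfd_ccf(lam_du, lam_dd, tau, mrt, mttr, beta, beta_d):
    """CCF block: beta*lambda_DU*(tau/2 + MRT) + beta_D*lambda_DD*MTTR.
    Same expression for every koon group, since the CCF block fails all
    channels at once (standard beta factor model)."""
    return beta * lam_du * (tau / 2 + mrt) + beta_d * lam_dd * mttr


def pfd_avg_with_ccf(k, n, lam_du, lam_dd, tau, mrt, mttr, beta, beta_d):
    """Return (independent part, CCF part, total PFDavg) for a koon group."""
    ind = pfd_independent(k, n, (1 - beta) * lam_du, (1 - beta_d) * lam_dd,
                          tau, mrt, mttr)
    ccf = pfd_ccf(lam_du, lam_dd, tau, mrt, mttr, beta, beta_d)
    return ind, ccf, ind + ccf


if __name__ == "__main__":
    # Constructed sample data: lambda_DU = 1e-6/h, lambda_DD = 4e-6/h,
    # tau = 1 year, MRT = MTTR = 8 h, beta = 0.10, beta_D = 0.02.
    ind, ccf, total = pfd_avg_with_ccf(1, 3, 1e-6, 4e-6, 8760.0, 8.0, 8.0, 0.10, 0.02)
    print(f"1oo3: independent = {ind:.3e}, CCF = {ccf:.3e}, total = {total:.3e}")
```

For the constructed data the CCF block alone contributes about 4.4e-4 to the 1oo3 PFDavg, while the independent triple-failure term is of the order 1e-7: once $\beta$ is non-zero, redundancy beyond 1oo2 buys little, and the achievable SIL is set by the CCF fraction rather than by the number of channels.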


Markov

IEC formulas using Markov approach

The same formulas may be derived using Markov methods (or, more precisely, using
approximate Markov steady-state models based on multiphase Markov models).

Consider figure 3.19 in Fares Innal's master thesis. This diagram can be modified for
different architectures, but this one is used to illustrate the derivation of the formula for an
xoo3 system.

Figure: Source: F. Innal PhD thesis (2008)

Note: The repair/restoration rates ($\mu_i$) do not all lead back to state 1. For the
approximations on the next slide, the result would be the same once truncated.
Markov

IEC formulas using Markov approach

For a 1oo3 system, the $\mathrm{PFD}_{\mathrm{avg}}$ corresponds to the steady-state probability
of state 4:

$$\mathrm{PFD}_{\mathrm{avg}} = P_4(\infty) = \frac{6\lambda_D^3}{6\lambda_D^3 + 6\lambda_D^2\mu_3 + 3\lambda_D\mu_2\mu_3 + \mu_1\mu_2\mu_3} \approx \frac{6\lambda_D^3}{\mu_1\mu_2\mu_3}$$

For a 2oo3 system, the $\mathrm{PFD}_{\mathrm{avg}}$ corresponds to the steady-state probability
of states 3 and 4 (but the probability of state 3 is the dominating one):

$$\mathrm{PFD}_{\mathrm{avg}} \approx P_3(\infty) = \frac{6\lambda_D^2\mu_3}{6\lambda_D^3 + 6\lambda_D^2\mu_3 + 3\lambda_D\mu_2\mu_3 + \mu_1\mu_2\mu_3} \approx \frac{6\lambda_D^2}{\mu_1\mu_2}$$

Note: These equations may be time consuming to derive by hand. Here, the
software Maple was used to derive the symbolic equations.
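The two steady-state expressions above can be checked without Maple: for a chain in which the 3, 2 and 1 remaining channels fail at rates $3\lambda_D$, $2\lambda_D$, $\lambda_D$ and each restoration steps back one state at rate $\mu_i$, the stationary probabilities follow the birth-death product rule, and $P_4(\infty)$ comes out term-by-term as the slide's fraction. The code below is an added example, not from the slides or the thesis it cites; it assumes (as labelled in the comments) restoration rates $\mu_i = 1/t_{GiE}$ and one-state-back repairs, which the slide's note says gives the same result once truncated. The numeric $\lambda_D$ and downtimes in the test are constructed.

```python
# Added example (not from the slides): steady-state check of the 1oo3 and 2oo3
# Markov approximations. Assumptions of this example: restoration rates are
# mu_i = 1 / t_GiE, and each restoration takes the chain back one state.


def steady_state_birth_death(up_rates, down_rates):
    """Stationary distribution of a birth-death chain with states 0..m.

    up_rates[i] is the rate from state i to i+1 and down_rates[i] the rate
    from i+1 back to i. The detailed-balance solution is
    pi_i proportional to prod_{m<i} up[m]/down[m], normalised to sum 1.
    """
    weights = [1.0]
    for up, down in zip(up_rates, down_rates):
        weights.append(weights[-1] * up / down)
    total = sum(weights)
    return [w / total for w in weights]


def three_channel_states(lam_d, mu1, mu2, mu3):
    """States 1..4 of the xoo3 chain: forward rates 3*lam_D, 2*lam_D, lam_D,
    backward rates mu1, mu2, mu3. Returns [P1, P2, P3, P4] (list index 0..3)."""
    return steady_state_birth_death([3 * lam_d, 2 * lam_d, lam_d], [mu1, mu2, mu3])


def pfd_1oo3_exact(lam_d, mu1, mu2, mu3):
    """1oo3 fails only in state 4 (all three channels down)."""
    return three_channel_states(lam_d, mu1, mu2, mu3)[3]


def pfd_1oo3_closed_form(lam_d, mu1, mu2, mu3):
    """The slide's symbolic expression for P4(inf), for comparison."""
    num = 6 * lam_d ** 3
    den = 6 * lam_d ** 3 + 6 * lam_d ** 2 * mu3 + 3 * lam_d * mu2 * mu3 + mu1 * mu2 * mu3
    return num / den


def pfd_1oo3_truncated(lam_d, mu1, mu2, mu3):
    """Keep only the mu1*mu2*mu3 term of the denominator."""
    return 6 * lam_d ** 3 / (mu1 * mu2 * mu3)


def pfd_2oo3_exact(lam_d, mu1, mu2, mu3):
    """2oo3 fails in states 3 and 4; state 3 dominates."""
    p = three_channel_states(lam_d, mu1, mu2, mu3)
    return p[2] + p[3]


def pfd_2oo3_truncated(lam_d, mu1, mu2):
    return 6 * lam_d ** 2 / (mu1 * mu2)


def relative_error(approx, exact):
    return abs(approx - exact) / exact


if __name__ == "__main__":
    lam_d = 5e-6                                # constructed, per hour
    t_ce, t_g2e, t_g3e = 884.0, 592.0, 446.0    # constructed downtimes (h)
    mu1, mu2, mu3 = (1 / t for t in (t_ce, t_g2e, t_g3e))
    exact = pfd_1oo3_exact(lam_d, mu1, mu2, mu3)
    trunc = pfd_1oo3_truncated(lam_d, mu1, mu2, mu3)
    print(f"1oo3: exact {exact:.4e}, truncated {trunc:.4e}, "
          f"rel. error {relative_error(trunc, exact):.2%}")
    exact2 = pfd_2oo3_exact(lam_d, mu1, mu2, mu3)
    trunc2 = pfd_2oo3_truncated(lam_d, mu1, mu2)
    print(f"2oo3: exact {exact2:.4e}, truncated {trunc2:.4e}, "
          f"rel. error {relative_error(trunc2, exact2):.2%}")
```

The truncated formulas are the IEC 61508 products $6\lambda_D^3 t_{CE} t_{G2E} t_{G3E}$ and $6\lambda_D^2 t_{CE} t_{G2E}$ once $\mu_i$ is replaced by $1/t_{GiE}$; for the constructed data they overestimate the exact steady-state value by roughly one percent, on the conservative side, because the dropped denominator terms are of order $\lambda_D t_{CE}$.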


Markov

Meaning of µ i

The meaning of $\mu_i$ corresponds to the meaning of $t_{GiE}$:

I $\mu_1$ corresponds to $t_{G1E} = t_{CE}$
I $\mu_2$ corresponds to $t_{G2E}$ (which is $t_{GE}$ for a 2oo3 system)
I $\mu_3$ corresponds to $t_{G3E}$ (which is $t_{GE}$ for a 1oo3 system)
Remarks:
I $t_{CE}$ is always used when the equivalent mean downtime concerns a
single channel
I $t_{GE}$ is always used when the equivalent mean downtime concerns the
whole group (at the $(n-k+1)$th failure)
I $t_{GjE}$ is otherwise used to represent multiple failures up to the $(n-k)$th
failure.
