ISO/TR 12489: Reliability modelling & calculation of ...€¦ · TC67/ WG4 Overall framework of...
Transcript of ISO/TR 12489: Reliability modelling & calculation of ...€¦ · TC67/ WG4 Overall framework of...
PETROBRAS Rio, November 2014
TC67
WG4
ISO/TR 12489: Reliability modelling & calculation of safety systems.Presentation and applications
Jean-Pierre SIGNORETISO/TR 12489 project leader
Reliability expert, TOTAL
Jean-Pierre SIGNORETISO/TR 12489 project leader
Reliability expert, TOTAL
PETROBRAS Rio, November 2014
TC67
WG4
Presentation of ISO/TR 12489
TR prepared by ISO TC67 WG4/Project Group 3PG3 leader : Jean Pierre Signoret (Total)WG4 Convenor: Runar Østebø (Statoil)
TR prepared by ISO TC67 WG4/Project Group 3PG3 leader : Jean Pierre Signoret (Total)WG4 Convenor: Runar Østebø (Statoil)
3 - PETROBRAS Rio, November 2014TC67/ WG4
Background
Numerous safetysystems (SS) in
industrialinstallations
Numerous safetysystems (SS) in
industrialinstallations
Needs for accurate
reliability models & probabilistic
calculations
Needs for accurate
reliability models & probabilistic
calculations
More than 50 years of research & development
More than 50 years of research & development
ISO TC 67/WG4Reliability
Engineering and Technology
ISO TC 67/WG4Reliability
Engineering and Technology
IEC TC 65Functional Safety
standards
IEC TC 65Functional Safety
standards
Extensive expertiseexists in the field ofreliability modelling
& probabilisticcalculations
Extensive expertiseexists in the field ofreliability modelling
& probabilisticcalculations
Need to share expertise to fill the gaps and fulfill the
needs
Need to share expertise to fill the gaps and fulfill the
needsNo standardsfocused on
safety system
No standardsfocused on
safety system
Over simplifiedapproaches (*)
Over simplifiedapproaches (*)
Plenty ofavailable accurate
approaches
Plenty ofavailable accurate
approaches
(*) this has been improved in new editions (*) this has been improved in new editions
ISO/TR12489
ISO/TR12489
With regard tosafety
With regard tosafety
With regard toproduction
With regard toproduction
Launched in2008
Launched in2008
Developedfrom scratchDeveloped
from scratchDeveloped in parallelof the maintenance
of IEC 61508and IEC 61511
Developed in parallelof the maintenance
of IEC 61508and IEC 61511
FRFRNONO
UKUK
BRBR
BEBE
NINICHNCHN
USUS
NENE
Proposed andachieved by ISOTC67/WG4/PG3
Proposed andachieved by ISOTC67/WG4/PG3
ITIT
SPSP
Published inNov. 2013
Published inNov. 2013
Keptin line withIEC 61508-6
annex B
Keptin line withIEC 61508-6
annex B
4 - PETROBRAS Rio, November 2014TC67/ WG4
ISO/TR 12489 outline
Reliability modelling & calculation of safety systems
This document dealswith reliability modelling
& calculations
This document dealswith reliability modelling
& calculations
This document dealswith safety systems
This document dealswith safety systems
Simplified &non-simplified
approaches
Simplified &non-simplified
approaches
SafetyInstrumented
Systems(SIS)
SafetyInstrumented
Systems(SIS)
This is aTechnical Report
This is aTechnical Report
Onlyinformative
matters
Onlyinformative
matters
Atechnical reportis obviously"technical"!
Atechnical reportis obviously"technical"!
OrdinarySafety
Systems
OrdinarySafety
Systems
Spurious actionsSpurious actions
Implementation of systemic approaches
Implementation of systemic approaches
Impact onDependability
Impact onDependability
Aims toprovide guidelines
Aims toprovide guidelines
Mathematical development of
formulae
Mathematical development of
formulae
Not explainedelsewhere
Not explainedelsewhere
Not developedelsewhere
Not developedelsewhere
Failure of safety actions
Failure of safety actions
Impact onsafety
Impact onsafety
Production availability
(ISO 20815)
Production availability
(ISO 20815) Simple& complexsystems
Simple& complexsystems
Reliabilitydata collection
(ISO 14224)
Reliabilitydata collection
(ISO 14224)
5 - PETROBRAS Rio, November 2014TC67/ WG4
Overall framework of ISO/TR 12489
Risk management
Risk assessment
With regards to:safety,environment,production,operations,etc.
With regards to:safety,environment,production,operations,etc. Risk identificationRisk identification
Risk analysis
Modelling& calculations
Modelling& calculations
ISO/TR12489
ISO/TR12489
Reliability analysis
Risk evaluationRisk evaluation
ISO 31000ISO 31000
6 - PETROBRAS Rio, November 2014TC67/ WG4
GeneralmattersGeneralmatters
General &methodological
matters
General &methodological
matters
Target users of ISO/TR 12489
ManagementManagement Technical staff
Technical staff
OperatorsOperators
ManufacturersManufacturers
ConsultantsConsultants
Reliability engineersReliability engineers
Various stakeholders
Various stakeholders
Certification bodies
Certification bodies
Safety authoritiesSafety authorities UniversitiesUniversities
Teachers & students
Teachers & students
Coreof the
document
Coreof the
documentAnnexesAnnexes
7 - PETROBRAS Rio, November 2014TC67/ WG4
Some examples of safety systems covered by ISO/TR 12489 (instrumented or not)
Emergency / Processshutdown
Emergency / Processshutdown
Overpressureprotection systems
Overpressureprotection systems
Fire & gassystems
Fire & gassystems
Process controlsystems
Process controlsystems
Public alarmsystems
Public alarmsystems
Emergencypreparedness systems
Emergencypreparedness systems
Marineequipment
Marineequipment
Electrical & telecom.systems
Electrical & telecom.systems
Other utilitiesOther utilities
Drilling & wellsDrilling & wells
SubseaSubsea
ESDESDPSDPSD EDPEDP
HIPSHIPS HIPPSHIPPS Pressurerelief
Pressurerelief
Gasdetection
Gasdetection
Fire fightingsystem
Fire fightingsystem
Fire watersystem
Fire watersystem
Control &monitoringControl &
monitoringChemicalinjection
Chemicalinjection
Emergencycommunication
Emergencycommunication
Evacuationsystem
Evacuationsystem
Discon-nectionsystem
Discon-nectionsystem
StationkeepingStationkeeping Ballast
waterBallastwater
UPSUPS Telecom.Telecom.
FlaresystemFlare
systemHVACHVAC
MaterialhandlingMaterialhandling
Wellintegrity
Wellintegrity
Wellcompletion
Wellcompletion
ESDESDPSDPSD
HIPPSHIPPS
IsolationIsolation DivingDiving
Etc.Etc.
31 systemsidentified inthe TR
31 systemsidentified inthe TR
8 - PETROBRAS Rio, November 2014TC67/ WG4
Part 7Part 7
ISO/TR 12489 versus IEC 61508/511 and IEC TC56
ISO/TR12489
ISO/TR12489
IEC61508IEC
61508
IEC61511IEC
61511
IEC TC65Process Sector - Safety Instrumented Systems
IEC TC65Process Sector - Safety Instrumented Systems ISO TC 67/WG4
Reliability Engineeringand Technology
ISO TC 67/WG4Reliability Engineering
and Technology
Part 1Part 1Part 2Part 2
Part 3Part 3
Part 4Part 4
Part 5Part 5
Part 6Part 6
Part 1Part 1
Part 2Part 2
Part 3Part 3
Part 6annex B
Probabilisticcalculations
Part 6annex B
Probabilisticcalculations
Part 3annex J
Probabilisticcalculations
Part 3annex J
Probabilisticcalculations
Approximatedformulae
Approximatedformulae
"Alternative"approaches
"Alternative"approaches
Multiplesafety systems
Multiplesafety systems
Bring the methodology to the state of the art
Bring the methodology to the state of the art
Detailed explanations of proposed solutions to reliability engineers
Detailed explanations of proposed solutions to reliability engineers
Identification and explanations of weaknesses
Identification and explanations of weaknesses
Consolidation of simplified approaches
Consolidation of simplified approaches
Demystification of systemic approaches & provision of
extensive solutions
Demystification of systemic approaches & provision of
extensive solutions
In line withIEC 61508 &IEC 61511
In line withIEC 61508 &IEC 61511Extension
to spuriousfailures
Extensionto spurious
failures
Any kindof safetysystems
Any kindof safetysystems
Self containeddocument
Self containeddocument
Extension tocomplex systems
Extension tocomplex systems
IEC TC56Dependability
IEC TC56DependabilityMethodsMethods
Link with
ISO 20815
Link with
ISO 20815
9 - PETROBRAS Rio, November 2014TC67/ WG4
Distribution of the topics within the 260 pages of ISO/TR 12489
GeneralmattersGeneralmatters
ApproachesApproachesMiscellaneousMiscellaneous
Typicalapplications
Typicalapplications
FormulaFormula
BooleanBooleanMarkovMarkov
Petri netsPetri nets
DefinitionsDefinitions
GeneralanalyticsGeneralanalytics
Human factor
Human factor
CCFCCF
Monte CarloMonte Carlo
UncertaintyUncertainty
SafetysystemsSafety
systems
Reliability dataReliability data
41%
32%
21%
6%
5%
28%
7%
8%
34%3%
14%5%
30%
26%
29%
26%
OverallcontentOverallcontent
ApproachesApproaches
GeneralmattersGeneralmatters
More than 30safety systemsare identified
More than 30safety systemsare identified
PETROBRAS Rio, November 2014
TC67
WG4
Introduction to functional safety concepts
11 - PETROBRAS Rio, November 2014TC67/ WG4
3rdProtection
layer
3rdProtection
layer
RRF = 10 to 100RRF = 10 to 100
ALARP : Minimumneeded reductionALARP : Minimumneeded reduction
SIL Principle: identification of Risk Reduction needed
44
33
22
11
Dangerous event
frequencies
Dangerous event
frequencies
Processrisk
ProcessriskTolerable
riskTolerable
risk
1stProtection
layer
1stProtection
layer2ndProtection
layer
2ndProtection
layer
Risk Reductionwith conventional means
Risk Reductionwith conventional means
Dangerous events
consequences
Dangerous events
consequences
Risk without SISRisk without SIS
R2R2 R1R1
RRF = 100 to 1000RRF = 100 to 1000
RRF = 1000 to 10 000RRF = 1000 to 10 000
RRF > 10 000RRF > 10 000
RiskReductionFactor: R1/R2
RiskReductionFactor: R1/R2
SafetyIntegrityLevel: SIL
SafetyIntegrityLevel: SIL
HIPSHIPS
Con
sequ
ence
Frequency
Maxreduction
allowable ifnon SIF
=> 10
Maxreduction
allowable ifnon SIF
=> 10
4 sets ofrequirements
4 sets ofrequirements
12 - PETROBRAS Rio, November 2014TC67/ WG4
From conventional Safety system to Safety Instrumented System
PT3
PT2
PT1
L1 L2
Over-
PressureOver-
Pressure
IEC 61508IEC 61511IEC 61508IEC 61511API 14CAPI 14C
Relief ValveRelief Valve
SafetyInstrumented
System
SafetyInstrumented
System
CostCost
SizeSize
HighIntegrity
(Pressure)ProtectionSystem
HighIntegrity
(Pressure)ProtectionSystem
Conventionalsafetysystem
Reliability?Reliability?
13 - PETROBRAS Rio, November 2014TC67/ WG4
Low demandmode of operation
Low demandmode of operation
PFDavgPFDavg
Types of Safety Instrumented Systems (SIS)
Demand frequency1 Year1 Year
Average of theProbability ofFailure onDemand
Average of theProbability ofFailure onDemand
High demand or continuous mode of operation
High demand or continuous mode of operation
Continuousmode of operation
Continuousmode of operation
High demandmode of operation
High demandmode of operation
PFHPFH
Probability ofFailure perHour
Probability ofFailure perHour
Functionalsafety
standards
Functionalsafety
standards
Averageunavailability
U(T)
Averageunavailability
U(T)
Reliabilityengineering
Reliabilityengineering
Averagefailure frequency
w(T)
Averagefailure frequency
w(T)
14 - PETROBRAS Rio, November 2014TC67/ WG4
SIL
PFH
(SIL0)SIL1SIL4 SIL3 SIL2
SIL- summary & difficulties
Applies toSafetyInstrumentedFunction
Applies toSafetyInstrumentedFunction
Deterministicconstraints
10-4/h10-8/h 10-7/h 10-6/h 10-5/h
10-010-4 10-3 10-110-2
PFD
SFF
HFT
SFF
HFT
Relevancefor safety?Relevance
for safety?
SimplifiedcalculationsSimplifiedcalculations
Definitions Definitions
RRFRRF
links withPFD/PFHlinks withPFD/PFH
Splittinglow / highdemandmodes
Splittinglow / highdemandmodes
SafeFailureFraction
SafeFailureFraction
HarwareFaultTolerance
HarwareFaultTolerance
Spuriousfailures
Spuriousfailures
Proposed clarifications, explanations & improvements in ISO/TR 12489
Proposed clarifications, explanations & improvements in ISO/TR 12489
Organizationof the worksthrough the
life cycle
Organizationof the worksthrough the
life cycle FormalProcess
PETROBRAS Rio, November 2014
TC67
WG4
Introduction to the methods developed into ISO/TR 12489 for
PFDavg calculations
Lowdemand
mode safetysystems
Lowdemand
mode safetysystems
Average of theProbability ofFailure onDemand
Average of theProbability ofFailure onDemand
Functionalsafety
standards
Functionalsafety
standards
Reliabilityengineering
Reliabilityengineering
Averageunavailability
U(T)
Averageunavailability
U(T)
16 - PETROBRAS Rio, November 2014TC67/ WG4
Formulae
Taylor'sexpansionTaylor's
expansion
FTRBD
State Transition models(finite state automata)
Probabilistic models overviewProbabilistic models overview
Analyticalmethods
Analyticalmethods
Monte Carlosimulation
Monte Carlosimulation
Generictools
Generictools
SpecificformulaeSpecificformulae
Behavioralmodels
Behavioralmodels
PetrinetsPetrinets
FormallanguagesFormal
languages
50 years of
experience
50 years of
experience
Markovianapproach
Markovianapproach
BooleanapproachBoolean
approach
State ofthe art
State ofthe art
Developedwhen
computersdidn't exist
Developedwhen
computersdidn't exist
Computeroriented
Computeroriented
FT / RBDdriven Markov
processes
FT / RBDdriven Markov
processes
RBDdriven
Petri Nets
RBDdriven
Petri Nets
PETROBRAS Rio, November 2014
TC67
WG4
Simplified analytical approach
18 - PETROBRAS Rio, November 2014TC67/ WG4
2 parameters:λλλλ : Failure rateττττ : test interval
2 parameters:λλλλ : Failure rateττττ : test interval
OKOK KOKO
τ / 2τ / 2τ / 2τ / 2
ττττ
ButBut
2
τλτδ .≈unv
Proba. ofhiddenfailures
Proba. ofhiddenfailures
Averagehidden failure
duration
Averagehidden failure
duration
2
λττ
δ=≈ unv
avgPFD
Simplest approximation of the PFDavg
00
=→
avgLim PFD τ
22
11 2
0
λτλττ
δλδτ
ττ
==≈= ∫ dUavg .)(PFD
τ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λ
Unavailabilityduration
Unavailabilityduration
AA
The mostfamous formula
in functionalsafety
The mostfamous formula
in functionalsafety
Notrealistic!
Notrealistic!
λδλδδ ≈−−= )exp()( 1U
19 - PETROBRAS Rio, November 2014TC67/ WG4
3 parameters:λλλλ : Failure rateττττ : test intervalµµµµ : repair rate
3 parameters:λλλλ : Failure rateττττ : test intervalµµµµ : repair rate
KOKO
ττττ
ButBut2
τλτδ .≈unv
µλλτ
τδ
+=≈2
unvavgPFD
Approximation of the PFDavgfrom IEC 61508
µλτ 1
.+
τ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λ
Unavailabilityduration
Unavailabilityduration
AA
1/µµµµ
Averagerepair
duration
Averagerepair
duration
Proba. ofhiddenfailures
Proba. ofhiddenfailures
1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ
IEC 61508formula
IEC 61508formula
Influentparametersare missing
Influentparametersare missing
OKOK
Uof revealed
failures
Uof revealed
failures
τµ
τ ≈− 1
20 - PETROBRAS Rio, November 2014TC67/ WG4
Parameters:λλλλ : failure rateττττ : test intervalµµµµ : repair rateγ γ γ γ : prob. failure
due to a demandππππ : test durationψ ψ ψ ψ : reconfiguration error
Parameters:λλλλ : failure rateττττ : test intervalµµµµ : repair rateγ γ γ γ : prob. failure
due to a demandππππ : test durationψ ψ ψ ψ : reconfiguration error
ττττ
τψπµ
γµ
λττλτδ ... ++++≈ 11
2unv
ψτπ
τµγ
µλλτ
τδ
++++=≈.
PFD2
unvavg
Approximation of the PFDavg with more parameters (ISO/TR 12489) τ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λ
Unavailabilityduration
Unavailabilityduration
AA
1/µµµµ
1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τOKOK
ττττ
ππππKOKO
π << τπ << τπ << τπ << τπ << τπ << τπ << τπ << τ
ττττ
ππππ
etc.etc.
Taylorexpansion formore complex
cases
Taylorexpansion formore complex
cases
γγγγ
ψψψψ
OKOK KOKO
KOKOτπτ ≈−
21 - PETROBRAS Rio, November 2014TC67/ WG4
Test interval ττττTest interval ττττ
Average unavailability U ≡≡≡≡ PFDavgAverage unavailability U ≡≡≡≡ PFDavg
1
0
Limit average unavailability versus test interval
ττττ1ττττ1 ττττ2
ττττ2
OptimumOptimumττττo ≈≈≈≈ 2222γγγγ/(/(/(/(λµλµλµλµ))))
γγγγ increases
γγγγ increaseslog-loggraphiclog-loggraphic
Flat in thevicinity of
the minimum
Flat in thevicinity of
the minimum
Not enoughtests
Not enoughtests
Too muchtests
Too muchtests
Two testintervals
for the sameU
Two testintervals
for the sameU
Parameters:λλλλ : failure rateττττ : test intervalµµµµ : repair rateγ γ γ γ : prob. failure due to a demand
Parameters:λλλλ : failure rateττττ : test intervalµµµµ : repair rateγ γ γ γ : prob. failure due to a demand
AA
Need fordata collectionto estimate γγγγ
Need fordata collectionto estimate γγγγ
22 - PETROBRAS Rio, November 2014TC67/ WG4
2 parameters:λλλλ : Failure rateττττ : test interval
2 parameters:λλλλ : Failure rateττττ : test interval
Simplest approximation of the PFDavg for redundant systems
22
11 2
0
λτλττ
δδλτ
ττ
==≈= ∫ dUavg ..)(PFD A
τ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λ
AA
OKOK KOKO
τ / 2τ / 2τ / 2τ / 2
ττττ
OKOK KOKO
τ / 3τ / 3τ / 3τ / 3
ττττAA
BB
44
11 343
0
3 )().()(PFD ABC
λττλτ
δδλτ
ττ
==≈= ∫ dUavg
OKOK KOKO
τ / 4τ / 4τ / 4τ / 4
ττττ
AA
BB
CC
Even for simplest systems, each case implies specific
Taylor expansion development
Even for simplest systems, each case implies specific
Taylor expansion development
Averagehidden failure
duration
Averagehidden failure
duration
Taylor expansionλδλδλδλδ <<1
Taylor expansionλδλδλδλδ <<1
)().().()(),().()( CBAABCBAAB τττττττ UUUUUUU ≠≠
Notpossible to
combineformulae!
Notpossible to
combineformulae!
Catalog ofad hoc formulae
Catalog ofad hoc formulae
33
11 232
0
2 )().()(PFD AB
λττλτ
δδλτ
ττ
==≈= ∫ dUavg
Effect of systemicdependencies
Effect of systemicdependencies
Not in linewith reliability
analysisphilosophy
Not in linewith reliability
analysisphilosophy
PETROBRAS Rio, November 2014
TC67
WG4
Multi-phase Markovian approach
24 - PETROBRAS Rio, November 2014TC67/ WG4
Multi phase Markov model
)(*])[*()( 0ii MEXP PrPrPrPr
PrPrPrPr
δδ =
∫=τ
δδτ0
d).()( ii PrPrPrPr
AST
AST
AST
AST
τττ /)(1)( Aavg AST
AST
AST
AST
−== UPFD
λλλλ
µµµµA
DU
R
A
DU
R
A
DU
R
1
1
1
Linkingmatrix
[C]
Linkingmatrix
[C]
ττττ δδδδ
3 parameters:λλλλ : Failure rateττττ : test intervalµµµµ : repair rate
3 parameters:λλλλ : Failure rateττττ : test intervalµµµµ : repair rate
AA
AvailableAvailable
Dangerousundetected
failure
Dangerousundetected
failure
RepairRepair
Markovmatrix[M]
Markovmatrix[M]
Behaviorduring test
intervals
Behaviorduring test
intervals
Effect ofthe test
Effect ofthe test
λλλλ
µµµµA
DU
R
A
DU
R
A
DU
R
1
1
1
AccumulatedSojournTimes
AccumulatedSojournTimes
TestTest
)(].[)( τ10 −= ii PrPrPrPr
CCCCPrPrPrPr
)()()( A δδδ PrPFD −== 1U
Repairstarts as soonas the fault is
detected
Repairstarts as soonas the fault is
detected
25 - PETROBRAS Rio, November 2014TC67/ WG4
Typical saw -tooth curves for a singleperiodically tested component
Classical saw-tooth curve
Classical saw-tooth curve
λ λ λ λ ����λ λ λ λ ����
1/µ 1/µ 1/µ 1/µ ����1/µ 1/µ 1/µ 1/µ ����
1/µ 1/µ 1/µ 1/µ ��������1/µ 1/µ 1/µ 1/µ ��������
τ τ τ τ ����τ τ τ τ ����
ττττ ����0Idem revealed
faults
ττττ ����0Idem revealed
faults
AA
τ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λτ << 1/λ
1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ1/µ << τ
U(t)
U(T)
T
U(t)
U(T)
T
U(t)
U(T)
T
Ut)
U(T)
T
U(T)
U(t)
T
Parameters:λλλλ : failure rateττττ : test intervalµµµµ : repair rateγ γ γ γ : prob. failure
due to a demandππππ : test duration
Parameters:λλλλ : failure rateττττ : test intervalµµµµ : repair rateγ γ γ γ : prob. failure
due to a demandππππ : test duration
26 - PETROBRAS Rio, November 2014TC67/ WG4
U(t)
T
U(T)
γγγγ
1 - γγγγ
Modeling the probability of failure due to the demand itself and the test duration
γγγγA
R
DU
A
R
DU
Test
1U(t)
ππππ
Failure dueto tests ( γγγγ)
Failure dueto tests ( γγγγ)
Testduration
Testduration
T
PETROBRAS Rio, November 2014
TC67
WG4
Fault tree approach
28 - PETROBRAS Rio, November 2014TC67/ WG4
Indisponibilitédes feuilles
Indisponibilitédes feuilles
Fault tree driven Markov processes: principle for unavailability calculation.
Top
E1
E2 E3
t
U1(t)
t
U2(t)
t
U3(t)
t
US(t)
ti
ti
titi
Calculate N results distributedover the time interval [0, T]
Calculate N results distributedover the time interval [0, T]
Calculate the systemunavailability at ti (Top)Calculate the system
unavailability at ti (Top)
Select an instant tiSelect an instant ti
Calculate each leaf unavailability of at ti
Calculate each leaf unavailability of at ti
Systemunavailability
Systemunavailability
US(t)US(t)FT driven Markov
processesFT driven Markov
processes
Establish Uk(t) foreach leaf.
Establish Uk(t) foreach leaf.
Independentcomponents Independentcomponents
Markovprocesses
Markovprocesses
Leavesunavailabilities
Leavesunavailabilities
29 - PETROBRAS Rio, November 2014TC67/ WG4
1 2
TOP
1 2
TOP
λλλλ : 1e-4ττττ : 1000 λλλλ : 1e-4ττττ : 1000 Max : 1.81 10 -1
Mean : 9.37 10 -2Max : 1.81 10 -1
Mean : 9.37 10-2Max : 1.39 10 -1
Mean : 9.01 10 -2Max : 1.39 10 -1
Mean : 9.01 10-2
1 2
1 2
Hips Unavailability
0 1000 2000 3000 4000
1e-1
0 1000 2000 3000 4000
5e-2
0 1000 2000 3000 4000
5e-2
Hips Unavailability
0 1000 2000 3000 4000
1e-1
0 1000 2000 3000 4000
5e-2
0 1000 2000 3000 4000
5e-2
Staggering
5e-2(λτλτλτλτ/2)5e-2(λτλτλτλτ/2)
9.75 10-29.75 10-2
5e-2(λτλτλτλτ/2)5e-2(λτλτλτλτ/2)
• No Max value• Staggering not
possible
• No Max value• Staggering not
possible
• Conservative• Conservative
UsualCalculations
UsualCalculations
CorrectCalculations
CorrectCalculations
PFDi(t)PFDi(t)PFDavgPFDavg
Becautious
Becautious
Independentcomponents
PFD(t)PFD(t)??!??!
OR gate
PFDavgPFDavg
1 2
TOP
30 - PETROBRAS Rio, November 2014TC67/ WG4
2
1
UsualCalculations
UsualCalculations
5e-2(λτλτλτλτ/2)5e-2(λτλτλτλτ/2)
2.25 10-32.25 10-3
5e-2(λτλτλτλτ/2)5e-2(λτλτλτλτ/2)
1 2
TOP
Non conservativeNon conservative
λλλλ : 1e-4ττττ : 1000 λλλλ : 1e-4ττττ : 1000
11 22
No max valueNo max valueCorrect
CalculationsCorrect
Calculations
Max : 9.05 10 -3
Mean : 3.13 10 -3
Max : 9.05 10 -3
Mean : 3.13 10 -3Max : 4.6 10 -3
Mean : 1.92 10 -3
Max : 4.6 10 -3
Mean : 1.92 10 -3
1 2
TOP
1 2
TOP
0 1000 2000 3000 4000
5e-2
0 1000 2000 3000 4000
5e-2
0 1000 2000 3000 4000
5e-2
0 1000 2000 3000 4000
5e-2
Unavailability
0 1000 2000 3000 4000
5e-3
Unavailability
0 1000 2000 3000 4000
2e-34e-35e-3
Staggering
Staggering not possible
Staggering not possible
PFD(t)PFD(t)PFDavgPFDavg
Be verycautiousBe verycautious
PFD(t)PFD(t)
PFDavgPFDavg
Independentcomponents
AND gate
31 - PETROBRAS Rio, November 2014TC67/ WG4
Parameters of a periodically tested component (dangerous undetected failures)
DU Failurerate
DU Failurerate
Failure rateduring testFailure rateduring test
Repairrate
Repairrate
TestdurationTest
duration
TestintervalTest
interval
Date of 1st testDate of 1st test
Probabilityof failure dueto the test
Probabilityof failure dueto the test
Availabilityduring testAvailabilityduring test
TestcoverageTest
coverageProba. of
reconfigurationfailure
Proba. ofreconfiguration
failure
ClassicalparametersClassical
parameters
Teststaggering
Teststaggering
Big PFDcontributor
when unavailable
Big PFDcontributor
when unavailable
Genuine PFDGenuine PFD
GenerallyneglectedGenerallyneglected
Smallcontributor
Smallcontributor
Failuresnever tested
Failuresnever tested Should be
discovered atthe next test
Should be discovered atthe next test
Generallyignored
Generallyignored
Simplestmodels
Simplestmodels
IEC61508
IEC61508
32 - PETROBRAS Rio, November 2014TC67/ WG4
FT driven Markov processes:application to safety systems.
E1, E2 & E3reasonably
independent
Top
E1
E2 E3
0
0.025
0.075
0.1
0 10000 20000 30000 40000
t
U1(t)
0
0.4
0.81
0 10000 20000 30000 40000
t
U2(t)
00.04
0.12
0.2
0 10000 20000 30000 40000
t
U3(t)
0
0.1
0.2
0.3
0 10000 20000 30000 40000
t
US(t)
Multi-phaseMarkov processes
Multi-phaseMarkov processes
Fault treeinputs
Fault treeinputs
- On demand failure ( γγγγ)- Test coverage ( σσσσ) - On demand failure ( γγγγ)- Test coverage ( σσσσ)
-Test duration ( ππππ)- unavailable during tests-Test duration ( ππππ)- unavailable during tests
Simplesaw-tooth curve
Simplesaw-tooth curve
Systemunavailability
Systemunavailability
PFDavgPFDavg
Describedin IEC
61508 Ed2
Describedin IEC
61508 Ed2
PETROBRAS Rio, November 2014
TC67
WG4
RBD driven Petri net and Monte Carlo simulation
approaches
34 - PETROBRAS Rio, November 2014TC67/ WG4
Simulation of any probability law
1
0
F(x)
x
F(x)=P(X≤x)
X: wanted distribution
(cdf)
X: wanted distribution
(cdf)
0 z
P(Z ≤ z)
Z: Uniform distributionZ: Uniform distribution
1
1
1
2
3 1
Randomnumber
Randomnumber
x = F-1(z) distributedalong to F(x)
x = F-1(z) distributedalong to F(x)
λδ )(zLN−=
ex: delay δδδδexponentiallydistributed
ex: delay δδδδexponentiallydistributed
Cumulateddistribution
function(cdf)
Cumulateddistribution
function(cdf)
35 - PETROBRAS Rio, November 2014TC67/ WG4
Random number generators
PhysicalmethodsPhysicalmethods
Decimals of ππππDecimals of ππππ
Pseudo randomnumber generators
Pseudo randomnumber generators Xn+1= (a.Xn+b) mod mXn+1= (a.Xn+b) mod m
Linear congruential generators
Linear congruential generators
3,1415926535897932384626433832795028841971693993751058209749445923078164062862089986280348253421170679 82148086513282306647093844609550582231725359408128 ...
3,1415926535897932384626433832795028841971693993751058209749445923078164062862089986280348253421170679 82148086513282306647093844609550582231725359408128 ...
ComputerComputer
J. Von Neumann
Trajectoryof the bouleTrajectory
of the boule
Zenerdiode
Thermalnoise
Thermalnoise
Several billons are known
Several billons are known
Length ofone revolution
Length ofone revolution
Widelyused
Widelyused
36 - PETROBRAS Rio, November 2014TC67/ WG4
Periodically tested component
OKOK
DUDU
RR
??MT==true !Ci=false
AvailableAvailable
Non detectedfault
Non detectedfault
RepairRepair
!!Ci=true
Assertion:State of thecomponent
Assertion:State of thecomponent
µµµµ
δ= τδ= τδ= τδ= τ−−−− t mod(τ(τ(τ(τ))))
DDDD
Detectedfault
Detectedfault
!! MT=false
!!MT=true
FailureFailure
TestTest
Start ofrepair
Start ofrepair
End ofrepair
End ofrepair
δ= 0δ= 0δ= 0δ= 0
Predicate:availability of the
maintenance team
Predicate:availability of the
maintenance team
Place:local state
Place:local state
Transition:event
Transition:event
Token:actual local
state
Token:actual local
state
Arcs:links place/transitions
Arcs:links place/transitions
Statevariable Ci
Statevariable Ci
37 - PETROBRAS Rio, November 2014TC67/ WG4
OK
DU
R
??MT==true
DD
!! MT=false
!!MT=true
test
Repair team mobilization
nM
MOL
ωωωω
OK
DU
R
DD
test
2/3 O1
A
BE
FDO1 O2 S
C
RBD driven PN modelling: applicationto SIL calculations
Simple periodicallytested component
Simple periodicallytested component
SIS modelSIS model
O1=A.B+A.C+B.C
O2= O1.D
S= O2.(E+F)
!-A
! A
IEC 61508ISO/TR 12489
IEC 61508ISO/TR 12489
•Reliability•Availability•Frequency
•Reliability•Availability•Frequency
StatisticsStatistics
-PFDavg-PFH-PFDavg-PFH
GlobalassertionGlobal
assertion
!-E
! E
Monte carlosimulation
Monte carlosimulation
VirtualRBD
VirtualRBD
Statevariable A
Statevariable A
Statevariable E
Statevariable E
λλλλDDµµµµ
DD
OK
!-D
! D
Statevariable D
Statevariable D
Simple componentwith revealed failuresSimple component
with revealed failures
!!NbR=NbR+1
!!NbR=NbR-1
OL
M
??NbR>0
??NbR==0
- Nb. component failed: !NbR- Repair resources on location: OL- Repair team mobilized: M
- Nb. component failed: !NbR- Repair resources on location: OL- Repair team mobilized: M
Simple periodicallytested component with
repair team mobilization
Simple periodicallytested component with
repair team mobilization
SS
38 - PETROBRAS Rio, November 2014TC67/ WG4
Parameter calculations: The magic sub PN!
OK
KO
AvailabilityAvailability
UnavailabilityUnavailability
UnreliabilityUnreliability
MTTFMTTF
Detectionof the first
failure
Detectionof the first
failure
PFDavg =Mean markingPFDavg =
Mean marking
PFD(t) =KO marked at tPFD(t) =
KO marked at t
PFH = failure frequency
(not ultimate layer)
PFH = failure frequency
(not ultimate layer)
PFH≈≈≈≈ 1/MTTF
(ultimate layer)
PFH≈≈≈≈ 1/MTTF
(ultimate layer)
Single shotSingle shot PFH≈≈≈≈ F(T)/T
(ultimate layer)
PFH≈≈≈≈ F(T)/T
(ultimate layer)
?? S=0?? S=0
?? S=1?? S=1
S=1S=1S=0S=0S=1S=1
Beware
of this
formula
Beware
of this
formula
VirtualRBD
output
VirtualRBD
output
39 - PETROBRAS Rio, November 2014TC67/ WG4
Example of Monte Carlo output(50 000 histories)
2/3 O1
AA
BBEE
FFDDO1 O2 S
CC O1=A.B+A.C+B.CO1=A.B+A.C+B.C
O2= O1.DO2= O1.D
S= O2.(E+F)S= O2.(E+F)Sensors availability
0.4
0.6
0.8
1
0 5000 10000 15000 20000 25000 30000 35000
Time
Availability of 3 sensors in 2oo3
0.4
0.6
0.8
1
0 5000 10000 15000 20000 25000 30000 35000
Time
Logic solver with revealed failures
0.9984
0.9988
0.9992
0.9996
1
0 5000 10000 15000 20000 25000 30000 35000
Time
Avalability of safety valves
0.4
0.6
0.8
1
0 5000 10000 15000 20000 25000 30000 35000
Time
SIS availability
0.4
0.6
0.8
1
0 5000 10000 15000 20000 25000 30000 35000
Time
SIS unavailability – PFD( t)
0
0.2
0.4
0.6
0 5000 10000 15000 20000 25000 30000 35000
Time
Not SNot S
PFDavgPFDavg
SS
40 - PETROBRAS Rio, November 2014TC67/ WG4
Monte Carlo simulation uncertainties
90%confidence
interval
90%confidence
interval
Unavailability(500 histories)
0
0.1
0.2
0.3
0.4
0.5
0.6
0 5000 10000 15000 20000 25000 30000 35000
Time
A(t)A(t)
PFDavgPFDavg
41 - PETROBRAS Rio, November 2014TC67/ WG4
Other possible outputs
Unreliability
0
0.2
0.6
1
0 5000 10000 15000 20000 25000 30000 35000
Time
Time to failure
0
2000
4000
6000
0 5000 10000 15000 20000 25000 30000 35000
Time
Accumulated number of failures
0
2
4
6
0 5000 10000 15000 20000 25000 30000 35000
Time
Average failure frequency
0
0.00004
0.00012
0.0002
0 5000 10000 15000 20000 25000 30000 35000
Time
Average failure frequency
0.00016
0.000162
0.000166
0.00017
0 5000 10000 15000 20000 25000 30000 35000
Time
MTTFMTTF
PETROBRAS Rio, November 2014
TC67
WG4
Multiple safety systems
43 - PETROBRAS Rio, November 2014TC67/ WG4
Two simple SIS acting in sequence
SIS1SIS2 Situation
Perfect functioningYes
Hazardous eventNo
NoYes
Degraded functioning
Processdemand
Safestates
ww
demandfrequency
F1(t)= λλλλ1111tF1(t)= λλλλ1111tww
λλλλ1111, τ, τ, τ, τλλλλ1111, τ, τ, τ, τ
λλλλ2222, τ, τ, τ, τλλλλ2222, τ, τ, τ, τ
U1(t)≈λλλλ1111....t
U2(t)≈λλλλ2222t
F2(t)= λλλλ2222....tF2(t)= λλλλ2222....t 3)()(
22
21τλλδδλλ
τδδδ
τττ 210
210
11wdwdw == ∫∫ FFHEFS
ww PFD1= λλλλ1111τ τ τ τ / 2PFD1= λλλλ1111τ τ τ τ / 2 PFD2= λλλλ2222τ τ τ τ / 2PFD2= λλλλ2222τ τ τ τ / 24
..2
21τλλ 21ww == PFDPFDHEFS
Simplistic calculation(e.g. LOPA)
Simplistic calculation(e.g. LOPA)
Notconservative
Notconservative
Multiple SISMultiple SIS
Probabilityof failure at δδδδProbability
of failure at δδδδ
Probability offailure at t
Probability offailure at t
HazardousEventFrequency
HazardousEventFrequencyAverage
probabilityof failure
Averageprobabilityof failure
Riskreduction
over estimatedby 25%
Riskreduction
over estimatedby 25%
Effect dueto systemic
dependencies
Effect dueto systemic
dependencies
44 - PETROBRAS Rio, November 2014TC67/ WG4
U2(t)≈(λλλλ2222....t)2
Two Redundant SIS acting in sequence
SIS1SIS2 Situation
Perfect functioningYes
Hazardous eventNo
NoYes
Degraded functioning
Processdemand
Safestates
ww
demandfrequencydemand
frequency
F1(t)= (λλλλ1111t)2F1(t)= (λλλλ1111t)2ww F2(t)= (λλλλ2222....t)2F2(t)= (λλλλ2222....t)2
5)()()(
44
21τλλδδλλ
τδδδ
τττ 2
22
12
021
0
11wdwdw == ∫∫ FFHEFS
ww PFD1= (λλλλ1111ττττ)2 / 3PFD1= (λλλλ1111ττττ)2 / 3 PFD2= (λλλλ2222τ τ τ τ )2 2 2 2 / 3PFD2= (λλλλ2222τ τ τ τ )2 2 2 2 / 39
..4
21τλλ 2
22
1ww == PFDPFDHEFS
Simplistic calculation(e.g. LOPA)
Simplistic calculation(e.g. LOPA)
Notconservative
Notconservative
Multiple SISMultiple SIS
Probabilityof failure at δδδδProbability
of failure at δδδδ
Probability offailure at t
Probability offailure at t
HazardousEventFrequency
HazardousEventFrequencyAverage
probabilityof failure
Averageprobabilityof failure
λλλλ1111, τ, τ, τ, τλλλλ1111, τ, τ, τ, τ
λλλλ1111, τ, τ, τ, τλλλλ1111, τ, τ, τ, τ λλλλ2222, τ, τ, τ, τλλλλ2222, τ, τ, τ, τ
λλλλ2222, τ, τ, τ, τλλλλ2222, τ, τ, τ, τU1(t)≈(λλλλ1111....t)
2
Riskreduction
over estimatedby 44%
Riskreduction
over estimatedby 44%
The effectof systemic
dependenciesincreases when
redundancyincreases
The effectof systemic
dependenciesincreases when
redundancyincreases
45 - PETROBRAS Rio, November 2014TC67/ WG4
PDFavgPDFavg
Scenariosprobabilities
Initiatingevent
Protectionlayer 1
Protectionlayer 2
Protectionlayer 3
yes
Noyes
No yes
No
p1(t)
1-p1(t)
p2(t)
1-p2(t)
p3(t)
1-p3(t)
Event tree (multiple SIS) or fault tree (redundant SIS) calculation difficulties
1-p11-p1
p1(1-p2)p1(1-p2)
p1.p2.p3p1.p2.p3
p1.p2(1-p3)p1.p2(1-p3)
CommonCause
Failures
CommonCause
Failures
Constantprobabilities
Constantprobabilities
AsymptoticprobabilitiesAsymptoticprobabilities
Instantaneousprobabilities
Instantaneousprobabilities
Averageprobabilities
Averageprobabilities
Popularcalculation
Popularcalculation
p1(ττττ).p2(ττττ).p3(ττττ).dττττp1(ττττ).p2(ττττ).p3(ττττ).dττττ1
T 0
T
1-p1(t)1-p1(t)
p1(t) [1-p 2(t)]p1(t) [1-p 2(t)]
p1(t).p2(t).p3(t)p1(t).p2(t).p3(t)
p1(t).p2(t) [1-p 3(t)]p1(t).p2(t) [1-p 3(t)]
Nonconservative
results
Nonconservative
results
Explained in IEC 61511and ISO/TR 12489
Explained in IEC 61511and ISO/TR 12489
Systemicdependen-
cies
Systemicdependen-
cies
55 - PETROBRAS Rio, November 2014TC67/ WG4
That's allFolks...
That's allFolks...
Anyquestions
?...
Anyquestions
?...
PETROBRAS Rio, November 201456-
SIL Bridge ! PFDavg is not reallya good indicator for worker in operation
PFDavg is not reallya good indicator for worker in operation