Discussion point #1:
The formulas for PFDavg and PFH calculation given in IEC61508-6 standard are 'approximate' formulas. To achieve a meaningful result, we should meet all the assumptions which were used to derive the PFDavg / PFH equations.
First, we need to take a closer look at the PFDavg measure. IEC61508-1 Table 2 states that a target failure measure for low demand mode is the average probability of dangerous failure on demand (PFDavg). IEC61508-4 defines low demand mode as "where the safety function is only performed on demand, in order to transfer the EUC (Equipment Under Control) into a specified safe state, and where the frequency of demands is no greater than one per year."
Unfortunately, many engineers make their PFD vs PFH choice based on SIF demand frequency only and do not consider further conditions for PFD/PFH formulas provided within IEC61508-6 Annex B. Clause B.3.1 of this Annex B explains that, for low demand mode, one of the assumptions for probabilistic calculations is that the expected interval between demands is at least an order of magnitude greater than the proof test interval.
So are you taking this into consideration in your calculations?
Discussion Point #2:
IEC61511-1 edition 2: 2016 advises deeper analysis when selecting a target failure measure. IEC61511-1 Table 4 specifies that the PFDavg measure can be used for a SIF working in 'demand mode'. Please note that in this standard's edition, the term 'demand mode' stands for both low and high demand SIFs. This yields to the conclusion that the second edition accepts that sometimes PFDavg might be used for high demand mode SIFs as well.
So is this change a good approach?
Consider the following example: SIF A is classified as high demand mode with a demand rate of one per 10 months and the proof test interval is 1 month. Can the target failure measure for this example be expressed as PFDavg? Yes, when the proof test interval is less than the demand rate credit can be taken for proof testing activity. In this example, credit can be given to the proof test activity because the SIF A failure is likely to be detected by a proof test and not by a real process demand.
IEC61511-1 Table 5 seems to provide a wider view on PFH applicability. As per this table, PFH can be used for a SIF working in demand mode or 'continuous mode', i.e. low demand, high demand and continuous mode! This means the standard assumes it might be justifiable to use PFH for a SIF, which by definition, is classified as low demand mode.
Consider the following example: SIF B is classified as low demand mode with a demand rate of one per year and proof test interval of 2 years. Can the target failure measure for this example be expressed as PFDavg? No, since the proof test interval os greater than the demand rate, credit cannot be taken for proof testing activity. The credit cannot be given to the proof test because the SIF failure is likely to be revealed by a real process demand rather than by the proof test. Therefore, PFH may be appropriate.
Discussion Point #3:
For any SIF mode, both PFDavg and PFH can be calculated. From probability math, there is no barrier to use PFH for low demand mode. The question we should ask ourselves is; 'Is the calculated measure relevant from a safety point of view?'. In fact, a better safety indicator for industry incidents would be the 'average dangerous event frequency', which, for low demand can be calculated as PFDavg x demand frequency. For high demand, a complex formula shall be used; and for continuous mode, average dangerous event frequency equals to PFH. Unfortunately, the IEC61508 approach is different. ISO/TR 12489 addresses reliability modelling and calculation of safety systems much better than IEC61508 and may therefore constitute a more focused source of information.
In concluding the above, we should remember that PFD and PFH equations as derived in IEC61508 are 'approximation formulas' and their use must be justified for each SIF to achieve a meaningful safety indicator. The selection process between PFDavg and PFH for a specific SIF shall include consideration if a credit for the proof test or diagnostic can be given to a certain SIF and if all assumptions for calculation validity are fulfilled.
The takeaway question:
What is the basis for PFDavg PFH selection in your project? Do you consider all the conditions from IEC61508-6 Annex B, or maybe you are using one of the non-approximated methods for calculation of your target failure measure? If you want to find out more, contact us or post a comment.