General Method for Uncertainty Evaluation of Safety Integrity Level (SIL)

Calculations

Raymond “Randy” Freeman

S&PP Consulting
12303 Lake Shore Ridge
Houston, TX 77041
Voice: 713 856 7143
EMAIL: rafree@yahoo.com

Abstract
The IEC 61511 standard requires a verification calculation that a proposed design for a safety
instrumented function (SIF) achieves the desired safety integrity level (SIL). The evaluation of
the safety integrity level of a new or existing safety instrumented system requires detailed
calculations based on the failure rates of the device and the planned maintenance/testing cycle
for the system. The failure rates of the devices are often taken from standard failure rate
tabulations of equipment. The maintenance and testing plans are developed based on plant
experience. All of the data used in the SIL calculations are uncertain. This paper develops a
general method for uncertainty analysis of the SIL calculations. The general method is based on
the application of probability theory - variance contribution analysis (VCA) – to the equations
presented in ISA TR 84.00.02-2115. An example is worked to demonstrate the methodology.

Background
The calculation of the probability of failure on demand (PFD) is a common engineering task
when designing an interlock or safety system that is to be in compliance with IEC 61511
[Ref. 1]. The calculation of the PFD is often done using approximate equations defined in the
ISA TR84.00.02 technical report [Ref. 2]. The simplified equation method in the ISA report is
commonly used and is based on the use of reliability block diagrams where the field sensors,
Safety Instrumented System (SIS) logic solver and final control elements are considered
independent of each other in the sense of not sharing common devices or systems. The PFD is
then calculated using the failure rates of the devices, planned test intervals, vendor supplied
estimates on diagnostic coverage of the devices and an allowance for the potential for common
cause failures. Almost all of these parameters are uncertain. The failure rate data is often taken
from generic data sources which show wide ranges in the observed values.

Because of the uncertainty in the parameters, the design engineer makes allowances in the design
by the use of safety factors or rules of thumb to improve the chances that the final interlock
installation will work as intended. Since each engineer has a different set of safety factors and
rules of thumb, two designs may differ significantly in the way a hazard is controlled.

A more formal method for handling the underlying uncertainty in the calculation of the PFD of
an interlock is needed. Previously, Freeman and Summers [Ref. 3] published an uncertainity
analysis of the PFD of an interlock. Two different methods were used in this analysis:
 Monte Carlo Simulation
 Variance Contribution Analysis (VCA)

Monte Carlo Simulation requires that the engineer build a model of the interlock using
specialized computer software. The use of VCA requires that the sensitivity of the interlock
model be determined either by numerical methods or by direct analytical calculations. The
Freeman paper demonstrates that VCA can be used for the uncertainty analysis. However, the
paper does not present a complete analysis method that can be applied to any system defined in
the ISA technical report TR84.00.02. The goal of this paper is to develop a general set of
analytical equations that will allow VCA to be used in uncertainty analysis of any interlock
developed per the IEC 61511 standard.

Review of Interlock Design

The IEC standard looks at an interlock as a series of three major components (see Figure 1).
First is the sensor set which sends an indication of an abnormal event to a logic solver. The logic
solver determines is the signal from the sensor meets the conditions required to activate (trip) the
interlock. If the interlock is to be activated, a signal is sent to the final control elements to take
action (stop flow, close valve, etc) to prevent a process safety event from occurring.
Based on the devices selected the design engineer then evaluates whether the proposed interlock
design meets the design criterion for probability of failure on demand. Typically, the design
engineer is given the target PFD as a statement such as “provide a SIL-2 interlock to stop flow
on high level in a vessel.” A SIL-2 interlock requires a PFD of at most 0.01 or a risk reduction
factor of at least 100. The needed risk reduction is often determined in a Layer of Protection
Analysis (LOPA) [ Ref. 4] and represents the managements decision on how risk is to be
managed in a system. The resulting SIL-2 interlock design must have a high likelihood of
achieving the target risk reduction as the LOPA team may be relying on it to be part of an overall
risk reduction plan to prevent a process safety incident.
The ISA technical report (TR 84.00.02) [Ref. 2] provides shortcut methods for the evaluation of
the PFD of an interlock design. Tables 1 and 2 are taken from the ISA technical report [Ref. 2].
Typical parameters need to compute the PFD include:
 DC is the diagnostic coverage;
 DI is the diagnostic interval;
 TI is the proof test interval,
 λD is the dangerous failure rate;
 MTTR is the mean time to restore the system to operation
  is the common cause failure parameter that is always is between 0 and 1
In practice most if not all of these parameters are uncertain. Using parameter values obtained
from plant records, vendor data or generic data bases the design engineer proceeds to develop the
model for the interlock.

What is needed is a means to rapidly evaluate the impact of parameter uncertainty on the
interlock PFD. The remainder of this paper applies the methods of variance contribution analysis
(VCA) to determine the mean (expected value) and the standard deviation of the interlock PFD
for a given design.
 Table 1. Simplified PFD avg formulas for Non-Repairable System
without considering CCF, Diagnostics or MTTR.

Appendix
PFD based on "Average before"
Configuration Function A Equation
failure rate
Number

 D TI 
1oo1 F1 =   2  A-1
 

 D 2 TI 2 
1oo2 F2 = (  )   A- 2
 4 

 D 3 TI 3 
1oo3 F3 = (  )   A-3
 8 

 D 
2oo2 F4 =   TI A-4
 

3  D 2 
2oo3 F5 =  ( )  TI2  A-5
4  

 TI 
3oo3 F6 = 3   D   A-6
 2

Where TI is the proof test interval, λD is the dangerous failure rate.

 Table 2. Simplified PFD avg Formulas for Repairable System
considering CCF, Diagnostics and MTTR

Appendix
A
Configuration Function PFD based on "Average before" failure rate
Equation
Number

 (1  DC)   D  TI DC   D  DI 
1oo1 F7 =
    D  MTTR A-24
 2 2 
2
 (1  DC)  (1   )  D  TI 
  
 2  
 DC  (1   )  D  DI 
  (1   )    MTTR
D

2 
1oo2 F8 =  (1  DC)      TI
D
 A- 25
  
 2 
 DC    D  DI 
      MTTR
D

2 

3
 (1  DC)  (1   )  D  TI 
  
 2  
 DC  (1   )  D  DI 
  (1   )  D  MTTR
2 
1oo3 F9 =  (1  DC)      TI
D
 A-26
  
 2 
 DC    D  DI 
      MTTR
D

2 

 (1  DC)   D  TI DC   D  DI 
2oo2 F 10 = 2     D  MTTR A-27
 2 2 
 Table 2. Simplified PFD avg Formulas for Repairable System
considering CCF, Diagnostics and MTTR

Appendix
A
Configuration Function PFD based on "Average before" failure rate
Equation
Number

2
 (1  DC)  (1   )  D  TI 
  
3  2  
 DC  (1   )  D  DI 
  (1   )    MTTR
D

2oo3 F 11 =
2  A-28
 (1  DC)      TI
D

  
 2 
 DC    D  DI 
      MTTR
D

2 
 (1  DC)  D  TI DC  D  DI 
3oo3 F 12 = 3    D  MTTR A-29
 2 2 
Review of Variance Contribution Analysis (VCA) Methodology
The mean and variance of a function of random variables can be approximated using the method
described by Haugen [Ref. 5] and applied by Freeman [Ref. 3, 6, 7]. Define an arbitrary function
of a set of random variables, xi, as:

Let

Y = F(xi) (Eq 1)

The mean of Y can be estimated using the following approximation:

E(Y) = F[ E(xi)] (Eq 2)

Where:
E(Y) = expected value of random variable Y = mean of Y
E(xi) = expected value of random variable xi = mean of xi

The variance of Y can likewise be estimated as:

 
2
n  Y 
V(Y) = i1   V ( xi ) (Eq 3)
 xi 
 

Where:
V(Y) = variance of random variable Y as defined above in Equation 1
V(xi) = variance of random variable xi as defined above in Equation 1

Note that the variance is simply the square of the standard deviation. Using the variance will
simplify the mathematics that is described below. The contribution of each independent random
variable to the overall variance in the function is:

 
2
 Y 
V(Y from xi) =   V ( xi ) (Eq 4)
 x 
 i

The relative contribution of each term to the overall variance V(Y) is a measure of the
importance in the uncertainty in the particular random variable, xi. In effect, this is a sensitivity
analysis combined with a uncertainty evaluation. The variance contribution combines the
sensitivity in the answer to changes in the uncertain random variable, xi, with a measure of the
uncertainty in the random variable, xi. The overall variance in Y is found by summing the
sensitivity weighted variances from each random variable.

Recommended Interlock PFD Uncertainty Analysis Method

Previously, Freeman and Summers [Ref. 3] suggested a framework for the inclusion of
uncertainty analysis in the calculations completed for a new interlock per the ISA TR [Ref. 2].
The following uncertainty analysis method has been expanded to incorporate critical decisions
that the process management must make in the design process.

1. Complete the interlock design using the methods outlined in IEC 61511 [Ref. 1].

2. Review with the process system management and determine if the proposed interlock
should be considered repairable or non-repairable. A simple flow chart for this decision
making is presented in Figure 2. The basic question is: “can the interlock be repaired
safely while the process operates.” This is a management question and management
should be the one that decides the answer to this important question.

3. Create interlock performance equation as the mathematical model for the combination of
sensor, logic solver and final control elements using the methods outlined in ISA
technical report (TR84.00.02) [Ref. 2]. For non-repairable systems, Table 3 can be used.
For more complex systems such as non-repairable redundant systems with the potential
for common cause failures, use the repairable equations of Table 4 and set DI, DC, and
MTTR all equal to zero. For systems where common cause failures (DCF), Diagnostics
and repair are to be considered, use the recommendations of Table 4.
 Table 3. Roadmap for Mean and Variance of Non-Repairable System
Without Considering CCF, Diagnostics and MTTR

Configuratio Mean PFD Using PFD Variance Using

Function
n Appendix A Equation Appendix A Equation

1oo1 F1 = A-9 A-18

1oo2 F2 = A- 10 A- 19

1oo3 F3 = A-11 A-20

2oo2 F4 = A-12 A-21

2oo3 F5 = A-13 A-22

3oo3 F6 = A-14 A-23

Table 4. Roadmap for Mean and Variance of Repairable System

Considering CCF, Diagnostics and MTTR

Configuratio Mean PFD Using PFD Variance Using

Function
n Appendix A Equation Appendix A Equation

1oo1 F7 = A-30 A-44

1oo2 F8 = A- 31 A- 86

1oo3 F9 = A-32 A-94

2oo2 F 10 = A-33 A-48

2oo3 F 11 = A-34 A-102

3oo3 F 12 = A-35 A-50

Note that in all of the calculations indicated by the equations referenced in Table 4, the expected
value of any the random variables is used to complete the calculations.
4. Define the uncertainty in the parameters and variables of the interlock model specified in
step 2. The uncertainty can be given as the upper and lower range of the possible values
(uniform probability distribution), as the upper, lower and recommended values
(triangular distribution), or as a mean and standard deviation (normal distribution). See
the example above for guidance in the evaluation of safety instrumented system
interlocks.

5. Compute the expected value of each variable in the interlock performance equation. The
equations for the mean and variance for the uniform, triangular and normal probability
distributions are presented for various probability distributions in Vose [Ref. 8]. The
example interlock calculations used a triangular distribution to represent the uncertainty
in the parameters.

6. Compute the expected value or mean of the interlock PFD using the mean value of each
of the variables in Step 5. See Tables 4 and 5 for recommended equations.

7. Compute the sensitivity of the result from the interlock performance equation by use of
the partial derivative of the basic interlock performance equation with respect to each of
the variables as presented in Appendix A.

8. Compute the variance of the interlock performance equation PFD by use of the variance
contribution using equations from Tables 3 or 4. This entails multiplying the variance of
each of the uncertain variables in the basic interlock performance equation by the square
of its sensitivity (obtained in step 7), as evaluated at the variable mean. Sum the resulting
terms to obtain the overall variance of the PFD in the interlock performance equation.
See Tables 4 and 5 for recommended equations.

9. Determine the level of risk that the owner/operator wishes to take that the final interlock
will not work. Note that this is a management decision not an instrument engineer
decision! In this paper, the 95% level of risk reduction has been used:
 5% chance of failure or a 95% chance of the interlock achieving the desired risk
reduction

10. Assuming that the interlock owner operator wishes to take a low risk (5%) of the
interlock failing to achieve its design target PFD, compute the 95% upper confidence
limit on the computed PFD by use of the standard normal factor, Z, [Ref. 9] as:
 𝑥𝑖−𝐸(𝑥)
Z= [ ] (Eq 5)
𝜎

Where:
σ = standard deviation of the PFD of the interlock of interest from the interlock
performance equation obtained from step 7. Note that the variance of a random
variable is the square of the standard deviation of the random variable.
E(x) = the expected value of the PFD of the interlock of interest from the interlock
performance equation obtained from step 5

For the 95% upper limit, Z = 1.645. Rearranging Eq. 5 allows for the direct
calculation of the corresponding value of the 95% upper confidence limit on the
PFD as:

X95% = 1.645 σ + E(x) (Eq 6)

Where:
X95% = the upper 95% limit on the computed PFD of the interlock of interest
from the interlock performance equation.

Compare the 95% upper confidence limit on the PFD of the interlock of concern with that
established as the desired PFD for risk reduction. If the 95% confidence of the RRF is greater
than the desired RRF, the design is complete. If not, revise the design or change inspection test
intervals to achieve the desired RRF. If it is not possible to achieve the desired target RRF
economically, revisit the LOPA study accordingly to incorporate better information obtained in
the uncertainty analysis. Improve the integrity of the LOPA IPLs or identify additional IPLs to
drive the risk to a tolerable level. Continue this process until the computed RRFs are greater
than the desired RRFs for risk reduction and risk management.

Example Interlock Problem

Previously, Freeman and Summers [Ref. 3] published an example in the use of VCA to
determine the likelihood that the interlock would provide the risk reduction desired by the
management and the LOPA team. The process system is shown in Figure 3. The process uses a
compressor to increase the pressure of a process stream prior to additional processing. The gas
being compressed is toxic and flammable. Of concern is a slug of liquid being sent to the
compressor. If a liquid slug is sent to the compressor, significant damage to the compressor is
expected with probable seal damage and a subsequent release of flammable and toxic material
into the work area. A large fire and/or explosion could result if the release were to be ignited. If
the release is not ignited, the nearby workers could be exposed to the toxic gas resulting in death
or injury. A Layer of Protection Analysis (LOPA) review of this system has been completed.
Among several recommendations, the LOPA team recommended the installation of a SIL-2 high
level interlock in the Compressor Knock Out Drum to stop the compressor prior to liquids
entering the system.
Figure 1 shows a simplified diagram for the interlock. Three level sensors are provided in the
Compressor Knock Out Drum. The SIS logic solver will use 2oo3 voting to detect high level in
the Compressor Knock Out Drum. The SIS logic solver will also monitor the difference in level
signal from each of the three level sensors and will activate an alarm if the deviation is excessive.
Two independent methods of stopping the compressor are provided. The SIS will directly signal
the motor controller on the compressor to stop. In addition, the SIS logic solver will also signal
two additional relays to open the power supply to the compressor motor. These two different
shutdown will both be activated in the event of high level in the Compressor Knock Out Drum.
Either one of the two shutdowns is capable of stopping the compressor by turning off the electric
power supply to the motor.

Models
The first step in the calculation of the “goodness” of an interlock is to establish the model to be
used in the calculations. Note that the sensors are 2oo3 voting and the final control elements are
each 1oo1. Appendix A presents the equations for various models that can be used for
describing this system.

The overall probability of failure on demand (PFD) of the interlock is given as:

PFD = PFDs + PFDsis + PFDfce (Eq 7)

Where:
PFD = Probability of failure on demand of the interlock as a whole
PFDs = Probability of failure on demand of the sensors (voting as 2oo3)
PFDsis = Probability of failure on demand of the SIS logic solver
PFDfce = Probability of failure on demand of the final control elements.

Since there are two final control elements arranged in series, the PFDfce = sum of the PFDs of
the final control elements (Relay PFD and MCC PFD).

PFDce = PFDr + PFDmcc (Eq 8)

Where:
PFDr = Probability of failure on demand of the two relays voting as 1oo2 to shutdown gas
compressor.
PFDmcc = Probability of failure on demand of the MCC to shutdown the gas compressor

For this example, the following selections are made to model the performance of the interlock.

Model for Sensors (2oo3)

The sensors are considered repairable as one sensor can be replaced while the other two function
and provide continuous functionality of the interlock. There are three sensors that will be used in
a 2oo3 voting system. From Appendix A, using Equation A-7, the model for the sensors
becomes:

2
 (1  DCs)  (1  s)  Ds  TIs DCs  (1  s)  Ds  DIs 
PFDsavg = 3     (1  s)  Ds  MTTRs +
 2 2 

 (1  DCs)  s  Ds  TIs DCs  s  D  DIs 

   s  Ds  MTTRs (Eq 9)
 2 2 

Where:
PFDsavg is the average probability of failure on demand of the sensors
DCs is the diagnostic coverage for sensor failure
DIs is the diagnostic interval for the sensors
MTTRs is the mean time to restore the sensors to functionality given a sensor failure
TIs is the test interval for the sensors
βs is the common cause failure parameter
λDs is the failure rate to a dangerous condition for the sensors
MTTR is the mean time to restore the system from the time that failure occurs

Model for SIS Logic Solver

Use a fixed probability of failure on demand as specified by the vendor. Unless detailed design
information is provided by the SIS logic solver vendor, this will be the normal default condition
for most studies. For this problem a typical PFD of 1.30 x 10-4 was selected to represent the SIS
Logic Solver.
Model for Final Control Elements
There are two separate paths to shutdown the gas compressor. First is by the SIS logic solver
commanding the MCC to shutdown power to the the gas compressor motor. The second is for
the SIS logic solver to issue a shutdown command to two interposing relays (R1 and R2) which
will cause the power to the gas compressor motor to stop. Two different models are needed to
the final control elements. These two subsystems are considered non-repairable in this analysis,

Model for Interposing Relays (1oo2)

There are two interposing relays (R1 and R2 in the interlock). From Appendix A, use Equation
A-25 setting parameters DC=DI=MTTR=0 for the non-repairable interposing relays, the model
becomes:

2
 (1  r )  Dr  TIr   r  Dr  TIr 
PFDravg =      (Eq 10)
 2   2 
Where:
PFDravg is the average probability of failure on demand of the relays voting 1oo2 to shutoff the
gas compressor.
TIr is the test interval for the relays
βr is the common cause failure parameter
λDr is the failure rate to a dangerous condition for the relays
Model for MCC (1oo1)
From Appendix A and using equation A-1 for the non-repairable MCC, the model becomes:

𝝀𝑫𝒎𝒄𝒄 ∗𝐓𝐈𝐦𝐜𝐜
𝑷𝑭𝑫𝒎𝒄𝒄𝒂𝒗𝒈 = (Eq 11)
𝟐

Where:
PFDmccavg is the average probability of failure on demand of the MCC to shutoff the gas
compressor.
TImcc is the test interval for the MCC
λDmccis the failure rate to a dangerous condition for the MCC

Data
The calculation of the PFD of the interlock requires a set of data to be used to represent the
system. Tables 5, 6, and 7 are taken from the Freeman-Summers paper [Ref. 3] and presents the
data used to represent the interlock system. Note that these data were originally taken from
generic data sources and do not represent any particular device or system.

Table 5. Uncertainty Data for Level Sensors Used in Example Interlock

(All variable probability distributions assumed to be triangularly distributed)
Variable Min Mode Max Mean Variance
λDs- Fail Dangerous
2.84x10-3 Yr-1 5x10-3 Yr-1 8.5x10-3 Yr-1 5.45x10-3 Yr-1 1.36x10-6 Yr-1
Rate
DCs – Diagnostic
0.8 0.9 0.99 0.897 1.51x10-3
Coverage *
DIs – Diagnostic
5.71x10-5 5.71x10-5 5.71x10-5 5.71x10-5 0
Interval **
TIs – Test Interval 4 Yr 5 Yr 6 Yr 5 Yr 5.56x10-2 Yr2
βs- Common Cause
0 0.02 0.1 0.04 4.67x10-4
Failure Fraction *
MTTRs - Mean Time to
1.37x10-3 Yr 8.22x10-3 Yr 1.92x10-2 Yr 9.59x10-3 Yr 1.34x10-5 Yr2
Restore ***
* Unit less
** 0.5 hours, assumed to be deterministic
***Min of 12 hr, Mode of 72 hours, Max of 168 hrs
 Table 6. Uncertainty Data for Relays Used in Example Interlock
(All variable probability distributions assumed to be triangularly distributed)
Variable Min Mode Max Mean Variance
λDr- Fail Dangerous Rate 8.76x10-9 Yr-1 2.00x10-3 Yr-1 4.73x10-2 Yr-1 1.64x10-2 Yr-1 1.19x10-4 Yr-2
DCr – Diagnostic
NA NA NA NA NA
Coverage *
DIr – Diagnostic
NA NA NA NA NA
Interval*
TIr – Test Interval 1 Yr 1 Yr 2 Yr 1.33 Yr 0.056 Yr2
βr- Common Cause
0 0.02 0.1 0.04 4.67x10-4
Failure Fraction
MTTRr - Mean Time to
NA NA NA NA NA
Restore*
* Not used in relay model

Table 7. Uncertainty Data for MCC Used in Example Interlock

(All variable probability distributions assumed to be triangularly distributed)
Variable Min Mode Max Mean Variance
λDr- Fail Dangerous Rate 1.74x10-4 Yr-1 1.31x10-3 Yr-1 3.00x10-2 Yr-1 1.05x10-2 Yr-1 4.76x10-5 Yr-2
DCr – Diagnostic
NA NA NA NA NA
Coverage*
DIr – Diagnostic
NA NA NA NA NA
Interval*
TIr – Test Interval 1 Yr 1 Yr 2 Yr 1.33 Yr 5.6x10-2 Yr2
βr- Common Cause
NA NA NA NA NA
Failure Fraction*
MTTRr - Mean Time to
NA NA NA NA NA
Restore*
* Not used in MCC model
Uncertainty Analysis Results
Using the VCA method to estimate the PFD of the interlock design yields the results shown in
Table 8.

Table 8. Results of VCA on Example Interlock Design

Subsystem Mean PFD Variance of PFD
Sensors 6.41E-5 1.7657E-9
Logic Solver 1.34E-4 0
Relays 5.46E-4 2.0333E-7
MCC 6.98E-3 4.52E-5
Totals 7.73E-3 4.54E-5
Note: Calculations are carried to an adequate number of places to allow for the resulting PFD to
be determined. Rounding to significant number of figures is done at the end.

The mean PFD of 0.00773 implies a mean risk reduction factor of:
RRF = 1/PFD = 1/0.00773 = 129 (Eq 11)

The variance of 4.54E-5 implies a standard deviation in the PFD of

Std Dev = (Variance)1/2 = 0.006737 (Eq 12)

The corresponding 95% level of confidence in the PFD:

X95% = 1.645 std Dev + Mean PFD (Eq 13)

X95% = 1.645 (0.006737) + 0.00773= 0.01881 (Eq 14)

The RRF for 95% certain PFD is

RRF95% = 1/0.01881 => 53 (Eq 15)

This is essentially the same result previously reported by Freeman and Summers [Ref. 3] using
either Monte Carlo Simulation or numerical approximation methods for the VCA sensitivities.
The calculated PFD at the 95% level of 0.01881 indicates that there is only a 5% chance that the
interlock will provide an RRF worse that 53. Since this level is only SIL-1 capable and not
SIL-2 capable as desired by management, a revised design will be needed to achieve the desired
risk reduction or a different protective measure will be needed to control risk.

References
1. International Society of Automation, Functional Safety: Safety Instrumented Systems for
the Process Sector—Parts 1, 2, and 3, ANSI/ISA 84.00.01, 2004 [USA implementation of
IEC 61511].

2. International Society of Automation, Safety Integrity Level (SIL) Verification of Safety

Instrumented Functions, ISA TR84.00.02, Research Triangle Park, NC. (2015).

3. Freeman, R. and Summers, A, “Evaluation of Uncertainty in Safety Integrity Level

Calculations,” Process Safety Progress, Published Wiley Online Library
(wileyonlinelibrary.com). DOI 10.1002/prs.11805, 23 January 2016

4. Center for Chemical Process Safety, Layer of Protection Analysis – Simplified Process
Risk Assessment, AmericanInstitute of Chemical Engineers, New York, 2001

5. Edward B. Haugen, Probabilistic Approaches to Design, John Wiley, New York, 1968

6. R.A. Freeman, “Quantifying LOPA Uncertainty,” Process Safety Progress, Vol 31, No. 3,
pp 240-247, 2012

7. R. A. Freeman, “Simplified Uncertainty Analysis of Layer of Protection Analysis

Results,” Process Safety Progress, Vol. 32, No 4, pp 351-360, December 2013, Published
online in Wiley Online Library (wileyonlinelibrary.com) DOI 10.1002/ prs11585.pdf, 3
June 2013

8. David Vose, Risk Analysis – A Quantitative Guide, 3rd Edition, John Wiley, 2008

9. Paul L. Meyer, Introductory Probability and Statistical Applications, John Wiley, New
York, 1972
 Final Control
Sensors Logic Solver
Element

Pressure Electrical Relay Valve

Temperature PLC Electrical Switch
Flow Computer Relay
Level DCS
Composition Certified SIS
etc

Figure 1. Typical Components of an SIS Interlock

 START
For Each
Component

Failure NO
Non-Repairable
Announced?

YES

NO
Repair
Non-Repairable
Safely?

YES

Repairable

Figure 2. Decision Tree for Determination

of Repairable or Non- Repairable
 Figure 3. P&ID Sketch for Example Interlock

Compressed Gas
To Process

Power to Motor

Gas Compressor

Relay
R1
MCC
Relay
Relays R1 and R2 Vote
R2
1oo2 to activate MCC
Compressor
Knock Out
Drum SIS
Logic
Solver
Level Transmitters LT-1,
Inlet LT-2 and LT-3 Vote 2oo3
Gas on High Level to Activate
Compressor Shutdown
Interlock
LT-1

LT-2

LT-3

Liquids to Recycle
 APPENDIX A -- DEVELOPMENT OF UNCERTAINTY EQUATIONS

NON-REPAIRABLE SYSTEMS
For systems that are considered non-repairable, the simplified equations of Table A.1
(taken from the ISA Technical Report [Ref. 2]) are used for the analysis.

Table A.1 Simplified PFD avg formulas for Non-Repairable System

without considering CCF, Diagnostics or MTTR.

PFD based on "Average before" Equation

Configuration Function
failure rate Number

 D TI 
1oo1 F1 =   2  A-1
 

 D 2 TI 2 
1oo2 F2 = (  )   A- 2
 4 

 D 3 TI 3 
1oo3 F3 = (  )   A-3
 8 

 D 
2oo2 F4 =   TI A-4
 

3  D 2 
2oo3 F5 =  ( )  TI2  A-5
4  

 TI 
3oo3 F6 = 3   D   A-6
 2

Where TI is the proof test interval, λD is the dangerous failure rate.

The expected value of the probability of failure on demand is found by calculating the
PFD using the expected value (mean) of the random variables.
Let y a function of some random variables, xi, as:
y = F(xi) (Eq A-7)

The mean of y can be estimated using the following approximation:

E(y) = F[E(xi)] (Eq A-8)
Where:
E(y) = expected value of random variable y = mean of y
E(xi) = expected value of random variable xi = mean of xi
For the configurations defined in Table A.1, the corresponding expected PFD are presented
in Table A.2.

Table A.2 Expected Value of PFD avg formulas for Non-Repairable System
without considering CCF, Diagnostics or MTTR.

Expected PFD based on "Average Equation

Configuration Function
before" failure rate Number

 E(TI) 
 E ( )  2 
D
1oo1 E(F 1 ) = A-9
 

 E(TI)2 
1oo2 E(F 2 ) = ( E (  D 2
))   A- 10
 4 

 E(TI)3 
1oo3 E(F 3 ) = ( E (  D 3
))   A-11
 8 

 
 E ( )  E (TI)
D
2oo2 E(F 4 ) = A-12
 

3  
2oo3 E(F 5 ) =  ( E (D )) 2  E (TI)2  A-13
4  

 E(TI) 
3   E ( D ) 
2 
3oo3 E(F 6 ) = A-14


Where E(x) is the expected value of random variable x.

The variance of the PFD is found by taking the weighted sum of the variance of the random
variables. The weighting function is the sensitivity of the PFD with respect to random variable.
In mathematical terms the variance of a function may be found in terms of the variance of the
random variables as:
Once again let
y = F(xi) (Eq A-15)

The variance of Y can likewise be estimated as:

𝜕𝑦 2
𝑉(𝑦) = ∑𝑛𝑖=1 [ ] 𝑉(𝑥𝑖 ) (Eq A-16)
𝜕𝑥𝑖

Where:
V(y) = variance of random variable y as defined above
V(xi) = variance of random variable xi as defined above
The sensitivity of y with respect to a random variable 𝑥𝑖 is:
𝜕𝑦
Sensitivity of y with respect to 𝑥𝑖 = [ ] (Eq A-17)
𝜕𝑥𝑖

For the configurations defined in Table A.1, the corresponding variance of the PFD are
presented in Table A.3.
 Table A.3 Variance of PFDavg formulas for Non-Repairable System
without considering CCF, Diagnostics or MTTR.

Variance in Function F i based on Equation

Configuration Function
"Average before" failure rate Number
2
2  D 
 E(TI) 
V (  D
)   E ( )  V (TI )
1oo1 V(F 1 ) =  2   2 
A-18
 
 
2
 D 2 E(TI) 
2

 E (  )  V ( ) 
D

 2 
1oo2 V(F 2 ) = A- 19
2
 D 2 E (TI ) 
 E ( ) 2 
V (TI )

2
 D 2 E(TI) 
3

3  E (  )  V ( ) 
D

 2 
1oo3 V(F 3 ) = A-20
2
3 2
 8 E ( ) E (TI )  V (TI )
D 3

 

2oo2 V(F 4 ) = E (TI ) 2 V (D )  E (D ) 2 V (TI) A-21

2
3 2
 2  E ( )  E (TI)  V ( ) 
D D

 
2oo3 V(F 5 ) = 2 A-22
3 
 2  E ( )  E (TI)  V (TI )
D 2

 
2
3 
 2  E (TI) V ( ) 
D

 
3oo3 V(F 6 ) = 2 A-23
3 
 2  E ( )  V (TI )
D

 

Note that for the calculation of the variance functions, V(Fi), the random variables are evaluated
at the expected value (mean).
REPAIRABLE SYSTEMS
For systems that are considered repairable, the simplified equations of Table A. 4 are used
for the analysis. The expected value of the probability of failure on demand (PFD) is found
by substituting the expected value of each of the random variables into the corresponding
equation. The expected value of the PFD for each of the system configurations is prese nted
in Table A.5
 Table A.4 Simplified PFD avg Formulas for Repairable System
considering CCF, Diagnostics and MTTR

Configuratio Equation
Function PFD based on "Average before" failure rate
n Number

 (1  DC)   D  TI DC   D  DI 
1oo1 F7 =
    D  MTTR A-24
 2 2 
2
 (1  DC)  (1   )  D  TI 
  
 2  
 DC  (1   )  D  DI 
  (1   )    MTTR
D

2 
1oo2 F8 =  (1  DC)      TI
D
 A- 25
  
 2 
 DC    D  DI 
      MTTR
D

2 

3
 (1  DC)  (1   )  D  TI 
  
 2  
 DC  (1   )  D  DI 
  (1   )    MTTR
D

2 
1oo3 F9 =  (1  DC)      TI
D
 A-26
  
 2 
 DC    D  DI 
    D  MTTR
2 

 (1  DC)   D  TI DC   D  DI 
2oo2 F 10 = 2     D  MTTR A-27
 2 2 
2
 (1  DC)  (1   )  D  TI 
  
3  2  
 DC  (1   )  D  DI 
  (1   )    MTTR
D

2oo3 F 11 =
2  A-28
 (1  DC)      TI
D

  
 2 
 DC    D  DI 
      MTTR
D

2 
 Table A.4 Simplified PFD avg Formulas for Repairable System
considering CCF, Diagnostics and MTTR

Configuratio Equation
Function PFD based on "Average before" failure rate
n Number

 (1  DC)  D  TI DC  D  DI 
3oo3 F 12 = 3    D  MTTR A-29
 2 2 

Where:
DC is the diagnostic coverage;
DI is the diagnostic interval;
TI is the proof test interval,
λD is the dangerous failure rate;
MTTR is the mean time to restore the system to operation
 is the common cause failure parameter that is always is between 0 and 1
 Table A.5 Expected PFD Formulas for Repairable System
considering CCF, Diagnostics and MTTR

Configuratio Equation
Function PFD based on "Average before" failure rate
n Number

 (1  E ( DC))  E (D )  E (TI )) E ( DC)  E (D )  E ( DI ) 

1oo1 E(F 7 ) =    A-30
 2 2 
 E (D )  E ( MTTR) 
2
 (1  E ( DC ))  (1  E (  ))  E (D )  E (TI ) 
 
 2 
 E ( DC )  (1  E (  ))  E (D )  E ( DI ) 
   
2
 
(1  E (  ))  E ( )  E ( MTTR) 
D

 
 
1oo2 E(F 8 ) =  (1  E ( DC ))  E (  )  E ( )  E (TI ) 
D A- 31
 
 2 
 E ( DC )  E (  )  E (D )  E ( DI 
 ) 
 2 
 E (  )  E ( )  E ( MTTR) 
D

 
 

3
 (1  E ( DC ))  (1  E (  ))  E (D )  E (TI ) 
 
 2 
 E ( DC )  (1  E (  ))  E (D )  E ( DI ) 
   
2
 
(1  E (  ))  E ( )  E ( MTTR) 
D

 
 
1oo3 E(F 9 ) =  (1  E ( DC ))  E (  )  E (D )  E (TI )  A-32
 
 2 
 E ( DC )  E (  )  E (D )  E ( DI ) 
  
 2 
 E (  )  E ( )  E ( MTTR) 
D

 
 
 Table A.5 Expected PFD Formulas for Repairable System
considering CCF, Diagnostics and MTTR

Configuratio Equation
Function PFD based on "Average before" failure rate
n Number

 (1  E ( DC ))  E (D )  E (TI )) 
 
 2 
 E ( DC )  E (D )  E ( DI ) 
2oo2 E(F 10 ) = 2   A-33
 2 
 E ( )  E ( MTTR) 
D

 
 
2
 (1  E ( DC ))  (1  E (  ))  E (D )  E (TI ) 
 
 2 
 E ( DC )  (1  E (  ))  E (D )  E ( DI ) 
3    
2
 
(1  E (  ))  E ( )  E ( MTTR) 
D

 
2oo3  
E(F 11 ) = A-34
 (1  E ( DC ))  E (  )  E ( )  E (TI ) 
D

 
 2 
 E ( DC )  E (  )  E (D )  E ( DI ) 
  
 2 
 E (  )  E ( )  E ( MTTR) 
D

 
 

 (1  E ( DC ))  E (D )  E (TI )) 
 
 2 
 E ( DC )  E (D )  E ( DI ) 
3oo3 E(F 12 ) = 3   A-35
 2 
 E ( )  E ( MTTR) 
D

 
 
The variance of the PFD of the repairable systems is found in the same manner as that in the
non-repairable cases. Once again let:
y = F(xi) (Eq A-36)

The variance of Y can likewise be estimated as:

𝜕𝑦 2
𝑉(𝑦) = ∑𝑛𝑖=1 [ ] 𝑉(𝑥𝑖 ) (Eq A-37)
𝜕𝑥𝑖

Where:
V(y) = variance of random variable y as defined above
V(xi) = variance of random variable xi as defined above
The sensitivity of y with respect to a random variable 𝑥𝑖 is:
In the case of the repairable systems, there are several more potentially uncertain or random
variables:
 DC is the diagnostic coverage;
 DI is the diagnostic interval;
 TI is the proof test interval,
 λD is the dangerous failure rate;
 MTTR is the mean time to restore the system to operation
  is the common cause failure parameter that is always is between 0 and 1
We must evaluate the partial derivative of the PFD function with respect to each and then
combine them using equation A-37. The partial derivatives of function F7 with respect to each
random variable are found as follows

F7  D  TI D  DI
=  (Eq A-38)
DC 2 2
F7 (1  DC)  TI DC  DI
=   MTTR (Eq A-39)
 D
2 2
F7 (1  DC)  D
= (Eq A-40)
TI 2
F7 DC  D
= (Eq A-41)
DI 2

F7
= D (Eq A-42)
MTTR

We can now compute the variance of function F7 as:

2
𝜕 F7
𝑉 ( F7 ) = ∑𝑛𝑖=1 [ ] 𝑉(𝑥𝑖 ) (Eq A-43)
𝜕𝑥𝑖

2
  D  TI D  DI   (1  DC)  TI DC  DI
2

𝑉 ( F7 ) =    V(DC) +    MTTR V( D )+
 2 2   2 2 
2 2
 (1  DC)  D   DC  D 
  V(TI) +   (DI) +  
D 2
V(MTTR) (Eq A-44)
 2   2 
Equation 44 represents the variance of the probability of failure on demand of the 1001
configuration when the system is repairable. We note the following relationships between the
1001, 2oo2 and 3oo3 configurations:
F10 = 2 F7 (Eq A-45)
F12 = 3 F7 (Eq A-46)

We can directly determine the variance of functions F10 and F12 from the properties of the
variance operator, V(X).
V(F10 )= V( 2 F7) (Eq A-47)
V(F10 )= 4 V(F7) (Eq A-48)
V(F12) = V(3 F7) (Eq A-49)
V(F12) = 9 V(F7) (Eq A-50)

The determination of the variance of functions F8, F10, and F11 is done in a similar manner. To
simplify the presentation of the derivation of variance of functions F8, F10, and F11, we introduce
two functions H and Q as:
 (1  DC )  (1   )  D  TI 
  
H=  2  (Eq A-51)
 DC  (1   )  D  DI 
  (1   )    MTTR
D

2 
  (1  DC)    D  TI DC    D  DI 
Q=      D  MTTR (Eq A-52)
 2 2 
We note the following relationships:
F8 = H 2 + Q (Eq A-53)
F9 = H 3 + Q (Eq A-54)
F11 = 3 H2 + Q (Eq A-55)
The variance of F8, F9 and F11 are found as:
V(F8 ) = V(H2 + Q) (Eq A-56)
V(F9 ) = V(H3 + Q) (Eq A-57)
V(F11)= V(3 H2 + Q) (Eq A-58)
We will need the sensitivity of F8, F9 and F11 to each of the potential random variables.
F8  (H 2 + Q)  (H 2 )  ( Q)
= = + (Eq A-59)
x x x x

Likewise
F9  (H 3 + Q)  ( H 3 )  ( Q)
= = + (Eq A-60)
x x x x

F11 3(H 2 + Q)  (H 2 )  ( Q)
= =3 +3 (Eq A-61)
x x x x

Using the chain rule for partial derivatives, we now write:

F8  (H)  ( Q)
= 2H + (Eq A-62)
x x x

F9  (H)  ( Q)
= 3H2 + (Eq A-63)
x x x

F11  (H)  ( Q)
= 6H + (Eq A-64)
x x x
We now evaluate the derivatives of function H with respect to each potential random variables:
 DC is the diagnostic coverage;
 DI is the diagnostic interval;
 TI is the proof test interval,
 λD is the dangerous failure rate;
 MTTR is the mean time to restore the system to operation
  is the common cause failure parameter that is always is between 0 and 1

 (H)  (1   )  D  TI (1   )  D  DI
=  (Eq A-65)
DC 2 2
 (H) (1  DC)  (1   )  D
= (Eq A-66)
TI 2
 (1  DC)  (1   )  TI 
  
 (H) 2
=   (Eq A-67)
D  DC  (1   )  DI  (1   )  MTTR
 2 
 (H)
= (1   )  D (Eq A-68)
MTTR
 (1  DC)  (1)  D  TI 
  
 (H) 2
=   (Eq A-69)
  DC  (1)  D  DI 
  (1)    MTTR
D

2 
 (H) DC  (1   )  D
= (Eq A-70)
DI 2

In a similar manner we evaluate the partial derivatives of function Q with respect to each
potential random variables.
  (1  DC)    D  TI DC    D  DI 
Q=      D  MTTR (Eq A-71)
 2 2 
 DC is the diagnostic coverage;
 DI is the diagnostic interval;
 TI is the proof test interval,
 λD is the dangerous failure rate;
 MTTR is the mean time to restore the system to operation
  is the common cause failure parameter that is always is between 0 and 1
 (Q) (1)    D  TI   D  DI
=  (Eq A-72)
DC 2 2
 (Q) (1  DC)    D
= (Eq A-73)
TI 2
 (Q)  (1  DC)    TI DC    DI 
=      MTTR (Eq A-74)
 D
 2 2 
 (Q)
=   D  MTTR (Eq A-75)
MTTR
 (Q)  (1  DC)  D  TI DC  D  DI 
=    D  MTTR (Eq A-76)
  2 2 
 (Q) DC    D
= (Eq A-77)
DI 2
We can now determine the sensitivity of the functions F8, F9 , F11 to the random variables of
interest. Restating equation A-62 for sensitivity of F8 with respect to the random variables.

F8  (H)  ( Q)
= 2H + (Eq A-78)
x x x
For F8 we find

F8  (H)  ( Q)
= 2H + (Eq A-80)
x x x

 (1  DC )  (1   )  D  TI 
  
F8 2
=2   [
DC  DC  (1   )  D  DI 
  (1   )  D  MTTR
2 
 (1   )  D  TI (1   )  D  DI
 ]+
2 2

(1)    D  TI   D  DI
 (Eq A-79)
2 2

 (1  DC )  (1   )  D  TI 
  
F8 2 (1  DC)  (1   )  D
=2   [ ]+
TI  DC  (1   )  D  DI  2
  (1   )    MTTR
D

2 
(1  DC)    D
(Eq A-81)
2

 (1  DC )  (1   )  D  TI 
  
F8 2
=2  
MTTR  DC  (1   )  D  DI 
  (1   )    MTTR
D

2 

[ (1   )   ] +   D  MTTR
D
(Eq A-82)
  (1  DC )  (1   )  D  TI 
  
F8 2
=2  
  DC  (1   )  D  DI 
  (1   )    MTTR
D

2  [
 (1  DC)  (1)    TI
D

  
 2  +
 DC  (1)  D  DI 
  (1)  D  MTTR
2 ]
 (1  DC)  D  TI DC  D  DI 
   D  MTTR (Eq A-83)
 2 2 

 (1  DC )  (1   )  D  TI 
  
F8 2 DC  (1   )  D
=2   [ ]+
DI  DC  (1   )  D  DI  2
  (1   )    MTTR
D

2 

DC    D
(Eq A-84)
2

 (1  DC)  (1   )  D  TI   (1  DC)  (1   )  TI 
     
 F8  2 2
 D  = 2     
   DC  (1   )  D  DI   DC  (1   )  DI  (1   )  MTTR
  (1   )    MTTR 
D

2   2
 (1  DC)    TI DC    DI 
+     MTTR (Eq A-85)
 2 2 

Using the sensitivities for F8 calculated above, the variance in F8 due to uncertain or random
variables is found as:

 F   F   F 
2 2 2

V(F8) =  8  V(DC) +  8  V(TI) +  D8  V( D ) +

 DC   TI    
2
 F8   F8   F8 
2 2

 MTTR  V(MTTR) +    V(  ) +  DI  V(DI) (Eq A-86)

     
Using the equation A-63, we now determine the variance of F9.

F9  (H)  ( Q)
= 3H2 + (Eq A-87)
x x x

2
 (1  DC)  (1   )  D  TI 
  
F9 2
=3    [
DC  DC  (1   )  D  DI 
  (1   )  D  MTTR
2 
 (1   )  D  TI (1   )  D  DI
 ]+
2 2

(1)    D  TI   D  DI
 (Eq A-88)
2 2
 2
 (1  DC)  (1   )  D  TI 
  
F9 2 (1  DC)  (1   )  D
=3    [ ]+
TI  DC  (1   )  D  DI  2
  (1   )  D  MTTR
2 

(1  DC)    D
(Eq A-89)
2

2
 (1  DC)  (1   )  D  TI 
  
F9 2
=3    [ (1   )  D ] +
MTTR  DC  (1   )    DI
D

  (1   )  D  MTTR
2 

  D  MTTR (Eq A-90)

2
 (1  DC)  (1   )  D  TI 
  
F9 2
=3   
  DC  (1   )  D  DI 
  (1   )    MTTR
D

2  [
 (1  DC)  (1)    TI
D

  
 2  +
 DC  (1)  D  DI 
  (1)  D  MTTR
2 ]
 (1  DC)  D  TI DC  D  DI 
   D  MTTR (Eq A-91)
 2 2 
 2
 (1  DC)  (1   )  D  TI 
  
F9 2 DC  (1   )  D
=3   [ ]+
DI  DC  (1   )  D  DI  2
  (1   )  D  MTTR
2 

DC    D
(Eq A-92)
2

2
 (1  DC)  (1   )  D  TI 
  
 F9  2
 D  =3    
   DC  (1   )  D  DI 
  (1   )  D  MTTR
2 
 (1  DC)  (1   )  TI 
  
2
 +
 DC  (1   )  DI  (1   )  MTTR
 2 

 (1  DC)    TI DC    DI 
     MTTR (Eq A-93)
 2 2 

Using the sensitivities for F9 calculated above, the variance in F9 due to uncertain or random
variables is found as:

 F   F 
2 2
 F9 
2

 D  V(  ) +
D
V(F9) =  9  V(DC) +  9  V(TI) +
 DC   TI   
2
 F9   F9   F9 
2 2

 MTTR  V(MTTR) +    V(  ) +  DI  V(DI) (Eq A-94)

     

Finally, in a similar manner the variance in F11 is computed as:

F11  (H)  ( Q)
= 6H + (Eq A-95)
x x x

 (1  DC )  (1   )  D  TI 
  
F11 2
=6   [
DC  DC  (1   )  D  DI 
  (1   )  D  MTTR
2 
 (1   )  D  TI (1   )  D  DI
 ]+
2 2

(1)    D  TI   D  DI
 (Eq A-96)
2 2

 (1  DC )  (1   )  D  TI 
  
F11 2 (1  DC)  (1   )  D
=6   [ ]+
TI  DC  (1   )  D  DI  2
  (1   )    MTTR
D

2 
(1  DC)    D
(Eq A-97)
2

 (1  DC )  (1   )  D  TI 
  
F11 2
=6    [ (1   )  D ] +
MTTR  DC  (1   )    DI
D

  (1   )  D  MTTR
2 
  D  MTTR (Eq A-98)
  (1  DC )  (1   )  D  TI 
  
F11 2
=6  
  DC  (1   )  D  DI 
  (1   )    MTTR
D

2  [
 (1  DC)  (1)    TI
D

  
 2  +
 DC  (1)  D  DI 
  (1)  D  MTTR
2 ]
 (1  DC)  D  TI DC  D  DI 
   D  MTTR (Eq A-99)
 2 2 

 (1  DC )  (1   )  D  TI 
  
F11 2 DC  (1   )  D
=6   [ ]+
DI  DC  (1   )  D  DI  2
  (1   )    MTTR
D

2 

DC    D
(Eq A-100)
2

 (1  DC )  (1   )  D  TI 
  
 F11  2
 D  = 6   
   DC  (1   )  D  DI 
  (1   )    MTTR
D

2 
 (1  DC)  (1   )  TI 
  
2
 +
 DC  (1   )  DI  (1   )  MTTR
 2 
 (1  DC)    TI DC    DI 
     MTTR (Eq A-101)
 2 2 

Using the sensitivities for F11 calculated above, the variance in F11 due to uncertain or random
variables is found as:
  F   F   F 
2 2 2

V(  ) +
D
V( F11 ) =  11  V(DC) +  11  V(TI) +  11D 
 DC   TI    
2
 F11   F11   F11 
2 2

 MTTR  V(MTTR) +    V(  ) +  DI  V(DI) (Eq A-102)

     

PROCEDURE FOR DETERMINATION OF VARIANCE FOR REPAIRABLE

1oo2, 1oo3 AND 2oo3 SYSTEMS
Based on the above derivations we may now write the formulas for the variance of various
configurations of repairable equipment.
Step 1. Determine the configuration of equipment to be studied.
Step 2. Evaluate Function H using the expected value of all random or uncertain variables,
equation A-51
Step 3. Evaluate Function Q using the expected value of all random or uncertain variables,
equation A-52
Step 4. Evaluate the sensitivity of function H with respect to the random variables using
equations A-65 thru A-70.
Step 5. Evaluate the sensitivity of function Q with respect to the random variables using
equations A-72 thru A-77.
Step 6. Evaluate the variance as:
a. For 1oo2 systems use equation A-86 for V(F8)
b. For 1oo3 systems use equation A-94 for V(F9)
c. For 2oo3 systems use equation A-102 for V(F11)

The end result of the above calculations is the determination of the mean and variance of the
configuration used in the sensor, logic solver or final control element systems. Table A.6
presents a cross reference roadmap for the determination of the mean and variance of various of
the probability of failure on demand (PFD) of various hardware configurations. The mean and
variance for the particular configuration is then returned to the overall calculations of the PFD of
the interlock.