Specificity of fault tree-based functional safety indicator definition in emergency shutdown systems

Author: I. A. Mozhaeva, A. V. Strukov
Year of publication: 2022
Source: Dependability. 22:45-52
ISSN: 2500-3909, 1729-2646
DOI: 10.21683/1729-2646-2022-22-4-45-52
Description: Aim. The paper aims to analyse the specifics of using commercial fault tree (FT)-based software suites in engineering practice for the dependability calculation of emergency shutdown systems (ESS). The IEC 61508 Functional safety series of standards stresses that, in such cases, incorrect and non-conservative estimates of the mean probability of failure on demand of an ESS safety function are possible. Incorrect results are primarily caused by the use of approximate and simplified formulas for identifying the dependability indicators of ESS circuit components and for calculating the ESS mean unavailability for safety function performance from the mean unavailability values of its components. To correct the FT simulation results, correction factors can be used that take into account the ESS circuit structure, along with the exact formulas of IEC 61508-6 for calculating the mean probability of failure on demand of the ESS circuit components. Additionally, the type of common cause failure (CCF) model can be chosen. Methods. A comparative analysis was performed of how the components of hazardous failures that are or are not detected by internal diagnostics affect the assessment of the mean probability of failure on demand of ESS circuit components. It was shown that in less dependable components this dependence significantly affects the unavailability value. The efficiency of correction coefficients that take into account the ESS circuit architecture also depends on the dependability of the components, and their introduction is justified for those components whose safety integrity level is between 1 and 2. Engineering estimation of the functional safety indicators can be done using a beta-factor model of common cause failures that is employed as part of the design analysis of ESS functional safety. Results. An analysis of simplified and approximate formulas for calculating the mean unavailability of the non-redundant elements of an ESS circuit has shown that, with a diagnostic coverage above 90 percent, the use of simplified formulas underestimates the unavailability indicator, because the detected hazardous failures have an increased effect on the probability of ESS misoperation. If the FT analysis is used to deduce a conservative estimate of an ESS circuit unavailability indicator, correction factors should be used whose values depend on the redundancy parameters of the ESS channels. Two models of accounting for CCF that are used when calculating ESS functional safety were examined. It was shown that under either model the system's dependability indicators decrease; the decrease is defined by the value of the beta factor and by the dependability of the ESS elements. Conclusion. The information presented in the paper indicates the limited applicability of the simplified formula for calculating the mean unavailability of non-redundant ESS elements as input data for FT construction. When identifying the safety integrity level of an ESS circuit that includes elements with low dependability, it should be taken into consideration that, if an FT is used, commercial software suites may overestimate the dependability, which is undesirable in functional safety analysis.
Database: OpenAIRE
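The abstract's two points (the simplified single-channel formula underestimating unavailability once diagnostic coverage is high, and the beta-factor CCF model lowering the dependability of a redundant channel pair) can be reproduced numerically with the 1oo1 and 1oo2 expressions from IEC 61508-6 Annex B. The following script is an added illustration, not code from the paper or its authors; the failure rates, proof-test interval, repair times and beta factors it uses are constructed sample values, not data from the paper.

```python
"""Simplified vs. IEC 61508-6 1oo1/1oo2 PFD_avg, and the effect of diagnostic
coverage and the beta-factor CCF model. All numeric inputs are constructed."""

def channel_equivalent_downtime(lam_du, lam_dd, t1, mrt, mttr):
    """t_CE per IEC 61508-6: time-weighted mean downtime of one channel.
    Undetected failures wait for the proof test (T1/2) plus repair (MRT);
    detected failures are repaired after MTTR."""
    lam_d = lam_du + lam_dd
    return (lam_du / lam_d) * (t1 / 2 + mrt) + (lam_dd / lam_d) * mttr


def pfd_1oo1_simplified(lam_du, t1):
    """Widely used approximation: only undetected dangerous failures count."""
    return lam_du * t1 / 2


def pfd_1oo1_exact(lam_du, lam_dd, t1, mrt, mttr):
    """IEC 61508-6 1oo1: PFD_G = (lam_DU + lam_DD) * t_CE.
    The lam_DD * MTTR share is what the simplified formula drops."""
    t_ce = channel_equivalent_downtime(lam_du, lam_dd, t1, mrt, mttr)
    return (lam_du + lam_dd) * t_ce


def pfd_1oo2_exact(lam_du, lam_dd, t1, mrt, mttr, beta, beta_d):
    """IEC 61508-6 1oo2 with beta-factor CCF (beta for undetected,
    beta_d for detected common cause failures)."""
    lam_d = lam_du + lam_dd
    t_ce = channel_equivalent_downtime(lam_du, lam_dd, t1, mrt, mttr)
    t_ge = (lam_du / lam_d) * (t1 / 3 + mrt) + (lam_dd / lam_d) * mttr
    independent = 2 * ((1 - beta_d) * lam_dd + (1 - beta) * lam_du) ** 2 * t_ce * t_ge
    ccf = beta_d * lam_dd * mttr + beta * lam_du * (t1 / 2 + mrt)
    return independent + ccf


def split_by_coverage(lam_d, dc):
    """Split a total dangerous failure rate by diagnostic coverage DC."""
    return lam_d * (1 - dc), lam_d * dc  # (lam_DU, lam_DD)


def underestimation_ratio(lam_d, dc, t1, mrt, mttr):
    """exact / simplified for a 1oo1 element; > 1 means the simplified
    formula is non-conservative (it reports a lower unavailability)."""
    lam_du, lam_dd = split_by_coverage(lam_d, dc)
    return pfd_1oo1_exact(lam_du, lam_dd, t1, mrt, mttr) / pfd_1oo1_simplified(lam_du, t1)


if __name__ == "__main__":
    # Constructed sample parameters (assumptions, not values from the paper).
    LAM_D = 1e-6      # total dangerous failure rate, 1/h
    T1 = 8760.0       # proof-test interval, h (one year)
    MRT = 8.0         # mean repair time after proof test, h
    MTTR = 8.0        # mean time to restoration of detected failures, h
    print("DC     simplified    exact       exact/simplified")
    for dc in (0.50, 0.90, 0.95, 0.99):
        ldu, ldd = split_by_coverage(LAM_D, dc)
        s = pfd_1oo1_simplified(ldu, T1)
        e = pfd_1oo1_exact(ldu, ldd, T1, MRT, MTTR)
        print(f"{dc:4.2f}   {s:.3e}    {e:.3e}   {e / s:.3f}")
    # Redundant pair: independent failures only vs. with a beta-factor CCF share.
    ldu, ldd = split_by_coverage(LAM_D, 0.99)
    no_ccf = pfd_1oo2_exact(ldu, ldd, T1, MRT, MTTR, beta=0.0, beta_d=0.0)
    with_ccf = pfd_1oo2_exact(ldu, ldd, T1, MRT, MTTR, beta=0.02, beta_d=0.01)
    print(f"1oo2 PFD_avg without CCF: {no_ccf:.3e}, with beta-factor CCF: {with_ccf:.3e}")
```

With these sample values the exact-to-simplified ratio for a single element grows from about 1.004 at 50 percent coverage to about 1.18 at 99 percent coverage, i.e. the simplified formula becomes non-conservative exactly where diagnostics are strong and the detected-failure downtime λ_DD·MTTR is no longer negligible. For the 1oo2 pair the common cause term dominates the result by more than two orders of magnitude over the independent-failure term, which is why the choice of beta factor, not the channel redundancy, sets the achievable safety integrity level.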