Switching Markov chains for a holistic modeling of SIS unavailability

https://doi.org/10.1016/j.ress.2014.09.005

Highlights

  • A holistic approach to model the unavailability of safety systems using Switching Markov chains.

  • The model integrates several parameters, such as the probability of failure due to the test and the probability of not detecting a failure in a test.

  • The basic concepts of the Switching Markov Chains are introduced and applied to compute the unavailability for safety systems.

  • The proposed Switching Markov Chain allows assessing the effect of each parameter on the chemical reactor performance.

Abstract

This paper proposes a holistic approach to model Safety Instrumented Systems (SIS). The model is based on Switching Markov Chains and integrates several parameters, such as common cause failure, imperfect proof testing and partial proof testing. The basic concepts of Switching Markov Chains applied to reliability analysis are introduced, and a model to compute the unavailability for a case study is presented. The proposed Switching Markov Chain allows us to assess the effect of each parameter on the SIS performance. The proposed method ensures the relevance of the results.

Introduction

In many fields of application, it is necessary to reduce the consequences of hazardous events that could generate potential sources of harm for the environment or the health of persons. The goal of safety systems is to cover such potential hazards. A safety system should provide an independent layer of protection by implementing the safety function through many techniques. In this context, the IEC61508 [1] standard is a guide for designing, validating and verifying the safety function realized by Electric, Electronic and Programmable Electronic Systems (E/E/PES). An E/E/PES such as a Safety Instrumented System (SIS) is used to implement the Safety Instrumented Function (SIF). Its goal is to detect hazardous events, to perform the required safety action and to maintain or bring the Entity Under Control (EUC) into a safe state. The study of SIS is framed by the IEC 61508 standard [1] or its application-specific standards, which are now recognized as the most important standards concerning E/E/PES in several industry sectors.

Its introduction in 1998 [2] has prompted many works aimed at understanding the new concepts it introduced and the influence of each parameter on SIS performance assessment. This performance is the unavailability of the SIS to fulfill its safety function, and the confidence in the SIS is expressed by one of the four well-known Safety Integrity Levels (SIL) [3], derived from the computation of a probabilistic parameter (PFDavg or PFH). SIS in low demand mode, which are the subject of this paper, are a particular case. Because they are in low demand mode, latent failures can occur but are discovered only when a demand occurs. To counter this problem, integrated diagnostics are implemented and repeated proof tests are performed. Finally, although SIS usually have a low structural complexity, their study can be more complex than expected.

Dutuit et al. [3] argue that Fault Trees (FT) are easy to handle for practitioners but provide approximations which sometimes give non-conservative results. They propose the use of Switching Markov Chains to take into account dependencies due to proof testing, common cause failures, etc. The different phases of the chain correspond to the different periods of operation (normal operation, test, etc.). Catelani et al. [4] use a Failure Mode Effect and Diagnostic Analysis (FMEDA) approach to identify several influence parameters and finally use the equations proposed in the appendices of IEC61508 [2] for well-known architectures. Nevertheless, they point out the problem of quantifying the diagnostic coverage rate and other parameters. For instance, Hokstad and Rausand [5] and Lundteigen and Rausand [6] discuss the significant contribution of Common Cause Failure (CCF) to SIS performance. Rahimi and Rausand [7] discuss the impact of human and organizational factors on the quantification of CCF through the β factor model. Xu et al. [8] question the impact of parameter uncertainties on the achieved safety integrity.

Oliveira and Abramovitch [9] extend the equations to k-out-of-n: F (koon) architectures [10]. But, as analyzed in [11], equations should be used cautiously, and particular attention must be paid to the parameters, which should correspond to the real situations. In [12], the authors compute the PFDavg of a SIS by a Reliability Block Diagram (RBD) approach, with strong assumptions imposed by the method. For instance, the unavailability is treated as the unreliability, and no dependencies due to tests are considered. Lundteigen et al. [13] question the effect of the SIS structure (Hardware Fault Tolerance) and of the Safe Failure Fraction proposed in the standard. In [6], the authors study the effect of tests with respect to common cause failures and their relation to SIS performance, given that quantifying the CCF parameters remains a problem. Jin et al. [14] propose a Markov model to compute the SIS performance whatever the demand mode. The main advantage of the Markov model is that it is more accurate and flexible with respect to the specific features of each mode. Nevertheless, as mentioned in [15], [16], establishing the Markov model of a koon architecture with a high value of n can be time consuming and error prone [10]. Signoret et al. [17] use Petri Nets to classify SIS. Petri Nets allow us to assess the performance very finely and to take into account several parameters. Nevertheless, a Petri Net model of a SIS can be difficult to use, and the analyst must make an effort to obtain an understandable model, which is the subject of [17]. Torres-Echeverria et al. [18], [19] pay more attention to modeling the test strategies and to how to compute the SIS performance through Fault Trees for redundant SIS layers or koon SIS layers. They propose a model that integrates several parameters such as CCF, Diagnostic Coverage (DC), test instants, etc.

In this paper, we follow the idea of Dutuit et al. in [3] by using Switching Markov Chains for their ability to model low-demand SIS precisely and correctly. The paper proposes the integration of the following parameters: dangerous failure, diagnostic coverage, common cause failure, test interval, repair rate, the probability of failure due to the test γ and the probability of not detecting a failure in a test ξ, in a unique equation modeling the unavailability of periodically tested SIS. The test duration is not considered here because it would require a significant increase in the complexity of the proposed model. In Section 2, we recall the basic elements of SIS and the useful parameters. Section 3 is devoted to Markov models and their extension to Switching Markov Chains to compute the PFDavg. Section 4 is devoted to an illustration on a HIPS supervising a chemical reactor [18].

Section snippets

Safety instrumented system

The goal of a SIS is to bring the system it supervises into a safe position, i.e. into a situation where it does not create a risk for the environment or people, when the Entity Under Control (EUC) goes into a hazardous situation involving a real risk to people or the environment (blast, fire, etc.). A SIS is a system composed of any combination of sensors, logic solvers and final elements for the purpose of taking the supervised process to a safe state when predetermined conditions are violated. A SIS

Unavailability modeling

The SIS unavailability must be quantitatively proven using suitable models. No particular model is recommended in IEC 61508 or in IEC 61511. Nevertheless, some well-known models are cited in the appendices of these standards. Among these models, one finds fault trees [19], [24], reliability block diagrams [41] and Markov chains [3], [14], [40], [42].

The assessment is associated with the computation of the safety function unavailability on demand [22], [3]. In this context,

Numerical analysis

We dedicate this section to examples in order to show how Markov chains and their extension to Switching Markov chains compute the unavailability of systems. Our first example is the simulation of a simple system with a 1oo1 architecture to evaluate its performance. The second example is the HIPS previously defined by Torres-Echeverria in [18], used to demonstrate the proposed approach.
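The following is an added illustration, not the paper's own model or code: a minimal switching Markov chain for the 1oo1 case mentioned above, built from the parameters listed in the introduction (dangerous failure rate, diagnostic coverage, repair rate, test interval, γ and ξ). Between two proof tests a three-state continuous-time chain (working, dangerous detected under repair, dangerous undetected) evolves under a fixed generator; at each test instant the state vector is redistributed by a discrete "switch". The exact form of that switch for γ and ξ (a test-induced failure is assumed to remain undetected until the next test, and a missed DU failure simply stays DU) is an assumption made here for the example, as are the numerical values, which are constructed and not taken from the paper.

```python
"""Switching Markov chain for a 1oo1 SIS with periodic proof tests.

Added illustration (assumed model, not the paper's): a three-state
continuous-time Markov chain runs between proof tests and a discrete
switching step is applied at every test instant.
"""
import math

OK, DD, DU = 0, 1, 2  # working / dangerous detected (under repair) / dangerous undetected


def generator(lambda_d, dc, mu):
    """Transition-rate matrix Q (row = from, column = to) used between tests."""
    l_dd = dc * lambda_d          # revealed by on-line diagnostics, repaired at rate mu
    l_du = (1.0 - dc) * lambda_d  # latent until the next proof test
    return [
        [-(l_dd + l_du), l_dd, l_du],
        [mu, -mu, 0.0],
        [0.0, 0.0, 0.0],          # DU is absorbing between tests
    ]


def switch_at_test(p, gamma, xi):
    """Instantaneous redistribution applied at a proof test (assumed form).

    - a DU item is revealed with probability 1 - xi and moves to DD (repair starts);
      with probability xi the test misses it and it stays DU;
    - a working item is damaged by the test with probability gamma and becomes DU
      (assumption: the test-induced failure is not caught by the test itself);
    - an item already under repair is unaffected.
    """
    p_ok, p_dd, p_du = p
    return [
        p_ok * (1.0 - gamma),
        p_dd + p_du * (1.0 - xi),
        p_du * xi + p_ok * gamma,
    ]


def _rk4_step(p, q, dt):
    """One explicit RK4 step of dp/dt = p Q for the row vector p."""
    def f(v):
        return [sum(v[i] * q[i][j] for i in range(3)) for j in range(3)]
    k1 = f(p)
    k2 = f([p[i] + 0.5 * dt * k1[i] for i in range(3)])
    k3 = f([p[i] + 0.5 * dt * k2[i] for i in range(3)])
    k4 = f([p[i] + dt * k3[i] for i in range(3)])
    return [p[i] + dt / 6.0 * (k1[i] + 2 * k2[i] + 2 * k3[i] + k4[i]) for i in range(3)]


def pfd_avg(lambda_d, dc, mu, t_test, gamma, xi, n_tests=1, min_steps=2000):
    """Average unavailability over n_tests proof-test intervals, starting from OK.

    PFD(t) is the probability of being in DD or DU (a 1oo1 item cannot act).
    Returns (pfd_avg, state_vector_after_last_test).
    """
    q = generator(lambda_d, dc, mu)
    # Explicit RK4 becomes unstable when (fastest rate * dt) is large, and the
    # repair rate mu is usually orders of magnitude above lambda_d, so resolve mu.
    steps = max(min_steps, math.ceil(10.0 * max(mu, lambda_d) * t_test))
    dt = t_test / steps
    p = [1.0, 0.0, 0.0]
    integral = 0.0
    for _ in range(n_tests):
        for _ in range(steps):
            u0 = p[DD] + p[DU]
            p = _rk4_step(p, q, dt)
            integral += 0.5 * (u0 + p[DD] + p[DU]) * dt  # trapezoid rule
        p = switch_at_test(p, gamma, xi)  # phase boundary: the "switch"
    return integral / (n_tests * t_test), p


if __name__ == "__main__":
    # Constructed illustrative values (not from the paper): lambda_D = 1e-6/h,
    # DC = 0.6, MTTR = 8 h, yearly proof test, gamma = 1e-3, xi = 0.05.
    pfd, _ = pfd_avg(1e-6, 0.6, 1 / 8, 8760.0, 1e-3, 0.05, n_tests=5)
    print(f"PFDavg over 5 test intervals: {pfd:.3e}")
```

Two points are worth keeping in mind when extending this to koon architectures or to the HIPS case. First, with γ = ξ = 0 and DC = 0 the single-interval result should reduce to the familiar approximation λ_DU·T/2, which is a cheap sanity check for any switching matrix you write. Second, the step size is tied to the repair rate: the repair transition is stiff compared with the failure transitions, and an explicit integrator that ignores this produces unavailability estimates that look plausible but are numerically wrong.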

Conclusion

In this study a new application of Switching Markov chains for the modelling and analysis of safety instrumented systems is proposed. It is a holistic approach able to take into account many parameters as well as the proof test itself. Nevertheless, it requires considerable effort from the analyst, who is prone to modeling errors.

The safety system performance is modeled with a unique equation by considering several parameters, such as dangerous failure, diagnostic coverage, common cause failure, proof tests, repair rate,

References (44)

  • J.-P. Signoret et al. Make your Petri nets understandable: reliability block diagrams driven Petri nets. Reliab Eng Syst Saf (2013)
  • A. Torres-Echeverria et al. Modelling and optimization of proof testing policies for safety instrumented systems. Reliab Eng Syst Saf (2009)
  • W.M. Goble et al. Using a failure modes, effects and diagnostic analysis (FMEDA) to measure diagnostic coverage in programmable electronic systems. Reliab Eng Syst Saf (1999)
  • A. Torres-Echeverria et al. Multi-objective optimization of design and testing of safety instrumented systems with MooN voting architectures using a genetic algorithm. Reliab Eng Syst Saf (2012)
  • A. Barros et al. Estimation of common cause failure parameters with periodic tests. Nucl Eng Des (2009)
  • J.K. Vaurio. Consistent mapping of common cause failure rates and alpha factors. Reliab Eng Syst Saf (2007)
  • Y. Liu et al. Reliability assessment of safety instrumented systems subject to different demand modes. J Loss Prev Process Ind (2011)
  • Y. Langeron et al. Combination of safety integrity levels (SILs): a study of IEC61508 merging rules. J Loss Prev Process Ind (2008)
  • M. Kumar et al. Modeling demand rate and imperfect proof-test and analysis of their effect on system safety. Reliab Eng Syst Saf (2008)
  • F. Brissaud et al. Reliability analysis for new technology-based transmitters. Reliab Eng Syst Saf (2011)
  • J.L. Rouvroye et al. Minimizing costs while meeting safety requirements: modeling deterministic (imperfect) staggered tests using standard Markov models for SIL calculations. ISA Trans (2006)
  • H. Guo et al. A simple reliability block diagram method for safety integrity verification. Reliab Eng Syst Saf (2007)
Cited by (45)

  • Adaptive testing policy for multi-state systems with application to the degrading final elements in safety-instrumented systems. 2022, Reliability Engineering and System Safety

    Citation excerpt: Relying on a certain system health indicator, e.g. leakage rate, closing time for valves [37,38], more performance information can be collected in the tests to reflect the system state. Abundant literature can be found relevant to performance assessment for low-demand SISs with multi-state units relying on the Markov method [26,30,39,40]. Existing studies mainly focus on addressing the testing sequences and maintenance policies [41–45], but the follow-up testing interval is independent with the actual observed system state.

  • Safety barriers: Research advances and new thoughts on theory, engineering and management. 2020, Journal of Loss Prevention in the Process Industries

    Citation excerpt: State transition models, the Markov method and Petri net (PN), are used to reflect the operations of active safety barriers, and then to analyze their integrity. The Markov method is recommended by IEC 61508 (2010) due to its flexibility and has been adopted by many researchers (e.g. Guo and Yang, 2008; Liu and Rausand, 2011, 2013; Cai et al., 2012a, 2012b; Verlinden et al., 2012; Mechri et al., 2015; Zeng and Zio, 2018). He et al. (2016) have combined RBD and the Markov method to construct a model for analyzing SISs in nuclear plants.
