Switching Markov chains for a holistic modeling of SIS unavailability
Introduction
In many fields of application, it is necessary to reduce the consequences of hazardous events that could generate potential sources of harm for the environment or the health of persons. The goal of safety systems is to cover such potential hazards. A safety system should provide an independent layer of protection by implementing the safety function through a variety of techniques. In this context, the IEC 61508 standard [1] is a guide for designing, validating and verifying the safety function realized by Electric, Electronic and Programmable Electronic Systems (E/E/PES). An E/E/PES such as a Safety Instrumented System (SIS) is used to implement a Safety Instrumented Function (SIF). Its goal is to detect hazardous events, to perform the required safety action and to maintain or bring the Entity Under Control (EUC) into a safe situation. The study of SIS is framed by the IEC 61508 standard [1] or its application-specific standards, which are now recognized as the most important standards concerning E/E/PES in several industry sectors.
Its introduction in 1998 [2] has prompted many works aimed at understanding the new concepts it introduced and the influence of each parameter on the SIS performance assessment. This performance is the unavailability to fulfil the safety function, and the confidence placed in a SIS is expressed by the well-known four Safety Integrity Levels (SIL) [3], through the computation of a probabilistic parameter (PFD or PFH). SIS in low demand mode, which are the subject of this paper, are a particular case. As they operate in low demand mode, latent failures can occur but are discovered only when a demand occurs. To mitigate this problem, integrated diagnostics are implemented and periodic proof tests are performed. Finally, although SIS usually have a low structural complexity, their study can be more complex than expected.
Dutuit et al. [3] argue that Fault Trees (FT) are easy to handle for practitioners but provide approximations which sometimes give non-conservative results. They propose the use of Switching Markov Chains to take into account dependencies due to proof testing, common cause failures, etc. The several phases correspond to the different periods of functioning (operation, test, etc.). Catelani et al. [4] use a Failure Mode Effect and Diagnostic Analysis (FMEDA) approach to identify several influential parameters and finally use the equations proposed in the appendices of IEC 61508 [2] for well-known architectures. Nevertheless, they point out the problem of quantifying the diagnostic coverage rate and other parameters. Hokstad and Rausand [5] and Lundteigen and Rausand [6] discuss the significant contribution of Common Cause Failure (CCF) to SIS performance. Rahimi and Rausand [7] discuss the impact of human and organizational factors on the quantification of CCF through the β factor model. Xu et al. [8] question the impact of parameter uncertainties on the achieved safety integrity.
Oliveira and Abramovitch [9] extend the equations to k-out-of-n:F (koon) architectures [10]. But, as analyzed in [11], such equations should be used cautiously and particular attention must be paid to the parameters, which should correspond to the real situation. In [12], the authors compute the PFD of a SIS by a Reliability Block Diagram (RBD) approach, with the strong assumptions imposed by that method: for instance, the unavailability is taken to be the unreliability, and no dependencies due to tests are considered. Lundteigen et al. [13] question the effect of the SIS structure (Hardware Fault Tolerance) and of the Safe Failure Fraction proposed in the standard. In [6], the authors study the effect of tests with respect to common cause failures and their relation with SIS performance, given that quantifying the CCF parameters remains a problem. Jin et al. [14] propose a Markov model to compute the SIS performance whatever the demand mode. The main advantage of a Markov model is to be more accurate and more flexible with respect to the specific features of each mode. Nevertheless, as mentioned in [15], [16], establishing the Markov model of a koon architecture with a high value of n can be time consuming and error prone [10]. Signoret et al. [17] use Petri Nets to classify SIS. Petri Nets allow the performance to be assessed very finely and several parameters to be taken into account. Nevertheless, a Petri Net model of a SIS can be difficult to use, and the analyst must make an effort to obtain an understandable model, which is the object of [17]. Torres-Echeverria et al. [18], [19] pay more attention to modeling the test strategies and to computing the SIS performance through Fault Trees for redundant SIS layers or koon SIS layers. They propose a model that integrates several parameters such as CCF, Diagnostic Coverage (DC), test instants, etc.
In this paper, we follow the idea of Dutuit et al. in [3] by using Switching Markov Chains for their ability to model SIS in low demand mode precisely and correctly. The paper proposes the integration of the following parameters: dangerous failure rate, diagnostic coverage, common cause failure, test interval, repair rate, the probability γ of a failure caused by the test, and the probability ξ of not detecting a failure during a test, in a single equation modeling the unavailability of periodically tested SIS. The test duration is not considered here because it would require a significant increase in the complexity of the proposed model. In Section 2, we recall the basic elements of a SIS and the useful parameters. Section 3 is devoted to Markov models and their extension to Switching Markov Chains to compute the PFD. Section 4 is devoted to an illustration on a HIPS supervising a chemical reactor [18].
Safety instrumented system
The goal of a SIS is to bring the system it supervises to a safe position, i.e. a situation where it does not create a risk for the environment or people, when the Entity Under Control (EUC) enters a hazardous situation involving a real risk to people or the environment (blast, fire, etc.). A SIS is a system composed of any combination of sensors, logic solvers and final elements, for the purpose of taking the supervised process to a safe state when predetermined conditions are violated. A SIS
Unavailability modeling
The SIS unavailability must be quantitatively demonstrated using suitable models. No particular model is prescribed in IEC 61508 or in IEC 61511. Nevertheless, some of the well-known models are cited in the appendices of these standards. Among them, one finds fault trees [19], [24], reliability block diagrams [41] and Markov chains [3], [14], [40], [42].
The assessment is associated with the computation of the safety function unavailability on demand [22], [3]. In this context,
Numerical analysis
We dedicate this section to examples in order to show how Markov chains and their extension to Switching Markov chains compute the unavailability of systems. Our first example is the simulation of a simple system with a 1oo1 architecture to evaluate its performance. The second example is the HIPS previously defined by Torres-Echeverria in [18], used to demonstrate the proposed approach.
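As an added illustration (this is not code from the paper, nor its numerical values), the script below builds a switching Markov chain for the simplest case named above, a single 1oo1 channel, with the parameters listed in the introduction that apply to one channel: dangerous failure rate λ_D, diagnostic coverage DC, repair rate μ, proof test interval T, the probability ξ that a test misses a dangerous undetected failure, and the probability γ that the test itself causes a failure. Between two proof tests the chain evolves continuously under a generator Q over the states OK, DD (dangerous detected, under repair) and DU (dangerous undetected, latent); at each test instant a jump matrix S is applied, and the time average of the DD + DU probability gives PFD_avg. The three-state model, the choice to treat a γ failure as undetected (OK → DU), the routing of a revealed DU failure to repair (DU → DD), and all numerical values are assumptions of this example; CCF (meaningless for a single channel) and test duration (left out by the paper as well) are not modeled. The closed-form 1oo1 approximation λ_DU·T/2 + λ_DD/μ is included only as a cross-check for the perfect-test case.

```python
"""Switching Markov chain for a periodically proof-tested 1oo1 SIS.

Added example, not the paper's own code.  States are 0 = OK, 1 = DD
(dangerous detected, under repair) and 2 = DU (dangerous undetected, latent
until the next proof test).  Between tests the chain is a continuous-time
Markov chain with generator Q; at each proof test a switching (jump) matrix
S is applied.  The numbers in main() are constructed illustration values.
"""


def matmul(a, b):
    """Plain list-of-lists matrix product (matrices here are at most 3x3)."""
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]


def expm(m, terms=24):
    """exp(m) by scaling and squaring plus a truncated Taylor series."""
    n = len(m)
    norm = max(sum(abs(x) for x in row) for row in m)
    s = 0
    while norm / 2 ** s > 0.5:          # scale until the norm is small
        s += 1
    a = [[x / 2 ** s for x in row] for row in m]
    result = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    term = [row[:] for row in result]
    for k in range(1, terms + 1):        # Taylor series of exp(a)
        term = [[x / k for x in row] for row in matmul(term, a)]
        result = [[result[i][j] + term[i][j] for j in range(n)] for i in range(n)]
    for _ in range(s):                   # undo the scaling by squaring
        result = matmul(result, result)
    return result


def generator(lam_d, dc, mu):
    """Generator Q between tests: lam_d dangerous failure rate, dc diagnostic
    coverage, mu repair rate of a detected failure.  DU is absorbing here
    because a latent failure is only revealed by a proof test."""
    lam_dd, lam_du = dc * lam_d, (1.0 - dc) * lam_d
    return [[-(lam_dd + lam_du), lam_dd, lam_du],
            [mu, -mu, 0.0],
            [0.0, 0.0, 0.0]]


def switching_matrix(xi, gamma):
    """Jump matrix applied at a proof test instant.  xi = probability the
    test misses a DU failure; gamma = probability the test itself induces a
    dangerous failure (assumed to be undetected, i.e. OK -> DU).  A revealed
    DU failure goes to repair (DU -> DD)."""
    return [[1.0 - gamma, 0.0, gamma],
            [0.0, 1.0, 0.0],
            [0.0, 1.0 - xi, xi]]


def pfd_avg(lam_d, dc, mu, test_interval, xi=0.0, gamma=0.0,
            n_tests=10, steps=200):
    """Time-averaged unavailability (PFD_avg) over n_tests proof-test
    intervals: the DD + DU probability integrated by the trapezoid rule."""
    h = test_interval / steps
    p_h = expm([[q * h for q in row] for row in generator(lam_d, dc, mu)])
    s = switching_matrix(xi, gamma)
    p = [[1.0, 0.0, 0.0]]                # start as good as new
    area = 0.0
    for _ in range(n_tests):
        u_prev = p[0][1] + p[0][2]
        for _ in range(steps):
            p = matmul(p, p_h)           # continuous evolution for one step h
            u = p[0][1] + p[0][2]
            area += 0.5 * (u_prev + u) * h
            u_prev = u
        p = matmul(p, s)                 # proof test: the switching instant
    return area / (n_tests * test_interval)


def pfd_avg_approx(lam_d, dc, mu, test_interval):
    """Usual closed-form 1oo1 approximation for perfect tests:
    lam_DU * T / 2 + lam_DD / mu."""
    return (1.0 - dc) * lam_d * test_interval / 2.0 + dc * lam_d / mu


if __name__ == "__main__":
    # Constructed values: lam_D = 1e-6 /h, DC = 60 %, MTTR = 8 h, yearly test.
    args = (1e-6, 0.6, 1.0 / 8.0, 8760.0)
    print("1oo1 closed-form approx :", pfd_avg_approx(*args))
    print("Markov, perfect tests   :", pfd_avg(*args))
    print("Markov, xi = 0.2        :", pfd_avg(*args, xi=0.2))
    print("Markov, gamma = 1e-3    :", pfd_avg(*args, gamma=1e-3))
```

With perfect tests (ξ = γ = 0) the chain reproduces the closed-form value to well under one percent, which is the sanity check a practitioner should run before trusting a hand-built chain; raising ξ lets DU probability accumulate across test intervals and raising γ injects a fresh DU fraction at every test, both of which the closed-form equation cannot express. Extending the state space to a redundant koon layer with a β-factor CCF transition is the step at which, as the paper notes, manual construction becomes error prone.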
Conclusion
In this study a new application of Switching Markov chains to the modeling and analysis of safety instrumented systems is proposed. It is a holistic approach able to take many parameters into account, including the case of proof tests. Nevertheless, it requires considerable effort from the analyst, who is prone to modeling errors.
The safety system performance is modeled with a unique equation by considering several parameters, such as dangerous failure, diagnostic coverage, common cause failure, proof tests, repair rate,
References (44)
- Probabilistic assessments in relationship with safety integrity levels by using fault trees. Reliab Eng Syst Saf (2008)
- The FMEDA approach to improve the safety assessment according to the IEC 61508. Microelectron Reliab (2010)
- Common cause failures in safety instrumented systems on oil and gas installations: implementing defense measures through function testing. J Loss Prev Process Ind (2007)
- The effect of parameter uncertainty on achieved safety integrity of safety system. Reliab Eng Syst Saf (2012)
- Extension of ISA TR84.00.02 PFD equations to koon architectures. Reliab Eng Syst Saf (2010)
- New PFH-formulas for k-out-of-n:F-systems. Reliab Eng Syst Saf (2013)
- A simplified procedure for the analysis of safety instrumented systems in the process industry application. Microelectron Reliab (2011)
- Reliability performance of safety instrumented systems: a common approach for both low- and high-demand mode of operation. Reliab Eng Syst Saf (2011)
- Reliability analysis of a fire alarm system. Proc Eng (2011)
- Automatic creation of Markov models for reliability assessment of safety instrumented systems. Reliab Eng Syst Saf (2008)
- Make your Petri nets understandable: reliability block diagrams driven Petri nets. Reliab Eng Syst Saf
- Modelling and optimization of proof testing policies for safety instrumented systems. Reliab Eng Syst Saf
- Using a failure modes, effects and diagnostic analysis (FMEDA) to measure diagnostic coverage in programmable electronic systems. Reliab Eng Syst Saf
- Multi-objective optimization of design and testing of safety instrumented systems with MooN voting architectures using a genetic algorithm. Reliab Eng Syst Saf
- Estimation of common cause failure parameters with periodic tests. Nucl Eng Des
- Consistent mapping of common cause failure rates and alpha factors. Reliab Eng Syst Saf
- Reliability assessment of safety instrumented systems subject to different demand modes. J Loss Prev Process Ind
- Combination of safety integrity levels (SILs): a study of IEC 61508 merging rules. J Loss Prev Process Ind
- Modeling demand rate and imperfect proof-test and analysis of their effect on system safety. Reliab Eng Syst Saf
- Reliability analysis for new technology-based transmitters. Reliab Eng Syst Saf
- Minimizing costs while meeting safety requirements: modeling deterministic (imperfect) staggered tests using standard Markov models for SIL calculations. ISA Trans
- A simple reliability block diagram method for safety integrity verification. Reliab Eng Syst Saf