01 August 2003

Simplified equations verify SIS

By Paul Gruhn

There are many techniques for analyzing system performance, some more accurate and precise than others. Unfortunately, more accurate predictions can be both misleading and a waste of time, money, and effort. You don't need complex programs to analyze system performance. It's easier than programming a VCR. Simplified assessments and relatively simple models will usually suffice. After all, you can get system benefits (performance versus cost) from the judgment and subsequent follow-up action from even the simplest models (e.g., considering different technologies, redundant devices, more frequent manual testing), not from refining the calculations.

ISA TR84.0.02 describes three methods for modeling safety systems and verifying their safety integrity level (SIL). The methods are simplified equations, fault trees, and Markov modeling. The term "simplified equations" is somewhat misleading; they are relatively simple algebraic equations, but they are derived from more complex Markov models. The technical report models the same overall system (redundant sensors, logic box, and final elements) using all three techniques. The results (performance against nuisance trips and dangerous failures) were statistically the same because the assumptions used with all three techniques were the same. All involved agree that the simplified equations are the easiest to use and the most popular.


All reliability analyses are based on failure rate data. Such data is highly variable. Allegedly identical components operating under supposedly identical environmental and operating conditions are not realistic assumptions. For a given level of detail, the apparent precision offered by certain modeling methods is not compatible with the accuracy of the failure rate data. In any engineering discipline, it is important to be able to recognize the degree of accuracy required. Because reliability parameters carry wide tolerances, we should make judgments on one-figure, or at best two-figure, accuracy. We benefit from the judgment and subsequent follow-up action, not from refining the calculations.


Consider the case of an imaginary simplified heater as shown below. We control feed using a flow transmitter (FT1), controller (FC1), and valve in the feed line. We control feed temperature using a temperature transmitter (TT2), controller (TC2), and valve in the fuel gas line. Management has decided to retrofit a safety system for safety reasons: a hazard and operability study has revealed the potential for tube failure and a major heater fire. The proposed safety system is shown below. Fuel gas will be shut (XV1) based on low feed flow (FS3). Pilot and fuel gas valves (XV2 and XV1) will be shut based on low pilot gas pressure (PS4). A hand switch (not shown) will be added in the control room for manual initiation of a shutdown.


[Figure: Initial heater design]

[Figure: Proposed heater changes]


Reliability block diagrams are useful visual tools to help you understand system performance. System elements are merely shown as blocks in series (a fault tree OR) or parallel (a fault tree AND).


With the simplified-equation method, the formulas are simple algebraic expressions that were derived from more complex Markov models. Equations such as the ones shown below have been published in reliability textbooks for decades.

Formula set 1: Mean time between failure, spurious (MTBFsp) calculation

1oo1    1 / λs
1oo2    1 / (2 * λs)
2oo2    1 / (2 * (λs)^2 * MTTR)
2oo3    1 / (6 * (λs)^2 * MTTR)

where: MTTR = mean time to repair, MTTF = mean time to failure
λ = failure rate (1 / MTTF)
s = safe (de-energizing) failure


  1. 1oo1 stands for 1 out of 1; 2oo3 stands for 2 out of 3, etc.
  2. The formulas are valid as long as the MTTF is much greater than the repair time.
  3. It is assumed that safe failures are revealed in all systems, even 2oo2 and 2oo3 configurations (through some form of discrepancy alarm).

Formula set 2: Probability of failure on demand, average (PFDavg) calculation for undetected dangerous failures

1oo1    λdu * (TI / 2)
1oo2    ((λdu)^2 * (TI)^2) / 3
2oo2    λdu * TI
2oo3    (λdu)^2 * (TI)^2

where: TI = manual test interval
λ = failure rate (1 / MTTF)
du = dangerous undetected failure
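Both formula sets applied to the heater's low-flow trip sensor (FS3) in each voting architecture, as an added example that is not part of the article. Failure rates, repair time and test interval are constructed values (per year), and the SIL bands come from the IEC 61508 low-demand table, which the article does not list; the MTTR/MTTF threshold for note 2 is an assumption chosen here.

```python
HOURS_PER_YEAR = 8760.0


def mtbf_spurious(arch, lam_s, mttr):
    """Formula set 1: MTBFsp in years. lam_s = safe failures per year,
    mttr in years. Valid only while MTTF >> MTTR (note 2 above)."""
    formulas = {
        "1oo1": 1.0 / lam_s,
        "1oo2": 1.0 / (2.0 * lam_s),
        "2oo2": 1.0 / (2.0 * lam_s**2 * mttr),
        "2oo3": 1.0 / (6.0 * lam_s**2 * mttr),
    }
    return formulas[arch]


def pfd_avg(arch, lam_du, ti):
    """Formula set 2: PFDavg from dangerous undetected failures.
    lam_du = dangerous undetected failures per year, ti in years."""
    formulas = {
        "1oo1": lam_du * ti / 2.0,
        "1oo2": (lam_du**2 * ti**2) / 3.0,
        "2oo2": lam_du * ti,
        "2oo3": lam_du**2 * ti**2,
    }
    return formulas[arch]


def sil_from_pfd(pfd):
    """IEC 61508 low-demand bands: SIL n means 10^-(n+1) <= PFDavg < 10^-n.
    Returns None when PFDavg lies outside the tabulated range."""
    for sil in (4, 3, 2, 1):
        if 10.0 ** -(sil + 1) <= pfd < 10.0 ** -sil:
            return sil
    return None


def repair_assumption_ok(lam_s, mttr, max_ratio=0.01):
    """Note 2 check: MTTR / MTTF = mttr * lam_s must be small.
    The 1% ceiling is an assumption made for this example."""
    return mttr * lam_s < max_ratio


# Constructed data for FS3: 0.2 safe and 0.03 dangerous undetected
# failures per year, 8 h repair time, manual proof test every 6 months.
LAM_S, LAM_DU = 0.2, 0.03
MTTR, TI = 8.0 / HOURS_PER_YEAR, 0.5

if __name__ == "__main__":
    assert repair_assumption_ok(LAM_S, MTTR)
    for arch in ("1oo1", "1oo2", "2oo2", "2oo3"):
        pfd = pfd_avg(arch, LAM_DU, TI)
        print(f"{arch}: MTBFsp={mtbf_spurious(arch, LAM_S, MTTR):9.1f} yr  "
              f"PFDavg={pfd:.2e}  SIL {sil_from_pfd(pfd)}")
```

The run shows the trade-off the article describes: 1oo2 cuts PFDavg by orders of magnitude but halves MTBFsp, while 2oo3 improves both relative to 1oo1.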

Paul Gruhn is president of L&M Engineering in Houston.