The calculation of probability of failure in functional safety systems is an essential tool to reduce the probability of undesired events.

Reducing risk in plants, processes, machinery and devices used in them is a known goal of every safety instrumented system (SIS). For this purpose, SIL certification according to IEC/EN 61508 and the relevant industry standards such as IEC/EN 61511 (chemical, oil&gas), IEC/EN 61513 (nuclear), IEC/EN 62061, IEC/EN 61800-5-2, EN ISO 13849-1/2 (machinery), EN 50402 (fire&gas), EN50126/50128/50129 (railway) are essential.

Depending on the operating mode (continuous / on demand) of each individual SIF (Safety Instrument Function) the probability of dangerous failure per hour (PFH) or the probability of dangerous failure on request of the safety function (PFD) can be calculated. Usually these calculations are the same as the calculation of the probability of failure of a SIS control link including sensor / acquisition chain, controller / logic solver (PLC) and implementation chain / final element.

*Fig. 1 Components of SIS security instrumentation systems (sensor, logic solver, final element)*

In order to calculate the probability of failure of the various elements forming a control loop, calculation techniques specified in IEC 61 508-6 shall be used with all available data for each element of the control ring: failure rate, diagnostic coverage, fraction of common mode failures, average recovery time, intervals between test and demands. If these data are not available, some of them can be derived from the standards or can be extracted from specific databases, using methods such as: Reliability Block Diagram, Fault Tree Analysis and Weibull Analysis.

**Systematic and accidental failure**

When analyzing faults, a distinction must be made between systematic and accidental faults. Systematic failures are due to defects that occur during the development and design phase of a component, e.g. due to errors in the device software. With the adoption of appropriate debugging software techniques, systematic errors can be effectively prevented if not completely eliminated. Accidental failures (e.g. changes in component status, short circuits, disconnections, etc.) are more insidious and can occur without warning during their operational life cycle.

Additionally, to appropriate quality procedures, they should be monitored by calculating their probability of occurrence. This is possible with reference to the failure rate. The probability of failure of a component, F(t), increases steadily over time, until it becomes unitary after a theoretically infinite period. If the failure rate is consistent over time, no components showing premature failure or wear should be considered.

* Fig. 2 Trend over time of the probability of accidental failure of a component*

**Risk reduction**

In an instrumented safety system, the concept of “probability of failure on demand” (PFD) is based on the assumption that the intervention of the safety system is required very sporadically. Over time, there may be a series of events that require the process to be switched off immediately, each of which requires the SIS to intervene immediately in order to bring the process back to a safe state. Unfortunately, at certain intervals, one or more SIS components may be faulty and may not function as they should.

The probability of failure on demand (PFD) is therefore the probability of an event that requires a stop while, at the same time, a failure of the SIS prevents the process from being deactivated. Although these probabilities are very low, they must anyway be taken into account. The PFD of the SIS is the sum of the PFDs of all SIS components (sensors, programmable controllers and actuators).

In terms of SIS design, it is necessary to determine the PFD of each individual component: the probability of failure is determined by the sum of the probability of failure of the individual subsystems. The PFD (or PFH) represents the probability that a device or system is unable to provide the required safety functions. This probability corresponds to a SIL (from a minimum of 1 to a maximum of 4) or PL (Performance Level) expressing the safety integrity level of the device/system in question.

*Tab.1 Levels of risk and probability of failure according to the IEC 61511 standard*