
Why 'Hazardous Event Rate' Matters—Even If You’ve Never Heard of It

The term hazardous event frequency is used only 4 times across all the parts of the IEC 61508 series, and all of those uses are in the rarely read Part 5. The term hazardous event rate is used just once, in IEC 61508-1:2010. So if you are a product developer rather than an end user, you shouldn’t feel too bad if you haven’t heard of it. Yet it is a very important term.

Figure 1: The only use of hazardous event rate in all of IEC 61508

The first of the bullet points in Figure 1 covers low demand (RRF, the risk reduction factor, is 1/PFD); the second covers high demand.

Hazardous event rate refers to the frequency of adverse events that your safety system is designed to prevent. Examples include the frequency of:

  • Explosions
  • Hands being crushed in machines
  • Robots crashing into people

You design a safety system according to IEC 61508 with a sufficiently low PFH or PFD to reduce the HER (hazardous event rate) to an acceptable level (see, for instance, the paper – The Tolerability of risk from nuclear power stations).

Note – HER is often written as HR

Figure 2: Safety function limiting the hazardous event rate

Another view takes into account the probability of occurrence, the exposure, and the avoidability factor. This view will resonate easily with our automotive colleagues doing ASIL determination.

Figure 3: Hazardous event rate mitigated by a safety function

IEC TR 63161 (Assignment of safety integrity requirements – Basic rationale) has a good discussion of this topic and gives the Henley-Kumamoto equation as

HR = PFHD × (1 − exp(−DR × TI / 2))

where DR is the demand rate, TI is the proof test interval, and PFHD is the dangerous failure rate per hour of the safety function, i.e. the metric that the IEC 61508 series calls PFH for continuous or high demand safety functions.
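To make the Henley-Kumamoto equation concrete, here is a small Python calculator added for this post (it is not from IEC TR 63161 or from the original post). It evaluates HR exactly and beside its two limiting forms: when DR × TI is small the bracket collapses to DR × TI / 2, so HR ≈ DR × PFD with the familiar single-channel PFD ≈ λDU × TI / 2; when DR × TI is large the bracket goes to 1, so HR → PFHD. The inputs (λDU = 1e-6/h, an annual proof test, the list of demand rates) are constructed for illustration.

```python
import math

HOURS_PER_YEAR = 8760.0


def hazardous_event_rate(pfh_d: float, demand_rate: float, proof_test_interval: float) -> float:
    """Henley-Kumamoto equation as quoted above from IEC TR 63161:
        HR = PFHD * (1 - exp(-DR * TI / 2))
    pfh_d and demand_rate are per hour, proof_test_interval is in hours;
    the result is hazardous events per hour."""
    return pfh_d * (1.0 - math.exp(-demand_rate * proof_test_interval / 2.0))


def low_demand_approximation(pfh_d: float, demand_rate: float, proof_test_interval: float) -> float:
    """Low demand limit (DR * TI << 1): 1 - exp(-x) ~ x, so HR ~ DR * (PFHD * TI / 2),
    i.e. DR * PFD with the single-channel, no-diagnostics PFD ~ lambda_DU * TI / 2."""
    pfd = pfh_d * proof_test_interval / 2.0
    return demand_rate * pfd


def high_demand_limit(pfh_d: float) -> float:
    """High demand / continuous limit (DR * TI >> 1): exp(-x) -> 0, so HR -> PFHD.
    The hazardous event rate can never exceed the dangerous failure rate."""
    return pfh_d


def mean_years_between_events(rate_per_hour: float) -> float:
    """Convert a per-hour event rate into a mean interval in years."""
    return 1.0 / (rate_per_hour * HOURS_PER_YEAR)


def regime_table(pfh_d: float, proof_test_interval: float, demand_rates):
    """For each demand rate, compare the exact HR with both limiting forms and
    report HR as a fraction of PFHD (1.0 means the cap has been reached)."""
    rows = []
    for dr in demand_rates:
        hr = hazardous_event_rate(pfh_d, dr, proof_test_interval)
        rows.append({
            "demand_rate_per_h": dr,
            "hr_per_h": hr,
            "low_demand_approx": low_demand_approximation(pfh_d, dr, proof_test_interval),
            "high_demand_limit": high_demand_limit(pfh_d),
            "fraction_of_pfhd": hr / pfh_d,
        })
    return rows


if __name__ == "__main__":
    # Constructed inputs: a single-channel function with lambda_DU = 1e-6/h
    # (the SIL 2 PFH ceiling quoted in the text) and an annual proof test.
    PFH_D = 1e-6
    TI = HOURS_PER_YEAR
    # Demand rates: roughly once per 1100 years, once per year, once per 100 h, once per hour.
    for row in regime_table(PFH_D, TI, [1e-7, 1.0 / HOURS_PER_YEAR, 1e-2, 1.0]):
        print(f"DR={row['demand_rate_per_h']:.2e}/h  HR={row['hr_per_h']:.3e}/h  "
              f"(~1 per {mean_years_between_events(row['hr_per_h']):.1f} y)  "
              f"low-demand approx={row['low_demand_approx']:.3e}  "
              f"HR/PFHD={row['fraction_of_pfhd']:.3f}")
```

Running it shows the two regimes directly: at 1e-7 demands/h the exact HR and the DR × PFD approximation agree to better than 0.1 %, at one demand per hour the HR has saturated at PFHD, and at exactly one demand per year (the IEC 61508 switch-over point) the exact HR is about 0.39 × PFHD, below both the DR × PFD figure and the PFHD cap for these inputs.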

IEC 61508 has two different metrics for safety functions, depending on whether the function is high demand/continuous or low demand. IEC 61508 sets the switch-over from low demand to high demand at 1 demand/year, or roughly 1 demand every 10k hours. Machinery (ISO 13849) and automotive (ISO 26262) have only high demand/continuous safety functions, whereas process control according to IEC 61511 generally has low demand. Continuous is essentially the worst-case scenario for high demand.

Looking at a low demand safety function, we will have something like Figure 4 below. There is an unmitigated hazardous event rate, i.e. the rate you would have with no safety function, and as the demand rate rises the hazardous event rate rises with it. A safety function mitigates the risk by an RRF (risk reduction factor), so that the hazardous event rate is reduced by at least a factor of 10 for a SIL 1 safety function, 100 for a SIL 2 safety function, and 1000 for a SIL 3 safety function.

Figure 4: Illustration of a safety function characterized by a low demand safety function

If demands occur at the worst-case rate for low demand of 1/year, then the mitigated hazardous event rate will be once per 10 years for SIL 1, once per 100 years for SIL 2, and once per 1000 years for SIL 3, which sounds pretty good. But if the demand rate increases to above once per hour (it might be higher than this in machinery), then the hazardous event rate would be roughly once per shift for SIL 1, once per fortnight for SIL 2, and once per year for SIL 3, which is unacceptable. Therefore, the PFD metric is clearly not useful for high demand.

This is why we have the PFH metric instead. According to IEC 61508 this metric is used when the demand rate exceeds once per year. Even though the P sounds like it should stand for probability, PFH means “average frequency of dangerous failure per hour”. This represents the dangerous failure rate of the high demand safety function, and for a single channel system with no proof testing it is equivalent to λDU, the dangerous undetected failure rate of the safety function.

Figure 5: High demand / continuous mode hazardous event rate for a single channel safety function with no proof testing

The hazardous event rate cannot exceed the dangerous undetected failure rate of the safety function. This includes continuous mode.

So now if your PFH = 1e-5/h (the maximum for SIL 1), you will have a hazardous event rate of roughly once every 10 years, and if it is 1e-6/h (the maximum for SIL 2), your hazardous event rate will be roughly once every 100 years, which sounds tolerable.

Note – the two metrics PFH and PFD give the same result when the demand rate is 1 per 10000 hours (roughly once/year).
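The worked figures in the last few paragraphs (once per 10 years at one demand per year, once per shift at one demand per hour, the 1e-5/h and 1e-6/h ceilings, and the 1 per 10000 hours crossover) can be reproduced with the following Python calculator, which is an added example and not part of the original post. It encodes the IEC 61508 one-demand-per-year mode rule and computes the worst-case hazardous event rate for a function sitting at the edge of its SIL band by both routes, DR × PFD and PFH. The page quotes only the SIL 1 and SIL 2 PFH ceilings and the RRFs of 10/100/1000; the full PFD and PFH band limits used in the table below are the IEC 61508-1 target failure measures (SIL 3 and SIL 4 follow the same decade pattern).

```python
HOURS_PER_YEAR = 8760.0

# Upper bound of each SIL band from IEC 61508-1 (PFD for low demand, PFH per hour
# for high demand/continuous). The post quotes the SIL 1 and SIL 2 PFH ceilings
# and the RRF of 10/100/1000; SIL 3 and SIL 4 follow the same decade pattern.
SIL_TARGETS = {
    1: {"pfd_max": 1e-1, "pfh_max": 1e-5},
    2: {"pfd_max": 1e-2, "pfh_max": 1e-6},
    3: {"pfd_max": 1e-3, "pfh_max": 1e-7},
    4: {"pfd_max": 1e-4, "pfh_max": 1e-8},
}

# IEC 61508 switch-over between low demand and high demand: one demand per year.
MODE_SWITCH_DEMAND_RATE = 1.0 / HOURS_PER_YEAR


def operating_mode(demand_rate: float) -> str:
    """Classify a demand rate (per hour); exactly one demand per year is treated as low demand."""
    return "low demand" if demand_rate <= MODE_SWITCH_DEMAND_RATE else "high demand/continuous"


def risk_reduction_factor(sil: int) -> float:
    """RRF = 1 / PFD for a function that just meets its SIL band (10, 100, 1000, 10000)."""
    return 1.0 / SIL_TARGETS[sil]["pfd_max"]


def hazardous_event_rate_bounds(sil: int, demand_rate: float) -> dict:
    """Worst-case hazardous event rate (per hour) for a safety function at the edge of
    its SIL band, worked out by both routes:
      - via PFD: HR = DR * PFD = DR / RRF   (the low demand picture)
      - via PFH: HR = PFH                   (the dangerous failure rate cap)
    plus the one that IEC 61508's mode rule says applies."""
    mode = operating_mode(demand_rate)
    via_pfd = demand_rate * SIL_TARGETS[sil]["pfd_max"]
    via_pfh = SIL_TARGETS[sil]["pfh_max"]
    return {
        "mode": mode,
        "hr_via_pfd": via_pfd,
        "hr_via_pfh": via_pfh,
        "hr_applicable": via_pfd if mode == "low demand" else via_pfh,
    }


def mean_hours_between_events(rate_per_hour: float) -> float:
    """Mean interval between hazardous events, in hours."""
    return 1.0 / rate_per_hour


def crossover_demand_rate(sil: int) -> float:
    """Demand rate at which the PFD route and the PFH route give the same HR."""
    return SIL_TARGETS[sil]["pfh_max"] / SIL_TARGETS[sil]["pfd_max"]


if __name__ == "__main__":
    # Constructed scenarios: the two demand rates discussed in the post.
    for label, dr in [("once per year", 1.0 / HOURS_PER_YEAR), ("once per hour", 1.0)]:
        for sil in (1, 2, 3):
            b = hazardous_event_rate_bounds(sil, dr)
            print(f"SIL {sil}, demand {label:<13} [{b['mode']}]: "
                  f"via PFD 1 per {mean_hours_between_events(b['hr_via_pfd']):.3g} h, "
                  f"via PFH 1 per {mean_hours_between_events(b['hr_via_pfh']):.3g} h, "
                  f"applicable 1 per {mean_hours_between_events(b['hr_applicable']):.3g} h")
    print(f"PFD and PFH routes agree at DR = {crossover_demand_rate(1):.1e}/h "
          f"(1 demand per {1 / crossover_demand_rate(1):.0f} h)")
```

At one demand per hour the PFD route gives 1 per 10 hours for SIL 1 (the once-per-shift figure above) while the PFH route caps SIL 1 at 1 per 100000 hours, and the mode rule picks the PFH route; `crossover_demand_rate` returns 1e-4/h for every SIL, which is the 1 per 10000 hours at which the note above says the two metrics agree.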

In a future blog, I will explore whether using the high demand metric PFHD for a low demand safety function is conservative or dangerous.

Further Reading

1. IEC TR 63161 – Assignment of safety integrity requirements – Basic rationale

2. The excellent paper “SIL determination – Dealing with the unexpected”

For a previous blog related to diagnostics on your diagnostics see here.

For previous blogs in this series, see here.
