In my last blog on soft errors I promised that the next blog would be on the topic of PFH and PFD. However, since that promise it occurred to me that I should first cover low and high demand mode.
Within IEC 61508 there are basically two types of safety functions, high demand and low demand. A high demand safety function is for a demand which occurs more often than once per year (e.g. once per day) and a low demand is for something which has an expected demand rate of less than once per year (e.g. once every 10 years).
Determining whether a safety function is low or high demand has implications including:
· The key reliability metric – could be PFH of PFD (see next blog in series)
· The suitable methods to determine the required SIL of any safety function
· The measures which must be taken to prevent the introduction of design errors (systematic errors)
· The diagnostic rate
There is no definition of “demand” in IEC 61508, but IEC TR 631161 defines a demand as an “event that causes the safety control system to perform the safety control function." Within the process industry, a demand may also be referred to as a process update or a process deviation.
IEC 61508 defines a third mode of operation called continuous mode, but the requirements are similar to high demand mode. In low and high demand modes two things need to happen for someone to get hurt. 1) the safety system needs to fail and 2) a demand must occur while the safety system is in the failed state. In continuous mode, an incident happens as soon as the safety system fails dangerously as it is the safety system which is maintaining safety.
Figure 1 - Continuous mode vs demand mode according to ISO/TR 12489:2013
While IEC 61508 as a basic standard needs to cover both low and high demand mode this is not the case for sector specific standards. For instance, machinery only has high demand and process control has mostly low demand. Something like an airbag sub-system has high and low demand safety functions although ISO 26262 does not have modes of operation at all making all safety functions effectively high demand (the low demand safety function deploy airbag when you crash, the high demand safety function is to prevent inadvertent deployment.)
Figure 2 - how to calculate demand rate from IEC 63161
The above figure is from a draft of IEC 63161 where it calculates demand rate as DR=IR.Pr.Fr.(1-AV)
In the next blog I will deal with the PFH (high demand) and PFD (low demand) metrics.
The demand rate can be used to determine the SIL in terms of the systematic requirements. Suppose the maximum acceptable risk is deemed to be 1e-5/y. And suppose only 1 in 100 events leads to a fatality => can allow a demand to occur 100 times more frequently => 1e-3/y without exceeding the 1e-5/y number. Further suppose that the EUC (equipment under control) will fail only once every 5 years (0.2/y). Then the average failure of demand on the safety system needs to be a maximum of 1e-3/0.2 =5e-3 which is 1 in 200 which is in the SIL 2 range according to IEC 61508-1:2010 table 2.
Therefore, the system needs to achieve a RRF (risk reduction factor) of 200 and meet the systematic requirements for SIL 2 – Note an RRF of 100 to 999 would give a SIL 2 requirement in terms of the systematic requirements (also known as systematic capability SC 1 to SC 4). However, the PFH and PFD (see next blog) must still be sufficient to achieve a risk reduction factor of 200.
In regards to setting the diagnostic test rate see IEC 61508-2:2010 clauses 7.4.4.1.4 and 7.4.4.1.5. In effect for a non-redundant system it states that the sum of the diagnostic test interval (inverse of diagnostic test rate) plus the time to achieve the safe state should be less that the process safety time OR the ratio of the diagnostic test rate to the demand rate equals 100. For low demand safety functions there is no minimum diagnostic test rate but once/day or once/shift is generally taken as conservative and should allow the hardware reliability metric to be met (PFD).
This blogs video discusses airbags – see https://www.youtube.com/watch?v=SSz6y-W-R_A
For next time, the discussion will be on the “PFH and PFD”.
If you wish to read more on the topic the following papers are good but you will need motivation and stamina to persist:
1) SIL Determination – Dealing with the unexpected by Alan G King
2) Reliability of safety-critical systems: Theory and application – section 2.6
3) IEC 63161
4) ISO/TR 12489:2013 clause 3.2.13 and others
5) Functional Safety – an IEC 61508 SIL 3 compliant development process section E.7