Julia V. Bukowski

Modeling and analyzing the effects of periodic inspection on the performance of safety-critical systems

This paper presents a method for incorporating into Markov models of safety-critical systems, periodic inspections and repairs which occur deterministically in time. Both perfect and imperfect inspections and repairs can be modeled. Based on this new modeling technique, closed-form solutions are derived for a variety of important performance indexes including MTTF, MTTF/sub D/, MTTF/sub S/, average availability, and average probability of failing dangerously. The solutions are applied to an example system to illustrate how the method can be used to study the effects on performance of: (a) choices of the time-length between periodic inspections and repairs, and (b) improvements in inspection and repair techniques.

Using Markov models for safety analysis of programmable electronic systems

Abstract Markov Models (diagrams showing failure states) can easily represent the operation of a fault tolerant programmable electronic system (PES) as various system compenents fail and/or are repaired. These models can account for multiple failure rates as a function of failure state, common cause failures, on-line diagnostic capability of a PES, multiple failure modes, and different repair rates as a function of failure state. Further, the same physical system may behave differently in different operating modes and this can be accounted for by different Markov models. Such models can be constructed simply and accurately when a systematic method is used. This paper describes the systematic method and shows examples of the reliability and safety analysis developed for a new fault tolerant control system under two different operating modes. The importance of including the operating mode in the modeling and analysis is clearly demonstrated. One operating mode is substantially safer than the other.

Incorporating process demand into models for assessment of safety system performance

The paper presents a simple model of a safety instrumented system (SIS) that explicitly incorporates process demand in addition to including both the detected and undetected modes of the fail dangerous state, and shows the impact of process demand on SIS performance. The research concludes that the explicit incorporation of process demand is necessary to assess SIS safety performance appropriately, and that a simple arbitrary division between low demand and high demand is insufficient. The study also suggests a method of using the model to determine an appropriate value of TI, the time to periodic inspection and maintenance of the SIS, so as to achieve a suitable level of SIS safety performance. The paper notes the limitations of the present work, and provides suggestions for future research in this area

A comparison of techniques for computing PFD average

This paper compares two techniques for computing PFDavg-the use of Markov models and simplified equations-and applies each to 10 different system configurations. Results show that Markov models, when properly constructed and interpreted, give exactly the same results as those obtained from classical probability techniques. Claims that Markov model results are incorrect as reported in work by others are unfounded. In fact, they provide exact solutions not only for simple models but also for more realistic, complex models that are not covered by the simplified equations. However, Markov models require greater understanding for correct use. Simplified equations are much easier to use for rough estimates but the simplifications required to keep them easy to use may result in significant errors. These errors in the estimates can be quite large for undetected failures.

Using markov models to compute probability of failed dangerous when repair times are not exponentially distributed

Members of standards committees for safety instrumented systems (SIS) are debating the relative merits of different modeling techniques for assessing the appropriateness of safety system design. One argument against the use of Markov models is that they represent repair times by exponential densities but that repair times are not exponentially distributed. In this paper, we use a simple Markov model with typical non-exponential repair times and calculate, by simulation methods, both the transient and steady state probabilities of the failed dangerous detected (FDD) state over a range of values for failure rates. We compare these results to those obtained using two different Markov models that assume exponentially distributed repair times. We show that the steady state probabilities from all three models are identical though the transients show some differences. We conclude that, to the extent that steady state probability of the FDD state is considered an appropriate measure of system safety, simple Markov models with exponential repair-time densities can be used and will give the same results as more complicated non-exponential repair-time densities

Verifying common-cause reduction rules for fault tolerant systems via simulation using a stress-strength failure model.

Redundant programmable electronic systems are commonly used in many industrial processes for safety protection and high availability process control. Common-cause failures can significantly reduce the benefits of the redundancy designed into this equipment. To improve on this situation, a number of qualitative design rules for reducing common cause failures have been put forth. However, these rules have not previously been subjected to quantitative verification. It is important to understand the magnitude of common cause failures and how this varies with design changes. This information can be used to show how system designs can be improved by lowering common cause failure rates. A stress-strength simulation was created to simulate the failures of a programmable electronic system under different design scenarios and the common cause failure rate was computed for each case. The simulation results not only confirm that the qualitative design rules lowered common cause failure rates but also provide some quantitative assessment of how large the improvements can be in various cases.

Impact of proof test effectiveness on safety instrumented system performance

This paper addresses the effectiveness of proof tests that are performed on safety instrumented functions (SIF) to reveal any failures undetected by automatic diagnostics. The paper focuses on low demand mode applications where an achieved Safety Integrity Level (SIL) is determined by a SIFs average Probability of Failure on Demand (PFDavg). Functional safety standards [1, 2], which require periodic proof tests, assume that proof tests are performed perfectly, i.e., all proof tests are 100% complete (all hidden failures are tested for), and 100% correct (all hidden failures are correctly identified; all indentified failures are completely repaired). Practical experience however easily shows that proof tests are typically neither 100% complete nor 100% correct. This paper proposes a measure of proof test effectiveness (PTE) which takes into account both proof test correctness and completeness. It shows how the SIF performance degrades over successive proof test intervals if the PTE is less than 100%. Consequently, a SIF may suffer a degradation of SIL level over time, a feature not recognized by current standards. Several examples using different levels of proof test completeness and correctness highlight the impact of PTE.

Development of a Mechanical Component Failure Database

In this paper, we present a methodology to derive component failure rate and failure mode data for mechanical components used in automation systems based on warranty and field failure data as well as expert opinion. We describe a process for incorporating new component information into the database as it becomes available. The method emphasizes random mechanical component failures of importance in the world of safety analysis as opposed to the wear-out and aging mechanical failures that have dominated mechanical reliability analysis. The method provides a level of accuracy significantly better than warranty failure data analysis alone. The derived database has the same form as that for electrical/electronics databases used in FMEDA analyses used to show compliance with international performance-based safety standards. Thus, the mechanical database can be used in conjunction with existing electrical/electronics databases to perform required probabilistic safety analysis on automation systems comprised of both electrical and mechanical components.

Analysis of pressure relief valve proof test data

This article reports on our statistical analysis of pressure relief valve (PRV) proof test data for the failure mode, fail‐to‐open, i.e., the PRV remains closed when actual pressure reaches or exceeds 150% of set pressure. Three data sets, from two Fortune 500 operating companies, which met the intent of the quality assurance of proof test data as documented by the Center for Chemical Process Safety Process Equipment Reliability Database (CCPS PERD) 1 initiative, were analyzed. Although the original intent of our analysis focused solely on estimating the failure rate during the “useful life” 2 of the equipment, it became apparent that the probability of failure on initial installation or reinstallation after proof test, and the need to address what constituted end of useful life were very significant. This article provides three important findings that are summarized as follows: 1 The statistical analysis of each data set predicted a 1–1.6% probability of initial failure where initial failure is understood to be at the time of initial installation or reinstallation after a proof test. This implies that most of the failures found during the useful life via proof test are pre‐existing failures from the time of installation or reinstallation rather than failures that occurred randomly after installation or reinstallation of the PRV. 2 Our calculations, based on the three independent data sets, led to consistent estimates of PRV useful‐life failure rates between 10−8 and 10−7 failures/h. Additionally, we compared our estimates from data analysis to the prediction of useful‐life failure rate for a particular PRV model using the Failure Modes Effects and Diagnostics Analysis (FMEDA) method. The prediction was consistent with the data estimates. 3 The data further indicated that the low useful‐life failure rate was not supported beyond a 4–5 year proof test interval as the threshold of wear‐out seemed to be approached.

How diagnostic coverage improves safety in programmable electronic systems

Abstract Programmable Electronic Systems (PES) are a potentially good solution for safety protection applications. But a PES must utilize special circuits and special architectures to reduce the chances of it failing dangerously. There are several parameters design parameters to measure the effectiveness of these systems. Diagnostic ‘Coverage Factor’ is one of these parameters that affects all architectures. This paper explains the tools used to measure and verify the diagnostic capability of a PES.