
Publication


Featured research published by William M. Goble.


ISA Transactions | 1995

Using Markov models for safety analysis of programmable electronic systems

Julia V. Bukowski; William M. Goble

Markov Models (diagrams showing failure states) can easily represent the operation of a fault tolerant programmable electronic system (PES) as various system components fail and/or are repaired. These models can account for multiple failure rates as a function of failure state, common cause failures, on-line diagnostic capability of a PES, multiple failure modes, and different repair rates as a function of failure state. Further, the same physical system may behave differently in different operating modes and this can be accounted for by different Markov models. Such models can be constructed simply and accurately when a systematic method is used. This paper describes the systematic method and shows examples of the reliability and safety analysis developed for a new fault tolerant control system under two different operating modes. The importance of including the operating mode in the modeling and analysis is clearly demonstrated. One operating mode is substantially safer than the other.


ISA Transactions | 2001

Verifying common-cause reduction rules for fault tolerant systems via simulation using a stress-strength failure model.

Julia V. Bukowski; William M. Goble

Redundant programmable electronic systems are commonly used in many industrial processes for safety protection and high availability process control. Common-cause failures can significantly reduce the benefits of the redundancy designed into this equipment. To improve on this situation, a number of qualitative design rules for reducing common cause failures have been put forth. However, these rules have not previously been subjected to quantitative verification. It is important to understand the magnitude of common cause failures and how this varies with design changes. This information can be used to show how system designs can be improved by lowering common cause failure rates. A stress-strength simulation was created to simulate the failures of a programmable electronic system under different design scenarios and the common cause failure rate was computed for each case. The simulation results not only confirm that the qualitative design rules lowered common cause failure rates but also provide some quantitative assessment of how large the improvements can be in various cases.


Reliability and Maintainability Symposium | 2007

Development of a Mechanical Component Failure Database

William M. Goble; Julia V. Bukowski

In this paper, we present a methodology to derive component failure rate and failure mode data for mechanical components used in automation systems based on warranty and field failure data as well as expert opinion. We describe a process for incorporating new component information into the database as it becomes available. The method emphasizes random mechanical component failures of importance in the world of safety analysis as opposed to the wear-out and aging mechanical failures that have dominated mechanical reliability analysis. The method provides a level of accuracy significantly better than warranty failure data analysis alone. The derived database has the same form as that for electrical/electronics databases used in FMEDA analyses used to show compliance with international performance-based safety standards. Thus, the mechanical database can be used in conjunction with existing electrical/electronics databases to perform required probabilistic safety analysis on automation systems comprised of both electrical and mechanical components.


Process Safety Progress | 2009

Analysis of pressure relief valve proof test data

Julia V. Bukowski; William M. Goble

This article reports on our statistical analysis of pressure relief valve (PRV) proof test data for the failure mode, fail‐to‐open, i.e., the PRV remains closed when actual pressure reaches or exceeds 150% of set pressure. Three data sets, from two Fortune 500 operating companies, which met the intent of the quality assurance of proof test data as documented by the Center for Chemical Process Safety Process Equipment Reliability Database (CCPS PERD) initiative, were analyzed. Although the original intent of our analysis focused solely on estimating the failure rate during the “useful life” of the equipment, it became apparent that the probability of failure on initial installation or reinstallation after proof test, and the need to address what constituted end of useful life were very significant. This article provides three important findings that are summarized as follows:

1. The statistical analysis of each data set predicted a 1–1.6% probability of initial failure where initial failure is understood to be at the time of initial installation or reinstallation after a proof test. This implies that most of the failures found during the useful life via proof test are pre‐existing failures from the time of installation or reinstallation rather than failures that occurred randomly after installation or reinstallation of the PRV.

2. Our calculations, based on the three independent data sets, led to consistent estimates of PRV useful‐life failure rates between $10^{-8}$ and $10^{-7}$ failures/h. Additionally, we compared our estimates from data analysis to the prediction of useful‐life failure rate for a particular PRV model using the Failure Modes Effects and Diagnostics Analysis (FMEDA) method. The prediction was consistent with the data estimates.

3. The data further indicated that the low useful‐life failure rate was not supported beyond a 4–5 year proof test interval as the threshold of wear‐out seemed to be approached.


ISA Transactions | 1997

How diagnostic coverage improves safety in programmable electronic systems

William M. Goble; Julia V. Bukowski; Ac Aarnout Brombacher

Programmable Electronic Systems (PES) are a potentially good solution for safety protection applications. But a PES must utilize special circuits and special architectures to reduce the chances of it failing dangerously. There are several design parameters to measure the effectiveness of these systems. Diagnostic ‘Coverage Factor’ is one of these parameters that affects all architectures. This paper explains the tools used to measure and verify the diagnostic capability of a PES.


Reliability and Maintainability Symposium | 2009

Validation of a mechanical component constant failure rate database

Julia V. Bukowski; William M. Goble

This paper reports on our successful efforts to validate statistically certain constant failure rate data in a mechanical component constant failure rate and failure mode database. To accomplish this, we use a Failure Modes, Effects, and Diagnostic Analysis (FMEDA) to predict the constant failure rate, λD, for the fail-to-open condition of a particular series of pressure relief valves (PRV) using the failure rates from the mechanical component database. Next, we apply the quantal response method to four sets of PRV proof test data to calculate four estimates, λD, for λ, the true value of the failure rate. Finally, using each data estimate we test the hypothesis H0: λ = λD vs H1: λ ≫ λD. Each proof test data set supports the FMEDA prediction at a 30% significance level, implying a 70% upper confidence limit. Further we show that the probability that this result could have been obtained by chance alone given reasonable alternative values of λ is about 2.5% or less. While this does not validate the entire mechanical component database, it strongly supports its validity at least with respect to the component failure modes responsible for the PRV fail-to-open condition and, by extension, to the techniques used to create the database.


ISA Transactions | 1991

High availability systems for safety and performance—the “coverage” factor

William M. Goble

High Availability Systems are needed in many applications not only for safety purposes but also for good economic performance. “Coverage” is a measure of how well the automated testing in such systems detects failures. The coverage factor is considered by many to be the most important measure of availability in fault tolerant architectures. The control system designer can create better logic control systems by understanding the “hows” and “whys” of coverage.


Reliability and Maintainability Symposium | 2013

Predictive analytics: Assessing failure rate accuracy & failure mode completeness

Julia V. Bukowski; William M. Goble

This paper introduces a benchmarking technique we call predictive analytics (PA). The benchmark for the constant failure rate (λ) of a specific failure mode of an element (e.g., pressure transmitter, microprocessor, valve, etc.) used to implement a safety instrumented function (SIF) is predicted using the failure modes, effects and diagnostic analysis (FMEDA) technique supported by a database of constant failure rates and failure mode distributions for the components which comprise the element. This benchmark represents the λ of that failure mode inherent in the element during its useful life. The λ for the same failure mode of the element is estimated from field failure data (FFD) and compared to the benchmark. It is not uncommon for the benchmark λ and estimated λ to differ considerably. PA provides a procedure for exploring explanations of these differences and assessing the accuracy of the estimated element λ with respect to the benchmark λ of the element. PA can often determine the source of that portion of the estimated λ value not inherent to the element but likely due to random failures of infant mortality, wear out, or initial failures, to systematic failures, or to application or site specific issues. This site specific element λ is the portion of the estimated λ the end user needs to address to improve operational reliability and safety. PA can also assess the quality of FFD and can facilitate the discovery of previously unknown element failure modes.


Reliability and Maintainability Symposium | 2012

Properly assessing mechanical component failure rates

Julia V. Bukowski; William M. Goble

This paper overviews various methods by which a mechanical component's dangerous failure rate, λD, is estimated or predicted for mechanical components used in safety applications. The methods are critically evaluated and the advantages and disadvantages of each are discussed. It is important to note that the same mechanical component may have different values for λD based on the safety application(s) in which the component will be used. Different methods for estimating or predicting λD are more appropriate for some safety applications than for others. An example is provided indicating the inaccuracies that can arise if a method that is well suited for one safety application produces a value for λD that is then used to compute a safety rating for the same component used in a very different way in another safety application.


ASME 2011 Pressure Vessels and Piping Conference: Volume 1 | 2011

Probability of Initial Failure for Spring Operated Relief Valves

Julia V. Bukowski; Robert E. Gross; William M. Goble

We present clear and convincing evidence that, for new spring operated relief valves (SORV) that are not proof tested by the user shortly before installation, there is a non-trivial probability that the SORV will be installed in the fail-to-open (stuck shut) failure mode. Using the results of over 4800 new ASME Boiler and Pressure Vessel Code Section VIII SORV proof tests, we estimate the probability of initial failure (PIF) due to manufacturer/assembly anomalies, as well as PIF due to in-storage aging of SORV based on their material composition. We indicate how PIF can be reduced by various preinstallation activities that may be undertaken by the user. We show how to compute values of PIF to be used in calculating the average probability of fail danger (PFDavg) (as required by IEC61508 and similar safety standards in order to determine a safety integrity level (SIL)) which accounts for both the SORV material composition and the pre-installation activities undertaken. For four typical SORV of different material compositions we show how pre-installation activities influence the achievable SIL. We discuss the implication of these findings for estimating PIF for used (previously installed) SORV. We close with recommendations to further address PIF.

Collaboration


Dive into William M. Goble's collaborations.

Top Co-Authors

Robert E. Gross

United States Department of Energy

Ac Aarnout Brombacher

Eindhoven University of Technology

Stephen P. Harris

Savannah River National Laboratory
