This document discusses safety-instrumented systems and how fault tree analysis can be used to evaluate them. It provides examples of how fault trees can be constructed to model the logic and failure modes of a safety instrumented system. Fault trees are used to calculate reliability metrics like probability of failure on demand and mean time to failure of spurious trips. The document also discusses how common cause failures, importance analysis, and sensitivity analysis can be incorporated into the fault tree modeling.

1. Safety-Instrumented Systems
A Fault Tree Approach
Joseph Belland, Isograph Inc.
David Wiseman, Isograph Ltd.

2. Safety-Instrumented Systems
 Critical Processes or systems
 Found in many different industries
 Malfunction may cause risk
 Safety, environmental, or financial
 Examples:
 Chemical reactor
 Nuclear generator
 Airbag

3. Safety-Instrumented Systems
 Mitigate risks of critical systems
 Restores system to safe state in event of
hazardous condition
 Three elements
 Inputs: Monitor system, detect hazardous
conditions
 Logic solver: interprets inputs
 Final elements: halt the system or process or
restore it to failsafe state

4. SIS Example: HIPPS

5. Example Fault Tree
OR
Top event
(hazard)
VOTE
2
Vote gate
AND
Logic gate
EV2
Basic event
EV3
Dormant
event
EV4
Basic event
EV5
Basic event
EV6
Basic event

6. Construction Logic
 SIS terminology: vote to trip
 Fault Trees: failure logic
SIS trip logic 1ooN NooN MooN
Fault Tree Gate
AND OR (N-M+1)

7. Construction Logic Example
VALVES
Both valves
fail open
VALVE1
Block valve
1 fails open
VALVE2
Block valve
2 fails open
XV XV
VALVES1
Either valve
fails open
VALVE3
Block valve
1 fails open
VALVE4
Block valve
2 fails open

8. Generic SIS Tree
PFD
SIS failed
dangerous
INPUTS LOGIC SOLVER FINAL ELEMENTS

9. HIPPS Fault Tree
HIPPS PFD
HIPPS fails to
stop over-
pressurization
PTS
2
2 of 3 pressure
transmitters fail
to register a high
pressure
VALVES
Both valves
fail open
LS
Logic Solver
fails to send
trip signal
PT1
Pressure
Transmitter 1
fails low
PT2
Pressure
Transmitter 2
fails low
PT3
Pressure
Transmitter 3
fails low
VALVE1
Block valve
1 fails open
VALVE2
Block valve
2 fails open

10. Failure Data
λ SD
λ SU
λ DU
λ DD

11. Failure Data
 Fault Trees constructed for a single
hazard
 Basic events contribute to that hazard
 Dangerous or Safe failures only

12. Failure Data
 Commonly-used data
 Failure rate
 MTTR
 Test interval
 Dangerous failure %
 Diagnostic coverage
 Proof test coverage
 Used in equation to solve PFD

13. Common Cause Failures
 Affect multiple components
simultaneously
 Reduce effectiveness of redundancy
 Beta factor
 Percent of failures due to CCF
 FT assumes independence
 CCFs must be accounted for
 Separate basic event
 Implicit inclusion

14. Explicit CCF Inclusion
SYS
System
failure
IND
Both
components fail
independently
COMP CCF
Components
fail due to
CCF
COMP1 IND
Component 1
independent
failure
COMP2 IND
Component 2
independent
failure

15. Implicit CCF Inclusion
SYS2
System
failure
COMP1
Component
1 failure
COMP
CCF
COMP2
Component
2 failure
COMP
CCF

16. Logic and PFDAVG
 FT methods:
1. Solve component PFDAVG
2. Apply system logic to calculate system
PFDAVG
 IEC 61508-6
1. Apply system logic
2. Solve PFDAVG
𝑓(𝑥) ∙ 𝑓(𝑥) ≠ 𝑓(𝑥) ∙ 𝑓(𝑥)

17. HIPPS Example
 Block valves
 IEC 61508-6: 3.949E-3
 FT: 3.348E-3
 Optimistic
 Compensating algorithm needed
 Markov analysis
 FT program with compensation: 3.913E-3

18. HIPPS Analysis
 SIL 2
PFDavg λ (/hour) MTBF
(hours)
RRF
4.7E-3 6.193E-7 1,622,000 212.8

19. Spurious Trip Analysis
 How often SIS engages unnecessarily
 “Safe” failures
 FT used to quantify MTTFspurious
 Failure data: safe failure rate
 Logical reverse of PFD Fault Tree

20. HIPPS Spurious Trip FT
HIPPS SPURIOUS
MTTF=1.622E+05
HIPPS
engages
unnecessarily
PTS
2
2 of 3 pressure
transmitters
falsely register
high pressure
VALVES
Valve system
engages
unnecessarily
LS
Logic Solver
fails to send
trip signal
PT1
Pressure
Transmitter
1 fails high
PT2
Pressure
Transmitter
2 fails high
PT3
Pressure
Transmitter
3 fails high
VALVE1
Block valve
1 fails closed
VALVE2
Block valve
2 fails closed

21. Optimization
 Advantage of computer programs
 How can we improve reliability?
 Importance Analysis
 Sensitivity Analysis

22. Importance Analysis
 Event contribution to system failure
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
Block valves Pressure
transmitters
Logic solver

23. Sensitivity Analysis
 Repeated changes of events to see
effect on TOP gate
 Test different basic event inputs
 Example
 Different block valve test intervals
τ
(months)
4 6 8 12 18 24
PFDavg 1.028E-3 1.274E-3 1.547E-3 2.174E-3 3.314E-3 4.700E-3

24. Conclusion
 Fault Tree Analysis
 Useful tool for evaluating SIS
 Well-developed methodology
 Plenty of programs exist
 Can model complex system logic
 Can model PFD/Spurious trips
 CCFs taken into account
 Importance and sensitivity considerations

25. Questions?
JBelland@isograph.com
DWiseman@isograph.com