
HAL Id: hal-01149814

https://hal.archives-ouvertes.fr/hal-01149814

Submitted on 7 May 2015


A review of SIL theory and a demonstration on the need to truncate the exponential distribution for the generation of SIS failures: Example for a 1oo1 channel architecture

Laurent Cauffriez

To cite this version:

Laurent Cauffriez. A review of SIL theory and a demonstration on the need to truncate the exponential distribution for the generation of SIS failures: Example for a 1oo1 channel architecture. QUALITA' 2015, Mar 2015, Nancy, France. ⟨hal-01149814⟩


A review of SIL theory and a demonstration on the need to truncate the exponential distribution for the generation of SIS failures

Example for a 1oo1 channel architecture

Laurent CAUFFRIEZ

LAMIH/Intelligent & Cooperative Systems UMR CNRS 8201- University of Valenciennes Le Mont Houy, F-59313, Valenciennes Cedex 9, France

laurent.cauffriez@univ-valenciennes.fr

Abstract — This paper deals with the modelling of a Safety Instrumented System (SIS) in order to assess its SIL level. First, the underlying mathematical theory is presented, focusing mainly on the expected value and the exponential distribution. Because of the SIL theory and its mathematical assumptions, the need to truncate the exponential distribution when generating failures by Monte Carlo simulation is demonstrated for SIS architectures that are periodically tested. Two Stochastic P-temporised Petri Nets are proposed to illustrate this small but crucial modelling difficulty. Through the implementation of both Petri Nets, the ability of the truncated exponential distribution to generate failures by Monte Carlo simulation within the time interval between two tests is demonstrated. Finally, simulations and experimental results are given.

Index Terms — Safety Integrity Level, Safety Instrumented System, Safety architecture, IEC 61508, Self-diagnostic components, Probability of Failing Dangerously, Truncated exponential distribution, Periodic test, PFD, SIL, SIS.

I. INTRODUCTION

The demand on a Safety Instrumented System (SIS) depends on the failure of the so-called Equipment Under Control (EUC), which is an equipment, machinery, apparatus or plant used for manufacturing, process, transportation, medical or other activities [1]. The principle of SIS demand is given in Figure 1. The role of the SIS is to bring the EUC into a safe state when all safety barriers have failed (ultimate safety level) and to do so preventively when the SIS itself fails (integrity of the safety function).

Table I gives an overview of possible SIS architectures according to the IEC 61508 standards [1]. Please note that for a 1oo1 channel, any dangerous failure leads to a failure of the safety function when a demand arises. Two types of intrinsic failures can affect the proper functioning of a SIS channel: dangerous failures and safe failures. Dangerous failures are defined by [2] as failures that can provoke accidents because the failed SIS is unable to face a potentially dangerous event for the equipment under control. Safe failures of the SIS denote failures that have no consequence in terms of safety for the equipment under control.

Fig. 1. Principle of the demand of SIS

TABLE I. ARCHITECTURES OF SAFETY INSTRUMENTED SYSTEMS

As a SIS is equipped with a self-diagnostic system, it is possible to detect intrinsic failures, which leads to a specific Safety Integrity Level of the SIS (SIL level of the SIS): the performance of the diagnostic depends on the ability of the diagnosis to cover some types of failures or not.


As described by [2], the tree of Figure 2 gives the decomposition of the types of failures λ (λ is usually called the failure rate and its unit is h⁻¹ or year⁻¹). Please note that all the SIL theory developed in the IEC 61508 standards makes a strong assumption: failure distributions are assumed to be exponential and failure rates are therefore constant regardless of the type of SIS architecture, i.e. 1oo1, 1oo2, 1oo2D, 2oo2, 2oo3.

From this point of view, the 1oo1 architecture is the reference for theoretical SIL calculation. For the other types of architectures, SIL levels are usually deduced from the 1oo1 architecture by applying conventional probabilities for events, i.e. P(Channel1 ∩ Channel2) for the 1oo2 architecture and P(Channel1 ∪ Channel2) for the 2oo2 architecture, …

Fig. 2. Classification of failures

Please note that:

- We are not interested in this paper in separating the dangerous failure rate λD into λDD + λDU (Dangerous Detected failure rate and Dangerous Undetected failure rate) as proposed in the standard IEC 61508-6 [2]. Indeed, this way of modelling is based on a specific decomposition of the channel into two hardware parts: one part failing dangerously without being detected, and one part failing dangerously and being detected. In the rest of the paper, the dangerous failure rate of the SIS is denoted λD.

- As we only want to validate in this paper the model for the failure process, the repair duration is assumed to be equal to 0 h. In this particular case, the PFD is equal to the unreliability of the SIS and not to its unavailability. For a PFD equal to the unavailability, the Mean Time To Repair (MTTR) in Fig. 3 must be taken into account. For more details, please see the very good discussions by [3] and [4].

- We consider in this paper only SIS having a low demand mode.

A number of reliability techniques are usable for the analysis of the safety integrity of SIS architectures. Indeed, the safety integrity of a SIS depends on several parameters: its type of architecture (1oo1, 1oo2, 1oo2D, 2oo2 and 2oo3), the failure rates of the components constituting the SIS and the time interval between two tests. Classically, these techniques are sorted according to the two following points of view:

- static (boolean) versus dynamic (states/transitions) models,

- analytical versus Monte Carlo simulation calculations.

In this paper, we consider analysis based on Monte Carlo simulation and we focus on a small but essential point of SIS modelling by giving an answer to the following question:

"How to generate, with a Monte Carlo simulation, Time To Failures (TTF) within the time interval between two tests for a SIS having a small constant failure rate and therefore a large exponential mean value?"

Indeed, for a SIS periodically tested with a period T1, the theory points out that the mean value of the Time To Failure in the channel is equal to half of the testing period T1 (assuming an exponential distribution for the failures).

This theoretical result must be recovered by Monte Carlo simulation. This paper demonstrates the need to truncate the exponential distribution in order to verify the theory by simulation.

II. THEORY

A. Reminder on probabilities

Denote by random variable T the lifetime. Then, the unreliability F(t) is the probability of failure to age t (inclusive or exclusive). The difference F(T1)-F(0), (T1>0) is the probability of failure during the interval [0,T1] and is the area under the curve obtained by integrating the failure density function f(t) between ages 0 and T1. (See equation (1)).

$$P(0 \le T \le T_1) = \int_0^{T_1} f(t)\,dt = \left[F(t)\right]_0^{T_1} = F(T_1) - F(0) \qquad (1)$$

In the field of SIL level assessment, the failure distribution is exponential because of the assumption of a failure rate λD constant. Thus, the unreliability of the SIS during a specified time interval [0, T1] is given in (2):

$$P(0 \le T \le T_1) = \int_0^{T_1} f(t)\,dt = \int_0^{T_1} \lambda_D\,e^{-\lambda_D t}\,dt = \left[-e^{-\lambda_D t}\right]_0^{T_1} = 1 - e^{-\lambda_D T_1} \qquad (2)$$

Similarly, the reliability given in (3) is the probability of no failure to age T1 (inclusive or exclusive):

$$P(T > T_1) = 1 - P(0 \le T \le T_1) = 1 - \int_0^{T_1} f(t)\,dt \qquad (3)$$

$$= 1 - \int_0^{T_1} \lambda_D\,e^{-\lambda_D t}\,dt = e^{-\lambda_D T_1} \qquad (4)$$

Because the SIS either remains normal or experiences its first failure during the time interval [0,T1],

$$R(t) + F(t) = 1 \qquad (5)$$


B. Reminder on expected value E(T)

In probability theory, one interesting quantity is the expected value of the random variable T, often denoted E(T), and given in (6). The quantity E(T) gives the mean value of the random variable T between ages a and b.

$$E(T) = \int_a^b t \cdot f(t)\,dt \qquad (6)$$

The MTTF (Mean Time To Failure) is directly derived from the expected value E(T) for the time interval [0, +∞[:

$$MTTF = E(T) = \int_0^{+\infty} t \cdot f(t)\,dt = \frac{1}{\lambda_D} \qquad (7)$$

C. Application of expected value on SIL assessment

Suppose X is the random variable measuring the lifetime until the SIS experiences its first failure on the time interval [0, A]. An assumption is that X follows an exponential distribution with a constant failure rate λD. The probability of failure is therefore given in (8).

$$P(0 \le X \le A) = \int_0^{A} f(t)\,dt = \int_0^{A} \lambda_D\,e^{-\lambda_D t}\,dt \qquad (8)$$

If we want to quantify the mean value of the time to failure on the time interval [0, A], we have to calculate the integral (9) corresponding to the expected value of X.

$$I(A) = \int_0^{A} t \cdot f(t)\,dt = \int_0^{A} t \cdot \lambda_D\,e^{-\lambda_D t}\,dt \qquad (9)$$

A solution of equation (9) is obtained by integrating by parts (equation (10)) and choosing $u = t$ and $v' = \lambda_D\,e^{-\lambda_D t}$, i.e. $v = -e^{-\lambda_D t}$:

$$\int u \cdot v'\,dt = u \cdot v - \int u' \cdot v\,dt \qquad (10)$$

The integral I(A) is therefore equal to equation (11):

$$I(A) = \int_0^{A} t \cdot f(t)\,dt = \left[-t\,e^{-\lambda_D t}\right]_0^{A} + \int_0^{A} e^{-\lambda_D t}\,dt = \frac{1}{\lambda_D} - \frac{1}{\lambda_D}\,e^{-\lambda_D A} - A\,e^{-\lambda_D A} \qquad (11)$$

Recalling that $\lim_{t \to +\infty} e^{-t} = 0$ and $\lim_{t \to +\infty} t\,e^{-t} = 0$, equation (11) tends to the value $I(A) = 1/\lambda_D$ when the upper bound A grows without limit ($A \to +\infty$). Thus, equation (7) is confirmed because

$$I(A) = E(T) = MTTF = \frac{1}{\lambda_D}.$$

But the simplification of equation (11) by applying the infinity limit cannot be done for SIL assessment because time t does not grow without bound and is limited by T1.

Please note that the time interval T1 between two tests is defined and fixed during the design of the SIS. Therefore, the expected value of X during [0,T1] is equal to:

$$I(T_1) = \frac{1}{\lambda_D} - \frac{1}{\lambda_D}\,e^{-\lambda_D T_1} - T_1\,e^{-\lambda_D T_1} \qquad (12)$$

and I(T1) quantifies the mean value of the time to failure during the time interval [0,T1].

D. Concrete example

In this paragraph, we take a discrete example in order to be pedagogical. Due to the design of the SIS, the main assumptions are the following:

- the probability that the SIS fails dangerously during the time interval [0,T1] separating two tests is equal to $F(t) = 1 - e^{-\lambda_D T_1}$ at age T1. Note that the value of F(t) is very small because of the design choices: the dangerous failure rate λD takes a low value (usually $\lambda_D \in [10^{-9}\ \mathrm{h}^{-1}, 10^{-3}\ \mathrm{h}^{-1}]$). The time interval between two tests is also chosen small by design in order to greatly reduce the probability of failure during [0,T1].

- the occurrence of the failure will be at the time ti with ti ∈ [0, T1],

- as the probability that the SIS fails dangerously during the time interval [0,T1] is very small, experience shows that there is only one failure of the SIS during [0, T1]. This last assumption is a specificity of SIL level assessment for safety architectures. Indeed, we know that for a long time of observation, the total number of times ni that the SIS experiences a failure at time ti for N separate time intervals [0,T1] leads to the situation presented in Table II.

TABLE II. TOTAL NUMBER OF TIMES ni THAT A FAILURE OCCURS AT TIME ti WITHIN N SEPARATE [0,T1] INTERVALS

Failure at time ti | t1 | t2 | t3 | … | ti | … | tj | … | tk
Total number of times ni | n1 | n2 | n3 | … | ni | … | nj | … | nk


Let g be a function from ℝ to ℝ and denote by T the lifetime random variable. The random variable T takes values t1, t2, …, tn with probabilities p1, p2, …, pn. Thus, the random variable g(T) takes values g(t1), g(t2), …, g(tn) with probabilities p1, …, pn. The expected value for a discrete random variable T is thus equal to

$$E(g(T)) = \sum_i g(t_i)\,p_i \qquad (13)$$

Applied to Table II, equation (13) is transformed into equation (14).

$$E(g(T)) = \frac{n_1}{N}\,t_1 + \frac{n_2}{N}\,t_2 + \dots + \frac{n_i}{N}\,t_i + \dots + \frac{n_k}{N}\,t_k \qquad (14)$$

Taking the assumption made in [2] that each time belonging to the interval [0,T1] has the same probability p of being observed leads to equation (15):

$$\frac{n_1}{N} = \frac{n_2}{N} = \dots = \frac{n_i}{N} = \dots = \frac{n_j}{N} = \dots = \frac{n_k}{N} = p \qquad (15)$$

Equations (14) and (15) are transformed into equation (16).

$$E(g(T)) = p \cdot (t_1 + t_2 + \dots + t_i + \dots + t_j + \dots + t_k) = p \sum_i t_i \qquad (16)$$

As the probability p in equation (16) is equal for the SIS to $F(t) = 1 - e^{-\lambda_D T_1}$ at age T1, the expected value thus becomes

$$E(g(T)) = \sum_i p\,t_i = p \sum_i t_i = \left(1 - e^{-\lambda_D T_1}\right) \sum_i t_i \qquad (17)$$

Please note that for the continuous case, equation (13) must be transformed into $E(T) = \int f(t) \cdot g(t)\,dt$, f(t) being the density function and g(t) a measurable function of the random variable T.

E. Mean value of time tc1 for which the SIS is unreliable

Since the integral I(T1) given in (12) is equal to the expected value given in (17), equation (18) is transformed into equation (19). And equation (20) is directly derived from equation (19).

$$I(T_1) = \int_0^{T_1} t \cdot \lambda_D\,e^{-\lambda_D t}\,dt \qquad (18)$$

$$I(T_1) = \int_0^{T_1} t \cdot \lambda_D\,e^{-\lambda_D t}\,dt = \left(1 - e^{-\lambda_D T_1}\right) \sum_i t_i \qquad (19)$$

$$\left(1 - e^{-\lambda_D T_1}\right) \sum_i t_i = \frac{1}{\lambda_D} - \frac{1}{\lambda_D}\,e^{-\lambda_D T_1} - T_1\,e^{-\lambda_D T_1} \qquad (20)$$

Equation (20) becomes equation (21) by replacing $\sum_i t_i$ by $t_a$.

$$t_a = \sum_i t_i = \frac{\int_0^{T_1} t \cdot \lambda_D\,e^{-\lambda_D t}\,dt}{1 - e^{-\lambda_D T_1}} = \frac{\dfrac{1}{\lambda_D} - \dfrac{1}{\lambda_D}\,e^{-\lambda_D T_1} - T_1\,e^{-\lambda_D T_1}}{1 - e^{-\lambda_D T_1}} \qquad (21)$$

Please note that the SIS is reliable on the time interval [0,ta] and unreliable on [ta, T1], i.e. tc1 (see Figure 3 according to [5]). Therefore, the value of ta given by equation (21) is the time to use for calculating the average probability of dangerous failure for the SIS within [0,T1]. Comparing equation (22) published by [6] with equation (21), it is obvious that both equations are identical.

$$t_a = \frac{\int_0^{T_1} t \cdot f(t)\,dt}{\int_0^{T_1} f(t)\,dt} \qquad (22)$$

The interest of the previous study is to demonstrate the source of equation (22), which is sometimes difficult to understand for someone starting with SIL studies. Please note that equation (22) comes from a direct application of the "second mean-value theorem for the integral" as described by [7].

By applying the power series of the exponential function, $e^x = 1 + \frac{x}{1!} + \frac{x^2}{2!} + \dots + \frac{x^n}{n!} + \dots$ for all x, with $\lambda_D T_1 \ll 1$, reference [6] points out that $t_a \approx T_1/2$ and therefore the mean value of the time tc1 for which the channel is unreliable on the interval [0,T1] (see Fig. 3) is equal to

$$t_{c1} = T_1 - t_a \approx \frac{T_1}{2} \qquad (23)$$

But we prefer to use the exact value of ta given in equation (21), which is easy to calculate with scientific software.

Fig. 3. Definition of the mean value of time tc1 for dangerous failure in [0,T1]

F. Probability of failing dangerously for the SIS architecture

The average probability of failing dangerously for the SIS architecture within the interval [0,T1] is thus given in equation (24).

$$PFD_{avg} = 1 - e^{-\lambda_D t_a} \qquad (24)$$

Applying the simplifications proposed by [6], i.e. $t_a \approx T_1/2$ and $\lambda_D T_1/2 \ll 1$, equation (24) becomes equation (25), which agrees with the one given in the IEC 61508-6 standard for the 1oo1 channel architecture. The corresponding value of SIL is found in Table III as defined by the standard IEC 61508 [2].

$$PFD_{avg} \approx 1 - e^{-\lambda_D T_1 / 2} \approx \frac{\lambda_D T_1}{2} \qquad (25)$$

TABLE III. SAFETY INTEGRITY LEVELS ACCORDING TO PFD

SIL | PFD
4 | 10⁻⁵ ≤ PFD < 10⁻⁴
3 | 10⁻⁴ ≤ PFD < 10⁻³
2 | 10⁻³ ≤ PFD < 10⁻²
1 | 10⁻² ≤ PFD < 10⁻¹

III. NEED TO TRUNCATE THE EXPONENTIAL DISTRIBUTION FOR THE GENERATION OF SIS FAILURES

Markov models [6], cause-consequence diagrams [8], Stochastic Petri Net models [9]-[10] or Fault Tree models [11]-[12] have already been proposed to assess the SIL level of safety system architectures. As it concerns low probabilities and low failure rates, it is a fact that simulation results are sometimes difficult to validate and interpret [3]. Indeed, there is a lack of objectivity concerning two modelling points:

a) One must keep in mind that a SIS architecture is designed to fail rarely,

b) If the SIS architecture fails, the failure must appear within the current [0,T1] interval and not in a future and far away test interval (if it is not possible to generate intermediate results into a data file during the simulation, this last point is difficult to verify at the end of the Monte Carlo simulation).

Below are discussed these two modelling difficulties:

a) the probability of failure for a SIS architecture is in fact directly linked with the choices made during the design concerning:

- the length of the interval between two tests, i.e. the length of the [0,T1] interval. The longer the interval is, the greater the probability of failure (see equation (1)).

- the value of the failure rate λD (failure rate whose unit is mainly h⁻¹ or year⁻¹). The smaller the value of λD is, the more reliable the SIS architecture is.

Consequently, simulating the SIS architecture over a long series of histories must converge to those observations.

b) Simulation software or tools are based on Monte Carlo simulation and propose a conventional exponential function EXPO(λ) to generate an exponential failure distribution. Thus, the software inverts the cumulative failure distribution $U = 1 - e^{-\lambda t}$ by generating a random variable U uniform in [0,1], i.e. UNIF(0,1). The time to the next failure event tevent is obtained by inverting the exponential failure distribution as given in (26):

$$\forall U \in [0,1],\quad t_{event} = -\frac{1}{\lambda}\,\ln(1 - U) \qquad (26)$$

Fig. 4. Principle of inverting an exponential cumulative failure distribution

For a periodically tested system, the conventional exponential function EXPO(λ) usually proposed by software or tools cannot be used for the generation of the failure event. Indeed, there is one constraint for SIS studies due to the periodic testing: if a failure occurs, it must appear within the time interval [0,T1].

Demonstration: determination of the min and Max limits of the truncated exponential function:

For $t_{event} = 0$: $U = 1 - e^{-\lambda t_{event}} \Rightarrow U = 0 = U_{min}$.

For $t_{event} = T_1$: $U \le 1 - e^{-\lambda t_{event}} \Rightarrow U \le U_{Max} = F(T_1) = 1 - e^{-\lambda T_1}$.

Therefore, the entire curve F(t) cannot be scanned for the generation of tevent, and only the part between $U_{min} = 0$ and $U_{Max} \le 1 - e^{-\lambda T_1}$ must be considered, as described by the truncating process of Fig. 5. Thus, we propose to build, for any Monte Carlo simulation applied to a periodically tested system, a new exponential distribution function which is truncated and denoted EXPO(λ,T1). The algorithm for inverting EXPO(λ, T1) is the following:

$$\forall U \in [0, U_{Max}] \text{ with } U_{Max} \le F(T_1) = 1 - e^{-\lambda T_1},\quad t_{event} = -\frac{1}{\lambda}\,\ln(1 - U) \qquad (27)$$

the values of λ and T1 being fixed during the design of the periodically tested system. Note that for the algorithm of the truncated exponential function given in (27), the uniform probability density function U is no longer UNIF(0,1), as it is for the conventional exponential function, but is reduced to UNIF(0,UMax).

This way of modelling EXPO(λ,T1) aims to improve the reliability of the tested system by forcing the tested system to work in a reduced unreliability area which is defined by $[U_{min}, U_{Max}] = [0, 1 - e^{-\lambda T_1}]$ for t ∈ [0,T1]. This reduced unreliability area must be applied for all sliding time windows [(k−1)⋅T1, k⋅T1] with k ∈ [1,N] (N being the maximal test number at the end of the Monte Carlo simulation).

Please note that the need to truncate the failure distribution in the inversion process is in contradiction with the recommendations of the standard IEC 61508 [2], page 78, which recommends inverting the whole distribution by generating U in [0,1].

Fig. 5. Truncation of the exponential failure distribution F(t)

IV. PROPOSITION OF A STOCHASTIC P-TEMPORISED PETRI NET TO MODEL THE BEHAVIOUR OF A SIS ARCHITECTURE 1oo1

Stochastic P-temporised Petri Nets of Fig. 6 and 7 are proposed to illustrate the difficulty for failures generation with Monte Carlo simulation applied to SIS architectures being periodically tested.

Fig. 6. Stochastic P-temporised Petri Net: First way of modelling the generation of failures for a 1oo1 SIS architecture

For the Stochastic P-temporised Petri Net of Figure 6, places P1 and P10 are marked at the beginning of the interval [0,T1]. The failure of the SIS is generated with the exponential distribution function EXPO(λD) and place P2 is marked. After a duration d1 equal to the duration of the periodic test interval [0,T1], the temporised place P10 evolves to place P11, which models the duration of the testing and repair process of the SIS, assumed here to be equal to 0 h. The synchronisation between the Stochastic P-temporised Petri Nets -a- and -b- of Figure 6 is made by the new arrival of the token in place P10.

Fig. 7. Stochastic P-temporised Petri Net: Second way of modelling the generation of failures for a 1oo1 SIS architecture

For the Stochastic P-temporised Petri Net of Figure 7, places P1 and P10 are marked at the beginning of the interval [0,T1].

Place P1 evolves either to the state P2 (no failure occurs, with probability $p = e^{-\lambda_D T_1}$) or to the state P3 (a failure occurs, with probability $1 - p = 1 - e^{-\lambda_D T_1}$).

If the SIS experiences a failure within the [0,T1] interval, the failure is generated with the truncated exponential distribution function EXPO(λD,T1) and place P4 is marked.

After a duration d1 equal to the duration of the periodic test interval [0,T1], the temporised place P10 evolves to place P11, which models the duration of the testing and repair process of the SIS, assumed here to be equal to 0 h. The synchronisation between the Stochastic P-temporised Petri Nets -a- and -b- of Figure 7 is made by the new arrival of the token in place P10.

V. EXPERIMENTAL RESULTS

To implement a Monte Carlo simulation for the above Stochastic P-temporised Petri Nets, we need a tool which:

1) can generate intermediate reports giving exactly the occurrence of failure events during the whole Monte Carlo simulation, in order to verify that failures appear within the current time interval [(k−1)⋅T1, k⋅T1] with k ∈ [1,N];

2) implements the truncation of the failure distribution F(t) described in Fig. 5.

We have not found open-source Petri net software meeting these requirements, and we have therefore implemented the two proposed Stochastic P-temporised Petri Nets with the SIMAN/ARENA discrete event simulation tool. Indeed, this tool allows the user to define custom distribution functions and to generate intermediate reports during the Monte Carlo simulation.

Two experimental campaigns have been processed for 1oo1 architecture with λD=10-4 h-1, d1=T1=100h, d2=0h, and Monte Carlo simulation duration equal to 100 years i.e. 876000h.

For these input values, the theory gives

$$t_a = \frac{\dfrac{1}{\lambda_D} - \dfrac{1}{\lambda_D}\,e^{-\lambda_D T_1} - T_1\,e^{-\lambda_D T_1}}{1 - e^{-\lambda_D T_1}} = 49.92\ \mathrm{h}$$

and a PFDavg equal to $1 - e^{-10^{-4} \cdot 49.92} = 4.979229\mathrm{E}{-03}$.


Following Table III, this is equivalent to a SIL 2.
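The truncated sampler of equation (27), the theoretical ta and PFDavg of equations (21) and (24), and a Monte Carlo run following the structure of the Fig. 7 Petri net, as an added Python example (this is not the paper's SIMAN/ARENA implementation). It uses the paper's input values λD = 10⁻⁴ h⁻¹ and T1 = 100 h; the function names and the fixed random seed are assumptions of this example.

```python
import math
import random

# Input values of the paper's experimental campaigns.
LAMBDA_D = 1e-4   # dangerous failure rate, h^-1
T1 = 100.0        # proof-test interval, h


def unreliability(lam, t):
    """F(t) = 1 - exp(-lam * t), the exponential unreliability of eq. (2)."""
    return 1.0 - math.exp(-lam * t)


def mean_ttf_within_interval(lam, t1):
    """ta of eq. (21): mean time to failure conditional on a failure in [0, T1].

    Numerator is I(T1) of eq. (12), denominator is F(T1)."""
    e = math.exp(-lam * t1)
    i_t1 = 1.0 / lam - e / lam - t1 * e
    return i_t1 / unreliability(lam, t1)


def pfd_avg_theory(lam, t1):
    """PFDavg = 1 - exp(-lam * ta), eq. (24)."""
    return unreliability(lam, mean_ttf_within_interval(lam, t1))


def sil_from_pfd(pfd):
    """SIL bands of Table III; None when PFD lies outside [1e-5, 1e-1)."""
    bands = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))
    for sil, low, high in bands:
        if low <= pfd < high:
            return sil
    return None


def expo(lam, rng):
    """Conventional EXPO(lam), eq. (26): U ~ UNIF(0,1), t = -ln(1-U)/lam.

    Unbounded: for lam*T1 = 0.01 roughly 99% of the draws land beyond T1."""
    u = rng.random()
    return -math.log(1.0 - u) / lam


def expo_truncated(lam, t1, rng):
    """Truncated EXPO(lam, T1), eq. (27): U ~ UNIF(0, UMax) with UMax = F(T1).

    Since U never exceeds F(T1), the inverse CDF never exceeds T1; the min()
    only guards against floating-point round-off in exp()/log()."""
    u = rng.random() * unreliability(lam, t1)
    return min(-math.log(1.0 - u) / lam, t1)


def fraction_beyond_t1(lam, t1, n_draws, truncated, seed=1):
    """Share of n_draws samples falling outside [0, T1] (the defect shown in Table IV)."""
    rng = random.Random(seed)
    outside = 0
    for _ in range(n_draws):
        t = expo_truncated(lam, t1, rng) if truncated else expo(lam, rng)
        if t > t1:
            outside += 1
    return outside / n_draws


def simulate(lam, t1, n_tests, seed=1):
    """Monte Carlo over n_tests consecutive windows [(k-1)T1, kT1], repair time 0 h.

    Follows the Petri net of Fig. 7: each window fails with probability F(T1), and
    the failure time is then drawn from EXPO(lam, T1). Returns the failure count,
    the mean TTF of the failed windows and the empirical PFDavg, computed as the
    total unreliable time sum(T1 - ttf) over the total simulated time n_tests*T1
    (the same statistic as the PFD column and PFDavg total of Table V)."""
    rng = random.Random(seed)
    p_fail = unreliability(lam, t1)
    n_fail, sum_ttf, unreliable_time = 0, 0.0, 0.0
    for _ in range(n_tests):
        if rng.random() < p_fail:
            ttf = expo_truncated(lam, t1, rng)
            n_fail += 1
            sum_ttf += ttf
            unreliable_time += t1 - ttf
    mean_ttf = sum_ttf / n_fail if n_fail else float("nan")
    return n_fail, mean_ttf, unreliable_time / (n_tests * t1)


if __name__ == "__main__":
    ta = mean_ttf_within_interval(LAMBDA_D, T1)
    pfd = pfd_avg_theory(LAMBDA_D, T1)
    print(f"theory: ta = {ta:.2f} h, PFDavg = {pfd:.6E}, SIL {sil_from_pfd(pfd)}")
    print(f"EXPO(lam) draws beyond T1: {fraction_beyond_t1(LAMBDA_D, T1, 10000, False):.1%}")
    print(f"EXPO(lam,T1) draws beyond T1: {fraction_beyond_t1(LAMBDA_D, T1, 10000, True):.1%}")
    n_fail, mean_ttf, pfd_mc = simulate(LAMBDA_D, T1, 87600)  # 1000 years of 100 h windows
    print(f"Monte Carlo: {n_fail} failures, mean TTF = {mean_ttf:.2f} h, PFDavg = {pfd_mc:.6E}")
```

The untruncated sampler reproduces the defect of Table IV (almost every draw exceeds T1), while the truncated run reproduces the Table V statistics: mean TTF close to T1/2 and a PFDavg within Monte Carlo noise of equation (24).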

i) For the first experimental campaign, the Stochastic P-temporised Petri Net of Figure 6 is implemented: the failure event is generated with the conventional exponential failure distribution EXPO(λD), i.e. an exponential with a mean value of 1/λD. Experimental results in Table IV point out that the SIS fails for each test interval (continuous sequence of test intervals, see the test number in column 1) and outside the current test interval [(k−1)⋅T1, k⋅T1] (see columns 4 and 5). As the experimental results are erroneous, we do not give all the values generated by the simulation in Table IV because they are of no interest.

The way of modelling the generation of failures for a 1oo1 SIS architecture in accordance with the Petri Net of Figure 6 is therefore wrong.

TABLE IV. ERRONEOUS TIME TO FAILURE OF SIS WHICH ARE OUTSIDE THE [0,T1] TEST INTERVAL

Test Number | [0,T1] Test Interval (h) | Time to failure (h) | SIS fails at time (h) during the simulation
1 | 0–100 | 3461.52 | 3461.52
2 | 100–200 | 4452.21 | 4552.21
3 | 200–300 | 2702.36 | 2902.37
4 | 300–400 | 601.71 | 901.71
5 | 400–500 | 1406.77 | 1806.77
6 | 500–600 | 1248.92 | 1748.93
7 | 600–700 | 28553.42 | 29153.42
8 | 700–800 | 7917.74 | 8617.74
9 | 800–900 | 19195.32 | 19995.32
10 | 900–1000 | 18426.98 | 19326.98
… | … | … | …
Mean value of TTF >> T1/2

ii) For the second experimental campaign, the Stochastic P-temporised Petri Net of Fig. 7 is implemented. The failure event is generated with the proposed truncated exponential failure distribution EXPO(λD,T1). In this case, the periodic test forces the system to work in the reduced unreliability area [0, UMax] with UMax equal to $1 - e^{-\lambda_D T_1}$.

Experimental results in Table V point out that the SIS fails within the test interval [0, T1]. This way of modelling the failure process for the 1oo1 SIS architecture is thus the correct one, because the Time To Failures of column 4 in Table V are all less than or equal to T1.

During the 100-year simulation, a total of 8760 tests were observed and 92 failures were counted. Over the whole Monte Carlo simulation duration, the SIS was 1.05% unreliable (92 failures/8760 tests) and 98.95% reliable (8668/8760). This agrees, for λD = 10⁻⁴ h⁻¹ and T1 = 100 h, with the theoretical input probability of the model: F(t) = 0.995% and R(t) = 99.005%, with a small deviation of 3.9E-04.

The experimental PFDavg is equal to 5.105944E-03 and the system is of SIL 2 following Table III. Thus, the experimental results confirm the theory with a small deviation of 1.2E-04.

TABLE V. GOOD TIME TO FAILURE OF SIS BECAUSE THEY ARE WITHIN THE [0,T1] TEST INTERVAL

Test Number | [0,T1] Test Interval (h) | Time To Failure (h) | PFD
23 | 2200–2300 | 84.06 | 1.594376E-01
96 | 9500–9600 | 81.52 | 1.848217E-01
100 | 9900–10000 | 9.10 | 9.089988E-01
176 | 17500–17600 | 48.07 | 5.192712E-01
238 | 23700–23800 | 37.39 | 6.261053E-01
248 | 24700–24800 | 75.41 | 2.459117E-01
412 | 41100–41200 | 32.08 | 6.792226E-01
507 | 50600–50700 | 1.31 | 9.868997E-01
584 | 58300–58400 | 41.29 | 5.871261E-01
701 | 70000–70100 | 36.82 | 6.318485E-01
746 | 74500–74600 | 71.61 | 2.838973E-01
781 | 78000–78100 | 42.96 | 5.703924E-01
952 | 95100–95200 | 49.82 | 5.017655E-01
955 | 95400–95500 | 33.65 | 6.635316E-01
986 | 98500–98600 | 77.64 | 2.235981E-01
1275 | 127400–127500 | 81.54 | 1.845796E-01
1465 | 146400–146500 | 14.78 | 8.522437E-01
1535 | 153400–153500 | 0.23 | 9.976733E-01
1670 | 166900–167000 | 51.92 | 4.808169E-01
1672 | 167100–167200 | 66.13 | 3.386907E-01
1768 | 176700–176800 | 23.09 | 7.690551E-01
1905 | 190400–190500 | 25.00 | 7.499942E-01
1991 | 199000–199100 | 63.82 | 3.618244E-01
2019 | 201800–201900 | 8.67 | 9.133125E-01
2294 | 229300–229400 | 50.54 | 4.946475E-01
2426 | 242500–242600 | 34.69 | 6.530522E-01
2453 | 245200–245300 | 42.32 | 5.768020E-01
2749 | 274800–274900 | 89.88 | 1.011708E-01
2804 | 280300–280400 | 0.51 | 9.949065E-01
2848 | 284700–284800 | 86.12 | 1.387505E-01
2905 | 290400–290500 | 95.69 | 4.309211E-02
2947 | 294600–294700 | 96.46 | 3.536756E-02
3007 | 300600–300700 | 67.00 | 3.300151E-01
3043 | 304200–304300 | 94.29 | 5.712056E-02
3133 | 313200–313300 | 6.36 | 9.363520E-01
3157 | 315600–315700 | 86.84 | 1.315986E-01
3234 | 323300–323400 | 9.45 | 9.055269E-01
3266 | 326500–326600 | 90.33 | 9.672078E-02
3377 | 337600–337700 | 0.09 | 9.991400E-01
3394 | 339300–339400 | 48.08 | 5.191721E-01
3438 | 343700–343800 | 95.93 | 4.065819E-02
3699 | 369800–369900 | 84.79 | 1.520574E-01
3897 | 389600–389700 | 61.93 | 3.807421E-01
3908 | 390700–390800 | 13.18 | 8.682319E-01
3967 | 396600–396700 | 52.28 | 4.771935E-01
4114 | 411300–411400 | 50.47 | 4.953060E-01
4139 | 413800–413900 | 43.09 | 5.691366E-01
4156 | 415500–415600 | 72.41 | 2.758825E-01
4163 | 416200–416300 | 49.86 | 5.013709E-01
4177 | 417600–417700 | 14.32 | 8.568168E-01
4204 | 420300–420400 | 10.50 | 8.949735E-01
4250 | 424900–425000 | 46.86 | 5.313926E-01
4353 | 435200–435300 | 25.35 | 7.464863E-01
4539 | 453800–453900 | 28.19 | 7.180715E-01
4582 | 458100–458200 | 49.19 | 5.080805E-01
4674 | 467300–467400 | 91.82 | 8.181913E-02
4758 | 475700–475800 | 86.51 | 1.349112E-01
4802 | 480100–480200 | 77.74 | 2.226396E-01
4851 | 485000–485100 | 62.07 | 3.793400E-01
5079 | 507800–507900 | 81.37 | 1.862670E-01
5216 | 521500–521600 | 33.29 | 6.670640E-01
5271 | 527000–527100 | 13.86 | 8.613881E-01
5300 | 529900–530000 | 13.31 | 8.668626E-01
5504 | 550300–550400 | 20.65 | 7.934665E-01
5572 | 557100–557200 | 47.30 | 5.269961E-01
5626 | 562500–562600 | 58.88 | 4.111829E-01
5965 | 596400–596500 | 49.35 | 5.065090E-01
6010 | 600900–601000 | 44.00 | 5.600337E-01
6148 | 614700–614800 | 41.46 | 5.854275E-01
6150 | 614900–615000 | 79.40 | 2.059609E-01
6187 | 618600–618700 | 47.60 | 5.240243E-01
6264 | 626300–626400 | 14.38 | 8.561860E-01
6409 | 640800–640900 | 80.94 | 1.906060E-01
6567 | 656600–656700 | 77.62 | 2.237576E-01
6597 | 659600–659700 | 92.10 | 7.902604E-02
6681 | 668000–668100 | 72.65 | 2.734826E-01
6756 | 675500–675600 | 8.67 | 9.132884E-01
6978 | 697700–697800 | 15.95 | 8.404897E-01
7144 | 714300–714400 | 60.48 | 3.952068E-01
7245 | 724400–724500 | 66.56 | 3.344074E-01
7468 | 746700–746800 | 15.71 | 8.428926E-01
7551 | 755000–755100 | 86.34 | 1.365940E-01
7580 | 757900–758000 | 93.19 | 6.808577E-02
7608 | 760700–760800 | 32.28 | 6.772105E-01
7616 | 761500–761600 | 54.54 | 4.546127E-01
7825 | 782400–782500 | 64.25 | 3.575081E-01
8187 | 818600–818700 | 65.81 | 3.419434E-01
8327 | 832600–832700 | 49.76 | 5.023637E-01
8429 | 842800–842900 | 81.83 | 1.816883E-01
8574 | 857300–857400 | 69.67 | 3.032867E-01
8729 | 872800–872900 | 37.30 | 6.269889E-01
8756 | 875500–875600 | 83.63 | 1.636997E-01
Total of 8760 tests | | Mean value of TTF = 51.38 h ≈ T1/2 | PFDavg = 5.105944E-03

VI. CONCLUSION

In this paper, a review of the mathematical theory for the SIL assessment of the 1oo1 SIS architecture has first been presented. It concerns mainly the notions of expected value and exponential distribution. This study demonstrates the need to truncate the exponential distribution for the generation of failure events in the case of a periodically tested system. Indeed, in contrast to the conventional exponential distribution EXPO(λD), a truncated exponential distribution function EXPO(λD,T1) is required to model the failure process of a 1oo1 SIS architecture. Two Stochastic P-temporised Petri Nets have been proposed to clearly explain why a truncated exponential function must be used. The next step of this study was to implement, with a discrete event simulation tool, the proposed modelling approaches for the generation of failure events for the SIL level study of a safety instrumented system.

Experimental results point out the ability of a truncated exponential distribution function EXPO(λD,T1) to generate failure events in accordance with the SIL theory.

Indeed, due to the periodicity T1 of the test, the mean value of the Time To Failures during the Monte Carlo simulation must be equal to half of the testing period T1. From this point of view, before making a SIL study with stochastic simulation software or tools, modellers must verify that the software has a truncated exponential distribution in its library or that one can be built easily.

REFERENCES

[1] IEC 61508-6. Functional safety of electrical/electronic/programmable electronic safety-related systems. NF EN 61508-6. AFNOR Standard, January 2011.

[2] W.M. Goble, "Control Systems Safety Evaluation and Reliability (2nd ed.)". Research Triangle Park (NC): ISA (The Instrumentation, Systems, and Automation Society), 1998.

[3] I. Farès, Y. Dutuit, M. Chebila, "Safety and operational integrity evaluation and design optimisation of safety instrumented systems", Reliability Engineering & System Safety, Vol. 134, pp. 32–50, 2015.

[4] I. Farès, "Contribution à la modélisation des systèmes instruments de sécurité et à l'évaluation de leurs performances – Analyse critique de la norme CEI 61508", PhD thesis, Université de Bordeaux I, 2008.

[5] I. Farès, Y. Dutuit, M. Djebabra, "Analyse critique des formules de base données dans la norme internationale CEI 61508-6", Qualita 2005, 16–18 March, Bordeaux, France, 2005.

[6] T. Zhang, W. Long, Y. Sato, "Availability of systems with self-diagnostic components – applying Markov model to IEC 61508-6", Reliability Engineering & System Safety, Vol. 80(2), pp. 133–141, 2003.

[7] V.A. Zorich, "Mathematical Analysis I", ISBN 3-540-40386-8, Springer-Verlag, Berlin, 574 pages, 2004.

[8] J. Beugin, D. Renaux, L. Cauffriez, "A SIL quantification approach based on an operating situation model for safety evaluation in complex guided transportation systems", Reliability Engineering and System Safety, Vol. 92, pp. 1686–1700, 2007.

[9] P.J. Cacheux, S. Collas, Y. Dutuit, C. Folleau, J.P. Signoret, P. Thomas, "Assessment of the expected number and frequency of failures of periodically tested systems", Reliability Engineering and System Safety, Vol. 118, pp. 61–70, 2013.

[10] J.P. Signoret, Y. Dutuit, P.J. Cacheux, C. Folleau, S. Collas, P. Thomas, "Make your Petri nets understandable: Reliability block diagrams driven Petri nets", Reliability Engineering and System Safety, Vol. 113, pp. 61–75, 2013.

[11] F. Brissaud, D. Charpentier, A. Barros, C. Bérenguer, "Design of complex safety-related systems in accordance with IEC 61508", in Reliability, Risk and Safety: Theory and Applications, Guedes Soares & Martorell (Eds), Taylor & Francis Group, London, ISBN 978-0-415-55509-8, 2010.

[12] Y. Dutuit, F. Innal, A. Rauzy, J-P. Signoret, "Probabilistic assessments in relationship with safety integrity levels by using fault trees", Reliability Engineering and System Safety, Vol. 93, pp. 1867–1876, 2008.
