
White Paper

Safety Availability Versus Process Availability


Introducing Spurious Trip Levels™

Date: 25 May 2006


Author(s): Dr. M.J.M. Houtermans

RISKNOWLOGY B.V.
Brunner bron 2
6441 GX Brunssum
The Netherlands
www.risknowlogy.com

RISKNOWLOGY Experts in Risk, Reliability and Safety



© 2002 - 2007 Risknowlogy

All Rights Reserved

Printed in The Netherlands

This document is the property of, and is proprietary to Risknowlogy. It is not to be disclosed in whole or in part and no portion of this document shall be
duplicated in any manner for any purpose without Risknowlogy’s expressed written authorization.

Risknowlogy, the Risknowlogy logo, functional safety data sheet, and spurious trip level are registered service marks.


Safety Availability Versus Process Availability


Introducing Spurious Trip Levels™

Dr. Michel J.M. Houtermans¹


Risknowlogy B.V., Brunssum, The Netherlands

1 Introduction
The functional safety industry is driven by the international standards IEC 61508 [1] and IEC 61511
[2]. These standards describe performance levels for safety functions and for the devices and systems
that carry out these safety functions. This performance is expressed as the so-called safety integrity
level (SIL). In practice there are four levels, SIL 1-4. The required SIL level is derived directly from the
process that needs to be protected by a safety function of a certain safety integrity: the more
dangerous the process, the more safety integrity is required of the safety function.
The SIL level is a measure of the qualitative and quantitative performance of the safety function.
The higher the SIL level, the more difficult it is for a product supplier to design and manufacture the
safety device, and the more difficult it is for end-users and system integrators to integrate safety
devices from different manufacturers into a complete safety system. The higher the SIL level, the more
safety has been, or needs to be, built into the devices and systems.
The quantitative part of the SIL level is expressed as the probability of failure on demand. This
means that we need to calculate the probability that the safety function cannot be carried out when
the process demands it. In other words: how likely is it that the safety function does not work
when we require it to work? The higher the SIL level, the more likely it is that the safety function works.
Besides demand mode functions, the IEC 61511 standard also refers to continuous mode
functions. Unlike demand mode functions, these safety functions have a direct impact
on the process when an internal failure occurs. Continuous mode functions therefore need to be
calculated per hour and not per demand, see Figure 1.

SIL   Demand mode                                 Continuous mode
      PFDavg                Risk reduction        PFH [/h]
4     ≥10^-5 to <10^-4      >10,000 to ≤100,000   ≥10^-9 to <10^-8
3     ≥10^-4 to <10^-3      >1000 to ≤10,000      ≥10^-8 to <10^-7
2     ≥10^-3 to <10^-2      >100 to ≤1000         ≥10^-7 to <10^-6
1     ≥10^-2 to <10^-1      >10 to ≤100           ≥10^-6 to <10^-5

Figure 1 – Safety Integrity Levels – A Measure of Safety Availability

¹ Corresponding author: m.j.m.houtermans@risknowlogy.com


2 End-users need safety availability and process availability


The probability of failure on demand (PFD) is a measure of safety availability, not of process
availability. The PFD gives us a feeling for how likely it is that the safety function is available, or
rather not available, when we need it. From an end-user's and from a safety point of view this is an
important measure, as it directly relates to the risk reduction achieved in running the process. But
a safety function is of no use when it causes too many spurious trips, i.e., undesired process
shutdowns while the process was running normally. These spurious trips are caused by internal
failure(s) of the safety device(s) due to random hardware failures, common cause failures or
systematic failures.
Safety functions that cause spurious trips are undesired for two reasons. First of all, the most
dangerous phases of running a process are process startup and process shutdown. Undesired
process shutdowns are especially critical, as they are not controlled shutdowns. A safety function
that causes undesired process shutdowns creates more safety problems than it resolves, so
we should avoid unnecessary shutdowns as much as possible. Second of all, a spurious process
shutdown results in a production loss and thus in undesired economic loss; it has a direct negative
impact on the economic performance of a company.
For an end-user it is important to have safety functions that offer both sufficient safety availability
and sufficient process availability. Unfortunately process availability is of almost no interest in the existing
functional safety standards IEC 61508 and IEC 61511. These standards define the SIL level but
do not define performance levels for spurious trips. For this purpose Risknowlogy has defined the so-called
Spurious Trip Level™. The purpose of the Spurious Trip Level™ is to give end-users an attribute
that helps them define the desired process availability of safety functions.

3 Spurious Trip Levels™


The Spurious Trip Level™ (STL) complements the SIL level. The STL level is a measure of how
often the safety function is carried out without a demand from the process. As of today the STL level
is only expressed quantitatively; there are no qualitative requirements. The quantitative requirements
are listed in Figure 2 and are expressed as the probability of fail safe (PFS). The PFS is the
probability that the safety function causes a spurious trip because of an internal failure of the safety
function. The PFS complements the PFD value.


STL   Probability of fail safe per year
x     ≥10^-(x+1) to <10^-x
...   ...
5     ≥10^-6 to <10^-5
4     ≥10^-5 to <10^-4
3     ≥10^-4 to <10^-3
2     ≥10^-3 to <10^-2
1     ≥10^-2 to <10^-1

Figure 2 – Spurious Trip Levels™


Unlike the SIL level there are an unlimited number of STL levels. The better the performance of the
safety function the higher the STL level.

4 STL for product suppliers


Today suppliers of safety devices provide end-users with (third party) statements about the
SIL level achieved by their devices, and system integrators provide end-users with PFD statements
about the complete safety loop. End-users thus have a good impression of the safety availability of
these devices and complete safety systems. Now end-users can also demand from suppliers and
system integrators statements about the probability of fail safe and the achieved STL level.

4.1 Example – LNG Level sensor


The following is an example of the PFD and PFS calculations for a level sensor used to measure the
level of LNG in storage tanks. The level sensor itself consists of mechanical hardware, electronic
hardware and software. For a complete description of the level sensor see [3]. The functional safety
characteristics of a single sensor are given in Table 1. From this table it can be concluded that a
single sensor can be used at most in a SIL 2 application. Because the software of a single
sensor was developed according to the SIL 3 requirements, it is possible to use multiple sensors to
achieve SIL 3. Table 2 gives a complete overview of the possible architectures for the level sensor
and their achievable SIL levels according to IEC 61508.

Table 1 – Functional safety characteristics of a single level sensor

Subsystem                                   Mechanical   Electronics   Electronics
Hardware
  Type                                      A            A             B
  Hardware fault tolerance                  0            0             0
  Safe failure fraction                     99.0%        93.2%         95.8%
  Safe detected failure rate [/h]           1.49E-9      2.00E-7       1.80E-8
  Safe undetected failure rate [/h]         1.50E-11     3.86E-8       9.50E-9
  Dangerous detected failure rate [/h]      1.32E-7      3.07E-7       1.80E-8
  Dangerous undetected failure rate [/h]    1.34E-9      3.97E-8       2.00E-9
  Maximum achievable SIL based on hardware  3            3             2
Software
  SIL                                       3

Table 2 – Overview of the possible architectures and their achievable SIL level

Attribute                  1oo1   1oo2   2oo3
Hardware fault tolerance   0      1      1
Fit for use in SIL         2      3      3

Table 3 gives an overview of the PFD, the PFS and the achieved SIL and STL levels of the LNG level
sensors in the different architectures. This table is particularly useful for end-users and system
integrators, as it shows how much of the overall SIL budget the level sensors consume. For
example, in order to achieve a SIL 2 safety loop the level sensor takes only 0.18% of the total PFD
allowed for SIL 2. For SIL 3 the level sensor takes even less: 0.004% and 0.033% respectively for the
1oo2 and 2oo3 configurations. Even when the safety loop is calculated over a period of 10 years the
level sensor consumes only a small part of the overall required PFD value. The PFS values are also
calculated for the different architectures of the level sensor. The best STL level is achieved by the
2oo3 sensor architecture.

Table 3 – Architecture and configuration overview

Attribute                          1oo1         1oo2         2oo3
PFD after 1 year                   1.802e-004   4.404e-008   3.287e-007
Percentage of PFD after 1 year     0.180%       0.004%       0.033%
PFD after 10 years                 1.771e-003   4.181e-006   3.201e-005
Percentage of PFD after 10 years   17.7%        0.42%        3.20%
Fit for use in SIL                 2            3            3
PFS after 1 year                   1.154e-006   9.701e-005   1.918e-010
Fit for use in STL                 5            4            9
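As an added example (not code from the paper or from Risknowlogy), the following Python reproduces the hardware side of Tables 1 to 3 and the band logic of Figures 1 and 2: it computes the safe failure fraction of each level-sensor subsystem from its four failure rates, applies the IEC 61508-2 architectural-constraint tables for HFT 0 and 1, and reads the SIL and STL off the PFD and PFS values reported in Table 3. The subsystem keys and function names are my own; the constraint tables are those of IEC 61508-2 (1999 edition).

```python
"""Hardware checks for the Table 1 level sensor and the SIL/STL bands of
Figures 1 and 2.  Added example, not the paper's own calculation code."""
import math

# Table 1 of the paper: (IEC 61508 type, lambda_SD, lambda_SU, lambda_DD, lambda_DU) [/h]
LEVEL_SENSOR = {
    "mechanical":    ("A", 1.49e-9, 1.50e-11, 1.32e-7, 1.34e-9),
    "electronics_a": ("A", 2.00e-7, 3.86e-8, 3.07e-7, 3.97e-8),
    "electronics_b": ("B", 1.80e-8, 9.50e-9, 1.80e-8, 2.00e-9),
}
# IEC 61508-2 architectural constraints (its Tables 2 and 3): maximum SIL for the
# SFF bands <60%, 60-<90%, 90-<99%, >=99%, indexed by HFT 0/1/2.  None = not allowed.
ARCH_CONSTRAINTS = {
    "A": [(1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)],
    "B": [(None, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)],
}
# Table 3 of the paper: architecture -> (HFT, PFD after 1 year, PFS after 1 year)
TABLE_3 = {"1oo1": (0, 1.802e-4, 1.154e-6),
           "1oo2": (1, 4.404e-8, 9.701e-5),
           "2oo3": (1, 3.287e-7, 1.918e-10)}

def sff(sd, su, dd, du):
    """Safe failure fraction: share of failures that are safe or dangerous-but-detected."""
    return (sd + su + dd) / (sd + su + dd + du)

def max_sil_hardware(dev_type, sff_value, hft):
    """Architectural-constraint lookup for one subsystem."""
    band = 0 if sff_value < 0.60 else 1 if sff_value < 0.90 else 2 if sff_value < 0.99 else 3
    return ARCH_CONSTRAINTS[dev_type][band][hft]

def subsystem_sil_limits(subsystems, hft):
    """Per-subsystem SIL limits plus the device limit: the weakest subsystem wins."""
    limits = {name: max_sil_hardware(dev_type, sff(*rates), hft)
              for name, (dev_type, *rates) in subsystems.items()}
    return limits, (None if None in limits.values() else min(limits.values()))

def sil_band(pfd):
    """Figure 1: SIL n when 10^-(n+1) <= PFD < 10^-n (n = 1..4); a PFD below 10^-5
    is treated as meeting the SIL 4 band, a PFD of 0.1 or more meets no band."""
    return min(4, math.floor(-math.log10(pfd))) if 0 < pfd < 0.1 else None

def stl_from_pfs(pfs):
    """Figure 2: STL x when 10^-(x+1) <= PFS < 10^-x, with no upper limit on x."""
    return math.floor(-math.log10(pfs)) if 0 < pfs < 0.1 else None

def fit_for_use(arch):
    """Achievable SIL is capped by both the PFD band and the hardware constraints
    of the sensor; the STL follows from the PFS alone."""
    hft, pfd, pfs = TABLE_3[arch]
    _, hw_limit = subsystem_sil_limits(LEVEL_SENSOR, hft)
    band = sil_band(pfd)
    sil = None if hw_limit is None or band is None else min(hw_limit, band)
    return sil, stl_from_pfs(pfs)
```

Running `fit_for_use` for the three architectures returns the (SIL, STL) pairs of Table 3, and `subsystem_sil_limits` returns the per-subsystem maxima of Table 1.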


Figure 3 shows how the probability of failure on demand develops over time for all three architectures.
A graphical representation like this can be used by an end-user to determine periodic proof test
intervals, but only if the logic solver and the actuating part are also included in the
calculation. The 1oo1 architecture clearly performs the worst of the three. The reason
that the 1oo2 architecture performs better than the 2oo3 architecture is that the 2oo3
has more ways to fail.

Figure 3 – Probability of Failure on Demand for 1oo1, 1oo2, and 2oo3 architectures.

Figure 4 – Safety availability calculations for 1oo1, 1oo2, and 2oo3 architectures


Figure 5 – Process availability calculations for 1oo1, 1oo2, and 2oo3 architectures


5 STL for end-users


End-users can use the STL to specify a process availability target for their safety instrumented systems.
Specifying a target SIL together with a target STL assures the end-user that the safety
instrumented system delivers sufficient safety and does not cause unnecessary shutdowns.

5.1 Example – safety instrumented system


The following is an example of the PFD and PFS calculations for a complete safety instrumented
system. A storage tank holds liquefied gas, which needs to be processed through a vaporizer so
that the resulting gas is suitable for consumption by the client. Under no circumstances should liquefied
gas flow into the piping system at the client side. This piping system is not suitable for liquefied
gas and would fail instantly, not only damaging equipment but also causing a hazardous situation and
loss of production.
The safety instrumented system consists of a sensor section, a logic solver section and an actuator
section. The sensor section is a 2oo3 system in which each leg consists of an RTD connected to a
threshold relay. Each threshold relay is connected to an input of the logic solver. The architecture of
the logic solver is not clear, but the 2oo3 voting of the sensors takes place inside the logic solver. The
logic solver activates the actuators via four output channels if the temperature set point is
reached. The actuator section is a 1oo2 valve section; each leg of the actuator consists of
2oo2 solenoid valves driving a 1oo1 pneumatic valve.

[Figure 6 – Architecture Safety Instrumented System: three sensor legs (TT with TR) feeding the logic solver, which drives four SOV outputs acting on two FCVs]

The following component reliability data has been used for the components listed in Figure 6.


Table 4 – Equipment reliability data

#   Model          OFR [/h]   SF [%]   DDC [%]   SDC [%]   Architecture   SFF   Type
1   PT100          1.688E-6   50%      0%        0%        1oo1           50%   A
2   TR             1.688E-6   50%      0%        0%        1oo1           50%   A
3   Logic solver   4.566E-8   50%      50%       50%       1oo1           75%   B
4   SOV            2.000E-6   50%      0%        0%        1oo1           50%   A
5   FCV            2.283E-7   50%      0%        0%        1oo1           50%   A

The following reliability properties are calculated using Markov modeling:

- PFD: the probability that the safety function has failed upon demand;
- PFDavg: the average probability that the safety function has failed upon demand;
- PFS: the probability that the safety function causes a spurious trip of the process;
- Safety availability: the probability that the safety function is available to protect the process.

Based on the reliability data and the Markov model the results are presented in Table 5. An overview
of the development of the PFD, PFDavg and Safety Availability is given respectively in Figure 7,
Figure 8, and Figure 9:
Table 5 – Results of the analysis

Parameter               Value
Mission time            1 year
PFD                     3.916168e-003
PFDavg                  1.860371e-003
PFS                     2.962833e-003
Safety availability     9.960626e-001
SIL based on PFDavg     2
STL based on PFS        2
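To show what the Markov modeling behind Table 5 involves, here is an added example (not the paper's or Risknowlogy's model) of a discrete-time Markov chain for a single 1oo1 channel parameterised from Table 4; it yields the four properties listed above for one component, not for the complete loop of Table 5. The repair rate (an MTTR of 8 h), the one-hour step, the treatment of PFS as accumulated trip probability and the definition of safety availability as 1 - PFD(t) are my assumptions; only the OFR, SF, DDC and SDC values come from the paper.

```python
"""Discrete-time Markov model of one 1oo1 channel, parameterised as in Table 4
(overall failure rate OFR, safe fraction SF, dangerous and safe diagnostic coverage
DDC and SDC).  Added example; the paper's own loop-level Markov model is not shown."""

HOURS_PER_YEAR = 8760

# Table 4 of the paper: model -> (OFR [/h], SF, DDC, SDC)
TABLE_4 = {"PT100": (1.688e-6, 0.5, 0.0, 0.0), "TR": (1.688e-6, 0.5, 0.0, 0.0),
           "Logic solver": (4.566e-8, 0.5, 0.5, 0.5),
           "SOV": (2.000e-6, 0.5, 0.0, 0.0), "FCV": (2.283e-7, 0.5, 0.0, 0.0)}

def split_rates(ofr, sf, ddc, sdc):
    """Split OFR into the four IEC 61508 failure classes and also return
    SFF = (lambda_S + lambda_DD) / OFR, which reproduces Table 4's SFF column."""
    lam_s, lam_d = ofr * sf, ofr * (1.0 - sf)
    rates = {"SD": lam_s * sdc, "SU": lam_s * (1.0 - sdc),
             "DD": lam_d * ddc, "DU": lam_d * (1.0 - ddc)}
    return rates, (lam_s + rates["DD"]) / ofr

def markov_1oo1(ofr, sf, ddc, sdc, hours=HOURS_PER_YEAR, mttr=8.0):
    """States: 0 OK, 1 safe failed (process tripped), 2 dangerous detected,
    3 dangerous undetected.  Assumed, not from the paper: safe and detected
    failures are repaired at rate 1/mttr, DU failures persist until the proof
    test at the end of the mission, one-hour steps with first-order transitions."""
    r, _ = split_rates(ofr, sf, ddc, sdc)
    mu, lam_s, leave = 1.0 / mttr, r["SD"] + r["SU"], sum(r.values())
    p0, p1, p2, p3 = 1.0, 0.0, 0.0, 0.0
    pfd_sum = trips = 0.0
    for _ in range(hours):
        new_trip = p0 * lam_s                    # mass entering the tripped state
        p0, p1, p2, p3 = (p0 * (1.0 - leave) + (p1 + p2) * mu,
                          p1 * (1.0 - mu) + new_trip,
                          p2 * (1.0 - mu) + p0 * r["DD"],
                          p3 + p0 * r["DU"])
        trips += new_trip
        pfd_sum += p2 + p3                       # PFD(t): in a dangerous state
    pfd = p2 + p3
    return {"PFD": pfd, "PFDavg": pfd_sum / hours,
            # accumulated trip mass approximates the probability of at least
            # one spurious trip during the mission while it is << 1
            "PFS": trips,
            "SafetyAvailability": 1.0 - pfd}     # assumed definition: 1 - PFD(t)

def sff_of(model):
    """SFF of a Table 4 component, for comparison with the table's SFF column."""
    return split_rates(*TABLE_4[model])[1]

def evaluate(model, **kw):
    """Run the 1oo1 model for one Table 4 component over one mission."""
    return markov_1oo1(*TABLE_4[model], **kw)
```

For the PT100 the model gives a PFD and a PFS of roughly 7.4e-3 after one year and a PFDavg of roughly 3.7e-3, i.e. about half the end-of-mission PFD, as expected for a channel whose dangerous undetected failures are only cleared at the proof test.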


Figure 7 – PFD and PFD average

Figure 8 – PFS


Figure 9 – Safety Availability

References

1. IEC 61508, Functional safety for electrical, electronic, programmable electronic safety-related systems. Geneva, Switzerland, 1999.
2. IEC 61511, Functional safety – Safety instrumented systems for the process industry sector. Geneva, Switzerland, 2003.
3. L. Monfilliette, P. Versluys, M.J.M. Houtermans, Certified Level Sensor For The Liquefied Natural Gas Industry, TÜV Symposium, Cologne, Germany, May 2006.


Appendix - Frequently Asked Questions

1. Why is the STL level an important property?
The STL level is an important property for two reasons. First of all, it gives us an indication of
how often a device or safety function will cause a spurious trip. Second of all, it allows
us to compare devices and safety functions with each other, so that we can choose the most
appropriate devices and safety function architectures.

2. Our system has a high SIL level and yet it causes a lot of trips. How can that be?
The SIL analysis required by the standards is a theoretical analysis. If there is a mismatch
between what is calculated in theory and how the system performs in reality, then we need to
adjust our theoretical analysis and redo the calculations. On the other hand, it
is more a problem of the designers: they need to redesign their safety devices in a way that
they do meet the appropriate SIL level. Their initial analysis was not based on the right
“theory”.

3. What is the difference between PFD and PFS?
The PFD and PFS are both properties of the safety function. The PFD is a measure of safety
availability and is calculated by determining the probability of a failure on demand of the
safety function. The PFS is a measure of process availability and is calculated by determining
the probability of causing a spurious trip failure, i.e., the probability of fail safe.

4. What is the difference between SIL and STL?
The PFD value of a safety loop is one requirement that determines the SIL level of that loop.
The PFS value of a safety loop is one requirement that determines the STL level of that loop.
Both values play an important role. The SIL of a safety function states how reliable the
safety function needs to be in order to achieve process safety, or safety availability. The STL
of a safety function states how reliable a safety function needs to be in order to achieve
process availability.

5. Is the STL defined by the IEC 61508 or 61511 standards?
No, there are no standards that define STL levels. The STL levels originated from the
Risknowlogy company, which also defined the ranges for the STL levels. The IEC 61511 standard
requires the spurious trip rate to be defined for each safety function but makes no statement
about what it should be.

6. Which STL level does my process need?
Like the SIL level, the required STL level needs to be determined by the end-users. At the
moment no end-user is setting targets for their STL levels. In the future the desired STL level
will be determined via, and be part of, the risk analysis, just like the desired SIL level.
