• No results found

Part II Articles

Article 10 on architectural constraints (conference)

4.6 Failure classification

During SIS design, construction, and operation, it is important to avoid intro-ducing failures, to reveal failures, and to correct failures. Failure classification systems are useful means to get more insight into why components fail and what the consequences are. In the following, we briefly discuss some of the main ap-proaches for classifying failure causes and effects.

Failure classification in OREDA

OREDA handbooks [101, 60] include reliability data collected from oil and gas installations. Here, failure causes are classified as either design-related, fabrication/installation-related, operation/maintenance related, or miscellaneous (not identified or covered by the other categories).

Failure effects are split into critical, degraded, and incipient. A critical failure is defined as a failure of an equipment unit which causes an immediate cessation of the ability to perform a required function. In this context, the term “required function ” comprises two elements: The ability to activate on demand and the ability to maintain production when safe (no demands) [114]. This failure cate-gory therefore includes failures that may prevent the execution of a SIF as well as unintended (spurious) activation failures.

Degraded failures and incipient failures are partial failures. For degraded fail-ures, this means that some of the functions have failed, but without ceasing the fundamental functions. A hydraulic leakage in an actuator for a fail-safe (close) valve may, for example, lead to spurious closure of the valve, but will not, while in open position, prevent the valve from closing on demand.

An incipient failure is the onset of a degraded failure, and will, if no correc-tive action is taken, develop into a degraded failure.

Failure classification in IEC 61508 and IEC 61511

IEC 61508 [38] and IEC 61511 [39] distinguish between random hardware fail-ures or systematic failfail-ures for failure causes and safe and dangerous failfail-ures for the failure effects. The relationship between all failure categories used by the IEC standards is illustrated in Fig. 4.5.

Random hardware failures are failures that are due to normal degradation, and which for this reason, may be predicted based on a failure distribution function.

For safety and reliability assessments of SIS, we often assume exponentially distributed time to failure, which means that we use a constant rate of occurrence of failures (“failure rate”).

Systematic failures are failures that are introduced due to design errors, im-plementation errors, installation errors, or operation and maintenance errors. Un-like random hardware failures, their occurrence cannot be predicted. Instead, the

4.6 Failure classification 213

Design errors

Human interaction

errors

Environ-mental stresses

Normal degradation

Systematic failures

Random hardware failures

Safe

Dangerous

Detected

Undetected Detected

Undetected

Detected

Undetected Detected Undetected Safe

Dangerous Causes Effects

Fig. 4.5. Classification of failures

IEC standards suggest a number of methods and requirements for avoidance and control with systematic failures. In practise, systematic failures as well as ran-dom failures are recorded by the oil companies, and we may assume (even if it is not mathematically correct) that failure rates to some extent reflect both failure categories.

A failure type that does not fit entirely into the classification system of sys-tematic or random hardware failures, is the CCFs. Per definition, these failures are dependent failures [108] and cannot be classified as random random hard-ware failure. For this reason, they should belong to the class of systematic fail-ures. A systematic failure is, however, used to classify individual failures, while a CCF includes the failure of more than one component. Still, the causes of sys-tematic failures and CCFs are similar, and defense measures against syssys-tematic failures may therefore also be efficient means to defend against CCFs.

When including CCFs in reliability calculations, we extract a fraction (e.g., β)of the random hardware failure rate and classify it as the CCF rate. This means that we indirectly give CCFs some of the same properties as the random failures, for example a constant failure rate. This is a somewhat contradicting approach, but still widely used in the industry.

IEC 61508 [38] and IEC 61511 [39] distinguish between safe and dangerous failure effects. A dangerous failure is a failure which has the potential to put the

safety instrumented system in a hazardous or fail-to-function state [39], whereas a safe failure does not have this potential. A failure that prevents the valve from closing on demand is defined as a dangerous failures, while a spurious valve closure is defined as a safe failure. This may indicate that the IEC standards consider spurious activation as less safety-critical than OREDA.

Safe and dangerous failures may be further split into detected and undetected failures. A detected failure is a failure that is revealed by online diagnostics [39], and, in some cases, by operators during normal operation [114] and which is corrected or acted upon shortly after its occurrence.

Undetected failures are failures that are only revealed by a function test or upon a demand. The dangerous undetected failures are therefore of vital impor-tance when calculating the SIS reliability as they are a main contributor to SIS unavailability.

Other classification systems

The PDS method [114] also distinguishes between random hardware failures and systematic failures. Here, the aging (normal degradation) failures are related to random hardware failures, while environmental stresses, design failures, and (human) interaction failures are considered to be causes of systematic failures.

In practise, it is often difficult to discriminate between an aging failure or a stress failure [114]. As illustrated with the dotted line in Fig. 4.5, the class of random hardware failures may sometimes include both environmental stress related fail-ures and aging failfail-ures.

The PDS method has adopted the concept of safe and dangerous failures for classifying failure effects. In addition, they use the concept of critical and non-critical failures. The main intention with this amendment is to distinguish between the more “severe” safe failures (i.e. spurious activations) and the less severe ones (e.g., small drift in signal).

The approach taken by the PDS method has some practical benefits, partic-ulary when calculating the safe failure fraction (SFF). The SFF is used in the IEC 61508 and IEC 61511 to determine the required level of hardware fault tol-erance, and is the fraction of safe and dangerous detected failures among all fail-ures. The use of the SFF as a design parameter has been criticized, as it may be manipulated by adding superfluous equipment with high safe failure rates [71].

By extracting the non-critical failures from the safe failure category, the ability to manipulate the SFF is reduced.

Related documents