Probability of Failure on Demand (PFD)

The Probability of Failure on Demand (PFD) is a critical metric in safety and reliability engineering. It quantifies the likelihood that a system or Safety Instrumented Function (SIF) will fail to perform its intended function when needed. PFD is particularly significant in the context of Safety Integrity Levels (SIL) and process safety risk assessments.

The PFD is the probability that, when challenged, the IPL will fail to perform its required function and, therefore, the scenario will continue toward the undesired consequence despite the presence of that IPL.

While PFDavg, is the probability of failure on demand averaged over the entire lifetime of the SIF.

PFD values used within an organization should be applied consistently although variations between different facilities are appropriate if justified by differences in design, construction, installation, inspection or maintenance. The PFD values should also be consistent with the failure rates used to develop initiating event frequencies and risk tolerance criteria.

Frequent testing is required to achieve the claimed PFD value (documentation that such testing has been performed satisfactorily at the required interval must be maintained). The PFD of an IPL is usually related to its test frequency. The longer the period between testing, the higher the PFD. The assumed PFD of an IPL must be consistent with the actual test frequency.

What Is PFD (Probability of Failure on Demand)?

PFD represents the probability that a system will fail dangerously and cannot perform its safety function during demand. It can be measured as an average probability (PFDavg) or maximum probability over a specified time frame. Standards such as IEC 61508/61511 and ISA 84.01 use PFDavg to define SIL ratings. Each SIL level is associated with a specific PFDavg value, increasing by an order of magnitude with higher SIL levels.

For example:

• A SIL 1 system corresponds to a PFDavg between 0.1 and 0.01.
• A SIL 2 system requires a PFDavg between 0.01 and 0.001.

This ensures that as the SIL level increases, the risk of failure decreases significantly.

The PFD for an IPL is the probability that, when demanded, it will not perform the required task. Failure to perform could be caused by

• a component of an IPL being in a failed or unsafe state when the initiating event occurs; or
• a component failing during the performance of its task, or
• human intervention failing to be effective, etc.

The PFD is intended to account for all potential failure to danger modes. Failure to danger means the IPL fails such that it cannot perform the required task on demand.) Thus, it is a simplified concept and must be applied with caution. In particular, the PFD for a BPCS function includes factors such as human error in programming, bypassing interlocks, and the typical security systems that are in place to control access to the BPCS logic solver.

How Is PFD Calculated?

To calculate PFD, the failure rates of individual components in the Safety Instrumented System (SIS) must be evaluated. This includes:

• Sensors
• Logic solvers
• Final elements (e.g., valves or actuators)

The calculation also depends on:

• System architecture
• Redundancy implementation
• Test intervals and repair times

The formula typically uses probabilities ranging from 0 to 1, where lower values indicate greater reliability. For instance, if a system must reduce accident rates by a factor of 100, it must not fail more than once in 100 demands, requiring a PFDavg of 0.01.

Key Facts About PFD

1. Defined by Standards: PFDavg target levels are outlined in IEC 61508 for low-demand modes. High/continuous demand modes use a different metric called Probability of Failure per Hour (PFH).
2. Simplified Calculations: PFDavg can be calculated using as few as two variables or as many as nine, depending on system complexity.
3. Certification Requirement: Achieving a specific PFDavg is one of three design barriers necessary for SIL certification.
4. Device Performance:
   • Smart Type B devices, like logic solvers, generally have low PFDavg values, enabling high SIL ratings.
   • Final element assemblies may only meet SIL 1, though improvements in diagnostics and proof testing can elevate them to SIL 2.
5. Inverse Relationship with Risk Reduction Factor (RRF):
   • PFDavg = 1/RRF
   • Lower PFDavg values correspond to higher RRFs, reducing risk.

PFD and Safety Integrity Levels (SIL)

SIL ratings categorize systems based on their PFDavg values:

• SIL 1: PFDavg between 0.1 and 0.01
• SIL 2: PFDavg between 0.01 and 0.001
• SIL 3: PFDavg between 0.001 and 0.0001
• SIL 4 (if applicable): PFDavg below 0.0001

Each SIL level corresponds to a defined Risk Reduction Factor (RRF) range, emphasizing the system’s ability to mitigate risks effectively.

Final Thoughts

Understanding Probability of Failure on Demand (PFD) is essential for achieving and maintaining process safety in industries like oil and gas, chemical engineering, and manufacturing. By adhering to standards such as IEC 61508, engineers can design systems that meet required SIL levels, ensuring operational reliability and safety.

Optimizing PFDavg calculations, improving diagnostics, and performing regular proof tests are practical steps to enhance a system’s reliability and safety integrity.

Top References

1. Safety Instrumented Systems Verification: Practical Probabilistic Calculations by William M. Goble Harry Cheddie
2. https://www.exida.com
3. Safety Integrity Level Selection, Systematic Methods Including Layer of Protection Analysis Edward M. Marszal, P.E., C.F.S.E., Dr. Eric W. Scharpf, MIPENZ
4. Layer of Protection Analysis, Simplified Risk Assessment by CCPS.
5. Practical Industrial Safety, Risk Assessment and Shutdown Systems by Dave MacDonald
6. www.petrotask.com