A safe failure of a Safety Instrumented Function (SIF) results in the system being placed in a safe state, such as an emergency stop, even if the SIF fails to perform its primary task. Conversely, a dangerous failure prevents the SIF from operating as needed, leaving the machine in a hazardous state and failing to achieve the required safe condition. These failure types are categorized as detected (diagnosed) or undetected, and their rates are crucial for determining a SIF’s Safety Integrity Level (SIL).
Safe Failures
- Definition: The failure of a component leads to the SIF activating to a safe state. A safe failure causes spurious operation of the safety function, which brings the EUC (or part of it) into a safe state or maintains a safe state.
- Safe failures result in a loss of production or services, but not a loss of safety.
A spurious activation of an SIS will normally result in the safe state of the equipment under control (EUC). However, spurious activations may be unwanted due to:
- Generation of unnecessary production losses.
- Generation of “false alarms”, which may in turn lead to loss of confidence in the SIS.
- Increased risk of dangerous events following a spurious activation, for example during start-up.
- Excessive stress on components and systems during shutdown and start-up.
- Spurious activation can also create a dangerous event. For example, spontaneous airbag deployment while driving.
Example: A power contactor failing open even though the control signal is present, resulting in an emergency stop of the machine.
Sub-types:
- Safe Detected: A safe failure that is identified by the system’s diagnostic measures.
Examples (pressure transmitter): Fail output high (> 21.5 mA), Fail output low (< 3.6 mA).
- Safe Undetected: A safe failure that is not detected by diagnostics; it is found by preventive maintenance or during proof testing.
Examples (pressure transmitter): Fail output frozen, Fail output drifting.
Dangerous Failures
Definition: A failure that prevents the Safety Instrumented Function (SIF) from performing its safety function when it is needed, so the SIF cannot bring the system to the safe state and the system is left in a potentially hazardous condition.
- It causes the failure of a safety function so that the EUC is put into a dangerous or potentially dangerous state.
- It decreases the probability that the safety function operates correctly when required.
- Dangerous failures lead to a loss of safety.
Examples:
- A pressure sensor failing to sense a high-pressure condition, allowing the dangerous movement to continue
- A valve stem sheared from the ball
- Solenoid signal not activating the actuator
- Major internal leak
- A valve getting stuck in the open position in a closed-on-trip application
- A transmitter shorting (even if you know about it, you cannot do anything about it)
- Output driven to its upper limit
Sub-types:
- Dangerous Detected: A dangerous failure that is noticed and reported by the system’s diagnostics.
- Dangerous Undetected: A dangerous failure that goes unnoticed by the diagnostics, making it a significant safety concern.
Why it Matters
- Safety Integrity Level (SIL): The rate of dangerous, undetected failures is a key factor in determining a SIF’s SIL, which represents the required level of safety for a given hazard.
- Diagnostic Coverage: High diagnostic coverage (detecting dangerous failures) is essential to reduce the probability of dangerous undetected failures, thereby lowering the overall risk and leading to a lower PFDavg (average Probability of Failure on Demand).
- System Design: Understanding these failure types helps engineers design systems with appropriate redundancy and diagnostic capabilities to ensure they meet the required safety targets.
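As an added worked example (not part of the original article), the following Python applies the transmitter current limits quoted above and the four failure-rate categories to compute diagnostic coverage, safe failure fraction, a simplified 1oo1 PFDavg and the resulting SIL band. The failure-rate values used with it are constructed for illustration, and the PFDavg formula is the simplified IEC 61508-6 form with mean repair time folded into MTTR.

```python
# Added example (not from the original article): apply the page's transmitter
# current limits and four failure-rate categories. Rate values are constructed.
from dataclasses import dataclass

FAIL_HIGH_MA = 21.5  # text: output above this is a safe detected failure
FAIL_LOW_MA = 3.6    # text: output below this is a safe detected failure

def classify_output(ma: float) -> str:
    """Classify a transmitter loop current against the diagnostic limits."""
    if ma > FAIL_HIGH_MA:
        return "safe detected (fail high)"
    if ma < FAIL_LOW_MA:
        return "safe detected (fail low)"
    # An in-range value tells the diagnostics nothing: a frozen or drifting
    # signal here is an undetected failure, caught only by proof testing.
    return "in range (undetected failures need proof test)"

@dataclass
class FailureRates:
    """Failure rates (per hour) in the four categories from the text."""
    safe_detected: float
    safe_undetected: float
    dangerous_detected: float
    dangerous_undetected: float

    def diagnostic_coverage(self) -> float:
        """DC: share of dangerous failures the diagnostics catch."""
        dangerous = self.dangerous_detected + self.dangerous_undetected
        return self.dangerous_detected / dangerous

    def safe_failure_fraction(self) -> float:
        """SFF: all failures except dangerous undetected, over the total."""
        total = (self.safe_detected + self.safe_undetected
                 + self.dangerous_detected + self.dangerous_undetected)
        return (total - self.dangerous_undetected) / total

    def pfd_avg_1oo1(self, proof_test_h: float, mttr_h: float) -> float:
        """Simplified 1oo1 PFDavg (IEC 61508-6 form, MRT folded into MTTR):
        undetected faults persist half a proof-test interval on average,
        detected faults only for the repair time."""
        return (self.dangerous_undetected * proof_test_h / 2
                + self.dangerous_detected * mttr_h)

def sil_band(pfd_avg: float) -> int:
    """IEC 61508 low-demand SIL band for a PFDavg (0 means below SIL 1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd_avg < upper:
            return sil
    return 0
```

With constructed rates of 2e-7, 1e-7, 3e-7 and 1e-7 per hour, a one-year proof-test interval and an 8 h MTTR, the dangerous undetected term dominates the PFDavg; halving that term (better proof-test interval or more diagnostic coverage) is what moves the SIL band, which is the point made under Diagnostic Coverage above.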