Pressure sensors fail to detect
COMMON CAUSE FAILURES 443
Pressure sensors
Pressure sensors fail independently
Random failure of pressure sensor 1
Random failure of pressuresensor 2
Fig. 10.17
Explicitmodeling of common cause failure of asystemwith twopressuresensors.
(Adapted from Summers and Raney 1999.) is the percentage of common causeDU failuresamong all DU failuresof acomponent.
Similarly, the spurious trip rate AST may be written as where
A
is the rate of independent ST failures that only affects one component, and
AKA is the rate of common cause ST failures that will cause failure of all the system components at the same time. The common cause factor is the percentage of common cause ST failures among all ST failures of a component.
Since there may be different failure mechanisms leading to DU and ST failures,
and
BST
need not be equal.
Diagnostic Self-Testingand Common Cause failures Common cause failures may be classified in two main types:
1.
Multiple failures that occur at the same time due to a common cause
2.
Multiple failures that occur due to a common cause, but not necessarily at the same time
As an example of type 2, consider a redundant structure of electronic components that are exposed to a common cause: increased temperature. The components will fail due to the common cause, but usually not at the same time. If we have an SIS with an adequate diagnostic coverage with respect to this type of failure, we may be able to detect the first common cause failure and take action before the system fails.

444 RELIABILITY OF SAFETY SYSTEMS
A system failure due to the common cause may therefore be avoided.
If the common cause, increased temperature,is due to a cooling fan failure, this should be explicitly modeled as illustrated in Example 10.12. Monitoring the condition of the cooling fan would in this case give an earlier warning than diag- nostic testing of the electronic components, and a higher probability of successful shutdown before a system common cause failure occurs.
A similar example is dis- cussed in IEC 61508-6withoutmentioningany explicitmodelingof the cooling fan.0
When we have identified the causes of potential common cause failures ( e g , by applying a checklist), we should carefully split the potential common cause failures in the two types (1 and 2) above. For each cause leading to failures of type 2 we should evaluate the ability of the diagnostic self-testing to reveal the failure (or the failure cause), the time required to take action, and the probability that this action will prevent a system failure.
It seems obvious that the common cause factor ,!?
for an SIS good diagnostic coverage should be lower than for a system with no, or a poor, diagnostic coverage.
Weshouldthereforebe carefuland not useestimatesfor from old-fashionedsystems when analyzing a modern SIS with good diagnostic coverage.
10.13
Reconsider the parallel system of two firedetectorsin Example 10.4,and assume that
DU failures occur with a common cause factor
BDU.
The PFD of the parallel system is from (10.10) and (10.13) approximately
With respect to spurious trips, the system is a series system, and the trip rate is therefore
The rate of spurious trips will therefore decrease when
BST increases.
By using the same data as in Example 10.4, A.DU
= 0.21
.
lop6 hours-' and t =
2190 hours, and
=
BST
= 0.10,we get form (10.27)
PFD(BDu)
%
5.71
.
+
2.30. lo-'
%
2.31
.
lo-'
We observe that with realistic estimates of ADU and t, PFDDu is dominated by the common cause term in (10.27). We may therefore use the approximation when
h D u T
is small.
0

COMMON CAUSE FAILURES 445
Example 10.14 2-out-of-3 System
The probability of failure on demand for a 2-out-of-3 system is from (10.12) and
(10.13)
With a local alarm on the logic solver we may avoid almost all independent spurious
(10.29) trips. All common cause failures will, on the other hand, result in a system spurious trip, and we therefore have k e 3 (BST) = B S T ~ S T
With the same data as in Example 10.13 we get from (10.29)
PFD(@Du)
%
1.71
.
+
2.30. lop5
RZ
2.32. lop5
(10.30)
As in Example 10.13 we observe that with realistic estimates of ADU and t, P F D D ~ is dominated by the common cause term in (10.29). We may therefore use the ap- proximation when h ~ u ist small.
In Example 10.13and Example 10.14we saw that the PFDDu
was dominated
0 by the common cause term of the expressions (10.27) and (10.29), respectively when k ~ u is t small. It is straightforward to show that the same applies to all koon systems, where n 3 2, and k 5 n .
We will therefore have that
(10.31) when k ~ u ist small. When @DU > 0, we will therefore get approximately the same result for all types of koon configurations, and the result is nearly independent of the number n of components, as long as n 3 2. This may not be a realistic feature of the
@-factormodel.
A more realistic alternative to the B-factor model has been proposed as part of the PDS approach that is described in Section 10.7.
IEC61508 recommends using the @-factormodel with a single "plant specific" @ that is determined by using a checklist for all voting configurations (see IEC61508-6, appendix D). This makes a comparison between different voting logics rather mean- ingless. Corneliussen and Hokstad (2003) have criticized the @-factormodel and introduced a multiple @-factor(MBF) model, that is a generalization of the @-factor model.
Remarks
0
Some reliability data sources (see Chapter 14) present the total failure rates, while other data sources only present the independent failure rates. The data in