Equipment Failure Modes (Goble05.book, page 83, Thursday, March 31, 2005 10:39 PM)

Summary:
1. The document discusses failure modes of instrumentation equipment used in safety instrumented systems. It defines failure modes as how equipment can fail, such as producing a constant output, drifting output, or failing to output.
2. It provides examples of classifying the failure modes of a pressure transmitter and PLC based on whether they would cause a false trip (fail-safe) or prevent automatic protection (fail-dangerous) in different applications.
3. The classifications are meant to apply to individual instruments and may not reflect the failure behavior of the overall safety function if redundancy is present.

6 Equipment Failure Modes

Introduction
A reliability engineer's first design priority is successful operation. Great
effort must be made to ensure that things work. This priority is certainly
logical for most systems, because for them the failure mode is not relevant.
In safety instrumented systems, however, the failure mode is very
important. It makes a difference whether the system fails in a way that causes
a false trip or in a way that prevents the automatic protection.

Actual failures of instruments can be classified as "fail-safe,"
"fail-danger," or another failure mode. Such failure modes will be defined in
this chapter in the context of an individual instrument. Note that
sometimes the application must be understood before these classifications
can be made. It must be remembered that the safety instrumented function
may or may not fail when one instrument has failed. A redundant
architecture may compensate for instrument failures.

Equipment Failure Modes


Instrumentation equipment can fail in different ways. We call these
“failure modes.” Consider a two-wire pressure transmitter. This
instrument is designed to provide a 4 – 20 milliamp signal in proportion to
the pressure input. Detailed failure modes, effects, and diagnostic analyses
of several of these devices reveal a number of failure modes: frozen
output, current to upper limit, current to lower limit, diagnostic failure,
communications failure, and drifting/erratic output among perhaps
others. These instrument failures can be classified into failure mode
categories when the application is known.


If a single transmitter (no redundancy) were connected to a safety PLC
programmed to trip when the current goes up (high trip), then the
instrument failure modes could be classified as shown in Table 6-1.
Table 6-1. Transmitter Failure Mode Categories

  Instrument Failure Mode      SIF Failure Mode
  ---------------------------  ----------------
  Frozen output                Fail-Danger
  Output to upper limit        Fail-Safe
  Output to lower limit        Fail-Danger
  Diagnostic failure           Annunciation
  Communication failure        No Effect
  Drifting / erratic output    Fail-Danger
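As an added illustration (not from the book), the following Python derives the Table 6-1 categories from the trip logic instead of looking them up, and then shows how the same raw transmitter failures are classified differently when the PLC is programmed for a low trip. The 0-100 psi span, the trip points, the normal and demand pressures, and the fault magnitudes (21 mA, 3.6 mA, 2 mA drift) are constructed assumptions.

```python
# Added example, not from the book: derive SIF failure-mode categories for a
# two-wire 4-20 mA pressure transmitter from the trip logic of a 1oo1 safety PLC.
from typing import Callable, Dict

SPAN_PSI = 100.0  # constructed: transmitter calibrated 0-100 psi -> 4-20 mA

def pressure_to_ma(psi: float) -> float:
    """Ideal transmitter output, clamped to the calibrated span."""
    return 4.0 + 16.0 * max(0.0, min(psi, SPAN_PSI)) / SPAN_PSI

def signal_failure_modes(normal_ma: float, trip_dir: str) -> Dict[str, Callable[[float], float]]:
    """Raw failure modes that corrupt the loop current (magnitudes are constructed).
    Drift is taken in the worst case: away from the trip point."""
    drift = -2.0 if trip_dir == "high" else 2.0
    return {
        "Frozen output": lambda true_ma: normal_ma,            # stuck at the pre-failure reading
        "Output to upper limit": lambda true_ma: 21.0,         # above the 20 mA span
        "Output to lower limit": lambda true_ma: 3.6,          # below the 4 mA span
        "Drifting / erratic output": lambda true_ma: true_ma + drift,
    }

def trips(observed_ma: float, trip_ma: float, trip_dir: str) -> bool:
    """PLC comparator: high trip when current rises, low trip when it falls."""
    return observed_ma >= trip_ma if trip_dir == "high" else observed_ma <= trip_ma

def classify(trip_dir: str, trip_psi: float, normal_psi: float, demand_psi: float) -> Dict[str, str]:
    """Fail-Safe if the fault trips the SIF during normal operation (false trip);
    Fail-Danger if it prevents the trip when a real demand arrives."""
    trip_ma = pressure_to_ma(trip_psi)
    normal_ma, demand_ma = pressure_to_ma(normal_psi), pressure_to_ma(demand_psi)
    categories = {}
    for name, fault in signal_failure_modes(normal_ma, trip_dir).items():
        if trips(fault(normal_ma), trip_ma, trip_dir):
            categories[name] = "Fail-Safe"
        elif not trips(fault(demand_ma), trip_ma, trip_dir):
            categories[name] = "Fail-Danger"
        else:
            categories[name] = "No Effect"
    # These modes leave the 4-20 mA signal intact; their categories follow the chapter's definitions.
    categories["Diagnostic failure"] = "Annunciation"
    categories["Communication failure"] = "No Effect"
    return categories

if __name__ == "__main__":
    # High trip at 80 psi (the Table 6-1 case) versus a low trip at 20 psi; normal process at 50 psi.
    for trip_dir, trip_psi, demand_psi in (("high", 80.0, 90.0), ("low", 20.0, 10.0)):
        print(f"{trip_dir} trip:")
        for mode, cat in classify(trip_dir, trip_psi, 50.0, demand_psi).items():
            print(f"  {mode:28s} {cat}")
```

With the high trip the derived categories match Table 6-1; with the low trip the upper- and lower-limit rows swap, which is why the application must be known before classifying.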

Consider possible failure modes of a PLC with a digital input and a digital
output; both in a de-energize to trip (logic 0) design. The PLC failure
modes can be categorized relative to the safety function as shown in Table
6-2.
Table 6-2. PLC Failure Mode Categories

  Instrument Failure Mode                  SIF Failure Mode
  ---------------------------------------  -------------------------------
  Input stuck high                         Fail-Danger
  Input stuck low                          Fail-Safe
  Input circuit oscillates                 Fail-Danger*
  Output stuck high                        Fail-Danger
  Output stuck low                         Fail-Safe
  Improper CPU execution                   50% Fail-Safe / 50% Fail-Danger
  Memory transient failure                 50% Fail-Safe / 50% Fail-Danger
  Memory permanent failure                 50% Fail-Safe / 50% Fail-Danger
  Power supply low (out of tolerance)      Fail-Danger*
  Power supply high (out of tolerance)     Fail-Danger*
  Power supply zero                        Fail-Safe
  Diagnostic timer failure                 Annunciation
  Loss of communication link               No Effect
  Display panel failed                     No Effect

  * unpredictable - assume worst case

Final element components will fail also, and again the specific failure
modes of the components can be classified into relevant failure modes
depending on the application. It is important to know whether a valve will
open or close on trip. Table 6-3 shows an example failure mode
classification based on a close to trip configuration.

Table 6-3. Final Element Failure Mode Categories

  Instrument Failure Mode                  SIF Failure Mode
  ---------------------------------------  ----------------
  Solenoid plunger stuck                   Fail-Danger
  Solenoid coil burnout                    Fail-Safe
  Actuator shaft failure                   Fail-Danger*
  Actuator seal failure                    Fail-Safe
  Actuator spring failure                  Fail-Danger
  Actuator structure failure - air         Fail-Safe
  Actuator structure failure - binding     Fail-Danger*
  Valve shaft failure                      Fail-Danger*
  Valve external seal failure              No Effect
  Valve internal seal damage               Fail-Danger
  Valve ball stuck in position             Fail-Danger

  * unpredictable - assume worst case

It should be noted that the above failure mode categories apply to an
individual instrument and may not apply to the set of equipment that
performs a safety instrumented function because the equipment set may
contain redundancy. It should also be made clear that the above listings
are not intended to be comprehensive or representative of all component
types.

Fail-Safe
Most practitioners define “Fail-Safe” for an instrument as a failure that
causes a “false or spurious” trip of a safety instrumented function
unless that trip is prevented by the architecture of the safety
instrumented function. Many formal definitions have been attempted
that include “a failure which causes the system to go to a safe state or
increases the probability of going to a safe state.” This definition is useful
at the system level and includes many cases where redundant
architectures are used.

IEC 61508 uses the definition “failure which does not have the potential to
put the safety-related system in a hazardous or fail-to-function state.” This
definition includes many failures that do not cause a false trip under any
circumstances and is quite different from the definition practitioners need
to calculate the false trip probability. Using this definition, all failure
modes that are NOT dangerous are called “safe.” This definition is not
used in this book as most practitioners require more detail.

Fail-Danger
Many practitioners define "Fail-Danger" as a failure that prevents a
safety instrumented function from performing its automatic protection
function. Variations of this definition exist in standards. IEC 61508
provides a definition similar to the one used herein, which reads: "failure
which has the potential to put the safety-related system in a hazardous or
fail-to-function state." The definition from IEC 61508 goes on to add a
note: "Whether or not the potential is realized may depend on the channel
architecture of the system; in systems with multiple channels to improve
safety, a dangerous hardware failure is less likely to lead to the overall
dangerous or fail-to-function state." The note from IEC 61508 recognizes
that a definition for a piece of equipment may not have the same meaning
at the safety instrumented function level or the system level.

Annunciation
Some practitioners recognize that certain failures within equipment used
in a safety instrumented function prevent the automatic diagnostics from
correct operation. When reliability models are built, many account for the
automatic diagnostics ability to reduce the probability of failure. When
these diagnostics stop working, the probability of dangerous failure or
false trip is increased. While these effects may not be significant, unless
they are modeled, the effect is not known.

An annunciation failure is therefore defined as a failure that prevents
automatic diagnostics from detecting or annunciating that a failure has
occurred inside the equipment. Note that the failure may be within the
equipment that fails or inside an external piece of equipment designed for
the purpose of automatic diagnostics. These failures would be classified as
"Fail-Safe" in the definition provided in IEC 61508.

No Effect
Some failures within a piece of equipment have no effect on the safety
instrumented function: they neither cause a false trip nor prevent automatic
diagnostics from working. Some functionality performed by the
equipment is impaired, but that functionality is not needed. These may
simply be called "No Effect" failures. They are typically not used in any
reliability model intended to obtain the probability of a false trip or the
probability of a fail-danger. Per IEC 61508, these would be classified as
"Fail-Safe" or may be excluded completely from any analysis, depending
on the interpretation of the analyst.

Detected/Undetected
Failure modes can be further classified as “detected” or “undetected” by
automatic diagnostics. In this book the classification is done at the
instrument level, and the specific diagnostics are automatically performed
somewhere in the safety instrumented system.

SIF Modeling of Failure Modes

When evaluating safety instrumented function safety integrity, an
engineer must examine more than the probability of successful operation.
The failure modes of the system must be individually calculated. The
normal metrics of reliability, availability, and MTTF only suggest a
measure of success. Additional metrics to measure safety integrity include
probability of failure on demand (PFD), average probability of failure on
demand (PFDavg), risk reduction factor (RRF), and mean time to fail
dangerously (MTTFD). Other related terms are probability of failing safely
(PFS) and mean time to fail spuriously (MTTFS).

PFS/PFD
There is a probability that a safety instrumented function will fail and
cause a spurious/false trip of the process. This is called probability of
failing safely (PFS). There is also a probability that a safety instrumented
function will fail such that it cannot respond to a potentially dangerous
condition. This is called probability of failure on demand (PFD).

PFDavg
PFD average (PFDavg) is a term used to describe the average probability
of failure on demand. PFD will vary as a function of the operating time
interval of the equipment. It will not reach a steady state value if any
periodic inspection, test, and repair is done. Therefore, the average value
of PFD over a period of time can be a useful metric if it is assumed that the
potentially dangerous condition (also called a hazard) is independent of
equipment failures in the safety instrumented function.

The assumption of independence between hazards and safety
instrumented function failures seems very realistic. (NOTE: If control
functions and safety functions are performed by the same equipment, the
assumption may not be valid! Detailed analysis must be done to ensure
safety in such situations, and it is best to avoid such designs completely.)
When hazards and equipment are independent, it is realized that a hazard
may come at any time. Therefore, international standards have specified
that PFDavg is an appropriate metric for measuring the effectiveness of a
safety instrumented function.

PFDavg is defined as the arithmetic mean over a defined time interval. For
situations where a safety instrumented function is periodically inspected
and tested, the test interval (TI) is the correct time period. Therefore:

    PFD_{avg}(TI) = \frac{1}{TI} \int_{0}^{TI} PFD(t)\, dt        (6-1)

This definition is used to obtain numerical results in several of the system
modeling techniques. In a discrete time Markov model using numerical
solution techniques, a direct average of the time dependent numerical
values will provide the most accurate answer. When analytical equations
for PFD are obtained using a fault tree, the above equation can be used to
obtain equations for PFDavg (See Appendix F, System Architectures, for
examples).
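The following Python, added here and not taken from the book, evaluates Eq. 6-1 numerically for a non-redundant (1oo1) safety instrumented function and compares the result with the common linear approximation. It assumes the standard 1oo1 PFD model (undetected dangerous failures accumulate until the proof test, detected ones are unavailable only during repair), which this chapter does not itself state; the failure rates, restore time and test interval are constructed values, not the exercise data.

```python
# Added example, not from the book: evaluate Eq. 6-1 numerically for a 1oo1 SIF
# and compare with the usual linear approximation. All numeric inputs are constructed.
import math

def pfd_1oo1(t_hours: float, lam_du: float, lam_dd: float = 0.0, mttr_hours: float = 0.0) -> float:
    """Time-dependent PFD between proof tests (assumed standard 1oo1 model, not
    stated in this chapter): dangerous undetected failures accumulate until the
    next test, 1 - exp(-lam_du*t); dangerous detected failures are unavailable
    only while being repaired, contributing a constant lam_dd*MTTR."""
    return 1.0 - math.exp(-lam_du * t_hours) + lam_dd * mttr_hours

def pfd_avg(ti_hours: float, lam_du: float, lam_dd: float = 0.0,
            mttr_hours: float = 0.0, steps: int = 10_000) -> float:
    """Eq. 6-1: PFDavg(TI) = (1/TI) * integral from 0 to TI of PFD(t) dt,
    integrated with the trapezoidal rule over the proof-test interval TI."""
    h = ti_hours / steps
    total = 0.5 * (pfd_1oo1(0.0, lam_du, lam_dd, mttr_hours)
                   + pfd_1oo1(ti_hours, lam_du, lam_dd, mttr_hours))
    for k in range(1, steps):
        total += pfd_1oo1(k * h, lam_du, lam_dd, mttr_hours)
    return total * h / ti_hours

def pfd_avg_linear(ti_hours: float, lam_du: float, lam_dd: float = 0.0, mttr_hours: float = 0.0) -> float:
    """Common approximation lam_du*TI/2 + lam_dd*MTTR (valid when lam_du*TI << 1)."""
    return lam_du * ti_hours / 2.0 + lam_dd * mttr_hours

def risk_reduction_factor(pfd_avg_value: float) -> float:
    """RRF = 1 / PFDavg."""
    return 1.0 / pfd_avg_value

if __name__ == "__main__":
    # Constructed: lam_DU = 1e-6 /h, lam_DD = 3e-6 /h, 72 h restore time, one-year test interval.
    lam_du, lam_dd, mttr, ti = 1.0e-6, 3.0e-6, 72.0, 8760.0
    for t in (0.0, ti / 4, ti / 2, ti):   # PFD climbs between tests; it has no steady state
        print(f"PFD({t:6.0f} h) = {pfd_1oo1(t, lam_du, lam_dd, mttr):.5f}")
    avg = pfd_avg(ti, lam_du, lam_dd, mttr)
    print(f"PFDavg = {avg:.5f} (linear approx {pfd_avg_linear(ti, lam_du, lam_dd, mttr):.5f}),"
          f" RRF = {risk_reduction_factor(avg):.0f}")
```

Because the exponential curve lies below its tangent line, the numerically averaged PFD is slightly smaller than the linear estimate; the gap grows as lam_du*TI approaches unity, which is when the approximation should no longer be trusted.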

Exercises
6-1. A solenoid is normally energized in normal process operation. It is
de-energized when a dangerous condition is detected and vents air
from a pneumatic actuator. If the solenoid coil fails short circuit
and burns out, the solenoid will de-energize. How should this
failure mode be classified?

6-2. A set of equipment used in a safety instrumented function is
non-redundant (1oo1). The total dangerous detected failure rate is 0.002
failures per year. The total dangerous undetected failure rate is
0.0005 failures per year. Restore time average is 168 hours. The
equipment is inspected and tested every two years with 100% test
coverage. What is the PFD? What is the PFDavg?

6-3. The failure rate (λ) for a pressure transmitter is 1.2 × 10⁻⁶ f/hr. The
safe failure mode split is 50%. What is the dangerous failure rate?

6-4. A valve is designed to close on trip in a safety instrumented
function. If this valve had a failure where internal seals were
damaged and could not completely stop flow, how would this
failure be classified?

6-5. A flame detector used in a burner management application falsely
indicates a flame when there is none. How would that failure
mode be classified?

6-6. A gas detector used in a flammable gas shutdown function falsely
indicates the presence of flammable gas. How would that failure
mode be classified?

6-7. A safety PLC communicates shutdown status to the operator via a
communication link. If this link fails to communicate, how would
that failure mode be classified?

6-8. A safety instrumented function has a valve energized and open.
The valve must close when a demand is detected. The valve is
fitted to a piston type pneumatic actuator that has an O-ring seal
around the piston. This seal degrades with time and gets sticky. If
it is left in position a long period of time, it will cause the actuator
to stick in place. How would this failure mode be classified?
