Verification of the IEC 61508 PFH formula for 2oo3 configuration using Markov chains and Petri nets

Purpose: The purpose of this paper is to check the consistency of the IEC 61508 standard formula related to the average failure frequency (PFH: the probability of dangerous failure per hour) for a commonly used safety instrumented system (SIS) architecture in the process industry: 2-out-of-3 voting (2oo3), also known as Triple Modular Redundancy (TMR). Design/methodology/approach: IEC 61508 standard provided PFH formulas for different SIS architectures, without explanations, assuming that the SIS puts the equipment under control into a safe state on the detection of dangerous failure. This assumption renders the use of classical reliability approaches such as fault trees and reliability block diagrams impractical for PFH calculation. That said, the consistency verification was performed thanks to a dynamic and flexible reliability approach, namely Markov chains following these steps: (1) developing the multi-phase Markov chains (MPMC) model for 2oo3 configuration, (2) deducing the related classical Markov chains (CMC) model and (3) deriving a new PFH formula for the 2oo3 architecture based on the CMC model and thoroughly comparing it to that given in the IEC 61508. Moreover, 2oo3 architecture has been modeled through Petri nets for numerical comparison purposes. That comparison has been carried out between the numerical results obtained from IEC 61508 formula, the newly derived formula, Markov chains and Petri nets models. Findings: The newly obtained formula for 2oo3 configuration contains extra terms compared with the IEC 61508 one. Therefore, this latter formula induces an underestimated PFH results, which is dangerous from a safety point of view. This fact was corroborated by the numerical comparison. Research limitations/implications: This paper does not consider the different configurations given in IEC 61508. Originality/value: In our knowledge, no verification works have been conducted before on the IEC 61508 PFH formulas with shutdown capability. Therefore, the nonaccuracy of the PFH formula related to the 2oo3 has not been stated before. This paper proposes a new and more accurate formula.