PFDavg (Average Probability of Failure on Demand)
PFDavg is the average probability that a safety instrumented function (SIF) will fail to perform its safety action when demanded. It is the central metric of SIL verification under IEC 61511 and IEC 61508 for low-demand-mode SIFs (where the demand frequency is less than once per year). PFDavg is calculated from the dangerous undetected failure rate of each component in the SIF, the voting architecture (1oo1, 1oo2, 2oo2, 2oo3), the proof-test interval, the proof-test coverage, and the common-cause beta factor. The achieved PFDavg determines the achieved SIL: SIL 1 = 0.1 to 0.01, SIL 2 = 0.01 to 0.001, SIL 3 = 0.001 to 0.0001, SIL 4 = 0.0001 to 0.00001.
How does voting architecture affect PFDavg?
1oo1 (one out of one) is a single channel: PFDavg ≈ (lambda_du × T) / 2, where lambda_du is the dangerous undetected failure rate and T is the proof-test interval. 1oo2 (one out of two) uses two channels with either channel sufficient to actuate; both channels must fail to disable the SIF, so PFDavg ≈ (lambda_du × T)^2 / 3 + lambda_du × MTTR (the second term dominates if MTTR is significant). 2oo2 requires both channels to vote for actuation; either channel failing disables the SIF, so PFDavg ≈ 2 × lambda_du × T / 2 (worse than 1oo1). 2oo3 requires two out of three channels; PFDavg is similar to 1oo2 for the dangerous-undetected fraction, and significantly better than 1oo1 for the spurious-trip fraction.
What is proof-test coverage (PTC)?
Proof-test coverage is the fraction of dangerous undetected failures that the proof test detects. A proof test that exercises the SIF from sensor demand to final-element response will detect most dangerous failures (PTC > 90%). A proof test that bypasses the sensor (injecting a simulated signal at the logic solver input) misses sensor failures and has lower PTC. Proof tests that only verify the logic solver (no sensor or final element) have very low PTC. Lower PTC increases the PFDavg because undetected failures accumulate across multiple proof-test intervals.
What is the common-cause beta factor?
The common-cause beta factor (β) accounts for failures that affect multiple channels of a voted architecture simultaneously. A 1oo2 architecture nominally improves PFDavg by squaring the single-channel failure probability, but the improvement is bounded by the fraction of failures that are common to both channels. Typical β values are 5% to 10% for redundant identical channels; lower (2-5%) for diverse redundant channels (different sensor technologies). The PFDavg calculation adds the common-cause contribution (β × lambda_du × T / 2) to the redundant-channel contribution.
Frequently asked
What is the difference between PFDavg and PFH?
PFDavg applies to low-demand-mode SIFs (demand frequency less than once per year). PFH (probability of failure per hour) applies to high-demand-mode and continuous-mode SIFs (demand frequency greater than once per year, or continuous demand). The SIL bands for PFH are different from PFDavg: SIL 1 PFH = 1e-6 to 1e-5 per hour, SIL 2 PFH = 1e-7 to 1e-6, SIL 3 PFH = 1e-8 to 1e-7. Most process-industry SIFs are low-demand-mode and use PFDavg.
Where do dangerous undetected failure rates come from?
They come from failure rate databases (exida Safety Equipment Reliability Handbook, SINTEF OREDA, ISA-TR84.00.02, vendor failure rate certificates). Vendors of SIL-certified equipment publish failure-rate certificates that the SIL verification calculation uses. Operating companies may supplement these with company-specific failure data from in-service experience.
How does the proof-test interval affect PFDavg?
PFDavg increases roughly linearly with the proof-test interval (longer interval = more time for undetected failures to accumulate). Halving the proof-test interval halves the PFDavg contribution from undetected failures. Extending the proof-test interval (to reduce maintenance burden) requires re-verifying that the achieved SIL still meets the target.
Can PFDavg be calculated by hand?
For simple architectures (1oo1 with typical assumptions), yes - the closed-form formula above suffices. For complex architectures (2oo3 with diagnostic coverage, partial-stroke proof testing, common-cause analysis), commercial tools (exida exSILentia, SIS-PRO, Sphera SafeTech) implement the IEC 61508-6 Annex B procedure. Hand calculations are useful for sanity-checking the tool output.
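A hand calculation of the simplified formulas on this page, added here as an example (it is not code from any standard, handbook or commercial tool). The 1oo2 and 2oo3 terms use the (1-β) split of the independent failure rate from IEC 61508-6, the 2oo3 independent term is the 1oo2 term scaled by its three channel pairs, and the proof-test-coverage handling (untested failures accumulate until an assumed mission time) is an assumed simplification; the failure rate, interval and β values in the comments are constructed for illustration.

```python
"""Simplified PFDavg for 1oo1, 1oo2, 2oo2 and 2oo3 SIFs, with beta factor and PTC."""

# SIL bands for low-demand PFDavg as quoted above: (lower bound, upper bound, SIL)
SIL_BANDS = [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]


def sil_from_pfd(pfd):
    """Map an achieved PFDavg onto its SIL band; None if outside SIL 1..4."""
    for lo, hi, sil in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def channel_lambda_t(lam_du, t_proof, ptc=1.0, t_mission=None):
    """Effective (lambda_du x T) for one channel in hours^-1 x hours.

    The fraction of dangerous undetected failures the proof test covers (ptc)
    is reset every t_proof; the remainder accumulates until t_mission (assumed
    simplification, not the full IEC 61508-6 Annex B treatment).
    """
    if t_mission is None:
        t_mission = t_proof
    return lam_du * (ptc * t_proof + (1.0 - ptc) * t_mission)


def pfd_avg(arch, lam_du, t_proof, beta=0.0, mttr=0.0, ptc=1.0, t_mission=None):
    """PFDavg for a voted architecture using the simplified formulas above."""
    lt = channel_lambda_t(lam_du, t_proof, ptc, t_mission)
    indep = (1.0 - beta) * lt     # independent part of lambda_du x T (IEC 61508-6 split)
    cc = beta * lt / 2.0          # common-cause contribution, counted once for the group
    if arch == "1oo1":
        return lt / 2.0
    if arch == "2oo2":
        return 2.0 * lt / 2.0     # either channel failing disables the SIF
    if arch == "1oo2":
        return indep ** 2 / 3.0 + lam_du * mttr + cc
    if arch == "2oo3":
        return indep ** 2 + lam_du * mttr + cc   # three channel pairs: 3x the 1oo2 term
    raise ValueError(f"unknown architecture {arch!r}")


if __name__ == "__main__":
    # Constructed values: lambda_du = 1e-6 /h, yearly proof test, beta = 5 %, MTTR = 8 h
    for arch in ("1oo1", "1oo2", "2oo2", "2oo3"):
        p = pfd_avg(arch, 1e-6, 8760, beta=0.05, mttr=8)
        print(f"{arch}: PFDavg = {p:.3e} -> SIL {sil_from_pfd(p)}")
    # Same 1oo1 channel, but a proof test covering only 90 % over a 20-year mission
    p = pfd_avg("1oo1", 1e-6, 8760, ptc=0.9, t_mission=20 * 8760)
    print(f"1oo1 with PTC 0.9: PFDavg = {p:.3e} -> SIL {sil_from_pfd(p)}")
```

With these inputs the 1oo2 result is dominated by the β term rather than the squared independent term, which is the bounding effect the beta-factor section describes, and dropping PTC to 90 % pushes the 1oo1 channel from SIL 2 into SIL 1.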