Calculation of the Dangerous Failure Rate of the Safety Function

Abstract

Each safety-related function must be implemented with a defined safety integrity level (SIL) if the control system implements safety-related functions (SFs) in addition to the standard control functions. The required SIL of the SF depends on the quantity of the risk associated with the failure of this one SF. The SIL against random failure can be expressed through the dangerous failure rate of the SF for an electronic safety-related control system (ESRCS) operating in a continuous mode of operation. The proof must be provided (among other things) that the SIL requirements for the individual SFs are met so the ESRCS can be accepted and implemented. The assessment of the impact of random failures on the SIL of the SF must be performed using the quantitative analysis method. This paper describes the procedure and derives equations for evaluating the impact of random failure on SIL of the SF using Markov chains with two absorption states. The achieved results are presented for SF implemented by ESRCS with dual architecture based on composite fail-safety technique.

1. Introduction

Some activities are associated with hazards. These hazards can cause damage to human health, damage to the environment, or major property damage. Such hazards or their consequences can be prevented by applying safety measures. How “strong” safety measures should be, depends on the results of the risk analysis that is associated with the machinery and equipment used, which are a part of the equipment under control (EUC). The “greater” difference between tolerable risk and the reduction of risk needs the safety measures to be applied “stronger”. Among the so-called active technical safety measures also belong electronic safety-related control systems (ESRCSs). An ESRCS is a system that realizes the safety function (SF). In addition to SFs an ESRCS can (but does not have to) realize standard control functions. The standard [1] defines SF, which is realized by a safety-related system, as a function designed to ensure or maintain the safe state of a controlled system concerning specific hazardous events. SF failure can increase the risk. Therefore, each SF must have fail-safety features.

The following techniques can be used to achieve the fail-safety feature:

• the technique of inherent fail-safety;
• the technique of reactive fail-safety;
• the technique of composite fail-safety.

For ESRCS to be used in practice, written proof must be provided that the specified safety requirements are met.

A characteristic feature of ESRCS that uses the inherent fail-safety technique is the one-channel architecture. The logic of such systems is realized by special logic elements with asymmetric failure features (most often electromechanical relays, so-called safety relays), whose properties are verified by long-term operational experience, as well as using appropriate methods and procedures in the application of these elements. Demonstration of the safety properties of such systems is based on qualitative analysis. Verification of the functional properties of such ESRCSs is based on the checks and tests applied. The impact of faults to the SF of such a system is based on a qualitative analysis, whereas an answer to the question “What happens if...?” is searched for. A safety-related system is considered safe if there does not exist real failure modes (or a combination of real failure modes) that would result in a dangerous ESRCS operation. Failure Modes and Effects Analysis (FMEA) can be successfully used for this purpose [2,3]. FMEA is an inductive method of analysis for technical objects that are implemented from elements for which it is possible to compile a list of real failure modes.

The use of electronic elements in the ESRCS area also led to an effort to avoid using special elements and to apply standard elements that are commonly available on the commercial market, the so-called commercial off the shelf (COTS) products. Increasing the integration of electronic components does not make it possible to compile a list of real failure modes and use only qualitative analysis methods to assess ESRCSs. ESRCS safety assessment requires the application of methods and procedures based on a probabilistic approach. In the case of ESRCS with lower safety requirements, it is possible to use the reactive fail-safety technique (characterized by a one channel architecture and feedback, to compare the actual state of the EUC with the required state of this EUC) in the case of failure.

In the case of ESRCS with higher safety requirements, the composite fail-safety technique must be used when failure appears. The composite fail-safety technique is characterized using a multi-channel architecture, while the safety condition is the independence of the channels and the early fault detection and negation.

A new name, “safety integrity”, is also emerging in the context of ESRCS. Safety integrity is the probability of a safety-related system achieving its required SFs under all the stated conditions within a stated operational environment and within a stated duration [1]. It is a case of one of the basic safety features of the ESRCS. SI is indicated by the safety integrity level (SIL). SIL does not relate to ESRCS, but to SF, which is realized by ESRCS. ESRCS can realize (and usually does) multiple SFs, and each SF may or may not be realized with a different SIL. According to the paper [1], safety integrity (SI) consists of three parts—systematic safety integrity (SystF-SI), software safety integrity (SW-SI), and hardware safety integrity (HW-SI). In general, it is valid that ESRCS hardware can dispose mainly of random failures, but also systematic failures and software have only systematic failures. For this reason, only systematic failure safety integrity (SystF-SI) and random failure safety integrity (RandF-SI) can be taken into account. Because systematic faults have different effects in the different life cycle phases and safety measures are dependent on the specific application, a quantitative SI analysis of the SF is not possible.

SystF-SI forms a non-quantifiable part of SI, and compliance with the requirements for SystF-SI is demonstrated by applying appropriate (prescribed for each SIL) techniques and measures for the avoidance of ESRCS systematic faults, which realizes the given SF.

RandF-SI forms a quantifiable part of SI and is subject to quantitative analysis. The occurrence of random failures over time can be described by reliability parameters (for example, random failure rate). The need to use quantitative methods (probabilistic approach) to evaluate RandF-SI indirectly follows from the SIL-table in the paper [1], which defines the average frequency of dangerous failure of the SF in high-demand mode of operation (PFH) for SIL as follows:

• for SIL 1 is valid 10^–6 h⁻¹ ≤ PFH < 10^–5 h⁻¹;
• for SIL 2 is valid 10^–7 h⁻¹ ≤ PFH < 10^–6 h⁻¹;
• for SIL 3 is valid 10^–8 h⁻¹ ≤ PFH < 10^–7 h⁻¹;
• for SIL 4 is valid 10^–9 h⁻¹ ≤ PFH < 10^–8 h⁻¹.

SI is affected by various factors, as shown in Figure 1. These factors should also include quality management and safety management, which cover all phases of the ESRCS life cycle. It defines phases for these tasks that need to be performed to achieve the specified safety objectives. Other factors (reliability, diagnostics, architecture recovery, and technical independence) belong to the technical and operational parameters of the SRCS.

An appropriate quantitative analysis method should be used for RandF-SI analysis. The most suitable method allows respecting the influence of as many factors as possible that affect RandF-SI. The most used methods include fault tree analysis (FTA) [4] and reliability block diagram (RBD) [5,6]. In the paper [6], the RBD method is used to determine the simplified algebraic expression for the probability of failure on demand (PFD) for a system with architecture 2 out of 4. Simplification relates to respecting the impact of several factors on PFD. A similar problem, but on a more general level, is solved by the paper [7].

The great advantage of these methods is that they are supported by many software tools (PTC Windchill, Item Software, BQR Reliability Engineering Ltd., …), which provide not only tools for analysis but also for creating the presentation of the achieved results. The disadvantage of these static methods is that they do not allow a comprehensive assessment of the impact of several factors (impact of diagnostic coverage, recovery intensity, the impact of SF architecture change…) on the monitored parameter of ESRCS, resp. SF.

FTA and RBD methods are static methods and were originally developed to evaluate the reliability and availability parameters of the system. These methods assume that the system has two states and is in one of these two states at any given time. What states are considered depends on the analysed property (functional—non-functional, up—down, safe—dangerous). Modified versions of these methods (dynamic fault trees analysis (DTFA) in the paper [8] and dynamic reliability block diagram (DRBD) in the paper [9]) largely eliminate these deficiencies. Like support, these methods use Markov chains, Petri nets, Bays nets, or Monte Carlo simulations.

When evaluating RandF-SI, it is appropriate to consider three states of ESRCS, resp. SF (up state; down and safe state; down and dangerous state). The most used state-oriented methods include the continuous-time Markov chains (CTMC) method, either alone the paper [10] or in combination with discrete-time Markov chains (DTMC) in the paper [11]. The effect of random failures on RandF-SI of SF can be modelled using CTMC. By the DTMC, it is possible to model the influence of the online diagnostic mechanism, which works discretely or to model the impact of periodic maintenance. In the paper [11], the basic idea of how to solve a problem related to the evaluation of the differently operating fault detection mechanisms to the RandF-SI of the SF is mentioned. A CTMC/DTMC combination can be used to solve this problem.

A major disadvantage of SF analysis by the Markov chain (MC) is the state space explosion. The paper [12] deals with the mathematical procedure of the creation of the model of E-SRS, which consists of several subsystems. The proposed procedure consists of the suitable merging of models of subsystems into one model of ESRCS. Tensor constructions (the tensor sum and the tensor product) have been used for the merging of CTMCs of subsystems. The state explosion problem, which occurred during the merging of CTMCs of subsystems.

The individual methods for analysis can be suitably combined. For example, the paper [13] deals with the procedure description and the definition of the mathematical relations for creating the model of the complex ESRCS. The proposed procedure consists of the decomposition of ESRCS into the mutually independent subsystems, the calculation of the required parameters of each subsystem by MC, and the creation of the resulting model of the whole ESRCS by the FTA. Subsequently, the dangerous failure rate of the whole ESRCS and the proof test interval of ESRCSs are determined by the FTA and the parameters of the subsystem. Quite often, a combination of FMEA and RBD methods in the paper [5] or a combination of FMEA and FTA methods in the paper [14] can be encountered.

2. CTMCs with Multiple Absorption States

Let us consider a stochastic process that fulfils the Markov property (the probability of moving to the next state depends only on the present state and not on the previous states):

$$Pr\left\{X\left(t\right)\le x| X\left(t_0\right)=x_0, X\left(t_1\right)=x_1, \dots , X\left(t_n\right)=x_n\right\}=Pr\left\{X\left(t\right)\le x| X\left(t_n\right)=x_n\right\}$$

(1)

where $X\left(t\right)$ is the random variable, $t\in T$ (T is the time range) is the time parameter and is valid, and $0\le t_0<t_1<\dots <t_n<t$.

If the value, which is acquired by $X\left(t\right)$, is called state and if a set of states is countable, then the Markov process forms the Markov chain (MC). We distinguish two basic types of the MC:

• discrete-time Markov chain;
• continuous-time Markov chain.

For the homogenous CTMC the transition probability of the system from state $i$ to state $j$ can be calculated as the conditional probability that the system in time $t=t+\Delta t$ goes to state $j$ under the condition that the system in time $t$ was in state $i$, i.e.,

$$p_{ij}\left(t+\Delta t\right)=Pr\left\{X\left(t+\Delta t\right)=j| X\left(t\right)=i\right\}.$$

(2)

The CTMC is completely defined if the transition rate matrix (3) and the initial distribution (4) are defined. The transition rate matrix:

$$\mathbb{Q}=\left(q_{ij}\right) \mathrm{for} i,j\in \left\{1, \dots ,n\right\},$$

(3)

where $q_{ij}$ is the transition rate from state $i$ to state $j$ and $q_{ii}=-{\displaystyle \sum }_{j=1,j\ne i}^n{q}_{ij}$ is the sojourn rate in state $i$. If the CTMC is homogeneous, the transition rates are constant. The initial distribution:

$$\overrightarrow{P_0}=\overrightarrow{P_0\left(t=0\right)}=\left\{p_1\left(t=0\right), p_2\left(t=0\right), \dots , p_n\left(t=0\right)\right\}$$

(4)

where $\overrightarrow{P_0}$ is the initial distribution in time $t=0$, $p_i\left(t=0\right)$ is the probability of state $i$ in time $t=0$.

The CTMC distribution in time $t$ can be calculated as a solution of the differential equations system (5) for the initial distribution (4)

$$\overrightarrow{\frac{dP\left(t\right)}{dt}}=\overrightarrow{P\left(t\right)}·\mathbb{Q}.$$

(5)

Figure 2 shows a CTMC that contains $\left(n-k+1\right)$ transient states and $\left(k-1\right)$ absorption states. $q_{\mathrm{i}j}$ is the intensity of the transition from state $i$ to state $j$.

The CTMC in Figure 2 can be described by a general matrix of transition rates (6):

$$\mathbb{Q}=\left(\begin{array}{ccccccc}-{\displaystyle {\displaystyle \sum }_{l=1,l\ne 1}^n}{q}_{1l}& q_{12}& \dots & q_{1\left(k-1\right)}& \dots & q_{1n}& \\ q_{21}& -{\displaystyle {\displaystyle \sum }_{l=1,l\ne 2}^n}{q}_{2l}& \dots & q_{2\left(k-1\right)}& \dots & q_{2n}& \\ ⋮& ⋮& \ddots & ⋮& \ddots & ⋮& \\ q_{\left(k-1\right)1}& q_{\left(k-1\right)2}& \dots & -{\displaystyle {\displaystyle \sum }_{l=1,l\ne \left(k-1\right)}^n}{q}_{\left(k-1\right)l}& \dots & q_{\left(k-1\right)n}& \\ 0& 0& \dots & 0& \dots & 0& \\ ⋮& ⋮& \ddots & ⋮& \ddots & ⋮& \\ 0& 0& \dots & 0& \dots & 0& \end{array}\right),$$

(6)

where the state $i=1, \dots , \left(k-1\right)$ is from the set of transition states $T$ and state $j=k, \dots , n$ is from the set of absorption states $A$. Because the article solves the problem of calculating the dangerous failure rate of SF, the symbol $\lambda$ will be used instead of the symbol $q$ for the transition rates in the next part of the article.

3. The Dangerous Failure Rate of the SF

Let the ESRCS implement only one SF and all its elements participate in the implementation of this SF, then the SI of safety function (SI-SF) can be identified with the SI ESRCS.

Because random failures occur randomly and continuously over time, CTMCs can be used to analyse the effects of random failures on SI-SF. In general, it is a state-oriented, graphic-mathematical method. The qualitative part of the method is related to the creation of a graphical model, which expresses the relationship between the elements of the considered system and their impact on SI-SF. Model creation is a very important activity in Markov’s analysis. The automatic model generating is theoretically possible (under certain conditions) in paper [12], but practically unusable. The extent to which the developed CTMC model corresponds to the real properties of SF depends on the experience of the analyst and knowledge of the operational and technical characteristics of ESRCS, which implements SF. The quantitative part of the analysis is focused on the mathematical description of the graphical model and the subsequent calculation of the monitored system property—the dangerous failure rate of the SF.

Available sources of information in the papers [15,16,17] consider CTMC-based models with only one absorption state (Figure 3) or no absorption state when analysing the impact of random failures on SI-SF. CTMC without an absorption state is considered when the recovery mechanism is also considered in the modelling. The model without absorption state cannot be used to calculate the dangerous failure of the SF.

If the CTMC contains one absorption state, then this state is considered as a down state and dangerous state (state D) in safety analyses. The ESRCS (which implements the SF) enters this state due to the occurrence of a dangerous failure. If the state probability $p_D\left(t=0\right)=0$, then the probability $p_D\left(t\right)$ has the properties of the distribution function. The transition rate to state D can be interpreted as a dangerous failure rate of SF and is determined by the equation

$${\lambda }_D\left(t\right)=\frac{\frac{d{p}_D\left(t\right)}{dt}}{1-p_D\left(t\right)},$$

(7)

which is consistent with the definition of failure rate for a non-restored object.

Recovery from state D is possible, but it is a special case of recovery. In general, the cause of a dangerous condition needs to be identified, which usually leads to changes in the system, and given the extent of the change, all procedures and measures within each life cycle phase should be applied appropriately as if it were a new system. In such a case, the recovery has its specific features, for example, because these changes are subject to assessment by an independent authority. After the recovery, ESRCS is considered “as good as new” and starts a new operation (RandF-SI of SF re-analysis starts again in time $\left(t=0\right)$).

If ESRCS operates in a continuous mode of operation and has an online mechanism for detecting and negating the fault, then ESRCS can go to the down and safety state (in the next part of this article, this is referred to as state S). Recovery from this state is possible either without interruption of ESRCS operation or after interruption of operation (depending on the ESRCS architecture and the method of organization of the recovery).

However, in many cases, when the down state (state D or state S) is reached, the RandF-SI analysis of SF is required to be completed and the dangerous failure rate of SF (transition rate to state D) is calculated. Since states D and S are absorption states, in this case, Equation (7) cannot be used to calculate the dangerous failure rate of SF (transition rate to state D). Such a situation is shown in Figure 4.

In general, the rate of the transition from state $i$ to state $j$ for time $\Delta t$ is understood as the derivate of the transition probability, i.e.,

$${\lambda }_{ij}=\frac{p_{ij }\left(t,t+\Delta t\right)}{\Delta t}=\frac{P\left(x\left(t+\Delta t\right)=j|x\left(t\right)=i\right)}{\Delta t}=\frac{P\left(\left(x\left(t+\Delta t\right)=j\right){\displaystyle \cap }\left(x\left(t\right)=i\right)\right)}{P\left(x\left(t\right)=i\right)·\Delta t}.$$

(8)

It is also true that

$$\begin{array}{l}{\displaystyle {\displaystyle \sum }_{i=1}^{k-1}}P\left(x\left(t\right)=i\right)+{\displaystyle {\displaystyle \sum }_{j=k}^n}P\left(x\left(t\right)=j\right)=1, \\ {\displaystyle {\displaystyle \sum }_{i=1}^{k-1}}P\left(x\left(t\right)=i\right)=1-{\displaystyle {\displaystyle \sum }_{j=k}^n}P\left(x\left(t\right)=j\right).\end{array}$$

(9)

Let it be true that

$$\begin{array}{l}{\displaystyle {\displaystyle \sum }_{i=1}^{k-1}}P\left(x\left(t\right)=i\right)={\displaystyle {\displaystyle \sum }_{i=1}^{k-1}}{P}_i\left(t\right),\\ {\displaystyle {\displaystyle \sum }_{j=k}^n}P\left(x\left(t\right)=j\right)={\displaystyle {\displaystyle \sum }_{j=k}^n}{P}_j\left(t\right).\end{array}$$

(10)

The rate of transition to state $j$ (state from the set of absorption states $j\ni A$) from the set of transition states

$${\lambda }_j={\displaystyle \sum }_{i=1}^{k-1}{\lambda }_{ij}=\frac{{{\displaystyle \sum }}_{i=1}^{k-1}P\left(\left(x\left(t+\Delta t\right)=j\right){\displaystyle \cap }\left(x\left(t\right)=i\right)\right)}{{{\displaystyle \sum }}_{i=1}^{k-1}p\left(x\left(t\right)=i\right)·\Delta t}=\frac{p_j\left(t\right)}{{{\displaystyle \sum }}_{i=1}^{k-1}p\left(x\left(t\right)=i\right)·\Delta t}=\frac{\frac{d{p}_j\left(t\right)}{dt}}{1-{{\displaystyle \sum }}_{j=k}^n{p}_j\left(t\right)}.$$

(11)

If the system contains one absorption state (state D), then it follows from (11) that

$${\lambda }_D\left(t\right)=\frac{\frac{d{p}_D\left(t\right)}{dt}}{1-p_D\left(t\right)}$$

(12)

Equation (12) corresponds to Equation (7).

If the system contains two absorption states (state D and state S), then it follows from (11) that

$${\lambda }_D\left(t\right)=\frac{\frac{d{p}_D\left(t\right)}{dt}}{1-(p_D\left(t\right)+p_S\left(t\right))},$$

(13)

$${\lambda }_S\left(t\right)=\frac{\frac{d{p}_S\left(t\right)}{dt}}{1-(p_D\left(t\right)+p_S\left(t\right))}.$$

(14)

Another approach can be chosen for the CTMC in Figure 4. This CTMC can be described by a transition rate matrix (15) and a set of differential Equation (16)

$$\mathbb{A}=\left(\begin{array}{ccc}-\left({\lambda }_D\left(t\right)+{\lambda }_S\left(t\right)\right)& {\lambda }_D\left(t\right)& {\lambda }_S\left(t\right)\\ 0& 0& 0\\ 0& 0& 0\end{array}\right).$$

(15)

$$\begin{array}{c}\frac{d{p}_X\left(t\right)}{dt}=-\left({\lambda }_D\left(t\right)+{\lambda }_S\left(t\right)\right). p_X\left(t\right),\\ \frac{d{p}_D\left(t\right)}{dt}={\lambda }_D\left(t\right). p_X\left(t\right),\\ \frac{d{p}_S\left(t\right)}{dt}={\lambda }_S\left(t\right)· p_X\left(t\right).\end{array}$$

(16)

It follows from (16) that

$$\frac{\frac{d{p}_D\left(t\right)}{dt}}{\frac{d{p}_S\left(t\right)}{dt}}=\frac{{\lambda }_D\left(t\right)}{{\lambda }_S\left(t\right)},$$

(17)

$${\lambda }_D\left(t\right)=\frac{\frac{d{p}_D\left(t\right)}{dt}}{p_X\left(t\right)}=\frac{\frac{d{p}_D\left(t\right)}{dt}}{1-(p_D\left(t\right)+p_S\left(t\right))},$$

(18)

$${\lambda }_S\left(t\right)=\frac{\frac{d{p}_S\left(t\right)}{dt}}{p_X\left(t\right)}=\frac{\frac{d{p}_S\left(t\right)}{dt}}{1-(p_D\left(t\right)+p_S\left(t\right))}.$$

(19)

4. Rate of Dangerous Failure of a Safety Function for Dual Architecture with Two Absorption States

In operation, ESRCSs with a two-channel architecture that is based on the technique of composite fail-safety with comparison are very often used. Standard [1] requires RandF-SI to be performed not on the system but separately for each SF. For the sake of clarity of this paper, it is assumed that ESRCS consists of two hardware-identical and physically independent channels—channel R and channel L (Figure 5), which manage the EUC. Let ESRCS implement one SF, then the dangerous failure of ESRCS can be identified with the dangerous failure of SF.

4.1. CTMC for Dual Architecture with Two Absorption States

Let SRES with dual architecture (Figure 5) have the following features:

• the R and L channels are hardware identical, ${\lambda }_R={\lambda }_L=\lambda$, where ${\lambda }_R$ is the failure rate of channel R, and ${\lambda }_L$ is the failure rate of channel L;
• the SRES has a fault detection and negation mechanism, which is characterized by a diagnostic failure coverage coefficient $c$, fault detection time $t_d$, and fault negation time $t_N$;
• SRES operates in continuous operation mode.

To evaluate ESRCS with such properties, the CTMC is shown in Figure 6. The paper [11] also deals with a similar problem.

The characteristic of the individual states of the model in Figure 6 is described in

Table 1. States of the model from Figure 6.

State	Characteristics
OK	ESRCS is fault-free; neither channel is in a fault due to a random failure. ESRCS is in up state.
2	Channel R or channel L is in an undetectable fault due to the occurrence of one random failure or due to the occurrence of several random failures. ESRCS is in up state.
3	Channel R or channel L is in a detectable fault due to the occurrence of one random failure (transition from state OK to state 3) or due to the occurrence of several random failures (transition from state OK to state 2 and subsequent transition from state 2 to state 3). ESRCS is in up state.
S	The safe state that the ESRCS enters after the fault detection and negation of channel R or channel L. ESRCS is in a down state.
D	Dangerous state—both channels are faulty. ESRCS is in a down state.

.

The rate of the transition from state 3 to state S (induction of a safe ESRCS response because of the fault detection and negation) can be expressed by the relationship (20).

$$\delta =\frac{1}{t_d+t_N}.$$

(20)

The CTMC in Figure 6 can be described by a system of differential equations:

$$\begin{array}{c}\frac{d{p}_{OK}\left(t\right)}{dt}=-2\lambda ·p_{OK}\left(t\right), \\ \frac{d{p}_2\left(t\right)}{dt}=2\lambda ·\left(1-c\right)·p_{OK}\left(t\right)-\lambda ·\left(1+c\right)·p_2\left(t\right), \\ \frac{d{p}_3\left(t\right)}{dt}=2\lambda ·c·p_{OK}\left(t\right)+\lambda ·c·p_2\left(t\right)-\left(\lambda +\delta \right)·p_3\left(t\right),\\ \frac{d{p}_S\left(t\right)}{dt}=\delta ·p_3\left(t\right),\\ \frac{d{p}_D\left(t\right)}{dt}=\lambda ·p_2\left(t\right)+\lambda ·p_3\left(t\right).\end{array}$$

(21)

If at time $t=0$ the ESRCS is in the OK state (Figure 6), then the initialization vector is:

$$\overrightarrow{P\left(t=0\right)}=\left\{1, 0, 0, 0, 0\right\}.$$

(22)

Then the probabilities of each state are:

$$\begin{array}{c}{p}_1\left(t\right)=e^{-2\lambda t},\\ p_2\left(t\right)=-2·e^{-2\lambda t}+2·e^{-\left(1+c\right)\lambda t},\\ p_3\left(t\right)=\frac{2\lambda c}{\left(\lambda c-\delta \right)}·\left(e^{-\left(\lambda +\delta \right)t}-e^{-\left(1+c\right)\lambda t}\right),\\ p_4\left(t\right)=p_D\left(t\right)=e^{-2\lambda t}-1+\frac{2\delta }{\left(\lambda c-\delta \right)·\left(1+c\right)}·\left(e^{-\left(1+c\right)\lambda t}-1\right)-\frac{2c{\lambda }^2}{\left(\lambda c-\delta \right)·\left(\lambda +\delta \right)}·\left(e^{-\left(\lambda +\delta \right)t}-1\right),\\ p_5\left(t\right)=p_S\left(t\right)=\frac{2\delta c}{\left(\lambda c-\delta \right)·\left(1+c\right)}·e^{-\left(1+c\right)\lambda t}-\frac{2c\lambda \delta }{\left(\lambda c-\delta \right)·\left(\lambda +\delta \right)}·e^{-\left(\lambda +\delta \right)t}+\frac{2\delta c}{\left(\lambda +\delta \right)·\left(1+c\right)}.\end{array}$$

(23)

4.2. Dangerous Failure Rate of the SF for Dual Architecture with Two Absorption States

Based on Equations (13) and (14), for the CTMC in Figure 6 deduce that

$${\lambda }_D\left(t\right)=\frac{\frac{d{p}_D\left(t\right)}{dt}}{1-(p_D\left(t\right)+p_S\left(t\right))}=\frac{-2\lambda \left(\lambda c-\delta \right)·e^{-2\lambda t}-2\delta ·\lambda ·e^{-\left(1+c\right)\lambda t}+2c{\lambda }^2· e^{-\left(\lambda +\delta \right)t}}{-\left(\lambda c-\delta \right)·e^{-2\lambda t}+2\lambda c·e^{-\left(\lambda +\delta \right)t}-2\delta ·e^{-\left(1+c\right)\lambda t}},$$

(24)

$${\lambda }_S\left(t\right)=\frac{\frac{d{p}_S\left(t\right)}{dt}}{1-(p_H\left(t\right)+p_S\left(t\right))}=\frac{2c\lambda \delta ·e^{-\left(\lambda +\delta \right)t}-2\delta c\lambda ·e^{-\left(1+c\right)\lambda t}}{-\left(\lambda c-\delta \right)·e^{-2\lambda t}+2\lambda c·e^{-\left(\lambda +\delta \right)t}-2\delta ·e^{-\left(1+c\right)\lambda t}}.$$

(25)

By merging states 1, 2, and 3 into state X (Figure 6), the CTMC from Figure 6, can be replaced by CTMC that corresponds to the CTMC in Figure 4. CTMC with merged states is shown in Figure 7.

For the probability of state X, it is valid that:

$$p_X\left(t\right)=p_1\left(t\right)+p_2\left(t\right)+p_3\left(t\right)=\frac{-\left(\lambda c-\delta \right)·e^{-2\lambda t}+2\lambda c·e^{-\left(\lambda +\delta \right)t}-2·\delta ·e^{-\left(1+c\right)\lambda t}}{\left(\lambda c-\delta \right)},$$

(26)

$$\frac{d{p}_X\left(t\right)}{dt}=\frac{2\lambda ·\left(\lambda c-\delta \right)·e^{-2\lambda t}-2\lambda c·\left(\lambda +\delta \right)e^{-\left(\lambda +\delta \right)t}+2\delta ·\lambda ·\left(1+c\right)·e^{-\left(1+c\right)\lambda t}}{\left(\lambda c-\delta \right)}$$

(27)

If the applied substitution is correct, then it must be true that:

$$\frac{d{p}_X\left(t\right)}{dt}=-\left({\lambda }_D\left(t\right)+{\lambda }_S\left(t\right)\right)· p_X\left(t\right)$$

(28)

After inserting Equations (24)–(26) to Equation (28), we get:

$$\begin{array}{l}-\left({\lambda }_D\left(t\right)+{\lambda }_S\left(t\right)\right)· p_X\left(t\right)\\ =-(\frac{-2\lambda \left(\lambda c-\delta \right)·e^{-2\lambda t}-2\delta ·\lambda ·e^{-\left(1+c\right)\lambda t}+2c{\lambda }^2· e^{-\left(\lambda +\delta \right)t}}{-\left(\lambda c-\delta \right)·e^{-2\lambda t}+2\lambda c·e^{-\left(\lambda +\delta \right)t}-2\delta ·e^{-\left(1+c\right)\lambda t}}\\ +\frac{2c\lambda \delta ·e^{-\left(\lambda +\delta \right)t}-2\delta c\lambda ·e^{-\left(1+c\right)\lambda t}}{-\left(\lambda c-\delta \right).e^{-2\lambda t}+2\lambda c·e^{-\left(\lambda +\delta \right)t}-2\delta ·e^{-\left(1+c\right)\lambda t}})·\frac{-\left(\lambda c-\delta \right)·e^{-2\lambda t}+2\lambda c·e^{-\left(\lambda +\delta \right)t}-2·\delta ·e^{-\left(1+c\right)\lambda t}}{\left(\lambda c-\delta \right)}\\ =\frac{2\lambda \left(\lambda c-\delta \right).e^{-2\lambda t}+2\delta ·\lambda ·\left(1+c\right)·e^{-\left(1+c\right)\lambda t}-2c\lambda \left(\lambda +\delta \right)· e^{-\left(\lambda +\delta \right)t}}{\left(\lambda c-\delta \right)}=\frac{d{p}_X\left(t\right)}{dt}\end{array}$$

(29)

Which confirms the correctness of this reasoning.

By merging states S and D to state Y in the CTMC in Figure 7, a CTMC with two states is formed (Figure 8).

If it is true that

$$p_Y\left(t\right)=p_D\left(t\right)+p_S\left(t\right),$$

(30)

then the rate of the transition from state X to state Y can be expressed by:

$${\lambda }_Y\left(t\right)=\frac{\frac{d\left(p_D\left(t\right)+p_S\left(t\right)\right)}{dt}}{1-\left(p_D\left(t\right)+p_S\left(t\right)\right)}=\frac{\frac{d{p}_D\left(t\right)}{dt}}{1-\left(p_D\left(t\right)+p_S\left(t\right)\right)}+\frac{\frac{d{p}_S\left(t\right)}{dt}}{1-\left(p_D\left(t\right)+p_S\left(t\right)\right)}={\lambda }_D\left(t\right)+{\lambda }_S\left(t\right)$$

(31)

4.3. Practical Application of the Equation for the Dangerous Failure Rate of the SF

Let SF be implemented by a dual architecture based on complex safety in case of comparison failure, as shown in Figure 6. Let:

• $\lambda ={\lambda }_L={\lambda }_R={1.10}^{-6} {\mathrm{h}}^{-1}$ (hardware identical channels);
• the fault detection and negation mechanism is characterized by the coefficient of diagnostic coverage of faults $c=0.99$ and the fault detection time $t_d=2$; the fault negation time $t_N$ is negligible with respect to the value $t_d(t_N\ll t_d)$;
• the considered time interval in which the rate of a dangerous SF disorder is calculated is 20 years (standard considered useful life ESRCS).

The calculations are performed in the software environment Wolfram Mathematica 11.

In Figure 9, the time dependence $p_D\left(t\right)$ calculated according to Equation (23) is shown. It is a function that is increasing, but it holds that $p_D\left(t\to \infty \right)<1$, i.e., does not meet the requirements for the distribution function. This trend can also be observed in the data presented in

Table 2. Probability $p_D\left(t\right)$ for CTMC in Figure 6; $\lambda ={1.10}^{-6}{ \mathrm{h}}^{-1}$, $c=0.99$, $\delta =0.5{ \mathrm{h}}^{-1}$.

$t \left[\mathrm{year}\right]$	0	20	200	1000	10,000	100,000	1,000,000
$p_D\left(t\right)[-]*{10}^{-3}$	0	0.244572	4.341654	5.027113	5.027115	5.027115	5.027115

. In Figure 10, the time dependence ${\lambda }_D\left(t\right)$ calculated according to (23) for $\delta =0.5$ ${\mathrm{h}}^{-1}$ and, in Figure 11, the time dependence ${\lambda }_D\left(t\right)$ calculated according to (23) is shown, but assuming that $\delta =0{ \mathrm{h}}^{-1}$. From a comparison of Figure 10 and Figure 11, it is possible to judge the influence of the mechanism of negation of the fault on the value of the rate of the dangerous failure SF. This fact ultimately has a positive effect on prolonging the time interval between the proof tests. The effect of online diagnostics in combination with a proof test on SI-SF is described in paper [11].

4.4. Merging of Absorption States

Let us convert a model with two absorption states (Figure 6) to a model with one absorption state by putting state D and state S into one state—state Y (Figure 12).

The probability of state Y (Figure 12) is:

$$p_Y\left(t\right)=1+e^{-2\lambda t}-\frac{2\lambda c·e^{-\left(\lambda +\delta \right)t}}{\left(\lambda c-\delta \right)}+\frac{2·\delta ·e^{-\left(1+c\right)\lambda t}}{\left(\lambda c-\delta \right)}.$$

(32)

The equation calculating of the rate of the transition to the Y state and the adjustment according to (24) and (25) is

$$\begin{array}{c}{\lambda }_Y\left(t\right)=\frac{\frac{d{p}_Y\left(t\right)}{dt}}{1-p_Y\left(t\right)}=\frac{-2\lambda \left(\lambda c-\delta \right)·e^{-2\lambda t}-2·\lambda ·\delta ·\left(1+c\right)·e^{-\left(1+c\right)\lambda t}+2·\lambda ·c·\left(\lambda +\delta \right)· e^{-\left(\lambda +\delta \right)t}}{-\left(\lambda c-\delta \right)·e^{-2\lambda t}+2\lambda c·e^{-\left(\lambda +\delta \right)t}-2\delta ·e^{-\left(1+c\right)\lambda t}}\\ {\lambda }_Y\left(t\right)=\frac{\frac{d{p}_Y\left(t\right)}{dt}}{1-p_Y\left(t\right)}={\lambda }_D\left(t\right)+{\lambda }_S\left(t\right).\end{array}$$

(33)

Figure 13 shows the time dependence $p_Y\left(t\right)$ calculated according to (32), and Figure 14 shows the time dependence ${\lambda }_Y\left(t\right)$ calculated according to (33).

5. Discussion and Conclusions

Different approaches can be encountered in analyses of the impact of random failures on SI-SF. If the system consists of components connected in a simple serial architecture with a defined SIL, then the simplified relations given in the standards can be used. An example of such a system is the application published in paper [18]. However, in more complex cases, simplified relationships from standards cannot be used, and it is necessary to create a suitable model. One of the tools used to create such a model is the CTMC. The available literature and scientific publications consider the use of CTMC for the safety analysis with one absorption state. The transition of SF to this state is interpreted as the occurrence of a dangerous fault of SF and means the transition of a system that implements a SF to a down state. The fact is that ESRCS can also enter the down state due to the fault detection and negation, which leads to the creation of a CTMC with two absorption states. The problematics of the influence of fault detection and negation mechanisms on the safety properties of SF and related problems are analysed in paper [11]. However, in paper [11], the analysis ends at the level of calculating the probability of occurrence of individual absorption states. The standard [1] requires the calculation of the SF dangerous failure rate for the SF in continuous operation mode. This paper directly solves this issue. The results can be used directly in the safety analysis of SF implemented on hardware with fault detection and subsequent fault negation. From the point of view of CTMC analysis, such hardware leads to multiple absorption states. In this paper, the relations are applied to the calculation of the dangerous failure rate of the dual architecture with two absorption states (Section 4.1, Section 4.2, Section 4.3). In Section 4.4, the results are verified by merging the absorption states. Verification confirms the correctness of the derived equations.

The procedure for calculating the SF dangerous failure rate was designed to develop a real ESRCS (system with architecture 2oo3), intended for use in railway transport. This procedure has been assessed and accepted by an independent organization with international accreditation to assess the safety of SRCS for railway applications.

Comparing the results presented in this article with other publicly available scientific articles is problematic because the available literature solves this problem with only one absorption state (e.g., paper [19]).

Further development aims to extend this approach for use in ESRCS safety integrity assessment, which has a learning feature and can restart in uninterrupted operation. It is an ESRCS with a 2oo3 architecture. After identifying a failure state in one channel, this channel is isolated, and the system goes into a degraded mode (it works in the 2oo2 architecture). If it was a short-term fault condition, automatic recovery to full mode (without interruption of operation) is required. However, this activity must not lead to a reduction in safety integrity, which must be demonstrated.

This procedure could be applied to analyse other RAMS (reliability, availability, maintainability, and safety) parameters of ESRCS. However, creating a suitable CTMC for each property would be necessary. This contention constitutes some limitation of the presented approach, so further research in this area will focus on linking the results published in paper [11] and this paper to assess the RAMS parameters of the ESRCS comprehensively. The intention is to create a comprehensive model for typical architectures that will be useful in analysing all RAMS parameters.

The terms used in this paper are consistent with the terminology used in the standard [1], which is the internationally accepted standard that outlines the requirements, principles, and methods for safety assessment.