Properly Assessing Diagnostic Credit in Safety Instrumented Functions Operating in High Demand Mode


Julia V. Bukowski, PhD, Department of Electrical & Computer Engineering, Villanova University, julia.bukowski@villanova.edu
William M. Goble, PhD, CFSE, exida, LLC, wgoble@exida.com

Feb 2017, V1.1. Copyright exida.com L.L.C. 2016-2017

EXECUTIVE SUMMARY

According to the basic functional safety standard IEC 61508:2010 Part 2 [1], when assessing the safety performance of a safety instrumented function (SIF) operating in high demand mode, full credit can be given for the positive effects of automatic self diagnostics (ASD) in SIF devices provided the frequency of ASD execution is 100 times (100X) or more the demand rate on the SIF and the SIF is configured to convert dangerous failures into safe failures via an automatic shutdown. However, no credit may be given for the positive safety effects of ASD if the frequency of ASD execution is less than 100X the demand rate. This paper shows that the 100X requirement is quite excessive and that significant positive safety effects accrue even when the ASD frequency is much smaller than the 100X stipulation. The theory, which provides reasonable justification for assigning some degree of partial diagnostic credit (PDC) for ASD based on the ratio of ASD frequency to demand rate, is developed under two different assumptions: Scenario 1, which is extremely conservative, and Scenario 2, which is more realistic. It is shown that even under the most conservative assumption, a frequency of ASD execution of as little as 2X the rate of demand on the SIF deserves at least 60% PDC. Under the realistic assumption, the 2X frequency of ASD execution deserves at least 78% PDC. Further, ASD execution frequencies of 10X deserve at least 90% PDC under the most conservative assumption and at least 95% PDC under the more realistic assumption. These findings suggest that a SIF operating in high demand which currently is not receiving any PDC for its ASD may be reassessed at a lower PFD(t)/hr and perhaps a higher SIL level.

Furthermore, manufacturers that may have been reluctant to include ASD in devices used in SIF construction because of the likelihood that the ASD execution frequency would not qualify for PDC in a SIL assessment may wish to reconsider, given that reasonable justification for assigning at least some PDC for the positive effects of ASD is now possible.

Copyright exida.com LLC 2000-2016

INTRODUCTION

According to Part 2, clause 7.4.5.3 of IEC 61508:2010 [1], when assessing the safety performance of a safety instrumented function (SIF) operating in high demand mode, full credit can be given for the positive effects of SIF automatic self diagnostics (ASD) provided the frequency of ASD execution is 100 times (100X) or more the demand rate on the SIF and the SIF is configured to convert dangerous failures into safe failures via an automatic shutdown. However, no credit may be given for the positive safety effects of ASD in any device comprising the SIF if the frequency of ASD execution is less than 100X the demand rate. This paper shows that the 100X requirement is excessive and that significant positive safety effects accrue even when the ASD frequency is much smaller than the 100X requirement. The theory, which provides reasonable justification for assigning some degree of partial diagnostic credit (PDC) for SIF ASD based on the ratio of ASD frequency to demand rate, is developed under two different assumptions: Scenario 1, which is extremely conservative, and Scenario 2, which is more realistic.

Following a Notation section, this paper

- provides sufficient background information to make the paper self contained
- illustrates the two basic models that comport to the standard's requirements for assessing a SIF's SIL with a threshold test that assigns the positive safety effects of ASD either full or no credit
- proposes a unified model which, unlike the current models, assesses PDC for ASD executed at a frequency of less than 100X the demand rate
- derives the PDC to be assessed to the SIF based on the ratio λ_Diag/λ_Demand
- illustrates the impacts of the unified model in assessing the SIL level of a SIF based on the ratio λ_Diag/λ_Demand
- draws conclusions about the impacts of the unified model on existing SIF and SIF of future construction which may operate in high demand mode
- includes two appendices that provide derivations for the conditional probability density function required for the development of Eqn. 2 and simulation results supporting the conclusions of the paper.

It is the authors' intent that this paper provides sufficient information to allow the reader to reproduce the results presented. Anyone with questions regarding any aspect of the derivations or simulations is encouraged to contact the authors.

NOTATION

ASD          automatic self diagnostics
exp[-x]      e^(-x)
FD           fail dangerous
FDD          fail dangerous detected
FDU          fail dangerous undetected
FIT          1 x 10^-9 failures/hr
FS           fail safe
IEC          International Electrotechnical Commission
koon         k out of n architecture
koond        k out of n architecture with ASD, which not only alerts to the presence of an FDD condition but also actively converts the FDD into an FS
MTTR_S       mean time to restore from state FS
PDC          partial diagnostic credit
PDC_i        partial diagnostic credit computed under the i-th scenario
PFD(t)       instantaneous probability of SIF failure on demand
PFD(t)/hr    derivative of PFD(t), also called PFH_D in standards
SIF          safety instrumented function
SIL          safety integrity level
T_Diag       deterministic period of ASD execution = 1/λ_Diag
λ_D          constant failure rate of dangerous failures = λ_DD + λ_DU
λ_DD         constant failure rate of dangerous detected failures
λ_Demand     rate at which demands are presented to the SIF
λ_Diag       deterministic frequency of ASD execution = 1/T_Diag
λ_DU         constant failure rate of dangerous undetected failures
λ_S          constant failure rate of safe failures
λ_T          constant total failure rate = λ_D + λ_S
μ_S          rate of restoration from state FS

BACKGROUND

SIF's, Demands, Demand Modes

As illustrated in Figure 1, a SIF is a collection of one or more devices (a device typically being a sensor, a logic solver, relay or other final element device). A SIF typically monitors industrial processes for abnormal operational conditions which are not being properly controlled or corrected by the process control system and intervenes to mitigate those conditions if and when they occur. For example, a SIF may monitor process pressures and shut down the process if the pressures exceed a set limit for a set amount of time. Another typical use for a SIF is processes involving machine safety. For example, a SIF may monitor a machine press and prevent its action if the SIF sensors detect an unexpected object (e.g., operator appendage) in the press area.

Figure 1. Conceptual representation of a SIF

The conditions which require the SIF to intervene are known as demands on the SIF or simply demands. Overpressure events, abnormal temperatures, gas leakage are but a few examples of demands that SIF may encounter. Processes which present demands on the SIF at a rate of once a year or less are called low demand processes and the SIF is said to operate in low demand mode. Processes with more frequent demands are called high demand processes and the SIF is said to operate in high demand mode. The demand rate is designated λ_Demand and is assumed to be constant.

Types of SIF Failures

A SIF may experience a failure and be unable to carry out its function. Generally, two types of failures are recognized. A safe failure occurs when the SIF erroneously determines that an abnormal condition exists and the SIF intervenes, inappropriately interfering with a correctly functioning process. Safe failures are usually designated FS (for fail safe) and are assumed to occur randomly with a constant failure rate, λ_S. A FS condition is generally easy to recognize because it interrupts a correctly operating process. A dangerous failure occurs when the SIF fails so that it is unable to intervene should intervention be required. Dangerous failures are usually designated FD (for fail dangerous) and are assumed to occur randomly with a constant failure rate, λ_D. A FD condition does not overtly manifest itself as long as the process does not present a demand on the SIF.

SIF Automatic Self Diagnostics

Because of the hidden nature of the SIF FD condition, SIF devices often contain ASD which periodically monitor the health of the SIF and can be used to improve safety performance. Such ASD can identify some, but generally not all, SIF FD conditions. FD failures which are detected by the ASD are called FD detected (FDD) failures while FD failures which are undetected by the ASD are called FD undetected (FDU) failures. These two sub classifications of FD failures are assumed to occur randomly with constant failure rates, λ_DD and λ_DU, respectively. The sum of λ_DD and λ_DU equals λ_D.

Architectures for SIF with Automatic Self Diagnostics Operating in High Demand Mode

Safety standards [1, 2] require that a SIF with ASD operating in high demand mode be configured as a koond architecture. The difference between a koon and a koond architecture is that in a koond architecture, when ASD detect a FD condition, the SIF must automatically transition to the FS state. A general Markov model of a 1oo1D SIF as shown in Figure 2 illustrates this concept.

Figure 2. Simple Markov model of a 1oo1D SIF

The SIF is normally in the state OK with all components functioning normally. If any component fails safe, the SIF transitions to the FS state where it remains until it is repaired and restarted. The repair rate, μ_S, is generally expressed as 1/MTTR_S, where MTTR_S is the mean time to restore from a FS failure and is generally on the order of 24 hours or less. On the contrary, if any component fails in a FDU mode, then the SIF transitions from the OK state to the FDU state. The FDU state is undetectable to the ASD, but could be discovered during periodic inspection and manual proof testing as required by the standards. The final possibility is a component failure in the FDD mode and the SIF transitions from the state OK to the state FDD. It remains in the state FDD for a time less than or equal to the deterministic ASD period, T_Diag, at which time the ASD will identify the FDD state and cause an immediate transition to the FS state. Thus, while a 1oo1 architecture with ASD will alert to a FDD state, a 1oo1D architecture will not only alert to an FDD state but also transition the SIF to the state FS. This is true for other koond architectures as well. This paper will deal only with the 1oo1D architecture as it is the most common of the koond architectures deployed in industry.

SIF Safety Performance Measure for High Demand Operation

The instantaneous probability of failure on demand, denoted PFD(t), measures the probability that the SIF is in state FDD or state FDU when a demand occurs. In general, for a SIF operating in high demand mode, PFD(t) depends on:

- SIF architecture (amount of redundancy)
- Particular mathematical model used to describe PFD(t)
- Failure rates of SIF components
- ASD effectiveness / ASD coverage
- ASD frequency, λ_Diag
- Other variables

SIF safety performance in high demand mode is measured by PFD(t)/hr, i.e., the derivative of PFD(t). Under assumptions which will normally be easily met for the 1oo1D architecture being considered, PFD(t) is approximately linear over the time intervals of interest and PFD(t)/hr is the slope of PFD(t).

Standards Requirements for SIF Operation in High Demand Mode

A SIF operating in high demand mode is assigned a safety integrity level (SIL) based on the assessed value of PFD(t)/hr. SIL levels are order of magnitude measures of safety performance. Table 1 shows the PFD(t)/hr required for the various SIL levels.

Table 1. Conversion of PFD(t)/hr to SIL

SIL    PFD(t)/hr
1      >= 10^-6 to < 10^-5
2      >= 10^-7 to < 10^-6
3      >= 10^-8 to < 10^-7
4      >= 10^-9 to < 10^-8

MODELS FOR ASSESSING SIL FOR SIF OPERATING IN HIGH DEMAND MODE

When assessing the safety performance of a safety instrumented function (SIF) operating in high demand mode, Part 2 of IEC 61508:2010 states that full credit may be given for the positive effects of SIF ASD provided the frequency of ASD execution is 100 times (100X) or more the demand rate on the SIF. IEC 61508 further states that no credit may be given for the positive safety effects of SIF ASD if the frequency of ASD execution is less than 100X the demand rate. This gives rise to two different PFD(t) for the same SIF depending on the ratio λ_Diag/λ_Demand. Figures 3a and 3b show Markov models corresponding to the two different cases. Compared to Figure 2, Figure 3a (where it is assumed that the frequency of ASD execution is at least 100X the demand rate) shows a transition due to a FDD failure from the state OK directly to the state FS, eliminating the state FDD and eliminating the possibility that a demand may occur while the SIF is in the state FDD (in Figure 2). Thus the model in Figure 3a is slightly optimistic.

Figure 3a. Simplification of Figure 2 assuming full diagnostic credit is assessed

Figure 3b. Simplification of Figure 2 assuming no diagnostic credit is assessed

Compared to Figure 2, Figure 3b (where it is assumed that the frequency of ASD execution is less than 100X the demand rate) shows a transition due to a FDD failure from the state OK directly to the state FDU, thus ignoring any of the positive safety effects of the ASD. Thus the model in Figure 3b is pessimistic.

PROPOSED UNIFIED MODEL

Safety standards do not prescribe particular methods or models for SIF safety analysis and they do permit flexibility if the choices are well justified. Thus, a unified model which gives PDC for ASD based on the ratio of frequency of ASD execution to rate of demand on the SIF, i.e., based on λ_Diag/λ_Demand, is proposed. Two possible scenarios are considered: Scenario 1 is a worst case, very conservative scenario and Scenario 2 is based on realistic assumptions. For both scenarios, focus is placed on the state FDD (see Figure 4) and on the probability that a transition to state FS will occur prior to the presentation of a demand on the SIF. This probability is equal to the amount of PDC assessed. The alternative is that the SIF will be in FDD when the demand occurs, but this is mathematically equivalent to a transition to the state FDU with probability 1 - PDC.

Note that a set of SIF equipment has a response time. This is the time between detection of a fault and initiation of the automatic trip mechanism. This time period is not relevant to the PDC analysis and is not considered in this analysis.

Figure 4. Focusing on state FDD and the probability of transitioning to state FS (the transition FDD to FS is labeled PDC, the transition FDD to FDU is labeled 1 - PDC)

Development of PDC for Scenario 1

The timeline for Scenario 1, the worst case and conservative scenario, is depicted in Figure 5.

Figure 5. Timeline for developing PDC under Scenario 1 (j-th ASD cycle complete at jT_Diag; FDD failure occurs and state FDD is entered; next ASD cycle complete at (j+1)T_Diag)

The j-th ASD cycle is complete and immediately thereafter a FDD failure occurs placing the SIF in state FDD. This failure will not be detected until the (j+1)-th ASD cycle at a time T_Diag later. Thus, the SIF is vulnerable to a demand for a time period of T_Diag after which it will transition to state FS if a demand has not occurred. Thus, the probability that it will transition to state FS is PDC_1, the probability that no demand will occur during the time interval T_Diag. Assuming a constant demand rate, λ_Demand,

PDC_1 = P(no demand on time interval of length T_Diag)

$$PDC_1 = \exp[-\lambda_{Demand} T_{Diag}] = \exp[-\lambda_{Demand}/\lambda_{Diag}]. \quad (1)$$

Development of PDC for Scenario 2

The timeline for Scenario 2, the realistic scenario, is depicted in Figure 6.

Figure 6. Timeline for developing PDC under Scenario 2 (j-th ASD cycle complete at jT_Diag; FDD failure occurs at jT_Diag + t and state FDD is entered; next time the FDD can be discovered is (j+1)T_Diag)

Here the j-th ASD cycle is complete and sometime thereafter (at jT_Diag + t) and before the next ASD cycle begins, a FDD failure occurs placing the SIF in state FDD. This failure will not be detected until the (j+1)-th ASD cycle at a time T_Diag - t later. Thus, the SIF is vulnerable to a demand for a time period of length T_Diag - t after which it will transition to state FS if a demand has not occurred. Given that the probability distribution of (jT_Diag + t) (the time of the FDD failure) is approximately 1/T_Diag (see Appendices A and B), then PDC_2, the probability that the SIF will transition to the state FS, is approximately

$$\begin{aligned}
PDC_2 &\approx \int_0^{T_{Diag}} \frac{1}{T_{Diag}} \exp[-\lambda_{Demand}(T_{Diag} - t)]\,dt \\
&= \frac{1}{T_{Diag}} \frac{1}{\lambda_{Demand}} \exp[-\lambda_{Demand}(T_{Diag} - t)] \Big|_{0}^{T_{Diag}} \\
&= \frac{1}{T_{Diag}} \frac{1}{\lambda_{Demand}} \left(1 - \exp[-\lambda_{Demand} T_{Diag}]\right) \\
&= \frac{\lambda_{Diag}}{\lambda_{Demand}} \left(1 - \exp[-\lambda_{Demand}/\lambda_{Diag}]\right). \quad (2)
\end{aligned}$$

A unified model, which encompasses both the models of Figures 3a and 3b as special cases, is portrayed in Figure 7. Note that PDC_i is computed from Eqns. 1 or 2 depending on the assumed scenario.

Figure 7. Unified model encompassing models in Figures 3a and 3b as special cases (the FDD transition goes to FS with probability PDC_i and to FDU with probability 1 - PDC_i; diagnostic credit 0 < PDC_i < 1)

EFFECTS OF ASSIGNING PARTIAL PDC IN SIF SAFETY ASSESSMENT

Figure 8 plots PDC_i from Eqns. 1 and 2 vs the ratio λ_Diag/λ_Demand. Note that for a ratio of λ_Diag/λ_Demand as small as 2X, i.e., with ASD executed only twice per anticipated demand cycle, the ASD deserve 60% PDC under the more conservative Scenario 1 and 78% PDC under the more realistic Scenario 2. Similarly, for a ratio of λ_Diag/λ_Demand of 10X, i.e., with ASD executed 10 times per demand cycle, the ASD deserve 90% PDC under the more conservative Scenario 1 and 95% PDC under the more realistic Scenario 2. Lastly, even at a ratio of λ_Diag/λ_Demand as large as 100X, the ASD deserve slightly less than full credit under both scenarios. These values are shown in Table 2.
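Eqns. 1 and 2 and the SIL bands of Table 1, carried through as a worked example (added here; not code from the paper or from exida). It reproduces the Table 2 percentages and, with the λ_DD = 1400 FIT and λ_DU = 600 FIT values of Table 3, estimates which SIL band the example SIF reaches under each scenario. The slope estimate PFD(t)/hr ≈ λ_DU + (1 - PDC_i)λ_DD used for that last step is an assumption of this example, not the paper's Markov computation.

```python
"""Partial diagnostic credit (PDC) for a 1oo1D SIF from Eqns. 1 and 2.

Added example: reproduces Table 2 and applies the credit to the Table 3
parameter set to see which SIL band the example SIF lands in.
"""
import math

FIT = 1e-9  # 1 FIT = 1e-9 failures/hr (paper notation)

# Table 1 of the paper: SIL band for a high demand SIF by PFD(t)/hr, [lower, upper).
SIL_BANDS = ((4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5))


def pdc_scenario_1(ratio):
    """Eqn. 1: conservative case. The FDD failure occurs right after an ASD
    cycle completes, so the SIF is exposed for a full T_Diag = 1/lambda_Diag.
    ratio = lambda_Diag / lambda_Demand."""
    return math.exp(-1.0 / ratio)


def pdc_scenario_2(ratio):
    """Eqn. 2: realistic case. The failure time is (approximately) uniform
    within the ASD cycle (Appendix A), so the exposure is averaged over it."""
    return ratio * (1.0 - math.exp(-1.0 / ratio))


def pdc_iec61508(ratio):
    """The threshold test of IEC 61508-2 clause 7.4.5.3 as stated in the paper:
    full credit at 100X or more, none below that."""
    return 1.0 if ratio >= 100 else 0.0


def pdc_percent(pdc):
    """Whole-percent credit, truncated the way Table 2 reports it (60%, 78%, ...)."""
    return int(pdc * 100)


def table_2(ratios=(2, 10, 100)):
    """Return {ratio: (Scenario 1 %, Scenario 2 %, IEC 61508 %)} as in Table 2."""
    return {
        r: (pdc_percent(pdc_scenario_1(r)),
            pdc_percent(pdc_scenario_2(r)),
            pdc_percent(pdc_iec61508(r)))
        for r in ratios
    }


def dangerous_rate_per_hr(pdc, lam_dd_fit, lam_du_fit):
    """Approximate PFD(t)/hr for the unified model of Figure 7.

    Assumption of this example (not the paper's Markov solution): with PFD(t)
    approximately linear, its slope is the rate at which the SIF leaves OK for
    a dangerous state that is not credited to the diagnostics, i.e. the FDU rate
    plus the uncredited share (1 - PDC_i) of the FDD rate. Time spent in FS,
    which slightly lowers the slope, is neglected.
    """
    return (lam_du_fit + (1.0 - pdc) * lam_dd_fit) * FIT


def sil_from_pfh(pfh):
    """Map PFD(t)/hr to the SIL band of Table 1; 0 means outside SIL 1-4."""
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfh < upper:
            return sil
    return 0


def sil_for_ratio(ratio, scenario, lam_dd_fit=1400, lam_du_fit=600):
    """SIL band of the Table 3 example SIF (lambda_DD = 1400 FIT, lambda_DU = 600 FIT)
    when the diagnostics are credited under the chosen scenario (1 or 2)."""
    pdc = {1: pdc_scenario_1, 2: pdc_scenario_2}[scenario](ratio)
    return sil_from_pfh(dangerous_rate_per_hr(pdc, lam_dd_fit, lam_du_fit))


if __name__ == "__main__":
    for r, row in table_2().items():
        print(f"{r:>4}X  Scenario 1: {row[0]}%  Scenario 2: {row[1]}%  IEC 61508: {row[2]}%")
    for r in (2, 5, 10):
        print(f"{r:>4}X  SIL (Scenario 1): {sil_for_ratio(r, 1)}  SIL (Scenario 2): {sil_for_ratio(r, 2)}")
```

Under this slope estimate the example SIF is SIL 2 with full credit and SIL 1 with none; Scenario 2 keeps it at SIL 2 from 2X upward, while Scenario 1 needs more than 2X, which is the same pattern the paper reports for Figure 9.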

Figure 8. Plot of PDC vs λ_Diag/λ_Demand

Table 2. PDC Comparison between Conservative Scenario 1 and Realistic Scenario 2

λ_Diag/λ_Demand    PDC: Scenario 1    PDC: Scenario 2    PDC: IEC 61508
2X                 60%                78%                0%
10X                90%                95%                0%
100X               99%                99%                100%

To illustrate the effects of PDC on SIF safety performance, PFD(t) was calculated from the unified model in Figure 7 with varying values of PDC_i including PDC_i = 0 (no diagnostic credit), 1 (full credit) and intermediate PDC_i values associated with credit for ratios of λ_Diag/λ_Demand of 2X, 5X, and 10X. Table 3 shows the parameter values used in the calculations. They are based on a total failure rate, λ_T, of 5000 FITS (1 FIT = 10^-9 failures/hr). The ratio of λ_S:λ_D is 60:40 and the ratio of λ_DD:λ_DU is 70:30. MTTR_S equals 24 hrs. These values are representative of SIF deployed in high demand processes.

Table 3. Parameter Values Used in the Computation of PFD(t) in Figures 9 and 10

Parameter    Assigned Value
λ_T          5000 FITS
λ_S          3000 FITS
λ_D          2000 FITS
λ_DD         1400 FITS
λ_DU         600 FITS
μ_S          1/24 hrs

The effects of PDC_i are graphically illustrated in Figure 9 (Scenario 2). Recall that the slope of PFD(t) is approximately PFD(t)/hr and that this latter quantity determines the SIL level. In Figure 9, the dotted lines have slopes which demarcate the limits of SIL 1 and SIL 2. The solid lines are plots of PFD(t) for varying ratios of λ_Diag/λ_Demand as labeled.

Also plotted are lines of PFD(t) for PDC_i = 0 (no diagnostic credit) and PDC_i = 1 (full diagnostic credit).

Figure 9. Plots of PFD(t) vs t calculated from the unified model under Scenario 2 along with dotted lines which demarcate the limits of SIL 1 and SIL 2

Note how in Figure 9, where PFD(t) is computed for the realistic Scenario 2, for all the calculated values of PDC_2, i.e., for ratios of 2X or greater, the example SIF's SIL level remains unchanged compared to the case of full credit per the standards.

CONCLUSIONS

These findings suggest that a SIF operating in high demand which currently is not receiving credit for its ASD may be reassessed at a lower PFD(t)/hr and perhaps a higher SIL level. Furthermore, manufacturers that may have been reluctant to include ASD in equipment used in SIF construction because of the likelihood that the ASD execution frequency would not qualify the ASD for PDC in a SIL assessment may wish to reconsider, given that reasonable justification for assigning at least some PDC for the positive effects of ASD is now possible.

REFERENCES

1. IEC 61508, Functional Safety of electrical / electronic / programmable electronic safety related systems, Geneva, Switzerland, 2010.
2. IEC 61511, Application of Safety Instrumented Systems for the Process Industries, Geneva, Switzerland, 2nd edition, 2016.

APPENDIX A

Eqn. 2 above was derived based on the assumption that the conditional probability density function for a FDD failure to occur at time t such that jT_Diag < t < (j+1)T_Diag is well approximated by 1/T_Diag, where T_Diag is the length of the ASD cycle and j is the ASD cycle number. This appendix provides the necessary derivation details.

Because λ_DD is assumed to be constant, the probability density function, f_T(t), for the time to FDD failure is

$$f_T(t) = \lambda_{DD} \exp[-\lambda_{DD} t], \quad 0 < t < \infty. \quad (A1)$$

Clearly, the probability density function for FDD failure conditioned on the failure occurring during the time interval jT_Diag < t < (j+1)T_Diag is

$$f_T(t \mid jT_{Diag} < t < (j+1)T_{Diag}) = \frac{f_T(t)}{P(jT_{Diag} < t < (j+1)T_{Diag})}. \quad (A2)$$

Now the denominator of Eqn. A2 is given by

$$P(jT_{Diag} < t < (j+1)T_{Diag}) = \int_{jT_{Diag}}^{(j+1)T_{Diag}} \lambda_{DD} \exp[-\lambda_{DD} t]\,dt = \exp[-\lambda_{DD} jT_{Diag}] \left(1 - \exp[-\lambda_{DD} T_{Diag}]\right). \quad (A3)$$

Therefore

$$f_T(t \mid jT_{Diag} < t < (j+1)T_{Diag}) = \frac{\lambda_{DD} \exp[-\lambda_{DD} t]}{\exp[-\lambda_{DD} jT_{Diag}] \left(1 - \exp[-\lambda_{DD} T_{Diag}]\right)}. \quad (A4)$$

To establish an approximate value for f_T(t | jT_Diag < t < (j+1)T_Diag), consider its value at the endpoints of the interval of interest. Substituting t = jT_Diag into Eqn. A4 gives

$$f_T(t \mid t = jT_{Diag}) = \frac{\lambda_{DD} \exp[-\lambda_{DD} jT_{Diag}]}{\exp[-\lambda_{DD} jT_{Diag}] \left(1 - \exp[-\lambda_{DD} T_{Diag}]\right)}$$

and cancelling the common factor exp[-λ_DD jT_Diag] from numerator and denominator gives

$$f_T(t \mid t = jT_{Diag}) = \frac{\lambda_{DD}}{1 - \exp[-\lambda_{DD} T_{Diag}]}. \quad (A5)$$

Because λ_DD T_Diag is generally less than 0.01 for SIF operating in high demand mode, the denominator of Eqn. A5 is well approximated by λ_DD T_Diag. Thus,

$$f_T(t \mid t = jT_{Diag}) \approx \frac{\lambda_{DD}}{\lambda_{DD} T_{Diag}}$$

$$f_T(t \mid t = jT_{Diag}) \approx \frac{1}{T_{Diag}}. \quad (A6)$$

Substituting t = (j+1)T_Diag into Eqn. A4 gives

$$f_T(t \mid t = (j+1)T_{Diag}) = \frac{\lambda_{DD} \exp[-\lambda_{DD} (j+1)T_{Diag}]}{\exp[-\lambda_{DD} jT_{Diag}] \left(1 - \exp[-\lambda_{DD} T_{Diag}]\right)}$$

and dividing exp[-λ_DD jT_Diag] from the denominator into the numerator gives

$$f_T(t \mid t = (j+1)T_{Diag}) = \frac{\lambda_{DD} \exp[-\lambda_{DD} T_{Diag}]}{1 - \exp[-\lambda_{DD} T_{Diag}]}. \quad (A7)$$

Again, because λ_DD T_Diag is generally less than 0.01 for SIF operating in high demand mode, the denominator of Eqn. A7 is well approximated by λ_DD T_Diag, and now the term exp[-λ_DD T_Diag] in the numerator is well approximated by (1 - λ_DD T_Diag). Thus

$$f_T(t \mid t = (j+1)T_{Diag}) \approx \frac{\lambda_{DD} (1 - \lambda_{DD} T_{Diag})}{\lambda_{DD} T_{Diag}}$$

$$f_T(t \mid t = (j+1)T_{Diag}) \approx \frac{1}{T_{Diag}} - \lambda_{DD}. \quad (A8)$$

Because λ_DD is generally very small,

$$f_T(t \mid jT_{Diag} < t < (j+1)T_{Diag}) \approx \frac{1}{T_{Diag}} \quad (A9)$$

and Eqn. 2 above follows.

APPENDIX B

This appendix

- outlines the algorithm used in the simulation studies
- stipulates the ranges of parameter values for λ_DD and λ_Demand deemed reasonable for SIF functioning in high demand mode and the underlying reasoning for the ranges
- provides a table of results for 75 simulations using different combinations of the relevant parameters λ_DD, λ_Demand, and λ_Diag/λ_Demand
- graphically illustrates the differences of simulation results relative to theoretical results vs λ_Diag/λ_Demand.

OUTLINE OF ALGORITHM USED IN SIMULATION STUDIES

A simulation run is designed to estimate the probability of transitioning from FDD to FS before a demand is encountered. The simulation results presented in this appendix were generated by carrying out the following steps:

1) Establish values of parameters that are fixed for a simulation run.
   a. decide on the number of trials to be considered
   b. decide on the ratio λ_Diag/λ_Demand
   c. decide on the value of λ_DD
   d. decide on the value of λ_Demand
   e. set the value of λ_Diag = λ_Demand x ratio (λ_Diag/λ_Demand)
   f. set T_Diag = 1/λ_Diag.
2) For each trial, generate an exponentially distributed time to DD failure, T_DD, based on the parameter λ_DD.
3) For each trial, based on T_DD, determine the length of the interval of vulnerability during which the SIF is in state FDD because it has not yet transitioned to state FS.
   a. divide T_DD by T_Diag and round up to the next highest integer
   b. multiply the result of step 3a by T_Diag to establish the time of the beginning of the next diagnostic interval after T_DD occurs, when the transition to FS will take place
   c. subtract T_DD from the result of step 3b, thereby determining the length of the interval of vulnerability
4) For each trial, generate a Poisson distributed random variable based on the parameter (interval of vulnerability x λ_Demand). This represents the number of demands which occur on the interval of vulnerability.
5) Count the number of trials with a non zero number of demands in step 4.
6) An estimate of the probability of transitioning from FDD to FS is given by 1 - (result of step 5)/(total number of trials for the simulation run).
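The six-step simulation above, implemented as an added example (not the authors' simulation code) and checked against Eqn. 2 with the relative difference of Eqn. B1. The trial count and random seed are choices of this example; the paper's runs used 10,000,000 trials per parameter combination.

```python
"""Monte Carlo estimate of the FDD -> FS transition probability, following the
six-step algorithm of Appendix B, compared with Eqn. 2 via Eqn. B1.
Added example, not the authors' simulation code.
"""
import math
import random

FIT = 1e-9  # 1 FIT = 1e-9 failures/hr


def pdc_scenario_2(ratio):
    """Eqn. 2: theoretical PDC_2 for ratio = lambda_Diag / lambda_Demand."""
    return ratio * (1.0 - math.exp(-1.0 / ratio))


def poisson(rng, mean):
    """Draw a Poisson(mean) count (Knuth's multiplication method; the means
    here never exceed 1/ratio, so the loop is short)."""
    limit = math.exp(-mean)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_pdc(ratio, lam_dd_fit, lam_demand_per_hr, trials, seed=12345):
    """Steps 1-6 of Appendix B. Returns the estimated probability that a SIF in
    state FDD transitions to FS before a demand arrives."""
    rng = random.Random(seed)                  # fixed seed: a choice of this example
    lam_dd = lam_dd_fit * FIT                  # step 1c, in failures/hr
    lam_diag = lam_demand_per_hr * ratio       # step 1e
    t_diag = 1.0 / lam_diag                    # step 1f, hours per ASD cycle
    trials_with_demand = 0
    for _ in range(trials):
        t_dd = rng.expovariate(lam_dd)         # step 2: time to DD failure, hr
        # step 3: next ASD completion at or after t_dd, and the vulnerable window
        next_asd = math.ceil(t_dd / t_diag) * t_diag
        vulnerable = next_asd - t_dd
        demands = poisson(rng, vulnerable * lam_demand_per_hr)   # step 4
        if demands > 0:                        # step 5
            trials_with_demand += 1
    return 1.0 - trials_with_demand / trials   # step 6


def relative_difference(simulated, theoretical):
    """Eqn. B1: (simulation result - theoretical result) / theoretical result."""
    return (simulated - theoretical) / theoretical


if __name__ == "__main__":
    # Constructed run: lambda_DD = 1000 FIT, lambda_Demand = 1/hr, ratio 2X.
    theory = pdc_scenario_2(2)
    est = simulate_pdc(2, 1000, 1.0, 200_000)
    print(f"simulated {est:.5f}, theoretical {theory:.5f}, "
          f"relative difference {100 * relative_difference(est, theory):.3f}%")
```

With far fewer trials than the paper, the statistical scatter is larger than the 0.031% reported in Figure B1; increase the trial count to approach it.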

REASONABLE PARAMETER VALUES FOR SIF FUNCTIONING IN HIGH DEMAND MODE

A SIF functioning in high demand mode will typically have a λ_T in the range of 5,000 to 10,000 FITS. Typically, the ratio of λ_S to λ_D will be 60:40. This means a typical range for λ_D of 2,000 to 4,000 FITS. The ratio of λ_DD to λ_DU is typically between 50:50 and 70:30. Thus the range for λ_DD would reasonably be 1,000 to 2,800 FITS. Typical values for λ_Demand range from 1/10 seconds to 1/month.

SIMULATION RESULTS

Each of the simulation results in Table B1 represents an estimate of the probability of transitioning from FDD to FS assuming a DD failure has occurred. Each result is based on 10,000,000 trials. Three values of λ_DD were considered, viz., 1,000, 2,000, and 3,000 FITS. For each of these values of λ_DD, λ_Demand was varied over five values, viz., 1/(10 seconds), 1/hr, 1/day, 1/week (1 week = 168 hrs), and 1/month (1 month = 720 hrs), while the ratio λ_Diag/λ_Demand was varied over five values, viz., 2, 5, 10, 50, and 100. Thus there were a total of 75 simulation runs with varying combinations of values of the parameters.

The authors have not plotted the results in Table B1 because on such a plot there would be no discernible differences between the simulation results for any parameter combination and the theoretical results which are based on Eqn. 2. However, the difference of each simulation result relative to the theoretical result from Eqn. 2 was computed according to the formula

$$\text{relative difference} = \frac{\text{simulation result} - \text{theoretical result}}{\text{theoretical result}} \quad (B1)$$

and plotted as a percentage versus the ratio λ_Diag/λ_Demand for all 75 simulations. This is illustrated in Figure B1. Clearly, while the percentage differences vary with the ratio λ_Diag/λ_Demand, the percentage differences are always less than 0.031%. This supports the use of the approximation 1/T_Diag for the conditional probability density used to develop Eqn. 2.

Table B1. Summary of Simulation Results and Theoretical Results for Probability of Transitioning from FDD to FS

λ_Diag/λ_Demand          2X           5X           10X          50X          100X
Theoretical              7.8694E-01   9.0635E-01   9.5163E-01   9.9007E-01   9.9502E-01

λ_DD = 1000 FITS
λ_Demand = 1/10 sec      7.8703E-01   9.0615E-01   9.5172E-01   9.9006E-01   9.9502E-01
λ_Demand = 1/hr          7.8694E-01   9.0643E-01   9.5160E-01   9.9010E-01   9.9503E-01
λ_Demand = 1/day         7.8719E-01   9.0652E-01   9.5167E-01   9.9010E-01   9.9502E-01
λ_Demand = 1/week        7.8705E-01   9.0638E-01   9.5153E-01   9.9007E-01   9.9502E-01
λ_Demand = 1/month       7.8710E-01   9.0641E-01   9.5166E-01   9.9007E-01   9.9503E-01

λ_DD = 2000 FITS
λ_Demand = 1/10 sec      7.8691E-01   9.0626E-01   9.5167E-01   9.9004E-01   9.9504E-01
λ_Demand = 1/hr          7.8686E-01   9.0633E-01   9.5173E-01   9.9005E-01   9.9498E-01
λ_Demand = 1/day         7.8696E-01   9.0639E-01   9.5162E-01   9.9004E-01   9.9504E-01
λ_Demand = 1/week        7.8695E-01   9.0648E-01   9.5161E-01   9.9003E-01   9.9501E-01
λ_Demand = 1/month       7.8689E-01   9.0631E-01   9.5160E-01   9.9007E-01   9.9502E-01

λ_DD = 3000 FITS
λ_Demand = 1/10 sec      7.8700E-01   9.0642E-01   9.5161E-01   9.9004E-01   9.9501E-01
λ_Demand = 1/hr          7.8698E-01   9.0650E-01   9.5168E-01   9.9008E-01   9.9503E-01
λ_Demand = 1/day         7.8692E-01   9.0645E-01   9.5185E-01   9.9010E-01   9.9504E-01
λ_Demand = 1/week        7.8708E-01   9.0629E-01   9.5158E-01   9.9004E-01   9.9499E-01
λ_Demand = 1/month       7.8691E-01   9.0646E-01   9.5161E-01   9.9008E-01   9.9503E-01

Figure B1. Plot of Difference of Simulation Value Relative to Theoretical Value for Probability of Transitioning to State FS from State FDD