Glossary term
Probability of Failure on Demand
Engineering definition of probability of failure on demand covering PFDavg, low-demand protection, proof-test interval and validation evidence.
Definition
Probability of failure on demand is the probability that a protective or backup function will fail to perform its required action when a demand occurs.
Probability of failure on demand, often reported as PFD or average PFD, is used for low-demand protection layers such as interlocks, shutdown valves, alarms with credited operator response, standby systems and safety functions. It links dangerous undetected failure rate, proof-test interval, diagnostic coverage and protection-layer credit. It should be tied to a specific function, demand definition, test boundary and validation evidence.
Probability of failure on demand is the probability that a protective, standby or backup function fails when it is demanded. In low-demand safety and reliability work it is often reported as PFD or as the average probability of failure on demand, PFDavg.
The metric is used when a function is not operating continuously but must work when a hazardous or mission-critical demand occurs. Examples include shutdown valves, safety interlocks, relief activation paths, backup power starts, alarms with credited operator response, medical-device safeguards and emergency ventilation functions.
Low-Demand Meaning
A demand is the event that requires the function to act. For example, high reactor temperature may demand feed isolation, a guard opening may demand hazardous motion removal, and utility loss may demand standby power.
For low-demand functions, the key question is not ordinary availability during every second. It is:
The demand definition must be stated. A function can appear reliable in normal operation while still failing under the exact demand condition that matters.
Simplified PFDavg Screen
For a dangerous undetected failure rate:
and proof-test interval:
a common first screen is:
This assumes constant dangerous undetected failure rate, effective proof testing, low demand rate, independent failures and no dominant systematic contribution. The approximation is useful for engineering reasoning, not a full functional-safety analysis.
Protection-Layer Credit
If an initiating event frequency is:
and a credited independent protection layer has probability of failure on demand:
then a simple mitigated event frequency is:
For independent layers:
This multiplication is only defensible when independence, common-cause behavior, bypass state, maintenance state and proof-test evidence support the claim.
Worked Example
A low-demand protective function has:
and:
The simplified average probability of failure on demand is:
The initiating event frequency is:
With this protection layer:
If a second independent layer has:
then:
and:
The calculation is powerful, but only if both layers are genuinely independent and remain available under the same scenario.
Boundary With Availability
Availability and PFD are related but not interchangeable. Availability often describes whether a system is up at a random time. PFD describes whether a credited function succeeds when demanded. A standby device can have high apparent availability but poor PFD if hidden failures are not tested.
For continuously demanded functions, other measures may be more appropriate. The metric must match the operating mode.
What PFD Does Not Prove
A low PFD value does not prove that the hazardous scenario is fully controlled. The calculation may omit common-cause failures, human response limits, bypass exposure, maintenance errors, systematic design faults, wrong proof-test boundaries, environmental stress, demand-rate changes or final-element failure behavior.
The value should therefore be reviewed with the protection-layer architecture. A shutdown valve PFD is weak if the valve is left bypassed during startup. An alarm PFD is weak if operator response time is not validated. A relay PFD is weak if the downstream actuator cannot reach the safe state. PFD is an input to a risk argument, not the whole argument.
The demand scenario also matters. A protection layer may perform well for steady operation and fail during startup, cleaning, maintenance, manual mode or degraded operation. The PFD claim should match the scenario being credited.
Validation Evidence
Useful evidence includes demand definition, failure-mode list, dangerous undetected failure rate basis, proof-test interval, proof-test coverage, diagnostic coverage, bypass records, common-cause review, final-element test records, operator-response evidence where credited, independence argument, maintenance history and configuration control.
Common mistakes include multiplying PFD values without proving independence, using generic failure rates without installed-condition review, crediting an alarm without response-time evidence, ignoring bypass exposure, treating proof testing as perfect, and using annual test intervals by habit. A defensible PFD claim states the function, demand, failure modes, interval, detection basis, independence limits and validation evidence.
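The screening arithmetic described above (simplified PFDavg, protection-layer credit, and the imperfect proof-test and bypass caveats) as an added Python example; this is not code from the glossary page and its numbers are constructed, not the page's own worked-example values. It assumes the standard simplified forms PFDavg ≈ λ_DU × TI / 2 and f_mitigated = f_IE × PFD_1 × PFD_2, an assumed split formula for imperfect proof-test coverage, and a bypass model in which demands arrive independently of the bypass state.

```python
"""Simplified low-demand PFD screening helpers (added example, not page code).

Assumed standard approximations:
  PFDavg            ~= lambda_DU * TI / 2          constant rate, perfect proof test
  f_mitigated       =  f_IE * PFD_1 * PFD_2 * ...  independent layers only
  PFDavg (PTC < 1)  ~= PTC*lambda_DU*TI/2 + (1-PTC)*lambda_DU*LT/2   (assumed split)
  PFD with bypass   =  b + (1 - b) * PFD           bypassed a fraction b of the time
All numbers in run_constructed_example() are constructed, not from the page.
"""

HOURS_PER_YEAR = 8760.0


def pfd_avg_simple(lambda_du_per_hour, proof_test_interval_hours):
    """First-screen PFDavg = lambda_DU * TI / 2.

    Only meaningful when lambda_DU * TI is well below 1 (rare failures, low
    demand rate) and the proof test reveals every dangerous undetected failure.
    """
    if lambda_du_per_hour < 0 or proof_test_interval_hours <= 0:
        raise ValueError("lambda_DU must be >= 0 and TI > 0")
    pfd = lambda_du_per_hour * proof_test_interval_hours / 2.0
    if pfd > 0.1:
        # Chosen guard: beyond this the linear screen is no longer defensible,
        # so refuse rather than return a misleading number.
        raise ValueError(f"lambda_DU*TI/2 = {pfd:.3g} exceeds the linear-screen range")
    return pfd


def pfd_avg_imperfect_test(lambda_du_per_hour, proof_test_interval_hours,
                           proof_test_coverage, lifetime_hours):
    """PFDavg when the proof test reveals only a fraction PTC of lambda_DU.

    The uncovered share (1 - PTC) is assumed to accumulate until the function
    is replaced at end of life LT, so it is screened against LT instead of TI.
    """
    if not 0.0 <= proof_test_coverage <= 1.0:
        raise ValueError("proof-test coverage must be between 0 and 1")
    if lifetime_hours < proof_test_interval_hours:
        raise ValueError("lifetime must be at least one proof-test interval")
    covered = proof_test_coverage * lambda_du_per_hour * proof_test_interval_hours / 2.0
    uncovered = (1.0 - proof_test_coverage) * lambda_du_per_hour * lifetime_hours / 2.0
    return covered + uncovered


def pfd_with_bypass(pfd, bypass_fraction):
    """Effective PFD when the function is bypassed a fraction b of the time.

    A demand arriving during bypass always fails; otherwise the normal PFD
    applies. Assumes demands are independent of the bypass state.
    """
    if not 0.0 <= bypass_fraction <= 1.0:
        raise ValueError("bypass fraction must be between 0 and 1")
    return bypass_fraction + (1.0 - bypass_fraction) * pfd


def mitigated_frequency(initiating_event_per_year, *layer_pfds):
    """f_IE multiplied through the PFD of each credited layer.

    Valid only for layers argued to be independent; the caller owns that
    argument (common cause, shared bypass, same maintenance window).
    """
    if initiating_event_per_year < 0:
        raise ValueError("initiating event frequency must be >= 0")
    f = initiating_event_per_year
    for pfd in layer_pfds:
        if not 0.0 <= pfd <= 1.0:
            raise ValueError(f"PFD {pfd} is not a probability")
        f *= pfd
    return f


def run_constructed_example():
    """Constructed sample values (not the page's worked example)."""
    lambda_du = 1.0e-6                 # dangerous undetected failures per hour
    ti = 1.0 * HOURS_PER_YEAR          # annual proof test
    f_ie = 0.1                         # initiating events per year
    pfd_1 = pfd_avg_simple(lambda_du, ti)
    pfd_2 = 1.0e-2                     # second, separately justified layer
    return {
        "pfd_1": pfd_1,
        "f_mit_one_layer": mitigated_frequency(f_ie, pfd_1),
        "f_mit_two_layers": mitigated_frequency(f_ie, pfd_1, pfd_2),
        # Same hardware, but the proof test misses 10 % of lambda_DU over a 15-year life.
        "pfd_1_ptc_0_9": pfd_avg_imperfect_test(lambda_du, ti, 0.9, 15 * HOURS_PER_YEAR),
        # Same hardware, but bypassed 2 % of the time during startups.
        "pfd_1_bypass_2pct": pfd_with_bypass(pfd_1, 0.02),
    }


if __name__ == "__main__":
    for name, value in run_constructed_example().items():
        print(f"{name:>18}: {value:.3e}")
```

With these constructed inputs the perfect-test screen gives a PFDavg of about 4.4e-3, but a 10 % proof-test gap over a 15-year life raises it to about 1.1e-2, and a 2 % bypass exposure alone dominates at about 2.4e-2; the two-layer credit only holds if the independence argument survives the same checks.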