General Definition of Risk Reduction Factor

The term Risk Reduction Factor (RRF) is very commonly used in discussions related to functional safety and safety instrumented systems. When asked “what does RRF mean?” most functional safety practitioners will simply provide a mathematical equation in response, specifically.

RRF = 1/PFDavg (Eq. 1)

Where PFDavg is the average probability of failure on demand of a safety instrumented function. Put in words, the risk reduction factor is the inverse of the failure probability of a safeguard. While this response is very common, it is not completely correct. In fact, the equation shown above is only true under a narrow and specific set of circumstances.

Instead of the specific equation for RRF, which is usually used as a metric that defines the performance of a safety instrumented function, one should consider a broader interpretation of risk reduction factor. Risk reduction factor, in its most general sense, is the number of times that risk is reduced when comparing one situation against another. One situation will be a baseline level of risk and the other situation includes some modifications to the situation that alters the risk profile. As an equation you could represented it as follows.

RRF = Risk (baseline) / Risk (modified) (Eq. 2)

In the narrow case where a safeguard is entirely preventive, meaning that if the safeguard successfully activates the consequence will not occur, then the RRF of the “modified case” (i.e., after addition of the safeguard) will indeed be equal to the inverse of the PFDavg of the safeguard. This result can be derived from the general definition of risk reduction because the modified risk is equal to the baseline risk multiplied by the probability of failure of the safeguard.

Risk (modified) = Risk (baseline) * PFDavg (preventive safeguard) (Eq. 3)

If equation 3 is substituted back into equation 2, the following result is obtained.

RRF = Risk (baseline) / Risk (baseline) * PFDavg (preventive safeguard) (Eq. 4)

If the numerator and denominator of equation 4 are both divided by the baseline risk, the specific situational result shown in equation 1 is derived.

While equation 1 is so commonly used it is often considered a definition, it in fact is only a special case of risk reduction factor and in some cases the risk reduction factor will actually not be equal to the inverse of the failure probability of the safeguard. This would be the case for any mitigative safeguard and would also include situations where a failure of the safeguard affects the risk profile in ways other than simply the probability that it will not prevent the consequence. This second situation is true where components of the safeguard are utilized for purposes other than safeguarding, such as basic process control. If a component of a safeguard is used as basic process control whose failure will generate a consequence, then that component contributes to the PFDavg of the safeguard, but it also contributes to the baseline risk. The result of this situation is that the PFDavg of the safeguard and baseline risk cannot be separated from each other, which prevents the simplifications shown in equations 3 and 4 from being valid.

In order to understand these theoretical concepts better, let us look at them in a specific example. Consider the situation where a process pump is subject to a seal failure and fire if a valve on the discharge of the pump fails to the closed position. This is shown in the following figure.

Figure 1 – Pump with Valve at Outlet

If we assume that the a fire at the pump will result in a $1 million USD financial loss, valve failure occurs at a frequency of once in ten years, and that there is a probability of ignition of the material released from the seal failure of 30%, then the risk can be calculated as follows.

Risk = consequence x frequency (Eq. 5)

Consequence (baseline) = $1,000,000 per fire
Frequency (baseline) = 0.1 X 0.3 = 0.03 fires/year
Risk (baseline) = $30,000 per year

If we were to modify the risk profile of this situation by adding a preventive safeguard that will detect loss of flow at the pump discharge and stop the pump, before the seal failure, completely preventing the consequence, then risk will be reduced. The amount of risk reduction is calculated by first calculating the risk after application of the safeguard, and then calculating the ratio of risk before and after safeguard application. Assuming the probability of failure of the safeguard is 10%, this is calculated as follows.

Consequence (modified) = $1,000,000 per fire (i.e., the safeguard does not modify the consequence)
Frequency (modified) = Frequency (baseline) * PFDavg (safeguard)
Frequency (modified) = 0.03 fires/year * 0.1 = 0.003 fires/year
Risk (modified) = $3,000 per year

We can now calculate the RRF in its general sense by dividing risk (baseline) by risk (modified) as follows.

RRF = risk (baseline) / risk (modified) = $30,000 / $3,000 = 10

So, as expected, the risk reduction factor generated by the application of a preventive and independent safeguard whose PFDavg is 0.1 is 10, as predicted in Equation 1. But this will not always be true. Consider the situation where the instead of a preventive shutdown safeguard, a mitigative safeguard were used. If instead of using a pump shutdown, the site elected to install a fire detector and water deluge to extinguish any fire that is detected. In this case, the consequence of $1 million USD will stay the same if the fire detection and deluge fails to work (assume it has a PFDavg of 0.1), but even if the fire detector and deluge does work, there will still be the smaller consequence that the fire generates in the time that elapses between when the fire starts and when it is extinguished. Let us assume that this mitigated consequence is only $50,000 to clean up and repair minor damage from the smaller fire.

For this second situation, the baseline risk will stay the same, $30,000 per year. The modified risk is a bit more complex to calculate because there is a consequence whether or not the safeguard works. To calculate the risk you need to sum the risk where the safeguard fails with the risk where the safeguard is successful. This is shown as follows.

Risk (modified, safeguard fails) = Consequence (unmitigated) * Frequency (safeguard fails)
Risk (modified, safeguard operates) = Consequence (mitigated) * Frequency (safeguard operates)

Entering in the values from the example.

Risk (modified, safeguard fails) = $1,000,000 * (0.1 * 0.3 * 0.1) = $3,000 per year
Risk (modified, safeguard operates) = $50,000 * (0.1 * 0.3 * 0.9) = $1,350 per year

Resulting in a total modified risk as shown below.

Risk (modified) = $3,000 + $1,350 = $4,350 per year

Now when the risk reduction factor is calculated the result is $30,000/$4,350 or 6.9. The actual risk reduction factor of 6.9 is not the inverse of the PFD of the safeguard which would have been 10, it is significantly less because the safeguard does not reduce all of the risk, only a portion.

Now that an example has been given of where the actual amount of risk reduction is not the inverse of PFD, let us derive another equation that is a special case of the general form of risk reduction factor that we can apply to scenarios where the frequencies of the baseline and modified events can vary, but the consequences stay the same. This special situation equation would apply only to safeguards that are completely preventive. If we start with the general form of risk reduction factor from equation 2, we can expand the definition of risk as shown in equation 5.

RRF = Consequence (baseline) * Frequency (baseline) / Consequence (modified) * Frequency (modified)

For preventive safeguards, the consequence is not modified by the safeguard, only the frequency of occurrence. This means that baseline consequence and the modified consequence are the same. Since they are the same we can divide the numerator and denominator by consequence and end up with the following new special case equation defining risk reduction factor.

RRF = Frequency (baseline) / Frequency (modified) (Eq. 6)

If we use this equation to calculate the risk reduction factor of the first example we looked at, where a preventive SIF was used to safeguard against a pump seal failure and fire, we would calculate the RRF is follows.

Frequency (baseline) = 0.1 X 0.3 = 0.03 fires/year
Frequency (modified) = 0.03 fires/year * 0.1 = 0.003 fires/year
RRF = 0.03 / 0.003 = 10

As expected, equation 6 was able to accurately calculate the risk reduction factor in this case, consistently with the other equations. The reason that this equation is useful is that it allows for the calculation of effective risk reduction for situations where the RRF cannot be calculated simply by inverting the PFDavg of the safeguard. Inverting the PFDavg of the safeguard is only appropriate if the safeguard is entirely independent of the all other aspects of the frequency.

Consider again the case of the pump that is subject to a blocked outlet. If the valve on the discharge of the pump was part of a flow control loop, then failure of that flow control loop would result in generation of the hazardous condition. If we then chose to use the flow transmitter of that control loop as the sensor for a SIF that would stop the pump, that would create a safeguard that is not independent of the initiating cause of the hazardous event. Since the transmitter is not independent the frequency cannot be calculated by multiplying the frequency of the initiating event by the PFDavg of the safeguard. The PFDavg of the safeguard is only correct if the logic solver or the valve subsystems are the cause of the control loop failure that is the initiating event. If the sensor is the cause of the initiating event the SIF provides no protection, as a result the risk reduction provided by this arrangement will not be the inverse of the PFDavg of the SIF. The frequency in this situation can only be calculated using a fault tree that accounts for the fact that the sensor is both an initiator and a safeguard. Once the frequency, both before and after the application of the safeguard, are known, then equation 6 can be utilized to determine that actual amount of risk reduction that is provided.