Contact Us

Spurious Trip Rate Explained: 6 Facts Every Functional Safety Engineer Should Know

Refinery or chemical plant with distillation columns and pressure vessels, viewed from across a water channel under clear blue skies.

Introduction

When engineers think about functional safety and IEC 61511, they often focus on probability of failure on demand (PFDavg). But another metric—spurious trip rate (STR)—directly affects plant uptime, productivity, and costs. Unlike PFDavg, STR doesn’t measure safety performance. Instead, it reflects how often a Safety Instrumented Function (SIF) causes unwanted shutdowns. In this article, we’ll break down STR, introduce its inverse (MTTFsp), show how it’s calculated, and explain why balancing STR with PFDavg is essential for effective SIF design.

What Is Spurious Trip Rate?

Spurious trip rate (STR) is the frequency of unwanted or false trips of a Safety Instrumented Function (SIF).

These aren’t dangerous failures—they’re safe failures that cause a SIF to shut down the process when no actual demand exists. STR is usually expressed in failures per hour (1/hr) and then converted to years between trips for practical interpretation.

To clarify:

  • Dangerous failures → drive safety risk and are addressed through PFDavg.
  • Safe failures (that force shutdowns) → drive nuisance trips and are captured in STR.

Why STR Matters in Functional Safety

Unnecessary shutdowns don’t just reduce production—they can create safety hazards of their own. Restarting equipment introduces operational risk, and frequent nuisance trips erode operators’ trust in SIS performance. IEC 61511 requires that designers consider both safety integrity (via PFDavg) and availability (via STR), even though the standard does not prescribe numeric STR limits.

A SIF with an overly high STR might meet its SIL target but still be unacceptable to operations because of lost uptime. Spurious trips matters because it links functional safety design to real-world economics.

Alternatively, there are some operations that are so automated that recovering from a SIF trip is only a minor problem. It just depends.

STR and Its Inverse: MTTFsp

STR is expressed in trips per unit time—often failures per hour. But that can be difficult to interpret. So, engineers often use its inverse: MTTFsp (Mean Time to Spurious Trip) .

  • MTTFsp = 1 / STR
  • Example: STR = 0.01 trips/year → MTTFsp = 100 years

Both terms are useful:

  • STR highlights frequency of nuisance trips.
  • MTTFsp highlights how long, on average, a SIF runs without a false trip.

At SIL Safe, we always calculate both terms in verification reports. It makes it easier for both engineers and managers to understand the balance between reliability and uptime.

How STR Is Calculated

The first step is defining the λsp (spurious failure rate). This aggregates all relevant failure modes in the SIF path that can drive a false trip:

  • If a detected failure is configured to vote-to-trip, it contributes to λsp.
  • If a detected failure is configured to notify-only, it does not contribute.
  • If there are no diagnostics, then the diagnostic terms are already 0.

So, the voting philosophy directly affects which categories—safe detected (SD), safe undetected (SU), dangerous detected (DD)—feed into λsp. Dangerous undetected (DU) never contributes to STR.

  • 1oo1 SIF: STR = λsp (per unit time).
  • 1ooN SIF: STR increases with more elements in parallel (anyone can trip the system).
    • STR=N*λsp
  • MooN SIF (M > 1): STR decreases because multiple channels must trip simultaneously (e.g., 2oo3 cuts nuisance trip probability). This is through the often-confusing MooN equation which is beyond the scope here.

Contrast: PFDavg calculations focus on dangerous undetected failures (DU), while STR calculations focus on safe or detected failures that cause spurious trips.

Example Calculations

Case A – 1oo1, No Diagnostics

  • Assumptions: Single-channel SIF, no diagnostics.
  • Failure rates per channel:
    • λDU = 1E-6 /hr⁻(listed for completeness; not in calculation)
    • λDD = 0 /hr
    • λSU = 2E-6 /hr
    • λSD = 0 /hr
  • λsp definition: As there are no diagnostics, DD and SD are not applicable.  DU is never applicable.  Thus, λsp = λSU = 2E-6 /hr
  • Results:
    STR = 2E-6 /hr
    MTTFsp = 1 / (λsp × 8,760) = ≈ 57.1 years (≈ 1 trip every 57 years per channel)

Case B – 1oo2 Sensors, Diagnostics with Vote-to-Trip

  • Assumptions: Dual-channel 1oo2 sensor architecture; online diagnostics present; detected faults (SD and DD) vote-to-trip. Only sensor portion considered.
  • Failure rates per channel:
    • λDU = 1.0E-6 /hr (listed for completeness; not in calculation)
    • λDD = 2.0E-7 /hr
    • λSU = 4.0E-7 /hr
    • λSD = 8.0E-7 /hr
  • λsp per channel: λsp = λSD + λSU + λDD = 1.4E-6 /hr
  • System results:
    STR = 2 × 1.4E-6 = 2.8E-6 /hr
    MTTFsp = 1 / (STR × 8,760) = ≈ 40.8 years (≈ 1 trip every 41 years for sensor portion)

Key takeaway: architecture, diagnostics, and voting logic can drastically change nuisance trip rates. Presenting both STR and MTTFsp highlights the trade-offs clearly.

Who Decides What STR Is Acceptable?

Many plants rely on guidance from firms like SIL Safe to set realistic STR expectations.  Unlike SIL targets, there is no universal STR requirement. Acceptability is decided by plant management and operations during safety design reviews. It’s typically documented in the Safety Requirements Specification (SRS).

  • Typical ranges: MTTFsp of 10–100 years per channel is often considered reasonable in industry.
  • Higher MTTFsp expectations: High-availability processes (e.g., refineries, offshore platforms).
  • Lower MTTFsp expectations: Non-critical utilities or batch processes.
  • Unrealistic targets: “Once every million years” is neither achievable nor useful.  However, this does happen as new people are introduced to functional safety.

The point: STR goals are practical business decisions, not dictated by IEC 61511.  The standard IEC 61511-1 requires the team to consider it against safety and PFDavg.

Balancing Safety Integrity and Availability

The art of SIF design is balancing safety integrity (low PFDavg) with availability (low STR):

  • Use redundancy wisely (2oo3 voting can cut STR).  This is the primary reason 2oo3 is so common.
  • Apply diagnostics carefully (vote-to-trip vs notify-only matters).
  • Base calculations on realistic failure data, not overly optimistic assumptions.

A SIS with perfect safety but terrible availability—or vice versa—fails its mission.

Conclusion

Spurious Trip Rate doesn’t affect whether a plant is safe, but it absolutely affects whether it runs. That’s why STR is as important as PFDavg in practice. Engineers must present both STR and MTTFsp to give operators a realistic picture of system performance. The best designs find the balance: safe enough and reliable enough.

Q&A Section

1. Is a low STR always better?
Yes for uptime, but not if it compromises safety. STR must be balanced against PFDavg.

2. Does IEC 61511 require specific STR values?
No. It requires that availability and spurious trips be considered, but it does not prescribe limits.

3. Can proof testing increase STR?
Yes. Poorly planned tests (e.g., cycling valves without bypass) can cause nuisance trips. This temporarily raises STR and lowers MTTFsp.

4. Which devices dominate STR?
Final elements (valves) often contribute the most to spurious trips because of high safe failure rates.

5. How does redundancy reduce STR?
Voting architectures (like 2oo3) allow one sensor to fail without tripping the system, lowering STR.

6. Where is acceptable STR documented?
Usually in the Safety Requirements Specification (SRS) or reliability design basis documents.

7. Can STR goals cause conflict between engineers and operations?
Absolutely. Operations may push for fewer nuisance trips, while safety engineers emphasize conservatism. Finding balance is key.  The stakeholders need to discuss it together.

Learn More

SIL Safe has a full glossary here and a much shorter entry for spurious trip rate here.  

IEC main reference here