All sorts of qualifications might be introduced into the analysis of vulnerability, but given the levels of uncertainty in so many aspects of functional safety, there is limited value in refining the analysis. The important thing here is to recognise that the "raw" figure supplied by the vendor is not likely to be representative of the actual performance of the equipment in the field, and it is prudent to make some allowance in recognition of the influence of deployment.
Comparison of Field and Certificate Data
As a means of establishing a suitable allowance, we may compare nominal field values with vendor figures and identify the difference as being due to deployment. Table 3 compares some generic field values for field equipment, with nominal values representative of those typically found from vendor certification.
Table 3: Comparison of Field and Certified Values for Mean Time Between Dangerous Failures (nominal MTBFd values, years)

| Equipment | Field Database | Vendor Certificate | Deployment |
|---|---|---|---|
| Press Tx | 150 | 1000 | 175 |
| Level Tx | 115 | 140 | 600 |
| Flow Tx | 225 | 900 | 300 |
| Temp Tx | 150 | 2900 | 160 |
| Remotely Operated Valve | 115 | 200 | 265 |
| Solenoid Valve | 125 | 200 | 340 |
From consideration of these "ranging shots" and other database values, it is here suggested that a nominal figure of 300 years MTBF for dangerous failures be adopted in respect of "standard" vulnerability deployment.
From inspection of a range of database values, and as a matter of judgement, a factor of 3.0 shift in values for field equipment is here suggested between adjacent categories of vulnerability. It is acknowledged that there is little enough science here, but having identified that equipment will be more or less vulnerable depending on the circumstances of the deployment, it is appropriate to make some corresponding allowance, and the above is suggested as a starting point. Ultimately, the figures assumed should be validated by monitoring the ongoing performance of the equipment.
Logic solvers and non-field equipment typically operate on benign duties in benign environments, but there will be some remaining vulnerability to the likes of voltage spikes, environmental control failures, electromagnetic and electrostatic effects, as well as unauthorized or misjudged interference. Given this residual vulnerability, we may look for a correspondence between the deployment element for standard vulnerability logic solvers and that for reduced vulnerability field equipment. In nominating the same value as for reduced vulnerability field equipment, the implication is that these residual influences represent 33% of the contribution to standard field equipment vulnerability, which does not appear unreasonable.
Suggested figures for dangerous failure rates due to deployment are given in the table below.
Table 4: Dangerous Failure Rates for Deployment

| Equipment Type | Vulnerability | Deployment MTBFd (years) | Deployment failure rate (per year) |
|---|---|---|---|
| Sensors | Reduced | 900 | 0.0011 |
| Sensors | Standard | 300 | 0.0033 |
| Sensors | Increased | 100 | 0.01 |
| Logic Solvers & Non-Field Equipment | Reduced | 2700 | 0.00037 |
| Logic Solvers & Non-Field Equipment | Standard | 900 | 0.0011 |
| Logic Solvers & Non-Field Equipment | Increased | 300 | 0.0033 |
| Final Elements | Reduced | 900 | 0.0011 |
| Final Elements | Standard | 300 | 0.0033 |
| Final Elements | Increased | 100 | 0.01 |
The values in this table should be regarded as indicative rather than definitive. Users may wish to compile their own values, based on an evaluation of their specific applications' susceptibilities to real-world influences, particularly if site-specific field data is available. A more comprehensive table might be compiled for individual equipment types, considering a range of generic database values and a range of vendor figures, but given the uncertainty in the data, there may be limited value to be gained. (Functional safety is NOT an exact science; we seek to establish the right order of risk reduction commensurate with the circumstances.)
Use of deployment figures
It is suggested that the raw safe failure fraction (as declared on the certificate) is assumed to apply to the deployed equipment unless there is specific evidence to the contrary.
So if we have a pressure transmitter with an MTBF (dangerous) of 750 years (failure rate 0.0013 per year) on a "standard" deployment, we would combine this figure with the default deployment failure rate of 0.0033 to give an overall figure of 0.0013 + 0.0033 = 0.0046 per year (217 years MTBFd). With reduced vulnerability deployment the corresponding figure would be 0.0013 + 0.0011 = 0.0024 per year (417 years MTBFd).
Note that a "perfect" item of equipment would never have a "real" (deployed) MTBF better than the default deployment figure. A perfect pressure transmitter on standard deployment could not be claimed to offer an in-service figure better than 300 years MTBFd. Where redundancy is claimed, the usual approaches to common mode failures may be adopted. The intention here is simply to qualify the individual device failure rate figure.
This approach is proposed as a default; specific values might be identified for individual items on an exceptional basis, the implication being that the user should identify why any exception is considered appropriate.
As a sanity check on the values and the approach, we may examine a notional final element sub-system consisting of a solenoid valve driver barrier, a solenoid valve, an actuator and a remotely operated valve, with respective certified MTBFd figures of 10000, 200, 200 and 200 years.
With standard deployment we have a sub-system MTBFd of 38 years:
(0.0001 + 0.0011) + (0.005 + 0.0033) × 3 = 0.0261/year.
If we allocate 50% of the function PFD to this final element sub-system, we would need to test every 1.2 years to meet a mid-SIL1 target for the function of 0.0316. If the vulnerability were "reduced," the corresponding MTBFd would be 53 years:
(0.0001 + 0.00037) + (0.005 + 0.0011) × 3 = 0.0188/year,
with a corresponding test interval of 1.7 years.
For a pressure transmitter, repeater barrier and trip amplifier, with certified MTBFd figures of 1000, 2000 and 1250 years and standard deployment, the sensor sub-system MTBFd would be 128 years:
(0.001 + 0.0033) + (0.0005 + 0.0011) + (0.0008 + 0.0011) = 0.0078/year.
If we allocated 35% of the function PFD to this sub-system, we would need to test every 2.8 years to meet the same mid-SIL1 target. With increased vulnerability, the sub-system MTBFd would be 53 years:
(0.001 + 0.01) + (0.0005 + 0.0033) + (0.0008 + 0.0033) = 0.0189/year,
with a corresponding test interval of 1.17 years.
These results appear sensible; in essence they show that there would typically be no difficulty in meeting SIL1 with a single channel with standard deployment and that SIL2 would be a realistic prospect, provided vulnerability was reduced or testing frequency was increased.