Modifying SIL-Certified Equipment Failure Rates on the Basis of Deployment

To Calculate the Probability of Failure on Demand, You Must Identify Estimates of Equipment Failure Rates

By Harvey T. Dearden

1 of 3 < 1 | 2 | 3 View on one page

In order to calculate the probability of failure on demand (PFD) it is necessary to identify estimates of equipment failure rates. One approach is to rely on failure rate data declared in a Safety Integrity Level (SIL) certificate from a vendor or independent test house. These figures may however be optimistic in that they are typically for reference conditions which cannot necessarily be guaranteed to apply on an uninterrupted basis.

Deployment effects

In the real world, equipment may fail due to:

  • Being stood upon
  • Being dripped upon
  • Scaffold strikes
  • Lightning strikes/voltage spikes
  • Process excursions
  • Process connection failures
  • Compromised ingress protection
  • Environmental extremes
  • Inappropriate modification/adjustment.

We might categorize these influences as being due to deployment. They are likely to be difficult to quantify, but may well dominate the actual failure rate of a function. It might be argued that these influences lead to systematic failures rather than random hardware failures, but although they may be systematic (in that they are '…related in a deterministic way to a certain cause' per BS EN 61508), they may still arise on a random basis (unlike other systematic causes such as errors in the safety requirements specification) and would be revealed by a proof test. Unless they are specifically designed out, any PFD calculation that does not make allowance for these concerns is likely to be unrealistic. You might well see equipment with certified mean time between failure (MTBF) figures of, say, 200 years, with a safe failure fraction of 80%, implying that the MTBF for dangerous failures will be 800 years. Such a claim may well be optimistic for real-world circumstances, where deployment influences can undermine the certified failure rate.

The SINTEF reliability data handbook [1] makes the point that "vendor estimates of dangerous undetected failure rate are often an order of magnitude (or even lower) than that reported in generic data handbooks." In their estimates of failure rate, they identify a parameter r as the fraction of dangerous undetected failure rate arising from random hardware failures. Values of r for field equipment (sensors and final elements) typically vary between 30% and 50%. It can be seen that systematic failures may be very significant and indeed will typically dominate. Although identified in the SINTEF handbook as a proportion of the overall dangerous undetected failure rate, that is not to say that the random hardware failures and systematic failures will be in a fixed ratio. I suggest that the contribution from systematic influences may be characterised as fixed for a given equipment type, installation and environment, and essentially independent of the inherent random hardware failure rate of the equipment.

Failure mode effects analysis (FMEA) is often deployed as an evaluation tool as part of a certification process; it will examine the impact of component failures, but does NOT include any of the real-world influences listed above. The equipment is assumed to be operating at reference conditions. It is from these considerations that we might well come to have greater faith in reliability figures derived directly from plant history and associated judgments rather than declarations on certificates. What such judgments lack in rigor they make up for in being grounded in real experience. It could be argued that the real value of SIL certificates lies in the assessment of systematic capability (SC) rather than of failure rate.
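As an added worked example (not code from the article or from the SINTEF handbook), the following Python script follows the suggestion above: treat the systematic deployment contribution as a fixed additive dangerous-undetected rate, independent of the certified random hardware rate, and see what it does to the average PFD of a single-channel low-demand function. The 200-year MTBF and 80% safe failure fraction follow the article's illustration; the generic handbook rate of 1e-6 failures per hour, r = 0.4, the one-year proof-test interval, the assumption of no diagnostics, and the simplified PFD_avg ≈ λ_DU × T / 2 formula are my assumptions.

```python
"""Deployment-adjusted PFD estimate for a single-channel, low-demand safety
function. Added illustration, not code from the article or the SINTEF
handbook. The 200-year MTBF / 80% SFF figures follow the article's
illustration; every other number below is a constructed assumption."""

HOURS_PER_YEAR = 8760.0

# IEC 61508 low-demand SIL bands, checked from the loosest band downwards:
# (lower PFD_avg bound, inclusive; SIL achievable at that PFD)
SIL_BANDS = ((1e-2, 1), (1e-3, 2), (1e-4, 3), (1e-5, 4))


def dangerous_rate_per_hour(mtbf_years, sff):
    """Dangerous failure rate from a certified MTBF and safe failure fraction.
    The dangerous share of all failures is (1 - SFF); with no diagnostics
    assumed, the whole of it counts as dangerous undetected (lambda_DU)."""
    if mtbf_years <= 0 or not 0.0 <= sff < 1.0:
        raise ValueError("need MTBF > 0 and 0 <= SFF < 1")
    lam_total = 1.0 / (mtbf_years * HOURS_PER_YEAR)
    return lam_total * (1.0 - sff)


def systematic_rate_per_hour(generic_du_rate, r):
    """Fixed deployment (systematic) contribution, derived from a generic
    handbook lambda_DU and the SINTEF-style fraction r of that rate that is
    attributed to random hardware failures: the remaining (1 - r) is taken
    as the systematic share, and is then treated as a constant for the
    equipment type, installation and environment (the article's suggestion)."""
    if not 0.0 < r <= 1.0:
        raise ValueError("r must lie in (0, 1]")
    return generic_du_rate * (1.0 - r)


def pfd_avg(lam_du, proof_test_years):
    """Simplified 1oo1 low-demand average PFD: lambda_DU * T / 2."""
    return lam_du * proof_test_years * HOURS_PER_YEAR / 2.0


def sil_band(pfd):
    """SIL supported by the PFD_avg alone (0 = worse than SIL 1)."""
    if pfd >= 1e-1:
        return 0
    for lower, sil in SIL_BANDS:
        if pfd >= lower:
            return sil
    return 4  # below 1e-5: IEC 61508 defines no higher band


def compare(mtbf_years, sff, generic_du_rate, r, proof_test_years):
    """Certificate-only versus deployment-adjusted PFD_avg and SIL band."""
    lam_cert = dangerous_rate_per_hour(mtbf_years, sff)
    lam_sys = systematic_rate_per_hour(generic_du_rate, r)
    pfd_cert = pfd_avg(lam_cert, proof_test_years)
    pfd_adj = pfd_avg(lam_cert + lam_sys, proof_test_years)
    return {
        "lambda_du_certified": lam_cert,
        "lambda_du_systematic": lam_sys,
        "pfd_certified": pfd_cert,
        "sil_certified": sil_band(pfd_cert),
        "pfd_adjusted": pfd_adj,
        "sil_adjusted": sil_band(pfd_adj),
    }


if __name__ == "__main__":
    # Constructed inputs: 200 yr MTBF and 80% SFF (the article's illustration);
    # generic handbook lambda_DU of 1e-6 /h, r = 0.4, yearly proof test.
    result = compare(200.0, 0.80, 1e-6, 0.4, 1.0)
    for key, value in result.items():
        text = f"{value:.3e}" if isinstance(value, float) else str(value)
        print(f"{key:>22}: {text}")
```

With these inputs the certificate alone gives PFD_avg = 5e-4 (within the SIL 3 band), while adding the fixed deployment contribution raises it to about 3.1e-3 (SIL 2 band). The point of the structure is that the systematic term is added, not scaled: halving the certified random rate would barely move the adjusted result, which is what the article means by the deployment contribution dominating.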

Vulnerability categories

An initial figure might be adopted where the manufacturer's certified figure for an equipment item is combined with default figures for deployment on the basis of vulnerability; i.e., susceptibility to additional factors. For these purposes, the level of vulnerability may be assessed on the basis of three categories: environment, duty and exposure, as detailed in Table 1.

Table 1: Vulnerability Level and Vulnerability Categories

Vulnerability categories:

  • Environment: benign - well within capability, IP rating not critical to suitability, not subject to excursions beyond capability
  • Duty: benign - clean, non-aggressive (or not susceptible to fouling/attack) or not process wetted, little vibration, not subject to excursions beyond capability
  • Exposure: Limited - no exposed process connections/isolation points (e.g., impulse lines, press tx, valve manifold, capillary tubing) or protected from

Vulnerability levels:

  • Not having a 'Reduced' vulnerability in any ONE category: environment, duty or exposure
  • Not having a 'Reduced' vulnerability in MORE than one category

Logic solvers and non-field equipment will typically be located in equipment/auxiliary rooms and not subject to the same range of influences as the plant sensors and final elements. They will, however, remain susceptible to unauthorised interference (probably well-intentioned, but perhaps ill-advised). Some equipment will be less susceptible to such interference, and it is here suggested that vulnerability levels may be assigned on the basis of security, together with an assessment of whether the assumption of benign duty and environment is valid.
