The values in this table should be regarded as indicative rather than definitive. Users may wish to compile their own values, based on an evaluation of their specific applications' susceptibilities to real-world influences, particularly if site-specific field data is available. A more comprehensive table might be compiled for individual equipment types, considering a range of generic database values and a range of vendor figures, but given the uncertainty in the data, there may be limited value to be gained. (Functional safety is NOT an exact science; we seek to establish the right order of risk reduction commensurate with the circumstances.)
Use of deployment figures
It is suggested that the raw safe failure fraction (as declared on the certificate) is assumed to apply to the deployed equipment unless there is specific evidence to the contrary.
So if we have a pressure transmitter with an MTBF (dangerous) of 750 years (failure rate 0.0013/year) on a "standard" deployment, we would combine this figure with the default deployment failure rate of 0.0033/year to give an overall figure of 0.0013 + 0.0033 = 0.0046/year (217 years MTBFd). With reduced vulnerability deployment the corresponding figure would be 0.0013 + 0.0011 = 0.0024/year (417 years MTBFd).
Note that a "perfect" item of equipment would never have a "real" (deployed) MTBF of better than the default deployment figure. A perfect pressure transmitter on standard deployment could not be claimed to offer an in-service figure better than 300 years MTBFd. Where redundancy is claimed, the usual approaches to common mode failures may be adopted. The intention here is to simply qualify the individual device failure rate figure.
This approach is proposed as a default; specific values might be identified for individual items on an exceptional basis, the implication being that the user should identify why any exception is considered appropriate.
As a sanity check on the values and the approach, we may examine a notional final element sub-system consisting of a solenoid valve driver barrier, a solenoid valve, an actuator and remotely operated valve, with respective certified MTBF dangerous figures of 10000, 200, 200, 200 years.
With standard deployment we have a sub-system MTBFd of 38 years:
(0.0001 + 0.0011) + (0.005 + 0.0033) x 3 = 0.0261/year.
If we allocate 50% of the function PFD to this final element sub-system, we would need to test every 1.2 years to meet a mid-SIL1 target for the function of 0.0316. If the vulnerability was "reduced," the corresponding MTBFd would be 53 years:
(0.0001 + 0.00037) + (0.005 + 0.0011) x 3 = 0.0188/year,
with a corresponding test interval of 1.7 years.
For a pressure transmitter, repeater barrier and trip amplifier, with certified MTBFd figures of 1000, 2000, and 1250 years and standard deployment, the sensor sub-system MTBFd would be 128 years:
(0.001 + 0.0033) + (0.0005 + 0.0011) + (0.0008 + 0.0011) = 0.0078/year.
If we allocate 35% of the function PFD to this sub-system, we would need to test every 2.8 years to meet the same mid-SIL1 target. With increased vulnerability, the sub-system MTBFd would be 53 years, with a corresponding test interval of 1.17 years:
(0.001 + 0.01) + (0.0005 + 0.0033) + (0.0008 + 0.0033) = 0.0189/year.
These results appear sensible; in essence they show that there would typically be no difficulty in meeting SIL1 with a single channel with standard deployment and that SIL2 would be a realistic prospect, provided vulnerability was reduced or testing frequency was increased.
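The calculation behind the two sanity checks above, as an added worked example (not code from the original article): certified dangerous failure rate plus deployment rate per device, series summation for the sub-system, and the proof-test interval that meets the allocated share of the function PFD. The deployment rates (0.0033, 0.0011, 0.01 for field devices; 0.0011, 0.00037 for the barrier and trip amplifier) are read off the article's own arithmetic, and PFDavg is approximated as lambda_d x T / 2, which is the relationship the article's test intervals imply.

```python
"""Deployment-qualified failure rates, sub-system MTBFd and proof-test interval.

Assumptions (taken from the article's worked figures, not a general table):
- field devices: 0.0033/yr standard, 0.0011/yr reduced, 0.01/yr increased;
- safe-area devices (barriers, trip amplifier): 0.0011/yr standard, 0.00037/yr reduced;
- single channel, low-demand mode: PFDavg ~ lambda_d * T / 2.
"""
from dataclasses import dataclass
from typing import List, Sequence

MID_SIL1_PFD = 0.0316  # function PFD target used in the article


@dataclass(frozen=True)
class Device:
    name: str
    mtbf_d_years: float     # certified MTBF for dangerous failures (years)
    deployment_rate: float  # real-world (deployment) dangerous failure rate (1/yr)

    @property
    def deployed_rate(self) -> float:
        """Certified rate assumed to apply as declared, plus the deployment figure.
        A 'perfect' device (infinite MTBF) is therefore capped at 1/deployment_rate."""
        return 1.0 / self.mtbf_d_years + self.deployment_rate


def subsystem_rate(devices: Sequence[Device]) -> float:
    """Series sub-system: any dangerous failure trips the sub-system, so rates add."""
    return sum(d.deployed_rate for d in devices)


def subsystem_mtbf_d(devices: Sequence[Device]) -> float:
    return 1.0 / subsystem_rate(devices)


def proof_test_interval(devices: Sequence[Device], allocation: float,
                        pfd_target: float = MID_SIL1_PFD) -> float:
    """Longest test interval T (years) such that lambda * T / 2 <= allocated PFD."""
    return 2.0 * allocation * pfd_target / subsystem_rate(devices)


def final_element(field_dep: float, barrier_dep: float) -> List[Device]:
    """Barrier 10000 y; solenoid valve, actuator and remotely operated valve 200 y each."""
    return [Device("SOV driver barrier", 10000, barrier_dep),
            Device("solenoid valve", 200, field_dep),
            Device("actuator", 200, field_dep),
            Device("remotely operated valve", 200, field_dep)]


def sensor(field_dep: float, safe_area_dep: float) -> List[Device]:
    """Pressure transmitter 1000 y, repeater barrier 2000 y, trip amplifier 1250 y."""
    return [Device("pressure transmitter", 1000, field_dep),
            Device("repeater barrier", 2000, safe_area_dep),
            Device("trip amplifier", 1250, safe_area_dep)]
```

Running `proof_test_interval(final_element(0.0033, 0.0011), 0.5)` reproduces the 1.2-year interval, and `sensor(0.01, 0.0033)` with a 0.35 allocation reproduces the 1.17-year interval for the increased-vulnerability case.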
Reliability Data for Safety Instrumented Systems, PDS Data Handbook 2010 Edition, SINTEF