SIF Design: Meeting the Targets

What to do if your SIF Design fails to meet it's SIL Target after performing a SIL Verification

SIF Design: Meeting The Targets

Performing a Random Hardware Failures Assessment (commonly known as Safety Integrity Level Verification, or SIL Verification) on a Safety Instrumented Function (SIF) is a key requirement, which falls under Phase 4 of the Functional Safety Lifecycle detailed in IEC 61511. In other words, your SIF Design needs to meet the required Target Failure Measure; either Average Probability of Failure on Demand (PFDavg) for low demand SIFs or Average Frequency of a Dangerous Failure (PFH) for high demand or continuous SIFs.

Equally important is meeting the minimum requirements for hardware fault tolerance (system architecture).

Seems simple enough, but what if you discover that your SIF Design fails to meet its PFDavg / PFH and corresponding SIL Target?

So what can you do if your SIF Design fails to meet it’s SIL Target?

Well, before the panic sets in and you scrap everything, it’s worth looking and exploring a few options which could impact and potentially increase the reliability of a device/sub-system.  The following options are worth looking at, however before implementing any changes, you must investigate the impact that these changes may have on any other safety systems or processes (i.e. ensuring no additional hazards are introduced!) So what can you do? Take a look at:

Who’s the main culprit?!

The first step is to identify which device or subsystem in your SIF is impacting the reliability the most i.e. which device is the ‘weakest link’ and causing the SIF to fail? Is this failing to meet the target in terms of the PFH / PFDavg or the Architecture or maybe even both?

Proof Test Interval

Reducing the interval (i.e. increasing the frequency) at which you carry out your proof testing can increase the SIF reliability as the mean down time of the failed device will decrease, thus decreasing the PFDavg.  ESC’s ProSet® Optimisation Tool allows users to conduct a sensitivity analysis to assess the impact of varying the proof test interval and proof test coverage on the overall PFDavg and hence determine the optimal proof testing parameters for each device(s).

Proof Test Coverage (PTC)

Just how robust are your proof testing procedures (see our previous blog on this very topic “Is your Safety Instrumented System being proof-tested correctly?“)? What proportion of dangerous failures do you think are revealed by proof test?  As a default, one might apply a figure of 90%… Is this too conservative? Of course, increasing the robustness of your proof test can increase your proof test coverage and hence improve the overall reliability of your SIF.  I should point out here though that, as a responsible SIS Engineer, one should be pushing as close as possible to 100% PTC through robust procedures regardless of PFDavg.  A less arduous PFDavg target is NOT justification for poor proof testing procedures!

Redundancy

Implementing an additional device to your sub-system in a redundant configuration can improve the PFH / PFDavg as well as increase the allowable SIL in terms of Architectural Constraints due to the increase in Hardware Fault Tolerance (HFT). If this option is viable, possible common mode failures between the devices need to be considered and included in the modelling.

Additionally, by staggering your proof testing on redundant devices, you can increase the likelihood of detecting common cause failures and hence decrease the overall PFDavg of the sub-system, specifically the PFDavg due to common mode failures.

Review the technology of each device

By reviewing the type of device you are using it may be possible to select one with an either a higher reliability or one with greater diagnostic capability.  For example, a mechanical limit switch might be replaced with a more-reliable proximity switch or change a Pallister gas detector for an Infra-Red detector.

Also, using device-specific failure rate data instead of data for a generic device may improve your numbers and will also provide a better and more accurate reflection of your system.

Furthermore, by using a SIL capable device which has been assessed by a competent organisation for the defined safety function, you will have a greater confidence that the safety related system you are using is compliant with the requirements of IEC 61508 in achieving the specific safety function with a SIL ‘n’ requirement.   ESC have the expertise to guide you through the Assessment / Certification process, in line with the relevant standard, to achieve compliance for the specified SIL both in terms of Random Hardware and Systematic Capability, whilst ensuring complete traceability for end-users.

Partial Stroke Testing

If the final element is a shutdown valve, consideration can be given to the introduction of partial stroke testing at regular intervals with the aim of testing a certain percentage of failure modes which will be revealed during this test without having to fully close the valve. Again, the Optimisation Tool included as part of the ESC ProSET® package can calculate the effects of Partial Stroke Testing, without modifying your base calculations.

SIL 4 Targets

On a final note, it is worth mentioning that although the above methods can potentially improve the overall reliability of a SIF, if your SIF Design has a SIL 4 Target, it is probably best to take a step back and look at your design and process to consider additional means of risk reduction instead of relying solely on one SIF which is expected to function correctly at least 9999 out of 10000 times!