Search
-
Recent Posts
Recent Comments
- Gabi Spencer on The importance of Process Hazard Analysis studies
- Ephraim Gasitene Phonela on The importance of Process Hazard Analysis studies
- Gabi Spencer on ESC’s TÜV Rheinland Cyber Security Training Program
- David Dewdney on ESC’s TÜV Rheinland Cyber Security Training Program
- David Balfour on Functional Safety (FS) for Technicians – Proposed CompEx modules
Archives
- May 2022
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- January 2020
- July 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- November 2018
- August 2018
- April 2018
- March 2018
- February 2018
- November 2017
- May 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- August 2015
- June 2015
- May 2015
- February 2015
- November 2014
- September 2014
- July 2014
- April 2014
Categories
SIF Design: Meeting the Targets
SIF Design: Meeting The Targets
Performing a Random Hardware Failures Assessment (commonly known as Safety Integrity Level Verification, or SIL Verification) on a Safety Instrumented Function (SIF) is a key requirement, which falls under Phase 4 of the Functional Safety Lifecycle detailed in IEC 61511. In other words, your SIF Design needs to meet the required Target Failure Measure; either Average Probability of Failure on Demand (PFDavg) for low demand SIFs or Average Frequency of a Dangerous Failure (PFH) for high demand or continuous SIFs.
Equally important is meeting the minimum requirements for hardware fault tolerance (system architecture).
Seems simple enough, but what if you discover that your SIF Design fails to meet its PFDavg / PFH and corresponding SIL Target?
So what can you do if your SIF Design fails to meet it’s SIL Target?
Well, before the panic sets in and you scrap everything, it’s worth looking and exploring a few options which could impact and potentially increase the reliability of a device/sub-system. The following options are worth looking at, however before implementing any changes, you must investigate the impact that these changes may have on any other safety systems or processes (i.e. ensuring no additional hazards are introduced!) So what can you do? Take a look at:
Who’s the main culprit?!
The first step is to identify which device or subsystem in your SIF is impacting the reliability the most i.e. which device is the ‘weakest link’ and causing the SIF to fail? Is this failing to meet the target in terms of the PFH / PFDavg or the Architecture or maybe even both?
Proof Test Interval
Reducing the interval (i.e. increasing the frequency) at which you carry out your proof testing can increase the SIF reliability as the mean down time of the failed device will decrease, thus decreasing the PFDavg. ESC’s ProSet® Optimisation Tool allows users to conduct a sensitivity analysis to assess the impact of varying the proof test interval and proof test coverage on the overall PFDavg and hence determine the optimal proof testing parameters for each device(s).
Proof Test Coverage (PTC)
Just how robust are your proof testing procedures (see our previous blog on this very topic “Is your Safety Instrumented System being proof-tested correctly?“)? What proportion of dangerous failures do you think are revealed by proof test? As a default, one might apply a figure of 90%… Is this too conservative? Of course, increasing the robustness of your proof test can increase your proof test coverage and hence improve the overall reliability of your SIF. I should point out here though that, as a responsible SIS Engineer, one should be pushing as close as possible to 100% PTC through robust procedures regardless of PFDavg. A less arduous PFDavg target is NOT justification for poor proof testing procedures!
Redundancy
Implementing an additional device to your sub-system in a redundant configuration can improve the PFH / PFDavg as well as increase the allowable SIL in terms of Architectural Constraints due to the increase in Hardware Fault Tolerance (HFT). If this option is viable, possible common mode failures between the devices need to be considered and included in the modelling.
Additionally, by staggering your proof testing on redundant devices, you can increase the likelihood of detecting common cause failures and hence decrease the overall PFDavg of the sub-system, specifically the PFDavg due to common mode failures.
Review the technology of each device
By reviewing the type of device you are using it may be possible to select one with an either a higher reliability or one with greater diagnostic capability. For example, a mechanical limit switch might be replaced with a more-reliable proximity switch or change a Pallister gas detector for an Infra-Red detector.
Also, using device-specific failure rate data instead of data for a generic device may improve your numbers and will also provide a better and more accurate reflection of your system.
Furthermore, by using a SIL capable device which has been assessed by a competent organisation for the defined safety function, you will have a greater confidence that the safety related system you are using is compliant with the requirements of IEC 61508 in achieving the specific safety function with a SIL ‘n’ requirement. ESC have the expertise to guide you through the Assessment / Certification process, in line with the relevant standard, to achieve compliance for the specified SIL both in terms of Random Hardware and Systematic Capability, whilst ensuring complete traceability for end-users.
Partial Stroke Testing
If the final element is a shutdown valve, consideration can be given to the introduction of partial stroke testing at regular intervals with the aim of testing a certain percentage of failure modes which will be revealed during this test without having to fully close the valve. Again, the Optimisation Tool included as part of the ESC ProSET® package can calculate the effects of Partial Stroke Testing, without modifying your base calculations.
SIL 4 Targets
On a final note, it is worth mentioning that although the above methods can potentially improve the overall reliability of a SIF, if your SIF Design has a SIL 4 Target, it is probably best to take a step back and look at your design and process to consider additional means of risk reduction instead of relying solely on one SIF which is expected to function correctly at least 9999 out of 10000 times!
Certificate No.