In a couple of recent projects and discussions, I have come across something extremely concerning. Engineers are very good at performing accurate calculations, and the PFDavg and PFH computations for SIL performance verification are improving in precision all the time. Unfortunately, there is often such a focus on the details of the calculation that some critical big-picture items go missing. Although it is important to properly estimate the effects of partial proof test coverage, redundant architectures and high diagnostic coverage on the PFDavg and PFH to get a precise result, we miss the basic question: “Should we believe the numbers?”
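To make concrete what the "precise" part of a SIL verification looks like, here is a small added example (my own, not code from the original post) that evaluates the simplified IEC 61508 1oo1 formulas for PFDavg and PFH with diagnostic coverage and partial proof testing. The failure rate, diagnostic coverage, proof test coverage and intervals are constructed sample values, and the formulas assume random hardware failures only, with repair time ignored; nothing in them accounts for the systematic problems the rest of the post is about.

```python
# Added example: simplified 1oo1 PFDavg / PFH evaluation with diagnostic
# coverage (DC) and partial proof test coverage (PTC).  Sample values are
# constructed for illustration, not vendor data.

HOURS_PER_YEAR = 8760.0


def dangerous_undetected_rate(lambda_d, dc):
    """lambda_DU = lambda_D * (1 - DC): dangerous failures that diagnostics miss."""
    if not 0.0 <= dc <= 1.0:
        raise ValueError("diagnostic coverage must lie in [0, 1]")
    return lambda_d * (1.0 - dc)


def pfd_avg_1oo1(lambda_du, t_full, ptc=0.0, t_partial=None):
    """Simplified 1oo1 PFDavg, random hardware failures only, MTTR ignored.

    Without partial testing:  lambda_DU * T_full / 2.
    With partial testing: the fraction PTC of lambda_DU that the partial
    test can reveal is credited with the shorter interval; the remainder
    is only revealed at the full proof test.
    """
    if t_partial is None or ptc == 0.0:
        return lambda_du * t_full / 2.0
    if not 0.0 <= ptc <= 1.0:
        raise ValueError("proof test coverage must lie in [0, 1]")
    if t_partial > t_full:
        raise ValueError("partial test interval cannot exceed full interval")
    covered = ptc * lambda_du * t_partial / 2.0
    uncovered = (1.0 - ptc) * lambda_du * t_full / 2.0
    return covered + uncovered


def pfh_1oo1(lambda_du):
    """Simplified 1oo1 PFH for high/continuous demand: lambda_DU per hour."""
    return lambda_du


def sil_band_low_demand(pfd):
    """IEC 61508 low-demand SIL band for a PFDavg value (0 if below SIL 1)."""
    bands = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
    for sil, lo, hi in bands:
        if lo <= pfd < hi:
            return sil
    return 0


def worked_example():
    """Constructed valve assembly: lambda_D = 1e-6 /h, DC = 60 %, annual proof
    test, optional quarterly partial stroke test with PTC = 70 %."""
    lam_du = dangerous_undetected_rate(1.0e-6, 0.6)          # 4e-7 /h
    annual = pfd_avg_1oo1(lam_du, HOURS_PER_YEAR)            # 1.752e-3
    partial = pfd_avg_1oo1(lam_du, HOURS_PER_YEAR,
                           ptc=0.7, t_partial=HOURS_PER_YEAR / 4)  # 8.322e-4
    return {
        "lambda_du": lam_du,
        "pfd_annual": annual,
        "sil_annual": sil_band_low_demand(annual),
        "pfd_with_partial": partial,
        "sil_with_partial": sil_band_low_demand(partial),
        "pfh": pfh_1oo1(lam_du),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key:18s} {value}")
```

Adding the partial stroke test moves the paper result from the SIL 2 band into the SIL 3 band, which is exactly the kind of precision the post describes; the calculation is only as trustworthy as the assumption that the installed components actually fail at the modelled random rate.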
The first thought is, why shouldn’t we? There is now a wide range of reliable failure rate data for all sorts of safety components, along with established software tools that make the detailed calculation easy and reproducible, which is great.
Unfortunately, the part that tends to fall by the wayside is whether or not the random failure rate data will actually match the performance in a particular plant.
What if the component vendor got a good deal on some steel castings for the new valve bodies from a “friend” somewhere?
What if the design contract was awarded on low bid to a company with good standard controls experience but no experience with the safety lifecycle?
What if the software is also configured from a similar perspective?
What if the installation and commissioning run behind schedule so that the safety elements do not all get fully tested/validated before the plant starts up?
What if the maintenance program operates on a run-to-fail repair schedule, which guarantees all components will fail in service?
What if no one ever bothers to check if the actual performance of the plant or the safety system matches the performance estimates from the safety requirements specification, if there even is one?
Any of these potential systematic problems can lead to systematic failures that make all our calculations worse than useless. I realize that "worse than useless" is a severe statement, but it is true. Useless just means zero value. These systematic failures are much worse, since they come at us when we believe we are in good shape but are actually in grave, imminent danger. The old Road Runner cartoons come to mind: the coyote is standing out in midair but has not yet realized there is no ground underneath. Not a fun place to be.
So, yes, do the PFDavg and PFH calculations as part of verifying the SIL, but also check the component vendors for IEC 61508 compliance in their management of systematic failures, and follow through on all the IEC 61511 / ISA 84.01-2004 user safety lifecycle requirements, so you can actually believe the numbers.