I am working on a SIL verification project and just had to share some observations.
For this project, the customer decided to choose a logic solver for which no data is listed in the exida Safety Equipment Reliability Handbook (SERH). One could ask:
Well the simple answer is that we have contacted this particular manufacturer multiple times and we have been met with silence. Apparently there is no interest from the manufacturer to have their product listed in the database. Do they think that an exida analysis of the data would identify potential issues?
- What now?
The SERH database fortunately contains “generic” components for all equipment categories. One can select these generic components if there is no data for a specific component or if it is not decided what the final equipment item is going to be.
After completing my SIL verification using the exSILentia® tool, the customer provided a calculation sheet from the manufacturer. When reviewing the calculation sheet, I had to conclude that the information provided was not sufficient to be included in the exSILentia® models for the project: no failure data, no proof test coverage, no mission time, etc. The manufacturer calculation results raised some concerns, specifically since the calculated PFDAVG (7.7E-6) suggested that the total dangerous undetected failure rate of the logic solver was about equal to the failure rate of a single resistor when assuming that all undetected failures will be revealed during a proof test (highly unrealistic). Is the logic solver really this good? This must be the best thing ever…
The calculation sheet suggests that the calculations have been reviewed by one of the TÜV organizations in Germany, however in this case this is the same organization that suggests failure rates for solenoid valves are lower than the failure rate of a single resistor; as such this only discredits the calculation sheet in my opinion.
So what is the best path forward for this SIL verification project? Well the problems in SIF are usually always in the final elements, i.e. this is the largest PFDAVG contributor. For one of the SIFs the achieved Risk Reduction Factor was 127 when using the Generic SIL 3 PLC failure rate data in the SIL verification calculations. I ran a simple calculation to demonstrate that if one assumes that the complete SIF is only made up off the final element part (i.e. the PFDAVG of the sensor and logic solver are 0), the achieved Risk Reduction Factor was 128. The problem really is in the final elements.
Why are manufacturers suggesting their logic solvers fail less frequent than a resistor? Don’t these logic solvers have any resistors themselves? Why do 3rd parties accept these kinds of claims? Your lesson learned: If it sounds too good to be true, it probably is. Don’t blindly accept data provided from any source without some healthy scrutiny of the results.