Oftentimes when this comes up during class it’s clear that there’s a misunderstanding as to how these three variables can impact the PFDavg calculations. Mission Time is defined as the period of time over which a set of Safety Instrumented Function (SIF) equipment is expected to operate without major overhaul or replacement. Many people confuse Mission Time with Useful Life. Within a SIF there will be devices from different manufacturers, each potentially having a different Useful Life, so it’s up to the End User to establish Mission Time. For example, they may set this to be when the valves need to be overhauled or replaced, which could be 10 years based upon the Useful Life. However, the actuator may only have a 5-year Useful Life, so it would need to be replaced at the end of 5 years, before Mission Time expires. It is not up to the Engineering Company to set the Mission Time, since it’s highly dependent upon End User practices. Some End Users may tie this into a turnaround, say every 5 years, where they will do the necessary replacement and refurbishment. Again, this will be down to End User preference.
The Proof Test Interval is another variable that needs to be carefully considered, depending upon the Mission Time and target SIL. For example, if Mission Time is set high (e.g. 30 years) and the Proof Test Interval fixed at 5 years, then it will be very difficult to achieve any SIL 2 SIFs with a target Risk Reduction Factor (RRF) over 400, especially if the Proof Test Coverage is relatively low (e.g. 65%). Therefore, these 3 variables need to be considered carefully and must be taken into consideration with the End User practices. It is important for designers not to design in isolation. We had an example where the SIS designers had to set the Proof Test Interval to 3 months to meet the target SIL, because the Mission Time was set too high. The End User could not perform Proof Testing every 3 months since they didn’t have the manpower and so were set up to fail. In the end the Mission Time had to be significantly reduced since the Proof Test Interval was fixed against a turnaround and couldn’t be changed.
The reason Mission Time has such a bearing on the PFDavg is imperfect Proof Testing. The Proof Test Coverage is a measure of how effective the Proof Test is at finding dangerous failures that automatic diagnostics have not been able to find. It is expressed from 0 to 100%, where 100% is perfect Proof Testing. In other words, if you are claiming 100% then you are saying you can find and fix all the dangerous failures every time you do a Proof Test, in which case Mission Time has no bearing because the PFDavg would be zero after every Proof Test. This, of course, is a fallacy.
Consider for a moment a safety function that uses a butterfly valve and a pneumatic single action actuator to implement a close-to-trip function. A full stroke proof test of the actuator and valve assembly is done with visual confirmation of the rotation. Are there any potential undetected dangerous failures? Yes, of course there are, because you could have a damaged seal, a damaged shaft, a damaged butterfly, etc. You will only be able to discover these once the valve is disassembled. If anyone tries to tell you otherwise, then they are just deluding themselves.
If we now agree that Proof Testing is “Imperfect”, then we must account for the fact that there will always be a percentage of dangerous failures that we will not be able to find at each proof test. This can be illustrated using a simple approximation formula for PFDavg based upon an HFT = 0 in Low Demand:
PFDavg ≈ (PTC × λD × PTI)/2 + ((1 − PTC) × λD × MT)/2
Where:
λD = Dangerous Failure rate
PTC = Proof Test Coverage (0 to 100%)
(1 − PTC) = % of dangerous failures not found
PTI = Proof Test Interval
MT = Mission Time
In this simplified formula you can see the impact of imperfect Proof Testing over Mission Time, since the undetected dangerous failures (identified as (1-PTC)) accumulate over Mission Time. Ergo, Mission Time has a significant impact on the PFDavg. This impact depends directly on the effectiveness of the Proof Test, governed by Proof Test Coverage, and the time between tests, governed by the Proof Test Interval. Therefore, if Mission Time is high in conjunction with a long Proof Test Interval, then the PFDavg will be higher and the risk reduction lower (i.e. RRF = 1/PFDavg).
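The simplified formula above, worked through as an added example that is not part of the original article: it evaluates the 30-year Mission Time, 5-year Proof Test Interval, 65% coverage case mentioned earlier and then inverts the formula to find the longest Proof Test Interval or Mission Time that still meets a target RRF. The dangerous failure rate is a constructed value, the function names are hypothetical, and the SIL bands are the standard low-demand PFDavg ranges.

```python
# Added example (not from the original article): simplified PFDavg, HFT = 0, low demand.
HOURS_PER_YEAR = 8760
LAMBDA_D = 1e-7  # dangerous failure rate per hour; constructed value, not from the article

# Low-demand SIL bands by PFDavg: (SIL, lower bound, upper bound)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def pfd_avg(lambda_d, ptc, pti_years, mt_years):
    """PFDavg = PTC*lD*PTI/2 + (1-PTC)*lD*MT/2, with PTI and MT given in years."""
    found = ptc * lambda_d * pti_years * HOURS_PER_YEAR / 2
    missed = (1 - ptc) * lambda_d * mt_years * HOURS_PER_YEAR / 2
    return found + missed


def sil_band(pfd):
    """SIL band a PFDavg falls in, or 0 if it is outside the SIL 1 to 4 bands."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def max_pti_years(lambda_d, ptc, mt_years, target_rrf):
    """Longest PTI that still meets target_rrf, or None if no PTI can."""
    budget = 1 / target_rrf
    missed = (1 - ptc) * lambda_d * mt_years * HOURS_PER_YEAR / 2
    if missed >= budget:
        return None  # undetected failures alone use up the whole PFDavg budget
    if ptc == 0:
        return float("inf")  # nothing is found by testing, so PTI has no effect
    return 2 * (budget - missed) / (ptc * lambda_d * HOURS_PER_YEAR)


def max_mt_years(lambda_d, ptc, pti_years, target_rrf):
    """Longest Mission Time that still meets target_rrf, or None if none can."""
    budget = 1 / target_rrf
    found = ptc * lambda_d * pti_years * HOURS_PER_YEAR / 2
    if found >= budget:
        return None  # the proof-tested share alone already exceeds the budget
    if ptc == 1:
        return float("inf")  # perfect testing: Mission Time has no bearing
    return 2 * (budget - found) / ((1 - ptc) * lambda_d * HOURS_PER_YEAR)


if __name__ == "__main__":
    pfd = pfd_avg(LAMBDA_D, 0.65, 5, 30)
    print(f"MT 30 y, PTI 5 y, PTC 65%: PFDavg={pfd:.5f}, RRF={1/pfd:.0f}, SIL {sil_band(pfd)}")
    print("Max PTI for RRF 400 at MT 30 y:", max_pti_years(LAMBDA_D, 0.65, 30, 400))
    print(f"Max MT for RRF 400 at PTI 5 y: {max_mt_years(LAMBDA_D, 0.65, 5, 400):.1f} y")
```

With the assumed failure rate, the 30-year case gives an RRF of about 166, and no Proof Test Interval can reach an RRF of 400 because the undetected share alone exceeds the PFDavg budget. Holding the Proof Test Interval at 5 years, the Mission Time would have to come down to about 7 years.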
The cumulative effect of Imperfect Proof Testing can be seen in the diagram below, as over time, the PFDavg increases and eventually crosses the threshold from one SIL level down to the next; in this example, from SIL 3 to SIL 2.

In summary, we need to take care when selecting Mission Time and Proof Test Interval in conjunction with the achievable Proof Test Coverage. The manufacturers’ safety manuals will provide a recommended Proof Test and Proof Test Coverage for each item of SIF equipment. SIS designers need to create an overall SIF Proof Test from this information and document the Proof Test Interval in the Safety Requirements Specification (SRS). The End User will need to follow the Proof Test Interval defined in the SRS and track the Useful Life of each of the SIF devices, along with Mission Time, if the SIFs are to maintain their performance targets.
If you’d like to understand this in more detail, then check out our webinar on this topic: "The Importance of Mission Time, Proof Test and Proof Test Coverage - How They Impact PFDavg and SIL"