I have been asked this question many times by various clients over the years.  This comes down to whether a perfect proof test is assumed or not.  Let us remember that Mission Time is defined as the amount of time we expect a set of SIF equipment to run until a major overhaul is required, usually based upon the useful life of the devices.  This time is set by the end user.  Some companies are still not appreciating how greatly they will overstate the risk reduction of the Safety Instrumented Function (SIF) by assuming perfect proof testing since Mission Time then has no impact.  

Therefore, what is perfect proof testing and what does this mean?  Simply put, perfect proof testing assumes that you can find and fix ALL dangerous failures in a SIF during the test.  Or, in other words, 100% coverage.  If true, then what happens to the Probability of Failure on Demand (PFD) if we do a test and can find and fix all the dangerous failures?  If there are no dangerous failures, then the probability of failing is zero and we start again until the next test.  This would mean that after each test our probability of failing is zero, so we effectively reset the PFD to zero each time we do a proof test.  Consequently, Mission Time has no effect on the PFD since we reset the PFD to zero after each test.

In reality, this is simply not possible when considering a valve as the final element.  We know that using a partial valve stroke (assuming the device is capable of being moved a certain amount without either tripping or affecting the process), and the valve moves, then it’s not stuck.  This would account for a significant number of dangerous failures since things like stiction, cold welding and binding are all dangerous failures when these devices are static for long periods of time, as in low demand applications (i.e. could be years between operation).  Also, how will we know if the valve fully closes and seats properly? We won’t know by doing a partial stroke; we also won’t know if the valve shaft is damaged or any of the internal seals are damaged even when doing a full stroke.  These types of failures are only ever found when the valve is refurbished and/or dismantled, therefore, cannot be found during a proof test.

If we accept the premise that there is no such thing as 100% proof test coverage, then Mission Time has a direct impact on the PFD.  Let’s consider the math for the moment (more on this in the webinar).  At its simplest, the probability of failure (PF) can be determined to be a function of the failure rate (of the SIF equipment) x the time interval.  When considering doing a proof test then the test interval will be the time, and we would need to know the dangerous failure rates of the devices.  Given that we don’t have perfect proof testing and instead of 100% coverage we can only achieve, for example, 80% coverage (i.e. only able to find 80% of the dangerous failures), then we cannot simply say that our PFD = dangerous failure rate x test interval because now we have to account for the dangerous failures we cannot find, 20% in our example (i.e. 100% – 80% = 20%).  Therefore, we must adjust our simple formula to account for the dangerous failures we can’t find over the Mission Time.  If we think of it logically, for this example, every time we do a proof test, we will not be able to find 20% of the dangerous failures, which will have a cumulative effect on the PFD over the mission time, every time we do a test.  In other words, our PFD does not reset to zero and will increase more quickly over time, with the corresponding risk reduction being reduced.

Consider that our simple PFD (assuming 100% Coverage) = dangerous failures we can find when we test, x Time; with imperfect proof testing, this needs to be adjusted to account for the dangerous failures we can’t find every time we do a test

Therefore, the PFD = portion of dangerous failures we can find when we test x test interval + portion of dangerous failures we can’t find x the mission time (this math will be explained in more detail during the webinar).

From this we can now see that the time we choose for Mission Time, in conjunction with the Time Interval we choose for testing and the effectiveness of the test to find dangerous failures, will all impact the PFD of the SIF.  Hence, SIL verification has to consider these 3 variables with Mission Time being the longest time and potentially having the biggest impact.  Oftentimes, because clients have assumed perfect proof testing, we have found that their calculations have grossly overstated the risk reduction achieved by the SIFs.  When performing SIL verification it is important to understand this relationship and to account for imperfect proof testing, to achieve more realistic PFD results.

If this blog has generated some interest in learning more, then please look out for the upcoming webinar on this topic.


Related Items

exida Functional Safety Services for the Process Industry

exSILentia - Integrated Safety Lifecycle Tool


Tagged as:     Steve Gandy     SIL verification     Mission Time  

Other Blog Posts By Steve Gandy