An exSILentia user just reached out to me inquiring how their SIL verification results changed with changing Site Safety Index (SSI), even though they did not include the SSI in the failure rate selection. Though it is not a frequent question, I can imagine other users of the SILver tool running into the same issue. So let’s have a look at how SSI impacts the probability calculations and how it is implemented in the SILver module.
Site Safety Index
SSI accounts for a site's specific operational practices with regard to maintaining their safety instrumented system. This is reflected in the site’s effectiveness and correctness in the execution of repair and maintenance. In addition, field failure studies show the impact of properly maintaining the safety instrumented system, resulting in lower-than-average failure rates for sites that excel at these tasks. Conversely, sites that manage their safety instrumented system poorly and are unable to keep up with maintenance tasks experience higher failure rates than the average process industry plant.
exida defined 5 SSI levels to allow users to estimate how well they believe their site manages the maintenance and operation of their safety devices. Detailed descriptions for these are provided in the table below. Note that the average process industry plant will meet an SSI 2 level.
Level | Description |
---|---|
SSI 4 | Perfect - Repairs are always correctly performed. Testing is always done correctly and on schedule, equipment is always replaced before end of useful life, equipment is always selected according to the specified environmental limits and process compatible materials, electrical power supplies are clean of transients and isolated, pneumatic supplies and hydraulic fluids are always kept clean, etc. This level is generally considered to be extremely hard to achieve, but possible in some organizations. |
SSI 3 | Almost Perfect - Repairs are correctly performed. Testing is done correctly and on schedule, equipment is normally selected based on the specified environmental limits and a good analysis of the process chemistry and compatible materials. Electrical power supplies are normally clean of transients and isolated, pneumatic supplies and hydraulic fluids are mostly kept clean, etc. Equipment is replaced before end of useful life, etc. |
SSI 2 | Good - Repairs are usually correctly performed. Testing is done correctly and mostly on schedule, most equipment is replaced before end of useful life, etc. |
SSI 1 | Medium - Many repairs are correctly performed. Testing is done and mostly on schedule, some equipment is replaced before end of useful life, etc. |
SSI 0 | None - Repairs are not always done. Testing is not done, equipment is not replaced until failure, etc. |
SSI Impact – Repair Transactions
Consider the definition of SSI 2:
Good - Repairs are usually correctly performed, Testing is done correctly and mostly on schedule, Equipment is mostly replaced before end of useful life, Equipment is often selected according to the specified environmental limits and process compatible materials, Electrical power supplies may have transient voltage spikes and surges, Pneumatic supplies and hydraulic fluids are usually kept clean, etc.
From that description one can see that SSI will impact repair probability. Let’s look at the extremes.
SSI 0: None
With an SSI level 0 selection, you are saying that there is no adherence to functional safety requirements or more specifically, “Repairs are not always done, Testing is not done”. In other words, the probability of correct repair and testing is 0%. Therefore, assuming an SSI level of 0 will have the same impact as assuming that all failures are undetected and that there is no proof testing.
This can be easily seen in the two PFD charts below. The first chart shows PFD as a function of time for a typical process industry plant, assuming an SSI of 2. The second chart shows the exact same configuration but now it is assumed that the SSI is 0. The typical saw tooth behavior in the PFD chart, which shows the impact of any proof testing, completely disappears because of the SSI 0 selection. This makes sense as the SSI 0 selection specifies that no testing is performed, and all failures are assumed to be undetected.
SSI 4: Perfect
With an SSI level 4 selection, you are saying that the adherence to functional safety requirements is perfect. In other words, “Repairs are always correctly performed, Testing is always done correctly and on schedule, etc.” This equates to a probability of correct repair and testing equal to 100%. This does not mean that you are assuming that all proof tests are 100% effective. The proof test coverage is not impacted by this assumption; you are only assuming that when the test is performed, it is done perfectly.
We can look at the impact of this assumption by comparing the two PFD charts below. Again, the first chart shows PFD as a function of time for a typical process industry plant, assuming an SSI of 2. The second chart in this case shows the exact same configuration but now it is assumed that the SSI is 4. Though the charts look very similar, you can distinguish a slightly deeper saw tooth in the SSI 4 PFD chart, as the testing and repair actions are perfect.
SSI Impact – Failure Rates
As described above, field failure studies show that well-managed sites with high adherence to functional safety requirements experience lower failure rates than the average process industry plant. On the other hand, poorly managed sites with low adherence to functional safety requirements experience higher failure rates than the average process industry plant. Another way of looking at this is by comparing a benign, sheltered, air-conditioned environment that has adequate staff to work on issues with an unmanned offshore platform. It will be much easier to ensure equipment is operated and maintained within the assumed environment in the sheltered scenario than in the offshore one.
During a Failure Modes, Effects, and Diagnostic Analysis (FMEDA) exida will evaluate the type and complexity of use of the product to then predict failure rates for the different SSI levels. Below is an example of a device with 5 sets of failure rates, one for each SSI level. Note that the average process industry plant aligns with SSI 2.
SSI in exSILentia SILver
In exSILentia SILver you can specify to consider SSI for test and repair actions separately from the consideration of SSI in failure rates. You can also specify what the SSI level should be for different parts of the SIF, i.e., Sensor, Logic Solver, and Final Element.
The checkbox “Include SSI in Failure Rate Selection” indicates which failure rate set you are using in the calculations. If you leave this box unchecked, exSILentia will use the default SSI 2 failure rate set as this represents the typical process industry plant.
The repair probabilities for the various parts of the SIF are impacted by the respective drop-down box selections. So even if you indicate that you do not want to use the SSI in the failure rate selection, SSI will still have an impact on the test and repair activities. Hence, changing SSI will always cause your calculated PFD to change.
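The effect described above can be reproduced with a simplified saw-tooth model; this is an added example, not exida's or SILver's calculation. It keeps the failure rate fixed (as with the “Include SSI in Failure Rate Selection” box unchecked) and varies only the probability of correct test and repair. The 1oo1 model, the numeric inputs and the probabilities for SSI 1 to 3 are assumptions.

```python
import math

# Assumed probability that a proof test and repair is carried out correctly.
# Only the end points (SSI 0 = 0 %, SSI 4 = 100 %) come from the article;
# the SSI 1-3 values are constructed for illustration.
P_CORRECT = {0: 0.0, 1: 0.6, 2: 0.9, 3: 0.97, 4: 1.0}

def pfd_curve(lambda_du, test_interval_h, mission_h, test_coverage, ssi):
    """Hourly PFD(t) of a single (1oo1) element, simplified model."""
    p = P_CORRECT[ssi]
    survive_1h = math.exp(-lambda_du)  # no new dangerous undetected failure in 1 h
    pfd, curve = 0.0, []
    for hour in range(1, mission_h + 1):
        pfd = 1.0 - (1.0 - pfd) * survive_1h
        if hour % test_interval_h == 0 and hour < mission_h:
            # A proof test can reveal a fraction `test_coverage` of latent
            # failures; only a fraction `p` of tests/repairs is done correctly.
            pfd *= 1.0 - test_coverage * p
        curve.append(pfd)
    return curve

def pfd_avg(curve):
    return sum(curve) / len(curve)

def has_sawtooth(curve):
    """True if PFD ever drops, i.e. proof testing has a visible effect."""
    return any(later < earlier for earlier, later in zip(curve, curve[1:]))

def compare_ssi(lambda_du=2e-6, test_interval_h=8760,
                mission_h=10 * 8760, test_coverage=0.9):
    """Same failure rate and test plan for every SSI level (constructed inputs)."""
    return {ssi: pfd_curve(lambda_du, test_interval_h, mission_h,
                           test_coverage, ssi) for ssi in P_CORRECT}

if __name__ == "__main__":
    for ssi, curve in compare_ssi().items():
        print(f"SSI {ssi}: PFDavg = {pfd_avg(curve):.3e}, "
              f"saw tooth: {has_sawtooth(curve)}")
```

The proof test coverage stays at 90 % for every level, so SSI 4 gives a deeper saw tooth than SSI 2 without making the test itself 100 % effective.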
If you want to completely ignore SSI in your SIL verification, you will need to assume that all repair and test activities are conducted perfectly, that no mistakes are made, etc. and therefore select SSI 4. We all know that this is far from reality so I would strongly advise against that.
Conclusion
A site's specific operational practices with regards to maintaining their safety instrumented system can have a significant impact on the overall risk reduction achieved for that site. The Site Safety Index allows users to account for real life impact of this culture in their calculated probability of failure.
The SSI impacts repair and test correctness as well as failure rates. In exSILentia SILver users can easily account for this impact via the Site Safety Index selections for the sensor, logic solver, and final element part.
The average typical process industry plant will be at an SSI level of 2.