Optimising the proof test burden
23 Dec 2017
Asset owners and operators are continuously being driven by the regulators to demonstrate that the risks posed by their processes and equipment are reduced to ‘As Low As Reasonably Practicable’ (ALARP), writes Paul Lucas.
Where instrumented systems are used to provide a significant amount of the risk reduction (more than a factor of 10), the international functional safety standard, IEC 61511, is considered to be the current best practice and guidance.
At the same time, operators are seeking ways to optimise productivity by minimising shutdown durations and reducing the overall maintenance load. A significant contributor to the maintenance and shutdown work-scope is the regular proof testing of Safety Instrumented Functions (SIFs).
The SIL Calculation
The amount of risk reduction provided by the instrumented system is denoted by the Safety Integrity Level (SIL). This is calculated by working out the average Probability of Failure on Demand (PFDavg).
In its simplest form, the PFDavg is a function of instrument failure rates and test intervals.
PFDavg calculations vary in complexity; however, there are only ever three parameters that can be manipulated:
- The target PFDavg
- The instrument failure rates
- The testing interval
For existing SIFs, each of these parameters should be considered to determine whether the test interval can be extended, or whether there is an opportunity to reduce interruption to on-line production.
Target PFDavg
Potentially the most cost-effective option is to review the target PFDavg. IEC 61511 Ed 2 encourages the end user to collect data from plant upsets and demands. With this increased understanding and experience of operating the plant, the target SIL determination (generally Layer of Protection Analysis [LOPA]) can be revisited. Values used in the initial study can be expressed more realistically and, using the latest data, it is possible that the target PFDavg may be relaxed. A less onerous target PFDavg will directly result in extended test intervals.
Alternatively, the target PFDavg may be relaxed if additional, independent protective layers can be identified or installed. An experienced LOPA leader is required to ensure that the protective layer is truly independent of the initiating cause and that the risk reduction claimed, especially by humans, is not over-optimistic.
Instrument failure rates
There are a number of different strategies that may be considered to reduce the instrument failure rate leading to extended test intervals.
- Reviewing the original PFDavg calculation to verify that the failure rates used were appropriate for the process conditions and environment
- Replacing old instrumentation with modern equipment that contains in-built diagnostics to reduce the dangerous, undetected failure rate – remembering that you must define the actions to be undertaken on detection of a failure by the diagnostics
- Replacing digital sensors (switches) with analogue instruments and using other, existing measurements to track the readings and provide deviation alarms – a form of diagnostics
- Put in more instruments in a voting configuration (1oo2, 1oo3, 2oo3) to reduce the failure rate and potentially enable testing while the asset remains on-line
- Start collecting instrument data for your facility. If you have used generic failure data (such as Offshore Reliability Equipment Database Association [OREDA]) for your PFDavg calculation, then IEC 61511 Ed 2 quotes statistical reliability models and confidence levels that may be used to derive your own instrument failure rates; often these are better than the generic data
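The three parameters listed under "The SIL Calculation" and the voting option in the list above can be tried out numerically. The following is an added example, not from the article or from ABB: it uses the widely quoted simplified low-demand PFDavg approximations and solves for the longest proof test interval that still meets a target. The failure rate, beta factor and function names are constructed for illustration.

```python
# Added example. Simplified low-demand approximations; assumptions: constant
# dangerous undetected failure rate lambda_du (per hour), perfect proof tests,
# negligible repair time, beta = common cause fraction, lambda_du * TI << 1.
HOURS_PER_YEAR = 8760

def pfd_avg(lambda_du, ti_hours, voting="1oo1", beta=0.0):
    """PFDavg of one voted group for proof test interval ti_hours."""
    x = lambda_du * ti_hours
    indep = (1.0 - beta) * x      # failures independent per channel
    common = beta * x / 2.0       # common cause defeats the redundancy
    if voting == "1oo1":
        return x / 2.0
    if voting == "1oo2":
        return indep ** 2 / 3.0 + common
    if voting == "1oo3":
        return indep ** 3 / 4.0 + common
    if voting == "2oo3":
        return indep ** 2 + common
    raise ValueError(f"unsupported voting: {voting}")

def sil_band(pfd):
    """Low-demand SIL band achieved by a PFDavg (0 means below SIL 1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

def max_test_interval(target_pfd, lambda_du, voting="1oo1", beta=0.0):
    """Longest interval (hours) meeting target_pfd. PFDavg rises with TI, so bisect."""
    lo, hi = 0.0, 100.0 * HOURS_PER_YEAR
    if pfd_avg(lambda_du, hi, voting, beta) <= target_pfd:
        return hi
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if pfd_avg(lambda_du, mid, voting, beta) <= target_pfd:
            lo = mid
        else:
            hi = mid
    return lo

if __name__ == "__main__":
    lam = 2e-6  # constructed sample failure rate, not from the article
    for label, args in [("baseline 1oo1", (1e-2, lam)),
                        ("relaxed target", (2e-2, lam)),
                        ("halved failure rate", (1e-2, lam / 2)),
                        ("1oo2, beta 10%", (1e-2, lam, "1oo2", 0.1))]:
        ti = max_test_interval(*args)
        print(f"{label:20s} max TI = {ti / HOURS_PER_YEAR:5.2f} years")
```

The common cause term dominates the redundant configurations as the interval grows, which is why the beta factor needs the same scrutiny as the failure rate itself.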
Benefits:
Extended test intervals, or minimising process interruptions while testing, are possible by applying a number of proven strategies. However, it is relatively easy to make the ‘numbers’ fit the desired result. Experienced functional safety specialists assist in ensuring that any gains are justifiable, reflect the local process and environmental conditions and that the required risk reduction is realistically attained.
Paul Lucas is principal safety consultant, ABB Ltd