Calculations for verifying a Safety Instrumented Function (SIF) with Safety Integrity Level (SIL) performance requirement are standard in the process industry these days. You will find examples in both the IEC 61508 and IEC 61511 standards and Functional Safety (FS) training courses like those available on this site.
There are also several software tools available that can help do these calculations for you, as outlined in this blog. However, no matter how good your spreadsheet or software tools are, the basis for any SIL calculation being good starts with reliable failure rate data.
How to check device failure rate data
SIS design engineers worry about some of the unrealistic failure rate numbers provided by vendors for their SIL capable products. They often seem to be just too good to be true. If we use very optimistic numbers, how can we check if these can be valid in our SIL calculations?
Failures often get presented in FITS, which stands for "Failures-In-Time, " meaning the failure rate of a device expected in one billion (109) device-hours of operation. For example,1000 devices for 1 million hours, or 1 million devices for 1000 hours each, or some other combination.
A quick check to get a feeling if the failure rates are reasonable is to compare dangerous undetected (DU) failures for the same product from multiple vendors.
Suppose all compared devices are within the same order of magnitude, for example, 400 and 900 DU FITS, there is a good chance that the data is valid.
On the other hand, if there is an outlier such as a DU failure rate of 5 FITS, then this is a good indication of an over-optimistic value that should not get used. In such a case, ask more questions of the vendor. If they cannot give you acceptable answers, you need to think twice before purchasing their product as a SIF device. The user will ultimately be responsible for justifying its use.
The worst DU failure rate number I have seen was 0.15 FITS for a trunnion ball valve. Yes, that is 1.5 x 10-10, which means one failure in every 6.67 billion hours or 761,035 years! It does not take long to search the internet to find similar trunnion ball valves used in shutdown applications typically have DU rates of between 400 and 900 FITS.
There are some free resources where you can check typical failure rates for devices used in SIF applications. One such site is silsafedata which is a free page offered by exida. I often use this for a quick check to see if a failure rate looks a bit too good to be true.
Sources of failure rate data
Prior Use Justification
The IEC 61511 definition of "prior use" is a documented assessment by a user that a device is suitable for use in a safety system and can meet the required functional and safety integrity requirements. The review should be based on data from previous operating experience in similar operational environments.
Real-life field failure data is by far the best data you can use if available, and the IEC standards are pushing in this direction. Many of the major oil & gas companies now have excellent field failure rate data based on recording actual demand rates, proof test results, and most importantly, actual failures.
Prior use does require the end-user to take responsibility for claiming a device is suitable for a SIL duty. Unless enough data and documentation have been collected and maintained, it may be challenging to justify SIL performance. Small to medium-sized companies may find they do not have sufficient data or are not comfortable taking responsibility for prior use data.
Prior use data is valuable when you have access to it. Still, often it is not available to process plant package suppliers or systems integrators who also need to meet specified SIL Targets with their equipment.
Typically, these package suppliers and smaller manufacturing companies will rely on the manufacturers of the SIF devices they purchase to help them with failure rate data to meet the specified SIL verification targets in their SIS/SIF designs as in the following items 2 & 3.
Manufacturer Declaration of Conformance
Conformance declarations based on the manufacturer's design are another source of possible failure rate data. Such declarations get produced from a design basis for the device (e.g. temperature limit, vibration limit, corrosion limit, desired maintenance support).
Manufacturer declarations are very different to a prior use justification, but they have some clear advantages. Firstly, the manufacturer takes responsibility for their accuracy, and secondly, the data does not rely on having previous operating experience. This opens up the possibility of using newer products with more advanced performance and self-diagnostics that have never been tried before.
Manufacturers will often use returned field device numbers to help make proven-in-use justifications. Be wary that these numbers are sometimes optimistic in that they may not include all returned devices when equipment is relatively low cost. It may take six months to two years to enter into service on larger projects for higher-cost devices, so it's also essential to check that this is factored into the analysis.
Generally, I treat manufacturer declarations with caution. While some manufacturers can do these well, many do not. Always do a comparison check with similar devices from other manufacturers if possible.
Non-Accredited SIL Certificates
Some SIL certificates are from individuals or independent companies who gain a reputation in assessing products or other companies to meet the IEC 61508 and IEC 61511 functional safety standard requirements. This is not illegal, but it should be clear that that a certificate is not the same as a certification by an accredited body.
Some of these organisations may do this well, but many fall short. You will often find they accept device manufacturer returns warranty data and publish it as acceptable to meet a particular SIL. Treat this with caution, and if in doubt, ask for the report to the certificate. If the analysis method is dubious or numbers seem too optimistic, you should look at other options.
Accredited Certifying Body (ACB)
Companies like CSA Group, exida and the many competing bodies using the TÜV title are Accredited Certification Bodies (ACB) in one or more fields. This means that a governmental National Accreditation Services (NAS) independently audits the certification scheme. The NAS services are signatories to the IAF – International Accreditation Forum. These accreditation body members must declare their common intention to join the IAF Multilateral Recognition Agreement, recognising the equivalence of other members' accreditations to their own.
For functional safety, the accreditations typically rely on the certifier demonstrating to the NAS that they follow the requirements of ISO/IEC17065 (certifying products, processes and services) and/or ISO/IEC 17025 (testing). This gets regularly audited, so there is some extra level of assurance that the ACB is doing a sound job.
Does this mean that a “SIL capable certification” stamped by an ACB can be trusted without question? Sadly not, but it does mean you can request information from the ACB that the manufacturer may otherwise not like to give you.
When you see failure rate data from any source that seems too good to be true, then be immediately wary. Check equivalent devices from several sources to see if the data is potentially trustworthy.
If your company has a history of field failures available from multiple sites and similar applications, then prefer using that data rather than relying on certificates.If you need to trust a “SIL capable” certificate or manufacturer declaration, ask for copies of the reports which are referenced on the certificate, and get someone competent with functional safety to make a judgement about the credibility.