I have seen several questions recently in online forums where engineers were unclear about the differences and relationships among useful life, mission time, and proof test interval. These concepts are very important for properly understanding and interpreting SIL calculations. In this post, we will define these terms and give practical guidance on how they impact Safety Instrumented Function (SIF) design.
It doesn’t help that neither IEC 61508 nor IEC 61511 formally define any of these terms. I will first give some general “textbook” definitions of the terms:
- Proof Test Interval: The period of time between proof tests (duh). A proof test is a periodic test to detect previously undetected dangerous failures in the SIS so that they may be repaired.
- Mission Time: The period of time between when the SIF (or device) is put into service and when it is replaced or completely refurbished to “as-new” condition.
- Useful Life: The period of time after early life failures (i.e. burn-in, infant mortality) and before end-of-life failures (i.e. wear-out) during which the failure rate can be assumed to be relatively constant under certain conditions.
None of these definitions should be shocking to anyone who has dealt with SIS or reliability for a while. But a newcomer to the field might ask “OK fine, but what does that all mean?”. I will try to give some practical interpretation of these definitions next.
The first thing to realize is that for each device in a SIF, the following should nearly always be true:
Proof Test Interval < Mission Time < Useful Life
If your mission time is less than or equal to your proof test interval, then there is technically no need to proof test the device you are about to replace, unless you are just curious. If your useful life is less than your mission time, then the assumption of constant failure rates used by all common SIL calculation methods is incorrect, and your SIL calculations are meaningless. If your design does not follow the equation above, it should be cause for serious reflection.
About Useful Life
The key thing to understand about useful life is that it is a property of the device in the environment where it is deployed. The useful life is an implicit assumption you make in the reliability model. It is not a design choice or a maintenance strategy. It is very common to see useful life confused or conflated with mission time, which is a design choice (more below).
Many vendors give estimates of useful life in safety manuals, SIL certificates, or other documents. Some examples are given below:
However, it is important to keep in mind that the application environment can have enormous impact on the useful life. For example, both the process fluid temperature and the ambient temperature can affect useful life of electronics. A rule of thumb is that capacitor life is halved for each 10°C increase in electronics temperature. Vendor guidance is helpful, but the best guidance comes from gathering failure rate data in your own application environment.
IEC 61508 has strong words on the importance of useful life:
“Beyond their useful lifetime (i.e. as the probability of failure significantly increases with time) the results of most probabilistic calculation methods are therefore meaningless.”IEC 61508
Because useful life is an implicit assumption in the SIL calculations, it has no explicit impact on the calculations. Just remember that if you do not manage useful life and you employ a run-to-failure approach, your SIL calculation are essentially “meaningless” per IEC 61508.
About Mission Time
Unlike useful life, mission time is a design decision that is documented in the SRS and included in the SIL calculations.
Mathematically, whenever proof test coverage is less than 100%, then undetectable (or never detected (ND)) dangerous failures can potentially occur that will never be detected by testing. The latent failures will remain in the device until either a demand occurs or the device is replaced at the end of mission time. As shown below, the probability of a latent failure accumulates with time, regardless of the proof test interval. Only replacing the device will reset the PFD curve to zero.
For these reasons, mission time is an important parameter in the SIL calculation model. Perhaps counterintuitively, increasing the mission time in the calculations makes the calculations more conservative (i.e. will result in a higher PFDavg). However, the mission time should match the planned timing of device replacement (or in the case of valves, refurbishment), and there should be a clear maintenance and refurbishment plan in place to support this assumption.
Some popular software packages only support mission time for the entire SIF in their calculations, but mission time should be considered on a device-by-device basis. Assuming the longest device mission time in the calculations is a conservative approach.
A common way for the uninitiated or the unscrupulous to “fudge” SIL calculations is to make unrealistic assumptions about mission time that don’t match actual maintenance practices. This parameter should always be checked when reviewing calculations done by others.
About Proof Test Interval
Once you understand useful life and mission time, selecting a proof test interval should be pretty straightforward and is largely driven by your SIL requirements.
One thing to keep in mind is that the proof tests should be at least twice as frequent as the SIF demand rate for your calculations to be accurate. See more on that here from the folks at AESolutions.
Another factor to keep in mind is that regardless of the published failure rate, “objects at rest tend to stay at rest”. Choosing an excessively long proof test interval based on your calculations may leave you open to failure modes that were never considered in an FMEDA!
Here is my bottom line message: Useful life, mission time, and proof test intervals matter! I have seen some cases where engineers select “standard” values for these variables in their SIL calculations without a lot a thought. That is the path toward “meaningless” calculations.
Unfortunately, there are no standard or easy answers in this area. It requires effort to understand your equipment, operating environment, maintenance practices. That engineering effort will be repaid with meaningful SIL calculations!
I hope you found this post useful. Please post your questions or comments and don’t forget to follow us on LinkedIn. Thank you! Please checkout other popular FunctionalSafetyEngineer.com posts, including:
- Online Resources for Safety Instrumented Systems
- Where To Find Failure Data
- Hierarchical Bayesian Prior Use