This blog is written as an introduction to the lecture at the Process Safety Congress in Dordrecht on May 18th, 2022. The subject I would like to discuss in this blog and at the congress is 'prior use' assessment. This documented assessment is used during the implementation phase of a Safety Instrumented Function (SIF). That phase is discussed in my 3rd blog, written in preparation for my lecture at the 2021 PS congress. When selecting parts within a SIF, several options can be chosen:
- Proven in use requires data provided by the manufacturer, and that data must be comparable to the situation of the user. This means that the service, configuration, application, firmware, etc. of the SIF on the user side are exactly the same as the manufacturer prescribes in its documentation. Proven in use is not officially named in IEC 61511. It can be used together with the plant information to obtain prior use.
- In case components are used which are independently certified to comply with IEC 61508, the failure data and the way the component must be installed and used are clearly described. The provided data has been verified, which should give the user a realistic basis for determining whether the SIF can safely be used during its lifetime. No historical data needs to be used to verify the SIF with respect to failure rates, other than validating its application to the specific process and the environment.
- Prior use needs evidence according to IEC 61511 and uses historical failure data from the field, collected by the user. It should be noted, though, that prior use tells about failures in the past and still does not guarantee that the same type of failures will or will not occur in the future.
Prior Use requirements for the selection of devices
When one part within a SIF is not based on a certified component, a prior use assessment can be made to validate this component. Therefore it is required, according to IEC 61511, to collect the right data and appropriate evidence that the device is suitable for use within a safety rated application. This evidence is needed to prove that the dangerous systematic faults of the device have been reduced or limited so that the required SIL capability is met. According to IEC 61511 the evidence includes the following:
- Consideration of the manufacturer's quality, management and configuration management systems; This evidence requires proper information regarding the manufacturer's quality systems and their certification. Even when the device is not designed according to IEC 61508, the manufacturer still has to provide evidence regarding the development process followed and the reliability of the device. A minimum requirement could be an ISO 9001 certification to show the quality of the management systems.
- Adequate identification and specification of the devices; Not all devices can be used within the assessment. IEC 61511 elaborates several requirements which are the minimum to be met within the assessment. In the chapter below I will discuss this in more detail.
- Demonstration of the performance of the devices in similar operating environments; When selecting data of a device for prior use, these devices should be installed under the same operating conditions, such as service (fouling, non-fouling), temperature and humidity. Corresponding degradation mechanisms, like corrosion, should also be taken into account when collecting the right data.
- The volume of the operating experience: The higher the number of similar devices and the longer the observation time, the better the results of the assessment. The amount of operational experience needed to obtain credible statistical reliability data is typically much higher than the operational experience necessary to obtain evidence of prior use. This topic is explained in more detail in the section below.
- Monitoring device performance: When no proper monitoring is in place, no reliable evidence can be obtained within the assessment. This monitoring includes, at a minimum, proof of maintenance, repair, incidents and trip monitoring.
Adequate identification and specification of the devices
When selecting a device for use within a prior use assessment, the level of detail of the evidence should be in accordance with the complexity of the considered device as well as the SIL rating of the SIF.
- For all devices a minimum specification of the device is needed:
  - Proof of the manufacturer's quality management and configuration system;
  - An available safety manual, including constraints for operation, maintenance and fault detection, covering the typical configurations of the device and the intended application profiles.
- Within the assessment, both type A and type B devices can be included. Type A devices require less information, since they are seen as simple, non-programmable devices. When using type B devices, only fixed program language (FPL) or limited variability language (LVL) is allowed. Full variability language (FVL) is not allowed for devices within the assessment. Examples of FPL devices are smart sensors and smart final elements without control algorithms. In addition to the requirements for type A devices, type B devices also require evidence of the software used, obtained by a formal assessment.
- For applications with a higher SIL demand (e.g. SIL 2 or 3), more evidence is needed to meet the assessment requirements.
The volume of the operating experience
When a documented assessment has shown that there is appropriate evidence, the next step is collecting data for failure rate estimation. This data collection and the subsequent calculation of the failure rates are required to meet the minimum requirements within IEC 61511-1:
- The reliability data uncertainties can be evaluated according to:
  - Statistical approaches;
  - Engineering judgement techniques to estimate the reliability data uncertainties;
  - Specific techniques like Failure Mode and Effect Analysis (FMEA), where information is available only for the subcomponents of the device being analyzed.
- The amount of field feedback (less field feedback results in more uncertainty) and/or the exercise of expert judgement. Reliability data used in the calculation of the failure measure shall be determined by an upper bound statistical confidence limit of no less than 70 %.
- The amount of field feedback depends on the choice of statistical approach. When only a small set of data is available, a χ² (Chi-squared) distribution is required. For large sample sizes both the χ² and the normal distribution can be used (see fig below). The χ² distribution gives a more conservative result than the normal distribution and is recommended by IEC 61511-2.
- From a sample of n failures observed over a cumulated observation time T, the confidence upper bound can be calculated by using the χ² function. For example λ70% can be evaluated by:
where T is the total observation time and n the observed failures.
- The previous approach implies only one calculation of the probabilistic target (i.e. the Average Probability of Failure on Demand, PFDavg), but the level of conservativeness is not known. Therefore another approach may be used if this level of conservativeness has to be known. It consists of using the whole distribution of the input reliability parameters instead of only single values like λ70%. The so-called "Monte Carlo" simulation can be used for this:
  - using random numbers to simulate the probabilistic distributions of the values of the input reliability parameters; and
  - performing several (e.g. 100) calculations of the probabilistic target with different sets of random numbers.
- Nevertheless, a Chi-squared approach is sufficient for most cases of failure rate estimation.
The above mentioned approach using the Chi-squared distribution can also be used to evaluate plant data and derive failure data from it. Especially when the number of observed failures is known, the failure rate can be calculated by extrapolation in time.
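The following is an added example, not code from the blog or from IEC 61511. It implements the χ² upper confidence bound on a failure rate from plant data, as discussed in the list above and in the paragraph on evaluating plant data, and then runs the Monte Carlo approach to show how conservative the single λ70% value actually is. Assumptions: the standard formula λ_upper = χ²(confidence, 2n+2) / (2T) for n failures in cumulated observation time T; a uniform prior on λ, so that the Monte Carlo draws come from a Gamma(n+1, 1/T) distribution; and the simplified single-channel approximation PFDavg ≈ λ_DU · TI / 2. The plant data (3 failures across 40 transmitters over 8 years) is constructed for the example.

```python
"""Added example (not from the blog): chi-squared upper confidence bound on a
failure rate from plant data, plus a Monte Carlo check of its conservativeness."""
import math
import random


def chi2_cdf_even_df(x: float, df: int) -> float:
    """Chi-squared CDF for even degrees of freedom, in closed form via the
    Poisson relation: P(X <= x) = 1 - exp(-x/2) * sum_{i<df/2} (x/2)^i / i!.
    The prior-use bound always uses df = 2n + 2, which is even, so no
    incomplete-gamma library is needed."""
    if df <= 0 or df % 2 != 0:
        raise ValueError("df must be a positive even integer")
    half = x / 2.0
    term, total = 1.0, 0.0
    for i in range(df // 2):
        total += term
        term *= half / (i + 1)
    return 1.0 - math.exp(-half) * total


def chi2_quantile(p: float, df: int) -> float:
    """Inverse CDF by bisection. Matches the usual tables, e.g. 2.408 for
    (p=0.70, df=2) and 9.524 for (p=0.70, df=8)."""
    lo, hi = 0.0, 1.0
    while chi2_cdf_even_df(hi, df) < p:
        hi *= 2.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if chi2_cdf_even_df(mid, df) < p:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def lambda_upper(n_failures: int, t_hours: float, confidence: float = 0.70) -> float:
    """Upper confidence bound on the failure rate (per hour) from n failures in
    cumulated observation time T: lambda = chi2(confidence, 2n+2) / (2T).
    Assumption: this is the standard chi-squared bound the blog refers to."""
    return chi2_quantile(confidence, 2 * n_failures + 2) / (2.0 * t_hours)


def pfd_avg(lambda_du: float, test_interval_h: float) -> float:
    """Simplified 1oo1 approximation PFDavg ~ lambda_DU * TI / 2 (assumption:
    no diagnostics, no common cause; used only to illustrate the method)."""
    return lambda_du * test_interval_h / 2.0


def monte_carlo_pfd(n_failures: int, t_hours: float, test_interval_h: float,
                    runs: int = 20000, seed: int = 1) -> list:
    """Propagate the whole distribution of lambda instead of the single value
    lambda_70. Assumption: uniform prior, so the posterior of lambda given n
    failures in time T is Gamma(shape=n+1, scale=1/T). Each run draws one
    lambda and computes PFDavg; returns the sorted list of outcomes."""
    rng = random.Random(seed)
    samples = [pfd_avg(rng.gammavariate(n_failures + 1, 1.0 / t_hours), test_interval_h)
               for _ in range(runs)]
    samples.sort()
    return samples


def conservativeness(pfd_point: float, samples: list) -> float:
    """Fraction of Monte Carlo outcomes at or below the point estimate, i.e.
    how conservative the single-value calculation actually is."""
    below = sum(1 for s in samples if s <= pfd_point)
    return below / len(samples)


if __name__ == "__main__":
    # Constructed plant data: 3 dangerous undetected failures observed across
    # 40 similar transmitters over 8 years (cumulated observation time in hours).
    n, T = 3, 40 * 8 * 8760.0
    ti = 8760.0  # yearly proof test interval
    lam70 = lambda_upper(n, T)
    point = pfd_avg(lam70, ti)
    samples = monte_carlo_pfd(n, T, ti)
    print(f"lambda_70% = {lam70:.3e} /h, PFDavg = {point:.2e}")
    print(f"fraction of Monte Carlo outcomes at or below that PFDavg: "
          f"{conservativeness(point, samples):.2f}")
```

With zero observed failures the bound reduces to λ70% = −2·ln(0.3)/(2T) ≈ 1.2/T, which is why a device with no failures in the field still gets a non-zero failure rate; more observation time T, not fewer failures, is what drives the bound down. The Monte Carlo run shows that the PFDavg obtained from λ70% sits at roughly the 70th percentile of the outcome distribution, which is the "level of conservativeness" the single calculation by itself does not reveal.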
At the Process Safety Congress on May 18th in Dordrecht, the Netherlands, I will show more examples of how the Chi-squared distribution contributes to the calculation of failure rates for a SIF. Hope to meet you there!