During the recent ISA 84 committee meetings related to ISA TR84.00.02, which discusses SIL verification calculations, I was made aware of an effort to quantify the amount of error in SIL calculations. The objective of this effort was to determine how much of a margin of error should be placed on the acceptance of a SIL verification calculation. For instance, if a SIL 2 function is desired and the calculation shows that a risk reduction factor (RRF) of 102 was achieved, is that good enough? The theory being proposed is that you should establish a limit on what RRF value is acceptable based on the amount of error that is present. So, for instance, if you determine that your SIL verification calculation has an error of +/- 5, then a calculated RRF of 102 is really an RRF somewhere between 97 and 107. Since 97 does not achieve the SIL 2 target, you should modify the design until the full range, including the worst-case error, lies within the SIL band.
Sounds reasonable right?
Not to me.
We’ve already larded up the SIL verification process with so many safety factors that adding another one here is going to cross from very conservative over to comical. Additionally, this approach violates the spirit and philosophy of how we have performed SIL verification calculations since the advent of IEC 61508. Engineers, in general, are taught to perform rigorous calculations to obtain precise numbers. While this works well for things that can be known precisely, such as temperatures, pressures and flow rates, it is not realistic for risk. As a risk analyst, you must have a different and more humble approach. When performing a risk calculation, you give up on the concept of knowing something precisely and instead set boundaries with a degree of confidence. As a risk analyst, you don’t say “I KNOW that the frequency of an accident is precisely 1.53E-3 per year”; instead you say “I am CONFIDENT that the frequency is less than 1.53E-3 per year.” A subtle, but very important, distinction. In one case you are claiming a precision that risk analysis can never really have; in the other you are setting a boundary that you are confident will not be violated.
SIL verification calculations, since their inception, have used this approach of setting a confidence boundary. In IEC 61508 (and the current version of IEC 61511) there are several references to a 70% single-sided confidence limit when determining failure rates. When using this approach, you are essentially saying that, for an instrument, I am confident (to the degree of 70%) that the failure rate is below a certain number. Again, this is different from claiming that I know exactly what the failure rate is. It is this 70% confidence limit that is now, and always has been, the “margin of safety” factor employed to ensure that SIS designs are conservative and account for the uncertainty in the numbers. Adding more uncertainty analysis is unnecessary and counter-productive.
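To make the two ideas in this post concrete (the 70% single-sided confidence limit on a failure rate, and the proposed "RRF minus error margin" acceptance test), here is an added worked example. It is not code from the post or from any standard; it assumes the common one-sided upper bound for a constant failure rate (the chi-squared / Poisson relation, equivalent to chi2(2n+2, C) / (2T)), the simple 1oo1 approximation PFDavg = λ_DU * TI / 2, and the conventional SIL bands (SIL 1: RRF 10 to 100, SIL 2: 100 to 1000, SIL 3: 1000 to 10000). The field data in it is constructed.

```python
import math


def poisson_cdf(n, mu):
    """P(X <= n) for X ~ Poisson(mu), summed directly so no SciPy is needed."""
    term = math.exp(-mu)
    total = term
    for k in range(1, n + 1):
        term *= mu / k
        total += term
    return total


def upper_failure_rate(n_failures, device_hours, confidence=0.70):
    """One-sided upper confidence bound on a constant failure rate (per hour).

    Solves P(X <= n | lambda * T) = 1 - confidence for lambda by bisection on
    mu = lambda * T.  This is the same value as chi2(2n + 2, confidence) / (2T),
    the form usually quoted for the 70% limit; for n = 0 it reduces to
    -ln(1 - confidence) / T.  (Assumed method, not taken from the post.)
    """
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while poisson_cdf(n_failures, hi) > target:  # grow until the bracket holds
        hi *= 2.0
    for _ in range(200):  # bisection: the CDF is decreasing in mu
        mid = 0.5 * (lo + hi)
        if poisson_cdf(n_failures, mid) > target:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi) / device_hours


def pfd_avg_1oo1(lambda_du, test_interval_hours):
    """Simple 1oo1 approximation: average probability of failure on demand."""
    return lambda_du * test_interval_hours / 2.0


def rrf_from_pfd(pfd):
    """Risk reduction factor is the reciprocal of PFDavg."""
    return 1.0 / pfd


def sil_band(rrf_value):
    """SIL level whose RRF band contains rrf_value (0 if below SIL 1)."""
    if rrf_value >= 100000 or rrf_value < 10:
        return 0 if rrf_value < 10 else 4
    return int(math.floor(math.log10(rrf_value)))


def sil_with_error_margin(rrf_value, error):
    """The proposed acceptance test from the post: the SIL met at the worst
    case of the interval [rrf - error, rrf + error]."""
    return sil_band(rrf_value - error)


def worked_example():
    # Constructed field data: 2 dangerous undetected failures in 5e6 device-hours,
    # proof-tested annually (8760 h).
    n, hours, test_interval = 2, 5.0e6, 8760.0
    point = n / hours                        # "I KNOW" style point estimate
    bound = upper_failure_rate(n, hours)     # "I am CONFIDENT (70%)" style bound
    rrf_point = rrf_from_pfd(pfd_avg_1oo1(point, test_interval))
    rrf_bound = rrf_from_pfd(pfd_avg_1oo1(bound, test_interval))
    return {
        "lambda_point": point,
        "lambda_70pct_upper": bound,
        "rrf_point": rrf_point,
        "rrf_70pct": rrf_bound,
        "sil_70pct": sil_band(rrf_bound),
    }


if __name__ == "__main__":
    for k, v in worked_example().items():
        print(f"{k:20s} {v:.4g}")
    # The post's illustration: RRF 102 with a +/- 5 error band.
    print("SIL band of RRF 102:", sil_band(102))
    print("SIL band at worst case (102 - 5):", sil_with_error_margin(102, 5))
```

Running it shows the point of the post: the 70% upper bound already sits well above the point estimate (for two failures the bound is roughly 1.8 times the observed rate), so the RRF computed from it is already a conservative boundary, and stacking a further "RRF 102 minus 5" test on top of it pushes the design into a lower band for a second time.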