A customer noted that some operating companies limit the extension of their test intervals so that the test interval is at least half of the expected demand rate. For instance, if a safety instrumented function (SIF) is intended to prevent against a hazard whose initiating event rate is once in ten years, then the test interval for that function will be no longer than once in five years. I was asked to explain the basis for this decision process, so I will share my response here…
The limitation placed on the test interval is essentially a mechanism to ensure that the SIF is operating a demand mode instead of continuous mode. When a SIF operates in demand mode, the benefits of testing can be taken into consideration in the calculation of average probability of failure on demand, allowing for easier achievement of higher SIL targets with lower redundancy requirements. A SIF can only be considered to be operating in demand mode, though, if demands are placed on the system infrequently in comparison to tests. In this case, it is more likely that a failure of a SIF would be identified by a test than an actual process demand, giving value to the testing. This is “Demand Mode” operation.
If, on the other hand, demands occur frequently in relation to tests, then it is more likely that a failure of the SIF will be evidenced by the hazardous event that the SIF was intended to protect against than by a test of the SIF. In this mode of operation, which the standards call the “Continuous Mode”, testing does not provide significant value because it is too infrequent to allow repair of the failed SIF before a demand is placed on the function. As a result, the effect of testing is ignored, and the failure rate of the overall SIF is calculated to verify that the rate of failure is tolerable, instead of the probability of failure on demand.
When an operating company does a LOPA and identifies that a SIF will have a demand placed on it once every ten years, then it is credible to say that this demand rate falls into the demand mode regime only if testing is “much more” frequent than once every ten years. Deciding that once every five years is “much more” frequency than once every ten years is a judgment call that each operating company will need to make for itself, but the assumption generally considered valid in industry. If, on the other hand, a facility desires to push test intervals to 7 or even ten years, making the claim that testing is “much more” frequent than demands begins to fall flat. At that point, the functionality begins to move into the Continuous Mode regime, changing how achievement of SIL targets is verified, and how the functions are installed, tested, and maintained.