As SIS installations age, two concepts become increasingly important: Mission Time (MT) and Useful Life. Confusing or misapplying these parameters can lead to non-conforming SIL ratings and unpredictable maintenance expenditure. This blog explains the relationship between the two, illustrates the impact using a worked example, and provides practical guidance on how to manage SIF component life cycles.
For concise definitions of Mission Time and Useful Life, see our FAQs.
1. Background: Mission Time and Proof Test Coverage
Our blog on ‘SIL-Degradation’ highlighted the importance of selecting Mission Time (MT) when carrying out the SIL-Verification for safety loops. MT is not explicitly defined in IEC 61511 or IEC 61508, but is used in calculations as the intended operational period of a SIF. It is formally defined in VDI/VDE 2180-3 as parameter T2 — the period after which all SIF components must be subject to the equivalent of a proof test with 100% coverage. In practice, it is not realistic to detect all dangerous failures during proof testing, so CPT is almost always less than 100%. A longer MT results in a higher PFDavg and a correspondingly lower SIL, according to the simplified formula:
PFDavg = CPT × λD × TI/2 + (1 − CPT) × λD × MT/2
where PFDavg = Average Probability of Failure on Demand, CPT = proof test coverage, λD = dangerous failure rate, TI = proof test interval, and MT = mission time.
This effect is demonstrated in the following chart showing the typical sawtooth curve based on regular proof testing. The green curve with CPT set at a realistic value of 85% shows the PFD increasing over time, until after 15 years it exceeds the threshold between SIL 2 and SIL 1: in other words the SIL ‘degrades’ from a planned SIL-2 to a non-conforming SIL-1 function.

Figure 1: PFD vs Time – Effect of Proof Test Coverage (CPT) over a 15-year Mission Time
There is clearly an incentive for Operators to extend MT in order to delay maintenance or replacement expenditure. However, a further constraint is the ‘Useful Life’ of individual SIF components — the period within which the constant failure rate assumption, fundamental to all PFDavg calculations, remains valid. Per IEC 61508-2 (§7.4.9.5, Note 3), once this limit is exceeded, the results of probabilistic calculation methods are invalid. Manufacturers publish useful life limits in the component Safety Manual or SIL-certificate, derived from the underlying failure rate ‘bathtub curve’. Alternatively, Operators may justify an extension of useful life through a formal ‘Prior Use’ assessment per IEC 61511-1 (§11.5.3).
So how are these differing time parameters optimised in practice?
2. Worked Example – A Typical SIF
Let us assume a typical safety function: a pressure transmitter acting via a barrier and Logic Solver to close an actuated isolation valve, as illustrated below.

Figure 2: Example Safety Instrumented Function (SIF) – Pressure Transmitter → Barrier → Logic Solver → Solenoid → Actuator/Valve
2.1 Scenario A: Mission Time = 15 Years
Modelling this SIF in ExSILentia with a MT of 15 years, proof test interval (PTI) 12 months and CPT for all components as per the manufacturer’s recommendations results in SIL-2 with a Risk Reduction Factor (RRF) = 212.

Figure 3: ExSILentia result – MT = 15 years, PTI = 12 months. SIL-2 confirmed (RRF = 212)
2.2 Scenario B: Mission Time Extended to 30 Years (No Component Replacement)
In this scenario, we try to extend the MT with the same PTI and CPT and, for the sake of comparison, assume that the useful life for all devices is also 30 years. Here the achieved PFDavg no longer meets the SIL-2 threshold, with RRF = 75, i.e. unacceptable for a SIF with required SIL-2. CPT < 100% results in the ‘saw-tooth’ curve increasing over time and eventually exceeding the desired SIL threshold.

Figure 4: ExSILentia result – MT = 30 years, component ‘useful life’ assumed 30 years. SIL-2 NOT met (RRF = 75)
2.3 Scenario C: Mission Time = 30 Years with Replacement at Useful Life
Now, let us consider the replacement or overhaul of component devices in line with the manufacturer’s defined useful life. Typical values for the example SIF are shown below.
| Component | Useful Life |
|---|---|
| Pressure Transmitter | 50 years (i.e. no replacement necessary) |
| Barrier | 10 years |
| Logic Solver | 15 years |
| Solenoid | 8–12 years (10 years assumed) |
| Actuator/Valve Assembly | 10 years |
Table 1: Typical useful life values per component (source: manufacturer Safety Manuals / SIL-certificates / Exida SAEL)
ExSILentia allows definition of varying MT for sensor, logic solver and final elements. In the example below, the MT for each component is assumed the same as their useful life, resulting in SIL-2 with RRF = 116 for a 30-year MT for the complete SIF. The downwards step-change in the ‘saw-tooth’ curve every 10 years reflects the ‘reset’ of the PFD-contribution of the valve/actuator: the ‘final element’ is often the largest contributory factor to SIF reliability, and focusing on this component generally gives the largest improvement in PFD.

Figure 5: ExSILentia result – MT = 30 years with component replacement at useful life. SIL-2 confirmed (RRF = 116)
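The simplified formula from Section 1 can be applied per component to show the pattern of Scenarios A to C. This is an added example, not PSC's or ExSILentia's calculation: the failure rates and CPT values are constructed sample data, the SIF is assumed to be a simple series (1oo1) chain whose component PFDavg values add, and only the useful-life figures follow Table 1, so the resulting RRF values do not reproduce Figures 3 to 5.

```python
# Added illustration of the simplified PFDavg formula with per-component mission time.
# Failure rates and coverages below are constructed sample values, not data from
# the page, a Safety Manual or ExSILentia; only the useful-life figures follow Table 1.
HOURS_PER_YEAR = 8760

# name: (lambda_D per hour, CPT, useful life in years)
COMPONENTS = {
    "transmitter":  (1.0e-7, 0.95, 50),
    "barrier":      (2.0e-8, 0.90, 10),
    "logic_solver": (1.0e-8, 0.95, 15),
    "solenoid":     (1.0e-7, 0.90, 10),
    "valve":        (4.0e-7, 0.80, 10),
}

def pfd_avg(lambda_d, cpt, ti_years, mt_years):
    """PFDavg = CPT*lambda_D*TI/2 + (1 - CPT)*lambda_D*MT/2, times in years."""
    lam_per_year = lambda_d * HOURS_PER_YEAR
    return cpt * lam_per_year * ti_years / 2 + (1 - cpt) * lam_per_year * mt_years / 2

def sif_pfd(sif_mt_years, ti_years=1.0, replace_at_useful_life=False):
    """Sum component PFDavg for a series (1oo1) SIF (assumed architecture).

    With replace_at_useful_life, each component's MT is capped at its useful
    life (replacement treated as a reset equivalent to CPT = 100%).
    """
    total = 0.0
    for lambda_d, cpt, life in COMPONENTS.values():
        mt = min(sif_mt_years, life) if replace_at_useful_life else sif_mt_years
        total += pfd_avg(lambda_d, cpt, ti_years, mt)
    return total

def sil_band(pfd):
    """Low-demand SIL band for a PFDavg (0 means below SIL 1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

def max_mission_time(target_pfd, ti_years=1.0):
    """Longest common MT (years) keeping PFDavg below target; PFDavg is linear in MT."""
    base = sif_pfd(0.0, ti_years)
    slope = sif_pfd(1.0, ti_years) - base
    return (target_pfd - base) / slope

if __name__ == "__main__":
    for label, mt, replace in (("A", 15, False), ("B", 30, False), ("C", 30, True)):
        pfd = sif_pfd(mt, replace_at_useful_life=replace)
        print(f"Scenario {label}: PFDavg={pfd:.2e} RRF={1/pfd:.0f} SIL {sil_band(pfd)}")
    print(f"SIL 2 held without replacement up to MT = {max_mission_time(1e-2):.1f} years")
```

With these sample values the valve dominates the total, so capping its mission time at its 10-year useful life is what brings the 30-year case back into the SIL-2 band.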
While the SIL-Verification now gives an acceptable mathematical result, how should the useful life be managed in practice?
3. Extending Useful Life
One possibility is for the Operator to demonstrate ‘prior use’ as per IEC 61511-1, §11.5.3. This requires that the end user (as opposed to the manufacturer) documents component suitability via operational evidence, including:
- Clear Identification: Evidence that the specific model, hardware / firmware / software versions have been used.
- Environment Similarity: Documentation showing that the application is at similar process conditions (e.g., temperature, pressure, vibration, or media properties) to any comparative data.
- Manufacturer Quality: Evidence that the manufacturer has implemented a quality management system to minimise systematic faults.
- Volume of Experience: Demonstration of a statistically significant number of operating hours. While the standard does not give a specific number, industry best practice often looks for enough hours to calculate a failure rate at a 70% confidence level.
- Failure Analysis System: A formal “Management of Change” (MoC) and incident reporting system. The operator must show they have recorded all failures and categorised them (Safe vs. Dangerous, Detected vs. Undetected).
- Suitability for SIL: An assessment showing that the historical failure rates support the assumption of failure rate (lambda) made in the SIL-Verification.
Larger organisations often implement ‘prior use’ justification via their Functional Safety Management System. Smaller Operators, however, may find the documentation requirements onerous and the required operating hours difficult to achieve in practice. Section 2.2 of this blog also showed that SIL-degradation may still occur despite extension of useful life, depending on initial failure rate assumptions.
An alternative is to replace SIF components or carry out comprehensive maintenance before the end of ‘useful life’, allowing a ‘reset’ of the individual PFD, equivalent to proof testing with CPT = 100%. Typically, low cost electronic devices such as barriers and relays can be replaced on a ‘like-for-like’ basis. Newer devices often have lower failure rates, and this can be taken into account when updating the SIL-Verification calculation.
Exchange of a Logic Solver (the ‘ESD’, or ‘fail-safe PLC’) represents a larger investment cost, and it is worth obtaining manufacturer input to potentially extend the published ‘useful life’. Typically, the Logic Solver has a low contribution to overall PFDavg, so that the originally defined failure rate, as per the SIL-certificate, can be used without significant ‘SIL-degradation’. Beyond full replacement, additional approaches worth considering are:
- Modular sub-assembly replacement: Rather than exchanging the entire system, it may be possible to replace only the sub-assemblies that drive the useful life limit — typically power supply units, CPU/processor cards, and I/O modules — while retaining the backplane, wiring, and application software. The manufacturer should confirm that this resets or extends the useful life, ideally via an updated SIL-certificate.
- Manufacturer life extension / obsolescence management programs: Major PLC vendors may offer formal life extension assessments for installed legacy systems. This typically involves on-site inspection or audit, resulting in a documented useful life extension statement, as distinct from generic “Proven in Use” data. It is worth proactively engaging the manufacturer’s functional safety team to ask whether such a programme exists.
- Firmware/software update with revised failure rate data: A manufacturer-issued firmware upgrade may result in a lower failure rate and revised SIL-certificate. If this includes confirmation of extended useful life, the revised failure rate can be adopted into the SIL-Verification with no hardware intervention required.
For final elements such as actuator/valve assemblies, manufacturer input should also be sought. A comprehensive ‘overhaul’ is often possible, for instance by replacement of actuator electronic components such as solenoids/relays, as well as on-site repair/maintenance of mechanical wearing parts, such as seals and packing. If carried out by the manufacturer, the upgrade should be supported by an updated SIL-certificate / useful life confirmation. Alternatively, the Operator can self-manage the overhaul via its own workshop or a trusted maintenance subcontractor; in that case, adequate documentation must also be prepared to justify extended life and any revised failure rate.
Finally, it is worth considering a partial stroke testing (PST) strategy. While not extending useful life directly, implementing or improving PST increases the effective diagnostic coverage between full proof tests, and provides useful data to support eventual ‘prior use’ justification.
4. Key Takeaways
The following points summarise the main conclusions from this blog:
- SIF Mission Time may be extended provided useful life constraints are managed.
- Various strategies for replacement or comprehensive overhaul are available. Newer replacement devices often carry lower failure rates, providing an opportunity to improve the SIL-Verification calculation. In case of overhaul, documentation is required to justify extended life and any revised failure rate.
- The ‘Prior Use’ route (IEC 61511-1, §11.5.3) is an alternative to physical replacement but requires significant documented operational evidence. Even if useful life is extended, the required PFDavg may not be achieved due to ‘SIL degradation’.
- ExSILentia supports component-specific MT assignments, enabling a targeted optimisation of MT while considering the practicalities of useful life constraints.
Standards Referenced
- IEC 61511-1: Functional Safety – Safety Instrumented Systems for the Process Industry Sector
- IEC 61508-2: Functional Safety of E/E/PE Safety-Related Systems
- VDI/VDE 2180-3: Functional Safety in the Process Industry (parameter T₂)
PSC provides analysis and engineering services according to IEC 61511 to define SIL requirements for safety functions and to provide optimum SIF designs considering lifetime O&M costs.

