SIF Failure Rate Data: What Your Calculations Aren't Telling You

In Cenosco's SIS webinar series kick-off, Pieter Poldervaart dives into one critical topic: how to properly understand SIF failure rate data. Read the webinar recap to get key insights.

18 May '26

There is a moment in every functional safety lifecycle where the numbers begin to look deceptively clean. A failure rate here, a proof test interval there, and on paper, the Safety Instrumented Function (SIF) appears to achieve the required SIL. Yet, as highlighted in Pieter Poldervaart’s recent webinar, such results often mask a deeper issue: failure rate data is being treated as a static input rather than a reflection of how well the system, and its operating context, is truly understood.

At its core, the failure rate (λ), typically expressed as failures per unit time, is a simplification. We take a complex, time-dependent phenomenon and compress it into a constant value so that probabilistic models can function. This simplification is rooted in the “useful life” portion of the well-known bathtub curve, where failure behavior stabilizes. It’s a necessary abstraction, but one that comes with responsibility. Because the moment you forget what sits behind that constant, you start designing against assumptions instead of reality.

The Illusion of the “Instrument”

One of the most persistent misconceptions in SIF design is the idea that a sensor is just a sensor, or a valve is just a valve. Datasheets reinforce this thinking. They give you neat λ values, often broken down into λDU, λDD, λSU, and λSD, and invite you to plug them directly into your calculations. But as Pieter rightly emphasized, and as field experience repeatedly confirms, a SIF element is never just the device listed on the tag.

Take a differential pressure (DP) level measurement as an example. On paper, you may be working with a pressure transmitter, complete with manufacturer-provided failure rate data. But in reality, that transmitter is only one component in a much larger measurement chain. Impulse lines, remote seals, isolation valves, and manifold assemblies all form part of the sensing function. Each introduces its own failure modes, such as blockages, leaks, fouling, and mechanical degradation – none of which are captured in the transmitter’s datasheet.

This is where many SIF designs become dangerously optimistic. When you rely solely on manufacturer data, you are effectively modeling an idealized device operating in isolation. What industry data sources consistently show, however, is that once you account for the full hookup, failure rates increase, sometimes significantly.

This is a correction, not a discrepancy.
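To make the hookup effect concrete, here is an added example (not from the webinar or from Cenosco) that sums λDU over a DP measurement chain and applies the common simplified 1oo1 low-demand approximation PFDavg ≈ λDU × TI / 2. All failure rates are constructed for illustration, and the model assumes a series chain, a perfect proof test, and no contribution from detected failures or repair time.

```python
import math

# Constructed dangerous-undetected failure rates (per hour), for illustration
# only; they are not taken from any datasheet or industry database.
TRANSMITTER_ONLY = {"pressure transmitter": 2e-7}
FULL_HOOKUP = {
    "pressure transmitter": 2e-7,
    "impulse lines": 1e-6,
    "manifold assembly": 2e-7,
    "isolation valves": 1e-7,
}

def lambda_du_total(components):
    """Series chain: any one dangerous undetected failure defeats the measurement."""
    return math.fsum(components.values())

def pfd_avg_1oo1(lambda_du, proof_test_interval_h):
    """Simplified 1oo1 low-demand approximation: PFDavg ~= lambda_DU * TI / 2."""
    return lambda_du * proof_test_interval_h / 2

def sil_band(pfd_avg):
    """Low-demand SIL band a PFDavg falls in (0 = does not reach SIL 1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd_avg < upper:
            return sil
    return 0

def max_proof_test_interval(lambda_du, pfd_target):
    """Longest proof test interval (hours) that keeps PFDavg at or below the target."""
    return 2 * pfd_target / lambda_du

def compare(proof_test_interval_h=8760, pfd_target=1e-3):
    """Evaluate the sensor subsystem alone, with and without the hookup."""
    rows = {}
    for name, chain in (("transmitter only", TRANSMITTER_ONLY),
                        ("full hookup", FULL_HOOKUP)):
        lam = lambda_du_total(chain)
        pfd = pfd_avg_1oo1(lam, proof_test_interval_h)
        rows[name] = {
            "lambda_du": lam,
            "pfd_avg": pfd,
            "sil_band": sil_band(pfd),
            "max_ti_h": max_proof_test_interval(lam, pfd_target),
        }
    return rows

if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name}: PFDavg={row['pfd_avg']:.2e}, band=SIL {row['sil_band']}, "
              f"max TI for 1e-3 = {row['max_ti_h']:.0f} h")
```

The band shown is for the sensor subsystem alone; the SIF's achieved SIL also depends on the logic solver and final element.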

Why Industry Data Often Tells a Different Story

A recurring theme in the webinar is the gap between vendor-supplied failure rates and those derived from industry databases. Sources such as OREDA, SINTEF, and EXIDA consistently report higher failure rates than manufacturers. This is not because vendors are misleading, but because their visibility is inherently limited.

Manufacturers typically derive failure rates from returned equipment and shipment volumes. But in real operations, failed instruments are often replaced and discarded rather than returned. Production uptime takes precedence over forensic analysis. The result is underreporting of failures at the source and, consequently, overly optimistic reliability data.

Industry databases, on the other hand, aggregate field data across operators, environments, and configurations. They capture the messy reality: partial failures, installation issues, environmental effects, and, critically, the impact of the full equipment assembly. That’s why they tend to sit higher on the failure rate spectrum.

From a design perspective, this is not a reason to discard vendor data, but a clear signal to contextualize it. IEC 61511 is explicit on this point: failure data must be credible, traceable, documented, and based on field feedback from similar applications.

Credibility is not achieved by precision alone. It comes from representativeness.

The Hidden Complexity of “Simple” Loops

What the equipment hookup discussion ultimately exposes is a broader truth: SIF performance is determined by systems, not components. A sensor subsystem includes far more than the sensing element. The final element is more than the valve body; it includes actuators, solenoids, linkages, and air-supply integrity. Each layer adds both functionality and failure potential.

This is where experienced engineers tend to diverge from textbook approaches. Rather than asking, “What is the failure rate of this device?”, the better question becomes, “What are all the ways this safety function can fail to act when demanded?”

That shift in thinking changes everything. It forces you to look beyond catalog values and into installation practices, maintenance regimes, environmental conditions, and design consistency across the plant.

It also explains why two seemingly identical SIFs can exhibit very different reliability in operation.

Standardization as a Reliability Strategy

One of the more pragmatic insights from the webinar, often overlooked in purely theoretical discussions, is the value of standardization. In environments where multiple vendors, configurations, and hookup designs coexist, complexity increases exponentially, not just in design calculations, but in proof testing, maintenance, and failure analysis.

Standardizing SIS equipment and configurations does more than simplify engineering. It creates consistency in failure behavior, enables repeatable proof testing procedures, and improves the quality of failure data collected over time.

Experience across functional safety applications consistently shows that variability is the enemy of reliability. The more unique configurations introduced, the harder it becomes to fully understand and confidently rely on failure rate assumptions.

When Data Looks Too Good

There’s a final point Pieter made that deserves emphasis, because it captures a mindset every seasoned engineer eventually develops: when failure rate data looks too good to be true, it usually is.

This is not cynicism; it’s pattern recognition. Overly optimistic data often signals incomplete modeling, like missing components, unaccounted failure modes, or unchallenged assumptions. And while such data may help achieve a target SIL in calculations, it does little to ensure that the SIF will perform when it is actually needed.

In functional safety, credibility always outweighs convenience.

Closing Reflection

The webinar effectively brings failure rate data back into its proper context, grounded in physical systems, real operating conditions, and sound engineering judgment. It shifts the focus away from abstract calculations toward a more integrated understanding, where assumptions are made explicit and continuously tested against reality.

For experienced practitioners, this serves as a valuable recalibration. For those earlier in the discipline, it underscores a foundational principle: the integrity of a Safety Instrumented Function depends not on the elegance of its calculations, but on the depth of understanding behind them.

And in practice, that understanding is often defined by the details, frequently beginning at the level of the hookup, where design intent and operational reality first intersect.
