Simply defined, MTTR is the average time taken to restore a SIF to operation from the non-operative mode after a fault, repair or replacement, so that it can again perform its defined safety function.
Understanding the significance of the MTTR value and what it covers is essential during the specification, design, operation and maintenance of the SIF. The declared MTTR includes the time required to detect that a failure has occurred (A), the time spent before starting the repair (B), the effective time to carry out the repair (C) and the time required to ensure that the SIF device or component is put back in operation (D).
MTTR is frequently confused with Mean Repair Time (MRT), which relates to the average time to perform a repair. The MRT value includes the average time spent for detection & identification of the failure (B), the effective time to repair (C) and the time needed to return the device into operation (D).
As highlighted in Figure 1 above, unlike MTTR, MRT does NOT
include ‘the average time required to detect that a failure has occurred’.
Consequently, MTTR can also be defined as the time during
which the SIF is not available to perform a safety function, making it a key
value when calculating SIF reliability and availability.
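The following added example (not part of the original article) derives phases A to D from maintenance work-order timestamps and computes MTTR and MRT from them, flagging any outage that exceeded the specified MTTR. The work orders, the field layout and the 24-hour specified MTTR are constructed assumptions.

```python
from datetime import datetime
from statistics import mean

# Constructed sample work orders (not real plant data). Each row holds the
# five timestamps that bound phases A-D as the article defines them.
WORK_ORDERS = [
    # id, failure occurred, detected, repair started, repair done, back in operation
    ("WO-1", "2024-01-03 02:00", "2024-01-03 06:00", "2024-01-03 14:00",
     "2024-01-03 18:00", "2024-01-03 20:00"),
    ("WO-2", "2024-02-10 09:00", "2024-02-10 10:00", "2024-02-10 12:00",
     "2024-02-10 15:00", "2024-02-10 16:00"),
    ("WO-3", "2024-03-21 22:00", "2024-03-22 10:00", "2024-03-23 08:00",
     "2024-03-23 14:00", "2024-03-23 18:00"),
]

def phase_hours(order):
    """Return (A, B, C, D) in hours for one work order."""
    stamps = [datetime.strptime(s, "%Y-%m-%d %H:%M") for s in order[1:]]
    if stamps != sorted(stamps):
        raise ValueError(f"{order[0]}: timestamps out of sequence")
    return tuple((b - a).total_seconds() / 3600 for a, b in zip(stamps, stamps[1:]))

def summarize(orders, specified_mttr_h):
    """Mean phase times, MTTR, MRT, and orders whose downtime exceeded the spec."""
    phases = {o[0]: phase_hours(o) for o in orders}
    a, b, c, d = (mean(col) for col in zip(*phases.values()))
    return {
        "A_detect": a, "B_wait": b, "C_repair": c, "D_return": d,
        "MTTR": a + b + c + d,   # includes detection time (A)
        "MRT": b + c + d,        # excludes detection time (A)
        # A mean within spec can still hide individual outages that were not.
        "over_spec": [k for k, p in phases.items() if sum(p) > specified_mttr_h],
    }

if __name__ == "__main__":
    for key, value in summarize(WORK_ORDERS, specified_mttr_h=24).items():
        print(key, value)
```

With this constructed data the mean restoration time stays under the 24-hour specification while one work order exceeds it, which is why individual outages are worth checking alongside the mean.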
A versatile value
The MTTR value also impacts on other parameters of the SIF
such as the design of bypass configurations, architectural requirements, time
for SIF degraded mode of operation, requirements for any operator actions, the
design of any compensating measures and spares availability.
MTTR values are typically used when designing the bypass functionality for a
SIF (for redundant architectures) as this determines the
average time for the SIF to be in bypass mode, after which the SIF may either be
restored into operation or generate an alarm alerting operation or maintenance
personnel to perform the necessary restoration action.
During the safety requirements specification and
transposition into design & engineering, if the analysis of the SIF or its
associated devices reveals they could not be repaired and restored within the
specified MTTR time, then this would potentially identify the need for the
development of redundant channels of operation. In this case, the SIF devices
may need to be configured in a particular voting arrangement, e.g. 1oo2 or 2oo3
loops. Also, a long MTTR value may require redundant channels to be used for
SIF subsystems in order to meet the target failure measure for the SIF.
Depending on the architectural constraints and the
redundancy configured for the SIFs, the MTTR value can define the average time
for the SIF loop to operate in a degraded mode of operation without
compromising on its integrity. If the time for degraded operation of the SIF has
exceeded the MTTR, then depending on the integrity of the SIF and the process
requirements, the SIF can be forced either to achieve a safe state or to
initiate an operator action by alarm generation.
The MTTR value is also one of the design factors for
implementation of compensating measures for a SIF. Typically, a low MTTR value
may lead to implementation of a low risk reduction compensating measure and
vice versa. This is required to ensure that functional safety is not
compromised when the SIF is either operating in bypass mode or in a degraded
mode of operation.
Another key consideration would be the spares requirement
for such SIFs. Certain spares may be deemed critical and would need to be
managed at a higher priority, so that, should devices be identified as faulty, the
parts needed to fix them would be guaranteed to be available within local
stores, enabling the SIF to be restored within the specified MTTR value.
In availability calculations, the MTTR value is used as one
of the key mathematical factors. In these calculations, the MTTR value is
inversely proportional to the Availability factor of the SIF, such that the
lower the mean time to restore, the higher the availability of the SIF to
perform a safety function and vice versa. The MTTR value therefore impacts not only
on the reliability calculation directly, but also on the ‘availability’
calculations.
Are your SRS, design and engineering, corrective maintenance and spares philosophy activities
capturing the necessary requirements for successful SIF management in your
safety lifecycle management requirements?