Hi everyone, @Noah Tibasiima has raised the following question, but it was added to another post and may have been overlooked. I have been sleeping on this for a while. I would be interested in hearing how others approach the determination of Maximum Out of Service Time (MOST) when a safety function is bypassed. There is a document out there discussing this (I kinda forgot the title) but it is not mainstream FS if I am not mistaken. However it discusses using time at risk to set maximum time that an IPL can be bypassed. An explanation that stuck with me was this: When an IPL or SIF is bypassed, its PFD during that period is effectively 1.0, since it is guaranteed to fail on demand. Because of that, the time spent in bypass cannot be arbitrary. To keep the average PFD of the function within its tolerable target over the proof test interval, the duration of the bypass has to be limited. The way I saw it derived was by essentially equating the risk contribution accumulated during the bypass period with the allowed risk budget allocated to that IPL/SIF over the full interval. In simplified terms, the MOST becomes the maximum time the function can remain bypassed before the average PFD target is exceeded. My questions to those reading this: 1. How are you determining MOST in practice, do you derive it analytically from the SIF PFD target, or do you rely on more conservative procedural limits? 2. Do you treat the bypass state strictly as PFD = 1, or do you incorporate compensating measures (temporary IPLs, administrative controls, etc.) into the calculation? 3. Are there particular company or industry guidelines you have found useful for setting these limits? Curious to hear how others handle this in operating facilities because I can swear I have told someone before go look up the SRS😂, yet they were dealing with a legacy system

I’ll be running the first Playbook Decision Review next week. 📅 Monday 16 March 2026⏱️ ~40 minutes Scenario we’ll review A SIF designed to meet SIL 2 was verified assuming independence. During installation review it’s discovered that the installation didnt meet the design requirements — increasing potential common cause failure. The plant is nearly complete and correcting the installation would cost millions. So the question becomes: What would you recommend as the functional safety engineer? Options we’ll pressure-test: - Accept the installation and justify the assumptions - Recalculate the SIL verification with updated CCF assumptions - Require corrective changes despite the cost The aim of the session is simple:Walk through how experienced engineers frame and defend decisions when the standards don’t give a clear answer. 🔒 Attendance is available to premium members. Recording available to all members If you’d like to attend, check out the calendar, comment below or message me and I’ll send the meeting link.

Something that always makes me pause when reviewing designs… Proof test coverage that somehow always ends up being 100% effective. On paper it looks great. The numbers work nicely. The SIL calculation passes comfortably. But in the real world I always find myself thinking: Can we really detecting every dangerous failure with that test? In my experience, this is a major cause of rework. If the design progresses to the point where commissioning documents are written and then a FSA or design review reveals overly optimistic proof test coverage it’s a lot of work to correct. Anyone else experiencing this?

Hi all, thanks for accepting. First of all, I am new in functional safety and sorry for my bad english😊. Actually I have some doubt about one of variable in PFDavg calculation namely mission time, couple of question to all: 1. What will happen in the end of mission time?should end user decommissioned the plant?or just replace everything and the mission time will get restarted? 2. If it depend on end user, than based on what consideration usually for them to determine the correct mission time?and what is the reason behind that? 3. Since by the time PFDavg will get derated, and SIL claimed may decreased over the time, shouldn't end user decide to set the mission time before the SIL/RRF drops beyond the rating it should be? Hope you guys can share your knowledge. Thanks,

Hi everyone it will be great to share experiences, interpretations and understanding of functional safety.