Simply defined, MTTR is the average time for a SIF to be restored back to operation after a fault, repair or replacement and be able to perform its defined safety function from the non-operative mode.
Understanding the significance of the MTTR value and what it covers is highly imperative during the specification, design, operation and maintenance of the SIF. The declared MTTR includes the time required to detect that a failure has occurred (A), the time spent before starting the repair (B), the effective time to carry out the repair (C) and the time required to ensure that the SIF device or component is put back in operation (D).
MTTR is frequently confused with Mean Repair Time (MRT), which relates to the average time to perform a repair. The MRT value includes the average time spent for detection & identification of the failure (B), the effective time to repair (C) and the time needed to return the device into operation (D).
As highlighted in Figure 1 above, unlike MTTR, MRT does NOT include ‘the average time required to detect that a failure has occurred’.
Consequently, MTTR can also be defined as the time during which the SIF is not available to perform a safety function, making it a key value when calculating SIF reliability and availability.
A versatile value
The MTTR value also impacts on other parameters of the SIF such as the design of bypass configurations, architectural requirements, time for SIF degraded mode of operation, requirements for any operator actions, the design of any compensating measures and spares availability.
MTTR values are typically used when designing the bypass functionality for a SIF (for redundant architectures) as this determines the average time for the SIF to be in bypass mode, after which the SIF may either be restored into operation or generate an alarm alerting operation or maintenance personnel to perform the necessary restoration action.
During the safety requirements specification and transposition into design & engineering, if the analysis of the SIF or its associated devices reveals they could not be repaired and restored within the specific MTTR time, then this would potentially identify the need for the development of redundant channels of operation. In this case, the SIF devices may need to be configured in a particular voting arrangement, e.g. 1oo2 or 2oo3 loops. Also, a long MTTR value may require redundant channels to be used for SIF subsystems in order to meet the target failure measure for the SIF.
Depending on the architectural constraints and the redundancy configured for the SIFs, the MTTR value can define the average time for the SIF loop to operate in a degraded mode of operation without compromising on its integrity. If the time for degraded operation of the SIF has exceeded the MTTR, then depending on the integrity of the SIF and the process requirements, the SIF can either be forced to achieve a safe state or to initiate an operator action by alarm generation.
The MMTR value is also one of the design factors for implementation of compensating measures for a SIF. Typically, a low MTTR value may lead to implementation of a low risk reduction compensating measure and vice versa. This is required to ensure that functional safety is not compromised when the SIF is either operating in bypass mode or in a degraded mode of operation.
Another key consideration would be the spares requirement for such SIFs. Certain spares may be deemed critical and would need to be managed at a higher priority, so that, should devices be identified as faulty, the parts needed to fix them would be guaranteed to be available within local stores, enabling the SIF to be restored within the specified MTTR value.
In availability calculations, the MTTR value is used as one of the key mathematical factors. In these calculations, the MTTR value is inversely proportional to the Availability factor of the SIF, such that the lower the mean time to restore, the higher the availability of the SIF to perform a safety function and vice versa. The MTTR value therefore not only impacts on the reliability calculation directly, but also has an impact on the ‘availability’ calculations as well.
Are your SRS, design and engineering, corrective maintenance and spares philosophy activities capturing the necessary requirements for successful SIF management in your safety lifecycle management requirements?