Maximum Out of Service Time (MOST) · Functional Safety Play Book

Maximum Out of Service Time (MOST)

Hi everyone,

has raised the following question, but it was added to another post and may have been overlooked.

I have been sleeping on this for a while.

I would be interested in hearing how others approach the determination of Maximum Out of Service Time (MOST) when a safety function is bypassed.

There is a document out there discussing this (I kinda forgot the title) but it is not mainstream FS if I am not mistaken. However it discusses using time at risk to set maximum time that an IPL can be bypassed.

An explanation that stuck with me was this:

When an IPL or SIF is bypassed, its PFD during that period is effectively 1.0, since it is guaranteed to fail on demand. Because of that, the time spent in bypass cannot be arbitrary. To keep the average PFD of the function within its tolerable target over the proof test interval, the duration of the bypass has to be limited.

The way I saw it derived was by essentially equating the risk contribution accumulated during the bypass period with the allowed risk budget allocated to that IPL/SIF over the full interval.

In simplified terms, the MOST becomes the maximum time the function can remain bypassed before the average PFD target is exceeded.

My questions to those reading this:

How are you determining MOST in practice, do you derive it analytically from the SIF PFD target, or do you rely on more conservative procedural limits?
Do you treat the bypass state strictly as PFD = 1, or do you incorporate compensating measures (temporary IPLs, administrative controls, etc.) into the calculation?
Are there particular company or industry guidelines you have found useful for setting these limits?

Curious to hear how others handle this in operating facilities because I can swear I have told someone before go look up the SRS😂, yet they were dealing with a legacy system

8 comments