
ROLE OF FUNCTIONAL SAFETY IN

FACILITY LIFECYCLE
(SHORT COURSE)
BWO Singapore
June 2024

Leading the Way | Your partners in Risk, Safety, Environmental Engineering & Management
AGENDA
1. VRSA Company introduction
2. Safety Moment
3. General Overview
4. HAZOP and SIL in Lifecycle
5. Why have a SIL Assessment?
6. SIL Assessment by LOPA Methodology Brief/Specific Rule Sets
7. SIL Verification and Validation
8. Safety Instrumented Functions (SIF) Assurance Through Lifecycle
9. Functional Safety Assessment in Operation
10. Conclusions & Discussions

Course Presenters:
Zoran Sekulic, Principal Consultant
Aliff Sohaimi, Senior Risk & Safety Engineer
VRSA COMPANY INTRODUCTION
VANGUARD – ABOUT US
Vanguard Risk & Safety Asia is based in Singapore and is an affiliated company of Vanguard Solutions Group.
• Vanguard Solutions Group has other offices in Perth and Dubai. Specialists in HSE Systems Design, Process
Safety & Risk Management focusing on the Oil & Gas Industry.
Services include:
• Safety Engineering & Risk Management
• HSE Studies, Assessments and Safety Cases
• Reliability & Maintainability Studies
• HSE MS, Process Safety & Risk Assessment Training Courses
• Outsourcing of Specialist Personnel (Secondments)
• Presenter – Zoran Sekulic
• Over 40 years of professional experience in process safety/risk management and design, specialising in
Safety, Risk, Loss Prevention and Process Design for the Chemical Process Industry.
• Facilitated 130+ HAZID/HAZOP/SIL studies since 1992 (trained by ICI Engineering Risk Management).
Chaired HAZID/HAZOP/SIL/ALARP studies for a number of major projects and FPSOs (White Rose, PSVM, Glen
Lyon, Kraken, TEN, MV-18/24/26, Woodside GED, Ichthys, Bacalhau, Opal, etc.) and other O&G facilities.
SAFETY MOMENT
16 July 2024
INSTRUMENTATION IN DESIGN (INCIDENTS DO HAPPEN)?
What is the common factor in the incidents below?
1. Milford Haven (UK)
• Activation of the pressure relief system – no high-pressure trip
2. Texas City (USA)
• During the startup, Operations personnel pumped flammable liquid hydrocarbons into the tower for over three hours
• Critical alarms and control instrumentation provided false indications that failed to alert the operators of the high level in the tower
3. Buncefield (UK)

Safety incidents occur during every phase of operations: startup, shutdown, process upsets and malfunctions, maintenance activities (e.g., cleaning), product transfer and handling (e.g., loading/unloading equipment), and emergency response activities (e.g., firefighting).

Process Safety Incident Management Practices
1. Understanding/recognising hidden hazards
PHA techniques (HAZID/Bow-tie, HAZOP, SIL Assessment, etc.)
2. Establishing Safety Culture
Clearly Defined Roles and Responsibilities
Competency and Training
3. Audits and Inspections
Compliance Monitoring
Audits and inspection (FSA in operation)
4. Continuous Improvement and Lessons Learned
Incidents – implementing Corrective Actions
Sharing Lessons Learned

Reduced risk = Increased value
GENERAL OVERVIEW – FS LIFECYCLE
PROCESS UNIT LIFE CYCLE
(Figure: process unit life cycle timeline; only the stage names are recoverable from the extracted text.)
• Concept development
• FEED stage
• Detailed Design
• Commission
• Operate & Maintain
• De-commission
FUNCTIONAL SAFETY LIFECYCLE
• According to IEC 61511 the purpose of a Functional Safety Assessment (FSA) is to confirm that the Safety Instrumented System (SIS) is compliant with IEC 61511.
• Stage 1 FSA is carried out once the Hazard and Risk Assessment studies are completed and the Safety Requirements Specification (SRS) is written.
• Stage 2 FSA is carried out once the SIS Design and the Factory Acceptance Test (FAT) have been completed.
• Stage 3 FSA is carried out following Installation, Commissioning and final Validation (Site Acceptance Test) of the new SIS.
• Stage 4 FSA is carried out at defined intervals to look into the functional safety activities of the Operation and Maintenance of the SIS.
• Stage 5 FSA is required when a Modification is made to a SIS.
(Figure: IEC 61511 Functional Safety Lifecycle)
OVERVIEW – HAZOP & SIL
HAZOP AND SIL ASSESSMENT OBJECTIVES
The following are the objectives of the HAZOP & SIL Assessment:
• To identify process hazards and major operability problems related to the design/process that
could directly threaten the safety of the personnel, impact to the environment or cause operational
problems;
• To identify engineering and procedural safeguards already incorporated into the design that will
help reduce impacts of consequences related to the identified problems;
• To evaluate the adequacy of existing engineering and procedural safeguards;
• To recommend additional safeguards or operational procedures, where necessary; and
• To further evaluate risk from nominated HAZOP hazardous scenarios and, if required, to assign SIL
targets for SIFs, or to ensure that there are sufficient layers of protection in the absence of a Safety
Instrumented Function (SIF) for the hazardous event consequences.
Note: The main purpose of the SIL Determination Study by LOPA is to check whether the risk from hazardous
events with specified severities is at an acceptable level. The aim is to establish risk reduction measure
requirements, or recommendations for further assessment, so as to manage the hazards to ALARP level.
HAZOP METHODOLOGY BRIEF
HAZOP - HAZARD AND OPERABILITY STUDY
• 1963: ICI used the technique to study a new Phenol project
• asked the Method Study group to make a recommendation
• they decided design for normal operation was usually good
• suggested a team was needed to address deviations from normal
• introduced a set of guidewords to identify possible deviations
• Mastered by Trevor Kletz - the 'founding father' of inherent safety: “What you don’t have, can’t leak… Try to change situations, not people…”
• 1974: Chemical Industries Association publishes “A Guide to Hazard and Operability Studies”
• Worldwide acceptance
• OSHA, API, IChemE, CCPS

The primary purpose of a HAZOP is:
• to identify and evaluate Hazards within a Process or Operation
• to facilitate Safe start-up and Operation
• to minimise modifications
• to optimise on-line Time
HAZOP DEFINITION
• HAZard and OPerability Study
• ORIGINAL HAZOP DEFINITION
• “The application of a formal systematic critical examination to the process and engineering intentions of new facilities to assess the hazard potential of maloperation or malfunction of individual items of equipment and the consequential effects on the facility as a whole”
• (CIA Guidelines - 1975)
Confusing? A practical HAZOP definition!
• Structured analysis of a system, process or operation
• Carried out by a multi-disciplinary team
• Line by line / System by system examination of a firm design
• Using guide words to stimulate creative thinking
• To identify deviations from the intended design
HAZOP METHODOLOGY BRIEF
1. Identify and mark up Nodes on the P&ID drawings (preselected).
2. A process engineering overview and functionality description is provided to the HAZOP Team for each Node.
3. The Node definition process parameters are checked for consistency (pre-populated prior to the workshop start).
4. The Deviation being assessed is selected. All causes within the Node for the Deviation are brainstormed, identified and recorded. If no causes are identified, this is stated in the worksheet.
5. Once all the causes are recorded, each cause is individually analysed, and the relevant consequences (Hazardous or Risk Events) are detailed without any benefit of safeguards.
6. Severities for Safety, Environment and Asset (if required) are captured in line with the Risk Matrices.
7. Safeguards defined on the P&IDs or in associated issued Project documents are recorded.
8. Any recommendation required is added to the worksheet and assigned to a relevant company and department/discipline.
9. The next cause is then analysed in the same way until all the causes, consequences and safeguards have been assessed.
10. Once completed, the next deviation is selected and the whole process is repeated until all Nodes have been fully assessed.
HAZOP SAFEGUARDING
The safeguards are established as:
• the engineering system (as defined in the P&IDs and other engineering/design documentation)
• the administrative controls (such as operator response to alarms)
• procedures that can cope safely with the consequences of all deviations.
The HAZOP should also address whether operability is impaired and whether the design could be improved to give the operator better information or facilities to prevent / control / mitigate the consequences of the deviation.
HAZOP GUIDEWORDS
No. | Deviation | Guide Word | Parameter
1 | No/Less Flow | No/Less | Flow
2 | More Flow | More | Flow
3 | Reverse/Misdirected Flow | Reverse | Flow
4 | More Pressure | High | Pressure
5 | Less Pressure | Low | Pressure
6 | More Temperature | High | Temperature
7 | Less Temperature | Low | Temperature
8 | More Level | High | Level
9 | No/Less Level | No/Low | Level
10 | Composition/Phase/Contamination/Deposition | Other than | Composition
11 | Other Operations (Modes, Startup / Shutdown, Maintenance, etc.) | Other than | Operability
12 | Simplicity | Other than | Operability
13 | Relief/Blowdown | Other than | Operability
14 | Corrosion / Erosion | Other than | Operability
15 | Sampling / Testing | Other than | Operability
16 | Control / Instrumentation | Other than | Operability
17 | Ignition Sources | Other than | Operability
18 | Others | Other than |
HAZOP WORKSHEET
NODE:
P&ID Number:
Columns: Deviation | Causes | Consequence (Description, Safety, Env) | Safeguards | SIF | Recommendation | Resp | Comments
Deviations (one row each):
• No/Less Flow
• More Flow
• Reverse/Misdirected Flow/Leak
• More Pressure
• Less Pressure
• More Temperature
• Less Temperature
• More Level
• No/Less Level
• Composition/Phase/Contamination/Deposition
• Other Operations (Modes, Startup / Shutdown, Maintenance, etc.)
• Corrosion / Erosion
• Sampling/Testing
• Control / Instrumentation
• Others
BAROSSA RISK MATRIX
CONSEQUENCE SEVERITY AND SIL INPUTS
Consequence (Safety) | Consequence (Environment) | Safety Severity | Safety TMEL (per year) | Environment Severity | Environment TMEL (per year)
Moderate (Harm to personnel / Medium term impairment) | Moderate (Significant impact to local population / industry / ecosystem) | SIII | 1.0E-02 | EIII | 1.0E-02
Major (Severe Harm to personnel / Long term impairment) | Major (Long-term impact to local population / industry / ecosystem) | SIV | 1.0E-03 | EIV | 1.0E-03
Severe (Single Fatality) | Severe (Complete loss of local population / industry / ecosystem factors) | SV | 1.0E-04 | EV | 1.0E-04
Critical (Multiple Fatalities) | Critical (Irreversible impact to regional population / industry / ecosystem factors) | SVI | 1.0E-05 | EVI | 1.0E-05

Santos RM inputs for calibration of risk criteria for Target Mitigated Event Likelihood (TMEL).
HAZOP RULE SETS
• Failures of protective systems are not considered as a cause of deviation, e.g., PSV failure to open on demand, etc.
• Failures of Control of Work (COW) related actions are not considered as a cause of deviation, e.g., ILC/LC/LO valve inadvertent action, removable spool/spectacle blind/blank flange maloperation, etc.
• A single check valve (NRV) not specified as a safety related device is not given credit for a reverse flow scenario in the case of Safety, Environmental or significant Operability impact, unless otherwise justified.
• In the case of having two (2x100 %) or more identical trains or equipment items of a system, only one train / equipment item is assessed during the review. The relevant recommendations raised for a typical train shall be applicable to the other identical train(s).
• Simultaneous occurrence of two or more unrelated incidents (double/multiple jeopardy) is not considered as a probable cause.
• Rupture/Leak of equipment is not considered as a cause, except for tube rupture or tube/boundary failure in an exchanger.
• Escalation can be considered by the HAZOP team only if its occurrence is established by input from other studies. The initial and escalated consequences need to be written separately.
• Causes are sought only within the node reviewed, but consequences/safeguards could be outside the node.
• Causes can be listed together provided consequences and safeguards are identical. Note: If there is no credible cause proposed, it shall be recorded as “No credible causes identified” within the HAZOP Worksheets.
• If the discussion on a particular cause and its consequences/safeguards cannot reach team consensus, the facilitator is to curtail further discussion and the issue will be either parked (“parked items”) or a recommendation raised for further review.
HAZOP SAFEGUARDING - IPL
1. HAZOP gives a list of agreed and documented safeguards
2. An Independent Protection Layer (IPL) is designed to prevent a postulated accident sequence from proceeding (e.g., PSHH, PSV)
3. The Safety Instrumented Function (SIF) is chosen based on Severity (e.g., Sev V)
4. There could be more than one SIF available with the same action – one SIF is chosen (e.g., LSLL), with or without other IPLs
THE HAZOP CHALLENGE
• How do we ensure that our HAZOP studies are transformed into a success story?
• . . . . . where people wish to actively participate in HAZOPs?
REVIEW OF HAZOPS REVEALS …..
Scope of study
- ‘Utility’ systems excluded
- Vendor packaged units not covered
- Differences between ‘repeat designs’ not evaluated
Duration and timing
- Extended days (ETP recommends 6 hrs / day)
- Limited duration or breaks
Available documentation
- Key documents such as cause & effects charts not available or updated
General
- Limited use of guidewords
- Full recording not practiced
- Software, quality of team/facilitator/scribe, etc.
Causes – not comprehensively listed
Evaluation of consequences – stop at the initial cause, not developed through to ultimate impact / quantified
All contribute to impair the effectiveness of the HAZOP to provide the expected rigorous design integrity assurance.
MAJOR INDUSTRIAL DISASTERS IN THE TWENTIETH CENTURY
Date | Location | Substance | Facility | Killed | Injured
1921 | Oppau | ammonium nitrate | Stockpile | 561 | -
1947 | Texas City | ammonium nitrate | Ship | 552 | ~3000
1958 | Signal Hill | oil froth | Tanks | 2 | 18
1966 | Feyzin | propane | Storage | 18 | 81
1974 | Flixborough | cyclohexane | Plant | 28 | 104
INCIDENT SPECTRUM
(Figure: severity versus frequency plot. Vertical axis SEVERITY from MTI, LTI, DIS, 1F, 10F to 100F; horizontal axis FREQUENCY from 0.001 to 1000. Occupational Safety occupies the high-frequency / low-severity end, Technical Safety the low-frequency / high-severity end.)
SIL ASSESSMENT ASPECTS
HAZOP LINKAGE TO SIL DETERMINATION
BY LOPA
• The key information needed from HAZOP is as follows:
• Initiating causes
• Consequence and severity category
• Safeguards (as IPLs)
• LOPA relies on the results of the HAZOP, further evaluated by the team
• The LOPA review is concerned with hazardous events of specific Severities and the related SIF/IPLs, whereas a HAZOP may include safeguards that are not SIFs.
• Assessment of Safety Instrumented Functions (SIFs) by SIL Determination, or of the adequacy of IPLs to match the risk target for a specified hazardous event scenario.
SIL DETERMINATION METHODOLOGY
• Following IEC 61511 standard requirements
• Typically addresses Safety and Environmental consequence demand in line with the specified RM
• Determination by Layer of Protection Analysis (LOPA)
• Establishing risk reduction measure requirements
• For SIFs in demand
• Could also require assurance that there are sufficient layers of protection in the absence of the SIF for the hazardous event consequences
• If required, to put forward recommendations for further assessment to manage the hazards to ALARP level.
• Software programs, e.g. PHA-Pro, have a special LOPA Module which can be tailored to company or project requirements
CONCEPTS USED
Safety Instrumented Function (SIF) is a function with a specified safety integrity level which is necessary to achieve functional safety, typically as a safety instrumented protective function.
Safety Instrumented System (SIS) is used to implement one or more SIFs. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).
Integrated Control and Safety System (ICSS) combines elements of process control and functional safety into a single architecture (separation of Functional Safety and Control is achieved within the architecture in line with IEC 61508/61511 requirements).
SAFETY INSTRUMENTED FUNCTION
SIF = Safety Instrumented Function
(Figure) One or more initiators -> Logic solver -> One or more final elements
Purpose - to prevent a hazard by:
• sensing abnormal conditions;
• automatically returning the process to a safe condition.
LOPA - MAIN STANDARDS & REFERENCE MATERIAL
• IEC 61508/61511 - Functional safety of electrical/electronic/programmable electronic safety-related systems / Functional safety – Safety instrumented systems for the process industry sector
• ISA TR84.00.02, Safety Instrumented Functions (SIF) - Safety Integrity Level (SIL) Evaluation Techniques - Parts 1 to 5.
• Centre for Chemical Process Safety (CCPS), Concept Book, Layer of Protection Analysis: Simplified Process Risk Assessment
• CCPS, Guidelines For Enabling Conditions And Conditional Modifiers In Layer Of Protection Analysis
• OREDA, SINTEF for frequency/failure rates
LAYERS OF PROTECTION ANALYSIS (LOPA)
• LOPA is a method for evaluating the effectiveness of protection layers in reducing the frequency and/or consequence severity of hazardous events
• LOPA can be used to determine the target SIL for a SIF as a demand for protection against the consequence(s) of the hazardous events
• LOPA evaluates whether a protection layer can be considered independent
• LOPA determines the performance required for independent SIFs and non-SIS layers of protection
LOPA ADVANTAGES & LIMITATIONS
LOPA advantages
• Effective in resolving disagreements related to risk.
• Determines whether a SIF or alternative means of protection are required, and the associated SIL if a SIF is chosen.
• Conforms to industry standards.
• Facilitates the analysis of protective layers addressing health, safety and environment, and may also be applied to risks due to equipment damage and business value lost.
LOPA Limitations
• Not a method for identifying hazards.
• May be excessive for simple or low risk decisions.
• May be overly simplistic for complex systems.
• Not a method to analyse escalation events.
LOPA EXCLUSIONS
• Escalation events (e.g., activation of protective devices on demand, external fire, domino effects from other parts of the unit or adjacent plants) and related mitigation layers such as deluge, gas detection and emergency response systems, since these systems become active after an event has occurred
• General fires and gas releases not associated with a specific process parameter deviation cause.
• Activities related to or governed by Control of Work (e.g., procedural steps part of Control of Work, locked devices activation, lock out/tag out, confined space entry, crane lifts, and vehicle impacts).
• Health, industrial hygiene and occupational safety hazards (e.g., diseases, food contamination, slips, trips, and falls, pinch points, ergonomics, accessibility, hot surfaces, etc.)
• Inherently safe designs or recommendations that will lead to those.
• Design error (e.g., wrong sizing, wrong material selection, wrong instrumentation, etc.) as an initiating cause. However, LOPA may be utilised to identify interim risk reduction measures while a design is being corrected.
• General corrosion, erosion, improper maintenance, inspection, or other integrity management issues.
• Natural phenomena such as floods, earthquakes, tornadoes, storms, lightning strikes, etc.
• Terrorism and sabotage
INDEPENDENT PROTECTION LAYER (IPL)
• An IPL (e.g., SIF) shall have the following attributes:
• Specificity: Designed to prevent a postulated accident sequence from proceeding to a defined, undesirable endpoint (e.g., overpressure prevented by PSHH and/or PSV).
• Independence: The IPL is independent of all other protection layers associated with the identified potentially hazardous event (PSHH vs. PSV).
• Dependability: The protection provided reduces the identified risk by a known and specified amount (Risk Reduction Factor, RRF = 1/PFD; e.g., RRF > 10 for SIL 1, RRF = 100 for PSV).
• Auditability: Designed to enable periodic validation of the protective function (SIF proof testing, PSV as per PSs).
• An IPL may be active (BPCS, SIS, mechanical relief, etc.) or passive (vent, overflow, bund, etc.)
SIL DETERMINATION PARAMETERS
• The hazardous event risk is established by evaluating the risk that would exist in the absence of the SIF (using the available IPLs) and comparing the outcome to the applicable criterion for tolerability of the risk, the Target Mitigated Event Likelihood (TMEL).
• Establishing the Unmitigated Event Frequency (UEF) resulting from Initiating Events (IE) in the presence of the Modifiers and Enabling Conditions:
• Ignition probability (for flammable and high flash point hazards; refer to ToR)
• Time at risk (the fraction of time the hazard is present; specific batch operations)
• Occupancy factor (fraction of time that the hazard zone is not occupied; Rule Set for Barossa Safety Studies)
• Enabling event probability (a condition that must be present during the initiating event for it to progress to the consequence(s) of the event)
• The Independent Protection Layer (IPL)
• Assessment of IPLs shall be performed to determine the amount of risk reduction provided by each, its dependability, and its independence from other IPLs.
LOPA METHOD STEPS (BRIEF)
• Preparation steps (Input from HAZOP)
• Identify hazardous events for the LOPA Scenario that result in consequence Severity levels requiring a LOPA
• Identify initiating causes of the hazardous events - Check HAZOP causes
• Identify any existing SIFs and IPLs - Check HAZOP safeguards
• Prepopulation and LOPA Review
• Determine the initiating cause frequency of failure (likelihood) – ToR
• Consider frequency modifiers (Occupancy factor, Ignition probability, Time at Risk, Enabling Conditions)
• Verify the consequence level targets in terms of Safety/Environment – Agree Severity for TMEL
• Determine IPLs that can mitigate the initiating causes – ToR Rule Sets
• Determine the IPLs’ Probability of Failure on Demand (PFD) – ToR
• Determine the SIF’s PFD/Risk Reduction Factor (RRF) – Software Algorithm
• Proceed to the next scenario until analysis of all scenarios is completed
RECOMMENDED PRACTICE (HC SYSTEMS)
Extent of Overpressure/Impact | Hazard | Severity (Note 2) | Comment for SIL Review (Note 3)
Major loss of integrity. Impact in wide area with possible escalation effects. Impact of FIV/AIV. | MULTIPLE RUPTUREs (e.g. Flare System, Cargo Tanks) with dislocated flare system pipework and releases in various areas could result in engulfing fire or explosion of a number of plant areas. Breach of COTs integrity and large area leak/oxygen ingress. | Multiple fatalities (SVI) | Occupancy as a frequency modifier should NOT be taken into consideration due to potential for large area impact
Overpressure >3 x design. Basis is rapid pressure rise (minutes or less). Pressure rated equipment AND large equipment item - vessel or line >4". Note 1 | RUPTURE (VESSEL): Process vessel rupture or ≥ 4" process pipework rupture could result in large jet or pool engulfing fire and/or explosion in a large area. | Multiple fatalities (SVI) | Occupancy as a frequency modifier should NOT be taken into consideration due to potential for impact to adjacent areas
Overpressure >3 x design (any rate). Pipework <4" lines. Note 1 | RUPTURE (PIPING): Major process equipment flange releases or <4" pipework release could result in a jet/flash/pool fire and/or explosion in the area and adjacent modules. | Single fatality (SV) | Occupancy can be considered as a frequency modifier
Process overpressures >2 to <3 x design (any rate). Note: definite failure of vessel attachments (e.g. flanges). Note 1 | MAJOR LEAK: Major process equipment (e.g., flange) releases or >4" pipework release could result in a jet/flash/pool fire and/or explosion in the local area. | Single fatality (SV) | Occupancy can be considered as a frequency modifier
Process overpressures >2 to <3 x design (any rate). Pipework <4" lines. Note: definite failure of gasket flanges etc., leakage, pipework. Note 1 | MAJOR LEAK/LEAK: Major process equipment flange releases or <4" pipework release could result in local fire. | Single fatality / Major Injuries / Disabilities (SV / SIV) | Occupancy can be considered as a frequency modifier
Process overpressures 1.3 - 2 x design. All equipment and pipework. Note 1 | MINOR LEAK: Minor gasket/flange release. Minor fire or no fire consequence if ignition source is not present in any ventilated area. | Injuries (SIII / SII) | Occupancy as a frequency modifier should NOT be taken into consideration due to potentially lower severities impact
Process overpressures < 1.3 x design. All equipment and pipework. Note 1 | NO IMPACT | - | -

Note 1: Overpressure ratio taken between a maximum overpressure source design pressure (by a PSV setting) and the design rating of the affected system.
Note 2: Severity impact based on releases from HC systems at pressures up to 100 barg. Systems at higher pressures should be assessed at the discretion of the team.
Note 3: Pipelines, other atmospheric design tanks (COTs included) and non-metallic vessels/pipework are not included in this consideration. Specific ratios will be generated on a case-to-case basis.
SIL DETERMINATION RULE SETS
• The SIL Determination assumes that there will be an adequate maintenance and inspection plan in place to ensure the integrity of equipment, instrumentation and piping when the FPSO is placed in operation;
• Human error for manipulating manual valves – one error taken for one system (low likelihood of multiple errors for trained and not stressed operators)
• Control function failures – one BPCS failure taken per system (e.g., one control failure for the liquid and gas side respectively, one failure taken at each adjacent equipment item, etc.).
• No credit is given for specific passive IPLs or post-LOC mitigation and controls (e.g., fire and gas (F&G) or personal protective equipment (PPE)) during the evaluation of whether personnel are able to avert danger.
• The probability that the exposed area is occupied at the time of the hazardous event shall take into account the possibility of an increased likelihood of persons being in the exposed area in order to investigate abnormal situations which may exist during the build-up to the hazardous event (e.g., response to alarms). If the hazard being analysed is related to an operation which requires personnel to be present in the affected area to perform the operation, then no credit for occupancy shall be selected.
FAILURES - UNREVEALED VS. REVEALED
• What is an unrevealed failure?
• A failure that may lie dormant in the system and only be discovered as a result of a thorough diagnostics or testing procedure.
• A variation is the hidden failure: a failure that is not immediately evident and that has the potential to prevent equipment from performing an on-demand function.
• In general, related to fixed equipment, e.g., check valves (both directions), mechanical regulators, etc.
• What is a revealed failure?
• Failures that are immediately obvious (diagnosed) are called revealed failures.
• In general, related to instrumentation, control/shutdown valves and human errors (e.g., the block valve downstream of a control valve is left closed, but the failure is not revealed until the control is needed/used, followed by an alarm, etc.).

What are 4 famous revealed failures?
1. Steven Spielberg was rejected from film school three times.
2. John Grisham's first book, A Time to Kill, was rejected 28 times.
3. Albert Einstein had the label "mentally slow" put on his permanent school record.
4. Henry Ford's first two automobile companies failed.
IE FREQUENCY
EQUIPMENT INITIATING CAUSES
Initiating Event (IE) | Failure Frequency (events / year)
BPCS instrument loop failure | 0.1
Mechanical regulator failure | 0.1
SIS operated / blowdown valve (spuriously moves to fail safe state) | 0.05
Non-return valve stuck closed | 0.01
Non-return valve passing | 0.1
Strainer blocked (not commissioning) | 0.1 - 0.2
Fixed equipment failure (e.g., exchanger tube failure) | 0.01
Pumps and other rotating equipment | 0.1
Cooling water failure (e.g., redundant cold-water pumps, diverse drivers) | 0.1
Loss of power | 0.1
PSV spurious activation | 0.01
API pump seal failure (single mechanical) | 0.1
API pump seal failure (double mechanical with ability to detect primary seal failure and resulting action) | 0.01
Unloading / loading hose failure (full rupture), non-vibrating service | 0.01
Unloading / loading hose failure (full rupture), vibrating service | 0.05
Unloading / loading hose failure (leak), non-vibrating service | 0.1
HUMAN ERROR FREQUENCY FOR ACTIONS TAKEN AT LEAST ONCE PER MONTH
Conditions Probability of Error
Operator well trained with stress 1 / yr
Operator well trained with no stress 0.1 / yr
Operator well trained with no stress, and with independent verification 0.01 / yr

HUMAN ERROR FREQUENCY FOR ACTIONS TAKEN LESS THAN ONCE PER MONTH
Conditions Probability of Error
Operator well trained with stress 0.1 / opportunity
Operator well trained with no stress 0.01 / opportunity
Operator well trained with no stress and with independent verification 0.001 / opportunity
MODIFIERS - IGNITION PROBABILITIES
Ignition Probability | Rule Set Value | Comments
Releases reaching auto-ignition temperatures, pyrophoric materials, naked flame in the area, catastrophic vessel failures (Note 2), etc. | 1 | No credit given for ignition probabilities
Wide area release or multiple releases (e.g., Flare/COT Systems), plant safe areas or unclassified area releases | 0.5 | Probability for large footprint over site or plant, or delayed ignition
Probability of ignition of flammable fluid when a pressure piping/vessel impact occurs (no full rupture) | 0.2 - 0.5 | Vessel burst will give a short term release rate > 50 kg/s. See below. Note 1
Probability of ignition of flammable fluid when a joint fails | 0.03 - 0.15 | Hydrocarbon (HC) rate of release through joint failure is 1 - 50 kg/s. See below
Probability of ignition of flammable fluid when a joint (gasket) or rotating machinery mechanical seal fails | 0.0025 - 0.05 | HC rate of release through joint failure is < 1 kg/s. See below
Probability of ignition of HC liquid (C5+) | 0.003 - 0.028 | Based on typical heavy condensate/crude oil pressurised releases of > 1 kg/s
High flash point products atmospheric releases (tanks) | 0.001 - 0.002 | Based on diesel or fuel oil atmospheric releases of > 1 kg/s. Note 2

Note 1: Ignition probability modifier does not normally apply to catastrophic vessel failure (full rupture)
Note 2: Ignition probability should be increased 10 times for releases to safe (non-classified) plant areas
Note 3: No credit for toxic gas impact
MODIFIERS – OTHERS
• Time at risk (T@R) - the hazardous event can occur continuously or only during a specific, time-limited event.
• A fraction of the time the hazard is present can be applied to limit the duration of the hazard (e.g. offloading operations)
• Used only for revealed failures – prior to the start of the operation, the equipment related to the use of T@R needs to be tested
• “Time-at-risk considerations can only be applied when systems have been put in place to reliably ensure that potential failures that could lead to incident scenarios are detected and corrected before the beginning of the time-at-risk state…”. Ref. CCPS, Guidelines For Enabling Conditions And Conditional Modifiers In Layer Of Protection Analysis

• Occupancy factor - fraction of time that the hazard zone is not occupied. Rule Set for Opal (impact of HC releases):
• Single module (Sev IV & V) – 10 % for topside/hull areas as a conservative approach (5 % + as per FPSO distribution)
• Multiple Modules (Sev VI) – 20 % as per additional personnel (group)
• Large area (Sev VI) – FPSO wide exposure (e.g. Flare System/Cargo Tank ruptures) – no occupancy credit
• Start-up/Shutdown event, human error at location (any Severity) – at-location impact - no occupancy credit

• Enabling event probability - a condition that must be present during the initiating event for it to progress to the consequence(s) of the event
• Rarely used – difficult to establish the probability, e.g., single or multiple train operation
• Specific, with certainty of confidence interval (Opal - use of HC vs. IG blanketing)
ICSS IPL
IPL | PFD | Comments
Basic process control system control loop – Safety Related Control (SRC) | 1 x 10^-1 | Can be credited as independent protection layer if not associated with initiating event being considered. IEC 61511 places limit of 0.1 for PFD of BPCS, unless BPCS is designed and maintained as safety system in accordance with IEC 61511 (also refer to BPCS Section). SRC to meet specific set of requirements as per the ToR.
Safety instrumented function (in SIS with no SIL rating) | >= 1 x 10^-1 (to < 1) | Includes No Special Safety Functions required (SIL a) and No Safety Function (NSF) required if residing in SIS. Note: SIL a could use Control System functionality. Refer to IEC 61508 and IEC 61511 for lifecycle requirements and additional discussion
SIL 1 SIS | >= 1 x 10^-2 to < 1 x 10^-1 | Typically consists of single sensor, single logic solver, and single final element.
SIL 2 SIS | >= 1 x 10^-3 to < 1 x 10^-2 | Typically consists of multiple sensors (for fault tolerance), multiple channel logic solver (for fault tolerance), and multiple final elements (for fault tolerance).
SIL 3 SIS | >= 1 x 10^-4 to < 1 x 10^-3 | Typically consists of multiple sensors, multiple channel logic solver, and multiple final elements. Requires careful design and frequent proof tests to achieve low PFD figures.
Note: If the SIL level has been verified for a specific SIS, that value should be used as opposed to the range listed.
MECHANICAL RELIEF IPL
IPL | Conditions | PFD
Relief Valve | PSV sized to mitigate the scenario | 0.01
Relief Valve | Multiple full-load PSVs are available to mitigate the scenario | 0.001
Relief Valve | Multiple partial-load PSVs are available and sized such that more than one PSV would need to fail for the scenario to occur | 0.01
Relief Valve | N number of partial-load PSVs required to mitigate the full load. This includes staged release PSVs. | N x 0.01
Relief Valve | Plugging service with no protection. An unprotected PSV used in plugging service is not considered sufficient for consideration as an IPL. | 1
Relief Valve | Plugging service with protection. The design is based on prior history in similar services and may include the use of specially designed PRVs, inlet header purges, and close coupled rupture discs. | 0.01
Relief Valve | PSV with two dissimilar NRVs installed in series for reverse flow protection – likelihood reducing factor and an aid to PSV sizing factor (10 % flow area) | 0.01
Vacuum breaker | Designed for the hazard and inspected periodically | 0.01
Rupture Disc / Buckling Pin | Designed to mitigate scenario (non-plugging service) | 0.01
OTHER IPL
Risk Reduction Measures | PFD | Comments
Single NRV | 1 x 10^-1 | Based on regular test frequency for a single NRV. Note 1
Two dissimilar NRVs | 1 x 10^-2 | Based on a regular test frequency of two dissimilar NRVs. Note 1
Dike/Bund | 1 x 10^-2 | Will reduce frequency of large consequences (widespread spill) of tank overfill/rupture/spill.
Underground drainage system | 1 x 10^-2 | Will reduce frequency of large consequences (widespread spill) of tank overfill/rupture/spill.
Open vent (no obstructions) clean vapour service | 1 x 10^-3 | Will prevent overpressure if sized for required conditions.
Fireproofing | 1 x 10^-2 | Will reduce rate of heat input and provide additional time for depressurising/firefighting. Note 3
Blast wall/bunker | 1 x 10^-3 | Will reduce frequency of large consequences of explosion by confining blast and protecting equipment/buildings. Note 3
Flame/detonation arrestors | 1 x 10^-2 | If properly designed, installed, and maintained, will eliminate potential for flashback through piping system or into vessel or tank. Note 3
Mechanical stops | 1 x 10^-2 | Non-adjustable, stop set and verified. Note 2
Tank overflow (no obstructions), Flow restriction orifice | 1 x 10^-2 | Shall be on a defined maintenance routine. Note 2

Note 1: Check valves may be used as a layer of protection only if leakage is tolerable
Note 2: Given as “Fixed Equipment Failure”
Note 3: Not used as preventative IPLs but as post-event for specific LOPA (F&G, EERA, survivability, etc.)
SIL DETERMINATION WORKSHEET (LOPA)
[Worksheet template; column headings recovered from the slide:]
LOPA Scenarios: Item, Description
Initiating Event: Description, Freq (1/yr), Comment
Conditional Modifier: Description, Prob
Enabling Events or Condition: Description, Prob
UEF (1/yr)
IPLs: Description, Code, PFD
MEF (1/yr)
SIF: S, TMEL (1/yr), IPL Description, RRF, PFD, IL
LOPA GAP
LOPA Remark
Recommendations
Resp
Operator response to alarm – Safety Related Alarm (SRA)
• Operator has at least 15 minutes for intervention before SIF activation or an event (response time < Time to Event, whichever comes first)
• An intervention by the operator shall be independent of any credited IPL final element action
• Alarm is independent of cause and is independent of any BPCS control loop claimed as an IPL.
• BPCS control loop claimed as an IPL and alarm that share the same input card or processor are not independent.
• Operator is always present and available at alarm point (e.g., at CCR as continuously manned).
• Alarm is allocated a priority and gives clear indication of hazard.
• The alarms shall be designated as at least High Priority which is highlighted on the HMI.
• Operator detects alarm among potentially many other alarms.
• Operator is trained in proper response and operations procedures associated with alarm state
ALARM MANAGEMENT/RATIONALISATION
• International standards (EEMUA 191 – 2007, ISA-18.2-2008) provide guidance on how to implement and maintain an alarm system
• Alarm management activities are structured to follow IEC
61508/11 Lifecycle approach
• The first stage of the alarm management lifecycle involves
the creation of an alarm philosophy document.
• Rationalisation involves reviewing and justifying potential
alarms to ensure that they meet the criteria
• Defining the attributes of each alarm - activation time,
priority, classification, and type, as well as documenting the
cause, consequence, response time and operation action.
• Opal Configuration includes:
• First Out Alarms - Where a final element can be
tripped by more than one initiator, the SIS captures
the initiating cause of a trip via a first-out alarm
indication in HMI.
• Safety Related Alarms - All Alarms credited as an IPL
within the SIL assessment have been added to the
alarm list as Safety Related (High Priority).
ALARM SAFETY RESPONSE TIME
Urgency is defined by the Time To Consequence (TTC), which is the difference between the Time to Event (TTE) and the Operator Response Time (ORT)
• The ORT will be based on a generic rule set that shall take into account the location of the required response (such as control room, aft machinery space) and the task required of the operator upon reaching the equipment (such as line-up of equipment).
• For the TTC, where specific durations are not available, a similar rule set shall be established and agreed by all team members (such as high Differential Pressure across a filter, increased bearing temperature).

Urgency | TTE – ORT
Immediate | < 3 mins
Prompt | 3 mins to 10 mins
Soon | > 10 mins (or operator convenience)
PROCESS SAFETY TIME
Per IEC 61511 Part 1 Section 3.2.52.1, Process Safety Time is defined as, “the time period
between a failure occurring in the process or the basic process control system (with the
potential to give rise to a hazardous event) and the occurrence of the hazardous event if
the safety instrumented function is not performed”.
• The time from an initiating event to the occurrence of an incident.
• The response time for a SIF will be from detection at the sensor to completion of the
final element action.
SIL VERIFICATION/VALIDATION BRIEF
SUMMARY OF IEC 61508
• A “good” (Engineering) process is insufficient by itself
to produce safe and reliable software
• To achieve safety and reliability, certain planning,
design, analysis and verification activities must take
place
• The achievement of safety and reliability should be measured throughout the life-cycle by a combination of product, process and people/resource metrics, both quantitatively and qualitatively
• Safety and reliability are engineering specialties which
require specialized knowledge, skills and experience
IEC 61508 FEATURES
• Development of a “unified approach” within a rapidly developing technology
• Independent of industry sectors and application domains. Facilitate development of application-specific standards
• Goal: achieve required functional safety
• System risk + acceptance criteria → required reliability of Safety Functions for EUC (Equipment Under Control).
• Focus on Technology and Processes
• Focus on Hardware and Software
• Focus on the whole Product Lifecycle (concept → decommissioning)

[Figure: risk reduction model, IEC 61508 Part 5, Annex A. Axis of increasing risk from residual risk through tolerable risk to EUC risk; necessary risk reduction versus actual risk reduction, the latter split into the part of risk covered by other technology systems, by E/E/PE systems and by external facilities.]
SIMPLE EXAMPLE: FIRE RISK
Case: Oil & Gas Facility: fire consequence & risk
Without protection system:

Consequence of fire escalation: Catastrophic

Frequency of fire development: Probable

→ Unacceptable risk

Install fire protection system:

Consequence of fire: Still catastrophic if not detected

Frequency of fire development becomes improbable, since it can be shown that 99% of all fire
developments can be detected and extinguished at an early stage

Requirements on Fire Protection: Unavailability < 1%

→RRF = 100 is SIL 2 (SIL 2 typically achieved by F&G Systems)


SAFETY LIFECYCLE PHASES
• SIL Determination
• SIL is a measure of the risk reduction claimed for a Safety Instrumented Function (SIF). IEC 61511 Clause 9 includes the requirement for determination of the safety integrity level of a safety instrumented function by considering the risk reduction that is to be provided by that function.
• As per the IEC 61511 Safety Life Cycle guidelines, this activity follows Project Hazards and Risk Assessment Studies with a focus on Hazard and Operability Study (HAZOP) and provides input to the Safety Instrumented System Requirement Specification (SRS).

• SIL Verification/Validation
• IEC 61511 Clauses 11 & 12 specify the requirements of a safety instrumented system (SIS) to meet the selected SIL levels.
• It is necessary to carry out a SIL Verification study in order to verify the reliability of a SIS for a safety function against the target SIL determined for the function.
• SIL Validation is to systematically Review, Check, Test, Demonstrate and ensure that the SIS / SIF are designed, procured & installed to meet the Functional Requirements and are capable of meeting the Performance Requirements indicated in the SRS
• Functional Safety Assessment (FSA) Stages are to assure that the final SIS design, installation and maintenance account for the SIL Verification/Validation and the recommendations of the FSA
SIL VERIFICATION / RELIABILITY
ANALYSIS
• Once the required SILs are determined, a reliability analysis of the SFs is performed to obtain a probability of failure for each of the functions.
• If the required SIL exceeds the current SIL (RRF), SF improvement measures have to be defined and the reliability evaluation process repeated.
• IEC 61508 / IEC 61511
• Focuses on safety unavailability
• Probability of Failure on Demand (PFD)
• Only the contribution from random failures is quantified
• β-factor model (λ_D = β × λ) – common mode (common cause) failure
SIL VERIFICATION INPUTS
• Proof Test Intervals
• Specific data on test intervals for various components by the SRS requirements – Opal default is 1/yr
• Probability of Failure on Demand (PFD)
• The component failure rates with each of the various test intervals
are used to calculate the PFD for each of the components within a
system
• PFDs are then used in the system calculation to determine the
overall system PFD
• Opal – Inputs chosen from SILver (EXSILentia database) for
selected vendors having SIL certificate or in absence as generic
components
SIF ARCHITECTURE
Architectural Constraints
• SIF is limited by the hardware safety integrity architectural constraints.
• The architectural constraints place requirements on the Minimum Hardware Fault Tolerance (HFT) in a SIF. Architectural constraints of the SIFs are assessed as part of the SIL Verification analysis based on IEC 61508.
• Depending on the equipment type, Hardware Fault Tolerance (HFT) and Safe Failure Fraction (SFF), the achieved SIL of the SIF is limited to the SIL as represented in the tables below, for example Type A
SIL VERIFICATION ALGORITHMS
SIL Verification Analysis & Techniques
• Markov Models (Used by EXSILentia)
• Reliability Block Diagrams
• Fault Tree Analysis (FTA)

[Figure: Markov Model State Transition Diagram for a 1oo1 and 1oo2 SIF]

Simplified FTA for HIPPS (values as shown on the slide):
Inlet Line HIPS Failure: 6.07 x 10^-5
  ZV Failure: 4.02 x 10^-5
    ZV0014 Failure: 6.34 x 10^-3
      Valve Fails Open: 4.38 x 10^-3
      Solenoid Fails: 1.97 x 10^-3
    ZV0015 Failure: 6.34 x 10^-3
      Valve Fails Open: 4.38 x 10^-3
      Solenoid Fails: 1.97 x 10^-3
  Pressure Sensors Failure: 1.29 x 10^-6
    FC1: 4.32 x 10^-7
      PIT 0002A Fails: 6.57 x 10^-4
      PIT 0002B Fails: 6.57 x 10^-4
    FC2: 4.32 x 10^-7
      PIT 0002A Fails: 6.57 x 10^-4
      PIT 0002C Fails: 6.57 x 10^-4
    FC3: 4.32 x 10^-7
      PIT 0002B Fails: 6.57 x 10^-4
      PIT 0002C Fails: 6.57 x 10^-4
  TMR Logic Controller Failure: 1.92 x 10^-5
FAILURE RATE AND RELIABILITY

• Software such as EXSILentia (EXIDA)
• Databases
  • OREDA
  • PDS
  • CCPS Process Equipment Reliability Data
  • Lees
• Pressure Sensors: λ = 3.00E-07 / hour
• Level Sensors: λ = 6.00E-07 / hour
• PSD/ESD Valve: λ = 1.00E-06 / hour
• Solenoid: λ = 9.00E-07 / hour
• Logic Solver (LS): λ < 1.00E-07 / hour

Probability of Failure on Demand (PFD) or Fractional Dead Time (FDT) for individual components is calculated as:
PFD (FDT) = (1/2) × λ × T
Where:
λ – failure rate, 1/yr
T – test period in Yrs
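The PFD (FDT) = λT/2 relation on this slide, extended to the voted architectures used in the HIPPS fault tree and combined with the IEC 61508-2 Route 1H architectural constraint tables (Type A and Type B), as an added Python example; it is not the course's code and not EXSILentia output. The per-hour failure rates are the generic ones listed above (the 1oo1 valve result reproduces the 4.38 x 10^-3 “Valve Fails Open” figure of the FTA slide); the HIPPS voting arrangement, the 12-month test interval, the β factors and the SFF values are constructed. The voted-group formulas are the IEC 61508-6 low-demand approximations with repair time neglected.

```python
"""SIL verification arithmetic: PFDavg per subsystem, SIF total, SIL band and
the IEC 61508-2 Route 1H architectural-constraint check.

Added example, not from the course, EXSILentia or an Opal deliverable. Failure
rates are the generic per-hour values on the slide; the HIPPS arrangement,
12-month test interval, beta factors and SFF values are constructed.
"""
from dataclasses import dataclass
from typing import List

HOURS_PER_YEAR = 8760.0

# Generic dangerous failure rates per hour, as listed on the slide.
LAMBDA_PER_HOUR = {
    "pressure_sensor": 3.00e-07,
    "shutdown_valve": 1.00e-06,
    "solenoid": 9.00e-07,
    "logic_solver": 1.00e-07,   # slide gives "< 1e-7"; the bound is used here
}

def per_year(lam_per_hour: float) -> float:
    return lam_per_hour * HOURS_PER_YEAR

def pfd_1oo1(lam: float, t_years: float) -> float:
    """Single channel with perfect proof testing: PFD (FDT) = lambda * T / 2."""
    return lam * t_years / 2.0

def pfd_1oo2(lam: float, t_years: float, beta: float) -> float:
    """1oo2: both independent channels down, plus beta-factor common cause."""
    lam_ind = (1.0 - beta) * lam
    return (lam_ind * t_years) ** 2 / 3.0 + beta * lam * t_years / 2.0

def pfd_2oo3(lam: float, t_years: float, beta: float) -> float:
    """2oo3: any two of three channels down, plus beta-factor common cause."""
    lam_ind = (1.0 - beta) * lam
    return (lam_ind * t_years) ** 2 + beta * lam * t_years / 2.0

def sil_from_pfd(pfd: float) -> int:
    """SIL band by PFDavg (low demand); 0 means no SIL rating (PFD >= 0.1)."""
    for sil, lower in ((4, 1e-5), (3, 1e-4), (2, 1e-3), (1, 1e-2)):
        if pfd < lower * 10.0:
            return sil
    return 0

# IEC 61508-2 Route 1H, Tables 2 (Type A) and 3 (Type B): maximum SIL for
# each SFF band and HFT 0, 1, 2; 0 means the arrangement is not allowed.
SFF_BANDS = [(0.0, 0.60), (0.60, 0.90), (0.90, 0.99), (0.99, 1.0001)]
ARCH_LIMIT = {
    "A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]],
    "B": [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]],
}
HFT_OF_VOTING = {"1oo1": 0, "1oo2": 1, "2oo3": 1}

def max_sil_by_architecture(dev_type: str, sff: float, hft: int) -> int:
    for band, (lo, hi) in enumerate(SFF_BANDS):
        if lo <= sff < hi:
            return ARCH_LIMIT[dev_type][band][min(hft, 2)]
    raise ValueError(f"SFF {sff} out of range")

@dataclass
class Subsystem:
    name: str
    lam_per_year: float   # dangerous undetected rate of one channel, 1/yr
    voting: str           # "1oo1", "1oo2" or "2oo3"
    dev_type: str         # "A" or "B" per IEC 61508-2
    sff: float            # safe failure fraction of one channel
    beta: float = 0.02    # common cause fraction (constructed)

    def pfd(self, t_years: float) -> float:
        if self.voting == "1oo1":
            return pfd_1oo1(self.lam_per_year, t_years)
        fn = pfd_1oo2 if self.voting == "1oo2" else pfd_2oo3
        return fn(self.lam_per_year, t_years, self.beta)

def verify_sif(subsystems: List[Subsystem], t_years: float) -> dict:
    """Subsystems act in series, so PFDs add; the SIL is the lower of the PFD
    band and the tightest architectural constraint among the subsystems."""
    total = sum(s.pfd(t_years) for s in subsystems)
    by_pfd = sil_from_pfd(total)
    by_arch = min(max_sil_by_architecture(s.dev_type, s.sff, HFT_OF_VOTING[s.voting])
                  for s in subsystems)
    return {"pfd": total, "rrf": 1.0 / total, "sil_by_pfd": by_pfd,
            "sil_by_architecture": by_arch, "achieved_sil": min(by_pfd, by_arch)}

# Constructed HIPPS: 2oo3 PITs, TMR (2oo3) logic solver, 1oo2 shutdown valves,
# each valve in series with its solenoid (so their rates add).
HIPPS = [
    Subsystem("PIT 2oo3", per_year(LAMBDA_PER_HOUR["pressure_sensor"]), "2oo3", "A", 0.70),
    Subsystem("TMR logic solver", per_year(LAMBDA_PER_HOUR["logic_solver"]), "2oo3", "B", 0.95),
    Subsystem("ZV + solenoid 1oo2",
              per_year(LAMBDA_PER_HOUR["shutdown_valve"] + LAMBDA_PER_HOUR["solenoid"]),
              "1oo2", "A", 0.50),   # no partial stroke test: low SFF (constructed)
]

if __name__ == "__main__":
    print(verify_sif(HIPPS, t_years=1.0))
```

For the constructed HIPPS the summed PFDavg is about 3.0 x 10^-4, which by itself sits in the SIL 3 band, but the 1oo2 valves (Type A, SFF below 60 %, HFT 1) are capped at SIL 2 by the Route 1H table, so the achieved SIL is 2. That is the reason the architectural constraint check cannot be skipped in a SIL verification.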
SIL VERIFICATION EXAMPLE

OPAL SIL VERIFICATION – EXSILentia


(present other examples – live)
SYSTEMATIC CAPABILITY
• What Is Systematic Safety Integrity?
• Defined as the ‘probability of an E/E/PE safety-related system satisfactorily performing the specified safety functions under all the stated conditions within a stated period of time’.
• Systematic Capability (SC) has been added as a method to describe what level of systematic integrity the element/component has been designed to meet and help guide how systematic integrity should be applied.
• For Opal two routes to reach hardware SC:
• Route 1S. This route covers the requirement for elements and components designed in accordance with IEC 61508 and has been described above (SIL certificate available).
• Route 2S. This route covers components that are used based on proven-in-use IEC 61508-2, 7.4.10 (SIL certificate not available – generic component used).
Note: If a proven-in-use route is chosen instead of a purpose designed element/component, the systematic integrity is assumed based on previous experience; however, the product may be missing useful failure detection and control mechanisms that would provide protection against systematic failures introduced in the new application.
SAFETY REQUIREMENTS SPECIFICATION
(SRS)
• The SRS is typically prepared to elaborate the SIS requirements, covering all the SIFs.
• The SRS is prepared in accordance with the international functional safety standard IEC 61511 (Clause 10.3.2) and includes:
• SIS functional requirements necessary to terminate each specified hazard.
• SIL for each function, including the consequence categories involved if function fails
to operate on demand.
• Required risk reduction
• Mode of operation of the SIS function in accordance with IEC 61511
• Spurious failure consequences
• Description of other functions needed to ensure orderly shutdown or fast start-up.
• Sufficient detail to facilitate final validation before start-up

OPAL SRS (present sample SIFs)


SIF DESIGN PARAMETERS – OPAL SRS
• Proof Test Interval (PTI)
• SIFs shall be designed to meet their integrity targets with a minimum 12-month PTI
• Partial Stroke Testing (PST) – All topside and turret emergency shutdown valves (ESDVs) shall have PST capabilities. No PST capability for XVs.
• Proof Test Coverage
• A measure (percentage) of dangerous undetected random failures that are revealed by regular manual proof testing (IEC 61508-6, B3.2.5) – Given by a component SIL Certificate
• The test coverage factor reflects the effectiveness of testing and maintenance activities in detecting and preventing failures within the SIF. It quantifies the probability that a diagnostic test will detect a dangerous failure before it affects the SIF’s performance.
• SIF Response Time
• See Process Safety Time slide
• For actuated valves as final elements a margin of at least 20 % shall be allowed for degradation of valve stroke time with age.
• SIF Failure Modes
• Field Instruments (sensors) – On a diagnosed detected dangerous fault, the SIS shall be configured to trip the respective input channel (e.g., 1oo1 to trip)
• SIS (LS) – keep operating in degraded mode, or bring the process to the safe state if the fault is not rectified within the MTTR or there is insufficient redundancy to continue to operate safely.
• Final elements (e.g. shutdown valves, relays) – on energy loss (e.g. power, air supply) the FE shall move the process to the safe state.
• Mean Time to Repair (MTTR)
• Sensors: 72 hrs
• Logic Solver: 12 hrs
• Final Element: 72 hrs
• Mission Time
• Mission time for each element/component is typically 20 years
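Checks for the SIF response time budget against the Process Safety Time (with the 20 % valve stroke ageing margin from the SRS parameters above) and for the Safety Related Alarm rule set from the alarm slides (TTC urgency classes, the 15-minute intervention window, and the independence, priority and manning conditions), as an added Python example; it is not course material or an Opal document. The element response times and the time-to-event figures are constructed.

```python
"""SIF response-time budget against Process Safety Time and the Safety
Related Alarm (SRA) checks from the alarm rule sets.

Added example, not from the course or an Opal document. The element response
times and time-to-event figures used below are constructed.
"""

STROKE_AGEING_MARGIN = 0.20        # SRS: at least 20 % allowance on valve stroke time
SRA_MIN_INTERVENTION_MIN = 15.0    # alarm IPL rule: at least 15 minutes for intervention


def sif_response_time(sensor_s: float, logic_solver_s: float, valve_stroke_s: float) -> float:
    """From detection at the sensor to completion of the final element action,
    with the valve stroke time increased by the ageing margin."""
    return sensor_s + logic_solver_s + valve_stroke_s * (1.0 + STROKE_AGEING_MARGIN)


def sif_meets_pst(process_safety_time_s: float, sensor_s: float,
                  logic_solver_s: float, valve_stroke_s: float) -> dict:
    """Compare the SIF response time with the Process Safety Time
    (IEC 61511-1, 3.2.52.1); margin_s is the time left before the event."""
    response = sif_response_time(sensor_s, logic_solver_s, valve_stroke_s)
    return {"response_s": response,
            "margin_s": process_safety_time_s - response,
            "ok": response < process_safety_time_s}


def alarm_urgency(tte_min: float, ort_min: float) -> str:
    """Urgency class from Time To Consequence = TTE - ORT (alarm slide rule set)."""
    ttc = tte_min - ort_min
    if ttc < 0:
        return "Not achievable: operator response time exceeds time to event"
    if ttc < 3:
        return "Immediate"
    if ttc <= 10:
        return "Prompt"
    return "Soon"


def sra_creditable_as_ipl(tte_min: float, sif_activation_min: float, ort_min: float,
                          independent_of_cause: bool, independent_of_bpcs_ipl: bool,
                          high_priority: bool, continuously_manned: bool) -> bool:
    """Alarm IPL rule set: at least 15 minutes before the earlier of the event
    and SIF activation, a response faster than that window, and the
    independence, priority and manning conditions all satisfied."""
    window = min(tte_min, sif_activation_min)
    return (window >= SRA_MIN_INTERVENTION_MIN and ort_min < window
            and independent_of_cause and independent_of_bpcs_ipl
            and high_priority and continuously_manned)


if __name__ == "__main__":
    # Constructed: 2 s transmitter, 1 s logic solver, 40 s stroke, PST 60 s
    print(sif_meets_pst(60.0, 2.0, 1.0, 40.0))
    print(alarm_urgency(tte_min=12.0, ort_min=5.0))
    print(sra_creditable_as_ipl(30.0, 20.0, 10.0, True, True, True, True))
```

The second SRA check in the test below fails only because the SIF would activate 12 minutes after the alarm: the event itself is 30 minutes away, but the rule set counts the intervention window to whichever comes first.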
SIL VALIDATION
• As part of the Validation activity, the SIS shall be functionally verified and tested
Lifecycle FSA Stage#2 & 3
• Factory Acceptance Test (FAT)
• Each SIF operates under normal and identified abnormal operating modes such as
start-up and shutdown
• Instruments have been properly calibrated
• Trip set points are correct
• Start-up, automatic, manual, semi-automatic, steady state of operation function are
as per design
• Operation of SIF is not adversely affected by abnormal behavior of the BPCS, such as
loss of communications
• Communication with other systems functions correctly
• Trip reset functions operate correctly
• Maintenance overrides and manual operator overrides function as designed and alert
the operator correctly
• Manual trips function per design
• Reasonably foreseeable abnormal conditions (degraded / upset conditions), perform as
anticipated
• The HMIs, including alarms, displays and associated diagnostics work correctly
• Final elements operate correctly within the specified response time
• The logic solver functions as specified, including functional logic, computations and
signal conditioning
• Documentation and maintenance procedures are duly prepared
SIL VALIDATION (SITE)
TYPICAL CHECK LIST
(Extract)
SIS Functional Validation at Site:
• The SIS Site Functional validation
includes initial testing of SIF shutdown
logical functions / Override functions /
Reset functions / Etc. as indicated in the
SRS, FDS and the other design
documents.
• This has to be done at site with all the
components of the SIF, including the
Sensors / Logic Solvers / Final Elements
fully installed and duly integrated.
• The SIF Loop’s critical performance
related function, i.e. SIF Response time,
as indicated in the SRS shall be actually
tested at site for each SIF.
SIF/IPL TESTING & MODIFICATIONS
SIF TESTING – WHAT IS IN IEC 61511?
Lifecycle FSA Stage#4
SIF TESTING REQUIREMENTS

Proof Test Implementation
• An appropriate test strategy shall be defined and documented for each SIF SIL 1 and higher
• Duty of the elements and the appropriate level of test coverage required to reveal potentially dangerous failures.
• Requirements defined within manufacturer safety manuals and end user test standards.
• The test strategy shall also consider the practicality of tests, e.g., where certain elements cannot be easily or successfully tested in practice.

• Perfect proof test – 100 % coverage where EVERY SINGLE undetected failure would be revealed – Not practical
• Over time the impact of imperfect proof testing will result in a gradual increase of PFD which may eventually lead to not meeting the PFD requirement/reaching an unacceptable level.
• The effect of a Proof Test will ‘restore’ the device to as new condition and will reset the PFD to its original value (80 – 90 % coverage average)
• Segmental (component testing) proof tests at different intervals could be performed but the overall SIF PFD required shall not be breached – Show EXSILentia
• Partial Proof Testing (PPT) – Brings PFD back to a percentage of the original PFD (currently not in Opal SRS).
OTHER IPL TESTING (GOOD PRACTICES)
Do we need to test IPLs? (Credit taken in SIL Assessment by LOPA)
• An appropriate test strategy should also be defined and documented for all IPLs based on the PFD credited in SIL assessments
• Non-SIL rated SIFs (e.g., permissives or I/Ls) can be tested on a PTI of 5-10 yrs or on an opportunistic basis (TARs)
• Other IPLs' default frequency of testing can be established from the relation PFD (FDT) = (1/2) × λ × T
• Optimally, the PFD credited in the LOPA should be equated with this relation, using λ – failure rate (1/yr) and T – test period (yrs) (2 years test)
• Dissimilar NRVs part of PSV sizing should be either tested with a frequency matching PSVs or related to their PFD (if not related to PSV)
• BPCS permissives or I/Ls not involving Control valves – only Primary instrument PM inspection/testing
• No requirements for testing Static IPLs (e.g., vents, ROs) but to be covered under PM and inspections
• The test strategy shall also consider the practicality of tests
SIF MODS – WHAT IS IN IEC 61511?
Lifecycle FSA Stage#5
SIF MODS – REVALIDATION PRACTICES
Revalidation of a SIS is done during the Operation and Maintenance phase of the
Safety Lifecycle, usually when:

• Management of Change (MoC) to cover any changes affecting SIF lifecycle


• Additional SIFs may get added, or existing SIFs may get modified or deleted, during
the next cycle of a Process Hazard Analysis (usually every 5 years) or during a
system audit or assessment.
• Modification of an existing SIF based on Operational feedback, for example – too
many spurious trips, too many demands etc.
• Change of SIS logic Solver or other SIF components due to excessive Random and /
or Systematic failures
• Extent of Revalidation of SIS Logic Solver – based on IEC 61508, Part 3, Table A.8
(extract)
Thank You
Any Questions?

Vanguardasia.com.sg
sportwest.com.au
