Safety Instrumented System
A process tower flies through the air after an explosion at the TPC Group petrochemical plant (Credits: NPC)

Imagine excessive foaming in an absorber. The liquid level holds up near the top tray, the level control valve is tuned so slowly that it cannot catch the sharp drop that follows, and a low-level alarm comes in. The panel operator asks the field operator to verify the level locally, and the instruction is carried out. But the field operator is delayed for whatever reason, the level keeps falling to a dangerously low point, and gas breaks through from the absorber into the flash vessel. The design pressure of the flash vessel is only a fraction of the absorber operating pressure (a factor of roughly five in this example). The Pressure Safety Valve (PSV) on the flash vessel is now the only hope of preventing a catastrophic rupture. But wait...

Typical layout of an acid gas removal unit, for illustration (Credits:


Before the gas breakthrough occurs there is an additional barrier: the Emergency Shutdown System, also known as the Safety Instrumented System (SIS). The SIS implements one or more Safety Instrumented Functions (SIFs). In our case the relevant SIF is the absorber low-level cut-out interlock. A low-low level on the absorber should have tripped the logic I-111, which immediately closes the absorber liquid outlet XV towards the flash vessel and so prevents the gas breakthrough.

Caution: it is not mandatory to have an SIF as a layer of protection. The decision rests solely on the risk assessment, the type of consequence and the required risk reduction.

On investigation you find that the SIF was there but did not work. Here are the possible reasons:

  • Inadequate proof testing (proof test effectiveness)

Proof testing is one of the key tools for finding and correcting random (dangerous undetected) failures; an inadequate proof-testing regime, however, can be costly. A proof-testing programme should have the following elements:

  1. A proof-testing procedure that is actually followed.
  2. A proof-test frequency taken from the Safety Requirement Specification (SRS) of each Safety Instrumented Function (SIF) (here, the Low-Level Cut-Off (LLCO)).
  3. Proof-test coverage: how effective the test is, whether only the transmitters were checked up to the logic solver or the loop was tested end to end, and in how much detail (for example, whether the closing time of the final element was measured). Proof-test effectiveness must be assigned by a competent person, because it matters a great deal. An effectiveness of 1 (100%) would mean the SIF is returned to its as-new state, which never happens in practice; the effectiveness always remains below 100%.

The following graph shows an example of how PFD and PFDavg vary when the proof test is carried out once a year with 70% effectiveness: SIL 2 is maintained only for about 4 years, after which the SIF degrades to SIL 1.

Proof test effectiveness (Credits: GM International)

  • Unauthorized override

Any override of a Safety Instrumented Function (SIF) must be controlled, and it should only be allowed under a specific procedure and for a limited time. An override may be needed for start-up, shutdown or preventive maintenance. In every case the operator must know exactly which protection is missing and what to do if a scenario that would demand this SIF starts to develop. Plant operators should understand that defeating an SIF adds risk (it removes the risk reduction the SIF provides). Unintended or unauthorized overrides should be handled as incidents. A good safety system includes management of safety-critical overrides: who may apply one, under which permit, for how long, with what compensating measures, and a record of every override applied and removed.
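One way to turn the override management described above into a check is to audit the SIS bypass log against the permit register. The following is an added example, not code from the original article or from any vendor's SIS software; the log line format, the interlock and tag names (I-111, LT-101 and so on), the permit identifiers, the eight-hour limit and the audit time are all assumptions made for illustration.

```python
"""Audit of SIF override (bypass) records against an override permit register.

Added example, not from the original article or any vendor's SIS software.
The log line format, the interlock and tag names (I-111, LT-101 ...), the
permit identifiers and the 8-hour limit are assumptions made for
illustration; real SIS bypass logs and permit-to-work systems differ.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed bypass log: one line per ENABLE/DISABLE of an interlock override.
BYPASS_LOG = """\
2024-03-02T06:10:00 ENABLE  I-111 LT-101 user=jdoe permit=OVR-0417
2024-03-02T09:40:00 DISABLE I-111 LT-101 user=jdoe permit=OVR-0417
2024-03-03T22:05:00 ENABLE  I-111 LT-101 user=night2 permit=-
2024-03-04T08:15:00 DISABLE I-111 LT-101 user=dayshift permit=-
2024-03-05T07:00:00 ENABLE  I-120 PT-205 user=maint permit=OVR-0420
2024-03-05T19:30:00 DISABLE I-120 PT-205 user=maint permit=OVR-0420
2024-03-06T10:00:00 ENABLE  I-130 FT-301 user=maint permit=OVR-0421
"""

# Constructed permit register: which SIF each permit covers, until when the
# override is approved, the maximum duration and the compensating measure.
PERMITS = {
    "OVR-0417": {"sif": "I-111", "valid_until": "2024-03-02T12:00:00",
                 "max_hours": 8, "compensating": "manual level watch every 30 min"},
    "OVR-0420": {"sif": "I-120", "valid_until": "2024-03-05T15:00:00",
                 "max_hours": 8, "compensating": "PT-205 trend watch by panel operator"},
    "OVR-0421": {"sif": "I-130", "valid_until": "2024-03-06T18:00:00",
                 "max_hours": 8, "compensating": ""},
}


@dataclass
class Finding:
    sif: str
    started: str
    reason: str


def parse_log(text):
    """Parse 'timestamp ACTION SIF tag user=... permit=...' lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, action, sif, tag, user, permit = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "action": action,
            "sif": sif,
            "tag": tag,
            "user": user.split("=", 1)[1],
            "permit": permit.split("=", 1)[1],
        })
    return events


def check_override(start, end, permits):
    """Compare one override window [start, end] with the permit it quotes."""
    sif, started = start["sif"], start["time"].isoformat()
    permit = permits.get(start["permit"])
    if permit is None:
        # No permit at all: the article's "unintended override", an incident.
        return [Finding(sif, started, "no permit recorded: treat as an incident")]
    out = []
    if permit["sif"] != sif:
        out.append(Finding(sif, started, f"permit {start['permit']} covers {permit['sif']}, not {sif}"))
    if end > datetime.fromisoformat(permit["valid_until"]):
        out.append(Finding(sif, started, f"override ran past permit expiry {permit['valid_until']}"))
    if end - start["time"] > timedelta(hours=permit["max_hours"]):
        out.append(Finding(sif, started, f"override exceeded the {permit['max_hours']} h limit"))
    if not permit["compensating"]:
        out.append(Finding(sif, started, "no compensating measure while the SIF is defeated"))
    return out


def audit_overrides(text, permits, now_iso):
    """Pair ENABLE/DISABLE events per SIF and return every policy violation.

    `now_iso` is the audit time; overrides still active are checked up to it.
    """
    now = datetime.fromisoformat(now_iso)
    findings, active = [], {}
    for ev in parse_log(text):
        if ev["action"] == "ENABLE":
            active[ev["sif"]] = ev
            continue
        start = active.pop(ev["sif"], None)
        if start is None:
            findings.append(Finding(ev["sif"], ev["time"].isoformat(),
                                    "DISABLE without a matching ENABLE"))
            continue
        findings.extend(check_override(start, ev["time"], permits))
    for sif, start in active.items():
        findings.extend(check_override(start, now, permits))
        findings.append(Finding(sif, start["time"].isoformat(),
                                "override still active at audit time"))
    return findings


if __name__ == "__main__":
    for f in audit_overrides(BYPASS_LOG, PERMITS, "2024-03-06T12:00:00"):
        print(f"{f.sif} from {f.started}: {f.reason}")
```

On the constructed log the audit flags the night-shift override of I-111 applied without any permit, the I-120 override that ran past its permit and the eight-hour limit, and the I-130 override that is still active with no compensating measure recorded. Which of these are incidents and which are paperwork gaps is a judgement for the site, but none of them should pass unnoticed.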

  • MTTR longer than specified

Once a dangerous failure has been detected, the time it takes to return the SIF to its normal state depends on factors such as the availability of spares, resources and the condition of the plant; some Safety Instrumented Functions (SIFs) cannot be restored online. The Mean Time To Repair (MTTR) is a critical part of the Safety Requirement Specification (SRS), and exceeding the specified MTTR must be corrected. Note that this repair time is part of the formula used to calculate the Average Probability of Failure on Demand (PFDavg), so a longer real repair time means a higher PFDavg than the one claimed.

  • Random hardware failure (dangerous failure of an SIF subsystem)

Random hardware failures depend on the hardware in use. IEC 61508 (referenced by IEC 61511) distinguishes Type A elements (simple, with well-defined failure modes) from Type B elements (complex, for example microprocessor-based), and each device has its own failure rates. Manufacturers supply these rates from analyses such as Failure Modes, Effects and Diagnostic Analysis (FMEDA), or they may be derived from prior use. Either way, IEC 61511 requires the failure data to be credible, reliable and auditable. Using incorrect data gives a higher perceived risk reduction than the SIF actually delivers in real life.

  • Systematic fault

Systematic faults are those incurred by not complying with the safety lifecycle of IEC 61508. In other words, they cannot be predicted or calculated and can only be addressed through a systematic approach. The issue can be in the hardware, an incompatibility of the hardware with the process or operating environment, or a fault left in the application program. A senior instrument technician resigning and a junior one then carrying out the proof test exactly the opposite way from what is required is also a systematic fault.

More on SIL Rating:

Before you claim that your SIF has achieved a SIL rating, make sure the design of the safety function meets three specific criteria from IEC 61511 / IEC 61508.

1 - Systematic capability: a measure of how confident we are that a safety element meets its Safety Integrity Level (SIL) requirements. It deals with human errors in design, engineering and operation that cause persistent faults; systematic integrity is the defence against them. IEC 61511 offers two ways to demonstrate systematic safety integrity: using certified devices, or justifying prior use. Certified devices follow strict guidelines, with tables indicating compliance; they undergo third-party assessment, and their SIL certificates state the systematic capability level (SC 1 to SC 4).

2 - Architectural constraints: architectural constraints in the functional safety standards address the difficulty of obtaining accurate failure rate data for electronic devices. Inconsistent historical data and optimistic manufacturer failure rates have led to potentially unsafe designs.

To counter this, the standards require a minimum hardware fault tolerance (HFT) for each Safety Integrity Level. HFT is the number of dangerous faults an architecture can tolerate while still performing the safety function, and it is achieved by adding redundant elements.

IEC 61511 provides three routes for meeting architectural constraints:

  • IEC 61508 Route 1H: for devices without field history, HFT is determined from the device type (A or B) and the calculated Safe Failure Fraction (SFF).
  • IEC 61508 Route 2H: this approach, adopted by IEC 61511, determines HFT from the quality of historical field reliability data, which must be supported at a confidence level of at least 90%.
  • IEC 61511 clauses 11.4.5 to 11.4.9 (derived from IEC 61508 Route 2H): minimum HFT requirements based on the quality of field reliability data, with emphasis on expert judgement and specific tests. Either IEC 61508 Route 2H or the IEC 61511 route can be used, but the evidence supporting the chosen route must be thoroughly understood, documented and validated.

3 - Random hardware integrity (SIL): random hardware integrity is concerned with random hardware failures in safety systems. Achieving 100% reliability is impossible, so the likelihood of a safety function failing when a demand arrives must be quantified. Safety Instrumented Functions (SIFs) in low-demand mode use the Average Probability of Failure on Demand (PFDavg), while high-demand or continuous-mode SIFs use the Probability of dangerous Failure per Hour (PFH).


Table 4 of IEC 61511 shows how PFDavg corresponds to the risk reduction factor (RRF, the reciprocal of PFDavg) for low-demand SIFs: SIL 1 is 10^-2 ≤ PFDavg < 10^-1 (RRF 10 to 100), SIL 2 is 10^-3 to 10^-2 (RRF 100 to 1 000), SIL 3 is 10^-4 to 10^-3 (RRF 1 000 to 10 000) and SIL 4 is 10^-5 to 10^-4 (RRF 10 000 to 100 000). Table 5 gives the corresponding PFH bands for high-demand and continuous-mode SIFs.

To calculate the Average Probability of Failure on Demand (PFDavg) for a Safety Instrumented Function (SIF), assess each of its components (sensor, logic solver, final element) using failure analysis techniques such as FMEDA, and take into account the device failure rates, mission time, proof-test interval, proof-test coverage, repair time and voting architecture (redundancy) to obtain a realistic result.
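The following added example puts the calculation above into code and reproduces the proof-test-effectiveness degradation from the earlier graph (a yearly proof test at 70% effectiveness holding SIL 2 for about four years). It is not code from the original article or from any vendor tool: it uses the simplified IEC 61508-6 style equations (valid while the failure rate times the interval is much less than 1, with repair time added as a constant term) and the IEC 61511 Table 4 low-demand bands. The dangerous undetected failure rate, test interval, coverage, beta factor and MTTR are assumed values chosen to mirror the article's scenario, not data for any real device.

```python
"""PFDavg, SIL band and proof-test-coverage degradation of a low-demand SIF.

Added example, not from the original article or any vendor tool. It uses the
simplified IEC 61508-6 style equations (lambda * t << 1, repair time added as
a constant term) and the IEC 61511 Table 4 low-demand SIL bands. The failure
rate, test interval, coverage, beta factor and MTTR used below are assumed
values chosen to mirror the article's "SIL 2 for about four years" graph,
not data for any real device.
"""

HOURS_PER_YEAR = 8760.0

# IEC 61511 Table 4 (low-demand mode): SIL -> [lower, upper) PFDavg band.
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def sil_for_pfdavg(pfdavg):
    """SIL band for a PFDavg; 0 means no SIL credit can be claimed."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfdavg < hi:
            return sil
    # Below the SIL 4 band the table gives no finer grade; above SIL 1, no credit.
    return 4 if pfdavg < SIL_BANDS[4][0] else 0


def rrf(pfdavg):
    """Risk reduction factor, the reciprocal of PFDavg (Table 4's right column)."""
    return 1.0 / pfdavg


def pfdavg_1oo1(lam_du, t_proof, coverage=1.0, t_mission=None, mttr=0.0):
    """Single channel (1oo1) with an imperfect proof test.

    lam_du    dangerous undetected failure rate, per hour
    t_proof   proof test interval, hours
    coverage  fraction of dangerous undetected failures the proof test reveals
    t_mission time until the overhaul that reveals the rest, hours
    mttr      mean time to repair once a failure is known, hours

    The covered fraction averages lam_du * t_proof / 2 between tests; the
    uncovered fraction keeps accumulating until the mission end, so its
    average term grows with t_mission. MTTR adds the known-failed time.
    """
    if t_mission is None:
        t_mission = t_proof
    covered = coverage * lam_du * (t_proof / 2.0 + mttr)
    uncovered = (1.0 - coverage) * lam_du * (t_mission / 2.0 + mttr)
    return covered + uncovered


def pfdavg_1oo2(lam_du, t_proof, beta=0.0, mttr=0.0):
    """Two channels, 1-out-of-2 voting, full proof test coverage assumed.

    Independent double-failure term plus a beta-factor common-cause term,
    following the IEC 61508-6 simplified equation with no diagnostics.
    """
    t_ce = t_proof / 2.0 + mttr          # channel equivalent down time
    t_ge = t_proof / 3.0 + mttr          # group equivalent down time
    independent = 2.0 * ((1.0 - beta) * lam_du) ** 2 * t_ce * t_ge
    common_cause = beta * lam_du * t_ce
    return independent + common_cause


def sil_by_year(lam_du, t_proof, coverage, years, mttr=0.0):
    """Running PFDavg and SIL after 1..years of operation with imperfect tests."""
    rows = []
    for n in range(1, years + 1):
        p = pfdavg_1oo1(lam_du, t_proof, coverage, t_mission=n * t_proof, mttr=mttr)
        rows.append((n, p, sil_for_pfdavg(p)))
    return rows


def years_at_sil(lam_du, t_proof, coverage, target_sil, max_years=20, mttr=0.0):
    """Number of consecutive years from start-up during which target_sil holds."""
    held = 0
    for _, _, sil in sil_by_year(lam_du, t_proof, coverage, max_years, mttr):
        if sil < target_sil:
            break
        held += 1
    return held


if __name__ == "__main__":
    LAM_DU = 1.14e-6       # assumed: about one dangerous undetected failure per 100 years
    T_PROOF = HOURS_PER_YEAR
    for n, p, sil in sil_by_year(LAM_DU, T_PROOF, coverage=0.7, years=6, mttr=8.0):
        print(f"year {n}: PFDavg={p:.2e} RRF={rrf(p):6.0f} -> SIL {sil}")
    print("years at SIL 2:", years_at_sil(LAM_DU, T_PROOF, 0.7, 2))
    p2 = pfdavg_1oo2(LAM_DU, T_PROOF, beta=0.05, mttr=8.0)
    print(f"1oo2, beta 5%: PFDavg={p2:.2e} -> SIL {sil_for_pfdavg(p2)}")
```

With the assumed rate the 1oo1 loop sits comfortably in SIL 2 after the first year, but because 30% of dangerous failures survive every proof test, the running PFDavg climbs each year and crosses the 10^-2 boundary in year five: the same shape as the graph in the proof-testing section. Raising coverage to 100% holds SIL 2 indefinitely, and the 1oo2 function shows how redundancy buys a SIL band until the beta-factor common-cause term dominates. The MTTR parameter is the repair-time term discussed under the MTTR heading: with an 8 h repair it is negligible here, but a repair that drags on for weeks is not.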

