Following in the footsteps of the blogs published in 2021 and the lecture at the 2021 PS congress, on the subject of ‘practical aspects of the process safety lifecycle’, I would like to take this and the next blog as an opportunity to elaborate on one of these aspects. The aspect I want to explore further is the so-called ‘prior in use’. This topic will be presented by me on the process safety congress, May, 18th, Dordrecht, the Netherlands.
Before I go into more detail on this, I want to use this blog to summarize what was discussed in the 2021 blogs and at the 2021 PS conference in Dordrecht, to introduce the prior in use aspect.
The first blog of 2021 started with the ‘compelling why?’ and can be seen as the kick-off of the following blogs were the in and outs of the safety lifecycle were discussed. As previously mentioned, this Process Safety Lifecycle is comprehensively described in Industry Standard IEC 61511: Functional safety: Safety Instrumented Systems for the process industry sector. The lifecycle consists of several phases and is shown below:
It all starts with the definition phase. In this phase, the risk assessment will be executed to determine the required protection layers needed to arrive at a tolerated residual risk level for a certain scenario. This phase often uses expert judgment from the team members and is often based on assumptions and broadly accepted failure data (typically as defined in the Guidelines For Initiating Events And Independent Protection Layers In Layer Of Protection Analysis by CCPS). During the execution, mistakes can be made which can result in the incorrect specification of the design requirements for the SIF’s through the lack of PHA knowledge and skills; insufficient information, wrong scope, lack of focus and input during the risk study and incorrect allocation of the safeguards.
As mentioned above, errors made in defining the design requirements for the SIF during the initial phase, could result in either an insufficient or over specified implementation for the actual demand rates on the SIF. Additionally there are more issues which can lead to a wrong outcome of the SIL design and verification; lack of knowledge of IEC-61511, poor assumptions, lack of or incorrect data, wrong usage of proven in use or prior use and/or certified data. In the blog ‘The ins and outs of the Safety Lifecycle part 2’ a more in-depth explanation on the possible errors in the definition phase is described. When moving from the definition phase to the implementation phase, many things need to be taken into consideration; selection of parts of the safety loop, independency of the SIF, failure data, process safety time and testing.
When selecting parts of a SIF, several options for reliability data can be chosen: self-assessed prior use, proven in use or independently certified. In the case where certified components are used, it is clearly described what the failure data is and how it should be installed and used. The provided data is determined using FMEDA’s and/or historical information with verified input data which provides the user some additionally certainty when used for the SIF design. No additional historical data needs to be used to verify the SIF with respect to equipment failure rates as long as the process and environmental conditions are within stated limitations on the certificate. Proven in use provide manufacturers data which must be comparable to situation of the user. It is not officially named in IEC 61511 and can only be used together with the plant information to get Prior Use. Prior use needs evidence according IEC-61511 and is using historical failure data out of the field of the company.
According IEC-61511, the SIF needs to be independent from the equipment under control. This means when a failure of the Basic Process Control System (BPCS) occurs, an independent safeguard can still act and prevent a severe scenario.
The failure data provided by the manufacturer is not always the same. Within the certification of a SIF element different data can be shown: λDU, MTTF, B10(d), SFF, SC, etc. A thorough knowledge of the IEC61508 and 61511 is required to select and use the correct data and route for calculating the reliability of the SIF.
All used components in a SIF need a certain time to react, or just do their job. All reaction times added together need to be evaluated with the process safety time. The process safety time is the response time of the process, between the activation of the trip and the occurrence of the dangerous situation.
Regarding testing, both test interval and test-coverage, should be taken into account. The test interval is used to calculate the reliability of the SIF. When the user is not able to test it, a possible deviation from the reliability calculation can occur. The Test coverage is the value used in the SIL calculation which is a measure of the “thoroughness” of the testing of the SIF. That means at least the whole SIF (Sensor – Logic Solver and Final Element) needs to undergo a full loop test within the test interval time
Many issues, which are described above, can lead to incorrect configuration and installation of a SIF when not chosen and implemented correctly. Before taken the SIF into service, it is important to test the SIF’s completely during commissioning.
Operational and Maintenance
After the SIF is taken into service (see: the importance of the implementation phase), the failure rate of a SIF will differ (see fig below). Within the first period of service the failure rate is relatively high due to the so called early ‘infant mortality failures’. These failures are caused by the defects that are not exposed during manufacturing tests. However, electrical and thermal stress during in-field use will eventually degrade the defect to a significant failure in functionality.
During the lifetime of a SIF, wear-out failures can occur due to usage, degradation mechanisms (e.g. corrosion) and external influences. The degree of these failures can depend greatly on how the SIF is tested and maintained.
First aid in preventing errors
To prevent potential failures in the define, implementation and operations & maintenance phase, it is mandatory within the IEC-61511 2nd edition, to perform Functional Safety Assessments (FSA) during each phase. These assessments help the engineer to check if all assumptions and used data is correct and if sufficient safeguarding is in place to meet the standards and results in a tolerable residual risk.
Next to performing an FSA, it is recommended to analyse plant data to monitor the health of the installation and in particular the SIF’s. This plant data can consist of test-data, incident data, alarm and trip data and maintenance data. Together, this data can be used to check if all assumptions made, and data used in the design and implementation phase, is still valid and will contribute to a safe working environment without invisible risks. This required data can be seen and used as ‘prior in use data’
In the next blog I will explain more in depth regarding the use of ‘prior in use’ during the design and operational phase.
Let’s stay in touch! Visit us on the process safety congress, May, 18th, Dordrecht, the Netherlands