The ins and outs of the Safety Lifecycle part 2: the pitfalls of the Definition Phase of a SIF

This is the sequel to the first blog in our series on the Safety Lifecycle, which we wrote in preparation for my keynote at the PS congress on September 15th in the Netherlands. In this second blog I want to elaborate further on the first phase, i.e. the definition phase of the Safety Lifecycle.
The safety lifecycle consists of the following steps (see figure):

  • Risk assessment
  • SIL verification & design
  • Installation and commissioning
  • Operations & Maintenance
  • Modification
  • Decommissioning

The definition phase is the design phase within the Safety Lifecycle. On the one hand it determines the risks by carrying out HAZOP studies; on the other hand it allocates the safeguards through the LOPA study. The definition phase relies heavily on expert judgment from the team members and is often based on assumptions and broadly accepted failure data (typically as defined in the Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis by CCPS). During the execution of a HAZOP and/or LOPA study, the following mistakes can be a major cause of incorrect data input into the Safety Lifecycle:

  • Time: if insufficient time is taken to carry out a safety study, mistakes are quickly made in the assessment of the risks;
  • Insufficient information available: when insufficient information is available, more assumptions have to be made, which can result in an incorrect risk assessment;
  • Wrong scope: if the scope is too large, the time factor comes into play, which may lead to incorrect risk estimates being made;
  • Focus: if there is no focus on the subject during the study, it is easy to make wrong assumptions, with a possibly incorrect risk assessment as a result;
  • Input: the input to a risk study must be organised so that there is room for brainstorming and the discussions are sufficiently challenged. Only then are all possible scenarios covered and is there room for discussion. A challenge is to “read the room” and assess whether all participants are able to take part in the brainstorm;
  • Assumptions: when failure rates of equipment are based on generic data rather than on actual failure data, a wrong risk estimate can be made, resulting in the wrong allocation of safeguards;
  • Allocation of safeguards: if there is insufficient knowledge and understanding of how the safeguards that are present can and must be allocated, the risk assessment may be based on incorrect assumptions;
  • Recommendations: if an insufficiently protected risk is identified, one or more recommendations need to be described to make the risk acceptable. If these recommendations are described incompletely, the action to be performed may not be fully understood afterwards and may be resolved insufficiently, so that a certain residual risk remains;
  • Engineering: if too much engineering is done during the risk study, less time is left for a good discussion. This can lead to wrong assumptions and thus to a possibly incorrect risk assessment;
  • General knowledge of HAZOP and LOPA: when the team is not well versed in how to perform a risk study, many of the mistakes listed above can be made, resulting in insufficient data for use in the Process Safety Lifecycle.

The contribution of errors in the SIF design stage

The next step in the Safety Lifecycle is to verify the allocated Safety Instrumented Functions (SIFs). Based on the LOPA risk calculation, the required SIL of a SIF can be determined. When that calculation is based on incorrect values due to the issues mentioned above, the SIL verification will work from incorrect demand rates. Beyond this, there are further issues that can lead to a wrong outcome of the SIL verification:

  • Lack of knowledge of IEC 61511: when knowledge of the IEC 61511 standard is poor, many mistakes can occur during the verification of a SIF. One notorious example is that a SIL is a range, not an absolute value: if the LOPA requires, for example, a Risk Reduction Factor (RRF) of 79 and the SIL verification outcome of that specific SIF is an RRF of 12, the RRF criterion is not achieved, even though both are SIL 1!
  • Poor assumptions: the verification of a SIF needs to be done pipe-to-pipe, so all equipment, from sensor to final element, needs to be included in the SIL verification. When parts of the SIF loop are missed, incorrect results are obtained;
  • Lack of or incorrect data: a sound SIL verification requires a lot of data. Some parameters need to be calculated from other available data, and some data can only be used for a given architecture of the SIF. When knowledge is poor, a mistake is easily made when performing a SIL verification;
  • Usage of ‘prior use’: in many cases, parts of the SIF do not have a SIL certification and only generic failure data is available. If these values are used, the verification may be based on wrong data. If you want to use ‘prior use’ data, the prerequisites set by the IEC standard are mandatory, but they are not always followed.
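As an added worked example (not from the original post), the following Python check combines the two points above: it sums the PFDavg of a constructed pipe-to-pipe loop (sensor, logic solver, final element) using the simplified 1oo1 approximation PFDavg ≈ λDU·TI/2, and then compares the achieved RRF against the LOPA requirement rather than stopping at the SIL band. The SIL band boundaries are the usual low-demand-mode ranges and the failure rates are constructed values, not data for any real device.

```python
# Added example (not from the original post): checks a SIF against the LOPA
# requirement by pipe-to-pipe PFDavg sum and RRF, not by SIL band alone.
# Assumed low-demand SIL bands: SIL 1 = RRF 10..100, SIL 2 = 100..1000,
# SIL 3 = 1000..10000, SIL 4 = 10000..100000.
from dataclasses import dataclass

HOURS_PER_YEAR = 8760
SIL_BANDS = {1: (10, 100), 2: (100, 1_000), 3: (1_000, 10_000), 4: (10_000, 100_000)}

@dataclass(frozen=True)
class Subsystem:
    """One element of the loop: sensor, logic solver or final element."""
    name: str
    lambda_du_per_hour: float         # dangerous undetected failure rate, per hour
    proof_test_interval_years: float  # TI

    def pfd_avg(self) -> float:
        # Simplified 1oo1 approximation: PFDavg ~= lambda_DU * TI / 2
        return self.lambda_du_per_hour * self.proof_test_interval_years * HOURS_PER_YEAR / 2

def sil_from_rrf(rrf: float):
    """Map an RRF to its SIL band (lower bound inclusive); None if outside SIL 1..4."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= rrf < hi:
            return sil
    return None

def loop_pfd_avg(subsystems) -> float:
    """Pipe-to-pipe: the loop PFDavg is the sum over every element in the SIF."""
    return sum(s.pfd_avg() for s in subsystems)

def verify_sif(required_rrf: float, subsystems):
    """Return (achieved_rrf, required_sil, achieved_sil, rrf_met).
    rrf_met is the real pass/fail: equal SIL bands alone prove nothing."""
    achieved_rrf = 1.0 / loop_pfd_avg(subsystems)
    return (achieved_rrf, sil_from_rrf(required_rrf), sil_from_rrf(achieved_rrf),
            achieved_rrf >= required_rrf)

# Constructed sample loop (illustrative rates only, not data for any real device).
SAMPLE_LOOP = [
    Subsystem("pressure transmitter", 1.0e-6, 1.0),
    Subsystem("logic solver", 1.0e-7, 1.0),
    Subsystem("shutdown valve", 1.7e-5, 1.0),
]

if __name__ == "__main__":
    rrf, req_sil, ach_sil, ok = verify_sif(79, SAMPLE_LOOP)  # LOPA asked for RRF 79
    print(f"required SIL {req_sil}, achieved SIL {ach_sil}, RRF {rrf:.1f}, met: {ok}")
```

With the sample loop the achieved RRF is about 12.6, so both the requirement and the result sit in SIL 1 while the RRF criterion fails, which is exactly the trap described above.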

When a SIF is already in place or will be installed, the above-mentioned errors can lead to system failures because incorrect safety measures are in place. The pie chart below shows that 59% of all mistakes occur during the definition phase and can lead to system failures. The largest share (44%) occurs during the specification of the SIF.

Source: Health and Safety Executive, Out of Control – Why Control Systems Go Wrong and How to Prevent Failure, 2nd edition, 2003, page 31.

First aid in preventing design errors

To prevent these failures, the 2nd edition of IEC 61511 makes it mandatory to perform Functional Safety Assessments (FSA) during each stage of the design phase. These assessments help the engineer to check whether all assumptions and data used are correct and whether sufficient safeguarding is in place to meet the standard and leave a tolerable residual risk.
In the next blog we will look into the next phases of the Process Safety Lifecycle and discuss the possible mistakes within installation, operation, maintenance and change management.
In a sequence of blogs we will expand further on this subject.
We will be presenting the practical aspects of the Process Safety Lifecycle at the Process Safety congress in Dordrecht, the Netherlands, on the 15th of September, and would like to brainstorm with you about your experience with the implementation of the standard (if any).

Interested in how we handle a SIF? Check this page for more information. Interested in our process safety services in general? Please see our service page.