The importance of the Implementation Phase

This is a sequel to the blogs in a series on the Safety Lifecycle that Enrico Lammers and I wrote in preparation for my keynote at the PS congress on October 1st in the Netherlands. In this third blog I want to elaborate further on the second phase, i.e. the implementation phase, of the Safety Lifecycle. As I mentioned in the second blog, the safety lifecycle consists of the following steps (see figure):
  • Risk assessment
  • SIL verification & design
  • Installation & commissioning
  • Operations & Maintenance
  • Modification
  • Decommissioning

There are many things to take into consideration when starting with the implementation of a Safety Instrumented Function (SIF) in a process. These considerations are partly based on the definition phase of the Safety Lifecycle and partly on IEC 61508 and IEC 61511.

The Implementation phase

Notwithstanding the potential pitfalls described in the previous blog, let’s assume that the definition phase of the SIF has been done correctly. All the required information regarding the SIF is stored and described correctly in the Safety Requirement Specification (SRS). There are several parts described in the SRS, however, that need some extra attention.

1 – Selected parts

When selecting parts of a SIF, several options can be chosen: proven in use, prior use or certified.

Proven in use demands data provided by the manufacturer, and the user’s situation must be comparable to the one that data describes. This means that the service, configuration, application, firmware, etc. of the SIF on the user’s side are exactly the same as the manufacturer prescribes in its documentation. Proven in use is not officially named in IEC 61511. It can be used together with the plant information to establish prior use.

Prior use needs evidence according to IEC 61511 and uses historical failure data from the company’s own field experience. Therefore, it is required to collect the right data and take several points into account:

    • how long does the history data go back?
    • have parts already been replaced?
    • is the lifetime (bath-tub model) taken into account?

Prior use tells you more about failures in the past, but does not guarantee that the same types of failure will occur in the future.

In case certified components are used, it is clearly described what the failure data is and how the component should be installed and used. The provided data is verified and gives the user good and safe use during the lifetime of the SIF. No historical data needs to be used to verify the SIF with respect to failure rates.

2 – Independence

According to IEC 61511, the SIF needs to be independent from the equipment under control. This means that when a failure of the Basic Process Control System (BPCS) occurs, an independent safeguard can still act and prevent a severe scenario. In some cases, it is seen that the final element (e.g. a valve) is used both by the BPCS and by the SIF. For example, this valve is closed during operation (but not used for controlling the process) and is also used by the SIF to stop a possible severe scenario. In general, a SIF is used in low demand. When a final element is also used by the BPCS, the low demand of the valve turns into high (or continuous) demand. This means different failure rates and sometimes an invalid component if the SIF is only certified for low demand.

3 – Proof test

Regarding proof testing, two parameters are important to consider: test interval and test coverage.

Test interval: During the verification, a one-year test interval is often used to calculate the reliability of the SIF. Even if it is not always necessary according to the reliability calculation, this one-year interval is used. That means the user needs to test the SIF yearly (according to the SRS data). When the user is not able to test it, a deviation from the reliability calculation can occur. Therefore it can be useful to calculate the reliability of a SIF with several test intervals and select the one that best matches the maintenance/testing schedule of the plant. This saves time and money without leaving the SIF under-protected.

Test coverage is the value used in the SIL calculation which is a measure of the “thoroughness” of the testing of the SIF. That means at least the whole SIF (sensor, logic solver and final element) needs to undergo a full loop test within the test interval. Within this test all necessary tests provided by the manufacturer need to be executed and evaluated to detect the dangerous faults present. The more possible dangerous faults are detected, the higher the test coverage factor. All test points are described in the test plan, which needs to accompany the SRS. If the tests are not done as described, the SIF reliability can gradually reduce over time and can lead to under-protection of a unit.

4 – Failure Data

The failure data provided by the manufacturer is not always the same. Within the certification of a SIF element, different data can be shown: λDU, MTTF, B10(d), SFF, SC, etc. A thorough knowledge of IEC 61508 and IEC 61511 is required to select and use the correct data and route for calculating the reliability of the SIF.
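To make the points under 2 (demand mode), 3 (test interval and test coverage) and 4 (failure data) concrete, here is an added worked example in Python; it is not code from the blog or its authors. It uses the common simplified low-demand PFDavg approximation for a 1oo1 loop, the IEC 61508 SIL bands, and the ISO 13849 relation between a B10d figure and a dangerous failure rate. Every numeric input (the λDU value, the B10d value, the cycle counts, the 20-year mission time and 8-hour MTTR) is constructed for illustration, not vendor data.

```python
# Added example, not code from the original blog or its authors: the effect of
# proof-test interval and proof-test coverage on the PFDavg of a 1oo1 SIF, with
# the dangerous-undetected failure rate either given directly (lambda_DU) or
# derived from a mechanical B10d figure. The simplified formulas are the usual
# low-demand approximations (IEC 61508-6 style); all numeric inputs are
# constructed for illustration, not vendor data.

HOURS_PER_YEAR = 8760.0

# IEC 61508 low-demand SIL bands: (lower bound inclusive, upper bound exclusive, SIL)
SIL_BANDS = [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]


def sil_band(pfd_avg):
    """SIL achieved by a PFDavg value; 0 means it does not even reach SIL 1."""
    if pfd_avg < 1e-5:
        return 4  # below the SIL 4 band: report SIL 4 for banding purposes
    for lower, upper, sil in SIL_BANDS:
        if lower <= pfd_avg < upper:
            return sil
    return 0


def lambda_du_from_b10d(b10d_cycles, cycles_per_year, diagnostic_coverage=0.0):
    """Dangerous-undetected failure rate per hour from a B10d value.

    Assumption: the ISO 13849 relation lambda_D = 0.1 * n_op / B10d per year,
    with n_op the number of operations per year; the share not caught by
    diagnostics is (1 - DC). A valve that the BPCS also operates sees a far
    higher n_op than a valve that only trips, which is the demand-mode point
    made under "Independence".
    """
    lambda_d_per_hour = 0.1 * cycles_per_year / b10d_cycles / HOURS_PER_YEAR
    return lambda_d_per_hour * (1.0 - diagnostic_coverage)


def pfd_avg_1oo1(lambda_du, test_interval_years, proof_test_coverage=1.0,
                 mission_time_years=20.0, mttr_hours=8.0):
    """Simplified 1oo1 low-demand PFDavg.

    Faults the proof test can reveal accumulate over the test interval TI;
    faults it cannot reveal (the 1 - PTC share) accumulate until the end of
    the mission time, when the element is overhauled or replaced.
    """
    ti_hours = test_interval_years * HOURS_PER_YEAR
    mission_hours = mission_time_years * HOURS_PER_YEAR
    revealed = proof_test_coverage * lambda_du * (ti_hours / 2.0 + mttr_hours)
    hidden = (1.0 - proof_test_coverage) * lambda_du * mission_hours / 2.0
    return revealed + hidden


def longest_test_interval_for_sil(lambda_du, target_sil, proof_test_coverage=1.0,
                                  candidates_years=(0.25, 0.5, 1, 2, 3, 4, 5)):
    """Longest candidate interval (years) whose PFDavg still meets target_sil,
    so the proof-test schedule can follow the plant's turnaround plan.
    Returns None when no candidate meets the target."""
    longest = None
    for ti in candidates_years:
        if sil_band(pfd_avg_1oo1(lambda_du, ti, proof_test_coverage)) >= target_sil:
            longest = ti
    return longest


if __name__ == "__main__":
    lam = 2e-7  # constructed lambda_DU per hour for the whole 1oo1 loop
    for ptc in (1.0, 0.9):
        for ti in (0.5, 1, 2, 5):
            pfd = pfd_avg_1oo1(lam, ti, ptc)
            print(f"PTC={ptc:.0%} TI={ti:>4} y  PFDavg={pfd:.2e}  SIL {sil_band(pfd)}")
    print("longest TI for SIL 3, PTC 100%:", longest_test_interval_for_sil(lam, 3))
    print("longest TI for SIL 3, PTC  90%:", longest_test_interval_for_sil(lam, 3, 0.9))
    # Same valve B10d, trip-only use vs. shared BPCS/SIF use (constructed cycle counts)
    print("lambda_DU trip-only :", f"{lambda_du_from_b10d(2e6, 100):.2e}")
    print("lambda_DU shared    :", f"{lambda_du_from_b10d(2e6, 50000):.2e}")
```

With the constructed λDU of 2e-7/h, a yearly test with full coverage lands in SIL 3, a two-yearly test drops to SIL 2, and a yearly test with only 90% coverage also drops to SIL 2, because the 10% of dangerous faults the test never reveals accumulate over the whole 20-year mission; no candidate interval reaches SIL 3 in that case. The B10d comparison shows the same valve, with 500 times more cycles per year when it is shared with the BPCS, getting a 500 times higher dangerous failure rate, which is why the low-demand certification may no longer apply.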

5 – Process Safety time

All used components in a SIF need a certain time to react, or simply to do their job. All reaction times added together need to be evaluated against the process safety time. The process safety time is the response time of the process: the time between the activation of the trip and the occurrence of the dangerous situation. For example: the time between 97% level (high-high level trip setting) in a storage tank and overflow of the tank (100% level) is 5 minutes. In some cases, especially to prevent liquid hammering, the reaction time of a valve can be quite long (e.g. 30 seconds or more is possible). Therefore the setpoint of the SIF needs to be adjusted to match the process safety time. Sometimes the selected SIF will not be suitable if the reaction time and the process safety time do not fit. Then a redesign is needed for the SIF or sometimes for the process.

The next step in the safety lifecycle is to start using the system and rely on the installed SIF(s). As described in this and the previous blog, the reliability of the SIF depends on several assumptions, generally accepted industry data and, in some cases, historical data of the system. To ensure the chosen and installed SIF(s) will still guarantee the safety of people, the environment and equipment, real plant data is needed to evaluate the SIFs and check whether they are still suitable to protect against severe scenarios. In the next blog we will look into this next phase of the Process Safety Lifecycle, the Operations & Maintenance (O&M) phase.

We will be presenting the practical aspects of the Process Safety Lifecycle at the Process Safety congress in Dordrecht, the Netherlands on October 1st, and would like to brainstorm with you about your experience in the implementation of the standard (if any).

Marcel de Winter, Sr. Process Safety Consultant

Inspired and want to know more about the Process Safety Lifecycle? Please visit this page.

Want to subscribe to the blogs on process safety, process engineering and process optimisation? You can do so via this link.
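As an added worked example for section 5 above (not code from the blog or its authors), the following Python script checks the summed SIF response time against the process safety time of the tank example (trip at 97% level, overflow at 100%, PST of 5 minutes) and derives the lower trip setpoint that restores the margin, or flags that a redesign is needed. The individual sensor, logic-solver and valve times, the 96% "normal operating ceiling" below which the setpoint would cause spurious trips, and the rule of thumb that the SIF must complete within half the PST are all assumptions of this example, not figures from the blog.

```python
# Added example, not code from the original blog or its authors: checking the
# summed SIF response time against the process safety time (PST) of the tank
# example (trip at 97% level, overflow at 100%, PST = 5 minutes) and deriving
# the trip setpoint that restores the margin. Assumptions: the component
# response times, the normal operating ceiling and the rule of thumb that the
# SIF must finish within half the PST are this example's, not the blog's.

from dataclasses import dataclass


@dataclass
class SifResponse:
    """Reaction times of the three SIF subsystems, in seconds."""
    sensor_s: float         # transmitter detection/update delay
    logic_solver_s: float   # scan cycle plus output switching
    final_element_s: float  # valve stroke time (long when slowed against liquid hammer)

    def total_s(self) -> float:
        return self.sensor_s + self.logic_solver_s + self.final_element_s


def level_rate_pct_per_s(trip_level_pct, hazard_level_pct, pst_s):
    """Level rise rate implied by the quoted PST (3% in 300 s for the tank)."""
    return (hazard_level_pct - trip_level_pct) / pst_s


def process_safety_time_s(trip_level_pct, hazard_level_pct, rate_pct_per_s):
    """Time from reaching the trip setpoint until the dangerous level is reached."""
    return (hazard_level_pct - trip_level_pct) / rate_pct_per_s


def required_trip_level_pct(sif, hazard_level_pct, rate_pct_per_s, max_fraction=0.5):
    """Highest setpoint at which the SIF still finishes within max_fraction of the PST."""
    needed_pst_s = sif.total_s() / max_fraction
    return hazard_level_pct - needed_pst_s * rate_pct_per_s


def assess(sif, trip_level_pct, hazard_level_pct, rate_pct_per_s,
           operating_ceiling_pct, max_fraction=0.5):
    """Classify the SIF against the PST.

    Returns ("ok", trip_level) when the response fits,
    ("lower_setpoint", new_level) when a lower trip setpoint restores the margin
    while staying above the normal operating ceiling (so no spurious trips), or
    ("redesign", new_level) when no admissible setpoint exists and the SIF or the
    process itself must be changed.
    """
    pst_s = process_safety_time_s(trip_level_pct, hazard_level_pct, rate_pct_per_s)
    if sif.total_s() <= max_fraction * pst_s:
        return ("ok", trip_level_pct)
    new_level = required_trip_level_pct(sif, hazard_level_pct, rate_pct_per_s, max_fraction)
    if new_level > operating_ceiling_pct:
        return ("lower_setpoint", round(new_level, 2))
    return ("redesign", round(new_level, 2))


# Constructed scenario built on the blog's figures: 97% trip, 100% overflow, 5 min PST.
RATE = level_rate_pct_per_s(97.0, 100.0, 5 * 60)   # 0.01 %/s
FAST_VALVE = SifResponse(sensor_s=2.0, logic_solver_s=1.0, final_element_s=30.0)
SLOW_VALVE = SifResponse(sensor_s=2.0, logic_solver_s=1.0, final_element_s=180.0)
VERY_SLOW_VALVE = SifResponse(sensor_s=2.0, logic_solver_s=1.0, final_element_s=240.0)

if __name__ == "__main__":
    for name, sif in (("fast", FAST_VALVE), ("slow", SLOW_VALVE), ("very slow", VERY_SLOW_VALVE)):
        verdict, level = assess(sif, 97.0, 100.0, RATE, operating_ceiling_pct=96.0)
        print(f"{name:>9} valve: SIF total {sif.total_s():5.0f} s -> {verdict} (setpoint {level}%)")
```

With the 30-second valve the whole SIF responds in 33 s, well inside half of the 300 s PST, so the 97% setpoint stands. A 180-second valve pushes the total to 183 s, which only fits if the setpoint is lowered to 96.34%; a 240-second valve would need a setpoint below the assumed 96% operating ceiling, which is the "redesign the SIF or the process" case the blog describes.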