
How to reduce common SIF/SIS mistakes


A recently published study by Great Britain's HSE (Health and Safety Executive) broke the safety lifecycle into three major areas:

  • Hazards Assessment/SIF Specification
  • SIF Design and Verification
  • Operation and Maintenance

Not surprisingly, the study concluded that 44% of all SIS/SIF-related errors occurred during the hazards assessment/specification phase of the lifecycle.  The study goes further, stating that many of these errors occurred because the SIF/SIS designer did not correctly consider the interactions between one SIF and the rest of the process: the activation of one SIF, whether on a genuine demand or spuriously, caused unforeseen demands and hazards in other areas of the process.

During a recent panel discussion, one of the panelists challenged the audience with the question "Why are they called shut-down systems, shouldn't we really call them keep-running systems?"  His premise was that the engineering discipline as a whole had become enamored with, or "sold on", the "fail-safe" design.  Not only is this not required by the standard, but, as mentioned above, spurious activation of a SIF can itself cause hazards elsewhere that may not have been considered during the hazards assessment/SIF specification phase of the lifecycle.

If the user has a comparative process indication that is independent of the initiating event, it is possible to design the SIF to be "fault tolerant" without increasing hardware count or cost.  In the example figure (not reproduced here), SIF-003 uses a 2oo2 voted sensor arrangement, which, judged strictly on voting architecture, is a very reliable design in the sense that both sensors must agree before the SIF trips.  Note also that there is an independent high-pressure sensor with its own high-pressure alarm.  In this case the SIF designer could have used a 1oo1 voting architecture for SIF-003 and, using the comparative process indication, implemented a deviation alarm on any difference between the SIF sensor and the comparative BPCS sensor.  A deviation alarm exposes a drifted or failed SIF sensor while the process is still running, instead of leaving the fault latent until the next proof test.  That arrangement would be significantly safer and almost as reliable, at roughly one-third less cost to install and maintain.
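To make the 2oo2-versus-1oo1 trade-off concrete, the following is an added example (not the article's own figures or the vendor's tooling) that evaluates the three arrangements discussed above with the simplified low-demand equations used in IEC 61508-6 / ISA TR84 style hand calculations, and includes the deviation check that lets a single SIF transmitter be diagnosed against the independent BPCS transmitter. All failure rates, the proof-test interval, the repair time, the diagnostic coverage credited to the alarm and the scan data are constructed assumptions, and common-cause failure is ignored.

```python
"""Added example (not from the article): simplified PFDavg / spurious-trip
comparison of SIF sensor voting architectures, plus a deviation-alarm check
against an independent BPCS transmitter.

Assumptions (constructed, not taken from the article):
  - single-term low-demand equations in the style of IEC 61508-6 / ISA TR84,
    common cause ignored;
  - failure rates in failures per hour; TI and MTTR in hours.
"""

HOURS_PER_YEAR = 8760.0


def split_dangerous(lam_d, dc):
    """Diagnostic coverage DC turns a share of dangerous failures from
    undetected (found only at proof test) into detected (found by the alarm).
    Returns (lambda_DU, lambda_DD)."""
    return lam_d * (1.0 - dc), lam_d * dc


def pfd_1oo1(lam_du, ti, lam_dd=0.0, mttr=0.0):
    """1oo1: any dangerous failure of the single channel defeats the SIF.
    Undetected failures are latent on average TI/2; detected ones only for
    the repair time."""
    return lam_du * ti / 2.0 + lam_dd * mttr


def pfd_2oo2(lam_du, ti, lam_dd=0.0, mttr=0.0):
    """2oo2: both channels must vote to trip, so a dangerous failure of
    EITHER channel defeats the function: twice the 1oo1 exposure."""
    return 2.0 * pfd_1oo1(lam_du, ti, lam_dd, mttr)


def spurious_trip_rate_1oo1(lam_s):
    """A single safe (fail-to-trip-state) failure trips the process."""
    return lam_s


def spurious_trip_rate_2oo2(lam_s, mttr):
    """Both channels must fail safe within one repair window."""
    return 2.0 * lam_s * lam_s * mttr


def sil_band(pfd):
    """Low-demand SIL band for a PFDavg (IEC 61508 / 61511 table);
    0 means outside the SIL 1..4 bands."""
    if 1e-5 <= pfd < 1e-4:
        return 4
    if 1e-4 <= pfd < 1e-3:
        return 3
    if 1e-3 <= pfd < 1e-2:
        return 2
    if 1e-2 <= pfd < 1e-1:
        return 1
    return 0


def compare(lam_d=2e-6, lam_s=1e-6, ti=HOURS_PER_YEAR, mttr=8.0, dc_alarm=0.9):
    """Return {arrangement: (PFDavg, spurious trip rate per hour)} for the
    arrangements discussed in the text.  Default rates are constructed."""
    out = {}
    out["2oo2, no diagnostics"] = (pfd_2oo2(lam_d, ti),
                                   spurious_trip_rate_2oo2(lam_s, mttr))
    out["1oo1, no diagnostics"] = (pfd_1oo1(lam_d, ti),
                                   spurious_trip_rate_1oo1(lam_s))
    du, dd = split_dangerous(lam_d, dc_alarm)   # credit the deviation alarm
    out["1oo1 + deviation alarm"] = (pfd_1oo1(du, ti, dd, mttr),
                                     spurious_trip_rate_1oo1(lam_s))
    return out


def deviation_alarm(sif_readings, bpcs_readings, deadband, persist):
    """Flag a SIF transmitter that disagrees with the independent BPCS
    transmitter by more than `deadband` for `persist` consecutive scans
    (the persistence filter suppresses nuisance alarms from transient noise).
    Returns the scan index at which the alarm first latches, or None."""
    count = 0
    for i, (a, b) in enumerate(zip(sif_readings, bpcs_readings)):
        count = count + 1 if abs(a - b) > deadband else 0
        if count >= persist:
            return i
    return None


if __name__ == "__main__":
    for name, (pfd, rate) in compare().items():
        print(f"{name:24s} PFDavg={pfd:.2e} (SIL {sil_band(pfd)})  "
              f"spurious trips/yr={rate * HOURS_PER_YEAR:.2e}")
    # constructed scan data: the SIF transmitter drifts low from scan 4 onward
    sif = [10.0, 10.1, 9.9, 10.0, 8.0, 7.8, 7.9, 7.7]
    bpcs = [10.0, 10.0, 10.0, 10.1, 10.0, 10.0, 9.9, 10.0]
    print("deviation alarm latched at scan",
          deviation_alarm(sif, bpcs, deadband=0.5, persist=3))
```

With the constructed defaults, 2oo2 lands in SIL 1 (PFDavg 1.75e-2), plain 1oo1 in SIL 2 (8.76e-3), and 1oo1 with the deviation alarm credited as 90% diagnostic coverage in SIL 3 (8.9e-4), which is the "significantly safer" half of the claim. On spurious trips the single transmitter's safe-failure rate is the whole story for 1oo1, while 2oo2 needs two coincident safe failures, so its rate is orders of magnitude lower; whether that difference matters depends on what a spurious trip of this particular SIF does to the rest of the process, which is exactly the interaction the hazards assessment is supposed to capture.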


Below is a list of common initiating events that should be considered during the hazards assessment/SIF specification phase of the lifecycle.  Managing or reducing the probabilities of initiating events such as these means taking a proactive view of risk (hope for the best, but prepare for the worst).

Type of initiating event / examples:

External Events

  • High Wind
  • Seismic Event
  • Flooding
  • Lightning
  • Vehicle Impact
  • Fire or Explosion in an adjacent area

Equipment Failures

  • BPCS (basic process control system) component failure.
  • Utility failure.
  • Vessel/piping failure due to wear, fatigue, or corrosion.
  • Vessel/piping failure caused by a specification, design, or manufacturing defect.
  • Vessel/piping failure caused by over- or under-pressurization.
  • Vibration-induced failure (e.g. rotating equipment).
  • Failures caused by inadequate maintenance/repair.
  • Failures caused by temperature extremes.
  • Failures resulting from flow surge or hydraulic hammer.

Human Failures

  • Failure to properly execute a task, by omitting steps, or improperly sequencing steps of a task.
  • Failure to observe or respond appropriately to conditions or prompts by the system or process.


At this point it is necessary to differentiate initiating events from latent or root causes.  Root or latent causes create latent weaknesses in a system; when a challenge arises or a demand is made on the system, those weaknesses give rise to an initiating event.  For example:

  • "Inadequate operator training" is not an initiating event, but is a potential underlying cause of an initiating event of the 'human failure' type.
  • "Inadequate test and inspection" is not an initiating event, but is a potential underlying cause of an initiating event of the 'equipment failure' type.

One of the most common "silos" in industry today exists between the group responsible for process safety management and the group that manages instrumentation and controls.  For these two groups to pass information and work "hand-in-glove", they need to share responsibility for hazards assessment and SIF specification, which is best enabled by working from a common management platform.  APM's Asset Safety work process integrates hazards analysis with a TÜV-certified SIF design verification and periodic validation platform that covers the entire lifecycle.  Common mistakes in requirements specification can be reduced, functional safety improved and lifecycle costs optimized through a little common sense and a work platform that proactively manages the whole lifecycle.

Meridium's webcast on Asset Safety will take place January 17th at 11am (EST).
