How Reliable is Reliable Enough?

We are often asked to assess or specify safety trips as part of risk assessments or through the design processes we deliver for clients. Often there is an assumption that a safety trip will need to be “independent” of the normal control system but with no appreciation of how reliable they actually need to be.

As part of our design safety processes, IDEA have the tools to properly define safety trip reliability, as well as to provide clients with any further support they may require.

The reliability of safety trips needs to be established as part of the design process, and the best practice method defined by the HSE in the UK for this is Layers of Protection Analysis (LOPA). The Buncefield incident in 2005, and the investigation reports that followed it, helped solidify the place LOPA plays in process safety management, as well as setting some clear requirements for the rules of engagement and outputs of these studies. LOPA studies generally follow on from a Hazard and Operability Study (HAZOP), which will have defined the consequences and severity of an event, as well as all the safeguards protecting against it.

Typically we recommend taking a scenario to LOPA if it could result in a fatality and an instrumented system is relied on to stop the event escalating. LOPA then takes those events and focusses on the independence of each “layer” to determine how far the current design is from a “Broadly Acceptable” (that is, low) level of risk. This includes consideration of many factors, including operator responses, control system alarms and trips, mechanical design safeguards (for example relief valves or bursting discs in the case of over-pressure events) and other conditions such as occupancy factors and likelihood of ignition (in the case of fire or explosion events). A layer is only credited if it is independent of the initiating cause and of every other credited layer: a high-level trip acting through the same control loop whose failure started the event gives no risk reduction at all.

A LOPA can have several outcomes for a particular trip. It can tell you that:

– the trip does not need to be independent of the normal control system.

– or the trip needs to be independent but not SIL rated (see below).

– or that the trip needs enhanced reliability (more than one order of magnitude of risk reduction) and must be rated to a “SIL” (Safety Integrity Level). In low-demand mode, SIL 1 corresponds to a probability of failure on demand between 0.01 and 0.1, SIL 2 to between 0.001 and 0.01, SIL 3 to between 0.0001 and 0.001, and SIL 4 to between 0.00001 and 0.0001.

There is a common misconception that if an instrument or device is stated as being “SIL rated” the requirements stop there. In fact it is the whole loop, including the sensing element, logic solver and final element, that must be assessed and shown to be reliable enough to meet the SIL rating and the probability of failure on demand identified in LOPA. A “SIL 2 capable” transmitter certificate says only that the device is suitable for use in a SIL 2 loop; it does not make the loop SIL 2. The loop’s probability of failure on demand also depends on how often it is proof tested, so the test interval is part of the design, not an afterthought.
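The following is an added worked example, not part of the original post and not IDEA’s own tooling. It carries a LOPA gap calculation through to a required SIL and then checks a candidate trip loop against it. All numbers (initiating event frequency, layer PFDs, conditional modifiers, the tolerable frequency target, and the dangerous-undetected failure rates of the loop elements) are constructed for illustration; real studies take them from the site’s risk criteria and from manufacturer or field failure data. The loop PFD uses the simple low-demand approximation PFDavg ≈ λDU × T / 2 per element for a 1oo1 loop, which is adequate to show the point about the whole loop and the proof test interval.

```python
"""LOPA gap calculation and SIL loop check.

Added example with constructed numbers; the SIL bands are the IEC 61508
low-demand bands, everything else is an illustrative assumption.
"""
import math
from dataclasses import dataclass

# IEC 61508 low-demand SIL bands: (SIL, PFDavg lower bound, PFDavg upper bound)
SIL_BANDS = [
    (1, 1e-2, 1e-1),
    (2, 1e-3, 1e-2),
    (3, 1e-4, 1e-3),
    (4, 1e-5, 1e-4),
]

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float          # probability of failure on demand (dimensionless)
    independent: bool   # independent of the initiating cause and of other credited layers?


def mitigated_frequency(initiating_freq, layers, modifiers):
    """Frequency (per year) of the consequence after crediting independent layers
    and conditional modifiers such as ignition probability and occupancy.
    Non-independent layers are deliberately given no credit."""
    f = initiating_freq
    for layer in layers:
        if layer.independent:
            f *= layer.pfd
    for value in modifiers.values():
        f *= value
    return f


def required_rrf(mitigated_freq, target_freq):
    """Risk reduction factor the new trip must provide to reach the target
    (1.0 means the target is already met without it)."""
    return max(1.0, mitigated_freq / target_freq)


def sil_for_rrf(rrf):
    """Map a required RRF to a SIL. Returns None when at most one order of
    magnitude is needed, i.e. an independent but non-SIL trip suffices."""
    if rrf <= 10:
        return None
    pfd_required = 1.0 / rrf
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd_required < hi:
            return sil
    raise ValueError("risk reduction beyond SIL 4: redesign rather than rely on one trip")


def loop_pfd(elements, proof_test_interval_years):
    """PFDavg of a 1oo1 trip loop: sensor + logic solver + final element.
    elements maps element name -> dangerous undetected failure rate (per hour).
    Uses the approximation PFDavg ~= lambda_DU * T / 2, valid while lambda_DU * T << 1."""
    hours = proof_test_interval_years * HOURS_PER_YEAR
    return sum(lam_du * hours / 2.0 for lam_du in elements.values())


def loop_meets_target(elements, proof_test_interval_years, rrf_required):
    """True if the whole loop's PFDavg gives at least the required risk reduction."""
    return 1.0 / loop_pfd(elements, proof_test_interval_years) >= rrf_required


# Constructed scenario: tank overfill caused by failure of the BPCS level control loop.
INITIATING_FREQ = 0.1          # per year, assumed
LAYERS = [
    Layer("operator response to independent high-level alarm", pfd=0.1, independent=True),
    Layer("BPCS high-level trip on the failed control loop", pfd=0.1, independent=False),
]
MODIFIERS = {"ignition probability": 0.1, "occupancy": 0.5}
TARGET_FREQ = 1e-5             # per year for a single fatality, assumed criterion

# Constructed dangerous-undetected failure rates (per hour) for the candidate loop.
LOOP_ELEMENTS = {
    "level transmitter": 5e-7,
    "logic solver": 1e-8,
    "shutdown valve": 2e-6,
}


def main():
    f_mit = mitigated_frequency(INITIATING_FREQ, LAYERS, MODIFIERS)
    rrf = required_rrf(f_mit, TARGET_FREQ)
    sil = sil_for_rrf(rrf)
    print(f"mitigated frequency {f_mit:.2e}/yr, required RRF {rrf:.0f}, SIL {sil}")
    for years in (1.0, 3.0):
        pfd = loop_pfd(LOOP_ELEMENTS, years)
        ok = loop_meets_target(LOOP_ELEMENTS, years, rrf)
        print(f"proof test every {years:g} yr: loop PFDavg {pfd:.2e} (RRF {1/pfd:.0f}) -> {'meets' if ok else 'fails'}")


if __name__ == "__main__":
    main()
```

With these numbers the operator alarm is the only credited layer, the gap to target is a factor of 50, and the trip must be SIL 1. The same loop meets that with a one-year proof test but not with a three-year one, which is the practical consequence of the point above: the SIL belongs to the loop and its test regime, not to any one certified device in it.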

When a SIL rated trip is identified, the specification, design, commissioning and testing of the trip must follow the functional safety standards IEC 61508 and IEC 61511 (other sector standards exist outside the process industries). This requires a functional safety management framework to be followed, with competent personnel used throughout the safety lifecycle.

Specially qualified “Functional Safety” Engineers must be used to sign off documentation and designs.

IDEA have in house trained and experienced Functional Safety Engineers, capable of specifying, designing and maintaining SIL rated trips, as well as designing appropriate functional safety management systems for our clients.

#sil #lopa #designsafety

Owen.Llanwarne@idea-ltd.co.uk

idea.co.uk
