Most common errors in the SIS
The aim of this article is to review some of the most common errors found in a SIS (Safety Instrumented System), so that it can serve as a guide and a prompt for reflection for everyone involved in its design, implementation and maintenance.
Both IEC 61508 and IEC 61511 are built around the concept of the "SIS Safety Life Cycle", which is fundamental to applying these Standards. The Standards divide the life cycle into many phases; here they are grouped into three (Analysis, Design & Implementation, Operation & Maintenance), which mark the route a project must follow.
1-Errors in the Analysis Phase
-The HAZOP is poorly planned (unrealistic estimated duration, documentation unavailable or incomplete, etc.). The result is a poor HAZOP and a lot of wasted time.
-A relevant cause-consequence pair is missed during the HAZOP. The reason is often the participants' limited knowledge of the process. On the other hand, the fact that a given scenario has never occurred in the Plant does not mean that it cannot occur.
-Errors in assigning credits to non-SIS layers (the independent protection layers of a LOPA). When in doubt, be conservative.
-Non-independent layers are credited and/or inappropriate safeguards are considered (a local instrument that nobody checks, an alarm that leaves the operator too little time to react, a pressure relief system that is not guaranteed to cover the scenario studied, etc.)
-Excessive credit is assigned to human intervention. Take into account the specific situation of the project studied (staff experience, limited resources, etc.)
-The frequency of the initiating event and/or the consequences are poorly evaluated.
-Errors inherent in the misuse of the methodology applied (HAZOP, Risk Graph, LOPA, etc.)
-Little discipline in the HAZOP sessions (interruptions due to phone calls, urgent e-mails unrelated to the HAZOP, etc.)
-Errors in the SRS (Safety Requirements Specification), or an incomplete document.
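The credit errors listed above (non-independent layers, safeguards that do not cover the scenario, operator response without enough time, and the resulting under-estimation of the SIL required from the SIF) can be made visible with a small LOPA calculation. The following script is an added example, not part of the original article: the initiating event frequency, conditional modifier, IPL values, process safety time and target mitigated event frequency are constructed numbers, and the validity rules (independence, a real proof test, suitability for the scenario, operator response time shorter than the process safety time) are a deliberately simplified version of the criteria an IPL has to meet.

```python
"""LOPA credit check for one HAZOP scenario.

Added example with constructed numbers; the IPL validity rules are a simplified
stand-in for the full criteria (independence, effectiveness, auditability) and
the target mitigated event frequency (TMEF) is an assumed company value.
"""
from dataclasses import dataclass

# Low-demand SIL bands as PFDavg ranges (IEC 61508-1 / IEC 61511-1).
# Intervals are (lo, hi] so that a required PFD exactly on a boundary is
# mapped to the more demanding SIL (conservative choice).
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


@dataclass
class IPL:
    """An independent protection layer as it appears on the LOPA worksheet."""
    name: str
    pfd_claimed: float
    independent: bool = True           # shares nothing with the IE or other IPLs
    proof_tested: bool = True          # somebody actually checks it on a schedule
    scenario_rated: bool = True        # e.g. relief sized for this overpressure case
    response_time_min: float = 0.0     # alarm + operator layers only
    process_safety_time_min: float = float("inf")

    def credited_pfd(self):
        """PFD that may be claimed once the validity rules are applied.
        An invalid layer gets PFD = 1.0, i.e. no credit at all."""
        if not (self.independent and self.proof_tested and self.scenario_rated):
            return 1.0
        if self.response_time_min >= self.process_safety_time_min:
            return 1.0  # operator cannot act before the hazard is reached
        return self.pfd_claimed


def required_sif_pfd(ie_freq_per_yr, modifiers, ipls, tmef_per_yr, check_validity=True):
    """Required PFDavg of the SIF so that the mitigated frequency meets the TMEF.

    mitigated = f_IE * product(modifiers) * product(IPL PFDs)
    required SIF PFD = TMEF / mitigated
    """
    freq = ie_freq_per_yr
    for m in modifiers:
        freq *= m
    for ipl in ipls:
        freq *= ipl.credited_pfd() if check_validity else ipl.pfd_claimed
    return tmef_per_yr / freq


def sil_for_required_pfd(pfd_req):
    """SIL the SIF must achieve for a required PFDavg (0 if no SIF is needed)."""
    if pfd_req > 0.1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo < pfd_req <= hi:
            return sil
    raise ValueError("risk gap exceeds SIL 4: a single SIF is not an acceptable answer")


def compare_claimed_vs_credited(ie_freq_per_yr, modifiers, ipls, tmef_per_yr):
    """Return (SIL as written on the worksheet, SIL after the validity checks)."""
    claimed = required_sif_pfd(ie_freq_per_yr, modifiers, ipls, tmef_per_yr, False)
    credited = required_sif_pfd(ie_freq_per_yr, modifiers, ipls, tmef_per_yr, True)
    return sil_for_required_pfd(claimed), sil_for_required_pfd(credited)


# Constructed scenario: BPCS loop failure leading to high pressure.
SCENARIO_IE = 0.1              # initiating event frequency, 1/yr (constructed)
SCENARIO_MODIFIERS = [0.5]     # probability of personnel exposure (constructed)
SCENARIO_TMEF = 1e-6           # target mitigated event frequency, 1/yr (constructed)
SCENARIO_IPLS = [
    # Operator credited with 0.1, but 20 min response against 15 min of process
    # safety time: the alarm leaves no time to react and earns no credit.
    IPL("High-pressure alarm + operator", 0.1,
        response_time_min=20, process_safety_time_min=15),
    IPL("Relief valve sized for this case", 0.01),
]

if __name__ == "__main__":
    as_claimed, as_credited = compare_claimed_vs_credited(
        SCENARIO_IE, SCENARIO_MODIFIERS, SCENARIO_IPLS, SCENARIO_TMEF)
    print(f"SIL required as written: SIL {as_claimed}; after validity check: SIL {as_credited}")
```

With the constructed numbers the worksheet as written asks for a SIL 1 SIF; once the operator layer loses its credit the same scenario needs SIL 2. Marking the relief valve as not rated for the scenario removes that credit too, and the gap then exceeds what a single SIF should be asked to close, which is the point at which the design, not the SIF, has to change.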
2-Errors in the Design & Implementation Phase
-Poor selection of the technology and architecture of the SIFs.
-Errors in the Data Sheets of the instruments and valves.
-Use of SIF components without the required Systematic Capability (e.g. products that are neither certified nor justified as "proven in use"). Some still believe that using SIL-certified products is enough to satisfy the SIL requirement of the SIS layer. The SIL is a property of the whole SIF (PFDavg, architectural constraints and Systematic Capability of every element, plus the management of the SIS life cycle), not of the individual products.
-Errors in P&IDs, C&E matrices, drawings, etc. Too often we find discrepancies between documents.
-Errors in manufacturing, construction, software, calibration and/or installation.
-Little rigour in the SIS tests (FAT and SAT). This is one of the most serious mistakes. It should be borne in mind that if the tests are exhaustive and complete, many of the above errors are detected and can be resolved before start-up. It is especially important to test the software rigorously.
-Errors in the SIL Verification of the SIFs: failure rates that are too low (optimistic), unrealistic PTC ("Proof Test Coverage") values, errors in the use of the calculation tool due to poor knowledge of SIS concepts, errors in configuring complex architectures, a common-cause Beta factor that is very low or omitted altogether, Route 2H (which relies on field data with the confidence levels required by IEC 61508-2) applied to products certified only under Route 1H, etc. It is good practice to check whether the DU (dangerous undetected) failure rate used is within the ranges indicated by Exida (http://silsafedata.com/ ).
-Excessive credit to the partial valve stroke test (PVST). There are many ways to perform this test and the benefit obtained varies greatly depending on how it is done.
-Safety margin too small in the probability of failure, especially when the calculation parameters used are not realistic.
3-Errors in the Operation & Maintenance Phase
-Incomplete and/or unclear SIS procedures.
-Insufficient training of the personnel involved in the O&M of the SIS.
-The parameters defined in the previous phases and used in the SIL verification (proof test interval and coverage, repair time, etc.) are not met in practice.
-SIS maintenance is ineffective; proof tests are not performed correctly.
-There is no clear procedure for the use of bypasses.
-No regular audits and assessments of the SIS are carried out.
-SIS modifications are made without re-verification and/or re-validation.
-Focusing too much on random hardware failures and too little on systematic failures, which are the cause of most accidents.
-Using a "super tool" to calculate the SIL achieved while feeding it unrealistic or incorrect parameters and data.