Inhibit SIFs for fast developing hazards - What to do when your Process Safety Time is close to zero.
Neil Wakeling BA MA CEng FInstMC FIET (CFSE),
Group Technical Authority for Functional Safety and ICSS, SBM Offshore, Monaco
Abstract
In process plants, the majority of SIFs are reactive functions – to prevent a hazardous event, final elements are commanded to
move to a particular state when a measured variable exceeds a pre-determined set-point. For the preparation of the SRS, the
Process Safety Time is calculated, and the SIF is designed to be quick enough to prevent the hazard. However, particularly for
some high pressure hazards where the initiating event is human error, it may not be possible to design a reactive SIF to
perform its function quickly enough. Where the human error is a remote operation, the solution required may be an Inhibit
Instrumented Function to prevent the mistake. For local operations, such as the opening of a manual valve out of sequence,
other risk-reduction solutions must be considered, but many of the same issues apply.
Drawing from experience in oil and gas, notably from the riser depacking overpressure scenario, this paper explores the
specific challenges relating to the application of Functional Safety to fast developing hazards where Inhibit SIFs are required.
Aspects covered include:
• The challenges of estimating human error probability, and how better design or operating procedures can reduce this probability.
• The need for terms of reference for process safety time calculations.
• The specific challenges of how to develop the SRS for inhibit functions.
• How to proof test an inhibit function, where a failed test must not be allowed to provoke a hazardous situation.
1. Introduction
In order to produce the Safety Requirements Specification (SRS), a Process Safety Time
must be calculated. The SIS Response time included in the SRS should ideally be
approximately half of the Process Safety Time (ref [1]). It is essential to verify whether this
SIS Response time can be achieved by the Safety Instrumented Function (SIF) as designed.
In other words, can the SIF do its job quickly enough, with some margin, to ensure that the
hazard is prevented?
This paper draws upon lessons learnt addressing fast developing hazards across a number
of FPSO projects. For many of these hazards, the initiating event is human error, and a
traditional reactive SIF cannot be designed to be quick enough to prevent the hazard. The
paper addresses challenges posed during all Safety lifecycle phases, and what to do next if
the SIS response time cannot be achieved.
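The check described above, written out as an added example (not from the paper): the Process Safety Time is estimated from a simplified linear pressure rise between trip set-point and design limit, the SIS response time budget is taken as half of it, and the reactive SIF's summed component delays are compared against that budget. All numeric values are constructed, and the linear rise is an assumption used only for illustration.

```python
from dataclasses import dataclass

@dataclass
class SifTiming:
    """Delay contributions of a reactive SIF, in seconds (constructed values)."""
    sensor_s: float         # detection and transmitter response
    logic_solver_s: float   # logic solver scan and processing cycle
    final_element_s: float  # valve stroke / trip actuation time

    def response_time(self) -> float:
        # Total reactive SIF response time, detection to final element in safe state
        return self.sensor_s + self.logic_solver_s + self.final_element_s

def process_safety_time(trip_setpoint: float, design_limit: float,
                        rate_of_rise: float) -> float:
    """PST estimate, assuming a constant rate of rise (units per second).
    Simplified assumption for illustration; real PST calculations need agreed
    terms of reference (see the paper's abstract)."""
    if rate_of_rise <= 0 or design_limit <= trip_setpoint:
        raise ValueError("rate of rise must be positive and limit above set-point")
    return (design_limit - trip_setpoint) / rate_of_rise

def required_sis_response_time(pst_s: float) -> float:
    """Target SIS response time: approximately half the PST (ref [1])."""
    return 0.5 * pst_s

def assess_reactive_sif(pst_s: float, timing: SifTiming) -> dict:
    """Decide whether a reactive SIF can act in time, or whether an inhibit
    function / other risk reduction must be considered instead."""
    budget = required_sis_response_time(pst_s)
    achieved = timing.response_time()
    adequate = achieved <= budget
    return {
        "pst_s": pst_s,
        "sis_budget_s": budget,
        "achieved_s": achieved,
        "margin_s": budget - achieved,
        "adequate": adequate,
        "recommendation": ("reactive SIF acceptable" if adequate else
                           "reactive SIF too slow: consider an inhibit function "
                           "or other risk reduction"),
    }

if __name__ == "__main__":
    sif = SifTiming(sensor_s=2.0, logic_solver_s=0.5, final_element_s=10.0)
    # Slow-developing case: 100 bar headroom at 1 bar/s gives PST = 100 s
    print(assess_reactive_sif(process_safety_time(50.0, 150.0, 1.0), sif))
    # Fast-developing case (depacking-like): same headroom at 20 bar/s gives PST = 5 s
    print(assess_reactive_sif(process_safety_time(50.0, 150.0, 20.0), sif))
```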
1.1 What is an FPSO?
A Floating Production Storage and Offloading vessel is usually a ship either purpose built or
converted from an oil tanker. FPSOs are typically around 300m long, and are moored in
offshore locations where they perform the same functions as offshore production platforms.
These include the separation and treatment of produced hydrocarbons and the injection of
treated seawater and gas into the reservoir. Unlike fixed platforms which generally pump
produced oil into a pipeline or to a remote loading terminal, the FPSO can store crude oil on
board, periodically offloading it directly to a shuttle tanker.