ABB Limited
Please reply to:
Pavilion 9, Byland Way
Belasis Hall Business Park
Billingham TS23 4EB
United Kingdom
Tel: +44(0)1642 372000
Fax: +44(0)1642 372111
E-mail: info@gb.abb.com
Website: www.abb.com
Registered Office:
Daresbury Park
Daresbury, Warrington
Cheshire WA4 4BT
United Kingdom
Registration no: 3780764 England
VAT Reg No: 668 1364 13
The functional safety implications of many of the examples above are clear with instances of: people
performing safety critical tasks without understanding the significance of these tasks and the hazards
they are protecting against; protective systems not designed with an adequate understanding of the
scale of consequences they need to protect against; and management systems not identifying and
rectifying shortcomings.
There are also economic implications from silo thinking such as: people recreating information that
exists in another silo; protective systems that are over specified and expensive to maintain; and
management systems that don’t identify the true risks and therefore fail to focus scarce resources on
the areas of greatest concern.
This last point can be seen following the analysis of another re-validation exercise performed on a
European refinery.
                     Number prior to     Number post re-validation
                     re-validation       Downgraded 1 SIL    Upgraded 1 SIL
SIL 1 SIFs           402                 83                  4
SIL 2 SIFs           161                 9

                     Prior to re-validation    Post re-validation
Number of annual
proof tests          1795                      367
This analysis shows that 20% of SIL 1 loops had been over-engineered and could have been
implemented outside of the SIS. It also shows that there was a small number of SIFs which were
specified with insufficient risk reduction for the MAH they are protecting against.
There are capital expenditure implications to the above over-engineering of the SIFs, which
unfortunately can no longer be removed; however, this exercise has highlighted that there are often
significant maintenance activities being carried out without fully understanding the
rationale for the SIF – ‘is it safety critical or not?’ – a consistent finding from within the PSM
shortcomings.
The analysis of the PSM shortcomings also identified a similar weakness in defining which alarms are
safety critical. PHA and SIL determination activities may identify an alarm as a layer of protection.
Alarms identified during such activities are then collated along with those from other activities such as P&ID
reviews, development of operating narratives etc. If the importance of these safety critical alarms is
not highlighted during the transfer to the design phase, then these critical alarms are likely to be
implemented in the same way as the other alarms, and the importance of the alarm is then lost.
IEC61511-2 8.2.1 requires that where a risk reduction of ≤10 is claimed for an alarm, the claim should be
supported by:
· a documented description of the necessary response for the alarm
· confirmation that there is sufficient time for the operator to take the corrective
· assurance that the operator will be trained to take the preventive actions