Recently a customer asked Kenexis to conduct SIL verification analysis on several safety functions implemented in a safety-configured, general-purpose controller. This was associated with a new capital project at the customer's facility. A modest SIL 1 was required on each Safety Instrumented Function (SIF). The client had previously determined the target SIL, so our work only involved evaluating the capability of the SIS design and testing program to achieve that target. A significant amount of effort was focused on ensuring that the safety configuration of the SIS logic solver was sufficient to meet SIL 1. It was only very late in our work process that we were made aware of the possibility that the SIS logic solver was also being used for basic process control. This was an immediate concern because of the requirements in ANSI/ISA 84.00.01-2004 to separate the BPCS from the SIS.

We requested the risk analysis to examine the causes of demands on the SIFs. The risk analysis was a PHA/LOPA study that had not been updated recently. Most of the demands identified in the PHA/LOPA were related to operator errors, since in this process there was very little closed-loop basic process control. In these circumstances there is no need for separation of BPCS and SIS controllers. From a hazard and risk analysis standpoint, separation is only necessary when a single failure could simultaneously inhibit the SIF and place a demand on it. Where the demands are not related to BPCS controller malfunctions, this criterion is not satisfied, so BPCS/SIS separation can be considered optional.

 

While the PHA/LOPA is insightful, it is prudent to be cautious about assuming that the PHA has completely identified all hazards. In this case, the study was out of date. As the capital project progressed after the PHA, changes to the control scheme had been made so that closed-loop control had been implemented in the controller. This gave rise to the possibility that a single controller malfunction could both inhibit a SIF and create a demand on it. This eventually led us to remove several SIFs from the controller and implement them in a separate hardwired safety-relay system.

 

The lesson here is to ensure that PHA and LOPA/SIL studies are updated at milestones during a capital project. Changes to process design are the key drivers for updating a PHA; however, changes to the control scheme can also give rise to new hazards or change the findings of the LOPA/SIL study. Some of the impacts could include: an increase (or decrease) in target SIL, a change to the validity of independent protection layers (IPLs), and a change in the requirements for separation of BPCS and SIS logic solvers. It is important to carefully examine these potential changes, since they affect the SIS design and testing program.
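The separation criterion and the revalidation point above can be expressed as a small, repeatable check. The following Python is an added example written for this post, not Kenexis's own tool or method: it records each SIF with the logic solver that hosts it and the demand causes the PHA/LOPA credited, flags any SIF whose demand cause is a BPCS loop running in the same controller (the single-failure case that requires separation), and compares the control loops assumed by the PHA snapshot with the as-built scheme so that loops added after the PHA surface as new demand causes. All tags, controller names, loop names and the data layout (a `type` of `operator_error` or `bpcs_loop`, with `controller` and `demands_on` fields) are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Sif:
    """One Safety Instrumented Function, its host logic solver and the
    demand causes credited in the PHA/LOPA (a tuple of dicts)."""
    tag: str
    logic_solver: str
    demand_causes: tuple


def shared_controller_causes(sif):
    """Demand causes that are BPCS loops hosted in the SIF's own logic solver.
    A non-empty list means one controller malfunction could both place a
    demand on the SIF and inhibit it, so BPCS/SIS separation is required."""
    return [c for c in sif.demand_causes
            if c["type"] == "bpcs_loop" and c.get("controller") == sif.logic_solver]


def needs_separation(sif):
    return bool(shared_controller_causes(sif))


def separation_report(sifs):
    """Map each SIF tag to whether the separation criterion is triggered."""
    return {s.tag: needs_separation(s) for s in sifs}


def new_closed_loops(pha_loops, asbuilt_loops):
    """Closed-loop controls present as-built but absent from the PHA/LOPA
    snapshot; each is a candidate new demand cause and a revalidation trigger."""
    return sorted(set(asbuilt_loops) - set(pha_loops))


def revalidate(sifs, pha_loops, asbuilt_loops):
    """Return a new SIF list in which every loop missing from the PHA snapshot
    is added as a BPCS demand cause on the SIFs the as-built record says it
    can place a demand on. The original list is left unchanged."""
    added = {loop: asbuilt_loops[loop]
             for loop in new_closed_loops(pha_loops, asbuilt_loops)}
    updated = []
    for s in sifs:
        extra = tuple({"type": "bpcs_loop", "loop": loop,
                       "controller": info["controller"]}
                      for loop, info in added.items()
                      if s.tag in info["demands_on"])
        updated.append(Sif(s.tag, s.logic_solver, s.demand_causes + extra))
    return updated


# Constructed sample data (hypothetical tags and controllers).
# PHA snapshot: both SIFs live in PLC-1; the only BPCS loop credited as a
# demand cause (TIC-201) runs in a separate DCS, so no separation is needed.
PHA_SIFS = (
    Sif("SIF-101", "PLC-1",
        ({"type": "operator_error", "description": "wrong valve lined up"},)),
    Sif("SIF-102", "PLC-1",
        ({"type": "operator_error", "description": "setpoint entry error"},
         {"type": "bpcs_loop", "loop": "TIC-201", "controller": "DCS-A"})),
)
PHA_LOOPS = {
    "TIC-201": {"controller": "DCS-A", "demands_on": ["SIF-102"]},
}
# As-built: the project added closed-loop flow control FIC-101 inside PLC-1,
# the same controller that hosts SIF-101.
ASBUILT_LOOPS = {
    "TIC-201": {"controller": "DCS-A", "demands_on": ["SIF-102"]},
    "FIC-101": {"controller": "PLC-1", "demands_on": ["SIF-101"]},
}


if __name__ == "__main__":
    print("Per PHA snapshot:", separation_report(PHA_SIFS))
    print("Loops added since PHA:", new_closed_loops(PHA_LOOPS, ASBUILT_LOOPS))
    print("After revalidation:",
          separation_report(revalidate(PHA_SIFS, PHA_LOOPS, ASBUILT_LOOPS)))
```

Run against the PHA snapshot alone, the report clears both SIFs; only after the as-built loops are folded in does SIF-101 get flagged, which is exactly the situation the post describes. The `demands_on` mapping is an engineering judgement (which SIF a loop malfunction can place a demand on), so in practice that field comes from the revalidated LOPA rather than from a drawing diff.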

 

Please contact Kenexis if you have questions about how and when to analyze process hazards, conduct LOPA for the purpose of SIS design basis development, and revalidate those analyses.