Instrumentation and control engineers have been taught, no, conditioned through repetition, to design separate taps for each instrument that is associated with a safety instrumented function. The core idea is to minimize the probability of a common cause failure that would cause multiple, otherwise independent portions of a safety instrumented function to fail at the same time from a single stressor. It makes sense. So much so that most engineers, myself included, haven’t given it a second thought. But is it really safer?

Today (10 Nov 2013) I am attending the ADIPEC conference in Abu Dhabi and have just come from a session related to managing risks in sour gas operations where I presented a paper on use of scenario coverage mapping in the design of H2S detection systems in sulfur recovery units. Another speaker in the session was Alfred Kruijer, a Principal Technology Engineer with Shell. His paper, entitled, “Leak Path Reduction in High-Sour Plant Design”, caused me to rethink the idea of separate taps.

Summarizing Alfred’s recommendations, which are given from the point of view of a mechanical engineer who is trying to prevent leaks: plants are safer when there are fewer “joints” in the pressure-containing equipment. He presented statistics he had gathered indicating that >93% of leaks were not the result of erosion, corrosion, or any other mechanism that degrades the pressure-containing material, but of the failure of joints in pressure-containing equipment. To reduce leak frequency, the number of joints needs to be reduced. How do you reduce the number of joints? Well, one way is to reduce the number of instrument taps you have by combining them… advice that is diametrically opposed to what we instrumentation and control engineers have been conditioned to believe.

So who’s right? That’s a good question that needs some further exploration. While I don’t have the answer at the moment, I do know the approach to use to solve the problem. You simply calculate the expected value of loss for both cases and apply the design with the lower expected value of loss. The expected value of loss is the consequence, put in numerical terms, multiplied by the frequency. So, you need to calculate the consequence and frequency of a leak at the instrument tap and compare that against the consequence and frequency of an incident that would occur as the result of a common cause tap plugging failure. As I said, I don’t have the numbers prepared, but my gut tells me that the leak rate of a separate tap is going to be higher than the common cause failure rate (let alone the rate of the resulting accident) of plugged taps in most relatively clean services, which would make our common design practice completely wrong.
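The comparison described above, worked through as an added example (not from the original post, and not Alfred’s or anyone else’s data): each design is scored as the sum of frequency × consequence over its two loss scenarios (a tap leak, and an accident from plugged taps defeating the SIF), and a break-even per-tap leak frequency is derived for the point at which extra joints cost more than the common cause risk they remove. Every number is constructed purely for illustration.

```python
from dataclasses import dataclass


@dataclass
class TapDesign:
    """One candidate tap arrangement for a safety instrumented function (SIF)."""
    name: str
    taps: int                     # process penetrations, i.e. joints that can leak
    leak_freq_per_tap: float      # leaks per tap-year
    leak_consequence: float       # loss per leak event (money units)
    plug_accident_freq: float     # accidents/year where plugged tap(s) leave the SIF unable to act
    accident_consequence: float   # loss per such accident (money units)

    def expected_loss(self) -> float:
        """Expected value of loss per year: sum of frequency x consequence over scenarios."""
        leak_loss = self.taps * self.leak_freq_per_tap * self.leak_consequence
        plug_loss = self.plug_accident_freq * self.accident_consequence
        return leak_loss + plug_loss


def breakeven_leak_freq(extra_taps: int, ccf_accident_freq: float,
                        accident_consequence: float, leak_consequence: float) -> float:
    """Per-tap leak frequency at which the added leak loss from 'extra_taps' joints
    equals the common-cause accident loss those separate taps avoid.
    Above this value the shared-tap design has the lower expected loss."""
    return ccf_accident_freq * accident_consequence / (extra_taps * leak_consequence)


def preferred(a: TapDesign, b: TapDesign) -> str:
    """Name of the design with the lower expected value of loss."""
    return a.name if a.expected_loss() <= b.expected_loss() else b.name


# Constructed, hypothetical figures; replace with plant-specific leak and plugging data.
shared = TapDesign("shared tap", taps=1, leak_freq_per_tap=0.01, leak_consequence=1e5,
                   plug_accident_freq=1e-4, accident_consequence=1e8)   # common-cause plugging
separate = TapDesign("separate taps", taps=3, leak_freq_per_tap=0.01, leak_consequence=1e5,
                     plug_accident_freq=1e-6, accident_consequence=1e8)  # independent plugging

if __name__ == "__main__":
    for d in (shared, separate):
        print(f"{d.name:14s} expected loss/year = {d.expected_loss():,.0f}")
    print("preferred:", preferred(shared, separate))
    print("break-even leak freq per tap-year:",
          breakeven_leak_freq(2, shared.plug_accident_freq, 1e8, 1e5))
```

With these made-up inputs the separate-tap design wins, but raising the per-tap leak frequency above the break-even value flips the answer, which is exactly the sensitivity the post says needs real numbers.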

I promise to do some more digging into this issue with numbers. Stay tuned…