Recently a question was posted on the ISA regarding what metrics are available for determining if your SIS bypass activity is acceptable. This is an interesting question in that it furthers some of the “operational” phase work of the SIS safety lifecycle that is not currently being done by a lot of operating companies. The answer to this question lies in the original design basis. As with most operational phase activities, the amount of bypassing that is acceptable is a function of what was assumed in the original design. Before digging into my reply I have to emphasize that bypasses should never be taken lightly, and should always be done in strict accordance with a good bypass management program.
More information on good bypass management programs is available on the Kenexis web site in the resources section. Specifically, we have document templates for allowing/disallowing bypasses, performing a bypass risk assessment if the bypass involves significant risk, and establishing an “alternate protection plan” for the systems and people that will perform the function of the bypassed SIS component when it is out of service.
The document templates are available at: http://184.108.40.206/~kenexisc/resources/ in the document tools section (items SS06, 07, and 08).
In addition, Kenexis provides a full day training class on proper implementation of bypasses. More information is available on our website at: http://220.127.116.11/~kenexisc/training/
Once you’ve established a good bypass management program, incorporating metrics to ensure that bypasses are being used properly is critical. These performance metrics can also identify weaknesses in the equipment that you have purchased and problems in your maintenance program much faster than reviewing test records after the fact. A “dashboard” item for a manager that shows the SIS bypass activity and compares it against expectations can be a valuable tool to predict problems before they occur.
As I mentioned earlier, performance metrics that are employed during the operational phase can and should be based on the assumptions that were made about equipment and operations during the design phase of the SIS lifecycle. Specifically, during the design phase assumptions were made about the failure rate of SIS equipment and the mean time to repair of that equipment. Those figures can be used to generate an expectation of how frequently items are in bypass.
Consider a typical process plant that includes 100 SIS instruments. Further assume that a good bypass management program is in place and that bypasses are only performed to repair failed or failing instruments. Further assume that a failure rate of 1/20 per year and a mean time to repair of 72 hours were used in the SIL verification calculations. Based on these figures, 5 instrument failures should occur each year (i.e., 100 * 1/20), resulting in a total bypass duration of 360 hours (5 * 72). If instruments are bypassed for a longer duration than this, one of three things is occurring:
1) Instrument failure rate is higher than assumed.
2) Instrument mean time to repair is higher than assumed.
3) Illegitimate bypasses are occurring.
If any of these conditions exist in a plant, it is incumbent upon management to resolve the issues. Having a metric to review and follow up on will go a long way in helping management address discrepancies between design and actual operation in an expeditious manner, making the plant safer.
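The comparison described above, worked through as an added Python example (not from the original post or from Kenexis): it derives the expected bypass hours from the design-basis figures and checks a bypass log against the three explanations. The log layout, the use of a work-order reference to mark a repair bypass, and the instrument tags and work-order numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Bypass:
    tag: str
    start: datetime
    end: datetime
    work_order: Optional[str]  # assumption: a repair bypass carries a work order

    @property
    def hours(self) -> float:
        return (self.end - self.start).total_seconds() / 3600

def bypass_metrics(log, instruments, failure_rate, mttr_hours, years=1.0):
    """Compare logged bypass activity with the SIL verification assumptions."""
    expected_failures = instruments * failure_rate * years
    expected_hours = expected_failures * mttr_hours
    repairs = [b for b in log if b.work_order]
    unjustified = [b for b in log if not b.work_order]
    mean_repair = sum(b.hours for b in repairs) / len(repairs) if repairs else 0.0
    causes = []
    # Plain threshold comparisons; no allowance for year-to-year statistical scatter.
    if len(repairs) > expected_failures:
        causes.append("failure rate higher than assumed")
    if mean_repair > mttr_hours:
        causes.append("mean time to repair higher than assumed")
    if unjustified:
        causes.append("bypass without a repair work order")
    actual_hours = sum(b.hours for b in log)
    return {"expected_hours": expected_hours, "actual_hours": actual_hours,
            "over_budget": actual_hours > expected_hours, "causes": causes,
            "unjustified_tags": [b.tag for b in unjustified]}

# Constructed one-year bypass log: (tag, start, duration in hours, work order)
_ROWS = [("PT-101", datetime(2023, 1, 10, 8), 48, "WO-1001"),
         ("LT-204", datetime(2023, 2, 3, 8), 96, "WO-1002"),
         ("TT-310", datetime(2023, 3, 15, 8), 120, "WO-1003"),
         ("PT-115", datetime(2023, 5, 20, 8), 72, "WO-1004"),
         ("FT-402", datetime(2023, 7, 8, 8), 60, "WO-1005"),
         ("LT-220", datetime(2023, 9, 1, 8), 84, "WO-1006"),
         ("PT-101", datetime(2023, 11, 12, 8), 30, None)]
SAMPLE_LOG = [Bypass(t, s, s + timedelta(hours=h), wo) for t, s, h, wo in _ROWS]

if __name__ == "__main__":
    # Design basis from the text: 100 instruments, 1/20 per year, 72 h MTTR
    for key, value in bypass_metrics(SAMPLE_LOG, 100, 1 / 20, 72).items():
        print(f"{key}: {value}")
```

On the constructed log the plant logs 510 bypass hours against an expectation of 360, and all three explanations apply: six repairs instead of five, an 80-hour mean repair time instead of 72, and one bypass with no work order.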