During Layer of Protection Analysis (LOPA) of high hazard scenarios, we often rely on a diversity of protections, including instrumented and non-instrumented safeguards. Invariably, we run into situations where instrumented safeguards must bear the full weight of the risk reduction. Of course, we never want to design a Safety Instrumented Function (SIF) to SIL 4, or even SIL 3, so we strive to rely on a combination of separate protection layers from the BPCS, the SIS and maybe even hardwired shutdowns.

The new standard for the process industries, IEC 61511 Edition 2 (2016), has some interesting things to say about this situation. Essentially, the standard writers identified a situation where a risk reduction factor of 10,000 or more is being analyzed (presumably by LOPA, although the standard certainly doesn't require this technique). Clause 9.2 of the standard doesn't particularly care whether I intend to cover that "LOPA gap" with the SIS alone, multiple SIS (including hardwired), BPCS interlocks, or any combination of those. The standard recognizes that I'm using instrumentation and controls to cover a risk reduction of 10,000, and this situation prompts extra requirements from the new standard. Interestingly, this goes well beyond the familiar speed limit on BPCS credit during LOPA (a PFD of no better than 0.1, that is, a risk reduction factor of 10, for a BPCS protection layer), and it drives toward further analyzing the hazard and risk using inherent safety, diversification, and more quantification of risk.

Because the goal of the standard is functional safety, this makes sense; but it also highlights the tension involved in writing a Safety Instrumented Systems standard. Historically, one camp strives to remain agnostic on HOW one goes about selecting a performance target (SIL), and guides the user on design once that target has been identified. Another camp strives for an SIS standard that places more requirements on process safety practitioners, who would typically follow CCPS or other industry practices when doing hazard and risk analysis such as LOPA.

The new standard essentially requires three activities once I identify a LOPA gap of 10,000 or more that is to be covered solely by instrumented means.

  1. Reconsider inherent safety or use non-instrumented safeguards (Clause 9.2.5).
  2. Reconsider common cause failures between all of these instrumented protections (Clause 9.2.6).
  3. As a last resort, design for a risk reduction of 10,000 or more, but quantify the dependencies and common cause failure modes between the BPCS, SIS and other (hardwired) instrumented protections (Clause 9.2.7).

Frankly, items 1 and 2 are always considered (and yes, reconsidered) during LOPA whenever we are faced with high risk reduction requirements. Item 3 has long been done by Kenexis whenever we are faced with a challenging SIS design. This level of quantification is referred to as a focused quantitative risk analysis (fQRA). Kenexis uses fault propagation modeling such as Fault Tree Analysis (FTA) to examine common cause failures, common mode failures and dependent failures. The reason this matters is that LOPA arithmetic multiplies the PFDs of the layers as if they were independent; a transmitter, valve, power supply or utility shared between the BPCS and the SIS breaks that assumption, and a fault tree exposes the shared element as a single cut set instead of letting it hide inside the product. This addresses failures that could compromise BPCS protection, SIS protection or other instrumented safeguards, and it can be used to demonstrate that the required risk reduction can be achieved through a combination of these protection layers. Kenexis' software tools, including Arbor and Vertigo, are the backbone of focused QRA.

One example is a hydrocracker reactor within a petroleum refinery. There is a serious hazard associated with an uncontrolled exothermic reaction, which could lead to the release of a large quantity of flammable hydrocarbons and hydrogen gas. The hazard is protected exclusively by instrumentation and controls, including the BPCS and SIS protection layers. Initiating events are very credible, certainly at least 0.1 per year in frequency. This often leads to a situation where a risk reduction of 10,000 or more is required from the instrumentation, wherever it may be located, including the BPCS to quench the reaction and SIS interlocks to isolate and depressure the reactor. Kenexis has performed countless LOPA/SIL selection studies that have led into a focused QRA. The QRA includes fault tree analysis that studies each component failure mode and how that failure could propagate through the system. Ultimately this leads to a robust design of instrumented safeguards that can be assured to achieve the performance requirements.
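As an added worked example of item 3 above and of the hydrocracker scenario just described (this is not code from the original post and not Kenexis' Arbor or Vertigo), the following Python evaluates a small fault tree exactly and contrasts it with the conventional LOPA product of independent layers. The temperature transmitter shared between the BPCS quench loop and the SIS depressuring SIF, the initiating event and tolerable frequencies, and every PFD value are constructed assumptions chosen for illustration, not data from any real unit.

```python
"""
Added example: required RRF, naive LOPA RRF, and a fault-tree RRF that
accounts for a shared (common-cause) element between BPCS and SIS.
All numbers and element names are constructed assumptions.
"""
from dataclasses import dataclass
from itertools import combinations, product
from typing import Dict, FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class Basic:
    name: str
    pfd: float          # probability of failure on demand (unavailability)


@dataclass(frozen=True)
class Gate:
    kind: str           # "AND": all inputs must fail; "OR": any input failing is enough
    inputs: Tuple["Node", ...]


Node = Union[Basic, Gate]


def collect_basics(node: Node, acc: Dict[str, Basic] = None) -> Dict[str, Basic]:
    """Unique basic events in the tree, keyed by name (a shared element appears once)."""
    if acc is None:
        acc = {}
    if isinstance(node, Basic):
        acc.setdefault(node.name, node)
    else:
        for child in node.inputs:
            collect_basics(child, acc)
    return acc


def failed(node: Node, state: Dict[str, bool]) -> bool:
    """True if this node has failed under the given truth assignment of basic events."""
    if isinstance(node, Basic):
        return state[node.name]
    results = [failed(child, state) for child in node.inputs]
    return all(results) if node.kind == "AND" else any(results)


def top_event_pfd(top: Node) -> float:
    """Exact top-event probability by enumerating every combination of basic-event
    states. A basic event under more than one branch is counted once, so a common
    cause is handled correctly; the plain product of layer PFDs cannot do that."""
    basics = list(collect_basics(top).values())
    total = 0.0
    for states in product([False, True], repeat=len(basics)):
        state = {b.name: s for b, s in zip(basics, states)}
        if failed(top, state):
            p = 1.0
            for b, s in zip(basics, states):
                p *= b.pfd if s else (1.0 - b.pfd)
            total += p
    return total


def minimal_cut_sets(top: Node) -> List[FrozenSet[str]]:
    """Smallest sets of basic events whose joint failure fails the top event.
    A first-order cut set is a single point of failure shared by the layers."""
    names = sorted(collect_basics(top))
    cut_sets: List[FrozenSet[str]] = []
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            candidate = frozenset(combo)
            if any(cs <= candidate for cs in cut_sets):
                continue                      # superset of a smaller cut set: not minimal
            state = {n: (n in candidate) for n in names}
            if failed(top, state):
                cut_sets.append(candidate)
    return cut_sets


def required_rrf(initiating_freq_per_yr: float, tolerable_freq_per_yr: float) -> float:
    """LOPA gap: initiating event frequency divided by the tolerable frequency."""
    return initiating_freq_per_yr / tolerable_freq_per_yr


def lopa_rrf(layer_pfds: List[float]) -> float:
    """Conventional LOPA: layers assumed independent, so their PFDs multiply."""
    pfd = 1.0
    for p in layer_pfds:
        pfd *= p
    return 1.0 / pfd


# Constructed hydrocracker-style scenario (illustrative values only).
SHARED_TX = Basic("shared_temperature_transmitter", 0.002)  # assumed: read by both BPCS and SIS
BPCS_OWN = Basic("bpcs_quench_loop", 0.1)                   # BPCS credit capped at PFD 0.1
SIS_OWN = Basic("sis_depressure_sif", 0.001)                # assumed SIL 3 target for the SIF

BPCS_FAILS = Gate("OR", (BPCS_OWN, SHARED_TX))
SIS_FAILS = Gate("OR", (SIS_OWN, SHARED_TX))
RUNAWAY_UNPROTECTED = Gate("AND", (BPCS_FAILS, SIS_FAILS))  # both layers fail on the same demand


def scenario() -> Dict[str, float]:
    return {
        "required_rrf": required_rrf(0.1, 1e-5),           # 0.1/yr demand, 1e-5/yr tolerable
        "lopa_rrf_independent": lopa_rrf([BPCS_OWN.pfd, SIS_OWN.pfd]),
        "fta_rrf_with_common_cause": 1.0 / top_event_pfd(RUNAWAY_UNPROTECTED),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:28s} {value:10.0f}")
    print("minimal cut sets:", [sorted(cs) for cs in minimal_cut_sets(RUNAWAY_UNPROTECTED)])
```

Run as a script, it reports a required RRF of 10,000, a naive LOPA RRF of 10,000 (0.1 x 0.001 looks like exactly enough), and a fault-tree RRF of under 500 once the shared transmitter is modeled, with that transmitter appearing as a first-order cut set. That single-element cut set is precisely the dependency Clause 9.2.7 asks to be quantified rather than assumed away, and the design fix (a separate SIS transmitter, or diverse sensing) is what removes it.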

For more information on the new IEC 61511 Ed. 2 standard and guidance on how to address high risk reduction situations, contact Kenexis.