SIL 2 and SIL 3, to be that reliable, must account for end-user human error probabilities

The real issue is will your SIL 2 SIF lower the risk of the final consequence by a factor of 100 and similarly will your SIL 3 SIF lower the risk by a factor of 1000. If not, and if a SIL 2 or 3 SIF was required for your scenario to reach tolerable risk, then you have not accomplished your duty to lower the risk to tolerable levels. One way to see the problem is to consider the system boundary illustration below:

Currently, more than 95% of the SIL Verifications we have reviewed, and nearly ALL of the internal company standards for the calculations of SIL Verification miss the systemic error and the specific human error and especially miss the huge contribution of human errors during maintenance and process startups after outages. Because of these omissions, the End Users (owners) have bought and installed supposedly high integrity systems that will in practice perform no better than a BPCS loop or SIL 1 SIF. Some companies now realize this, but the standards and technical reports (guidance) from the international committees for SIS have not yet been amended to account for such human errors. Of the systemic and specific human errors, the major ones that degrade the SIL is the time zero probability of leaving an entire SIF in bypass (intentionally or unintentionally) and the probability of leaving a root valve on a sensor/transmitter in bypass. Given normal baseline human error rates, such probabilities are greater than 0.01 and so the PFD of the entire SIF is greater than 0.01 and so a SIL 2 (let alone a SIL 3) cannot be achieved in actual use of the SIF.

On the other hand, if the SIL Verification protocol required specific (descrete) consideration of systemic error, and especially human error probability for interventions, then it is likely that some of the errors can be made detectable and therefore minimized. But note in many applications, it has not been possible to a achieve a SIL 3 (with a PFD < or = 0.001) when there is a system bypass (soft or hard bypass) available to the end users. You can download a free paper on this issue, with a couple of worked examples, from: http://www.process-improvement-institute.com/_downloads/Accounting_for_Human_Systematic_Error_During_SIL_Verification_website.pdf

In addition, the very new book from CCPS/AIChE, Guidelines for Initiating Events and Independent Protection Layers, 2012 (at the publishers now) notes the same issue with high integrity safety systems (such as SIL 2 and higher and such a relief systems) and demotes the PFD available from such systems, unless the systemic error has been accounted for and addressed.

To learn more, see the courses and consulting services from PII. www.piii.com

By | 2016-12-07T01:33:36+00:00 March 29th, 2012|Uncategorized|0 Comments

About the Author:

Leave A Comment