IEC 61511 mentions systemic errors should be controlled and also estimated in the SIL Verification. But, ISA folks say they found it too complicated to include a calculation method for systemic error in TR84.00.02 guidance; which is why we almost never see it considered in actual practice. There is systemic error for process-related failures (such as pluggage by dust, scale, etc., of level taps, instrument ports, etc.). There are also systemic errors for the human intervention to test the SIF or for returning to automatic service after a bypass. This is especially true for continuous processes where bypasses are needed and where root valves for instruments are needed. We are about to publish a paper on a simple method for estimating system human errors, it is just a simplified estimation of system errors for each software/security bypass and each bypass valve or root valve. The human error probability is of course an “OR gate” for each opportunity for leaving a bypass or valve in the wrong position. The error rate is in turn estimated from standard HRA approaches, but simplified a bit with respec to estimating “error recovery rate.” These are adjusted by the rigor of human factor control at the site and is SITE specific.

There are 10 human factor categories, which need to be estimated for the site to get an adjust of the baseline human error rate to make it fit a specific site. The Best (lowest) error rate we have seen in practice at a chemical plant or refinery or gas plant is about 1 error per 100 steps of on an instruction. But, this is heavily influenced by the human factors of fitness for duty (such as fatigue), miscommunication, quality/accuracy of procedures, use of checklist at each step in the field, etc. We have not found (yet) any facility that had actual data on human error rates, though there are folks moving that way. So, if the actual human error probability is 0.02 for a step and there is a step to open a bypass valve after a test of a final isolation valve (or a a step to re-open a root valve of a level sensor), then that factor would be added to the PFD calc for that portion of the SIF and so the SIL verification would >0.02 for that portion.

Then the next issue is the common cause error for the human error. If the human leaves 1 bypass open (or one root cause closed), it is likely they will make similar mistakes on the same day by the same person. Compound this with the fact that such maintenance/inspection are not staggered (most sites use the same instrument tech on the same day to test/check many SIF) and you can start to see the problem. By the end, it is likely you are adding a 0.01 or 0.02 to the entire hardware SIL calc; obvious in such cases, a SIL 2 or SIL 3 is not possible. But in batch processes, the issue is not the same; and in a conitnuous process, there may be ways for instruments and transmitters and limit switches to detect some of these errors. These have to be accounted for as well. But you cannot ignore the composite human errors for testing/validating SIF; it is the dominating portion of SIL 2 and SIL 3 in most cases we have checked or verified.

The new book from CCPS/AIChE, Guidelines for Independent Protection Layers and Initiating Events, will say the same thing as above; i.e., SIL is not equalvalent to risk reduction factors (inverse of PFD) unless the human error probability is considered in the SIL verification calc. It is the same with other IPLs as well. If you do not account for the human errors in interventions with relief valves, then PFD is not equal to the pop test data. Bottom-line: You can’t hope to be accurate here (since there is not enough plant-specific data); but you also do not want to omit the greatest of the factors.

Come to one of our training courses or download our papers to learn more. www.piii.com