Another mistake that I commonly run into when reviewing HAZOP/LOPA studies (i.e., studies where the SIS is credited as a protection layer, as opposed to SIL determination studies, where the SIS is deliberately left out of the IPL count so that its required performance target can be determined) is counting the SIS as more than one protection layer. This is a clear violation of the “separation” criterion for a protection layer, and it is routinely neglected because inexperienced analysts focus on the “sensors” instead of the entire SIF. The best rule of thumb for including an SIS as an IPL in a LOPA is that the “SIS can only be used as a protection layer once per scenario”. Granted, the SIL target may be high (e.g., SIL 2 or SIL 3, corresponding to a probability of failure on demand no worse than 1% and 0.1% respectively), but credit can only be taken once, however many sensors feed that one SIF.
Let me clarify this rule with an example of an analysis that was done very poorly, followed by the correct assessment of the situation. Consider the hazard of overfilling a compressor knockout drum with liquid, which could subsequently be carried over into the machine, damaging it and potentially causing loss of containment through damaged seals. The assessment team, led by an inexperienced facilitator with little understanding of how an SIS works, listed the following IPLs:
1. High Level Shutoff
2. High Vibration Shutoff
3. High/Low Motor Current Shutoff
4. and strangely, High Pressure Shutoff
Furthermore, the team stated that since the facility used a SIL 3-rated logic solver, each of these protection layers afforded three orders of magnitude of risk reduction, resulting in an overall protection level of 12 orders of magnitude of risk reduction.
Incredibly safe? Hardly. This analysis was a comedy of errors that I will now dissect. The first thing to note is the amateurish description of the SIS IPL, which names only the sensor and not the action taken. This is usually a dead giveaway that the analysis was put together by a rookie who doesn’t understand the SIS IPL: a SIF is sensor, logic solver and final element together, and its failure probability belongs to the whole loop. While each one of these “protection layers” does indeed use a separate sensor, they all share the same logic solver (with the possible exception of the over/undercurrent trip) and all share the same final element, i.e., the compressor’s motor starter. In reality you don’t have four SIFs, you have one SIF with four sensors (at least that is what the team alleges).
Furthermore, the “high pressure” SIF blatantly violates the “specificity” criterion of an IPL. You can’t argue that the high pressure shutdown on the separator vessel was “specifically designed” to detect an overfill condition. Even the high current and vibration trips are of dubious credibility with respect to an overfill condition, but they are still somewhat commonly credited. In this scenario, the team theorized that if the separator drum were to overfill it would also produce a high pressure, which would be detected by the high pressure switch. That is in fact not true, in addition to being neither “specific” nor “separate”.
Finally, while a SIL 3 logic solver may be a good thing, that doesn’t mean that every loop that goes through the logic solver is SIL 3. In fact, most of the failure probability of a SIF sits in the field equipment, which in this case consisted of blind switches capable of achieving SIL 1, but not more. The logic solver is typically the smallest contributor, so a SIL 3 logic solver with SIL 1 field devices yields a SIL 1 loop.
Ultimately, the protection layers listed by the team fell very much short of the purported 12 orders of magnitude of risk reduction. The most restrictive interpretation of an IPL would only allow credit for the high level SIF (the others are not really specific and not really separate), and with blind switches as field devices it can only provide one order of magnitude of risk reduction. If you additionally took credit for the vibration and/or under/overcurrent sensing, these are not additional protection layers, but could be considered additional sensors for the single SIF that protects the compressor. Voting several sensors reduces the sensor subsystem’s contribution, but the shared logic solver and the shared motor starter still fail on their own, so their failure probabilities set a floor that no number of extra sensors can push below. If these multiple sensors are considered as part of the SIF, then the SIF could likely achieve SIL 2, but no more.
The final result: not 12 orders of magnitude of risk reduction, but at most 2.
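To make the arithmetic behind that conclusion concrete, here is a small Python model of the knockout drum scenario. It is an added example written for this page, not something from the original study or any real SIL verification; every PFD figure in it (0.05 per blind switch, 5e-4 for the logic solver, 5e-3 for the motor starter) is an assumed illustrative value chosen to sit in the SIL band the text describes, and the subsystem arithmetic uses the usual simplifications (series subsystems summed, independent 1ooN sensors multiplied, common-cause failure ignored). It contrasts the team’s “four independent SIL 3 layers” claim with one SIF that shares a logic solver and final element across all four sensors.

```python
"""PFD arithmetic for the compressor knockout drum overfill scenario.

Added example, not from the original post or any real SIL study.
All PFD values are hypothetical illustrative figures.

Simplifications (standard in hand calculations, labelled here so nobody
mistakes this for a full IEC 61511 verification):
  * subsystems in series (sensor, logic solver, final element) are summed;
  * N independent sensors voted 1ooN are multiplied, since all must fail
    for the demand to be missed;
  * common-cause failure is ignored, which flatters the voted sensors,
    never the conclusion.
"""
import math

# IEC 61508/61511 low-demand bands: SIL n means 10^-(n+1) <= PFDavg < 10^-n.
SIL_UPPER_BOUNDS = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}

# Hypothetical subsystem figures for this scenario.
SWITCH_PFD = 0.05          # one blind process switch: SIL 1 territory
LOGIC_SOLVER_PFD = 5e-4    # a SIL 3-capable logic solver
MOTOR_STARTER_PFD = 5e-3   # the shared final element


def sil_from_pfd(pfd):
    """Return the SIL band (1..4) a PFDavg falls in, 0 if it is below SIL 1."""
    sil = 0
    for level, upper in SIL_UPPER_BOUNDS.items():
        if pfd < upper:
            sil = level
    return sil


def orders_of_magnitude(pfd):
    """Risk reduction expressed as log10(RRF) = -log10(PFD)."""
    return -math.log10(pfd)


def pfd_1oon(sensor_pfds):
    """1ooN voting of independent sensors: the demand is missed only if all fail."""
    product = 1.0
    for p in sensor_pfds:
        product *= p
    return product


def sif_pfd(sensor_pfds, logic_solver_pfd, final_element_pfd):
    """Whole-loop PFD: sensor subsystem + logic solver + final element."""
    return pfd_1oon(sensor_pfds) + logic_solver_pfd + final_element_pfd


def team_claim():
    """What the study claimed: four separate SIL 3 IPLs, credits multiplied."""
    return 1e-3 ** 4


def one_switch_loop():
    """An honest single loop: one blind switch, the logic solver, the starter."""
    return sif_pfd([SWITCH_PFD], LOGIC_SOLVER_PFD, MOTOR_STARTER_PFD)


def four_loops_multiplied():
    """The separation error with honest loop numbers: multiplying four loops
    that share a logic solver and a motor starter as if they were independent."""
    return one_switch_loop() ** 4


def one_sif_four_sensors():
    """The defensible model: one SIF, four sensors voted 1oo4, shared
    logic solver and final element."""
    return sif_pfd([SWITCH_PFD] * 4, LOGIC_SOLVER_PFD, MOTOR_STARTER_PFD)


def shared_element_floor():
    """Even with perfect sensors, the shared logic solver and starter remain."""
    return sif_pfd([0.0], LOGIC_SOLVER_PFD, MOTOR_STARTER_PFD)


if __name__ == "__main__":
    rows = [
        ("team claim: 4 x SIL 3, multiplied", team_claim()),
        ("one blind switch loop", one_switch_loop()),
        ("four such loops treated as independent", four_loops_multiplied()),
        ("one SIF, four sensors 1oo4", one_sif_four_sensors()),
        ("floor from shared logic solver + starter", shared_element_floor()),
    ]
    for label, pfd in rows:
        print(f"{label:42s} PFD={pfd:10.3e}  SIL {sil_from_pfd(pfd)}  "
              f"{orders_of_magnitude(pfd):5.2f} orders of magnitude")
```

Running it shows the gap the text describes: the single switch loop lands at SIL 1 (about 1.3 orders of magnitude), voting all four sensors into one SIF brings it to SIL 2 (about 2.3 orders of magnitude), and the floor row shows why SIL 3 is out of reach no matter how many sensors are added. The “four loops multiplied” row is the same separation error as the team’s 12 orders of magnitude, just with honest loop numbers; it only looks plausible because the shared starter has been silently assumed to fail independently four times.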