My proposed topic for discussion: I have experience in conducting a SIL requirement assessments for furnace burning systems. Each client of such analyses have a little bit different approach and risk assessment procedures which I should follow. However as an analyst and session leader I don't agree with them sometimes. It is always a challenge for me, as analyzing such a system raises many questions about the validity of decisions made during the LOPA. Briefly: This particular protection system consists of many instrumented safety functions protecting the furnace, like low and high pressure of the fuel gas, low pressure of combustion air, loss of flame, overpressure in the combustion chamber, wrong air/fuel ratio, CO/O2 flue gas detection, flue gas damper closure detection and some others depending on specific technology used. So the first issue of this SIL analysis is related to the layers of protection. In the most conservative case, we can't take any additional layers of protection independent of the analyzed function. Why? Because all possible other actions are still the same: close the double shutoff valves at the fuel supply line to the burners. The same valves which are part of the SIF we are talking about. What's more it's not always possible to ensure a low personnel presence rate in the hazardous area. This of course results in very high SIL requirements. But I always wonder if this approach is practical and not too conservative? The second question is whether each of these SIFs really needs to be analyzed separately, when most of them protect the furnace from loss of flame and a chamber from the formation of an explosive atmosphere. Perhaps some functions can actually be considered as a one SIF with redundancy and diversification of measurement systems detecting different physical quantities? This case is much closer to my approach of practical side of functional safety. By the way, I've got also a third point of view but maybe I will describe it a little bit later during a discussion.

Hi all. I would like to hear everyone’s views and opinions on having one valve for control and one valve for safety, Or if they would have one valve that does both. If you have one valve what’s are your argument for, independence, CCF, and control system errors.

Hi all (again), I am currently working with a Client which has asked me to carry out a C&I compliance assessment on vendor skid coming from China. The skid is fair size (approx. 400m²) as it contains a full Pyrolysis unit along with it's own BPCS Control System and Independent Fail Safe Controller. Among all the other C&I compliance checks I am doing, the Functional Safety checks is one of the main items on my radar. My initial TQ's to this particular vendor contain queriers around how they have managed their SIL rated trips, i.e. which Safety Standard have they complied with? and also what lifecycle documentation they can provide, i.e. Hazard Study Reports, SRS, SIL Verification Calcs, SIF Validation evidence etc? (I am awaiting their response) .. I often hear that we should treat Vendor packages as black boxes, however I believe there must be some level of assessment which must be carried out by the Principal Designer to ensure the equipment being supplied is compliant to our standards, and has followed robust safety lifecycle? My question to the team is, what sort of assessment would you carry out on 3rd party skids the size of this? Again, any opinions on this one would be hugely appreciated!

A new case study has been added to the classroom. Scenario: A 1998 installed SIS with unknown diagnostic coverage is still in service. The asset owner believes it achieves SIL2 based on vendor documentation. Your task: Determine whether the claim is credible. Full case study here: [link] Questions: • What is the first thing you would check? • How would you deal with missing failure rate data? • Would you accept prior-use evidence?

Hi All, I am currently writing a proof test procedure for a High-High Temperature SIF. The sensor is 3-wire RTD. After carrying out all the proof testing checks, I have included for an RTD Calibration check to be carried out at the end, using a decade box or loop calibration device e.g. Fluke 754). Reason being, I wanted to ensure the loop was functioning correctly still after disconnecting sensor wires etc, during the proof test. However, my Client has requested this to be removed from the Proof Test as this is done as part of other existing maintenance routines. Just want to get anyone's thoughts on this, as to whether it is overkill to include an RTD check, and I should simply just ask the user to check the RTD is within it's prescribed calibration date? Any opinions on this would be appreciated!