7 contributions to Functional Safety Play Book
Burner protection
My proposed topic for discussion: I have experience in conducting SIL requirement assessments for furnace burning systems. Each client of such analyses has a slightly different approach and risk assessment procedure which I should follow. However, as an analyst and session leader I don't always agree with them. It is always a challenge for me, as analyzing such a system raises many questions about the validity of decisions made during the LOPA. Briefly: this particular protection system consists of many instrumented safety functions protecting the furnace, like low and high pressure of the fuel gas, low pressure of combustion air, loss of flame, overpressure in the combustion chamber, wrong air/fuel ratio, CO/O2 flue gas detection, flue gas damper closure detection and some others depending on the specific technology used. So the first issue of this SIL analysis is related to the layers of protection. In the most conservative case, we can't take any additional layers of protection as independent of the analyzed function. Why? Because all possible other actions are still the same: close the double shutoff valves on the fuel supply line to the burners. The same valves which are part of the SIF we are talking about. What's more, it's not always possible to ensure a low personnel presence rate in the hazardous area. This of course results in very high SIL requirements. But I always wonder if this approach is practical and not too conservative? The second question is whether each of these SIFs really needs to be analyzed separately, when most of them protect the furnace from loss of flame and the chamber from the formation of an explosive atmosphere. Perhaps some functions can actually be considered as one SIF with redundancy and diversification of measurement systems detecting different physical quantities? This case is much closer to my approach to the practical side of functional safety.
By the way, I've also got a third point of view, but maybe I will describe it a little later during the discussion.
0 likes • 15d
Valve proving is paramount: an automated function and fail-safe? On startup, always, as these are the last line of defense. Although, is there a consideration that an explosion from a build-up of gases could be contained? This will be an interesting discussion.
Case Study - HAZOP and Design Reviews
A new Hydrogen project involving H2 generation, storage and power generation is under consideration at a major Natural Gas Storage location. This first-of-a-kind plant has some interesting challenges; I would like to highlight my thoughts and open discussion to the community. H2 generation was from a bank of industrial Electrolysers, storage was repurposing an existing deep salt cavern, and power generation was from an H2-compatible GT. Projects identify one stage 3 assessment (HAZOP), but this is never enough unless it is a well-proven design, and is therefore a significant risk to the overall project delivery. Consider several HAZOP and Design Reviews (DR). The Electrolyser was an OEM design, with protection designed to machinery directives, but then multiple units were used in combination to generate the capacity required, and this is now a process plant with its own dynamics and process safety requirements which need HAZID and HAZOP. These identify new hazards which need design changes to the original 'machine'; consider a DR following the initial HAZID, but the DR can take the form of a HAZOP. The output from the Electrolyser needs compression to store in the salt cavern; going from the atmospheric pressure of the Electrolyser to 250 bar storage pressure introduces significant hazards requiring safety function development. High-pressure H2 needs a specialised choke valve to reduce it to the 30 bar operational pressure of the GT. The power generated (nominally 50 MW) can be used by the existing storage plant, therefore having an electrical interface and introducing further hazards. The control of the existing storage plant needs integration of the new plant, from cavern management to power utilisation. With so many changes to the existing plant and the introduction of new hazards, a multi-stage HAZOP/DR is required; this is an iterative approach: HAZID, DR, HAZOP, HAZID, DR, HAZOP... until a final process can be achieved.
In addition, consideration of system flows, not just process flows: we need to expand the Process HAZOP with an Electrical HAZOP and a Control HAZOP. How do these separate systems interact and introduce different hazards?
Maximum Out of Service Time (MOST)
Hi everyone, @Noah Tibasiima has raised the following question, but it was added to another post and may have been overlooked.

I have been sleeping on this for a while. I would be interested in hearing how others approach the determination of Maximum Out of Service Time (MOST) when a safety function is bypassed. There is a document out there discussing this (I kinda forgot the title), but it is not mainstream FS if I am not mistaken. However, it discusses using time at risk to set the maximum time that an IPL can be bypassed. An explanation that stuck with me was this: when an IPL or SIF is bypassed, its PFD during that period is effectively 1.0, since it is guaranteed to fail on demand. Because of that, the time spent in bypass cannot be arbitrary. To keep the average PFD of the function within its tolerable target over the proof test interval, the duration of the bypass has to be limited. The way I saw it derived was by essentially equating the risk contribution accumulated during the bypass period with the allowed risk budget allocated to that IPL/SIF over the full interval. In simplified terms, the MOST becomes the maximum time the function can remain bypassed before the average PFD target is exceeded.

My questions to those reading this:
1. How are you determining MOST in practice: do you derive it analytically from the SIF PFD target, or do you rely on more conservative procedural limits?
2. Do you treat the bypass state strictly as PFD = 1, or do you incorporate compensating measures (temporary IPLs, administrative controls, etc.) into the calculation?
3. Are there particular company or industry guidelines you have found useful for setting these limits?

Curious to hear how others handle this in operating facilities, because I could swear I have told someone before to go look up the SRS 😂, yet they were dealing with a legacy system.
3 likes • Mar 17
We relate this to MTTR, which indicates that the identified SIF is out of service. When this becomes compromised we have always carried out an additional risk assessment to determine what other mitigations can be put in place. We lost a SIL 2 valve for maintenance reasons and increased inspections, testing and procedures to cover the risk gap. Doing a mathematical exercise to mask the shortfall is never good enough.
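The simplified budget argument described in the question, carried through as an added example (not code from the original thread or from any of its participants). The time-weighted PFD model, the SIL 2 boundary target of 0.01, the verified PFD of 0.005 and the one-year proof test interval are all assumptions made for the illustration; the `bypass_pfd` parameter covers question 2 by letting a temporary compensating IPL be credited instead of PFD = 1.

```python
"""Simplified MOST (Maximum Out of Service Time) budget for a bypassed SIF/IPL.

Assumed model: over one proof test interval T the function runs at its
nominal average PFD for (T - t_b) hours and at PFD = bypass_pfd for the
t_b hours it is bypassed (bypass_pfd = 1.0 means "guaranteed to fail on
demand"; a smaller value credits a temporary compensating IPL).  The
time-weighted average must stay inside the target:

    ((T - t_b) * pfd_nominal + t_b * bypass_pfd) / T <= pfd_target

Solving for t_b gives the MOST.  This illustrates the budget argument in
the question; it is not a published method.
"""


def average_pfd_with_bypass(pfd_nominal: float, interval_h: float,
                            bypass_h: float, bypass_pfd: float = 1.0) -> float:
    """Time-weighted average PFD over one proof test interval that includes
    a bypass of bypass_h hours."""
    if not 0.0 <= bypass_h <= interval_h:
        raise ValueError("bypass duration must lie within the proof test interval")
    return ((interval_h - bypass_h) * pfd_nominal + bypass_h * bypass_pfd) / interval_h


def most_hours(pfd_target: float, pfd_nominal: float, interval_h: float,
               bypass_pfd: float = 1.0) -> float:
    """Longest bypass (hours) that keeps the time-weighted average PFD at or
    below pfd_target.  Returns 0.0 when the function already uses its whole
    budget, and the full interval when the credited compensating measure is
    at least as good as the function itself."""
    for name, value in (("pfd_target", pfd_target), ("pfd_nominal", pfd_nominal),
                        ("bypass_pfd", bypass_pfd)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be a probability, got {value}")
    if interval_h <= 0:
        raise ValueError("proof test interval must be positive")
    if pfd_nominal >= pfd_target:
        return 0.0  # no risk budget left to spend on a bypass
    if bypass_pfd <= pfd_nominal:
        return interval_h  # bypass state is no worse than normal operation
    return interval_h * (pfd_target - pfd_nominal) / (bypass_pfd - pfd_nominal)


if __name__ == "__main__":
    # Constructed figures: SIL 2 boundary target, SIF verified at PFD 0.005,
    # annual proof test (8760 h).
    T = 8760.0
    print(f"MOST, bypass PFD = 1    : {most_hours(0.01, 0.005, T):.1f} h")
    print(f"MOST, temporary IPL 0.1 : {most_hours(0.01, 0.005, T, 0.1):.1f} h")
```

With these constructed figures the budget is about 44 hours when the bypass is treated as PFD = 1, and about 461 hours when a temporary IPL at PFD 0.1 is credited during the bypass.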
Live Decision Review — Monday 16 March
I'll be running the first Playbook Decision Review next week.

📅 Monday 16 March 2026
⏱️ ~40 minutes

Scenario we'll review: A SIF designed to meet SIL 2 was verified assuming independence. During installation review it's discovered that the installation didn't meet the design requirements — increasing potential common cause failure. The plant is nearly complete and correcting the installation would cost millions. So the question becomes: what would you recommend as the functional safety engineer?

Options we'll pressure-test:
- Accept the installation and justify the assumptions
- Recalculate the SIL verification with updated CCF assumptions
- Require corrective changes despite the cost

The aim of the session is simple: walk through how experienced engineers frame and defend decisions when the standards don't give a clear answer.

🔒 Attendance is available to premium members. Recording available to all members. If you'd like to attend, check out the calendar, comment below or message me and I'll send the meeting link.
1 like • Mar 13
We need to get the owner involved in the decision process; the FSE would advise correction but the PM would fight against the cost. There needs to be a confirmed ALARP case concluded and accepted by the owner. Plus... lessons learned, so we can capture the mistake made in the next project.
Proof test coverage
Something that always makes me pause when reviewing designs... proof test coverage that somehow always ends up being 100% effective. On paper it looks great. The numbers work nicely. The SIL calculation passes comfortably. But in the real world I always find myself thinking: can we really detect every dangerous failure with that test? In my experience, this is a major cause of rework. If the design progresses to the point where commissioning documents are written and then an FSA or design review reveals overly optimistic proof test coverage, it's a lot of work to correct. Anyone else experiencing this?
1 like • Mar 9
Yes, agree; this is work in progress, as the tendency is to assume 100%. Consideration should be made during proof test procedure development: "what failure mode does the proof test reveal and, more importantly, what is not revealed?". In respect of valve coverage, "mission time" and "manufacturer recommendation" become relevant (although 'Midas' testing for let-by can be used); these require that the valve be overhauled AND recertified (clock reset).
0 likes • Mar 9
@Robert Petchey all good comments, and the realisation that 100% also implies that you know 100% of the failure modes. This can bite hard when future failures catch you by surprise. I note from the DCS/automation world that the process designer is including proof testing within software, taking the maintenance team and human error out of the loop?? The trap is that human error has moved from the maintenance team to the design team!!
Chris Hastings
@chris-hastings-1821
Power generation digital control and functional safety expert
Joined Jan 8, 2026