Hi @Richard Kelly . Thanks for the reply. Agreed on the spurious trip rate and yes, the scenario will involve stopping production once per year for all tests to be completed given the shared valve wouldn't allow production to continue (so not great from an operational perspective!). I have come across this a few times also, and on this occasion it has followed on from a HAZOP and LOPA when a new process has been added on a brownfield project. Overall the desired targets are being met for the SIF's with a 1oo1 architecture, and whilst the common valve is shared across several SIF's, my understanding from the standard is there would be no change to the demand mode, as the demand mode relates to demands on the complete SIF and not taking account for the fact the shared component can be activated by several. It is something to consider but is allowed. My overall feeling though is whilst the standard references how shared components can be used across SIF's, each scenario would really need to be risk assessed for the accumulative risk associated with failure of the shared component. For example, considering how many SIF's would failure of the shared component impact, what would the likelihood of a demand be (e.g. 10 with a demand rate of 0.1 meaning 1 would likely activate within the year between proof tests and potentially not work), and what would the consequence be of the SIF failing to operate.

Thanks @Richard Kelly In this scenario it is a shared component across SIFs so the common valve acts as a 1oo1 architecture for the output element, but that same output valve used for several different vessels, so nowhere to apply any common cause factor in this case. For calculating the common cause in other scenarios though I also use this type of method. The ExSilentia software has a list of questions that are answered relating to the arrangement and it provides a factor to use based on the overall score.

I agree @Richard Kelly and have also come across this before when looking at PTC values used in calculations, particularly on the final element with valves. Quite often the proof test will check the actuator and valve physically move, but the proof test is carried out during a shutdown, so there would be no indication if the valve wasn’t sealing. Unless there was a flow and differential pressure across the valve being measured or an inline flow transmitter, then if carried out offline the proof test would never capture this. There is guidance for realistic values to use but have again come across some optimistic values edging towards 100%. Testing elements offline can also be very different to when the process is in operation at higher pressures and higher/lower temperatures.

Both