7 contributions to Functional Safety Play Book
IPL Management
Hi All, Just read an interesting article on the recent introduction of an ISA standard which provides guidance on the management of Independent Protection Layers - Low Integrity Protection Layers: ANSI/ISA-84.91.03-2025 Explained. This is an interesting subject as IPLs are an essential aspect when working out the target RRF of a SIF, however they are often forgotten about once the plant goes back into operation. Some sites do manage the maintenance of IPLs differently to non-safety loops, via a maintained IPL register, IPL validation and more stringent testing routines. However this is not always the case and a lot of the time IPLs just fall into the normal maintenance system as this article suggests. Would be interesting to hear from the group your thoughts on this subject .....
1 like • May 4
Thank you, very interesting article. Finally, SIF with sil0 will find its application and maintenance.
Burner protection
My proposed topic for discussion: I have experience in conducting SIL requirement assessments for furnace burning systems. Each client of such analyses has a slightly different approach and risk assessment procedures which I should follow. However, as an analyst and session leader, I sometimes don't agree with them. It is always a challenge for me, as analyzing such a system raises many questions about the validity of decisions made during the LOPA. Briefly: This particular protection system consists of many instrumented safety functions protecting the furnace, like low and high pressure of the fuel gas, low pressure of combustion air, loss of flame, overpressure in the combustion chamber, wrong air/fuel ratio, CO/O2 flue gas detection, flue gas damper closure detection and some others depending on the specific technology used. So the first issue of this SIL analysis is related to the layers of protection. In the most conservative case, we can't take any additional layers of protection independent of the analyzed function. Why? Because all possible other actions are still the same: close the double shutoff valves at the fuel supply line to the burners. The same valves which are part of the SIF we are talking about. What's more, it's not always possible to ensure a low personnel presence rate in the hazardous area. This of course results in very high SIL requirements. But I always wonder if this approach is practical and not too conservative? The second question is whether each of these SIFs really needs to be analyzed separately, when most of them protect the furnace from loss of flame and the chamber from the formation of an explosive atmosphere. Perhaps some functions can actually be considered as one SIF with redundancy and diversification of measurement systems detecting different physical quantities? This case is much closer to my approach to the practical side of functional safety.
By the way, I've also got a third point of view, but maybe I will describe it a little bit later during the discussion.
0 likes • May 4
This is a truly interesting case, and I think every Hazop leader has encountered a furnace burner protection system. I've always considered these SIFs as dependent, as they share common elements and don't pass the independence test.
PVST
Partial Valve Stroke Test. The Exida model (exSILentia) says that partial proof test coverage affects the main proof test coverage factor. I've been using their model for many years and am still following it. You can find an explanation of this model here: https://www.exida.com/blog/why_does_my_proof_test_coverage_change_with_partial_stroke_testing I'm curious what your approach to this topic is in your PFDavg calculations?
0 likes • May 4
Interesting point of view, thanks for the information.
Hi All - Systems that pre date 61508
Hi all, thanks for the add, this looks like a really good way to share experience in the functional safety world. Thanks for setting up, Richard. I have a question for you all on the requirements when adding a new SIF to an existing SIL2 system that was designed over 40 years ago and was never designed to 61508. What things would we consider to make this possible without a full system redesign?
1 like • Mar 17
@Tomasz Barnert I just recently completed an audit for an ammonia production facility that has been in existence for over 20 years. HAZOP, LOPA, SRS, and SIL validation were performed. The specialist who performed the SIL confirmation used partial data for some SIF components from analogues, which I think is not correct. However, even using data for analogues, half of the SIF did not confirm the established SIL. I am currently reading the document GN-001_Legacy_Safety_Systems to understand how to properly organize SIL confirmation for older safety systems.
0 likes • Mar 17
@Richard Kelly Yes, of course it is useful) But I realized that with poor documentation of SIS maintenance, and it is almost everywhere bad, it is not possible to confirm compliance with SIL
Mission Time
Hi all, thanks for accepting. First of all, I am new to functional safety and sorry for my bad English😊. Actually, I have some doubts about one of the variables in the PFDavg calculation, namely mission time. A couple of questions to all: 1. What will happen at the end of the mission time? Should the end user decommission the plant? Or just replace everything and the mission time will get restarted? 2. If it depends on the end user, then based on what considerations do they usually determine the correct mission time? And what is the reason behind that? 3. Since over time the PFDavg will get derated, and the SIL claimed may decrease over time, shouldn't the end user decide to set the mission time before the SIL/RRF drops beyond the rating it should be? Hope you guys can share your knowledge. Thanks,
0 likes • Mar 17
It seemed to me that the time of the mission is determined by the manufacturer of a particular component or device.
1 like • Mar 17
@Tomasz Barnert Usually, the manufacturer declares two terms, the first warranty period, and the second service life.
Dmitry Kosianchik
@dmitry-kosianchik-9130
Project Manager (Hazop, Sil, Sil verification)

Active 44d ago
Joined Mar 7, 2026