Hi All. Just thought I would post in here to get others thoughts on a scenario I have come across recently. I know it’s best practice to avoid a single element being used in multiple SIFs, but are there any factors to take into consideration for the calculation. For example, several vessels have a common feed supply and whilst each have their own level sensor and logic solver, the common feed line overfill trip valve is shared for all vessels. Each SIF will have a calculation of all components, but all are actually using the same valve. My understanding is no common cause can really be applied as all have a 1oo1 output function. On another note, the configuration would also result in more demands on the valve with it being shared. Downtime and maintenance would also be impacted if shared. Again, just to get other thoughts on other factors that should be taken into account in this scenario. Thanks, Craig

Hi everyone, @Noah Tibasiima has raised the following question, but it was added to another post and may have been overlooked. I have been sleeping on this for a while. I would be interested in hearing how others approach the determination of Maximum Out of Service Time (MOST) when a safety function is bypassed. There is a document out there discussing this (I kinda forgot the title) but it is not mainstream FS if I am not mistaken. However it discusses using time at risk to set maximum time that an IPL can be bypassed. An explanation that stuck with me was this: When an IPL or SIF is bypassed, its PFD during that period is effectively 1.0, since it is guaranteed to fail on demand. Because of that, the time spent in bypass cannot be arbitrary. To keep the average PFD of the function within its tolerable target over the proof test interval, the duration of the bypass has to be limited. The way I saw it derived was by essentially equating the risk contribution accumulated during the bypass period with the allowed risk budget allocated to that IPL/SIF over the full interval. In simplified terms, the MOST becomes the maximum time the function can remain bypassed before the average PFD target is exceeded. My questions to those reading this: 1. How are you determining MOST in practice, do you derive it analytically from the SIF PFD target, or do you rely on more conservative procedural limits? 2. Do you treat the bypass state strictly as PFD = 1, or do you incorporate compensating measures (temporary IPLs, administrative controls, etc.) into the calculation? 3. Are there particular company or industry guidelines you have found useful for setting these limits? Curious to hear how others handle this in operating facilities because I can swear I have told someone before go look up the SRS😂, yet they were dealing with a legacy system

Hi all, thanks for accepting. First of all, I am new in functional safety and sorry for my bad english😊. Actually I have some doubt about one of variable in PFDavg calculation namely mission time, couple of question to all: 1. What will happen in the end of mission time?should end user decommissioned the plant?or just replace everything and the mission time will get restarted? 2. If it depend on end user, than based on what consideration usually for them to determine the correct mission time?and what is the reason behind that? 3. Since by the time PFDavg will get derated, and SIL claimed may decreased over the time, shouldn't end user decide to set the mission time before the SIL/RRF drops beyond the rating it should be? Hope you guys can share your knowledge. Thanks,