Memberships

Functional Safety Play Book

258 members • Free

7 contributions to Functional Safety Play Book
Burner protection
My proposed topic for discussion: I have experience in conducting SIL requirement assessments for furnace burning systems. Each client of such analyses has a slightly different approach and risk assessment procedure which I should follow. However, as an analyst and session leader I don't always agree with them. It is always a challenge for me, as analyzing such a system raises many questions about the validity of decisions made during the LOPA.

Briefly: this particular protection system consists of many safety instrumented functions protecting the furnace, like low and high pressure of the fuel gas, low pressure of combustion air, loss of flame, overpressure in the combustion chamber, wrong air/fuel ratio, CO/O2 flue gas detection, flue gas damper closure detection and some others depending on the specific technology used.

So the first issue of this SIL analysis is related to the layers of protection. In the most conservative case, we can't take credit for any additional layers of protection independent of the analyzed function. Why? Because all possible other actions are still the same: close the double shutoff valves on the fuel supply line to the burners, the same valves which are part of the SIF we are talking about. What's more, it's not always possible to ensure a low personnel presence rate in the hazardous area. This of course results in very high SIL requirements. But I always wonder whether this approach is practical and not too conservative?

The second question is whether each of these SIFs really needs to be analyzed separately, when most of them protect the furnace from loss of flame and the chamber from the formation of an explosive atmosphere. Perhaps some functions can actually be considered as one SIF with redundancy and diversification of measurement systems detecting different physical quantities? This case is much closer to my approach to the practical side of functional safety.
By the way, I've also got a third point of view, but maybe I will describe it a little later during the discussion.
1 like • 18d
@Tomasz Barnert Check out Ch.29 of FSiP on Compound SIF which discusses this question in relation to a fired heater.
Trip and process valves
Hi all. I would like to hear everyone's views and opinions on having one valve for control and one valve for safety, or having one valve that does both. If you have one valve, what are your arguments regarding independence, CCF, and control system errors?
0 likes • 23d
Yes . = x 😁
0 likes • 23d
Given that a control valve can typically be included as a redundant FE for the price of a solenoid valve circuit, NOT to share such an element might well be a mistake.
Hardware Fault Tolerance (HFT)
Hi all, a question on HFT... As an example, if during design your SIF is required to have a minimum HFT of 1 (i.e. the system can withstand one dangerous failure to one channel), is 1oo2 still considered HFT = 1? Although I always believed this to be the case, I have seen an argument that this is actually not true, because if one channel fails you cannot continue to perform the safety function with one dangerous failure present, i.e. it then becomes a 1oo1 when a single fault occurs... unless you have good enough Diagnostic Coverage (DC%) in each channel to detect the fault early; then this can be classed as 1oo2D (with diagnostics) and still claim HFT = 1. Just wondering what other people's thoughts are on this and whether the above statement is correct? And if it is correct, then what kind of DC% would you be looking for to qualify your voted system as 1oo2D?
1 like • 24d
By design, 1oo2 offers HFT=1. We accommodate single channel dangerous failures through DC/MTTR/MRT etc. The design would be compliant with the HFT=1 requirement even if it degrades to 1oo1 on a dangerous failure.
1 like • 24d
Yes. The specified repair time with a diagnosed failure or one revealed through a proof test. This could be exceeded if 'compensating measures' are introduced. Not something to get too excited about frankly. The numbers can only ever be a very rough guide...
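The HFT exchange above turns on how a dangerous failure in one channel of a 1oo2 group is accommodated through DC, MTTR and MRT. The following is an added worked example, not code from this thread or from 'Functional Safety in Practice': it implements the IEC 61508-6 Annex B simplified PFDavg equations for 1oo1 and 1oo2 low-demand architectures and sweeps the diagnostic coverage fraction to show how much of the 1oo2 result is driven by common cause rather than by independent channel failures. The failure rate, proof-test interval, repair times and beta factors are constructed illustration values, not data for any real device.

```python
"""
Added worked example: IEC 61508-6 Annex B simplified PFDavg equations for
1oo1 (HFT = 0) and 1oo2 (HFT = 1) low-demand architectures.

All numeric inputs are constructed illustration values, not data from any
real device, project or the forum thread this accompanies.
"""
from dataclasses import dataclass

# Low-demand SIL bands (IEC 61508-1): (SIL, PFDavg lower bound, PFDavg upper bound)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


@dataclass(frozen=True)
class Channel:
    lambda_d: float  # total dangerous failure rate per hour (lambda_DU + lambda_DD)
    dc: float        # diagnostic coverage: fraction of lambda_d detected online
    t1: float        # proof-test interval, hours
    mttr: float      # mean time to restoration after a diagnosed (DD) failure, hours
    mrt: float       # mean repair time after a failure revealed by proof test, hours

    @property
    def lambda_dd(self) -> float:
        return self.lambda_d * self.dc

    @property
    def lambda_du(self) -> float:
        return self.lambda_d * (1.0 - self.dc)

    def t_ce(self) -> float:
        """Channel equivalent mean down time: undetected faults wait on average
        half a proof-test interval plus MRT; detected faults wait only MTTR."""
        return (self.lambda_du / self.lambda_d) * (self.t1 / 2 + self.mrt) \
            + (self.lambda_dd / self.lambda_d) * self.mttr

    def t_ge(self) -> float:
        """Voted-group equivalent down time used in the 1oo2 equation
        (T1/3 instead of T1/2 for the second channel)."""
        return (self.lambda_du / self.lambda_d) * (self.t1 / 3 + self.mrt) \
            + (self.lambda_dd / self.lambda_d) * self.mttr


def pfd_1oo1(ch: Channel) -> float:
    """PFDavg of a single channel (HFT = 0); also the degraded state of 1oo2."""
    return ch.lambda_d * ch.t_ce()


def pfd_1oo2(ch: Channel, beta: float, beta_d: float) -> float:
    """PFDavg of two identical channels voted 1oo2 (HFT = 1).

    beta   : common-cause fraction for undetected dangerous failures
    beta_d : common-cause fraction for detected dangerous failures
    """
    independent = 2 * ((1 - beta_d) * ch.lambda_dd + (1 - beta) * ch.lambda_du) ** 2 \
        * ch.t_ce() * ch.t_ge()
    common_cause_dd = beta_d * ch.lambda_dd * ch.mttr
    common_cause_du = beta * ch.lambda_du * (ch.t1 / 2 + ch.mrt)
    return independent + common_cause_dd + common_cause_du


def sil_band(pfd: float) -> int:
    """Map a PFDavg to its low-demand SIL band; 0 means no SIL is achieved.
    Values below 1e-5 fall outside the SIL 4 band and are reported as 4."""
    if pfd >= 1e-1:
        return 0
    if pfd < 1e-5:
        return 4
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def dc_sweep(base: Channel, beta: float, beta_d: float, dcs) -> list:
    """Recompute the 1oo2 PFDavg for each diagnostic coverage value in dcs,
    holding every other parameter constant."""
    return [(dc, pfd_1oo2(Channel(base.lambda_d, dc, base.t1, base.mttr, base.mrt),
                          beta, beta_d)) for dc in dcs]


# Constructed illustration channel: 2e-6 /h dangerous rate, 60 % DC,
# annual proof test, 8 h MTTR and MRT. Beta factors of 10 % / 5 % are common
# textbook assumptions, not measured values.
EXAMPLE = Channel(lambda_d=2e-6, dc=0.6, t1=8760.0, mttr=8.0, mrt=8.0)
BETA, BETA_D = 0.10, 0.05

if __name__ == "__main__":
    print(f"1oo1 PFDavg = {pfd_1oo1(EXAMPLE):.3e}  -> SIL {sil_band(pfd_1oo1(EXAMPLE))}")
    p2 = pfd_1oo2(EXAMPLE, BETA, BETA_D)
    print(f"1oo2 PFDavg = {p2:.3e}  -> SIL {sil_band(p2)}")
    for dc, p in dc_sweep(EXAMPLE, BETA, BETA_D, [0.0, 0.3, 0.6, 0.9, 0.99]):
        print(f"  DC = {dc:.2f}: 1oo2 PFDavg = {p:.3e}")
```

Running the sweep shows that the beta-weighted undetected common-cause term dominates the 1oo2 result for these inputs, so raising DC in each channel buys more than the independent-failure term alone suggests; that is the quantitative side of the "DC/MTTR/MRT" answer above.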
Functional Safety Phase Verifications
Good Morning All! Just wanted to have a discussion based on Phase 9 of the IEC 61511 lifecycle, 'Verification'. I often see this phase being overlooked and only ever hear the word 'Verification' associated with SIL Calcs. Within the standard it specifies that at the end of each lifecycle phase there should be a Verification check done to ensure the required outputs satisfy the defined requirements for the appropriate phases as identified by the verification plan. I think a good project FSMP should include a Verification Plan, but I often see this section being missed from most. I guess my question here is what experience does everyone here have with Phase Verification, and how do you normally implement it throughout a project?
0 likes • 24d
Verification of phase deliverables is usually performed through check and approval protocols. (See Ch.17 Verification & Validation in 'Functional Safety in Practice'.)
Mission Time
Hi all, thanks for accepting. First of all, I am new to functional safety, and sorry for my bad English 😊. Actually I have some doubts about one of the variables in the PFDavg calculation, namely mission time. A couple of questions to all:
1. What will happen at the end of the mission time? Should the end user decommission the plant, or just replace everything so that the mission time restarts?
2. If it depends on the end user, then based on what considerations do they usually determine the correct mission time, and what is the reason behind that?
3. Since PFDavg degrades over time and the claimed SIL may decrease, shouldn't the end user set the mission time before the SIL/RRF drops below the rating it should have?
Hope you guys can share your knowledge. Thanks,
0 likes • Mar 17
My understanding: Mission Time is the period after which PFD is returned to zero by full 100% testing or overhaul/replacement to 'as new' condition. Useful life is the theoretical period for which failure data is valid. It can be extended if there is no degradation. See 'Functional Safety in Practice' Ch.19.
0 likes • Mar 25
@Iyan Putra Some may be 100% covered if elements are of a type that allows this (e.g. trip amps, relays, contactors). Otherwise equipment is overhauled or replaced as necessary to return to 'as new' condition. Note this is on a per element basis, not the whole SIF. Different elements may have different mission times.
Harvey Dearden
@harvey-dearden-9397
Author of 'Functional Safety in Practice'
Joined Mar 16, 2026