  • The use of Bayesian Networks in Functional Safety - Whitepaper

    Functional safety engineers follow the ISA/IEC 61511 standard and perform calculations based on random hardware failures. These result in very low failure probabilities, which are then combined with similarly low failure probabilities for other safety layers to show that the overall probability of an accident is extremely low (e.g., 1E-5/yr). Unfortunately, such numbers are based on frequentist assumptions and cannot be proven. Looking at actual accidents caused by control and safety system failures shows that accidents are not caused by random hardware failures. Accidents are typically the result of a steady and slow normalization of deviation (a.k.a. drift). It is up to management to control these factors. However, Bayes’ theorem can be used to update our prior belief (the initial calculated failure probability) based on observing other evidence (e.g., the effectiveness of the facility’s process safety management process). The results can be dramatic.

  • Ten Fingers and Ten Toes: Applying Machinery Safety Principles in a Process Plant

    by Lauren J. Caldwell, PE(SC), CFSP, CMSE

    When performing risk assessments on process equipment, are you reviewing machinery as well? Bag dump stations, conveyors, and various vendor-packaged machinery provided with E-Stops are sometimes evaluated in a Process Hazards Analysis (PHA), but they tend to be reviewed at a high level. Because they do not have process flow, they may not be viewed as having traditional process safety hazards. Machines still have hazards, and there is a need for a deeper dive with respect to machinery-related hazards. Did you know that machinery E-Stops fall under OSHA’s General Duty Clause? In an interpretation letter from April 28, 1999, OSHA noted, “If a serious injury could result from an improperly-designed or installed emergency stop device, a citation under the OSH Act’s General Duty Clause could be issued.” This brings the question: how should machinery without process flow be addressed? There are separate standards available for evaluating machinery hazards and designing their safeguards appropriately: ISO 12100, IEC 62061, and ISO 13849. Fortunately, functional safety of machinery follows a similar workflow to the process safety lifecycle. Similar to identifying risk gaps in a Process Hazards Analysis (PHA), we can identify risk gaps for machinery. We can define risk targets, determine how best to close the risk gaps, specify a design, and verify that the risk has been adequately addressed. This paper presents a practical example application to demonstrate machinery safety risk reduction in accordance with machinery safety standards for machinery common to chemical process plants.

  • Reverend Bayes, Meet Process Safety-Use Bayes’ Theorem to Establish Site Specific Confidence in LOPA

    The process industry has an established practice of crediting IPLs (Independent Protection Layers) to meet risk reduction targets as part of LOPA (Layer of Protection Analysis) studies. Often the risk targets are calculated to be on the order of 1E-4 per year or lower. Achieving the risk target on paper is one thing, but what is missing from the LOPA calculation is a statement of the confidence in the result. LOPA is an order-of-magnitude method; however, this only reflects the tolerance of error, not the tolerance of uncertainty. It is often stated that LOPA uses generic credits that are conservative, thereby implying the LOPA result should be conservative. By itself this statement is dubious, because the generic data used in LOPA did not originate from the facility for which the statistical inferences are being made (which, for frequentist-based statistics, makes the inference invalid). Worse, when conservative credits are multiplied together to produce a rare-event number, does the conservative property emerge from the combination? There is no way to answer this question without performing IPL Validation (i.e., ensuring the IPL will function when needed). However, IPL Validation and related Safety Lifecycle methods (e.g., functional safety assessments and cyber-security audits related to barrier integrity) are purely qualitative and have no apparent relation to the quantitative risk target. There is a need, therefore, to bridge the qualitative results of IPL Validation with the quantitative result of the associated LOPA calculation, as a way to establish a site-specific confidence level in the risk target we are trying to achieve. This is where Bayes’ Theorem comes in. Bayes’ Theorem is an epistemological statement of knowledge, versus a statement of proportions and relative frequencies. It is therefore a method that can bridge qualitative knowledge with the rare-event numbers that are intended to represent that knowledge.

    Bayes’ Theorem is sorely missing from the toolbox of process safety practitioners. This paper introduces Bayes’ Theorem to the reader and discusses the reasons and applications for using Bayes in process safety related to IPLs and LOPA. While intended to be introductory (so as not to discourage potential users), this paper describes simple Excel-based Bayesian calculations that the practitioner can begin to use immediately to address issues such as uncertainty, establishing confidence intervals, properly evaluating LOPA gaps, and incorporating site-specific data, all related to IPLs and barriers used to meet LOPA targets.

  • Lessons Learned on SIL Verification and SIS Conceptual Design

    by Richard E. Hanner & aeSolutions Technical Team

    There are many critical activities and decisions that take place prior to and during the Safety Integrity Level (SIL) Verification and other Conceptual Design phases of projects conforming to ISA84 and ISA/IEC 61511. These activities and decisions introduce either opportunities to optimize or obstacles that impede project flow, depending on when and how these decisions are managed. Implementing Safety Instrumented System (SIS) projects that support the long-term viability of the Process Safety Lifecycle requires that SIS Engineering is in itself an engineering discipline that receives from, and feeds to, other engineering disciplines. This paper examines lessons learned within the SIS Engineering discipline and between engineering disciplines that help or hinder SIS project execution in achieving the long-term viability of the Safety Lifecycle. Avoiding these pitfalls can allow your projects to achieve the intended risk reduction and conformance to the ISA/IEC 61511 Safety Lifecycle, while avoiding the costs and delays of late-stage design changes. Alternate execution strategies are explored, as well as the risks of moving forward when limited information is available.

    Topics include: IEC 61511, ISA/IEC 61511, Safety Instrumented Systems (SIS), Independent Protection Layers (IPL), Functional Safety Assessment (FSA), Safety Requirement Specification (SRS), Safety Lifecycle, Functional Safety Management Plan (FSMP), Project Execution Plan (PEP), SIS Front-End Loading (SIS FEL), Layer of Protection Analysis (LOPA), SIL Verification

  • Improving Human Factors Review in PHA and LOPA

    Human Reliability practitioners utilize a variety of tools in their work that could improve the facilitation of PHA-LOPA related to identifying and evaluating scenarios with a significant human factors component. These tools are derived from human factors engineering and cognitive psychology and include (1) task analysis, (2) procedures and checklists, (3) human error rates, (4) systematic bias, and (5) barrier effectiveness using Bow-tie. Human error is not random, although the absent-minded slips we all experience seem to come out of nowhere. Instead, human error is often predictable based on situations created external or internal to the mind. Human error is part of the human condition (part of being a human) and as such cannot be eliminated completely. For example, a task performed at high frequency (e.g., daily or weekly) develops a highly skilled operator with an expectation of a low error probability for that task. However, as the operator’s skill increases, their reliance on procedures decreases, leaving them open to memory lapses caused by internal or external distractions. The fact that a skilled operator becomes less dependent on procedures is not a conscious decision. It is part of the human condition. Forcing a skilled operator to read the procedure while performing the task they are skilled at is like asking you to think about what your feet are doing as you walk down a flight of stairs. In both cases a loss of adroitness will occur. A large portion of this paper describes, with practical examples, the five tools mentioned above. Task analysis is a talk-through and walk-through exercise of a task (typically focusing on one or two critical steps of a procedure) that is used to identify error-likely situations (ELS). Quantitative human error rates can be attached to the ELS depending on whether the error is associated with skill-, rule-, or knowledge-based (SRK) performance.

    Systematic biases produced by Type 1 (fast) thinking cause judgment and diagnosis errors related to response to abnormal situations. Having a working knowledge of these five tools will improve a PHA-LOPA facilitator’s awareness and ability to better evaluate human error related scenarios and barrier failure. In addition, the facilitator will feel confident about recommending the need for a more detailed follow-up study such as an HRA (Human Reliability Analysis).

    Topics include: Human Factors, Human Error, PHA, LOPA, Facilitator, Task Analysis, Bias, Cognitive Psychology

  • Implementing Safety Instrumented BMS: Challenges and Opportunities

    by Brittany Lampson, PhD & aeSolutions Technical Team

    Implementing a Safety Instrumented Burner Management System (SI-BMS) can be challenging, costly, and time consuming. Simply identifying design shortfalls/gaps can be costly, and this does not include costs associated with the capital project to target the gap closure effort itself. Additionally, when one multiplies the costs by the total number of heaters at different sites, these total costs can escalate quickly. However, a “template” approach to implementing SI-BMS in a brownfield environment can offer a very cost-effective solution for end users. Creating standard “templates” for all deliverables associated with a SI-BMS will allow each subsequent SI-BMS to be implemented at a fraction of the cost of the first. This is because a template approach minimizes rework associated with creating a new SI-BMS package. The ultimate goal is to standardize implementation of SI-BMS in order to reduce engineering effort, create standard products, and ultimately reduce cost of ownership.

  • Identifying Required Safety Instrumented Functions for HIGH-TECH & SEMICONDUCTOR MANUFACTURING

    by Ken O’Malley, P.E., aeSolutions founder

    Full paper title: Identifying Required Safety Instrumented Functions for Life Safety Systems in the High-Tech and Semiconductor Manufacturing Industries

    This paper discusses the issues, decisions, and challenges encountered when attempting to initially apply the concepts of the Safety Lifecycle per ANSI/ISA S84.01 to the design of a Life Safety System at a state-of-the-art fiber optic manufacturing facility. More specifically, the methodology and procedures utilized for identification of Safety Instrumented Functions (SIF) and subsequent Safety Integrity Level (SIL) determination are discussed in detail. In addition, industry-specific issues associated with the design of Life Safety Systems and the use of mitigation versus prevention techniques (typically encountered in the process industry) are also discussed.

    Topics include: ANSI/ISA S84.01, Safety Instrumented Systems, Safety Instrumented Functions, Safety Integrity Levels, Life Safety Systems

  • How Can I Effectively Place My Gas Detectors

    Several Recognized and Generally Accepted Good Engineering Practices (RAGAGEPs) exist to help with the selection and placement of gas detectors (e.g., ISA-TR84.00.07, NFPA 72, UL-2075). However, there is no consistent approach widely used by companies. Historically, gas detection has been selected based on rules of thumb and has been largely dependent on experience. Over the last several years there has been a growing interest in determining not only the confidence but also the effectiveness of those gas detection systems. In fact, incorrect detector placement far outweighs the probability of failure on demand (of the individual system components) in limiting the effectiveness of the gas detection system. An effective gas detection system has three elements:
      1. A comprehensive Gas Detection Philosophy
      2. Appropriate Detector Technology Selection
      3. Correct Detector Placement
    The Gas Detection Philosophy clearly specifies the chemicals of concern and the intended purposes, i.e., detection of toxic or combustible levels, voting requirements, alarm rationalization, and control actions. Appropriate Detector Technology Selection includes consideration of the target gas and the required detection concentration levels. The primary approaches for Detector Placement are geographic and scenario-based coverage. Geographic coverage places detectors on a uniform grid, and sometimes areas are risk ranked to reduce the number of detectors required. Scenario-based coverage uses a range of leak models and places gas detectors based on the dispersion modeling results. All three elements for effective gas detection (philosophy, technology, and placement) are interdependent, and understanding their relationships is of paramount importance to designing an effective gas detection system.

    The intention of this paper is to present the main considerations that design engineers and process safety professionals should address for each gas detection system element in order to obtain the best return on investment when placing gas detectors.

    Topics include: Instrumentation, Reduction of Risk, Risk Assessment, Protection, Detection System, Alarms and Operator Interventions, Detector, Gas Detection/Dispersion Prediction

  • Designing Operator Tasks to Minimize the Impact of Heuristics and Biases

    Oftentimes when a person is blamed for “not thinking,” the reality is they were thinking, but were not aware of it. This is the theory of System 1 (i.e., fast) versus System 2 (i.e., slow) thinking, which explains that we are really two people: our conscious, aware selves (System 2 thinking), and a dominant “fast” subconscious making most of our decisions (System 1 thinking) without our being consciously aware of it in the moment (to the point that some have argued there is no such thing as “free will”). The heuristics (i.e., mental shortcuts) we use to think in System 1 are necessary to make it through a day (it is exhausting to maintain a continuous conscious stream of thought), and often lead to good outcomes. However, System 1 thinking can make us vulnerable to systematic biases (i.e., mental traps) that arise from the use of those heuristics. It is necessary to be aware of the traps System 1 thinking can create, because oftentimes that is our only defense against them. In this respect, “fast thinking” represents one of the fundamental limits to achieving safe operation. In addition to awareness, there is a need, where possible, to design operator tasks and the interfaces they use to minimize the likelihood of systematic bias occurring when thinking in System 1. Lastly, it would be useful to provide designs that could increase the potential for the operator to engage System 2 thinking (consciousness) when required, which is less susceptible to biases. This paper proposes a combined approach: discussing the cognitive psychology behind System 1 and System 2 thinking, the types of heuristics we use, the biases that result, and operator task and interface design that can minimize the likelihood of systematic bias. The paper incorporates the learnings from 5 years of safety-critical Task Analysis performed for field and control room tasks.

    A practical model of operator response to abnormal situations is described that links the heuristics used and the potential biases that may occur, as well as design features to minimize the likelihood of those occurring. As presented at the 2020 AIChE Spring Meeting & 16th Global Congress on Process Safety.

  • Decoding SIS: Are You Doing What’s Necessary to Prevent Disasters?

    by Emily Henry, PE(SC), CFSE & aeSolutions Technical Team

    When your facility is tasked with industry safety standard compliance, where do you start? What do all those SIS acronyms mean? For OSHA PSM-covered facilities, adherence to a functional safety lifecycle can be a critical step in overall SIS performance assurance. What is hiding under the radar of a plant SIS? Risk assessments define hazard consequences with assumed initiating event frequencies. How do we prevent these consequences? By verifying the reliability and availability assumptions of SIL Verification design parameters. Without understanding the design parameters your SIS is based upon, or without proper maintenance of your SIS equipment, your risk assessment gap closure may be incomplete. What factors into the assumptions of an SIS design? Are your safety devices replaced at their specified asset life, tested at the specified interval, and tested with the necessary rigor to uncover dangerous failures as assumed in your calculations? What does following the Functional Safety Lifecycle entail? Does your facility have a Functional Safety Management Plan, perform Functional Safety Assessments on your SIS design, and keep records of device failures to evaluate field performance against assumed reliability? This paper illustrates the real consequences of failing to uphold SIS design assumptions or to follow the Functional Safety Lifecycle.

    Prepared for presentation at the American Institute of Chemical Engineers 2024 Spring Meeting and 20th Global Congress on Process Safety, New Orleans, LA, March 24-28, 2024

  • Case Study of a Safety Instrumented Burner Management System (SI-BMS)

    by aeSolutions Technical Team

    This case study discusses the application of the safety lifecycle as defined by ANSI/ISA 84.00.01-2004 (IEC 61511 mod) to two single-burner, multiple-fuel boilers. Each boiler is capable of firing natural gas, oil and/or waste gas in order to supply the plant header with 1,365 psig steam at a maximum capacity of 310,000 lb/hr. The project team included the end client task force at the manufacturing facility, the engineering firm with design/procurement responsibility, the boiler OEM, the burner/gas train OEM, and the safety instrumented system consultant. This paper covers:
      • the development of a SIS front end loading package
      • the project cost savings realized, attributed to following the safety lifecycle
      • the challenges encountered during the design process associated with the implementation of the safety lifecycle across a diverse project team

  • Can we achieve Safety Integrity Level 3 (SIL 3) without analyzing Human Factors?

    by Keith Brumbaugh, P.E.

    Many operating units have a common reliability factor which is being overlooked or ignored during the design, engineering, and operation of high integrity Safety Instrumented Functions (SIFs). That is the Human Reliability Factor. In industry, there is an over-focus on hardware reliability to the n’th decimal point when evaluating high integrity SIFs (such as SIL 3), all to the detriment of the human factors that could also affect the Independent Protection Layer (IPL). Most major accident hazards arise from human failure, not failure of hardware. If all that were needed to prevent process safety incidents were to improve the hardware reliability of IPLs to some threshold, the frequency of near misses and actual incidents should have tailed off long ago, but it hasn’t. Evaluating the human impact on a Safety Instrumented Function requires performing a Human Factors Analysis. Human performance does not conform to standard methods of statistical uncertainty, but Human Reliability as a science has established quantitative limits of human performance. How do these limits affect what we can reasonably achieve with our high integrity SIFs? What are the uncertainty impacts introduced to our IPLs if we ignore these realities? This paper examines how we can incorporate quantitative Human Factors into a SIL analysis. Representative operating units at various stages of maturity in human factors analysis and the IEC/ISA 61511 Safety Lifecycle are examined. The authors also share a checklist of the human factor considerations that should be taken into account when designing a SIF or writing a Functional Test Plan.