
  • What is Truth? Do SIL Calculations Reflect Reality?

    by Keith Brumbaugh

    Is our industry stuck in the past? The current industry trend is to only look at random hardware failures in safety integrity level (SIL) probability of failure on demand (PFD) calculations. No one would appear to be updating assumptions as operating experience is gained. Hardware failure rates are generally fixed in time, assumed to be average point values (rather than distributions), and either generic in nature or specific to a certain set of hardware and/or conditions which the vendors determine by suitable tests or failure mode analysis. But are random hardware failures the only thing that causes a safety instrumented function (SIF) to fail? What if our assumptions are wrong? What if our installations do not match vendor assumptions? What else might we be missing? How are we addressing systematic failures? One obvious problem with incorporating systematic failures is their non-random nature. Many functional safety practitioners claim that systematic errors are addressed (i.e., minimized or eliminated) by following all the procedures in the ISA/IEC 61511 standard. Yet even if the standard were strictly adhered to, could anyone realistically claim a 0% chance of a SIF failing due to a human factor? Some will say that systematic errors cannot be predicted, much less modeled. But is that true? This paper will examine factors which tend to be ignored when performing hardware-based reliability calculations. Traditional PFD calculations are merely a starting point. This paper will examine how to incorporate systematic errors into a SIF’s real-world model. It will cover how to use Bayes theorem to capture data after a SIF has been installed — either through operating experience or industry incidents — and update the function’s predicted performance. This methodology can also be used to justify prior use of existing and non-certified equipment.

  • Stopping the Swirl: Facilitation Tools that Improve PHA Results and Efficiency

    by Jacob Lindler

    Effective Process Hazard Analysis (PHA) facilitators combine soft skills with technical knowledge to guide PHA teams through a thorough identification and analysis of process hazards. PHAs for complex processing units place a significant demand on the time of valuable engineering, design, and operations personnel, so conducting an efficient PHA is key to minimizing team fatigue and maximizing available resources. Inevitably, there are hazard scenarios at which the team’s discussion begins to swirl, circling around multiple consequence definitions or risk rankings without coming to agreement. Facilitators should consider the following examples of tools successfully used to stop the swirl by providing the PHA team with the right information at the right time.

    PHA studies are the core of process safety and risk management programs. They help companies identify hazard scenarios that could lead to a release of highly hazardous chemicals that can cause negative impact on people, the environment, and property. PHA is required by OSHA's PSM (29 CFR 1910.119) and EPA's RMP (40 CFR 68) regulations in the US and by process safety and risk management regulations around the world. Companies that handle or process highly hazardous chemicals have a responsibility to protect employees, the public and the environment from exposure to accidental releases. aeSolutions specializes in various PHA methodologies, such as Hazard and Operability Studies (HAZOP), Control Hazard and Operability Studies (CHAZOP), Hazard Identification (HAZID), What-If, Checklist, Bowtie, and Failure Modes and Effects Analysis (FMEA), to meet regulatory and client requirements. Our experienced, trained facilitators specialize in the process safety lifecycle to fully integrate assessment, design, and operation of the facility.

  • Breathing Life into the Alarm Management Lifecycle

    by Sarah Manelick

    ‘Evergreen’ and ‘lifecycle’ have become two common buzzwords in our industry. They are thrown around in a variety of topics, processes, and philosophies as descriptions of how management plans should be set up. But what does it really mean to have an evergreen process? How does one keep a lifecycle alive? This is especially relevant when it comes to topics such as alarm management, where it is commonly touted that once a plant rationalizes its entire system, it has completed alarm management. This paper will deconstruct the alarm management lifecycle and pinpoint key aspects that can be integrated into process safety management systems and work processes that already exist. Tying the alarm management lifecycle to what is already being done as part of process safety and good engineering practice will help to ensure it remains ‘evergreen’ and delivers the intended benefits.

    aeSolutions offers services and systems to bring the client’s alarm management practices into compliance with the current ISA 18.2 standards. Our services are designed to support our clients’ desire to encourage a culture of sustainable alarm management as an important component of their overall process safety strategy.

  • IPL/CMS- Integrity Management of Non-SIS Independent Protection Layers after the LOPA

    by Ron Nichols

    Abstract: This paper discusses the identification, selection, implementation and management of non-SIF IPLs through the process lifecycle.

    1. Layer of Protection Analysis

    Layers of Protection Analysis (LOPA) in conjunction with the Process Hazard Analysis (PHA) is now a key tool used by the chemical, oil and gas industries to assist companies in identifying, implementing and managing the critical safeguards needed to achieve their risk tolerance targets. The LOPA is used to identify the number of Independent Protection Layers (IPLs) and their integrity needed to reduce the likelihood that an initiating cause will progress to an undesired consequence to an acceptably low frequency.

    2. Lifecycle Management of IPLs

    Since the acceptance of ISA 84.00.01 / ISA/IEC 61511, the lifecycle management of safety instrumented systems is now being implemented throughout industry. The required safety integrity level (dependability) for the safety instrumented functions (SIFs) is obtained by closing the LOPA gaps between the existing mitigated event likelihood (MEL) and the company’s target mitigated event likelihood (TMEL). Often a SIF is combined with non-SIF IPLs to achieve the risk reduction gap closure, reducing the SIL requirement assigned to that SIF. To maintain acceptable risk targets, all IPLs, not just SIFs, must be managed through the lifecycle of the process. This is because many LOPA gaps are closed only by non-SIF IPLs, and the SIL assignment for many SIFs depends on the non-SIF IPLs used in that LOPA.

  • Methodologies in Reducing Systematic Failures of Wired IPLs

    by Richard E. Hanner & Tab Vestal

    The history of high consequence incidents in industry reveals that most accidents were the result of systematic failures, not hardware failures. However, a higher degree of focus in engineering is often on the quantifiable failures of hardware. Process safety risk gaps are often closed or reduced by several types of Independent Protective Layers (IPLs). Two common types are Safety Instrumented Functions (SIFs) and Basic Process Control System (BPCS) functions. The SIFs typically reside within a SIL-rated programmable logic controller, and their achieved quantitative performance is calculated based on random hardware failures of the SIF hardware components. Conversely, BPCS protective layers are assigned generic industry-accepted probability of failure credits. The BPCS generic industry-accepted probabilities of failure are conservatively assigned and consider unquantifiable human-induced systematic failures. In either case, the likelihood of systematic failures can be reduced by recognizing design, specification, maintenance, and operations activities that are potential sources, and applying measures to prevent or reduce them. By reducing systematic failures, you reduce the risk in the industrial process and increase confidence in meeting the intended integrity requirements. This technical paper will discuss the common sources of systematic failures and preventative or mitigative measures to prevent their occurrence.

    Topics included in whitepaper: systematic failure, random hardware failure, Independent Protective Layer, IPL, SIF, SIS, BPCS, common cause, Human Factor Analysis, SIL Verification

  • FGS 1400 MK II - Evolution of the traditional Fire panel

    by Warren Johnson, PE, PMP

    In 2005, aeSolutions recognized an industry need for Fire and Gas panels based on a SIL capable PLC safety control platform. Large industrial clients were looking for a system capable of monitoring and controlling fire system I/O, combustible gas, toxic gas, and oxygen depletion detectors, initiating suppression release, controlling HVAC, and performing process safety shutdowns. To develop the Fire and Gas system requirements needed by industry, we first needed to understand the regulatory requirements, applicable industry standards, and the types of fire and gas systems currently in use. Here are some of the key regulatory requirements mandated by OSHA:

    - OSHA 1910.155 Fire Detection - 3rd party approval by nationally recognized laboratory
    - OSHA 1910.164 Fire Detection Systems - circuit supervision
    - OSHA 1910.165 Employee Alarm Systems - circuit supervision
    - Power supply monitoring

    Other key drivers are determining which industry standards are applicable. Are the standards mandatory? Many local and state codes reference the International Building Code. This code requires the use of NFPA 72 for fire alarm signaling systems. The authority having jurisdiction (AHJ) in each jurisdiction has the final authority in determining the applicable standards that the fire alarm system must meet.

  • Improving the Safety Instrumented System (SIS) Design Process with Graphic Diagrams

    by Keith A. Brumbaugh, PE

    During a Safety Instrumented System (SIS) implementation project at a plant site new to the ANSI/ISA 84 process safety lifecycle world, we discovered the importance of utilizing graphic diagrams in the development of SIS-related documentation to support the on-site team meetings and document decisions. In a room full of plant operators and engineers accustomed to working “hands on” in the field, it was often far easier to keep the team on track when they were provided with a drawing to discuss, as opposed to having the team look at a screen full of text. The graphic diagrams also provided the design team with equal benefits, as we received more focused feedback from team members, allowing for more efficient and thorough updates to documentation. This method of capturing team member input also enabled concise integration of the team input into various SIS-related documents during and after the meetings. Examples of these graphic diagrams included the following:

    - A logic solver block diagram - used to quickly identify which Logic Solver Safety PLCs, Independent Protection Layers (IPLs), Logic Narratives, and Equipment were related to each other.
    - Logic flow diagrams for heaters and boilers - used to visualize the order in which light-off permissives would be met, which statuses would cause a partial or complete trip, and related IPLs.
    - SIF diagrams - used to depict complex SIF architecture to keep track of how a SIF would function.

    The author will present examples of the different types of graphic diagrams, methods in which the diagrams were utilized, and the benefits that each provided in the implementation of certain phases of an ANSI/ISA 84 SIS lifecycle project. These diagrams were considered to be valuable process safety information and part of the final SIS Front End Loading design.

  • Does Your Facility Have the Flu? Use Bayes Rule to Treat the Problem Instead of the Symptom

    by Keith Brumbaugh

    Is our industry addressing the problems facing it today? We idealize infinitesimally small event rates for highly catastrophic hazards, yet are we any safer? Have we solved the world’s problems? Layers of protection analysis (LOPA) drives hazardous event rates to 10^-4 per year or less, yet industry is still experiencing several disastrous events per year. If one estimates 3,000 operating units worldwide and industry experiences approximately 3 major incidents per year, the true industry accident rate is a staggering 3 / 3,000 per year (i.e. 10^-3). All the while our LOPA calculations are assuring us we have achieved an event rate of 10^-6. Something is not adding up! Rather than fussing over an unobtainable numbers game, wouldn’t it be wiser to address protection layers which are operating below requirements? We are (hopefully) performing audits and assessments on our protection layers and generating findings. Why are we not focusing our efforts on the results of these findings? Instead, we demand more bandages (protection layers) for amputated limbs (LOPA scenarios) rather than upgrading those bandages to tourniquets. Perhaps the dilemma is that we cannot effectively prioritize our corrective actions based on findings. Likely we have too much information and the real problems are lost in the chaos. What if there was a way to decipher the information overload and visualize the impact of our shortcomings? Enter Bayes rule to provide a means to visualize findings through a protection layer health meter approach, to prioritize action items and staunch the bleeding.

    Topics include: Bayes, Bayes rule, Bayes theory, LOPA, IPL, SIS, SIF, SIL calculations, systematic failure, human factors, human reliability, operations, maintenance, IEC 61511, ANSI/ISA 61511, hardware reliability, proven in use, confidence interval, credible range, safety lifecycle, functional safety assessment, FSA stage 4, health meter.

  • Whitepaper: Achieving 84-92% Urgent Alarm Reduction Through Comprehensive Lifecycle Implementation: A Dual-Unit Midstream Case Study

    Awarded the Best Paper Award at the 2025 TEES Mary Kay O'Connor Process Safety Center-TAMU (MKO) Safety & Risk Conference

    Abstract

    November 2025 — Greg Pajak, aeSolutions Senior Specialist, ICA — A midstream facility implemented a systematic alarm rationalization program across two critical units, achieving unprecedented reductions in urgent alarm loads. Unit A reduced urgent alarms from 45% to 7% (84% reduction), while Unit B decreased from 62% to 5% (92% reduction). This paper presents the methodology, implementation approach, and quantified results of applying the ANSI/ISA-18.2-2016 alarm management lifecycle in a brownfield LNG facility. The comprehensive approach integrated automation, process safety, and operations perspectives, resulting in significant improvements in operator effectiveness and process safety performance. Cross-functional teams utilized the Maximum Severity Method for consistent, risk-based prioritization across 48,156 potential alarm points in Unit A and 7,009 points in Unit B. The project eliminated over 5,900 nuisance urgent alarms in Unit A and 1,960 in Unit B, transforming alarm systems from sources of operator overload into effective tools for abnormal situation management. Results demonstrate that properly implemented alarm management programs can achieve transformational improvements in operational safety and efficiency, providing a replicable model for the LNG industry.

    1. Introduction

    The liquefied natural gas (LNG) industry faces unique operational challenges due to cryogenic processes, flammable materials, and complex interdependencies between process units. Effective alarm management becomes critical for maintaining safe operations while preventing operator overload during abnormal situations. Despite widespread recognition of alarm management importance following major incidents like Texas City (2005) and Buncefield (2005), many facilities struggle to fully implement comprehensive alarm management lifecycles.

    This facility recognized that partial alarm management efforts yield limited benefits and committed to systematic implementation of the complete ANSI/ISA-18.2-2016 lifecycle. As a brownfield site with existing legacy systems, the facility faced additional challenges requiring thorough re-evaluation of alarm configurations across multiple platforms including Honeywell Experion DCS, SCADA systems, and Safety Manager. This paper presents results from two major alarm rationalization projects: Unit A and Unit B. The scope encompassed all facility alarms interacting with normal process operations, excluding only fire and gas system alarms, which were addressed separately. The rationalization effort aimed to ensure each alarm met the fundamental definition: "An audible and/or visible means of indicating to the operator an equipment malfunction, process deviation, or abnormal condition requiring a response."

    2. Background and Literature Review

    2.1 Alarm Management Standards Evolution

    The process industries have developed comprehensive standards for alarm management, with ANSI/ISA-18.2-2016 and IEC 62682:2022 representing current best practices. These standards define a complete lifecycle approach encompassing ten stages: Philosophy, Identification, Rationalization, Detailed Design, Implementation, Operation, Maintenance, Monitoring and Assessment, Management of Change, and Audit. Research demonstrates that facilities implementing partial lifecycle elements achieve limited improvements, while comprehensive implementation yields transformational results. The Abnormal Situation Management (ASM) Consortium estimates that poor alarm management contributes to $20 billion annually in lost production and incidents across the process industries.

    2.2 LNG Industry Specific Challenges

    LNG facilities present unique alarm management challenges due to:

    - Cryogenic temperature operations requiring precise control
    - Vapor management systems with rapid dynamics
    - Integration between liquefaction, storage, and regasification
    - Stringent environmental compliance requirements
    - Post-incident regulatory scrutiny

    These factors necessitate alarm systems that support rapid, accurate operator response while minimizing cognitive load during upset conditions.

    2.3 Quantifying Alarm Management Performance

    Industry benchmarks established by the Engineering Equipment and Materials Users Association (EEMUA) Publication 191 define acceptable alarm system performance metrics:

    - Average alarm rate: <1 alarm per 10 minutes
    - Peak alarm rate: <10 alarms per 10 minutes
    - Alarm priority distribution: ~80% Low, ~15% Medium, ~5% High

    However, many facilities operate far outside these guidelines, with urgent/critical alarms often comprising 30-60% of total alarm load, creating conditions where operators cannot effectively respond to genuine process upsets.

    3. Methodology

    3.1 Project Scope and Timeline

    The alarm rationalization encompassed two major operational units:

    - Unit A: Conducted January 29 - March 26, 2024
    - Unit B: Conducted March 11-15, 2024

    Both projects utilized hybrid in-person and remote participation via Webex to accommodate team members across multiple locations.

    3.2 Team Composition

    Cross-functional teams included:

    - Process Controls Engineering
    - Process Engineering
    - Operations personnel
    - Operations Management
    - Third-party facilitators (Applied Engineering Solutions) experienced in alarm rationalization methodology

    This diverse composition ensured comprehensive evaluation incorporating technical design, operational experience, and process safety perspectives.

    3.3 Rationalization Methodology

    The team employed a knowledge-based Maximum Severity Method for alarm prioritization. This approach evaluates each alarm against multiple consequence categories:

    Table 1: Severity Level Matrix

    Severity Level | Safety/Environmental                 | Economic Impact | Equipment Damage
    Catastrophic   | Fatality/Major Environmental Release | >$10M           | Total Loss
    Severe         | Lost Time Injury/Reportable Release  | $1M-$10M        | Major Damage
    Moderate       | Medical Treatment/Minor Release      | $100K-$1M       | Significant Repair
    Minor          | First Aid/No Release                 | <$100K          | Minor Repair

    The highest severity across all categories determines final alarm priority, ensuring conservative risk assessment.

    3.4 Documentation and Analysis Tools

    The rationalization process utilized:

    - Existing Honeywell Experion alarm database exports
    - Current Piping and Instrumentation Diagrams (P&IDs)
    - aeAlarm software (Sphera PHA-Pro® based) for systematic documentation
    - Historical alarm activation data to validate setpoints

    Each credible alarm was documented with:

    - Purpose and process deviation addressed
    - Consequence of no operator action
    - Required operator response
    - Time available for response
    - Priority assignment rationale

    3.5 Alarm Qualification Criteria

    Alarms were evaluated against the site's Alarm Management criteria:

    - Does the condition require operator action?
    - Is the operator the primary respondent?
    - Is there sufficient time for operator response?
    - Will the operator know what action to take?
    - Can the operator take the required action?

    Points failing these criteria were reclassified as events, journals, or removed entirely.

    4. Results and Discussion

    4.1 Unit A Alarm Reduction Results

    This rationalization achieved dramatic improvements in alarm system performance:

    Table 2: Unit A Alarm Distribution - Before and After Rationalization

    Priority | Pre-Rationalization | Post-Rationalization | Reduction
    Urgent   | 6,473 (45%)         | 571 (7%)             | 91.2%
    High     | 541 (4%)            | 405 (5%)             | 25.1%
    Low      | 7,259 (51%)         | 6,674 (87%)          | 8.1%
    Total    | 14,273 (100%)       | 7,650 (100%)         | 46.4%

    The 91.2% reduction in urgent alarms represents elimination of 5,902 nuisance or improperly classified alarms that previously competed for operator attention during critical situations.

    Figure 1: Unit A Alarm Priority Distribution Transformation (figure not reproduced here)

    4.2 Unit B Results

    Unit B demonstrated even more dramatic improvements:

    Table 3: Unit B Alarm Distribution - Before and After Rationalization

    Priority | Pre-Rationalization | Post-Rationalization | Reduction
    Urgent   | 2,036 (62%)         | 76 (5%)              | 96.3%
    High     | 377 (12%)           | 202 (14%)            | 46.4%
    Low      | 853 (26%)           | 1,164 (81%)          | -36.5%*
    Total    | 3,266 (100%)        | 1,442 (100%)         | 55.8%

    *Low priority alarms increased as urgent alarms were properly reclassified.

    The 96.3% reduction in urgent alarms eliminated 1,960 improperly configured alarms, dramatically improving the signal-to-noise ratio for genuine process upsets.

    Figure 2: Unit B Alarm Priority Distribution Transformation (figure not reproduced here)

    4.3 Systematic Improvements Identified

    The rationalization process identified 129 total action items across both units:

    - Unit A: 58 action items
    - Unit B: 71 action items

    Common improvement categories included:

    - Elimination of redundant alarms on single process deviations
    - Proper configuration of alarm deadbands and delay timers
    - Reclassification of informational points to events/journals
    - Integration of alarm response procedures with operator training
    - Correction of alarm priority inversions

    4.4 Operational Impact Assessment

    The rationalized alarm system has fundamentally transformed the operating environment at this facility. While specific quantitative metrics are proprietary, the qualitative improvements in operational performance have been significant. The dramatic reduction in alarm load, particularly in the urgent category, has created a calmer, more focused control room environment where operators can effectively manage the process rather than simply reacting to constant alarms.

    Compliance and Documentation Benefits

    - 100% of remaining alarms now have documented response procedures
    - Full traceability established for regulatory audits
    - Alarm system performance now aligns with EEMUA 191 guidelines
    - Complete audit trail maintained through aeAlarm documentation

    5. Implementation Lessons and Best Practices

    5.1 Critical Success Factors

    1. Executive Sponsorship and Resource Commitment. Full lifecycle implementation requires significant time investment from operations and engineering personnel. Executive support ensured adequate resource allocation and schedule priority.
    2. Operator Engagement Throughout Process. Including experienced operators in every rationalization session captured critical institutional knowledge and ensured practical response procedures.
    3. Systematic Methodology Application. Consistent application of the Maximum Severity Method prevented subjective priority assignment and ensured conservative risk assessment.
    4. Integration with Existing PSM Systems. Linking alarm rationalization with Management of Change, PHA revalidation, and operator training programs embedded improvements in operational practice.

    5.2 Common Challenges and Solutions

    Challenge 1: Securing Adequate Time from Key Personnel
    Solution: The primary challenge was obtaining large blocks of time from busy operational staff. The project succeeded by using flexible scheduling, breaking sessions into manageable durations, and emphasizing the long-term operational benefits of participation.

    Challenge 2: Resistance to Removing "Historical" Alarms
    Solution: Data-driven demonstration of alarm flooding impact during actual events convinced stakeholders to eliminate non-critical alarms. The involvement of extremely knowledgeable staff who understood both process and operations proved invaluable in making these decisions smoothly.

    Challenge 3: Data Consistency Across Systems
    Solution: Careful verification processes ensured alignment between disparate PLC systems and the master alarm database, preventing loss or duplication of critical alarm information.

    5.3 Technology and Tool Considerations

    The aeAlarm rationalization tool proved essential for:

    - Maintaining consistency across multiple sessions
    - Tracking action items and implementation status
    - Generating operator response documentation
    - Supporting regulatory audit requirements

    Integration with existing Honeywell Experion systems required careful configuration management to preserve rationalization decisions during system updates.

    6. Industry Applications and Recommendations

    6.1 Scalability to Other LNG Facilities

    The methodology demonstrated here scales effectively to other facilities by:

    - Adapting severity matrices to site-specific risk tolerances
    - Adjusting team composition based on organizational structure
    - Phasing implementation based on unit criticality
    - Leveraging common control system platforms

    6.2 Recommended Implementation Approach

    Based on our experience, optimal implementation follows this sequence:

    Phase 1: Foundation (Months 1-2)
    - Develop site-specific alarm philosophy
    - Establish performance baselines
    - Form cross-functional team
    - Select rationalization tools

    Phase 2: Pilot Implementation (Months 3-4)
    - Select representative unit/system
    - Complete full rationalization cycle
    - Validate methodology and tools
    - Refine procedures based on lessons learned

    Phase 3: Full Deployment (Months 5-12)
    - Systematically address remaining units
    - Implement approved changes
    - Train operators on new alarm schemes
    - Establish monitoring systems

    Phase 4: Sustainment (Ongoing)
    - Monthly performance reviews
    - Quarterly alarm health assessments
    - Annual philosophy updates
    - Continuous improvement initiatives

    6.3 Return on Investment Considerations

    While specific project costs are proprietary, the business case for alarm rationalization is compelling. The investment in this project is minor compared to the potential costs of:

    - Operator hours spent managing nuisance alarms
    - Extended troubleshooting time during process upsets
    - Potential incidents resulting from operator overload
    - Regulatory penalties for non-compliance with RAGAGEP

    Industry benchmarks demonstrate typical returns including:

    - Reduced operator errors through improved situational awareness
    - Decreased unplanned downtime from better upset management
    - Lower incident investigation costs
    - Invaluable improvement in regulatory compliance position

    7. Conclusions

    This alarm rationalization project demonstrates that systematic implementation of the ANSI/ISA-18.2-2016 lifecycle can achieve transformational improvements in alarm system performance. The 84-92% reductions in urgent alarm loads across two major units significantly exceed typical industry achievements, validating the comprehensive approach. Key conclusions from this implementation:

    - Full lifecycle implementation is essential - Partial efforts yield marginal benefits while comprehensive programs achieve step-change improvements.
    - Cross-functional engagement drives success - Integration of operations, engineering, and process safety perspectives ensures practical, sustainable solutions.
    - Quantified baselines enable continuous improvement - Detailed before/after metrics demonstrate value and guide ongoing optimization.
    - Brownfield challenges are surmountable - Legacy systems can be successfully rationalized with proper methodology and commitment.
    - Operator effectiveness improvements justify investment - Enhanced situational awareness and response capability directly improve process safety performance.

    The dramatic reductions achieved here establish new benchmarks for alarm management excellence in the midstream industry. As facilities face increasing operational complexity and regulatory scrutiny, comprehensive alarm rationalization becomes not just best practice but operational necessity.

    8. Future Work

    Building on current achievements, future initiatives include:

    Advanced Alarm Management Techniques
    - Implementation of state-based alarming for startup/shutdown
    - Dynamic alarm suppression during known process transitions
    - Predictive analytics for alarm flood prevention

    Integration with Digital Transformation
    - Incorporation of machine learning for nuisance alarm identification
    - Real-time alarm performance dashboards
    - Mobile operator notification systems

    Industry Collaboration
    - Development of LNG-specific alarm management guidelines
    - Benchmarking studies across multiple facilities
    - Knowledge sharing through industry forums

    Continuous Improvement Metrics
    - Correlation of alarm performance with safety incidents
    - Operator workload quantification studies
    - Economic impact validation

    The success achieved through systematic alarm rationalization provides a foundation for continued advancement in operational excellence and process safety performance.

    References

    - ANSI/ISA-18.2-2016, Management of Alarm Systems for the Process Industries, International Society of Automation, Research Triangle Park, NC.
    - IEC 62682:2022, Management of alarm systems for the process industries, International Electrotechnical Commission, Geneva, Switzerland.
    - EEMUA Publication 191, Alarm Systems - A Guide to Design, Management and Procurement, 3rd Edition, Engineering Equipment and Materials Users Association, London, UK, 2013.
    - Rothenberg, D.H., "Alarm Management for Process Control: A Best-Practice Guide for Design, Implementation, and Use of Industrial Alarm Systems," Momentum Press, New York, 2018.
    - Hollifield, B., and Habibi, E., "The Alarm Management Handbook: A Comprehensive Guide," PAS, Houston, TX, 2011.
    - U.S. Chemical Safety and Hazard Investigation Board, "Investigation Report: Refinery Explosion and Fire," Report No. 2005-04-I-TX, Washington, DC, 2007.
    - Health and Safety Executive, "The Buncefield Incident 11 December 2005: The final report of the Major Incident Investigation Board," Bootle, UK, 2008.
    - Abnormal Situation Management Consortium, "Effective Alarm Management Practices," Honeywell Process Solutions, Phoenix, AZ, 2019.
    - Center for Chemical Process Safety, "Guidelines for Safe Automation of Chemical Processes," 2nd Edition, AIChE, New York, 2017.
    - Stauffer, T., and Sands, N.P., "Alarm Management and ISA-18.2: Management of Alarm Systems for the Process Industries," ISA Automation Week Proceedings, 2014.

    Acknowledgments

    The authors acknowledge the dedication of operations and engineering personnel who committed extensive time to the rationalization process. Special recognition goes to Applied Engineering Solutions for their expert facilitation and the operations teams who provided invaluable institutional knowledge. This project's success reflects the organization's commitment to operational excellence and process safety leadership.

  • How Taking Credit for Planned and Unplanned Shutdowns Can Help You Achieve Your SIL Targets

    by Keith Brumbaugh, P.E., CFSE

    Achieving Safety Integrity Level (SIL) targets can be difficult when proof test intervals approach turnaround intervals of five years or more. However, some process units have planned and predictable unplanned shutdowns multiple times a year. During these shutdowns, it may be possible to document that the safety devices functioned properly. This can be incorporated into SIL verification calculations to show that performance targets can now be met without incorporating expensive fault tolerance, online testing schemes, etc. This can result in considerable cost savings for an operating unit.

    The problem

    If a process plant is following the ANSI/ISA 84.00.01 process safety lifecycle (i.e., ISA 84) or similar, then as part of the allocation of safety functions to protection layers phase, a SIL assessment (e.g., a Layers of Protection Analysis (LOPA)) would be undertaken to assign Safety Integrity Level (SIL) targets to each Safety Instrumented Function (SIF). A scenario could occur in the design and engineering phase of the ISA 84 safety lifecycle, when performing the SIL verification calculations, in which the team discovers that the SIFs do not meet their performance target. Assuming the calculation was done properly using valid data and assumptions, something would need to change in order to meet or exceed the required performance targets. This issue could occur in a greenfield plant when first designing a SIF, but is more likely to be discovered during a revalidation cycle of a brownfield plant. Click here to view the complete whitepaper

  • The Use of Bayesian Networks in Functional Safety

    Functional Safety & Bayesian Networks

    Functional safety engineers follow the ISA/IEC 61511 standard and perform calculations based on random hardware failures. These result in low failure probabilities, which are then combined with similarly low failure probabilities for other safety layers, to show that the overall probability of an accident is extremely low (e.g., 1E-5/yr). Unfortunately, such numbers are based on frequentist assumptions and cannot be proven. Looking at actual accidents caused by control and safety system failures shows that accidents are not caused by random hardware failures. Accidents are typically the result of steady and slow normalization of deviation (a.k.a. drift). It is up to management to control these factors.

    However, Bayes theorem can be used to update our prior belief (the initial calculated failure probability) based on observing other evidence (e.g., the effectiveness of the facility's process safety management process). The results can be dramatic. For example, assuming a safety instrumented function with a risk reduction factor of 5,000 (i.e., SIL 3 performance) and a process safety management program with 99% effectiveness results in the function actually having a risk reduction factor of just 98 (i.e., essentially the borderline between SIL 1 and SIL 2).

    The key takeaway is that the focus of functional safety should be on effectively following all the steps in the ISA/IEC 61511 safety lifecycle and the requirements of the OSHA PSM regulation, not the math or certification of devices. Both documents were essentially written in blood through lessons learned the hard way by many organizations. To learn more about the use of Bayesian networks in functional safety, read the full paper here. Click here to view the complete whitepaper

  • Detection and Mitigation of Hydrogen Releases

    As the share of green energy continues to increase worldwide, the demand for hydrogen is projected to grow rapidly. Production rates in 2022 of nearly 100 mT [1] are expected to triple to 300 mT by 2030 [2]. With such a rapid growth rate, many new players are entering the hydrogen production market. Hydrogen vapors are especially hazardous due to their large flammability range, high reactivity, and low minimum ignition energy. A great need therefore exists for process safety knowledge sharing that is focused on hydrogen safety at such facilities.

    Hydrogen behaves very differently from other materials. While hydrogen vapors are known to rise rapidly due to their very low molecular weight, liquefied hydrogen (LH2) is known to stay low to the ground, including just after evaporating, like other cryogenic liquids. Hydrogen has other unique characteristics as well due to its very low normal boiling point. The viscosity of LH2 becomes very low, allowing it to flow with minimal losses of kinetic energy. Altogether, a flammable vapor cloud from an LH2 release can travel a far distance even though it does not form a liquid pool.

    Advances in hydrogen safety are forthcoming and continue to evolve. In addition, several software vendors have specifically focused on more accurately modeling the properties and consequences of hydrogen releases. A selection of case studies will be shared in which hypothetical indoor and outdoor liquid and vapor hydrogen releases from new hydrogen facilities were evaluated. The case study selection will include an analysis of the selection and placement of gas and flame detectors for hydrogen releases and a review of potential hazard preventions and mitigations. Click here to view the complete whitepaper
