Ensuring safe, ongoing operations at processing and asset-intensive facilities takes more than “Work Smart” programs. To meet the challenge of a holistic, sustainable approach to safety that follows best practices including IEC 61508, IEC 61511 and ISA 84, we start by creating a safety plan that includes a framework for functional safety and incorporates process safety, from conception to decommissioning. OESuite® supports the key functional safety components and process safety management requirements through efficient, integrated, mobile-enabled modules. Designed from the ground up for intuitive use and easy data input and analysis, the platform helps organizations standardize risk tolerances, implement best practices and standard operating procedures, and protect people, facilities, and processes for the long term.
OESuite® offers a Safety Lifecycle solution focused on the span between the Distributed Control System (DCS) and Emergency Response. Integrating our Process Risk (PHA/LOPA), SIS (partner bolt-on via OS Connector), Management of Change (MOC), Audit, Procedure Management, and Alarm Management modules gives you insight into the health of your Independent Protective Layers (IPLs). Coupled with our Calibration and Testing function, this lets you confirm that the engineered and administrative safeguards you rely on to run the plant are in place and performing.
Traditional Safety Lifecycle Management centers on the DCS, PHA/LOPA, SIS, Alarm Management, and Emergency Response. Often these live in silos, in disparate technology solutions. The key is to move beyond the binder on the shelf: from a traditional PHA/LOPA study to a living PHA study that a strong MOC function keeps current between the 5-year revalidations, coupled with real-time risk exposure on the SIS tied to alarms and the Computerized Maintenance Management System (CMMS).
The real goal is to bring all of these together to improve production while understanding the risk implications of bypassing, eliminating, or inadequately maintaining SIS and non-SIS safeguards in the pursuit of maximum throughput.
Operational Sustainability® puts that all together in OESuite® to help you manage your process risks while maximizing production capacity.
PHA starts with defining the system boundaries and the equipment to be included in the hazard/risk analysis. Typical PHA studies use a qualitative risk assessment methodology such as a Hazard and Operability Study (HAZOP) to identify hazardous events, initiating causes, event severity, and initiating-event likelihood. HAZOP does not, however, address whether safeguards are independent of one another, and a team’s subjective perception of a given safeguard's integrity can lead to inconsistency in the number of safeguards recommended to adequately mitigate risk.
To remove that subjectivity from safeguard credit, LOPA is used to determine whether adequate risk reduction is actually achieved. LOPA provides specific criteria and restrictions for crediting Independent Protective Layers (IPLs). Protection layers should be independent of one another, so that each performs its function regardless of the initiating event and regardless of the action or failure of any other protection layer.
LOPA provides a method for evaluating the risk of hazard scenarios and comparing those risks with risk tolerance criteria to decide whether existing safeguards are adequate. LOPA builds on the information developed in the PHA, and it credits only those safeguards that qualify as IPLs, including:
SIS are also called interlocks, trip and alarm systems, and emergency shutdown systems. An SIS is a control system that acts to return a process to a safe state upon detecting conditions that are hazardous, or that could give rise to a hazard if no action is taken. An SIS implements one or more Safety Instrumented Functions (SIFs), each acting to prevent a specific hazard or to mitigate its consequences.
The degree of confidence that can be placed in the SIS to reliably perform its intended function is known as its safety integrity. Safety integrity is graded into four distinct bands known as Safety Integrity Levels (SIL), and each SIL corresponds to a range of Risk Reduction Factor (RRF). We use RRF as the measure of safety integrity; it is the reciprocal of the average probability of failure on demand (RRF = 1/PFD), so a SIF with a PFD of 0.005 has an RRF of 200. The four bands are:
| SIL | Risk Reduction Factor (RRF) | Probability of failure on demand (PFDavg) |
| --- | --- | --- |
| 4 | >10,000 to ≤100,000 | ≥10⁻⁵ to <10⁻⁴ |
| 3 | >1,000 to ≤10,000 | ≥10⁻⁴ to <10⁻³ |
| 2 | >100 to ≤1,000 | ≥10⁻³ to <10⁻² |
| 1 | >10 to ≤100 | ≥10⁻² to <10⁻¹ |
An SIS is specified to achieve the SIL that matches the required level of risk reduction, but the SIS is only one of the IPLs in a plant’s overall risk reduction strategy.
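The LOPA arithmetic described above (mitigated event frequency versus a tolerance criterion, the residual gap expressed as an RRF, and the SIL band that gap falls in) as a worked example. This is an added illustration, not OESuite code: the overpressure scenario, its frequencies and the IPL PFD values are constructed, the tolerance criterion is a placeholder, and the band boundaries are taken as lower-exclusive and upper-inclusive so every RRF maps to exactly one SIL. The `with_bypass` helper shows the point made earlier about bypassing safeguards: crediting a bypassed IPL with PFD 1 moves the gap, and therefore the SIL a compensating SIF would need, by orders of magnitude.

```python
"""LOPA gap and SIL-band calculation (added illustration, not OESuite code).

Scenario numbers below are constructed for the example. Band boundaries are
treated as (low, high] so each RRF between 10 and 100,000 maps to one SIL.
"""
from dataclasses import dataclass
from typing import List, Optional

# SIL bands as on the page's table: (SIL, RRF lower bound, RRF upper bound).
# PFDavg = 1 / RRF, so SIL 1 spans PFD 1e-2..1e-1, SIL 4 spans 1e-5..1e-4.
SIL_BANDS = [
    (1, 10, 100),
    (2, 100, 1_000),
    (3, 1_000, 10_000),
    (4, 10_000, 100_000),
]


@dataclass
class IPL:
    """An Independent Protective Layer credited in the LOPA scenario."""
    name: str
    pfd: float              # probability of failure on demand, 0 < pfd <= 1
    bypassed: bool = False  # a bypassed layer gives no protection: PFD 1

    def effective_pfd(self) -> float:
        return 1.0 if self.bypassed else self.pfd


@dataclass
class Scenario:
    description: str
    initiating_event_freq: float  # initiating events per year (from the PHA)
    target_freq: float            # tolerable outcome frequency per year (risk criterion)
    ipls: List[IPL]


def rrf_from_pfd(pfd: float) -> float:
    """Risk Reduction Factor is the reciprocal of the PFD."""
    if not 0.0 < pfd <= 1.0:
        raise ValueError("PFD must be in (0, 1]")
    return 1.0 / pfd


def sil_for_rrf(rrf: float) -> Optional[int]:
    """Map an achieved RRF to its SIL band; None if outside SIL 1..4."""
    for sil, low, high in SIL_BANDS:
        if low < rrf <= high:
            return sil
    return None


def mitigated_event_frequency(s: Scenario) -> float:
    """Outcome frequency after all credited IPLs: f_initiating * product(PFD)."""
    freq = s.initiating_event_freq
    for ipl in s.ipls:
        freq *= ipl.effective_pfd()
    return freq


def risk_gap(s: Scenario) -> float:
    """Extra RRF still needed to meet the criterion; <= 1 means safeguards suffice."""
    return mitigated_event_frequency(s) / s.target_freq


def required_sif_sil(s: Scenario) -> int:
    """SIL a new SIF must achieve to close the gap, or 0 if none is needed.

    A gap beyond the SIL 4 band cannot be closed by one SIF; the process
    design itself has to change, so that case is reported as an error.
    """
    gap = risk_gap(s)
    if gap <= 1.0:
        return 0
    for sil, _low, high in SIL_BANDS:
        if gap <= high:
            return sil
    raise ValueError(f"required RRF {gap:.0f} exceeds SIL 4; redesign the process")


def with_bypass(s: Scenario, ipl_name: str) -> Scenario:
    """Copy of the scenario with one IPL bypassed, to quantify a bypass request."""
    ipls = [IPL(i.name, i.pfd, bypassed=(i.bypassed or i.name == ipl_name)) for i in s.ipls]
    return Scenario(s.description, s.initiating_event_freq, s.target_freq, ipls)


# Constructed scenario (hypothetical numbers, not from any real study).
HIGH_PRESSURE = Scenario(
    description="Vessel overpressure after BPCS pressure-control loop failure",
    initiating_event_freq=0.1,  # one loop failure per 10 years
    target_freq=5e-7,           # placeholder corporate tolerance for this consequence
    ipls=[
        IPL("Operator response to high-pressure alarm", pfd=0.1),
        IPL("Pressure relief valve", pfd=0.01),
    ],
)

if __name__ == "__main__":
    cases = [("as designed", HIGH_PRESSURE),
             ("relief valve bypassed", with_bypass(HIGH_PRESSURE, "Pressure relief valve"))]
    for label, sc in cases:
        print(f"{label}: mitigated {mitigated_event_frequency(sc):.1e}/yr, "
              f"gap RRF {risk_gap(sc):.0f}, compensating SIF needs SIL {required_sif_sil(sc)}")
```

As designed, the constructed scenario leaves a residual gap of RRF 200, which a SIL 2 SIF would close; with the relief valve bypassed the gap becomes RRF 20,000 and the same role would demand SIL 4. That is the kind of number a MOC reviewer should see beside a bypass request.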
Alarm systems are closely related to SIS but do not have the same function. Alarms are designed to draw an operator’s attention to a condition outside the desired range for normal operation, one that requires operator intervention. An SIS, in contrast, does not depend on an operator response: it acts on its own to return the process to a safe state, up to and including shutdown, when conditions warrant.
Alarm management remains essential because of the complexity of control system design and problems such as alarm floods (periods of many, often overlapping, alarms arriving faster than an operator can act on them). ISA 18.2 models the entire alarm management lifecycle. Key components such as Management of Change (e.g. alarm setpoint changes), alarm design, alarm rationalization, and state-based and dynamic alarming need to be addressed in any alarm management plan. In addition, plant personnel need to be trained to develop and maintain the system.
OESuite® is compliant with ISA 18.2, EEMUA 191, and API RP 1167.
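The alarm-flood and bad-actor metrics that the ISA 18.2 lifecycle calls for, run over a small alarm journal, as an added example; this is illustrative code, not OESuite's implementation, and the journal lines are constructed. The flood threshold follows ISA 18.2 and EEMUA 191: more than 10 alarms in any 10-minute window is a flood. The tag names, the timestamp format and the three-column journal layout are assumptions made for the example.

```python
"""Alarm-flood and bad-actor metrics over a constructed alarm journal.

Added illustration, not OESuite code. Thresholds follow ISA 18.2 / EEMUA 191:
more than 10 alarms in any 10-minute window is an alarm flood.
"""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed alarm journal (ISO timestamp, tag, alarm type). Not real plant data.
# Twelve alarms land between 09:15 and 09:21, i.e. a flood; the rest are sparse.
ALARM_LOG = """\
2024-03-01T08:00:05 TI-201 HI
2024-03-01T08:20:10 LI-305 LO
2024-03-01T09:15:00 PI-101 HI
2024-03-01T09:15:30 PI-102 HI
2024-03-01T09:16:00 TI-110 HIHI
2024-03-01T09:16:30 FI-120 LO
2024-03-01T09:17:00 PI-101 HIHI
2024-03-01T09:17:30 LI-130 HI
2024-03-01T09:18:00 XV-140 FAIL
2024-03-01T09:18:30 PI-103 HI
2024-03-01T09:19:00 TI-111 HI
2024-03-01T09:19:30 PI-101 HI
2024-03-01T09:20:00 FI-121 LO
2024-03-01T09:21:00 LI-131 LO
2024-03-01T10:30:00 FI-410 LO
"""

Alarm = Tuple[datetime, str, str]  # (time, tag, alarm type)

FLOOD_WINDOW = timedelta(minutes=10)
FLOOD_THRESHOLD = 10  # strictly more than this many alarms in the window is a flood


def parse_alarms(text: str) -> List[Alarm]:
    """Parse journal lines into (time, tag, type) tuples, sorted by time."""
    alarms: List[Alarm] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, tag, kind = line.split()
        alarms.append((datetime.fromisoformat(ts), tag, kind))
    return sorted(alarms)


def find_floods(alarms: List[Alarm],
                window: timedelta = FLOOD_WINDOW,
                threshold: int = FLOOD_THRESHOLD) -> List[Dict]:
    """Sliding-window flood detection.

    For every alarm, count alarms in the trailing window ending at it. A flood
    starts when that count first exceeds the threshold and ends when it falls
    back to the threshold or below. Returns one record per flood episode.
    """
    floods: List[Dict] = []
    current = None
    start = 0  # index of the oldest alarm inside the current window
    for end, (t, _tag, _kind) in enumerate(alarms):
        while t - alarms[start][0] > window:
            start += 1
        count = end - start + 1
        if count > threshold:
            if current is None:
                current = {"start": alarms[start][0], "end": t, "peak": count}
                floods.append(current)
            else:
                current["end"] = t
                current["peak"] = max(current["peak"], count)
        else:
            current = None
    return floods


def bad_actors(alarms: List[Alarm], n: int = 3) -> List[Tuple[str, int]]:
    """Most frequent tags: the first candidates for rationalization."""
    return Counter(tag for _, tag, _ in alarms).most_common(n)


def average_rate_per_10min(alarms: List[Alarm]) -> float:
    """Average alarms per 10 minutes over the journal span (EEMUA 191 headline metric)."""
    span = alarms[-1][0] - alarms[0][0]
    periods = span / timedelta(minutes=10)
    return len(alarms) / periods if periods > 0 else float(len(alarms))


if __name__ == "__main__":
    journal = parse_alarms(ALARM_LOG)
    for f in find_floods(journal):
        print(f"flood {f['start']:%H:%M} to {f['end']:%H:%M}, peak {f['peak']} alarms/10 min")
    print("bad actors:", bad_actors(journal))
    print(f"average rate: {average_rate_per_10min(journal):.2f} alarms/10 min")
```

On the constructed journal the average rate looks acceptable (about one alarm per 10 minutes), which is exactly why the flood detector matters: the average hides a six-minute burst of twelve alarms, three of them from the same tag, that an average-rate report would never surface.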