(164c) The SIS Just Broke! What Now?

The safest approach to responding to detected failure in a safety system is to take the process equipment under protection to a safe state. Likewise, it is inherently safer to perform testing of SIS equipment when the process is shut down. However, what if the facility wants to keep operating while the SIS is undergoing testing or repair? Willfully continuing operation with known deficiencies in SIS equipment can result in the peak risk for severe hazardous events being higher than the company’s risk tolerance limits. To operate safely, the process safety risk during this transient period needs to be carefully managed.

Compensating measures are used when bypassing or detected failures within the SIS result in a gap in risk reduction. Designing these measures can be challenging. The process operation during SIS bypass can be dynamic, with a possibility of increasing the likelihood of human error. For optimum effectiveness, compensating measure hardware and procedures should be identified during detailed design of the SIS. This paper will discuss some of the challenges posed by continuing operation despite a portion of the SIS being out of service and illustrate how these challenges may be overcome. A case study will show how a system in bypass, without proper compensating measures, can lead to a severe injury event.