“Take time to deliberate, but when the time for action has arrived, stop thinking and go in.” Napolean Bonaparte
Can operator responses to unsafe conditions be considered part of safety instrumented functions? The question frequently arises during a Layer of Protection Analysis (LOPA) as operators consider their existing safeguards and Independent Layers of Protection (IPLs). The short answer is that operator response to unsafe conditions is certainly a safeguard, and under the right circumstances, may be part of an IPL. Strictly speaking, operator response to unsafe conditions cannot be considered part of a safety instrumented function (SIF), which must act automatically.
For those that want to take credit for operator response in an IPL, there are two issues to consider. First, is the operator response suitable for inclusion in an IPL? Second, if the operator response is suitable, how much credit can be taken for the response?
Suitability of including operator response
For operator response to be claimed as part of an IPL, there are three questions that must be answered:
- How will the unsafe condition or event be detected? This question needs to be resolved at the time of the analysis. Not only must the means of detection be simple and straightforward, but also it must always be clear and available to the operator, even under emergency conditions.
- How will the decision to act be made? An emergency is not a time to impose complex decision-making on an operator. Human decision-making should not require anything more than simple calculations and should not require complicated diagnostics. Moreover, if operator response is to be claimed as part of an IPL, balancing the cost of production interruption against safety can never be part of the decision.
An operator’s decision-making should not be confounded by a workload that interferes with acting as part of an IPL. By the same token, an operator should not be expected to perform other tasks at the same time, including responding to other alarms.
- What action will be taken to deflect the hazardous outcome, preventing the consequence? Just as the method by which the unsafe condition or event is detected must be defined in advance, the operator response must be defined in advance, too. If operator response is to be claimed as part of an IPL, training on recognizing and responding to hazards must be performed regularly and it must be documented.
For operator response to be claimed as part of an IPL, the time available must be adequate. This includes
- Time for the sensor to detect and for the operator to become aware of the unsafe condition
- Time for the operator to decide
- Time for the operator to act
- Time for the process to respond to the operator action
When a review of the time required shows that it exceeds the time available, then clearly operator response should not be claimed as part of an IPL.
It is not enough to have enough time. An operator may be able to shut a system down in 5 minutes, but if the available time is exactly 5 minutes that means the operator must act perfectly. In general, when an operator has less than 10 minutes to respond, the probability of failure on demand quickly approaches 100%. The probability of failure on demand decreases, as more time is available to take action to a limit of about 5 hours, at which point additional time does not help.
Credit for Operator Response
Once an analysis of the IPL shows that it is appropriate to take credit for operator response, another important question remains – how much credit can be taken for the response? In other words, what is the probability that in an emergency the operator will do the right thing—what is the average probability of failure on demand (PFDAVG)?
There are a few factors that determine what PFDAVG for an operator response should be used in reliability calculations.
- Means of notifying operator: (A) field conditions, (B) field indication, (C) BPCS indication, or (D) SIS indication
- Buffer time: (A) more than 10 minutes, (B) more than 40 minutes, or (C) more than 5 hours. If the response time is less than 10 minutes, credit for operator response requires an extraordinary level training.
- Trouble-shooting or diagnostics before taking action: (A) complex, (B) minor, or (C) none. If the trouble-shooting or diagnostics before taking action is complex, no credit for operator response should be claimed.
In the table that follows, there are a number of cases described, along with the PFDAVG for cases reported generally in the literature, and a median default value for PFDAVG that is neither overly conservative nor overly optimistic.
What does this mean?
While credit for operator response typically should not be claimed in SIFs, credit certainly can be claimed in IPLs. Incidentally, when IPLs are credited as simple orders of magnitude, then the indication should come from a reliable system like an SIS. However, in more detailed layers of protection analysis, greater credit can be taken for the actual circumstances. Taking credit for human actions as an IPL requires a case-by-case evaluation of what is occurring in a given scenario. It greatly relies on your plant knowing the amount of response time personnel are given for a specific scenario, as well as, how knowledgeable (and comfortable) your personnel are with the process they are working with. The knowledge and comfort of the process personnel feel is largely impacted by the rigor of your company’s training program.