@Harvey Dearden Thanks for this input and sharing the book you have published on FS. Will look into getting this.

@Tom Atkinson Thanks for the input Tom. Yes each vessel has a routing valve for level control as part of the BPCS (controlled from an LT). The overfill valve is independent from the BPCS and operated by the safety system if a vessel high level switch activates. Each tank has its own high level so 1oo1, but all shut the same overfill valve on the common supply line (upstream of the branch off to each vessel). That’s an interesting one you have mentioned. I think the key thing there, and my understanding as to how you have set it up now is the input side is only a 1oo1, and not a 1oo20 say, as whilst the same valves shut, each tank only has one level switch, so regardless of the other tank switches if that specific tank level rises only one level switch can respond to protect against an overfill scenario. I would also need to know more details on the scenario but just when you mentioned a separate valve for this purpose - I think that’s a key point in the LOPA. I have reviewed sites where they had one inlet valve that was shared between the BPCS and the safety system. They did have a separate safety relay to deenergise but ultimately the same valve and when referencing their LOPA credit had been taken for a BPCS high level trip. In this case not suitable and a modification to correct as not independent.

@Iyan Putra Hi Iyan. I would just echo others comments here already in regard to the setting of the mission time and proof tests to ensure they are realistic to what the Asset will actually adhere to. It’s also got to make sense in terms of not just stating components will be replaced or overhauled to a new condition to improve the calculation. I noted above that a LOPA has been carried out and although no SIL requirement they still want to have safety rated trips. It’s very difficult to do this without really having a target as there are so many other factors that can be taken into account in addition to the mission time. Increasing proof tests and mission time can help with the calculation but it’s also more cost and effort involved when it may not actually be required. The system can then also be more costly to implement in terms of equipment and architecture selected in the design. Just thought I’d mention this when you noted the logic solver was SIL 3 capable as I have come across clients before that think buying SIL rated components make the given system SIL rated.

I agree @Richard Kelly and have also come across this before when looking at PTC values used in calculations, particularly on the final element with valves. Quite often the proof test will check the actuator and valve physically move, but the proof test is carried out during a shutdown, so there would be no indication if the valve wasn’t sealing. Unless there was a flow and differential pressure across the valve being measured or an inline flow transmitter, then if carried out offline the proof test would never capture this. There is guidance for realistic values to use but have again come across some optimistic values edging towards 100%. Testing elements offline can also be very different to when the process is in operation at higher pressures and higher/lower temperatures.

Both