This chapter presents the main findings of this thesis and proposes some topics for further work.
8.1. Main objective
The main objective of this thesis was to identify potential pitfalls that may have resulted from poor change management of SISs. Furthermore, the goal was to propose a method on how to handle modifications of SIS in modification projects.
The main findings are presented in chapter 6.5. These are based on the discussion, suggesting that modifications (e.g. minor, temporary and not-identified) not properly assessed may have a negative impact on safety. In addition, the necessary documents should be updated to reflect the actual configuration of the SIS (facility) and the actual (true) risk level after the modification. To cover the latent functional relationships, failure modes and impacts of modifications, the modification process should be well structured and documented. Several risk and safety assessments should be included as early as possible, to ensure that potential problems can be identified, and appropriate measures implemented as early as possible.
The proposed flowchart for management of change is presented in chapter 7.3.1. This chart is based on the identified issues and the requirements in the ISO-9001 standard. The main purpose of this flowchart is to ensure that the modifications to SIS, or any other part of the facility are under control, and that the safety is not compromised. Furthermore, the procedure aids in providing traceability, during and after the modification process.
8.1.1. Sub-objective 1
The purpose of the first sub-objective was to illustrate how typical modifications may affect the calculated reliability level (PFD) for safety instrumented functions (SIFs), and if the calculated values sufficiently expresses the extent of the modification.
A case was used to provide a better understanding for SISs and their SIFs. The case also presented how PFD can be calculated and how the system can be modified. This case demonstrated that a SIS is subject to continual change and is often rebuilt to handle new challenges. The result for the case illustrated that typical modification to SIF, such as additional HVAC and deluge valves have the potential to effect the calculated PFD, while
81
replacement of components have a negligible effect on the calculated PFD. The results from the case were as expected, however, the focus during the case were only on the calculated PFD value. As it became apparent in the discussion, PFD values can provide useful insight for the decision maker; however, it is important to look beyond the assigned probabilities, since the probabilities may camouflage uncertainties. The circumstances of a modification should always be assessed in addition to the calculated PFD.
The case only focused on the modification to the SIS. However, the SIS may also be modified by a change to the operating prerequisites. The effect of this is often not fully understood during modification projects. Everything on an offshore platform is somehow interrelated.
Therefore, one modification to SIS or any other part of the facility can trigger a need for other modifications, introducing the so-called cascade-effect.
8.1.2. Sub-objective 2
The second sub-objective was to propose a simple alternative approach on how to classify the modifications in a typical SIS modification project. The main findings suggest that there is a need for an alternative description for categorization of modifications. This categorization process should be based on screening and discussion of the modification, at the same time being flexible and allowing for subjective judgment. The main focus should be on the safety significance; however, the magnitude and circumstances of the modification should also be reflected in the categorization process.
Chapter 7.2 presents an alternative approach for classification of modifications in SIS modification projects. Based on the classification used in the nuclear industry, the modification should be categorized with the main consideration to the safety significance. To aid in the categorization, a checklist consisting of several conditions (questions) is presented.
The main purpose of this checklist is to get a better overview of the impact the proposed modification has on the system and risk level. These questions focuses on the impact the modification can have on the humans, system, functions and interface with different systems/functions. The results from the assessment should be evaluated before the modification is categorized.
82 8.2. Further study
This thesis is written within a limited period of time with limited resources and information.
Some topics for further research are presented below.
Human errors in modification projects.
Due to the scope limitations, the human factor was only barely mentioned in this thesis. It is however deemed as necessary to study how, and why human errors may arise during the modification projects. The impact these errors may have on the modification should be studied throughout all phases of a modification project.
Lack of data for components in reliability calculations.
During this thesis and discussion with my supervisors, an additional objective arose.
This is an issue that often arises during modification projects. Appendix F presents an attempt to provide an adequate method. The discussion from the appendix suggests that it doesn’t matter if a component is citified or not, as long as it can be demonstrated that the safety function achieves the necessary risk reduction. To calculate the risk reduction, the components failure (historical) data are needed. Furthermore, as pointed out the best approach to handle components without reliability data is the use of a structured expert judgment. Since their data is mainly based on their background knowledge, the strength of this knowledge has to be expressed
It is proposed that a more thorough literature study should be carried out regarding this objective. Based on the literature study, one could provide a simple step by step approach that can be used in reliability calculations. That approach should incorporate the uncertainty dimension (strength of knowledge), as discussed in appendix F.
Identify a method on how to handle components that are not SIL-certified or lack the necessary reliability data in reliability calculations.
83