Storage Tank SIL Selection and Verification Spreadsheet
Designed by Kenexis Consulting Corporation
2929 Kenny Rd Suite 225 Columbus OH 43221 USA www.kenexis.com admin@kenexis.com This document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document. This document may be circulated for distribution, but it may not be circulated as part of a commercial product under any circumstances. IT IS CRITICAL THAT THE FAILURE RATES USED IN THIS SPREADSHEET BE REVIEWED AND CONFIRMED (OR REVISED) TO ACCOUNT FOR YOUR OWN FACILITY. THIS CAN BE DONE THROUGH REVIEWING INDUSTRY/LOCATION SPECIFIC INFORMATION, EQUIPMENT VENDOR DATA, LOCAL MAINTENANCE RECORDS, OR OTHER METHODS. IF THIS IS NOT DONE THE RESULTS WILL NOT NECESSARILY REFLECT THE RISK REDUCTION ACHIEVED AT YOUR SITE! Instructions on Using the Spreadsheet The purpose of the spreadsheet is to assist in SIL Selection and SIL Verification for a high-high storage tank level safety function. Each safety function should be analyzed using its own spreadsheet. This spreadsheet should ONLY be used for simple functions whose SIL target is 2 or less. Complex functions can't be handled by this spreadsheet; a safety specialist should be consulted. SIL Selection must be conducted with a multidisciplinary team including a representative from process engineering, instrumentation, operations and specialists as required. It should be the same kind of team normally used for a PHA. Review the accompanying presentation that further discusses related aspects of safety engineering. Read the information in the "Usage Notes" tab of this spreadsheet. The team should start at the "SIL Selection" tab and describe the function, hazard the function is intended to prevent, and consequences. The spreadsheet has capability for three different initiating events. All initiating events and protection layers should be identified, then check the RRF Required and SIL Rating for the function. In general, purple spreadsheet cells are user entered and light brown spreadsheet fields are automatically calculated by the spreadsheet. You can click the in-spreadsheet links that are in underlined blue text to get more information on the item in question. On the "SIL Verification" tab enter the equipment details for the function. REVIEW THE FAILURE DATA to be sure it matches your site experience. Failure rate data can be modified on the "Data" tab. If your equipment is not listed you can enter a custom equipment and failure rate on the "Data" tab. Review and print the "SIL Assumptions" tab to make sure that the relevant assumptions are being used on your function. Verify the RRF Achieved is greater than or equal to the RRF Required, and also make sure each equipment subsystem's fault tolerance requirements are satisfied. Complete and print the report cover letter that should have come with this spreadsheet. Keep documentation that justifies failure rate information, initiating event frequencies and protection layer risk reduction factors. STEP 1: Provide Safety Function background, Hazard Prevented, Consequence and TMEL: In general, the purple spreadsheet fields are user entered and the light brown spreadsheet fields are calculated by the spreadsheet Service Tank #219, West Facility Safety Instrumented Function (SIF) Description High-High Storage Tank Level closes tank inlet valve Hazard Prevented High-high tank level could result in overfilling of tank with petrol, which could result in loss of containment. Loss of containment with continued filling could result in large cloud of flammables, which if ignited could result in fire or explosion. Consequence Fire or explosion could result in multiple injuries to on-site and possibly off-site personnel. Consequence Rating High (potential life-threatening injury) TMEL Equivalent, per year: 0.00001 Event period (==1/TMEL), years: 100,000 STEP 2: Initiating Events and Protection Layers Initiating Event #1: Description Operator error during filling process (wrong setpoint) Frequency Medium (once per ten years) Frequency, in years 0.1 Independent Protection Layer (IPL) for Initiating Event #1: Description IPL RRF NOTES Operator Intervention 10 BPCS (Control Loop) 10 Occupancy (<10%) 10 Other 1 None 1 Initiating Event #1 Mitigated Frequency, in years 1.00E-04 Initiating Event #2: Description BPCS Failure Frequency Medium (once per ten years) Frequency, in years 0.1 Independent Protection Layer (IPL) for Initiating Event #2: Description IPL RRF NOTES Operator Intervention 10 Occupancy (<10%) 10 None 1 None 1 None 1 Initiating Event #2 Mitigated Frequency, in years 1.00E-03 Initiating Event #3: Description Frequency Frequency, in years Independent Protection Layer (IPL) for Initiating Event #3: Description IPL RRF NOTES None 1 None 1 None 1 None 1 None 1 Initiating Event #3 Mitigated Frequency, in years STEP 3: Check Safety Integrity Level (SIL) of SIF SIF RRF Required 110 SIL Rating SIL 2 In general, the purple spreadsheet fields are user entered and the light brown spreadsheet fields are calculated by the spreadsheet STEP 1: Provide information about SIF Hardware SENSOR LOGIC SOLVER FINAL ELEMENT (FE) FE INTERFACE Equipment Tag LAHH-69 Relay panel XV-69 SV-69 Voting 1oo2 1oo1 1oo2 1oo2 Type Generic Radar Generic SIL-3 PLC Generic Ball or Globe valve Generic 3-way solenoid Description Generic radar, overrange and underrange PLC diagnostics, vote to trip on error Generic SIL 3 Certified PLC, with diagnostics Generic air actuated ball or globe valve, spring return, fail safe Generic solenoid operated valve, 3-way, DTT Failure Rate, dangerous undetected, per hr 5.00E-07 1.00E-08 1.35E-06 8.00E-07 Test Interval, years 1 1 1 1 Max SIL Approved 2 3 2 2 Probability of Failure on Demand (PFD): 0.0002 0.0000 0.0006 0.0004 *** SEE SIL VERIFICATION CALCULATION ASSUMPTIONS HERE *** STEP 2: Check function meets SIL target Achieved Target SIF PFD 0.0013 0.009 SIF RRF 785 110 Does Function meet RRF Required? YES Is Fault Tolerance Achieved? YES SIL Verification Assumptions If the safety function does not meet all the applicable assumptions the calculation may not represent the true risk reduction factor! If a radar sensor is used, overrange and underrange diagnostics are assumed. These diagnostics may be employed at the PLC level. In general, diagnostics should detect when the signal input is outside of normal range (typically 4-20 mA or 1-5 V) and perform fail safe action, voting in direction of trip. Other sensors included in this spreadsheet do not include provision for diagnostics of any kind. All relays are assumed to be de-energize to trip (DTT) All relays are assumed to be standard DTT relays, with a safe failure fraction (SFF) of 80%. If SIL 3 certified PLC is used, full diagnostics to achieve SIL 3, as prescribed by the PLC manufacturer, are assumed. This includes I/O, PLC, terminal assembly, software, and any other system-specific diagnostics needed. If air operated shutoff valve is used, valve is assumed to be air-to-open with a spring closed return. Valve safe state is assumed to be when valve is in closed position. If air operated control valve is used, valve is assumed to be air-to-open with a spring closed return. Valve safe state is assumed to be when valve is in closed position. Valve is assumed to be frequently used for active control, and valve is independent of all initiating events and protection layers for this hazard. If motorized valve is used, valve is assumed to be electrically activated, fail-in- place, without battery backup or other special features. If pump motor starter is used, device is assumed to be DTT. If solenoid operated valve (SOV) is used, device is assumed to be 3-way DTT. Loss of power to solenoid coil will change valve state, thereby releasing actuator air to atmosphere through solenoid valve. If interposing relay is used as final element interface device, it is assumed to be dry contact. When 1oo2 and 2oo3 voting is used, common cause failures (beta factor) are expected to be 10% of total dangerous undetected failure rate. Test interval is the maximum time expected between full functional proof test. The process services are assumed to be clean and/or the process connections are suitably designed for their application such that the process connection itself is not a significant source of SIF failure. All SIF operate in the low demand mode of operation. Equipment is assumed to be replaced before the end of its useful life as specified by the manufacturer. Failure rates include random hardware failures during the useful life, and not wear out failures that occur beyond the end of the useful life. Equipment is maintained and installed according to manufacturer recommendations and procedures. SPREADSHEET NOTES Service Enter service tag of tank here Safety Instrumented Function (SIF) Description Enter the description of the SIF This is the set of minimum necessary and sufficient actions the SIF must make to prevent the hazard. The function may take other auxiliary actions (such as stopping a pump, generating an alarm, etc) but those actions may not be necessary to prevent the hazard the SIF is trying to prevent. The description should start with the sensing action that takes place (ex, high-high level) and it ends with the output action (ex, closes a valve). Hazard Prevented Enter the hazard the SIF is employed to prevent The user should "tell the story" of how an out-of-bounds conditions could progress to a specific credible hazard. The description should follow a clear linear sequence so that later readers can follow the team's description of the scenario. As part of the scenario do NOT account for protection layers or conditional modifiers, as those will be included later in the spreadsheet. The description should start with the abnormal condition (ex, high-high level), follow a logical sequence, and end with the hazard (ex, fire or toxic cloud). It should not YET include the impact of the hazard (injuries, damage). The impacts are described in the "Consequences" section. Consequence Enter the consequences that would arise from the hazard in the outlined scenario Describe the consequences to "receptors" as a result of the hazard. Receptors at the minimum should include personnel; many organizations also require the team to detail environmental, societal and commercial receptors. Consult your organization's specifications and guidelines to determine which receptor categories should be considered. With respect to safety, the consequence should include the most likely credible result if an individual were in the immediate area of the hazard, and should NOT include factors like occupancy rate or time-at-risk. Such probability modifiers can be accounted for in the IPL section of this spreadsheet. Consequence Rating Enter the consequence category outlined in your organization's risk management guidelines. This is so the consequence used as part of these calculations can be cross-referenced with your oganization's risk management guidelines. TMEL Equivalent TMEL = Target Maximum Event Likelihood Enter the numerical value that represents the maximum event likelihood deemed permissible for this type of event, per your organization's risk management specifications and guidelines. The number must be the event frequency, in years. For organizations where the TMEL method is the adopted risk management philosophy, this may be identified very clearly. For example, your organization may state that an event likelihood for a serious injury is 1x10-4 years, once in 10,000 years. For organizations that use a Risk Matrix method, you may need to determine the TMEL indirectly from the matrix. Most Risk Matrices are simple 2-dimensional tables, with one axis the initiating event frequency and the other axis the consequence category. The value at each intersection of the matrix is the number of orders of magnitude in risk reduction required for that initiating event frequency / consequence pair. If the above describes your organization's risk matrix, you may be able to determine the effective TMEL by selecting your consequence category on one axis and observing how much risk reduction is required if the initiating event frequency were yearly. *** WARNING *** The TMEL is a critical component in determining the integrity level of the SIF so consult a risk professional if you are not certain of what number to enter in this field. Tolerable incident rates vary by organization and by consequence. They could also be set by national or local authorities. Many organizations use between 1x10-4 and 1x10-6 as a TMEL when life-threatening injuries are possible. Event Period This is 1/TMEL, or the average minimum number of years expected between events Initiating Event Description An initiating event is an event that starts the sequence of events in motion that, if unmitigated, will result in a hazard. Something like an alarm or a lack of operator response is not an initiating event, although a control loop failure or procedure misoperation could be initiating events. Frequency Enter the frequency category outlined in your organization's risk management guidelines. This is so the frequency used as part of these calculations can be cross-referenced with your oganization's risk management guidelines. Frequency, in years Each initiating event should have its own frequency entered. The frequency units is 1/years. IEC-61511 states that the frequency of a Basic Process Control System (BPCS) loop should not be assumed to be less than 1 / 10 years, unless the loop has been designed like a safety system. BPCS loops that have stated failure frequencies lower than 1 / 10 years are extremely rare. The 1 / 10 year failure frequency for a BPCS loop takes into account all components of the loop (sensors, logic solver, outputs). So you do not need to enter one initiating event for the transmitter, and another for the valve, etc Operator error is another common initiating event. This could include lining up the wrong tank, entering the wrong loading setpoint or other errors. A common industry practice is to claim an error rate of once per 100 to 1000 opportunities for an operator to incorrectly follow a procedure. This assumes a non-stressed, adequately trained and experienced operator who is going through an established routine. One way to determine an annual operator error frequency is to count the number of times per year a procedure is done to that one tank, then multiplying by the probability of operator error. The user should confirm that the resulting calculation is realistic with respect to actual operating conditions. Independent Protection Layer (IPL) An IPL is a protection layer that serves to stop a sequence of events that can result in a hazard. It does not prevent an initiating even from occurring, it serves its function after an initiating event has occurred. If an IPL is considered it must be able to completely prevent the hazard in question, not just slow it down or reduce the severity. Avoid claiming preventative maintenance, good practices and procedures and administrative controls as IPLs because it is assumed that those practices are already occurring and have already been "baked into" the given numbers. Four common characteristics of an IPL: Specificity - The IPL must be specifically designed to address and prevent the hazard. Independence - The IPL must be independent from the cause (initiating event) and other IPLs. Particularly, do not claim an IPL from a control loop where that control loop is the initiating event for the hazard! Dependability - It should be repeatable and expected to function atleast 90% of the time for a single IPL credit. Auditability - The device can be tracked and measured to verify it provides the stated level of protection. Common IPLs BPCS (Control Loop) BPCS loop RRF should not be greater than 10 unless it has been designed to the same standard as a SIF. Do not include a BPCS loop (or alarm) as an IPL if it is taken from the same transmitter that is causing the initiating event! Occupancy (<10%) Occupancy, or time-at-risk, is not strictly an IPL but it is included with the IPLs so the user can account for as part of the SIL selection process. If the probability of an operator being in the area at the time the hazard occurs is less than 10% then this credity may be considered. The user should support some documentation to justify the credit, such as a breakdown of how frequently an operator is near it for normal rounds, how frequently a maintenance person is in the area, etc... Operator Intervention For Operator Intervention to be claimed the alarm should be annunciated to a continuously manned location and there should be proper training for operator response. The operator should be able to recognize, diagnose and respond within a reasonable amount of time before the hazard happens. Some sources use a rule of thumb of 20 minutes as the minimum time needed for an operator to respond to an alarm, in order to justify the credit. Do not take credit for operator intervention if the alarm is taken from the same BPCS loop that is the initiating event! Other This is a user-entered field. Provide description and justification for this credit in the Notes field. IPL Description Select the IPL from the list. Included are common IPLs and the capability to enter a user-defined IPL. More details about IPLs IPL Risk Reduction Factor (RRF) RRF is a measure of how much mitigation that protection layer provides, by reducing the probability the initiating event will propogate to the full hazard. For example, a protection layer with a RRF of 10 decreases the probability of a hazard occurring by a factor of 10. The higher the RRF the better protection the IPL provides. When an IPL is selected the spreadsheet will fill in a RRF commonly used for that IPL. The user can modify the RRF by entering the desired RRF in the spreadsheet. More details about IPLs IPL Notes Enter any description or notes that may be helpful to identify or clarify the use of the IPL More details about IPLs SIF RRF Required RRF = Risk Reduction Factor The RRF Required is the amount of function integrity needed in order to reduce the overall hazard risk to an acceptable level. The higher the RRF Required the higher integrity needed for the function. This functional integrity can be increased by a combination of factors, including testing frequency, device type, device diagnostics and voting arrangement. It correlates to the SIL Rating as show below: Safety Integrity Level (SIL) Probability of Failure on Demand (PFD) for the function Risk Reduction Factor SIL Rating SIL = Safety Integrity Level The SIL is a measure of functional integrity needed in order to reduce the overall hazard risk to an acceptable level. It is correlated to the SIF RRF (above). The higher the SIL level the higher integrity needed for the function. This functional integrity can be increased by a combination of factors, including testing frequency, device type, device diagnostics and voting arrangement. Equipment Tag Enter the equipment identification for all equipment used by the SIF Voting This is the architecture of the equipment subsystem. Although there are many possible architectures, this spreadsheet is programmed to include only the most likely for each subsystem. These include 1oo1, 2oo2, 1oo2 and 2003. Each subsystem can have its own architecture. For example, a single SIF could have 2oo3 sensors, 1oo1 logic solver and 1oo1 final elements. What is an EQUIPMENT SUBSYSTEM? Type Select the equipment type that is currently used for each equipment subsystem in the SIF. This spreadsheet is programmed to include only some of the most likely for each subsystem. The user can also supply their own information by completing the "Custom" fields on the "Data" tab. What is an EQUIPMENT SUBSYSTEM? Description Once the user has selected the equipment type this field will be automatically filled with the device description. Also included in the description are some of the assumptions made when estimating the failure rates. If the function is not developed per the description then the integrity calculation may not calculate the integrity of your function. Be sure to check all the SIL Verification Assumptions to ensure your function is being modeled properly! Failure Rate, dangerous undetected, per hr The equipment failure rate is the rate at which an undetected, function inhibiting failure will occur. When you select a piece of equipment its tentative failure rate is automatically put into this field. The Failure rates included in this spreadsheet are for "generic" devices for each type. They are a conglomeration of industry experience, field data, publically printed information and Failure Modes & Effects studies. They may be MORE or LESS conservative than what you experience at your facility. They should only be used as an approximation and should be replaced by data from your organization, which is tailored to your specific usage, environment and maintenance pattern. The failure rate information can be modified through the "Data" tab. Failure rate is one key component in determining the Risk Reduction Achieved for the SIF. The higher the failure rate the lower the risk reduction achieved and thus the lower the performance. IT IS CRITICAL THAT THE FAILURE RATES USED IN THIS SPREADSHEET BE REVIEWED AND CONFIRMED (OR REVISED) TO ACCOUNT FOR YOUR OWN FACILITY. THIS CAN BE DONE THROUGH REVIEWING INDUSTRY/LOCATION SPECIFIC INFORMATION, EQUIPMENT VENDOR DATA, LOCAL MAINTENANCE RECORDS, OR OTHER METHODS. IF THIS IS NOT DONE THE RESULTS WILL NOT NECESSARILY REFLECT THE RISK REDUCTION ACHIEVED AT YOUR SITE! Test Interval, years Test inteval is the maximum time expected to elapse between full functional test of the SIF. It is a value that must be entered by the user. This spreadsheet assumes a single functional test will be performed that checks starting at the sensing element, through the sensor, through the logic solver and to the final element, where the output action will be observed. Testing should not be done simply by forcing the sensor signal through a device communicator and by forcing the output by manipulating it locally. Test interval is one key component in determining the Risk Reduction Achieved for the SIF. The more frequent the test interval the higher the risk reduction achieved and thus the higher the performance. Max SIL Approved The Max SIL Approved is the highest SIL capable for each subsystem. For sensors, final elements and final element interfaces the Max SIL is determined primarily by what voting has been selected. Not accounting for the benefit of diagnostics, only 1oo2 and 2oo3 voting can be approved for SIL 2 functions. Max SIL Approved is automatically determined by the spreadsheet. In practice the Max SIL also depends on the device type, diagnostic elements, safe-to-dangerous failure ratio and "prior use" claim. For logic solvers these factors ARE included in determining Max SIL. For sensors, final elements and final element interfaces, this spreadsheet does not account for all those factors in determining Max SIL. Refer to IEC-61508 for more details. EACH equipment subsystem must be greater than or equal to the Selected SIL in order for the function to be capable for that SIL level. What is an EQUIPMENT SUBSYSTEM? Probability of Failure on Demand (PFD): The PFD is calculated by the spreadsheet based on the voting arrangement, equipment dangerous failure rate and test interval. The calculation is done as described in the IEC-61511 Technical Reports. The PFD is determined for EACH equipment subsystem for informational purposes. For the complete SIF PFD, the subsystem PFDs are summed. What is an EQUIPMENT SUBSYSTEM? SIF PFD SIF Probability of Failure on Demand (PFD) is the combined PFD for all equipment subsystems that comprise the SIF. It represents the probability that a demand will be placed on the function and the function will fail to respond. The lower the PFD the better safety performance of the function. SIF PFD is dependent upon the voting arrangement, equipment failure rate and test interval for the function. SIF RRF SIF Risk Reduction Factor (RRF) is a measure of the amount of hazard protection that the safety function provides. It is equal to (SIF PFD)^-1. The higher the RRF the better safety performance of the function. SIF RRF is dependent upon the voting arrangement, equipment failure rate and test interval for the function. Does Function meet RRF Required? In order for the function be compatible with IEC-61511 design standards, the function RRF achieved must be greater than or equal to the RRF required. ALSO, the function must have Fault Tolerance criteria satisfied. The function RRF achieved must be greater than or equal to the RRF required because that demonstrates that the function provides sufficient risk reduction for the hazard, as determined by the SIL selection team. Is Fault Tolerance Achieved? In order for the function be compatible with IEC-61511 design standards, the function RRF achieved must be greater than or equal to the RRF required. ALSO, the function must have Fault Tolerance criteria satisfied. Fault Tolerance is a concept that describes how many individual components in the system can fail without compromising the function performance. It is primarily based on architecture, although device characteristics such as safe-to-dangerous failure ratio, diagnostics and device type will also have some impact on Fault Tolerance. As an example (and ignoring device characteristics), 1oo1 and 2oo2 architecture have 0 level of fault tolerance. If any component fails the function will fail to operate. 1oo2 and 2oo3 architecture have 1 level of fault tolerance. Each component has some redundancy so a single failure will still allow the function to operate. IEC-61511 requires that, again ignoring device characteristics, any function that is SIL 2 must have 1 level of fault tolerance, regardless of the RRF achieved. When device characteristics are included it is possible for high- performance subsystems to satisfy this requirement even though a single device is employed. This spreadsheet ignores the effects of diagnostics and other device characteristics for purposes of faul tolerance determination for sensors, final elements and final element interfaces. It is included for logic solvers. Equipment Subsystem A SIF is comprised to four subsystems, Sensor, Logic Solver, Final Element and Final Element Interface. They operate together to provide a response when an abnormal and potentially hazardous situation happens. SENSOR A sensor is the name of the subsystem that directly touches the process material and provides a measurement of atleast one of its properties. Common sensors include level switches, level transmitters, pressure switches/transmitters and thermocouples. LOGIC SOLVER A logic solver is the name of the subsystem that detects the input and allows an action to a final element. A "logic solver", as used in this spreadsheet, can be a programmable or a non-programmable device. Common logic solvers include a PLC, relay or trip amp. FINAL ELEMENT (FE) A final element is the name of the subsystem that takes action to prevent the hazard. It is usually either contacting the process fluid or is as close as possible to contacting the process fluid. Common final elements include a valve or a pump motor starter. FE INTERFACE A final element interface is the name of the subsystem that interposes between the logic solver and final element. It sometimes transduces a signal from one physical form to another. It does not directly contact the process fluid. Common final element interfaces include a solenoid (that dumps air from a shutoff valve) or relay (that closes a motorized valve or stops a pump). 1 2 3 4 10%-1% 1%-0.1% 0.1%-0.01% <0.01% 10-99 100-999 1,000-9,999 >10,000 Sensor List: Ldu Description Generic Float Switch 1.25E-06 Level switch, generic, float type Generic Mechanical Switch 3.60E-06 Level switch, generic, mechanical limit type Generic Radar 5.00E-07 Generic radar, overrange and underrange PLC diagnostics, vote to trip on error Generic Servo Gauge 1.00E-06 Generic servo gauge, mechanical, no diagnostics Other - Custom 1.10E-06 <description of device here> LS List: Ldu Description Max SIL Approved Generic PLC, not SIL rated 6.47E-06 Generic Industrial PLC, no special safety diagnostics 1 Generic Relay 3.00E-07 Generic electromechanical relay, DTT 2 Generic Relay with Trip Amp 5.50E-07 Generic electromechanical relay, DTT, with trip amplifier 1 Generic SIL-3 PLC 1.00E-08 Generic SIL 3 Certified PLC, with diagnostics 3 Other - Custom 1.10E-06 <description of device here> 1 Final Element (FE) List Ldu Description Generic Ball or Globe valve 1.35E-06 Generic air actuated ball or globe valve, spring return, fail safe Generic control valve 4.50E-07 Generic control valve, frequently used for control, indep of initating event Generic motor actuated valve 5.00E-06 Generic motor operated valve Generic pump motor starter 3.00E-07 Generic motor starter circuit, DTT Other - Custom 1.10E-06 <description of device here> FE Interface List Ldu Description Generic 3-way solenoid 8.00E-07 Generic solenoid operated valve, 3-way, DTT Generic interposing relay 1.60E-07 Generic interposing relay, dry contact Other - Custom 1.10E-06 <description of device here> IPL List RRF BPCS (Control Loop) 10 None 1 Occupancy (<10%) 10 Operator Intervention 10 Other 1 Sensor, LS Voting List Max SIL Approved (from IEC Fault Tolerance Table) 1oo1 1 1oo2 2 2oo2 1 2oo3 2 FE, FE Interface Voting List 1oo1 1 1oo2 2 Generic radar, overrange and underrange PLC diagnostics, vote to trip on error Max SIL Approved Generic control valve, frequently used for control, indep of initating event