Date post: | 03-Apr-2018 |
Upload: | josethompson |
7/29/2019 3-4sil
Safety Integrity Level (SIL)
DR. AA
Process Control and Safety Group
SIS
Safety instrumented systems (SIS) are used to provide safe control
functions for processes, e.g. emergency shutdown (ESD), fire
detection and blowdown functions. SIS typically are composed of
sensors, logic solvers and final control elements.
A Safety Instrumented System is designed to prevent or mitigate
hazardous events by taking a process to a safe state when
predetermined conditions are violated.
Other common terms for SISs are safety interlock systems,
emergency shutdown systems (ESD), and safety shutdown
systems (SSD). Each SIS has one or more Safety Instrumented
Functions (SIF).
SIL
SIL stands for Safety Integrity Level. A SIL is a measure of safety
system performance, in terms of probability of failure on demand
(PFD).
A SIL is a statistical representation of the reliability of the SIS when
a process demand occurs.
The higher the SIL is, the more reliable or effective the system is.
To perform its function, a SIF loop has a combination of logic
solver(s), sensor(s), and final element(s). Every SIF within a SIS
will have a Safety Integrity Level (SIL). These SIL levels may be the
same, or may differ, depending on the process.
It is a common misconception that an entire system must have the
same SIL level for each safety function.
SIS and SIL
In the Safety Life Cycle outlined in ISA-S84.01-1996 (ISA, 1996),
steps are included to determine if a SIS (Safety Instrumented
System) is needed and to determine the target SIL (Safety Integrity
Level) for the SIS.
Safety Integrity Level (SIL) | Probability of Failure on Demand, Average Range (PFD Average) | Risk Reduction | Availability (%)
1 | 10^-1 to 10^-2 | 10 to 100 | 90 to 99
2 | 10^-2 to 10^-3 | 100 to 1000 | 99 to 99.9
3 | 10^-3 to 10^-4 | 1000 to 10,000 | 99.9 to 99.99
4 | Below 10^-4 | 10,000 to 100,000 | 99.99 to 99.999
What do these numbers mean in the real world?
SIL 1 means that a dangerous failure is probable once
every 11.5 to 114 years of continuous operation.
SIL 2 means that a dangerous failure is probable once
every 114 to 1,141 years of continuous operation.
SIL 3 means that a dangerous failure is probable once
every 1,141 to 11,410 years of continuous operation.
SIL 4 is defined but is unnecessarily high for machine
safety applications and is considered economically not
practical (unless you are in the nuclear .
SIL levels
Event Likelihood | Consequence: Catastrophic | Major | Severe | Minor
Frequent | SIL 4 | SIL 3 | SIL 3 | SIL 2
Probable | SIL 3 | SIL 3 | SIL 3 | SIL 2
Occasional | SIL 3 | SIL 3 | SIL 2 | SIL 1
Remote | SIL 3 | SIL 2 | SIL 2 | SIL 1
Improbable | SIL 3 | SIL 2 | SIL 1 | SIL 1
Negligible / Not Credible | SIL 2 | SIL 1 | SIL 1 | SIL 1
SIL Misconception
It is a very common misconception that individual products or
components have SIL ratings. Rather, products and components
are suitable for use within a given SIL environment, but are not
individually SIL rated. SIL levels apply to safety functions and
safety systems (SIFs and SISs).
The logic solvers, sensors, and final elements are only suitable for
use in specific SIL environments, and only the end user can
ensure that the safety system is implemented correctly.
The equipment or system must be used in the manner in which it
was intended in order to successfully obtain the desired risk
reduction level. Just buying SIL 2 or SIL 3 suitable components
does not ensure a SIL 2 or SIL 3 system.
Standards and Regulations relating to SIL Analysis
ANSI/ISA-SP-84.01, "Application of Safety Instrumented Systems
for the Process Industries," Instrument Society of America
Standards and Practices, 1996.
IEC-61508, "Functional Safety: Safety Related Systems,"
International Electrotechnical Commission, Technical Committee
(1998).
IEC-61511, "Functional Safety: Safety Instrumented Systems for
the process industry sector", International Electrotechnical
Commission, Technical Committee (Draft).
"Programmable Electronic Systems in Safety Related
Applications", Health and Safety Executive, U.K., 1987.
29 CFR Part 1910, "Process Safety Management of Highly
Hazardous Chemicals; Explosives and Blasting Agents",
Occupational Safety and Health Administration, 1992.
Question !!!
ENGINEER: "Why is this existing interlock SIL 2?"
RISK ANALYST: "I don't know off the top of my head.
What does the documentation say?"
ENGINEER: "It was set in a safety review. And you were
there!"
RISK ANALYST: "Beats me! It doesn't look like it should
be SIL 2 when I look at it now."
So, how do we determine the required SIL?
Target SIL
ANSI/ISA S84.01 and IEC 61508 require that companies
assign a target SIL for any new or retrofitted SIS.
The assignment of the target SIL is a decision requiring
the extension of the Process Hazards Analysis (PHA).
The assignment is based on the amount of risk
reduction that is necessary to mitigate the risk
associated with the process to an acceptable level.
All of the SIS design, operation and maintenance
choices must then be verified against the target SIL.
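An added example (not part of the original slides) covering both the "SIL Misconception" and "Target SIL" slides: parts that each fall in a SIL 2 or better band do not make a SIL 2 loop, and a maintenance choice (the proof test interval) changes the achieved SIL. It goes beyond the slides by using the common simplified relation PFDavg = lambda_DU x TI / 2 per channel and summing the parts of a series loop; the failure rates, part names and function names are constructed assumptions.

```python
HOURS_PER_YEAR = 8760

# PFDavg bands from the table on this page: (SIL, lower bound, upper bound).
SIL_BANDS = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]

def sil_for_pfd(pfd_avg):
    """Return the SIL band a PFDavg falls in; 0 means worse than SIL 1."""
    if pfd_avg < 1e-5:
        return 4  # better than the lowest band listed in the table
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd_avg < upper:
            return sil
    return 0

def pfd_1oo1(lambda_du_per_hour, test_interval_years):
    """Simplified PFDavg of a single channel: lambda_DU * TI / 2."""
    return lambda_du_per_hour * test_interval_years * HOURS_PER_YEAR / 2

def verify_sif(parts, test_interval_years, target_sil):
    """Verify a series loop (sensor -> logic solver -> final element).

    Any one part failing dangerously defeats the function, so for small
    values the loop PFDavg is approximately the sum of the part PFDavgs.
    """
    per_part = {name: pfd_1oo1(lam, test_interval_years)
                for name, lam in parts.items()}
    loop_pfd = sum(per_part.values())
    achieved = sil_for_pfd(loop_pfd)
    return {
        "per_part_sil": {name: sil_for_pfd(p) for name, p in per_part.items()},
        "loop_pfd": loop_pfd,
        "risk_reduction": 1 / loop_pfd,
        "achieved_sil": achieved,
        "meets_target": achieved >= target_sil,
    }

# Constructed dangerous-undetected failure rates (per hour), not vendor data.
LOOP = {"pressure_transmitter": 6e-7, "logic_solver": 5e-8, "shutdown_valve": 1.8e-6}

if __name__ == "__main__":
    for interval in (1.0, 0.5):  # proof test every 12 months, then every 6
        result = verify_sif(LOOP, interval, target_sil=2)
        print(interval, result["per_part_sil"], f"{result['loop_pfd']:.3e}",
              result["achieved_sil"], result["meets_target"])
```

With yearly proof testing every part lands in the SIL 2 band or better, yet the loop only reaches SIL 1; halving the test interval brings the same hardware into the SIL 2 band.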
How do we determine the right SIL - 1
The modified HAZOP method in CCPS (1993) and in the informative
annex of S84.01 depends on the team comparing the consequence
and frequency of the impact event with similar events in their
experience, and then choosing an SIL.
If the event being analyzed is worse or more frequent, then they
would choose a higher SIL. It is very much in the experience and
judgment of the team.
Thus, the SIL chosen may depend more on whether a team
member knows of an actual impact event like the one being
analyzed, and it may depend less on the estimated frequency of
the event.
How do we determine the right SIL - 2
The safety layer matrix listed in CCPS (1993) and in the
informative annex of S84.01 (p49) uses categories of
frequency, severity, and effectiveness of the protection
layers.
The categories are described in general terms and
some calibration would be needed to get consistent
results.
The matrix was originally developed using quantitative
calculations tied to some numeric level of unacceptable
risk (Green, 1993).
How do we determine the right SIL - 3
The consequences-only method (mentioned in S84.01)
evaluates only the severity of the unmitigated
consequence.
If the severity is above a specified threshold, a
specified SIL would be required.
This method does not account for frequency of
initiating causes; it assumes all causes are "likely".
It is recognized that this method may give a higher
required SIL than other methods.
The perceived trade-off is reduced analysis time. On
the other hand, for events whose causes have a high
frequency, this method could give a lower SIL.
How do we determine the right SIL - 4
The fault tree analysis (FTA) method quantitatively
estimates the frequency of the undesired event for a
given process configuration.
If the frequency is too high, an SIS of a certain SIL is
added to the design and incorporated into the FTA. The
SIL can be increased until the frequency is low enough
in the judgment of the team.
FTA requires significant resources.
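An added example (not part of the original slides) of the FTA loop described above: evaluate the top-event frequency, add an SIS branch, and raise its SIL until the frequency is tolerable. The tree, event names, frequencies, probabilities and the numeric tolerable frequency (standing in for the team's judgment) are constructed assumptions, and each SIL is conservatively credited with the worst PFD of its band from the table on this page.

```python
# Worst-case PFDavg credited to each SIL (upper edge of its band in the table).
PFD_CREDIT = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}

def evaluate(node):
    """Return (value, kind) for a tree node; kind is 'freq' (per year) or 'prob'."""
    op = node[0]
    if op in ("freq", "prob"):          # leaf: (kind, label, value)
        return node[2], op
    values, kinds = zip(*(evaluate(child) for child in node[1]))
    if op == "OR":
        if len(set(kinds)) != 1:
            raise ValueError("OR inputs must be all frequencies or all probabilities")
        if kinds[0] == "freq":          # rare-event approximation: frequencies add
            return sum(values), "freq"
        none_occur = 1.0
        for p in values:
            none_occur *= 1.0 - p
        return 1.0 - none_occur, "prob"
    if op == "AND":
        if kinds.count("freq") > 1:
            raise ValueError("AND takes at most one frequency input")
        product = 1.0
        for v in values:
            product *= v
        return product, ("freq" if "freq" in kinds else "prob")
    raise ValueError(f"unknown gate {op!r}")

def overpressure_tree(sis_pfd=None):
    """Top event: vessel overpressure. The SIS branch exists only once one is added."""
    causes = ("OR", [("freq", "control valve fails open", 0.1),
                     ("freq", "cooling water lost", 0.05)])
    layers = [causes, ("prob", "operator misses alarm", 0.1)]
    if sis_pfd is not None:
        layers.append(("prob", "SIS fails on demand", sis_pfd))
    return ("AND", layers)

def select_sil(tolerable_per_year):
    """Raise the SIL until the top event is tolerable; 0 means no SIS is needed."""
    freq, _ = evaluate(overpressure_tree())
    if freq <= tolerable_per_year:
        return 0, freq
    for sil in sorted(PFD_CREDIT):
        freq, _ = evaluate(overpressure_tree(PFD_CREDIT[sil]))
        if freq <= tolerable_per_year:
            return sil, freq
    return None, freq                   # even SIL 4 is not enough: change the process

if __name__ == "__main__":
    print(select_sil(1e-4))
```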