7/28/2019 Quant Sil 1/40
Copyright 2002, exida.com
exida.com: excellence in dependable automation
Quantitative SIL Selection
On-line Lesson
[Figure: Safety Integrity Level table (SIL 1 to SIL 4, with the average probability of failure on demand in low demand mode and the corresponding risk reduction factor); the table is given in full on the Safety Integrity Levels slide.]
Prerequisite Lessons
Introduction to Safety Instrumented Systems
The Safety Lifecycle
It is recommended that the exida on-line lessons Introduction to Safety Instrumented Systems and The Safety Lifecycle be taken by anyone not well versed in these topics before proceeding with this lesson.
Companion Lessons
Process Hazards Analysis
ALARP and Tolerable Risk
Consequence Analysis Overview
Introduction to Likelihood Analysis
Layer of Protection Analysis (LOPA)
Qualitative SIL Selection
Since Quantitative SIL Selection encompasses so many different aspects, it is recommended that the lessons listed above, each covering a specific component of the larger SIL selection process, be used as companions to this lesson to provide a more complete understanding of the overall process.
Quantitative SIL Selection Overview
Topics:
Risk and the Context of SIL Selection
Safety Instrumented Functions
Consequence
Likelihood
Risk integrals approach
Required risk reduction
leading to SIL assignment
[Figure: Safety lifecycle (SLC) analysis phase, boxes 1 to 5: Concept; Overall Scope Definition; Hazard & Risk Analysis; Overall Safety Requirements; Safety Requirements Allocation.]
The lesson starts with the safety lifecycle (SLC) context of SIL selection and a brief review of risk. The lesson continues with a brief description of the safety instrumented functions (SIFs) to which the SILs are to be assigned. Next the lesson addresses the consequence and likelihood components of risk in more detail as they relate to identifying the existing level of risk in a process or piece of equipment, including how to determine a hazard's consequence and how the likelihood of a hazard can be quantitatively determined. Then the lesson considers the combination of multiple outcomes based on the risk integrals approach. Finally, based on the difference between the existing risk and the tolerable risk level identified and approved by the organization in question, the risk reduction requirement for the specific SIF can be determined and the SIL assignment made.
Detailed Safety Lifecycle
[Figure: Detailed Safety Lifecycle flowchart. Boxes and data flows recoverable from the slide:
ANALYSIS Phase (End User / Consultant): Conceptual Process Design; Identify Potential Risks (Process Information in, Potential Hazards out); Assess Potential Risk Likelihood by Layer of Protection Analysis (inputs: Event History, Layers of Protection, Failure Probabilities; output: Hazard Frequencies); Analyze Potential Risk Magnitude by Consequence Analysis (inputs: Consequence Database, Hazard Characteristics; output: Hazard Consequences); SIS Required? (No: Develop non-SIS Layers; Yes: Select Target SIL using Tolerable Risk Guidelines, output: Target SILs); Develop Safety Specification; Safety Requirements Specification (functional description of each Safety Instrumented Function, target SIL, mitigated hazards, process parameters, logic, bypass/maintenance requirements, response time, etc.); Safety Requirements Allocation.
REALIZATION (Vendor / Contractor / End User): SIS Conceptual Design (Select Technology, Select Architecture, Determine Test Philosophy); Reliability, Safety Evaluation (inputs: Failure Data Database, Manufacturers Failure Data, Manufacturers Safety Manual; output: SILs Achieved); SIL Achieved? (No: revise the conceptual design; Yes: SIS Detailed Design); Detailed Design Documentation (loop diagrams, wiring diagrams, logic diagrams, panel layout, PLC programming, installation requirements, commissioning requirements, etc.); Installation & Commission Planning; Validation Planning; Operating and Maintenance Planning.
OPERATION (End User / Contractor): SIS Installation, Commissioning and Pre-startup Acceptance Test (input: Manufacturers Installation Instructions); Validation: Pre-startup Safety Review; SIS startup, operation, maintenance, Periodic Functional Tests; Modify, Decommission? (Modify: return to the analysis phase; Decommission: SIS Decommissioning; Exit).]
This slide shows a more detailed drawing of the safety lifecycle. In the analysis phase, hazards are identified and risk reduction targets are established for each hazard. For some hazards, a safety instrumented function (SIF) is defined in order to reduce risk. In these cases, a Safety Integrity Level or SIL is selected for that SIF to achieve the required risk reduction.
How to Select a SIL
Determine tolerable risk
Identify potential hazards
Identify prospective SIFs to address these specific hazards
Identify existing unmitigated risk based on consequence and likelihood analysis
Determine how much risk reduction is needed to give a tolerable risk
  Quantitative methods give specific numerical targets for risk reduction
  Qualitative methods group numerical targets into broader categories of risk reduction
The SIL selection process is essentially a systematic approach used to: establish the difference between the existing level of risk and that which can be tolerated; identify specific individual functions to address these risks; and assign the SIL to specify how robust these functions must be to actually achieve the required risk reduction.
The quantitative method shown in this lesson will help determine a specific numerical target for the risk reduction.
NOTE: The qualitative methods introduced in the exida.com on-line lesson Qualitative SIL Selection group numerical targets into broader categories of risk reduction to achieve the same general purpose.
What Is Risk?
Risk is a measure of the likelihood and consequence of an adverse effect, i.e., how often can it happen and what will be the effects if it does?
Risk receptors:
Personnel
Environment
Equipment/Property Damage
Business Interruption
Business Liability
Company Image
Lost Market Share
The definition of risk includes components of likelihood and consequence, which both contribute to the risk for each hazard. Hazardous events often have consequences that cause harm in multiple areas to receptors such as personnel, environment, equipment, etc. These different hazardous events are identified and characterized as part of a Hazard and Risk Assessment process described in detail as part of the exida Process Hazards Analysis on-line lesson.
ALARP and Tolerable Risk
[Figure: ALARP risk regions on a scale from Negligible Risk to High Risk. Intolerable Region above an individual risk of about 10^-3/yr (workers) or 10^-4/yr (public); ALARP or Tolerable Region between; Broadly Acceptable Region below 10^-6/yr.]
Since risk is present in all human activities, some level of risk must be tolerated in any system. The challenge is in determining what that level of risk is for a given organization. The general principle of tolerable risk put forward in the IEC standards is that some risks are completely intolerable and should not be undertaken, some risks are broadly acceptable and should not be worried about, and some risks fall in the middle. These middle-level risks should be reduced to a level As Low as Reasonably Practicable, or ALARP. Specific values of these risk levels are often a point of debate. The values noted in this slide are from the UK Health and Safety Executive, the originators of the ALARP concept, and are provided for information purposes, not as recommendations for any particular situation.
Paths to Risk Reduction
[Figure: Paths to Risk Reduction. Axes: Likelihood and Consequence, with risk increasing away from the origin; regions labeled Acceptable Risk Region, ALARP Risk Region and Unacceptable Risk Region. Starting from the Inherent Risk of the Process (i.e., no mitigation), non-SIS consequence reduction (e.g., containment dikes) and non-SIS likelihood reduction (e.g., relief valves) lead to the Risk after non-SIS Mitigation; SIS Risk Reduction, in SIL 1, SIL 2 or SIL 3 steps, then leads to the Final Risk after Mitigation.]
Risk reduction can be accomplished using different techniques, including methods to reduce both the consequences and likelihood of any harm. One specific method of risk reduction, primarily directed at the likelihood aspect, is through automatic protection systems called Safety Instrumented Systems. These systems carry out specific functions to bring the process or equipment to a safe state. The ability of these systems to carry out each of these functions when required is measured by the corresponding safety integrity level (SIL). Thus the SIL corresponds to the level of risk reduction required to change the existing unmitigated risk enough to achieve a level of risk that can be tolerated by the organization in question.
Safety Instrumented Functions
A specific single set of actions and the corresponding equipment needed to identify a single emergency and act to bring the system to a safe state.
A SIL is assigned to each SIF based on the required risk reduction.
Different from a SIS, which can encompass multiple functions and act in multiple ways to prevent multiple harmful outcomes.
A SIS may have multiple SIFs with different individual SILs, so it is incorrect and ambiguous to define a SIL for an entire safety instrumented system.
An individual Safety Instrumented Function (SIF) is designed to identify the need and then act to bring the system to a safe state for each hazard scenario. The effectiveness of the risk reduction is measured by the function's risk reduction factor (often expressed as a Safety Integrity Level). The required risk reduction is the gap between the process risk before the SIF and the tolerable level of risk to be achieved for that process or piece of equipment; in the quantitative method this gap is expressed as the ratio of the two.
It is important to note that a SIF is an individual function and a SIS can include multiple functions, so the SIL refers to each SIF rather than to the entire safety instrumented system.
Safety Integrity Levels
Safety Integrity Level   Probability of failure on demand, average (low demand mode of operation)   Risk Reduction Factor
SIL 4                    >= 10^-5 to < 10^-4                                                        > 10,000 to <= 100,000
SIL 3                    >= 10^-4 to < 10^-3                                                        > 1,000 to <= 10,000
SIL 2                    >= 10^-3 to < 10^-2                                                        > 100 to <= 1,000
SIL 1                    >= 10^-2 to < 10^-1                                                        > 10 to <= 100
RRF = 1 / PFDavg (IEC 61508 / IEC 61511, low demand mode of operation).
Calculating Risk
In quantitative analysis, risk associated with a hazardcan be calculated using the following formula:
Risk = Consequence * Likelihood
Example Hazard: Consequence of harmful outcome is two fatalities
Likelihood of harmful outcome is once every ten years
Risk from the hazard is 0.2 fatalities per year
In quantitative analysis, the risk associated with a hazard can be calculated by multiplying the consequence of a harmful outcome and the likelihood or frequency of it taking place.
As an example, assume a hazard with an outcome consequence of two fatalities. Furthermore, assume that the likelihood of the hazard leading to the harmful outcome is once every ten years.
The risk of the hazard, obtained by simple multiplication, is then 0.2 fatalities per year.
Basic Consequence Analysis Concepts
One hazard can lead to one or more outcomes with multiple receptors
Each aspect of the harmful outcome is measured in different units:
  Personnel: fatalities; injuries
  Environment: toxic releases; clean-up efforts, US $
  Equipment/Property Damage: US $
  Etc.
As shown before, there can be several potential risk receptors for a specific hazard. With a separation column rupture, for example, the rupture energy itself can cause fatalities and injuries to personnel; it might cause a toxic release with other injuries or fatalities; environmental clean-up efforts could be required after the rupture; and the loss of the column could lead to plant down time. Each of the aspects of the consequence is measured in its own units. Fatalities are measured in number of deaths; injuries may be measured in number of injuries scaled by severity; environmental impacts are quantified individually; and clean-up efforts, potential fines, damage to corporate image, and down time are measured financially.
Tolerable Risk Level and
Consequence Receptors
Tolerable risk is a sensitive topic
It is difficult to convert between personnel, environmental, and cost receptors
Organizations often set specific levels of tolerance in each different receptor category
Combining impacts into a single variable allows more rigorous mathematical analysis
Because of the sensitivity of the concept of tolerable risk and the difficulty in converting between the effects on different receptors, organizations often set different specific risk levels that are tolerable in each different area. In some cases, to enable more rigorous mathematical analysis, all of the different consequence impacts can be converted into a single value, which is often financial cost.
Tolerable Risk Level and
Consequence Receptors
Example: Maximum risk tolerance of 0.0005 fatal accidents per person per year, 0.005 injuries per person per year, 0.01 significant environmental releases per plant per year, $500,000 in business loss per plant per year, etc.
Valuing loss of life at $10,000,000, environmental damage at 1.5x clean-up cost, and business losses at actual value, optimize the cost-benefit impact of all safety systems.
These multiple risk criteria can be expressed on the basis of a plant or an individual as appropriate. In most cases, individual tolerable risk criteria are followed for personnel safety. To combine risks into a single cost category, conversion factors must be developed and applied according to uniform, agreed guidelines.
Methods of
Consequence Analysis
Consequences can require extremely involved analysis
  Fire: how much material; what kind of fire
  Explosion: pressure energy; chemical energy
  Toxic release: concentration limits; weather conditions
The detailed methods of consequence analysis are beyond the scope of this lesson. These analyses often involve extremely complex calculations, especially in the cases of explosions, fires, and toxic releases where the magnitude of the consequence depends on the dispersion of material. Further information is available in the exida on-line course Consequence Analysis Overview, although the detailed practice of these techniques often requires months or years of training and experience.
Results of Consequence
Analysis
Different potential outcomes identified
Magnitude of each outcome from the perspective of each receptor: Personnel; Environment; Financial
Group consequence components according to the safety instrumented function capable of preventing them
Once one has completed the detailed consequence analysis, there should be a list of potential harmful outcomes and a corresponding list of the magnitude of the harm to each of the different receptor categories. These can then be categorized by the potential safety instrumented functions identified in the hazards analysis that could act to prevent these outcomes.
Consequence Results:
Column Rupture Case
The consequences of a column rupture are determined as follows:
Personnel: 3 fatalities (3 * 10 M$), 15 injuries (15 * 1.0 M$)
Environment: no exceptional toxic release (0 $, no fine), internal clean-up activities (0.5 M$)
Equipment: new column/installation (4.5 M$)
Business Interruption: 25% lost production for 3 months (50 M$)
Business Liability: direct customer contract losses (25 M$)
Company Image: no additional cost not already considered
Lost Market Share: customers go to competitor(s) (15 M$)
Total column rupture hazard consequence is 140 M$
Using the single variable approach, it is possible to express each consequence in that variable as shown on this slide. The total hazard consequence can now be readily determined by adding the consequences of each receptor in terms of the single variable. Assuming that the hazard will cause all of these traceable impacts, the total cost of the column rupture outcome is 30 + 15 + 0.5 + 4.5 + 50 + 25 + 15 = 140 M$.
Note that in this case, the decrease in company image caused by the hazard was determined to be accounted for in the other categories and no additional cost was assessed in the analysis.
Event Likelihood / Frequency
Event likelihood according to draft IEC 61511 (dIEC 61511), Part 3
Refers to a frequency, such as the number of events per year or per million hours
Note this is different from the common English definition equating it to probability
The likelihood of a hazard is defined as the frequency of the harmful outcome event. This is most often expressed in units of events per year or events per million hours. Because it is a frequency (a rate with units of 1/time) and not a dimensionless probability, it can exceed 1, as in the 5 per year initiating event used on the next slide.
LOPA for Column Rupture
[Figure: LOPA event tree]
Initiating event: Loss of cooling water, 5/yr
Protection layers, each with its probability of failure on demand (success of any layer ends in No event):
  #1 Process design: 0.01
  #2 Operator response: 0.15
  #3 Pressure relief valve: 0.05
  #4 No ignition: 0.76
Outcome when all four layers fail: Column Rupture (Explosion), 2.85*10^-4/yr
Likelihood analysis is often done using Layer of Protection Analysis (LOPA) techniques. The LOPA event tree to determine the likelihood of the column rupture with explosion is shown in the slide.
The likelihood of the initiating event, loss of cooling water, is 5 per year. There are four independent protection layers, each with a probability of failure:
Inherent safety of the process design, probability of failure is 0.01
Operator response, probability of failure is 0.15
Pressure relief valve, probability of failure is 0.05
No ignition, probability of failure is 0.76
The column rupture likelihood can be determined by multiplying the loss of cooling water likelihood by the probability of failure of each of the protection layers. The resulting column rupture likelihood is then 5/yr * 0.01 * 0.15 * 0.05 * 0.76 = 2.85*10^-4 /yr.
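The event tree above, worked as an added Python example that is not part of the exida lesson. The initiating-event frequency and the four layer PFDs are the slide's figures entered as constructed input. Beyond the slide's single multiplication, it produces the frequency of every "No event" branch, the demand rate each layer actually sees, a conservation check that all branches add back to the initiating frequency, and the mitigated frequency once a SIF is added as one more independent layer. The SIF PFDavg used in that last step is an assumed value, not one from the page.

```python
"""LOPA event tree for the column rupture case.

Added example, not code from the exida lesson. The initiating-event frequency
and the protection-layer failure probabilities are the lesson's figures,
entered here as constructed input.
"""

INITIATING_FREQ = 5.0            # loss of cooling water, events per year
LAYERS = [                       # (protection layer, probability of failure on demand)
    ("Process design", 0.01),
    ("Operator response", 0.15),
    ("Pressure relief valve", 0.05),
    ("No ignition", 0.76),
]
FINAL_OUTCOME = "Column rupture with explosion"


def event_tree(initiating_freq, layers):
    """Frequency of every branch of the event tree, as {outcome: events/yr}.

    Layers are treated as independent of one another (a LOPA requirement).
    A layer that works terminates its branch as 'No event'; a layer that
    fails passes the demand on to the next layer.
    """
    branches = {}
    demand = initiating_freq
    for name, pfd in layers:
        if not 0.0 <= pfd <= 1.0:
            raise ValueError(f"{name}: PFD {pfd} is not a probability")
        branches[f"No event ({name} works)"] = demand * (1.0 - pfd)
        demand *= pfd                     # demands that get past this layer
    branches[FINAL_OUTCOME] = demand
    return branches


def hazard_frequency(initiating_freq, layers):
    """Frequency of the final outcome: initiating event and every layer failing."""
    return event_tree(initiating_freq, layers)[FINAL_OUTCOME]


def demand_rates(initiating_freq, layers):
    """Demands per year arriving at each layer, in layer order.

    Shows how often each layer is exercised and what demand rate a SIF placed
    after these layers would see (relevant to the low-demand assumption
    behind PFDavg)."""
    rates, demand = [], initiating_freq
    for _, pfd in layers:
        rates.append(demand)
        demand *= pfd
    return rates


def frequencies_sum_to_initiating(initiating_freq, layers, tol=1e-9):
    """Sanity check: every demand ends in exactly one branch."""
    total = sum(event_tree(initiating_freq, layers).values())
    return abs(total - initiating_freq) < tol


def with_sif(initiating_freq, layers, sif_pfd):
    """Mitigated hazard frequency once a SIF with the given PFDavg is added
    as one more independent protection layer (sif_pfd is an assumed value)."""
    return hazard_frequency(initiating_freq, layers + [("SIF", sif_pfd)])


if __name__ == "__main__":
    for outcome, freq in event_tree(INITIATING_FREQ, LAYERS).items():
        print(f"{outcome:<42s} {freq:.3e} /yr")
    print("branches sum to initiating frequency:",
          frequencies_sum_to_initiating(INITIATING_FREQ, LAYERS))
    print("demands per year at each layer:", demand_rates(INITIATING_FREQ, LAYERS))
    print("with an assumed SIF at PFDavg 1e-3:",
          f"{with_sif(INITIATING_FREQ, LAYERS, 1e-3):.3e} /yr")
```

The conservation check is the one a reviewer applies first to any LOPA sheet: if the branch frequencies do not add back to the initiating frequency, a layer has been double counted or a branch omitted. Note also that "No ignition" is, strictly, a conditional modifier (the probability that a release finds an ignition source) rather than an independent protection layer; the lesson treats it as a fourth layer, and the arithmetic is the same either way.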
Considering All the Impacts
Outcomes must be expressed in the same terms as the tolerable risk limits
For the single variable method, this involves the conversion factors mentioned earlier
Risk integral approach
The risk integral approach can also be applied to the personnel and financial components of risk independently of each other
Once the likelihood and consequence analysis results are complete, they must be combined to determine the existing risk. In order to combine the consequences of the potential harmful outcomes related to a single SIF and compare them to the tolerable risk, they must be expressed in the same terms as the tolerable risk levels. No matter whether the consequence is expressed as a single overall cost or loss variable or whether personnel impacts are kept separate from financial impacts, it is possible to use a risk integral approach to continue the SIL selection process.
Risk Integral Definition
Risk integrals are a measure of the total expected loss
A summation of likelihood and consequence for all potential loss events
Risk integrals are a measure of the total expected loss, i.e., a summation of the likelihood times consequence for all potential loss events that are being considered.
In the case of Safety Instrumented System (SIS) design, this would be all of the consequences that are prevented by a single Safety Instrumented Function (SIF).
Risk Integral Equation
The nominal equation for the risk integral is:
$RI = \sum_{i=1}^{N} C_i \, F_i$
where
RI = risk integral
N = number of hazardous events
C_i = consequence of event i (in terms of fatalities for a loss of life calculation)
F_i = frequency of event i
In mathematical form, this summation includes a consequence times frequency risk contribution to the total for each event in question.
Risk Integral Application
Risk integrals require a single loss variable
  Can be across all receptors converted to financial terms
  Can be across financial receptors only, in monetary cost terms
  Can also be across personnel receptors only, in equivalent or probable loss of life (PLL) terms; PLL can take on fractional values
The key requirement for using risk integrals is applying a single loss variable to the system in question. This can easily be done if all of the harm is expressed or converted to financial units. Risk integrals can also be applied to personnel safety consequences through the use of probable loss of life or PLL. The important aspect of PLL is that it can take on fractional values, i.e., an injury event can have a PLL of 0.1 or some other value less than one representing the severity of the event in these probable loss of life terms.
Risk Integral Advantages
Risk integrals are a measure of the expected loss: a summation of likelihood and consequence for all potential loss events for the SIF and category in question
Advantages of risk integral targets:
Risk is a single number, ideal for decision-making
Considers multiple fatality events
Diverse risks expressed on a uniform basis, essential for cost-benefit analysis
Risk integrals are only now gaining acceptance in the design-engineering field as a means of measuring risk. Risk integrals have several advantages over other methods for measuring risk:
The single risk variable is easy to use in optimization and decision-making
The risk considers the impact of multiple fatality events
Different risks can be considered on a uniform financial basis for cost-benefit analysis
As a result of these advantages, the risk integrals of Probable Loss of Life (PLL) for personnel safety and Expected Value for overall financial impact are ideal for risk reduction design engineering.
One property to keep in mind: because the integral is a plain sum of consequence times frequency, a single six-fatality event at 0.01/yr contributes exactly as much as six separate one-fatality events at 0.01/yr each. The integral includes multiple fatality events but is neutral toward them; an organization that wants additional aversion to large events needs a separate criterion for that, such as an F-N curve.
Risk Integral Personnel Example
Consider the case where the following results are available from the consequence and likelihood analyses for a group of outcomes that can be prevented by the single SIF:
What is the risk integral for that particular SIF in terms of PLL per year?
Outcome                          Probable Loss of Life (PLL)   Frequency (events per year)
Vessel rupture with pool fire    0.5                           0.1
Vessel rupture with flash fire   1                             0.1
Vessel rupture with explosion    6                             0.01
Vessel rupture with spill only   0.01                          0.2
This heated vessel rupture example considers the different outcomes that could be prevented by a SIF that senses an extreme high pressure and acts to open a separate dedicated valve to relieve that pressure to a safe venting system.
Risk Integral Personnel Example
Multiplying each consequence by its corresponding frequency and summing the results at the bottom right gives the total risk integral for this pressure relief SIF of PLL = 0.21 fatalities per year.
Outcome                          Probable Loss of Life (PLL)   Frequency (events per year)   Risk Component (PLL per year)
Vessel rupture with pool fire    0.5                           0.1                           0.050
Vessel rupture with flash fire   1                             0.1                           0.100
Vessel rupture with explosion    6                             0.01                          0.060
Vessel rupture with spill only   0.01                          0.2                           0.002
Total Risk Integral                                                                          0.212
This heated vessel example considers the different outcomes that could be prevented by a SIF that senses an extreme high vessel pressure and acts to open a separate dedicated valve to relieve that pressure to a safe venting system. It is important to note that the risk calculated here is for the system without the SIF present. The total of 0.212 PLL per year is rounded to 0.21 in the slides that follow.
Single Event Risk Example
Using the consequence and likelihood values determined for the single event column rupture and explosion hazard, calculate the inherent risk.
Consequence = 140 M$
Likelihood = 2.85 x 10^-4 per year
For the column rupture example described earlier in the lesson, both the consequence and the likelihood have been determined, as 140 M$ and 2.85*10^-4 events per year respectively.
Single Event Risk Example
Inherent risk = 140 M$ * 2.85*10^-4 /yr = 39,900 [US $ / year]
Risk = Consequence * Likelihood
The column rupture inherent risk is simply calculated by multiplying 140 M$ by 2.85*10^-4 /yr, which yields an inherent risk of 39,900 [US $ / year].
What Is the Required Risk Reduction?
Now the required risk reduction factor (RRF) can easily be calculated.
Input parameters are:
The unmitigated risk before any safety system
The established tolerable risk level
RRF = unmitigated risk / tolerable risk
Given the inherent, unmitigated risk resulting from a consequence and likelihood analysis along with the tolerable risk, the required risk reduction factor that a SIF needs to achieve can be calculated by dividing the inherent risk by the tolerable risk.
As noted earlier, it is important to make sure that the inherent risk or risk integral and the tolerable risk are expressed in the same units.
Risk Reduction Example 1
Given the heated vessel pressure relief SIF example with its PLL of 0.21 fatalities per year and a tolerable risk level of 0.001 fatalities per year, what is the required risk reduction?
All that is needed for the heated vessel pressure relief SIF example is the tolerable risk in terms of probable loss of life per year.
Risk Reduction Example 1
Given the heated vessel pressure relief SIF example with its PLL of 0.21 fatalities per year and a tolerable risk level of 0.001 fatalities per year, what is the required risk reduction?
RRF = 0.21 PLL per year / 0.001 PLL per year = 210
Thus dividing the existing unmitigated risk by the tolerable risk gives the required risk reduction factor of 210.
Risk Reduction Example 2
A SIF is being considered to prevent the column rupture and explosion event described earlier
Consequence = 140 M$, including personnel, environment, equipment, etc.
Likelihood = 2.85*10^-4 /yr, after accounting for all layers of protection
A low-cost, low-performance SIL 1 SIF can provide a risk reduction factor of 10 for $5,000 per year net cost
A higher-cost, higher-performance SIL 2 SIF can provide a risk reduction factor of 100 for $20,000 per year net cost
Which system should be selected?
Considering the column rupture and explosion example developed earlier along with the safety system cost data, which SIF option should be chosen?
Risk Reduction Example 2
This example can be solved by calculating the annual cost associated with the risk of each option.
For the case with no safety system, the cost of the hazard is $39,900 per year
With the first case low-cost system, the RRF of 10 reduces the hazard cost to $39,900/10 = $3,990 per year, while the system itself adds $5,000 per year for a total $8,990 overall annual cost, or a net savings of $30,910 relative to no safety system
Putting each case on an annual cost basis clarifies the choice significantly. Since the first option provides about $31,000 per year in savings relative to doing nothing, it has significant potential.
Risk Reduction Example 2
Considering the second option in the same way as the first:
For the case with no safety system, the cost of the hazard is $39,900 per year
With the second case higher-cost, higher-performance system, the RRF of 100 reduces the hazard cost to $39,900/100 = $399 per year, while the system itself adds $20,000 per year for a total $20,399 overall annual cost, or a net savings of $19,501 relative to no safety system
Thus the SIL 1 SIF is the best option, with the greatest savings of about $31,000 per year relative to doing nothing.
Option        Cost of Risk   Cost of System   Total Cost   Total Savings
Do nothing    $39,900        $0               $39,900      $0
SIL 1 SIF     $3,990         $5,000           $8,990       $30,910
SIL 2 SIF     $399           $20,000          $20,399      $19,501
Although the higher performance system reduces the risk cost to only $399 per year, its $20,399 per year total cost pushes it to a lower level of savings than the SIL 1 SIF option. Thus the SIL 1 SIF is the best option for this situation.
Note that this comparison is purely financial. The chosen SIF must still independently meet whatever personnel or environmental tolerable-risk criterion applies (see the Multiple Receptors per SIF slide); a financial optimum cannot be used to lower a SIL that those criteria require.
Multiple Receptors per SIF
Occasionally a set of tolerable risk levels and risk estimates gives different risk reduction factors depending on the personnel, environmental, or financial receptors considered:
Personnel RRF = 1000
Environmental RRF = 300
Financial RRF = 150
Choose the highest RRF = 1000 for specifying the system
For multiple receptors per hazard, some companies calculate risk reduction factors for each receptor. The RRF for the instrumented function in this situation is chosen to be the highest one, since it will automatically satisfy the other, lesser requirements.
SIL Assignment
SIL selection is performed based on the RRF calculated for the SIF
For the heated vessel case, the RRF = 210
Target SIL = SIL 3. The minimum risk reduction of 1000 for a SIL 3 SIF guarantees that any SIL 3 system will achieve the required risk reduction factor.
[Figure: the Safety Integrity Level table from the Safety Integrity Levels slide (SIL 3: PFDavg >= 10^-4 to < 10^-3, RRF > 1,000 to <= 10,000).]
An RRF of 210 falls inside the SIL 2 band (RRF > 100 to <= 1,000), but a SIF is only guaranteed to deliver the minimum RRF of its band, and the SIL 2 minimum of 100 does not cover 210. The lesson therefore takes the conservative step up to SIL 3, whose minimum RRF of 1,000 covers the requirement with any compliant design. The other common practice is to specify SIL 2 together with the required RRF of 210 (a PFDavg of no more than 1/210, about 4.8*10^-3) in the safety requirements specification, so that the design is verified against the actual target rather than the band boundary. Either way, the numerical RRF, and not just the SIL, should be recorded in the safety requirements specification.
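The SIL assignment above, together with the risk integral, required RRF, multiple-receptor and cost-benefit steps of the preceding slides, as one added Python example that is not part of the exida lesson. The heated-vessel outcomes, the tolerable PLL, the column-rupture cost figures and the two SIF options are the lesson's numbers entered as constructed input; the SIL band table is the low-demand table of IEC 61508 / IEC 61511. The function `sil_for_rrf` implements both the lesson's conservative rule (the band's minimum RRF must cover the requirement, so RRF 210 gives SIL 3) and the plain band lookup (RRF 210 falls in SIL 2), so the two can be compared side by side.

```python
"""Quantitative SIL selection from a risk integral.

Added example, not code from the exida lesson. The outcome table, tolerable
risk, cost figures and SIF options below are the lesson's figures entered as
constructed input; the SIL bands are the IEC 61508 / IEC 61511 low-demand values.
"""

# (SIL, PFDavg lower bound inclusive, PFDavg upper bound exclusive), low demand mode
SIL_BANDS = [
    (1, 1e-2, 1e-1),
    (2, 1e-3, 1e-2),
    (3, 1e-4, 1e-3),
    (4, 1e-5, 1e-4),
]

# Heated-vessel outcomes one SIF can prevent: (outcome, consequence in PLL, events/yr)
VESSEL_OUTCOMES = [
    ("Vessel rupture with pool fire", 0.5, 0.1),
    ("Vessel rupture with flash fire", 1.0, 0.1),
    ("Vessel rupture with explosion", 6.0, 0.01),
    ("Vessel rupture with spill only", 0.01, 0.2),
]
TOLERABLE_PLL_PER_YEAR = 0.001

# Column-rupture cost case: 140 M$ * 2.85e-4 /yr and the two candidate SIFs
COLUMN_RISK_COST_PER_YEAR = 140e6 * 2.85e-4
SIF_OPTIONS = [("SIL 1 SIF", 10, 5000.0), ("SIL 2 SIF", 100, 20000.0)]


def risk_integral(outcomes):
    """RI = sum over i of C_i * F_i for the outcomes a single SIF can prevent."""
    return sum(c * f for _, c, f in outcomes)


def required_rrf(unmitigated_risk, tolerable_risk):
    """RRF = unmitigated risk / tolerable risk; both must be in the same units."""
    if tolerable_risk <= 0:
        raise ValueError("tolerable risk must be positive")
    return unmitigated_risk / tolerable_risk


def rrf_band(sil):
    """(minimum, maximum) RRF a SIF of this SIL delivers, since RRF = 1 / PFDavg."""
    lo_pfd, hi_pfd = next((lo, hi) for s, lo, hi in SIL_BANDS if s == sil)
    return 1.0 / hi_pfd, 1.0 / lo_pfd


def sil_for_rrf(rrf, conservative=True):
    """Target SIL for a required RRF; 0 if no reduction is needed, None if beyond SIL 4.

    conservative=True  : the lesson's rule, lowest SIL whose guaranteed minimum RRF
                         covers the requirement (RRF 210 -> SIL 3).
    conservative=False : the band the RRF itself falls in (RRF 210 -> SIL 2), in
                         which case the SRS must also state the numerical RRF target.
    """
    if rrf <= 1:
        return 0
    for sil, _, _ in SIL_BANDS:
        band_min, band_max = rrf_band(sil)
        if (band_min if conservative else band_max) >= rrf:
            return sil
    return None   # more than a SIL 4 SIF can deliver: change the process design instead


def governing_rrf(rrf_by_receptor):
    """With several receptors, the highest RRF automatically satisfies the others."""
    return max(rrf_by_receptor.values())


def option_costs(unmitigated_cost_per_year, options):
    """Annualised cost of each option: residual risk cost plus system cost.

    options: list of (label, rrf, system cost per year).
    Returns rows of (label, risk cost, system cost, total, savings vs. doing nothing).
    """
    rows = [("Do nothing", unmitigated_cost_per_year, 0.0, unmitigated_cost_per_year, 0.0)]
    for label, rrf, system_cost in options:
        risk_cost = unmitigated_cost_per_year / rrf
        total = risk_cost + system_cost
        rows.append((label, risk_cost, system_cost, total, unmitigated_cost_per_year - total))
    return rows


def best_option(unmitigated_cost_per_year, options):
    """The row with the lowest total annual cost (the lesson's decision rule)."""
    return min(option_costs(unmitigated_cost_per_year, options), key=lambda r: r[3])


if __name__ == "__main__":
    ri = risk_integral(VESSEL_OUTCOMES)
    rrf = required_rrf(ri, TOLERABLE_PLL_PER_YEAR)
    print(f"PLL = {ri:.3f}/yr, RRF = {rrf:.0f}, "
          f"SIL (lesson's conservative rule) = {sil_for_rrf(rrf)}, "
          f"SIL (band the RRF falls in) = {sil_for_rrf(rrf, conservative=False)}")
    print("governing RRF:", governing_rrf({"personnel": 1000, "environment": 300, "financial": 150}))
    for row in option_costs(COLUMN_RISK_COST_PER_YEAR, SIF_OPTIONS):
        print("%-12s risk $%8.0f system $%6.0f total $%8.0f savings $%8.0f" % row)
```

Running it reproduces the slides: PLL 0.212/yr, RRF 212 (210 with the lesson's rounding), SIL 3 under the conservative rule and SIL 2 by band lookup, and the $8,990 versus $20,399 annual totals that make the SIL 1 SIF the cheaper column-rupture option. The `None` return is the case practitioners should watch for: a required RRF above 100,000 is outside what any SIF can claim, and the answer is to change the process or add non-SIS layers, not to ask for a "SIL 5".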
Quantitative SIL Selection Summary
Topics:
Risk and the Context of SIL Selection
Safety Instrumented Functions
Consequence
Likelihood
Risk integrals approach
Required risk reduction
leading to SIL assignment
[Figure: Safety lifecycle (SLC) analysis phase, boxes 1 to 5: Concept; Overall Scope Definition; Hazard & Risk Analysis; Overall Safety Requirements; Safety Requirements Allocation.]
The lesson began with the safety lifecycle (SLC) context of SIL selection and a brief review of risk, including the idea of defining a level of tolerable risk. The lesson then presented a brief description of the safety instrumented functions to which the SILs are to be assigned. Next the lesson addressed the consequence and likelihood components of risk in more detail as they relate to identifying the existing level of risk in a process or piece of equipment, including how to determine a hazard's consequence and how the likelihood of a hazard can be quantitatively determined. Then the lesson considered the combination of multiple outcomes based on the risk integrals approach. Finally, based on the difference between the existing risk and the tolerable risk level identified and approved by the organization in question, the risk reduction requirement for the specific SIF was determined and the SIL assignment made.
To be sure the material is thoroughly understood, please take the time to go back and review any parts of this lesson as needed before moving on to the quiz.
Additional Resources
For more information on SIL selection and Safety Instrumented Systems, consider reviewing the following book: Systematic SIL Selection With Layer of Protection Analysis (coming soon to the exida.com web store)
Also consider exida.com on-line lessons on:
Process Hazards Analysis
ALARP and Tolerable Risk
Consequence Analysis Overview
Introduction to Likelihood Analysis
Layer of Protection Analysis (LOPA)
Qualitative SIL Selection
More information on both qualitative and quantitative SIL selection and some aspects of SIS design is available from books and other training classes.
The forthcoming exida.com book Systematic SIL Selection With Layer of Protection Analysis provides a detailed description of tolerable risk, likelihood, consequence, and general Safety Instrumented Systems with SIL selection process examples.
Also consider reviewing the exida.com on-line lessons on process hazards analysis, ALARP and tolerable risk, consequence analysis, likelihood analysis, layer of protection analysis, and qualitative SIL selection for additional information.
Questions
Questions: Please send any questions to [email protected]. We will respond as soon as possible.
Additional Resources:
Free articles are available to download from the exida.com website. These can be reached at http://www.exida.com/articles.asp.
Additional resources including books, tools, and reports are available from the exida on-line store. A product listing is available at http://www.exida.com/products2/.
If you have any questions, please send them via email to [email protected] and refer to this particular lesson, Quantitative SIL Selection.
Additional resources are available from the exida.com website, including a series of free articles that may be downloaded. Books, reports, and engineering tools are available at the exida on-line store.
exida.com is a knowledge company focused on system reliability and safety. We provide training, tools, coaching, and consulting. For general information about exida, please view our website at www.exida.com.
Thank you for your interest. Please consider other lessons in the on-line training series from exida.com.