Haward Technology Middle East
Process Control, Instrumentation and Safeguarding
Section 19
Safety Integrity Level
TOPICS
Introduction
Definition
Selection Procedure
Practical Example
INTRODUCTION
General
A Safety Integrity Level (SIL) is a statistical representation of the integrity of the SIS when a process demand occurs.
It is used in both ANSI/ISA-S84.01 and IEC 61508 to measure the reliability of SIS. Both ISA and IEC have agreed that there are three levels of safety integrity: SILs 1, 2 and 3. IEC also includes an additional level, SIL 4, that ISA does not.
The higher the SIL is, the more reliable or effective the system is.
The concept of safety integrity levels (SILs) was introduced during the development of BS EN 61508 (BSI 2002) as a measure of the quality, or dependability, of a system which has a safety function.
Once the need for a SIF / SIS has been identified, the key is to determine the correct SIL to control process risk to a tolerable level.
The SIL is used as a performance measure (in terms of the probability of the SIF failing to perform its required function on demand).
SIL Categories
SIL 4: Very significant impact on the community, leading to a reduction in danger from 10000 to 100000.
SIL 3: Very significant impact on the community and employees, leading to a reduction in danger from 1000 to 10000.
SIL 2: Significant protection of the installation, production and employees, leading to a reduction in danger from 100 to 1000.
SIL 1: Low protection of the installation and production, leading to a reduction in danger from 10 to 100.
SILs are correlated to the probability of failure on demand (PFD), which is equivalent to the unavailability of a system at the time of a process demand.
DEFINITION
The standards recognise that safety functions can be required to operate in quite different ways.
In particular they recognise that many such functions are only called upon at a low frequency / have a low demand rate.
Consider a car; examples of such safety functions are:
• Anti-lock braking (ABS). (It depends on the driver, of course!)
• Secondary restraint system (SRS) (air bags).
On the other hand, there are functions which are in frequent or continuous use; examples of such functions are:
• Normal braking
• Steering
Selection Procedure
This section discusses the application of two methods of determining SIL requirements:
• RISK MATRIX METHOD
• RISK GRAPH METHOD
Risk Matrix Method
This is one of the most commonly used techniques in the process industries to establish target SIL. It uses a risk matrix, which correlates risk severity and risk likelihood for the SIL.
The method allows the consideration of both likelihood and severity of a potential hazardous event during the assignment of SIL.
By correlating SIL values with a corporate-developed risk matrix, there is more consistency compared to the use of the Modified HAZOP methodology.
Using this method requires the evaluation of the existing layers of protection and their effects on the risks of the potential hazardous events. The next slide is an illustration of a two-dimensional risk matrix that correlates to various SIL values.
[Figure: Risk Matrix Showing Tolerability Bands. Frequency axis (/yr, scale 10^-4 to 10): Frequent, Probable, Possible, Unlikely, Remote. Consequences axis: Catastrophic, Major, Significant, Minor. Bands: Tolerable Region, Transitional Region, Unacceptable Region.]
Risk Graph Method
Fig 1 SIL SELECTION FLOWCHART
Start
Select SIF
Define the consequence severity
Categorize the consequence severity
Define the pre-safeguard likelihood
Categorize the pre-safeguard likelihood
Categorize the occupancy
Categorize the avoidance probability
Identify the required risk reduction
List independent protection layers
Calculate required SIL of SIS
Required SIL 0 or less? If so: No SIF Required
Required SIL 3 or greater? If so: Obtain Expert Review
Document required SIL of SIS
Other SIF? If so, return to Select SIF
Stop
The SIL Selection process is performed using the risk graph technique in a systematic team approach.
Because the Process Hazard Analysis (PHA) has already been completed, a dedicated SIL selection study is then conducted utilizing the results of the PHA as a screening tool.
Selection of SIL is a team exercise which should include individuals from the original PHA team along with new experienced personnel.
The process utilized is represented by the flowchart shown in Figure 1. The following is a detailed explanation of the SIL selection process.
The study begins with a list of Safety Instrumented Functions which have to be analyzed.
These Safety Instrumented Functions are identified through reviewing the recommendations and safeguards noted in the Process Hazard Analysis reports.
For each Safety Instrumented Function that has been identified, the characteristics of the accident being prevented are defined (see Fig 2).
Fig 2
Parameter (symbol): Description
Consequence (C): Average number of fatalities likely to result from the hazard. Determined by calculating the average numbers in the exposed area when the area is occupied, taking into account the vulnerability to the hazardous event.
Occupancy (F): Probability that the exposed area is occupied. Determined by calculating the fraction of time the area is occupied.
Probability of avoiding the hazard (P): The probability that exposed persons are able to avoid the hazard if the protection system fails on demand. This depends on there being independent methods of alerting the exposed persons to the hazard and manual methods of preventing the hazard or methods of escape.
Demand rate (W): The number of times per year that the hazardous event would occur if no SIS was fitted. This can be determined by considering all failures which can lead to one hazard and estimating the overall rate of occurrence.
In sequence, the consequence severity is categorized using the information provided in Figure 3.
The consequence definition and selected category are then documented in a SIL selection worksheet.
Fig 3 CONSEQUENCE SEVERITY CATEGORY
Consequence Range: Qualitative Criteria
Cd
  Personnel: Multiple critical injuries or fatalities
  Public: Potential for multiple critical injuries or fatalities
  Environment: Unconfined release with major environmental impact
  Property: Plant & production loss in excess of $100M
Cc
  Personnel: Potential for serious injuries or single fatality
  Public: Potential for serious injuries or single fatality
  Environment: Unconfined release with medium environmental impact
  Property: Plant & production loss in the range of $10 to $10M
Cb
  Personnel: Severe injury requiring medical emergency care
  Public: Potential for severe injury requiring medical emergency care
  Environment: Unconfined release with minor environmental impact
  Property: Plant & production loss in the range of $1 to $10M
Ca
  Personnel: Injury requiring first aid
  Public: Odour or noise nuisance, no direct impact
  Environment: Confined release with localized impact
  Property: Plant & production loss in the range of $100,00 to $1M
After the consequence has been addressed, the pre-safeguard likelihood of the accident is defined.
The pre-safeguard likelihood is categorized using information provided in Figure 4.
The pre-safeguard likelihood definition and selected category are then documented in the SIL selection worksheet.
Note that the pre-safeguard likelihood category required for SIL selection should only reflect the likelihood of the causes.
For example, one should analyze the severity of a vessel rupture for an exothermic reaction without considering the benefits of a relief valve.
This allows the required effectiveness of the safeguards, including the Safety Instrumented Function, to be analyzed.
Fig 4 LIKELIHOOD CATEGORISATION
Parameter: Range of Values
Demand rate (W). The number of times per year that the hazardous event would occur in the absence of the SIS under consideration.
W1 = Demand rate less than 0.1 D per year
W2 = Demand rate between 0.1 D and D per year
W3 = Demand rate between D and 10 D per year
Next, the occupancy and avoidance characteristics in the hazardous zone must be analysed.
The frequency of, and exposure time in, the hazardous zone is categorised using Figure 5, together with avoidance details.
These parameters are then documented in a SIL Selection Worksheet.
Fig 5 OCCUPANCY & AVOIDANCE CATEGORISATION
Parameter: Range of Values
Occupancy (F). This is calculated by determining the length of time the area exposed to the hazard is occupied during a normal working period.
FA = Rare to more often exposure in the hazardous zone. Occupancy less than 0.1
FB = Frequent to permanent exposure in the hazardous zone.
Avoidance (P). Possibility of avoiding the hazardous event if the protection system fails to operate.
PA = Possible to avoid. Should only be selected if all the following are true:
• Facilities are provided to alert the operator that the SIS has failed
• Independent facilities are provided to shut down such that the hazard can be avoided or which enable all persons to escape to safe area
• The time between the operator being alerted and a hazardous event occurring exceeds 1 hour
PB = Not possible to avoid. Applies if any of PA conditions are not met
The probability of avoiding the hazardous event has to be analysed.
The probability of avoiding the hazardous event is then categorised using Figure 5.
The probability of avoidance parameter is then documented in a SIL Selection Worksheet.
Once the consequence, pre-safeguard likelihood, occupancy and probability of avoidance are defined, the required risk reduction is determined from Figure 6.
The required risk reduction can take place by any combination of safeguards, either instrumented or non-instrumented.
The required risk reduction is a value that defines the number of order-of-magnitude decreases in either the consequence severity or likelihood of the unwanted accident (usually the likelihood) that are required.
Fig. 6 RISK GRAPH
The required risk reduction is typically accomplished using a combination of instrumented and non-instrumented safeguards.
In order to know what amount of risk reduction is required to be performed by the Safety Instrumented Function, one must know the total amount of risk reduction provided by the other protection layers.
This is accomplished by summing the number of independent protection layers that are available to prevent the hazard.
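The last steps of the selection flowchart (credit the independent protection layers, then branch on the result) can be worked through in code. This is an added example, not part of the original course material: the SIF tags, layer names and risk-reduction values are constructed, each listed protection layer is assumed to be credited with one order of magnitude, and the PFD band is taken as the reciprocal of the risk-reduction band given under SIL Categories.

```python
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class Sif:
    tag: str                      # hypothetical tag, constructed for this example
    required_risk_reduction: int  # orders of magnitude, as read from the risk graph
    ipls: list = field(default_factory=list)  # independent protection layers


def sil_band(sil):
    """Risk-reduction band for a SIL (SIL 1: 10 to 100 ... SIL 4: 10000 to 100000)
    and the matching PFD band, with PFD taken as 1 / risk reduction."""
    if sil not in (1, 2, 3, 4):
        raise ValueError("SIL must be 1, 2, 3 or 4")
    low, high = 10 ** sil, 10 ** (sil + 1)
    return {"rrf": (low, high), "pfd": (Fraction(1, high), Fraction(1, low))}


def select_sil(sif):
    """Calculate the required SIL of the SIS and follow the flowchart branches."""
    # Assumption: every listed IPL removes one order of magnitude of risk.
    required_sil = sif.required_risk_reduction - len(sif.ipls)
    if required_sil <= 0:
        outcome = "No SIF required"
    elif required_sil >= 3:
        outcome = "Obtain expert review"
    else:
        outcome = "Document required SIL of SIS"
    band = sil_band(required_sil) if 1 <= required_sil <= 4 else None
    return {"tag": sif.tag, "required_sil": required_sil,
            "outcome": outcome, "band": band}


def run_study(sifs):
    """The 'Other SIF?' loop: repeat the selection for every SIF on the list."""
    return [select_sil(s) for s in sifs]


# Constructed sample worksheet rows (not taken from the course material).
SAMPLE_SIFS = [
    Sif("SIF-A", 3, ["relief valve"]),
    Sif("SIF-B", 1, ["relief valve", "operator response to alarm"]),
    Sif("SIF-C", 4, ["relief valve"]),
]

if __name__ == "__main__":
    for row in run_study(SAMPLE_SIFS):
        print(row["tag"], row["required_sil"], row["outcome"], row["band"])
```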
Practical Example
Determination of SIL by risk parameter chart
This practical exercise requires participants to determine the required SIL of a proposed safety-instrumented system using the basic principles of the Risk Graph method.
The next diagram shows a reactor with a continuous feed of fuel and oxidant. Two flow control loops are operated under a ratio controller set by the operator to provide matching flows of fuel and oxidant to the reactor.
An explosion can occur inside the reactor if the mixture becomes explosive and a source of ignition is found. In this case we might suppose the source is a hot catalyst inside the reactor. The mixture can become explosive if the fuel flow becomes too high relative to the oxidant flow.
A safety-instrumented system is proposed with a separate set of flow meters connected to a flow ratio measuring function that is designed to trip the process to a safe condition if the fuel flow exceeds the oxidant flow by a significant amount.
The tag number for this function is FFSH-03.
Assume that the following information has been decided for the reactor.
The total frequency of the events leading to an explosive mixture is approximately once every ten years. The consequence of the explosion has been determined by a study to be a vessel rupture with a 1 in 5 chance of death or serious injury to 1 person.
The occupancy in the exposed area is less than 10% of the time and is not related to the condition of the process.
The onset of the event is likely to be fast, with a worst-case time of 10 minutes between loss of oxidant and the possible explosion.
[Figure: risk graph with a starting point, branches labelled CA, CB, CC, CD, FA, PA and PB, and output columns W3, W2, W1.]
Risk Parameters:
C – Consequence (CA, CB, CC, CD)
F – Occupancy (FA, FB)
P – Hazard avoidance probability (PA, PB)
W – Demand rate in the absence of the SIF under consideration (W1, W2, W3)
Key:
- = No safety requirements
a = No special safety requirements
b = A single E/E/PES is not sufficient
1, 2, 3, 4 = Safety integrity level
Parameters for the reactor example:
The chance of death is 0.2 per event (Range >0.1 to 1.0) = Cc
Occupancy is less than 0.1 = FA
The explosion has a rapid onset (< 10 minutes) (Range >0.1 to < 1.0) = PB
Demand rate is estimated at 0.1/yr. Gives W2 (Range >0.03 to < 0.3)