# exida.com
excellence in dependable-automation

## Quantitative SIL Selection

| Safety Integrity Level | Probability of failure on demand, average (Low Demand mode of operation) | Risk Reduction Factor |
|---|---|---|
| SIL 4 | >= 10^-5 to < 10^-4 | 100000 to 10000 |
| SIL 3 | >= 10^-4 to < 10^-3 | 10000 to 1000 |
| SIL 2 | >= 10^-3 to < 10^-2 | 1000 to 100 |
| SIL 1 | >= 10^-2 to < 10^-1 | 100 to 10 |

## On-line Lesson

Welcome to the exida.com online lesson on Quantitative Safety Integrity Level Selection. In this lesson, we will present the concept of a Safety Integrity Level (SIL) as well as the quantitative approach to establishing SIL selection.


## Prerequisite Lessons

- Introduction to Safety Instrumented Systems
- The Safety Lifecycle

It is recommended that the exida on-line lessons Introduction to Safety Instrumented Systems and The Safety Lifecycle be taken by anyone not well versed in these topics before proceeding with this lesson.


## Companion Lessons

- Process Hazards Analysis
- ALARP and Tolerable Risk
- Consequence Analysis Overview
- Introduction to Likelihood Analysis
- Layer of Protection Analysis (LOPA)
- Qualitative SIL Selection

Since Quantitative SIL Selection encompasses so many different aspects, it is recommended that the lessons listed above, each covering a specific component of the larger SIL selection process, be used as companions to this lesson to provide a more complete understanding of the overall process.


## Quantitative SIL Selection Overview

Topics:
- Risk and the Context of SIL Selection
- Safety Instrumented Functions
- Consequence
- Likelihood
- Risk integrals approach
- Required risk reduction leading to SIL assignment

(Figure: SLC Analysis Phase, steps 1 Concept, 2 Overall Scope Definition, 3 Hazard & Risk Analysis, 4 Overall Safety Requirements, 5 Safety Requirements Allocation.)

The lesson starts with the safety lifecycle (SLC) context of SIL selection and a brief review of risk. The lesson continues with a brief description of the safety instrumented functions (SIFs) to which the SILs are to be assigned. Next the lesson addresses the consequence and likelihood components of risk in more detail as they relate to identifying the existing level of risk in a process or piece of equipment, including how to determine a hazard's consequence and how the likelihood of a hazard can be quantitatively determined. Then the lesson considers the combination of multiple outcomes based on the risk integrals approach. Finally, based on the difference between the existing risk and the tolerable risk level identified and approved by the organization in question, the risk reduction requirement for the specific SIF can be determined and the SIL assignment made.

## Detailed Safety Lifecycle

(Figure: detailed safety lifecycle. "Analysis" phase (end user / consultant): conceptual process design, event history and process information feed identification of potential hazards and hazard characteristics; consequence analysis using a consequence database gives hazard consequences; layer of protection analysis with layers-of-protection failure probabilities gives hazard frequencies; potential risk likelihood and magnitude are assessed against tolerable risk guidelines; target SILs are selected; safety requirements allocation develops non-SIS layers and asks "SIS required?" (exit if not); the Safety Requirements Specification holds the functional description of each safety instrumented function, target SIL, process parameters, response time, bypass/maintenance requirements, mitigated hazards, etc. "Realization" phase (vendor / contractor / end user): SIS conceptual design (select technology, select architecture, determine test philosophy), reliability/safety evaluation from manufacturer's failure data and a failure data database, check "SILs achieved?" (loop back if not), SIS detailed design with detailed design documentation (loop diagrams, wiring diagrams, logic diagrams, PLC programming, panel layout, installation requirements, commissioning requirements, etc.), installation and commissioning planning, validation planning, SIS installation, commissioning and pre-startup acceptance test, validation and pre-startup safety review, supported by the manufacturer's safety manual and installation instructions. "Operation" phase (end user / contractor): operating and maintenance planning, SIS startup, operation, maintenance, periodic functional tests, "Modify / Decommission?" leading either to modification (back through analysis) or SIS decommissioning.)

This slide shows a more detailed drawing of the safety lifecycle. In the analysis phase, hazards are identified and risk reduction targets are established for each hazard. For some hazards, a safety instrumented function (SIF) is defined in order to reduce risk. In these cases, a Safety Integrity Level or SIL is selected for that SIF to achieve the required risk reduction.

Copyright © 2002, exida.com

## How to Select a SIL

- Determine tolerable risk
- Identify potential hazards
- Identify prospective SIF to address these specific hazards
- Identify existing unmitigated risk based on consequence and likelihood analysis
- Determine how much risk reduction is needed to give a tolerable risk
  - Quantitative methods give specific numerical targets for risk reduction
  - Qualitative methods group numerical targets into more broad categories of risk reduction

The SIL selection process is essentially a systematic approach used to: establish the difference between the existing level of risk and that which can be tolerated; identify specific individual functions to address these risks; and assign the SIL to specify how robust these functions must be to actually achieve the required risk reduction. The quantitative method shown in this lesson will help determine a specific numerical target for the risk reduction.

NOTE: The qualitative methods introduced in the exida.com on-line lesson Qualitative SIL Selection group numerical targets into more broad categories of risk reduction to achieve the same general purpose.

## What Is Risk?

- Risk is a measure of the likelihood and consequence of an adverse effect, i.e., how often can it happen and what will be the effects if it does?
- Risk receptors:
  - Personnel
  - Environment
  - Equipment/Property Damage
  - Business Interruption
  - Business Liability
  - Company Image
  - Lost Market Share

The definition of risk includes components of likelihood and consequence, which both contribute to the risk for each hazard. Hazardous events often have consequences that cause harm in multiple areas to "receptors" such as personnel, environment, equipment, etc. These different hazardous events are identified and characterized as part of a Hazard and Risk Assessment process described in detail as part of the exida Process Hazards Analysis on-line lesson.

## ALARP and Tolerable Risk

(Figure: scale of individual risk of fatality per year, from High Risk to Negligible Risk. Intolerable Region above 10^-3/yr (workers) or 10^-4/yr (public); ALARP or Tolerable Region between those limits and 10^-6/yr; Broadly Acceptable Region below 10^-6/yr.)

Since risk is present in all human activities, some level of risk must be tolerated in any system. The challenge is in determining what that level of risk is for a given organization. The general principle of tolerable risk put forward in the IEC standards is that some risks are completely intolerable and should not be undertaken, some risks are broadly acceptable and should not be worried about, and some risks fall in the middle. These middle-level risks should be reduced to a level "As Low As Reasonably Practicable" or ALARP. Specific values of these risk levels are often a point of debate. The values noted in this slide are from the UK Health and Safety Executive, the originators of the ALARP concept, and are provided for information purposes, not as recommendations for any particular situation.

## Paths to Risk Reduction

(Figure: likelihood (vertical axis) versus consequence (horizontal axis) with Unacceptable, ALARP and Acceptable risk regions and SIL 1, SIL 2 and SIL 3 bands of increasing risk reduction. Starting from the inherent risk of the process (i.e., no mitigation), non-SIS consequence reduction (e.g., containment dikes) moves the point toward lower consequence, non-SIS likelihood reduction (e.g., relief valves) moves it down to the risk after non-SIS mitigation, and SIS risk reduction moves it further down to the final risk after mitigation.)

Risk reduction can be accomplished using different techniques, including methods to reduce both the consequences and likelihood of any harm. One specific method of risk reduction, primarily directed at the likelihood aspect, is through automatic protection systems called Safety Instrumented Systems. These systems carry out specific functions to bring the process or equipment to a safe state. The ability of these systems to carry out each of these functions when required is measured by the corresponding safety integrity level (SIL). Thus the SIL corresponds to the level of risk reduction required to change the existing unmitigated risk enough to achieve a level of risk that can be tolerated by the organization in question.

## Safety Instrumented Functions

- Specific single set of actions and the corresponding equipment needed to identify a single emergency and act to bring the system to a safe state
- SIL is assigned to each SIF based on required risk reduction
- Different from a SIS, which can encompass multiple functions and act in multiple ways to prevent multiple harmful outcomes
  - A SIS may have multiple SIFs with different individual SILs, so it is incorrect and ambiguous to define a SIL for an entire safety instrumented system

An individual Safety Instrumented Function (SIF) is designed to identify the need and then act to bring the system to a safe state for each hazard scenario. The required risk reduction is the gap between the process risk before a SIF and the "tolerable level" of risk to be achieved for that process or piece of equipment (expressed quantitatively as a ratio, the risk reduction factor). The effectiveness of the risk reduction is measured by the function's risk reduction factor (often expressed as a Safety Integrity Level). It is important to note that a SIF is an individual function and a SIS can include multiple functions, so the SIL refers to each SIF rather than to the entire safety instrumented system.

## Safety Integrity Levels

| Safety Integrity Level | Probability of failure on demand, average (Low Demand mode of operation) | Risk Reduction Factor |
|---|---|---|
| SIL 4 | >= 10^-5 to < 10^-4 | 100000 to 10000 |
| SIL 3 | >= 10^-4 to < 10^-3 | 10000 to 1000 |
| SIL 2 | >= 10^-3 to < 10^-2 | 1000 to 100 |
| SIL 1 | >= 10^-2 to < 10^-1 | 100 to 10 |

The Safety Integrity Level is a measure defined in the IEC 61508 standard. The key measure of a system's integrity is how well it can be counted on to do what it is supposed to do when it is supposed to do it. For the Low Demand mode of operation common in the process industry, the average probability of failure on demand (PFDavg) is the variable that defines the SIL, as shown in the table on this slide. The risk reduction factor is the reciprocal of the PFDavg, and the SIL number itself represents the minimum number of orders of magnitude of risk reduction that the SIF will provide. For the High Demand mode common in machinery applications, SIL relates instead to the frequency of unsafe (dangerous) failures of the SIF per hour, since the systems used are required to act more frequently than they are tested and repaired.

## Calculating Risk

- In quantitative analysis, risk associated with a hazard can be calculated using the following formula: Risk = Consequence * Likelihood
- Example Hazard:
  - Consequence of harmful outcome is two fatalities
  - Likelihood of harmful outcome is once every ten years
- Risk from the hazard is 0.2 fatalities per year

In quantitative analysis, the risk associated with a hazard can be calculated by multiplying the consequence of a harmful outcome and the likelihood or frequency of it taking place. As an example, assume a hazard with an outcome consequence of two fatalities. Furthermore, assume that the likelihood of the hazard leading to the harmful outcome is once every ten years (0.1 per year). The risk of the hazard, obtained by simple multiplication, is then 2 fatalities * 0.1 /yr = 0.2 fatalities per year.

## Basic Consequence Analysis Concepts

- One hazard can lead to one or more outcomes with multiple receptors
- Each aspect of the harmful outcome is measured in different units
  - Personnel
    - Fatalities
    - Injuries
  - Environment
    - Toxic releases
    - Clean-up efforts, US \$
  - Equipment/Property Damage
    - US \$
  - Etc.

As shown before, there can be several potential risk receptors for a specific hazard. With a separation column rupture, for example, the rupture energy itself can cause fatalities and injuries to personnel, it might cause a toxic release with other injuries or fatalities, environmental clean-up efforts could be required after the rupture, and the loss of the column could lead to plant down time, potential fines, damage to corporate image, and clean-up efforts. Each of the aspects of the consequence is measured in its own units. Fatalities are measured in number of deaths, injuries may be measured in number of injuries scaled by severity, environmental impacts are quantified individually, and down time and clean-up efforts are measured financially.

e ida. environmental. to enable more rigorous mathematical analysis.com excellence in dependable-automation Tolerable Risk Level and Consequence Receptors • Tolerable risk is a sensitive topic • It is difficult to convert between personnel. exida. which is often financial cost. and cost receptors • Organizations often set specific levels of tolerance in each different receptor category • Combining impacts into a single variable allows more rigorous mathematical analysis 14 Copyright © 2002. exida.com Because of the sensitivity of the concept of tolerable risk and the difficulty in converting between the effects on different receptors. In some cases.com 14 . all of the different consequence impacts can be converted into a single value. organizations often set different specific risk levels that are tolerable in each different area. Copyright 2002.

## Tolerable Risk Level and Consequence Receptors (Example)

- Example:
  - Maximum risk tolerance: 0.0005 fatal accidents per person per year, 0.005 injuries per person per year, 0.01 significant environmental releases per plant per year, \$500,000 in business loss per plant per year, etc.
  - Valuing loss of life at \$10,000,000, environmental damage at 1.5x clean-up cost, and business losses at actual value

These multiple risk criteria can be expressed on the basis of a plant or an individual as appropriate. In most cases, individual tolerable risk criteria are followed for personnel safety. To combine risks into a single cost category, conversion factors must be developed and applied according to uniform, agreed guidelines, to optimize the cost-benefit impact of all safety systems.

## Methods of Consequence Analysis

- Consequences can require extremely involved analysis
  - Fire
    - How much material
    - What kind of fire
  - Explosion
    - Pressure energy
    - Chemical energy
  - Toxic release
    - Concentration limits
    - Weather conditions

The detailed methods of consequence analysis are beyond the scope of this lesson. These analyses often involve extremely complex calculations, especially in the cases of explosions, fires, and toxic releases where the magnitude of the consequence depends on the dispersion of material. Further information is available in the exida on-line course Consequence Analysis Overview, although the detailed practice of these techniques often requires months or years of training and experience.

## Results of Consequence Analysis

- Different potential outcomes identified
- Magnitude of each outcome from the perspective of each receptor
  - Personnel
  - Environment
  - Financial
- Group consequence components according to the safety instrumented function capable of preventing them

Once one has completed the detailed consequence analysis, there should be a list of potential harmful outcomes and a corresponding list of the magnitude of the harm to each of the different receptor categories. These can then be categorized by the potential safety instrumented functions identified in the hazards analysis that could act to prevent these outcomes.

## Consequence Results: Column Rupture Case

- The consequences of a column rupture are determined as follows:
  - Personnel: 3 fatalities (3 * 10 M\$ = 30 M\$), 15 injuries (15 * 1.0 M\$ = 15 M\$)
  - Equipment: new column/installation (4.5 M\$)
  - Environment: no exceptional toxic release (0 \$, no fine), internal clean-up activities (0.5 M\$)
  - Business Interruption: 25% lost production for 3 months (50 M\$)
  - Business Liability: direct customer contract losses (25 M\$)
  - Company Image: no additional cost not already considered
  - Lost Market Share: customers go to competitor(s) (15 M\$)
- Total column rupture hazard consequence is 140 M\$

Using the single variable approach, it is possible to express each consequence in that variable as shown on this slide. Assuming that the hazard will cause all of these traceable impacts, the total hazard consequence can now be readily determined by adding the consequences of each receptor in terms of the single variable: 30 + 15 + 4.5 + 0.5 + 50 + 25 + 0 + 15 = 140 M\$. Note that in this case, the decrease in company image caused by the hazard was determined to be accounted for in the other categories and no additional cost was assessed in the analysis.

## Event Likelihood / Frequency

- Event likelihood according to dIEC61511 (draft IEC 61511), Part 3
  - Refers to a frequency such as the number of events per year or per million hours
  - Note this is different from the common English definition equating it to probability

The likelihood of a hazard is defined as the frequency of the harmful outcome event. This is most often expressed in units of events per year or events per million hours.

## LOPA for Column Rupture

| Element | Value |
|---|---|
| Initiating event: loss of cooling water | 5 /yr |
| Protection layer #1: process design | probability of failure 0.01 |
| Protection layer #2: operator response | probability of failure 0.15 |
| Protection layer #3: pressure relief valve | probability of failure 0.05 |
| Protection layer #4: no ignition | probability of failure 0.76 |

(Figure: event tree. Each layer that works leads to a "No event" branch; the branch where all four layers fail leads to the Column Rupture / Explosion outcome at 2.85*10^-4 /yr.)

- The likelihood of the initiating event, loss of cooling water, is 5 per year
- There are four independent protection layers, each with a probability of failure:
  - Inherent safety of the process design, probability of failure is 0.01
  - Operator response, probability of failure is 0.15
  - Pressure relief valve, probability of failure is 0.05
  - No ignition, probability of failure is 0.76
- Column rupture likelihood = 5/yr * 0.01 * 0.15 * 0.05 * 0.76 = 2.85*10^-4 /yr

Likelihood analysis is often done using Layer of Protection Analysis (LOPA) techniques. The LOPA event tree to determine the likelihood of the column rupture with explosion is shown in the slide. The column rupture likelihood can be determined by multiplying the loss of cooling water likelihood by the probability of failure of each of the protection layers. The resulting column rupture with explosion likelihood is then 5/yr * 0.01 * 0.15 * 0.05 * 0.76 = 2.85*10^-4 /yr. Note that this multiplication is only valid because the layers are independent of the initiating event and of each other; a layer that shares equipment, power, or the same operator action with another layer cannot be credited as a separate factor.
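The event-tree arithmetic above, as an added example that is not part of the exida lesson. It uses the slide's initiating frequency and layer probabilities; the `Layer`, `mitigated_frequency` and `event_tree` names are this example's own. Beyond the single all-layers-fail path computed on the slide, it enumerates every branch of the tree, which shows that the "no ignition" modifier splits the rupture into two distinct outcomes (with and without explosion) and that the branch frequencies add back up to the initiating event frequency.

```python
# Added example (not exida's code): LOPA event-tree likelihood calculation
# using the column rupture figures from the slide.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Layer:
    """One independent protection layer (or conditional modifier) in the tree."""
    name: str
    pfd: float  # probability that this layer fails to stop the event propagating


def _check_pfd(layer: Layer) -> None:
    if not 0.0 <= layer.pfd <= 1.0:
        raise ValueError(f"{layer.name}: probability of failure must lie in [0, 1]")


def mitigated_frequency(initiating_freq: float, layers: List[Layer]) -> float:
    """Frequency of the outcome reached only when every layer fails.

    This is the single number the slide computes:
        F_outcome = F_initiating * PFD_1 * PFD_2 * ... * PFD_n
    Independence of the layers is an assumption of LOPA; the arithmetic
    cannot check it.
    """
    freq = initiating_freq
    for layer in layers:
        _check_pfd(layer)
        freq *= layer.pfd
    return freq


def event_tree(initiating_freq: float, layers: List[Layer]) -> List[Tuple[str, float]]:
    """Enumerate every terminal branch of the event tree, not just the worst one.

    Branch i ("stopped by layer i") occurs when layers 1..i-1 fail and layer i
    works:  F_initiating * PFD_1 * ... * PFD_(i-1) * (1 - PFD_i).
    The last branch is the hazardous outcome with all layers failed.
    The branch frequencies sum to the initiating event frequency.
    """
    branches: List[Tuple[str, float]] = []
    freq = initiating_freq
    for layer in layers:
        _check_pfd(layer)
        branches.append((f"stopped by {layer.name}", freq * (1.0 - layer.pfd)))
        freq *= layer.pfd
    branches.append(("all layers fail", freq))
    return branches


# Values from the slide. "No ignition" is a conditional modifier: its "PFD" is
# the probability that ignition does occur, so the branch where it "works" is a
# rupture without explosion, a distinct (less severe) outcome rather than no
# event at all.
LOSS_OF_COOLING_WATER_PER_YEAR = 5.0
COLUMN_RUPTURE_LAYERS = [
    Layer("process design", 0.01),
    Layer("operator response", 0.15),
    Layer("pressure relief valve", 0.05),
    Layer("no ignition", 0.76),
]


def column_rupture_with_explosion_frequency() -> float:
    """Slide result: 5 * 0.01 * 0.15 * 0.05 * 0.76 = 2.85e-4 per year."""
    return mitigated_frequency(LOSS_OF_COOLING_WATER_PER_YEAR, COLUMN_RUPTURE_LAYERS)


def column_rupture_without_ignition_frequency() -> float:
    """Rupture reached (first three layers fail) but no ignition: 9.0e-5 per year."""
    branches = dict(event_tree(LOSS_OF_COOLING_WATER_PER_YEAR, COLUMN_RUPTURE_LAYERS))
    return branches["stopped by no ignition"]


if __name__ == "__main__":
    for name, freq in event_tree(LOSS_OF_COOLING_WATER_PER_YEAR, COLUMN_RUPTURE_LAYERS):
        print(f"{name:32s} {freq:.3e} /yr")
```

The rupture-without-ignition branch (9.0e-5 /yr) is the kind of secondary outcome that the risk integral approach later in the lesson sums alongside the explosion case.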

## Considering All the Impacts

- Outcomes must be expressed in the same terms as the tolerable risk limits
  - For the single variable method, this involves the conversion factors mentioned earlier
- Risk integral approach
  - The risk integral approach can also be applied to the personnel and financial components of risk independently of each other

Once the likelihood and consequence analysis results are complete, they must be combined to determine the existing risk. In order to combine the consequences of the potential harmful outcomes related to a single SIF and compare them to the tolerable risk, they must be expressed in the same terms as the tolerable risk levels. No matter whether the consequence is expressed as a single overall cost or loss variable or if personnel impacts are kept separate from financial impacts, it is possible to use a risk integral approach to continue the SIL selection process.

## Risk Integral Definition

- Risk integrals are a measure of the total expected loss
  - A summation of likelihood times consequence for all potential loss events

Risk integrals are a measure of the total expected loss, i.e., a summation of likelihood times consequence for all potential loss events that are being considered. In the case of Safety Instrumented System (SIS) design, this would be all of the consequences that are prevented by a single Safety Instrumented Function (SIF).

## Risk Integral Equation

- The nominal equation for the risk integral is:

$RI = \sum_{i=1}^{N} C_i F_i$

where RI = risk integral, N = number of hazardous events, C_i = consequence of event i (in terms of fatalities for a loss of life calculation), and F_i = frequency of event i.

In mathematical form, this summation includes a consequence times frequency risk contribution to the total for each event in question.

## Risk Integral Application

- Risk integrals require a single loss variable
- Can be across all receptors converted to financial terms
- Can be across financial receptors only in monetary cost terms
- Can also be across personnel receptors only in equivalent or probable loss of life (PLL) terms
  - PLL can take on fractional values

The key requirement for using risk integrals is applying a single loss variable to the system in question. This can easily be done if all of the harm is expressed or converted to financial units. Risk integrals can also be applied to personnel safety consequences through the use of probable loss of life or PLL. The important aspect of PLL is that it can take on fractional values, i.e., an injury event can have a PLL of 0.1 or some other value less than one representing the severity of the event in these probable loss of life terms.

## Risk Integral Advantages

- Risk integrals are a measure of the expected loss
  - A summation of likelihood times consequence for all potential loss events for the SIF and category in question
- Advantages of risk integral targets:
  - Risk is a single number, ideal for decision-making
  - Considers multiple fatality events
  - Diverse risks expressed on a uniform basis, essential for cost-benefit analysis

Risk integrals are only now gaining acceptance in the design-engineering field as a means of measuring risk. Risk integrals have several advantages over other methods for measuring risk: the single risk variable is easy to use in optimization and decision-making; the risk considers the impact of multiple fatality events; and different risks can be considered on a uniform financial basis for cost-benefit analysis. As a result of these advantages, the risk integrals of Probable Loss of Life (PLL) for personnel safety and Expected Value for overall financial impact are ideal for risk reduction design engineering.

## Risk Integral Personnel Example

- Consider the case where the following results are available from the consequence and likelihood analyses for a group of outcomes that can be prevented by the single SIF:

| Outcome | Probable Loss of Life (PLL) | Frequency (events per year) |
|---|---|---|
| Vessel rupture with pool fire | 0.5 | 0.1 |
| Vessel rupture with flash fire | 1 | 0.1 |
| Vessel rupture with explosion | 6 | 0.01 |
| Vessel rupture with spill only | 0.01 | 0.2 |

- What is the risk integral for that particular SIF in terms of PLL per year?

This heated vessel rupture example considers the different outcomes that could be prevented by a SIF that senses an extreme high pressure and acts to open a separate dedicated valve to relieve that pressure to a safe venting system.

## Risk Integral Personnel Example (Solution)

| Outcome | Probable Loss of Life (PLL) | Frequency (events per year) | Risk Component (PLL per year) |
|---|---|---|---|
| Vessel rupture with pool fire | 0.5 | 0.1 | 0.050 |
| Vessel rupture with flash fire | 1 | 0.1 | 0.100 |
| Vessel rupture with explosion | 6 | 0.01 | 0.060 |
| Vessel rupture with spill only | 0.01 | 0.2 | 0.002 |
| Total Risk Integral | | | 0.212 |

- Multiplying each consequence by its corresponding frequency and summing the results at the bottom right gives the total risk integral for this pressure relief SIF of PLL = 0.21 fatalities per year

This heated vessel example considers the different outcomes that could be prevented by a SIF that senses a high vessel pressure and acts to open a valve to relieve that pressure to a safe venting system. It is important to note that the risk calculated here is for the system without the SIF present.

## Single Event Risk Example

- Using the consequence and likelihood values determined for the single event column rupture and explosion hazard, calculate the inherent risk.
  - Consequence = 140 M\$
  - Likelihood = 2.85*10^-4 per year

For the column rupture example described earlier in the lesson, both the consequence and the likelihood have been determined, as 140 M\$ and 2.85*10^-4 events per year respectively.

## Single Event Risk Example (Solution)

- Risk = Consequence * Likelihood
- Inherent risk = 140 M\$ * 2.85*10^-4 /yr = 39,900 [US \$ / year]

The column rupture inherent risk is simply calculated by multiplying 140 M\$ and 2.85*10^-4 /yr, which yields an inherent risk of 39,900 [US \$ / year].

## What Is the Required Risk Reduction?

- Now the required risk reduction factor (RRF) can easily be calculated
- Input parameters are:
  - The unmitigated risk before any safety system
  - The established tolerable risk level
- RRF = unmitigated risk / tolerable risk

Given inherent, unmitigated risks resulting from a consequence and likelihood analysis along with tolerable risk, the required risk reduction factor that a SIF needs to achieve can be calculated by dividing the inherent risk by the tolerable risk. As noted earlier, it is important to make sure that the inherent risk or risk integral and the tolerable risk are expressed in the same units.

## Risk Reduction Example 1

- Given the heated vessel pressure relief SIF example with its PLL of 0.21 fatalities per year and a tolerable risk level of 0.001 fatalities per year, what is the required risk reduction?

All that is needed for the heated vessel pressure relief SIF example is the tolerable risk in terms of probable loss of life per year.

## Risk Reduction Example 1 (Solution)

- Given the heated vessel pressure relief SIF example with its PLL of 0.21 fatalities per year and a tolerable risk level of 0.001 fatalities per year, what is the required risk reduction?
- RRF = 0.21 PLL per year / 0.001 PLL per year = 210

Thus dividing the existing unmitigated risk by the tolerable risk gives the required risk reduction factor of 210.

## Risk Reduction Example 2

- A SIF is being considered to prevent the column rupture and explosion event described earlier
  - Consequence = 140 M\$, including personnel, environment, equipment, etc.
  - Likelihood = 2.85*10^-4 /yr, after accounting for all layers of protection
- A low-cost, low-performance SIL 1 SIF can provide a risk reduction factor of 10 for \$5,000 per year net cost
- A higher-cost, higher-performance SIL 2 SIF can provide a risk reduction factor of 100 for \$20,000 per year net cost
- Which system should be selected?

Considering the column rupture and explosion example developed earlier along with the safety system cost data, which SIF option should be chosen?

## Risk Reduction Example 2 (SIL 1 Option)

- This example can be solved by calculating the annual cost associated with the risk of each option.
- For the case with no safety system, the cost of the hazard is \$39,900 per year
- With the first case low-cost system, the RRF of 10 reduces the hazard cost to \$39,900/10 = \$3,990 per year, while the system itself adds \$5,000 per year for a total \$8,990 overall annual cost or a net savings of \$30,910 relative to no safety system

Putting each case on an annual cost basis clarifies the choice significantly. Since the first option provides about \$31,000 (\$30,910) per year in savings relative to doing nothing, it has significant potential.

## Risk Reduction Example 2 (SIL 2 Option)

- Considering the second option in the same way as the first:
- For the case with no safety system, the cost of the hazard is \$39,900 per year
- With the second case higher-cost, higher-performance system, the RRF of 100 reduces the hazard cost to \$39,900/100 = \$399 per year, while the system itself adds \$20,000 per year for a total \$20,399 overall annual cost or a net savings of \$19,501 relative to no safety system
- Thus the SIL 1 SIF is the best option.

| Option | Cost of Risk | Cost of System | Total Cost | Total Savings |
|---|---|---|---|---|
| Do nothing | \$39,900 | \$0 | \$39,900 | \$0 |
| SIL 1 SIF | \$3,990 | \$5,000 | \$8,990 | \$30,910 |
| SIL 2 SIF | \$399 | \$20,000 | \$20,399 | \$19,501 |

Although the higher performance system reduces the risk cost to only \$399 per year, its \$20,399 per year total cost pushes it to a lower level of savings than the SIL 1 SIF option. Thus the SIL 1 SIF is the best option for this situation, with the greatest savings of about \$31,000 per year relative to doing nothing. Note that this comparison ranks options on financial expected loss only; whichever option is chosen must still meet the separate tolerable risk criteria set for each receptor (personnel in particular), so a cheaper option that leaves any receptor above its tolerable level cannot be selected on cost grounds.
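The annual cost comparison above, as an added example that is not part of the exida lesson. The `SifOption`, `evaluate_options` and `best_option` names are this example's own; the consequence, likelihood, RRFs and system costs are the slide's. It adds one thing the slide does not show: an optional tolerable residual-risk level, so that an option which leaves the residual risk above that level is excluded before the savings are compared, which is the caveat in the note above.

```python
# Added example (not exida's code): annualised cost-benefit ranking of candidate
# SIFs, using the figures from Risk Reduction Example 2.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SifOption:
    name: str
    rrf: float          # risk reduction factor credited to the option; 1.0 = do nothing
    annual_cost: float  # net annual cost of owning the option, US$/yr


def annual_risk_cost(consequence_usd: float, frequency_per_year: float) -> float:
    """Expected annual loss: consequence * likelihood."""
    return consequence_usd * frequency_per_year


def evaluate_options(
    unmitigated_usd_per_year: float,
    options: List[SifOption],
    tolerable_usd_per_year: Optional[float] = None,
) -> List[Dict[str, object]]:
    """Annual total cost (residual risk + system cost) and savings for each option.

    If a tolerable residual risk is given, options whose residual risk still
    exceeds it are marked infeasible: cost savings never justify staying above
    the tolerable level. Personnel criteria (PLL) must be checked separately in
    their own units; this function only handles the financial receptor.
    """
    rows: List[Dict[str, object]] = []
    for opt in options:
        if opt.rrf < 1.0:
            raise ValueError(f"{opt.name}: RRF must be >= 1")
        residual = unmitigated_usd_per_year / opt.rrf
        total = residual + opt.annual_cost
        feasible = tolerable_usd_per_year is None or residual <= tolerable_usd_per_year
        rows.append({
            "option": opt.name,
            "residual_risk": residual,
            "total_cost": total,
            "savings": unmitigated_usd_per_year - total,  # relative to doing nothing
            "feasible": feasible,
        })
    return rows


def best_option(rows: List[Dict[str, object]]) -> Optional[str]:
    """Feasible option with the greatest annual savings (None if none is feasible)."""
    feasible = [r for r in rows if r["feasible"]]
    if not feasible:
        return None
    return max(feasible, key=lambda r: r["savings"])["option"]


# Figures from the slides: 140 M$ consequence, 2.85e-4 /yr likelihood -> 39,900 $/yr.
COLUMN_RUPTURE_RISK_USD_PER_YEAR = annual_risk_cost(140e6, 2.85e-4)
OPTIONS = [
    SifOption("Do nothing", 1.0, 0.0),
    SifOption("SIL 1 SIF", 10.0, 5_000.0),
    SifOption("SIL 2 SIF", 100.0, 20_000.0),
]


if __name__ == "__main__":
    rows = evaluate_options(COLUMN_RUPTURE_RISK_USD_PER_YEAR, OPTIONS)
    for row in rows:
        print(row)
    print("best:", best_option(rows))
```

With no tolerable limit the ranking reproduces the slide (SIL 1 SIF, \$30,910 savings); with a constructed limit of \$1,000 per year on residual risk, only the SIL 2 option qualifies and is chosen despite its smaller savings.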

## Multiple Receptors per SIF

- Occasionally a set of tolerable risk levels and risk estimates gives different risk reduction factors depending on the personnel, environmental, or financial receptors considered
  - Personnel RRF = 1000
  - Environmental RRF = 300
  - Financial RRF = 150
- Choose the highest RRF = 1000 for specifying the system

For multiple receptors per hazard, some companies calculate risk reduction factors for each receptor. The RRF for the instrumented function in this situation is chosen to be the highest one, since it will automatically satisfy the other lesser requirements.

SIL Assignment
• SIL selection is performed based on the RRF calculated for the SIF
• For the heated vessel case, the RRF = 210
• Target SIL = SIL 3
  – The minimum risk reduction of 1000 for a SIL 3 SIF guarantees that any SIL 3 system will achieve the required risk reduction factor

| Safety Integrity Level | Probability of failure on demand, average (Low Demand mode of operation) | Risk Reduction Factor |
|---|---|---|
| SIL 4 | ≥10^-5 to <10^-4 | 100000 to 10000 |
| SIL 3 | ≥10^-4 to <10^-3 | 10000 to 1000 |
| SIL 2 | ≥10^-3 to <10^-2 | 1000 to 100 |
| SIL 1 | ≥10^-2 to <10^-1 | 100 to 10 |

The final step in the personnel case is to select the target Safety Integrity Level for the Safety Instrumented Function based on the required risk reduction factor. Here the RRF of 210 indicates that a target of SIL 3 is required for the SIF.

Note: Even though the risk reduction factor for SIL 2 ranges from 100 to 1000, SIL 3 was selected because an RRF of 210 is required. If a target SIL of SIL 2 were selected, the SIF designed might have an actual RRF of only 100, which satisfies SIL 2 requirements but would not be enough for the heated vessel example.

37

Quantitative SIL Selection Summary
Topics:
• Risk and the Context of SIL Selection
• Safety Instrumented Functions
• Consequence
• Likelihood
• Risk integrals approach
• Required risk reduction leading to SIL assignment

[Figure: Safety Lifecycle (SLC) Analysis Phase, steps 1 Concept, 2 Overall Scope Definition, 3 Hazard & Risk Analysis, 4 Overall Safety Requirements, 5 Safety Requirements Allocation]

The lesson began with the safety lifecycle (SLC) context of SIL selection and a brief review of risk, including the idea of defining a level of tolerable risk. The lesson then presented a brief description of the safety instrumented functions to which the SILs are to be assigned. Next the lesson addressed the consequence and likelihood components of risk in more detail as they relate to identifying the existing level of risk in a process or piece of equipment, including how to determine a hazard's consequence and how the likelihood of a hazard can be quantitatively determined. Then the lesson considered the combination of multiple outcomes based on the risk integrals approach. Finally, the risk reduction requirement for the specific SIF was determined and the SIL assignment made, based on the difference between the existing risk and the tolerable risk level identified and approved by the organization in question. To be sure the material is thoroughly understood, please take the time to go back and review any parts of this lesson as needed before moving on to the quiz.

38

Additional Resources
• For more information on SIL selection and Safety Instrumented Systems, consider reviewing the following book: Systematic SIL Selection—With Layer of Protection Analysis (coming soon to the exida.com web store)
• Also consider the exida.com on-line lessons on:
  - Process Hazards Analysis
  - ALARP and Tolerable Risk
  - Consequence Analysis Overview
  - Introduction to Likelihood Analysis
  - Layer of Protection Analysis (LOPA)
  - Qualitative SIL Selection

More information on both qualitative and quantitative SIL selection and some aspects of SIS design is available from books and other training classes. The forthcoming exida.com book Systematic SIL Selection—With Layer of Protection Analysis provides a detailed description of tolerable risk, consequence, likelihood, layer of protection analysis, and general Safety Instrumented Systems with SIL selection process examples. Also consider reviewing the exida.com on-line lessons on process hazards analysis, ALARP and tolerable risk, consequence analysis, likelihood analysis, layer of protection analysis, and qualitative SIL selection for additional information.

39