High Integrity Protection Systems (HIPS): Making SIL Calculations Effective

A report by Jean-Pierre Signoret

Jean-Pierre Signoret is the Reliability Expert at Total. He is part of the group of pioneers who introduced and developed probabilistic methods and tools in France and has worked for the past 35 years in this field. On the operational side, he is in charge of the probabilistic calculations related to high integrity protection systems (HIPS) and reliability, availability, maintainability (RAM) studies. On the R&D side, since the 1980s, he has developed the GRIF software package, which encompasses all relevant methods and tools needed for operational probabilistic studies in the oil industry. He worked for 10 years at the French Atomic Energy Commission (CEA) before moving to ELF in the early 1980s. He belongs to several international standard committees and is the previous vice-chairman of the French Institute for Safety & Dependability (ISdF) and the previous chairman of the European Safety and Reliability Association (ESRA).

Premises

In the oil industry, traditional protection systems as defined in American Petroleum Institute (API) 14C are more and more often replaced by high integrity protection systems (HIPS). In particular, this encompasses the well-known high integrity pressure protection systems (HIPPS) used to protect specifically against overpressure. As safety instrumented systems (SIS) they have to be analysed through the formal processes described in the International Electrotechnical Commission (IEC) 61508 and IEC 61511 standards in order to assess which Safety Integrity Levels (SIL) they are able to claim. What is really important when dealing with safety systems is that the probability of accident is sufficiently low to be acceptable according to the magnitude of the consequences. This can be done in a lot of different ways: applying rules, know-how or standards that may be deterministic, probabilistic, qualitative or quantitative, using reliability analysis and reliability methods and tools, collecting statistics, etc. Among them we find SIL calculations as per IEC 61508 and IEC 61511. Then we have to keep in mind that calculating a SIL is not an end in itself. It is only a tool among many others to help engineers to master safety through the whole life cycle of the safety systems.

SIL versus Traditional Concepts

This proves to be very efficient from an organisational point of view but, unfortunately, some problems arise when probabilistic calculations are performed by analysts thinking that it is a very easy job consisting only in applying some magical formulae (found in IEC 61508 Part 6) or in building a kind of Lego from certified SILed elements bought off the shelf. Beyond the fact that sound mathematical theorems (Bellman or Gödel) demonstrate that doing it that way gives no guarantee of good results, this is the complete negation of the spirit developed in the reliability field over the last 50 years, which is based on a sound knowledge of probabilistic concepts and an in-depth analysis of the systems under study. Therefore, a skilled reliability analyst who aims to use the above standards in a clever way, compatible with traditional analysis, has to solve several difficulties: this is simple for the relationship between the IEC standards' probability concepts and those recognised in the reliability field, or for the failure taxonomy and definitions, which may need improvements; it is more difficult for handling the complex test and maintenance procedures encountered in the oil industry; it is almost impossible for some concepts like the Safe Failure Fraction (SFF), which is not really relevant in our field, where spurious failures have to be thoroughly considered and avoided.

The size of this article being limited, we will only give some indications about our way to manage SIL calculations efficiently for oil production installations. Figure 1 shows the links with the traditional concepts. The first protection layer works in continuous mode and the standards impose calculating its Probability of Failure per Hour (PFH). This is actually an average frequency of failure. When the number of failures over [0, T] is small compared with 1, PFH may be assimilated to F1(T)/T. When this is not the case, T/MTTF shall be used instead. In these formulae F1(T) is the unreliability of this layer over [0, T] and MTTF its classical Mean Time To Fail. Then, in the general case, PFH cannot be assimilated to a failure rate. Anyway this gives the demand frequency on the second layer, which runs in low demand mode (if the first layer is efficient). Its Probability of Failure on Demand (PFD) as per the standards is in fact its average unavailability P2. Then F1(T).P2 is the probability that both protection layers fail during a given period T. If there is no further protection layer, this is the probability of accident. If a third protection layer is installed, this becomes the demand frequency on that layer. Note that the Risk Reduction Factor (RRF) is infinite when working in continuous mode. The standard splits the demand mode between low and high according to the demand frequency (lower or greater than 1/year). From a probabilistic calculation point of view we prefer to consider the relationship between test and demand frequencies to do that: when the test frequency is large compared with the demand frequency, PFD may be used; otherwise it is better to use the unreliability, which provides a conservative estimation.

Figure 1: SIL versus Traditional Concepts (two fully independent protection layers). Protection layer no. 1, continuous mode: unreliability F1 over (0, T), PFH = F1/T, RRF infinite. Protection layer no. 2, demand mode: PFD = average unavailability P2, RRF = 1/P2. Accident probability = F1.P2; new demand frequency on a further layer = PFH = F1.P2/T.

From a failure mode point of view the main problem encountered is that genuine on-demand failures are forgotten by the standards. They are likely to occur when the system experiences sudden changes of state. Therefore, they shall be taken into consideration when calculating the PFD, which comprises both hidden failures (occurring within test intervals) and genuine on-demand failures (due to tests or demands themselves). Another commonly encountered problem is that a superficial reading of the standard leads one to think that every revealed failure automatically becomes safe. This, of course, is not true. It remains unsafe until something is done to make it safe. This also has to be considered in the calculations.

Now it remains to evaluate the SIL of the safety system under study, and the most severe problem arises because IEC 61508 Part 6 provides only a list of simplified formulae for some cases but indicates neither the method used to establish them nor the underlying hypotheses. Therefore, an important warning has to be raised here: Part 6 is informative; its content is not intended to cope with all problems encountered and there is no obligation to use it. Analysts trusting that they just have to apply this part to obtain relevant results are wrong, and software developed on these bases shall be considered very cautiously. As results obtained in this way are likely not to be conservative, this is very dangerous indeed and not acceptable from a safety point of view. Part 6 is not really usable to deal with complex safety systems such as those installed in the oil industry, and this is why we have developed the methods and tools described hereafter.

Methods and Tools for Efficient SIL Calculations

Our HIPS may be split between curative versus preventive and topside versus subsea HIPS. Curative HIPS work in on-demand mode and need PFD calculations, whereas preventive HIPS work in continuous mode and need PFH (unreliability) calculations. As they are easy to test and maintain, the components of topside HIPS are almost independent (from a probabilistic point of view) from each other. It is the opposite for subsea HIPS. Therefore, we have investigated three main techniques to cope with all these various HIPS:

- fault tree approach: very efficient for topside curative HIPS, it is widely used by most of our reliability contractors;

- Markovian approach: efficient to model small HIPS of any category, it is sometimes known by our contractors; and
- behavioural modelling (Petri nets or the AltaRica DF language) and Monte Carlo simulation: the only way to deal with industrial-sized HIPS implying several interlinked protection layers.

Figure 2 shows an example of a fault tree used for SIL calculations. As a fault tree does not allow combining the PFD averages of individual components, the calculation is performed by inputting the instantaneous unavailabilities (saw-tooth curves) and calculating PFDavg as the average of the top event instantaneous unavailability. In this figure, the tests of the individual components have been staggered in order to decrease both the maximum of the saw-tooth curve and the impact of common cause failures. The SIL menu of the ARALIA Workshop allows these calculations to be performed. Figure 2 also shows that PFDavg is not a good safety indicator: it may be SIL2 when a lot of time is spent in SIL1. This is why, for our HIPS, we require the calculation of the time spent in the various SIL zones in addition to the average itself.

Figure 2: Fault Tree Used for SIL Calculations (top event instantaneous unavailability plotted from 0 to 5,000; Max: 1.4e-2, Mean: 7.3e-3).

The second tool that we have developed is based on the multiphase Markovian approach. The number of states being generally too high to be managed by hand, we use a formal language (AltaRica Data Flow, implemented in the COMBAVA software) to generate them automatically. Even if our computation engine MAR-XPR is able to handle millions of states, this method is really efficient only for small systems, and this is why we have developed a third tool based on behavioural models and Monte Carlo simulation, which are virtually without limitations. Our preferred model is the stochastic Petri net, like that presented in Figure 3. The method consists in building a finite state automaton behaving exactly as the system under study and performing Monte Carlo simulations on this model. This provides statistical results which are used to calculate the probabilistic parameters of interest. This method has been in use in our company since the early 1980s, when we began to develop our GRIF-MOCA-RP software. Mainly used for RAM analysis, it has been adapted to SIL calculations by developing a library of sub Petri nets corresponding to the elements encountered in HIPS studies. It has been designed to run very fast and there is no difficulty in reaching accurate SIL4 estimations with present-day PCs.

Figure 3: Stochastic Petri Nets System (sub Petri net of one HIPS element with places W, R and D; transitions Failure, Detection, Start rep., Rig on location and End of rep.; the failure counter nbF is incremented on failure and decremented at end of repair).

Conclusion

Implementing SIL calculations as per IEC 61508 or IEC 61511 on HIPS is not too difficult a task provided that an in-depth analysis of the standard is achieved and that alternatives to IEC 61508 Part 6 are considered. Traditional approaches such as fault trees, Markov graphs or Monte Carlo simulation on behavioural models like Petri nets have proven to be very efficient and easy to use for this purpose. This is what we do in TOTAL, where a full set of methods and software tools is available and used daily for our SIL calculations.
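As an added example (not code from the article, nor from the GRIF or ARALIA tools it describes), the fault tree calculation described above in Python: saw-tooth instantaneous unavailabilities of periodically tested components are input to AND/OR gates, PFDavg is taken as the time average of the top event, and the maximum and the time spent in each SIL zone are reported for simultaneous versus staggered tests. The HIPPS-like tree, its failure rates and the annual test interval are constructed assumptions; the SIL zones are the IEC 61508 low-demand PFD bands.

```python
import math

# IEC 61508 low-demand SIL bands on PFD: (SIL, lower bound incl., upper bound excl.).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def basic(lam, tau, offset=0.0):
    """Basic event: hidden failure at rate lam (per hour), revealed only by a
    perfect test every tau hours, first test at `offset` hours (as good as new
    after each test). Different offsets are how tests get staggered."""
    return ("basic", lam, tau, offset)


def q_inst(gate, t):
    """Instantaneous unavailability of a gate at time t for independent basic
    events: AND multiplies the q_i, OR multiplies the (1 - q_i)."""
    if gate[0] == "basic":
        _, lam, tau, off = gate
        return 1.0 - math.exp(-lam * ((t - off) % tau))  # saw-tooth curve
    qs = [q_inst(child, t) for child in gate[1]]
    if gate[0] == "AND":
        return math.prod(qs)
    return 1.0 - math.prod(1.0 - q for q in qs)  # OR


def sil_profile(top, horizon, step=1.0):
    """Sample the top event over [0, horizon] every `step` hours and return
    PFDavg (the time average), the maximum, and the fraction of time spent in
    each SIL zone (q below the SIL4 band, right after a test, counts in none)."""
    n = int(horizon / step)
    q = [q_inst(top, (i + 0.5) * step) for i in range(n)]
    zones = {sil: sum(1 for x in q if lo <= x < hi) / n for sil, lo, hi in SIL_BANDS}
    return sum(q) / n, max(q), zones


# Constructed HIPPS-like tree (assumed rates, annual tests): the function is lost
# if the pressure transmitter fails OR both 1oo2 shutdown valves fail.
LAM_PT, LAM_VALVE, TAU = 1e-6, 1e-5, 8760.0


def hipps_tree(valve_stagger_hours):
    return ("OR", [
        basic(LAM_PT, TAU),
        ("AND", [basic(LAM_VALVE, TAU), basic(LAM_VALVE, TAU, valve_stagger_hours)]),
    ])


if __name__ == "__main__":
    for label, stagger in (("simultaneous tests", 0.0), ("staggered tests", TAU / 2)):
        avg, peak, zones = sil_profile(hipps_tree(stagger), TAU)
        print(f"{label}: PFDavg={avg:.2e} max={peak:.2e} time in SIL1={zones[1]:.0%}")
```

With these assumed values both test plans give a SIL2 PFDavg, yet a noticeable share of the year is spent above 1e-2 (the SIL1 zone); staggering the valve tests by half a period lowers both the peak and that share.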

