
Lloyds Register Energy Conference

Safety-driven performance 2012

Understanding Safety Integrity Levels (SILs)


Trygve Leinum, Department Manager
Anne stdahl, Principal Consultant
Scandpower Risk Management
October 18, 2012

Short introduction to terminology

Safety Integrity Level (SIL)

Demand: When the safety function is needed!

Safety Instrumented Function

Process upsets / deviations beyond limits for normal operation conditions.

External hazardous events

SIL Measure: Probability of Failure on Demand (PFD)

Safety Integrity Levels


Definition from IEC 61508 (simplified)

IEC 61508 defines 4 SIL levels for a Safety Function.

The SIL levels, SIL1, SIL2, SIL3 and SIL4, correspond to a range of safety integrity values (i.e. probabilities), where SIL4 is the strictest level.

SIL level    Probability of failure on demand
SIL 4        < 1 / 10 000
SIL 3        < 1 / 1000
SIL 2        < 1 / 100
SIL 1        < 1 / 10

Safety Instrumented Function (IEC 61511)


Safety function which can be either a safety instrumented protection function or a safety
instrumented control function.
[Figure: instrumented loop with PSH, PSD (PLC) and SDV, marked with the SIL requirement]

Understanding Safety Integrity Levels (SILs)

Understanding SIL?

What?

How?

Why?

An ambitious title for a 45-minute speech, so these 45 minutes are limited to the authors' subjective opinion of:

Why SIL?

The point of view is based on experience from working within the risk and reliability field on the Norwegian Continental Shelf.

After the Piper Alpha Disaster - 1988


The Piper Alpha disaster led to a new regime for the application of quantitative risk analyses (QRAs) on offshore installations.

The QRAs brought valuable knowledge, especially for conceptual layouts mitigating the consequences of fire and explosions.

Design in accordance with engineering standards

Before the early 90s, the use of API RP 14 ruled the ground for design of Safety Systems for offshore
production platforms.

API RP 14 C

Did the QRAs at that time (early 90s) reflect the reliability of specific process safety and emergency shutdown systems?

What is the effect of our triple barrier X-mas trees?

Have you given credit to our sophisticated built-in self-test function?

What about our

Distributed Supervisory, Control and Safety Systems?

High Reliability Central Processing Units?

High Integrity Pressure Protection Systems, etc.?

Need-to-know questions from enthusiastic system engineers were limitless!

And the correct answer to these questions was:

All safety systems are assumed to be designed in accordance with good engineering practices and relevant standards.

Integration of QRAs and Reliability Studies

Still early 90s: A new era for reliability analyses and comprehensive verification studies

Reliability of safety function, defined as:

The ability to perform the required safety function, and the complementary event
loss of safety function

Quantitative measure: Probability of Failure on Demand - PFD

The general approach: justification by comparison, showing that

reliability figures for the new design A are equal to or better than the figures for the existing accepted design B.

Introduction of Safety Integrity Levels - SILs

A typical and simple example from reliability calculations:

The probability of failure in shutting off the well stream on a 40-well platform is approximately 10 times as high as for a 4-well platform.

Not a big surprise, but anyhow not sufficiently covered in API-RP 14 C.

API-RP 14 C was considered to originate from an environment with rather small installations compared to the biggest installations in the North Sea.

There was an industry pull for reliability requirements as a supplement to the engineering standard.

The understanding of - WHY SIL? - took root.

Safety Integrity Standards


Today, two decades later, the excellent standard API RP 14 C is still a basic engineering norm, but supplemented by the functional safety standards:

- IEC 61508: Generic standard
- IEC 61511: For process industry

Defining 4 safety integrity levels for Instrumented Functions:

SIL level    Probability of failure on demand
SIL 4        < 1 / 10 000
SIL 3        < 1 / 1000
SIL 2        < 1 / 100
SIL 1        < 1 / 10

Example - Xmas tree valves upon PAHH on separator


Can SIL 2 be achieved for PAHH by closing Wing and Master on 17 Xmas trees?
I.e. replacing the SDV with 17 x WV and MV.
[Figure: instrumented loop with PSH, PSD (PLC) and SDV, marked with the SIL requirement]

SIL 2 requirement: PFDavg < 1 x 10^-2

With 50 % of PFD allocated to final element: PFDavg < 5 x 10^-3
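A worked check of the question above, added here as an illustration and not taken from the presentation: it applies the common simplified PFDavg approximations with a beta-factor common cause model to N Xmas trees that must all close, each with WV and MV as a 1oo2 pair, and compares the result with the 5 x 10^-3 final-element budget. The failure rate, test interval and beta values are constructed inputs, and wells are assumed independent of each other; the same model also reproduces the roughly tenfold ratio between a 40-well and a 4-well platform.

```python
"""Added example: PFDavg budget check for N Xmas trees closing WV and MV."""


def pfd_1oo1(lambda_du, tau):
    """Simplified PFDavg of one valve: lambda_DU * tau / 2."""
    return lambda_du * tau / 2.0


def pfd_1oo2(lambda_du, tau, beta):
    """Simplified PFDavg of two redundant valves (WV + MV) on one well.

    beta is the assumed fraction of dangerous undetected failures that
    hit both valves at once (common cause).
    """
    independent = ((1.0 - beta) * lambda_du * tau) ** 2 / 3.0
    common_cause = beta * lambda_du * tau / 2.0
    return independent + common_cause


def pfd_all_wells(pfd_well, n_wells):
    """Every well must shut in, so the function fails if any one well fails."""
    return 1.0 - (1.0 - pfd_well) ** n_wells


def meets_budget(n_wells, lambda_du, tau, beta, budget):
    """Return (total PFDavg of the final elements, True if below budget)."""
    total = pfd_all_wells(pfd_1oo2(lambda_du, tau, beta), n_wells)
    return total, total < budget


# Constructed inputs for illustration only (not from the slides or a data handbook).
LAMBDA_DU = 1.0e-6   # dangerous undetected failures per hour, per valve
TAU = 4380.0         # proof test interval in hours (6 months)
BUDGET = 5.0e-3      # 50 % of the SIL 2 limit, as allocated on the slide

if __name__ == "__main__":
    print("single SDV (1oo1): %.2e" % pfd_1oo1(LAMBDA_DU, TAU))
    for beta in (0.05, 0.15):
        total, ok = meets_budget(17, LAMBDA_DU, TAU, beta, BUDGET)
        print("17 trees, beta=%.2f: %.2e  within budget: %s" % (beta, total, ok))
    p = pfd_1oo2(LAMBDA_DU, TAU, 0.05)
    ratio = pfd_all_wells(p, 40) / pfd_all_wells(p, 4)
    print("40-well vs 4-well ratio: %.2f" % ratio)
```

With these inputs the answer to the SIL 2 question flips between the two beta values, which is the sensitivity the common cause item under "Pitfalls in SIL assessment" refers to.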

Pitfalls in SIL assessment

Reliability data

Reliability data from manufacturers are often much better than operational experience.

This is partly compensated for by proven-in-use requirements.

Guidelines provide generic data collected from existing installations.

Some model uncertainties

Selection of common cause failure fractions

Complex architecture

Manipulation of figures and results will always be possible!

Capitalization from the SIL approach

A quantitative scientific approach - i.e. not opinion based

Gives engineers the chance of optimizing, i.e. more safety for the money

balancing production uptime and safety performance

(or same safety for less money )

Final and self-convinced statement:


The approach stimulates innovation, which in the long term is a competitive advantage for those who have joined!


Any questions?

The Group at a glance

278 offices delivering services in 228 countries

Some 7,500 employees of 90 nationalities

101 companies

Celebrating our 250 year anniversary this year

Four business divisions:

Marine

Transportation (rail sector)

Energy (ModuSpec, Scandpower)

Management Systems (LRQA)

Anticipated annual turnover $1.0bn


For more information, please contact:


Trygve Leinum
Department Manager / Principal Engineer
Scandpower AS, Norway
T +47 90 79 73 74
E tle@scandpower.com
W www.scandpower.com
w www.lr.org