Facts At Your Fingertips

Safety Instrumented Systems and Risk

Department Editor: Scott Jenkins
TABLE 1. SIL CATEGORIES FOR INTERMITTENT OPERATION
ithin the chemical process SIL class Probability ol failure on demand (PFO) Risk reduction factor (RRF)

W
industries (CPI), the need SIL 1 0.1-0.01 1 td100

to design safety systems to SIL 2 0.01-0.001 100 to 1,000

SIL 3 0.001-0.0001 1.000 to 10.000
prevent process failures from occur­
SIL 4 0.0001-0.00001 10,000 to 100,000
ring, or to control them when they
do, is well recognized, as is the im­ TABLE 2. SIL CATEGORIES FOR CONTINUOUS OPERATION
portance of having confidence in the SIL class Probability of dangerous failure per Risk reduction factor (RRF)
safety systems that are put in place. hour of operation (PFH)

However, when formalized, the spe­ SIL 1 10-Md 10-c 100,000 to 1.000,000
SIL 2 10-a to 10-v 1.000,000 to 10,000.000
cific terminology, definitions and con­
SIL 3 10-'to 10-8 10,000,000 to 100,000,000
cepts are sometimes misunderstood, 10-o 10-9
SIL 4 100,000,000 to 1,000,000,000
misinterpreted or implemented incor­
rectly. Provided here is a review of (SIS) is the safety system used to im­ it achieves the risk reduction that is
terms and definitions related to deter­ plement a SIF. The safety integrity lev­ sought. Having components that are
mining safety integrity levels (SILs). el (SIL) is a measure of safety system suitable for SIL 3, for example, does
performance, in terms of the probabil­ not, on its own, ensure that the sys­
Functional safety standards ity of failure on demand (PFD). SIL is tem will achieve SIL 3.
Functional safety refers to the ability intended as a shorthand indicator for Risk tolerance is subjective and
of safety-relevant electronic devices quantifying the risk-reduction capac­ site-specific. Each owner/operator
to respond reliably and verifiably to ity of a safety system. The SIL catego­ needs to determine the acceptable
signals that they receive. Industry ry of a system is generated by com­ level of risk to personnel and capital
experts have addressed functional bining the likelihood of a safety failure assets based on company philoso­
safety and formalized an approach with the consequences of a failure. phy, insurance requirements, bud­
for reducing risk in process plants There are four discrete integrity levels gets, and a variety of other factors. A
through the development of indus­ associated with SIL: SIL 1, SIL 2, SIL risk level that one owner determines
try consensus standards. Those 3 and SIL 4. The higher the SIL level, is tolerable may be unacceptable to
most relevant for the CPI include IEC the higher the associated safety level, another owner.
61508, IEC 61511, and ANSI/ISA 84, and the lower probability that a sys­ When determining which SIL is
developed by the International Elec­ tem will fail to perform properly. As the needed for a given system, the first
trotechnical Commission (IEC; Gene­ SIL increases, typically the installation step is often conducting a process
va, Switzerland; www.iec.ch) and the and maintenance costs increase, as hazard analysis (PHA). This will assist
International Society of Automation does the complexity of the system. in determining the functional safety
(Research Triangle Park, N.C.; www. To determine SIL categories, a risk need and in identifying the tolerable
isa.org). IEC says the aim of functional matrix is constructed that matches risk level. The degree of risk reduc­
safety is to reduce safety risks to tol­ likelihood of occurrence against the tion and mitigation due to the basic
erable levels and reduce the negative consequences of the event. The likeli­ process control system (BPCS) and
impacts of safety failures. The stan­ hood ranges from frequent to incred­ other layers of protection are taken
dards mentioned here emphasize ible, and the consequences range into account. Then, plant operators
quantitative risk reduction, lifecycle from negligible consequences to compare the residual risk against
considerations and general practices, catastrophic. The four SIL categories their risk tolerance. If the risk level
while acknowledging that a system are shown in Tables 1 and 2. For sys­ remains unacceptably high, a risk-
with zero risk is not possible. Func­ tems that operate intermittently, PFD reduction factor (RRF) is determined
tional safety is measured by assess­ is used, while probability of failure per and a SIS/SIL requirement is calcu­
ing how likely it is that a particular ad­ hour (PFH) is used for continuously lated (RRF is the inverse of the PFD
verse safety-risk event will occur and operating systems. for the SIF/SIS). ■
how severe it would be (how much
harm it could cause). End-user responsibility References
A SIL rating applies to SIFs and SISs, 1, McIntyre, C and Hedrick, N„ Managing SIS Process
Measurement Risk and Cost, dm. Eng.. August
SIF, SIS and SIL and is not assigned to individual prod­
2016. pp. 51-57.
A safety instrumented function (SIF) ucts or components. Rather, prod­ 2, Klein, M., The V&kje ot Safety Instrumented Systems,
refers to the means by which the risk ucts and components are said to be Chem. Eng., March 2019, pp. 50—51.
of a particular safety hazard is re­ suitable for use within a given SIL en­ 3, International Electrotedincal Commission (IEC), Func­
tional Safety, IEC Brochure, IEC Geneva, Switzerland,
duced automatically by the sensors, vironment. The end user of the sen­
wyiw.iecch, 2015.
logic solvers and final elements (for sors, logic solvers and final elements 4, General Monitors Inc. SIL Information, published at:
example, safety relief valve) that are are responsible for implementing wvrw.gmigasandllame.com/silJnfoJ01 html. 2008.
used. A safety instrumented system the safety system correctly, so that 5, Pierce, S, United Electric Controls, Introduction to Safety
Instrumented Systems. Webinar Slides 2014.
28 CHEMICAL ENGINEERING WWW.CHEMENGONLINE.COM OCTOBER 2019