exida.com, excellence in dependable automation
On-line Lesson: Quantitative SIL Selection
Slide figure: safety lifecycle phases leading to SIL assignment: Phase 4, Overall Safety Requirements; Phase 5, Safety Requirements Allocation.
The lesson starts with the safety lifecycle (SLC) context of SIL selection and
a brief review of risk. The lesson continues with a brief description of the
safety instrumented functions (SIFs) to which the SILs are to be assigned.
Next the lesson addresses the consequence and likelihood components of
risk in more detail as they relate to identifying the existing level of risk in a
process or piece of equipment, including how to determine a hazard's
consequence and how the likelihood of a hazard can be quantitatively
determined. Then the lesson considers the combination of multiple
outcomes based on the risk integrals approach. Finally, based on the
difference between the existing risk and the tolerable risk level identified
and approved by the organization in question, the risk reduction requirement
for the specific SIF can be determined and the SIL assignment made.
Slide figure: the safety lifecycle in detail (Copyright © 2002, exida.com).

"ANALYSIS" (End User / Consultant): process design, process information and event history feed the identification of potential hazards, potential risks and layers of protection; hazard characteristics are analyzed for risk magnitude, and consequence analysis (hazard consequences, consequence database) establishes the requirements. If no SIS is required, exit. Otherwise allocate the safety requirements and develop the Safety Requirements Specification: functional description of each Safety Instrumented Function, target SIL, mitigated hazards, process parameters, logic, bypass/maintenance requirements, response time, etc.

"REALIZATION" (Vendor / Contractor / End User): select technology, select architecture and determine the test philosophy; the SIS conceptual design is checked by a reliability and safety evaluation using the manufacturer's failure data and a failure data database. If the SIL is not achieved, loop back; if it is, proceed to SIS detailed design (detailed design documentation: loop diagrams, wiring diagrams, logic diagrams, panel layout, PLC programming, installation requirements, commissioning requirements, etc.), supported by the manufacturer's safety manual and installation instructions. Installation planning and validation planning lead to SIS installation, commissioning and pre-startup acceptance test, with validation by the pre-startup safety review.

"OPERATION" (End User / Contractor): SIS startup, operation, maintenance and periodic functional tests under operating and maintenance planning; at the "modify / decommission?" decision the SIS is either modified (re-entering the lifecycle) or decommissioned.
This slide shows a more detailed drawing of the safety lifecycle. In the
analysis phase, hazards are identified and risk reduction targets are
established for each hazard. For some hazards, a safety instrumented
function (SIF) is defined in order to reduce risk. In these cases, a Safety
Integrity Level or SIL is selected for that SIF to achieve the required risk
reduction.
What Is Risk?

Slide figure: tolerable-risk regions on a scale from high risk to negligible risk: the Intolerable Region above 10^-3/yr (workers) or 10^-4/yr (public); the ALARP or Tolerable Region between that boundary and 10^-6/yr; and the Broadly Acceptable Region below 10^-6/yr.
Since risk is present in all human activities, some level of risk must be
tolerated in any system. The challenge is in determining what that level of
risk is for a given organization. The general principle of tolerable risk put
forward in the IEC standards is that some risks are completely intolerable
and should not be undertaken, some risks are broadly acceptable and
should not be worried about, and some risks fall in the middle. These
middle-level risks should be reduced to a level “As Low as Reasonably
Practicable” or ALARP. Specific values of these risk levels are often a point
of debate. The values noted in this slide are from the UK Health and Safety
Executive, the originators of the ALARP concept, and are provided for
information purposes, not as recommendations for any particular situation.
Slide figure: likelihood (vertical axis) versus consequence (horizontal axis). Starting from the unmitigated risk, non-SIS likelihood reduction (e.g., relief valves) and SIS layers (SIL 1, SIL 2) move the point down the likelihood axis, while non-SIS consequence reduction (e.g., containment dikes) moves it along the consequence axis, until the final risk after mitigation lies in the ALARP risk region or the acceptable risk region.
Calculating Risk
• Example Hazard:
– Consequence of harmful outcome is two fatalities
– Likelihood of harmful outcome is once every ten years
As shown before, there can be several potential risk receptors for a specific
hazard. With a separation column rupture, for example, the rupture energy
itself can cause fatalities and injuries to personnel; it might cause a toxic
release with other injuries or fatalities; environmental clean-up efforts could
be required after the rupture; and the loss of the column could lead to plant
down time. Each of the aspects of the consequence is measured in its own
units. Fatalities are measured in number of deaths; injuries may be
measured in number of injuries scaled by severity; environmental impacts
are quantified individually; and clean-up efforts, potential fines, damage to
corporate image, and down time are measured financially.
Because of the sensitivity of the concept of tolerable risk and the difficulty in
converting between the effects on different receptors, organizations often set
different specific risk levels that are tolerable in each different area. In some
cases, to enable more rigorous mathematical analysis, all of the different
consequence impacts can be converted into a single value, which is often
financial cost.
• Example:
– Maximum risk tolerance 0.0005 fatal accidents
per person per year, 0.005 injuries per person
per year, 0.01 significant environmental release
per plant per year, $500,000 in business loss
per plant per year, etc.
– Valuing loss of life at $10,000,000, environmental
damage at 1.5x clean-up cost, and business
losses at actual value, optimize cost-benefit
impact of all safety systems.
The detailed methods of consequence analysis are beyond the scope of this
lesson. These analyses often involve extremely complex calculations,
especially in the cases of explosions, fires, and toxic releases where the
magnitude of the consequence depends on the dispersion of material.
Further information is available in the exida on-line course Consequence
Analysis Overview, although the detailed practice of these techniques often
requires months or years of training and experience.
Once one has completed the detailed consequence analysis, there should
be a list of potential harmful outcomes and a corresponding list of the
magnitude of the harm to each of the different receptor categories. These
can then be categorized by the potential safety instrumented functions
identified in the hazards analysis that could act to prevent these outcomes.
Once the likelihood and consequence analysis results are complete, they
must be combined to determine the existing risk. In order to combine the
consequences of the potential harmful outcomes related to a single SIF and
compare them to the tolerable risk, they must be expressed in the same
terms as the tolerable risk levels. No matter whether the consequence is
expressed as a single overall cost or loss variable or if personnel impacts
are kept separate from financial impacts, it is possible to use a risk integral
approach to continue the SIL selection process.
Risk integrals are a measure of the total expected loss, i.e., the sum over
all potential loss events being considered of each event's likelihood
multiplied by its consequence.
In the case of Safety Instrumented System (SIS) design, this would be all of
the consequences that are prevented by a single Safety Instrumented
Function (SIF).
The key requirement for using risk integrals is applying a single loss variable
to the system in question. This can easily be done if all of the harm is
expressed or converted to financial units. Risk integrals can also be applied
to personnel safety consequences through the use of probable loss of life or
PLL. The important aspect of PLL is that it can take on fractional values, i.e.,
an injury event can have a PLL of 0.1 or some other value less than one
representing the severity of the event in these probable loss of life terms.
This heated vessel rupture example considers the different outcomes that
could be prevented by a SIF that senses an extreme high pressure and acts
to open a separate dedicated valve to relieve that pressure to a safe venting
system.
This column rupture example considers the different outcomes that could be
prevented by a SIF that senses a high column pressure and acts to open a
valve to relieve that pressure to a safe venting system. It is important to note
that the risk calculated here is for the system without the SIF present.
For the column rupture example described earlier in the lesson, both the
consequence and the likelihood have been determined as 140 M$ and
2.85 × 10^-4 events per year respectively, so the unmitigated risk is
140 M$ × 2.85 × 10^-4 per year = $39,900 per year.

RRF = unmitigated risk / tolerable risk
All that is needed for the heated vessel pressure relief SIF example is the
tolerable risk in terms of probable loss of life per year.
Thus dividing the existing unmitigated risk by the tolerable risk gives the
required risk reduction factor of 210.
Putting each case on an annual cost basis clarifies the choice significantly.
Since the first option provides a $31,000 per year savings relative to doing
nothing, it has significant potential.
Although the higher performance system reduces the risk cost to only $399
per year, its $20,000 per year total cost pushes it to a lower level of savings
than the SIL 1 SIF option. Thus the SIL 1 SIF is the best option for this
situation.
For multiple receptors per hazard, some companies calculate risk reduction
factors for each receptor. The RRF for the instrumented function in this
situation is chosen to be the highest one, since it will automatically satisfy
the other lesser requirements.
SIL Assignment
• SIL selection is performed based on the RRF calculated for the SIF
• For the heated vessel case, the RRF = 210
• Target SIL = SIL 3
– The minimum risk reduction of 1000 for a SIL 3 SIF guarantees that any
SIF meeting SIL 3 provides the required RRF of 210

Safety Integrity Levels (low demand mode of operation):
Safety Integrity Level   Probability of failure on demand, average   Risk Reduction Factor
SIL 1                    >= 10^-2 to < 10^-1                          10 to 100
SIL 2                    >= 10^-3 to < 10^-2                          100 to 1,000
SIL 3                    >= 10^-4 to < 10^-3                          1,000 to 10,000
SIL 4                    >= 10^-5 to < 10^-4                          10,000 to 100,000
The final step in the personnel case is to select the target Safety Integrity
Level for the Safety Instrumented Function based on the required risk
reduction factor. Here the RRF of 210 indicates that a target of SIL 3 is
required for the SIF.
Note: Even though the risk reduction factor for SIL 2 ranges from 100 to
1000, SIL 3 was selected. If a target SIL of SIL 2 were selected, the SIF
designed may have an actual RRF of 100, which suits SIL 2 requirements
but would not be enough for the heated vessel example, as a RRF of 210 is
required.
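The full calculation chain above, from the risk integral through the RRF to the target SIL and the annual cost comparison, as an added worked example in Python (it is not code from exida.com or from this lesson). The lesson's own figures are used where it gives them: the column rupture's 140 M$ consequence and 2.85 × 10^-4/yr likelihood, the heated vessel's RRF of 210, the $399/yr residual risk and $20,000/yr total cost of the higher performance option, and the $31,000/yr savings of the SIL 1 option. The per-outcome PLL breakdown of the heated vessel hazard, its tolerable PLL of 10^-4 per year, and the SIL 1 option's RRF of 10 and annual cost are constructed assumptions chosen so that the lesson's totals are reproduced; the SIL bands are the IEC 61508 low demand values.

```python
"""Quantitative SIL selection by the risk-integral method (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """One harmful outcome the SIF would prevent, expressed in a single loss
    variable ($ per event, or probable loss of life (PLL) per event)."""
    name: str
    frequency_per_year: float   # likelihood of the outcome without the SIF
    loss: float                 # consequence magnitude per event


def risk_integral(outcomes):
    """Expected loss per year: sum of likelihood x consequence over all the
    outcomes prevented by one SIF.  Every outcome must use the same loss
    variable; $ and PLL receptors are integrated separately."""
    return sum(o.frequency_per_year * o.loss for o in outcomes)


def required_rrf(unmitigated_risk, tolerable_risk):
    """RRF = unmitigated risk / tolerable risk, both in the same units."""
    if tolerable_risk <= 0:
        raise ValueError("tolerable risk must be positive")
    return unmitigated_risk / tolerable_risk


def required_rrf_multi(receptor_risks):
    """receptor_risks: {receptor: (unmitigated, tolerable)}.  With several
    receptors the SIF must satisfy the most demanding one (highest RRF)."""
    return max(required_rrf(u, t) for u, t in receptor_risks.values())


# IEC 61508 low-demand bands: (SIL, lowest RRF in band, highest RRF in band)
SIL_BANDS = ((1, 10, 100), (2, 100, 1_000), (3, 1_000, 10_000), (4, 10_000, 100_000))


def select_sil(rrf):
    """The lesson's rule: the lowest SIL whose *minimum* RRF meets the
    requirement, so any SIF achieving that SIL is sufficient.  An RRF of 210
    therefore maps to SIL 3, not to the SIL 2 band that merely contains it."""
    if rrf <= 1:
        return 0                      # no risk reduction needed from a SIF
    for sil, band_min, _ in SIL_BANDS:
        if band_min >= rrf:
            return sil
    raise ValueError("no single SIF guarantees this RRF; add other layers")


def annual_cost(unmitigated_risk_cost, rrf, sif_annual_cost):
    """(residual risk cost, total cost) per year for one SIF option."""
    residual = unmitigated_risk_cost / rrf
    return residual, residual + sif_annual_cost


def best_option(unmitigated_risk_cost, options):
    """options: {name: (rrf, sif_annual_cost)}.  Returns the savings of each
    option relative to doing nothing and the name of the best option."""
    savings = {}
    for name, (rrf, cost) in options.items():
        _, total = annual_cost(unmitigated_risk_cost, rrf, cost)
        savings[name] = unmitigated_risk_cost - total
    return savings, max(savings, key=savings.get)


# --- Column rupture, financial loss variable (figures from the lesson) ---
COLUMN = (Outcome("column rupture", 2.85e-4, 140e6),)
COLUMN_RISK = risk_integral(COLUMN)              # 39,900 $/yr
# SIL 2 option: $399/yr residual and $20,000/yr total are the lesson's, so its
# SIF cost is 20,000 - 399.  SIL 1 option: RRF 10 and a cost reproducing the
# lesson's $31,000/yr savings are constructed assumptions.
COLUMN_OPTIONS = {"SIL 1 SIF": (10, 4_910), "SIL 2 SIF": (100, 19_601)}
COLUMN_SAVINGS, COLUMN_BEST = best_option(COLUMN_RISK, COLUMN_OPTIONS)

# --- Heated vessel, PLL loss variable (this breakdown is constructed) ---
VESSEL = (
    Outcome("rupture, blast fatalities (PLL 2.0)", 5e-3, 2.0),
    Outcome("toxic release, one probable fatality in two", 2e-2, 0.5),
    Outcome("injuries (PLL 0.1 each)", 1e-2, 0.1),
)
TOLERABLE_PLL_PER_YEAR = 1e-4                    # assumed corporate target
VESSEL_RRF = required_rrf(risk_integral(VESSEL), TOLERABLE_PLL_PER_YEAR)  # 210
VESSEL_SIL = select_sil(VESSEL_RRF)              # 3

if __name__ == "__main__":
    print(f"column risk integral: ${COLUMN_RISK:,.0f}/yr")
    for name, s in COLUMN_SAVINGS.items():
        print(f"  {name}: saves ${s:,.0f}/yr versus doing nothing")
    print(f"best financial option: {COLUMN_BEST}")
    print(f"heated vessel RRF {VESSEL_RRF:.0f} -> target SIL {VESSEL_SIL}")
```

select_sil implements the lesson's conservative rule (the lowest SIL whose minimum RRF covers the requirement) rather than reading off the band that contains the RRF, and required_rrf_multi applies the "take the highest RRF across receptors" practice described above. best_option makes the same comparison the lesson makes for the column case: each option's residual risk cost plus its own annual cost, measured against doing nothing.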
Slide figure: safety lifecycle phases leading to SIL assignment: Phase 4, Overall Safety Requirements; Phase 5, Safety Requirements Allocation.
The lesson began with the safety lifecycle (SLC) context of SIL selection and
a brief review of risk, including the idea of defining a level of tolerable risk.
The lesson then presented a brief description of the safety instrumented
functions to which the SILs are to be assigned. Next the lesson addressed
the consequence and likelihood components of risk in more detail as they
relate to identifying the existing level of risk in a process or piece of
equipment, including how to determine a hazard’s consequence and how the
likelihood of a hazard can be quantitatively determined. Then the lesson
considered the combination of multiple outcomes based on the risk integrals
approach. Finally, based on the difference between the existing risk and the
tolerable risk level identified and approved by the organization in question,
the risk reduction requirement for the specific SIF was determined and the
SIL assignment made.
To be sure the material is thoroughly understood, please take the time to go
back and review any parts of this lesson as needed before moving on to the
quiz.
Additional Resources
• For more information on SIL selection and Safety
Instrumented Systems, consider reviewing the
following book:
Systematic SIL Selection—With Layer of Protection Analysis
(coming soon to the exida.com web store)
• Also consider exida.com on-line lessons on:
– Process Hazards Analysis
– ALARP and Tolerable Risk
– Consequence Analysis Overview
– Introduction to Likelihood Analysis
– Layer of Protection Analysis (LOPA)
– Qualitative SIL Selection
More information on both qualitative and quantitative SIL selection and some
aspects of SIS design is available from books and other training classes.
The forthcoming exida.com book Systematic SIL Selection—With Layer of
Protection Analysis provides a detailed description of tolerable risk,
likelihood, consequence, and general Safety Instrumented Systems with SIL
selection process examples.
Also consider reviewing the exida.com on-line lessons on process hazards
analysis, ALARP and tolerable risk, consequence analysis, likelihood
analysis, layer of protection analysis, and qualitative SIL selection for
additional information.
Questions
Questions: Please send any questions to
info@exida.com. We will respond as soon
as possible.
Additional Resources:
Free articles are available to download from the
exida.com website. These can be reached at
http://www.exida.com/articles.asp.
Additional resources including books, tools, and reports
are available from the exida on-line store. A product
listing is available at http://www.exida.com/products2/.
If you have any questions, please send them via email to info@exida.com.
Please refer to this particular lesson, Quantitative SIL Selection.
Additional resources are available from the exida.com website, including a
series of free articles that may be downloaded. Books, reports, and
engineering tools are available at the exida on-line store.
exida.com is a knowledge company focused on system reliability and safety.
We provide training, tools, coaching, and consulting. For general information
about exida, please view our website at www.exida.com.
Thank you for your interest. Please consider other lessons in the on-line
training series from exida.com.