exida.com
excellence in dependable-automation

Quantitative SIL Selection
On-line Lesson

Safety Integrity Level   Probability of failure on demand, average   Risk Reduction Factor
                         (Low Demand mode of operation)
SIL 4                    >= 10^-5 to < 10^-4                         100000 to 10000
SIL 3                    >= 10^-4 to < 10^-3                         10000 to 1000
SIL 2                    >= 10^-3 to < 10^-2                         1000 to 100
SIL 1                    >= 10^-2 to < 10^-1                         100 to 10

Welcome to the exida.com online lesson on Quantitative Safety Integrity Level
Selection. In this lesson, we will present the concept of a Safety Integrity
Level (SIL) as well as the quantitative approach in establishing SIL selection.

Copyright 2002, exida.com 1



Prerequisite Lessons

• Introduction to Safety Instrumented Systems
• The Safety Lifecycle


It is recommended that the exida on-line lessons Introduction to Safety
Instrumented Systems and The Safety Lifecycle be taken by anyone not well
versed in these topics before proceeding with this lesson.


Companion Lessons

• Process Hazards Analysis
• ALARP and Tolerable Risk
• Consequence Analysis Overview
• Introduction to Likelihood Analysis
• Layer of Protection Analysis (LOPA)
• Qualitative SIL Selection


Since Quantitative SIL Selection encompasses so many different aspects, it
is recommended that the following lessons on specific components of the
larger SIL selection process be used as companions to this lesson to provide
a more complete understanding of the overall process:
• Process Hazards Analysis
• ALARP and Tolerable Risk
• Consequence Analysis Overview
• Introduction to Likelihood Analysis
• Layer of Protection Analysis
• Qualitative SIL Selection


Quantitative SIL Selection Overview

Topics:
• Risk and the Context of SIL Selection
• Safety Instrumented Functions
• Consequence
• Likelihood
• Risk integrals approach
• Required risk reduction leading to SIL assignment

[Diagram: safety lifecycle (SLC) Analysis Phase steps leading to SIL assignment: 1 Concept; 2 Overall Scope Definition; 3 Hazard & Risk Analysis; 4 Overall Safety Requirements; 5 Safety Requirements Allocation]


The lesson starts with the safety lifecycle (SLC) context of SIL selection and
a brief review of risk. The lesson continues with a brief description of the
safety instrumented functions (SIFs) to which the SILs are to be assigned.
Next the lesson addresses the consequence and likelihood components of
risk in more detail as they relate to identifying the existing level of risk in a
process or piece of equipment, including how to determine a hazard's
consequence and how the likelihood of a hazard can be quantitatively
determined. Then the lesson considers the combination of multiple
outcomes based on the risk integrals approach. Finally, based on the
difference between the existing risk and the tolerable risk level identified
and approved by the organization in question, the risk reduction requirement
for the specific SIF can be determined and the SIL assignment made.

Safety Lifecycle (detailed)

[Diagram: detailed safety lifecycle flowchart in three phases.
"ANALYSIS" (End User / Consultant): Conceptual Process Design -> Identify Potential Hazards (inputs: Process Information, Event History) -> Layer of Protection Analysis (inputs: Layers of Protection, Failure Probabilities) -> Assess Potential Risk Likelihood (Hazard Frequencies); Consequence Analysis (input: Consequence Database) -> Analyze Potential Hazard Risk Magnitude (Hazard Consequences); Tolerable Risk Guidelines -> Select Target SILs / Develop non-SIS Layers -> SIS Required? (No: Exit; Yes: Develop Safety Requirements Specification: functional description of each Safety Instrumented Function, Target SIL, Mitigated Hazards, Process parameters, Logic, Bypass/Maintenance requirements, Response time, etc.).
"REALIZATION" (Vendor / Contractor / End User): Select Technology -> Select Architecture -> SIS Conceptual Design -> Determine Test Philosophy -> Reliability/Safety Evaluation (inputs: Manufacturer's Failure Data, Failure Data Database) -> SILs Achieved? (No: loop back; Yes: SIS Detailed Design, with Manufacturer's Safety Manual: Loop Diagrams, Wiring Diagrams, Logic Diagrams, Panel Layout, PLC Programming, Installation and Commissioning Requirements, etc.) -> SIS Installation, Commissioning and Pre-startup Acceptance Test (inputs: Installation Planning, Commissioning Planning, Manufacturer's Installation Instructions) -> Validation: Pre-startup Safety Review.
"OPERATION" (End User / Contractor): SIS startup, operation, maintenance, periodic functional tests (input: Operating and Maintenance Planning) -> Modify / Decommission? -> Modify, or SIS Decommissioning.]

This slide shows a more detailed drawing of the safety lifecycle. In the
analysis phase, hazards are identified and risk reduction targets are
established for each hazard. For some hazards, a safety instrumented
function (SIF) is defined in order to reduce risk. In these cases, a Safety
Integrity Level or SIL is selected for that SIF to achieve the required risk
reduction.


How to Select a SIL

• Determine tolerable risk
• Identify potential hazards
• Identify prospective SIF to address these specific hazards
• Identify existing unmitigated risk based on consequence and likelihood analysis
• Determine how much risk reduction is needed to give a tolerable risk
  – Quantitative methods give specific numerical targets for risk reduction
  – Qualitative methods group numerical targets into more broad categories of risk reduction

The SIL selection process is essentially a systematic approach used to:
establish the difference between the existing level of risk and that which can
be tolerated; identify specific individual functions to address these risks; and
assign the SIL to specify how robust these functions must be to actually
achieve the required risk reduction.
The quantitative method shown in this lesson will help determine a specific
numerical target for the risk reduction.
NOTE: The qualitative methods introduced in the exida.com on-line lesson
Qualitative SIL Selection group numerical targets into more broad categories
of risk reduction to achieve the same general purpose.


What Is Risk?

• Risk is a measure of the likelihood and consequence of an adverse effect, i.e., how often can it happen and what will be the effects if it does?

Risk receptors:
• Personnel
• Environment
• Equipment/Property Damage
• Business Interruption
• Business Liability
• Company Image
• Lost Market Share


The definition of risk includes components of likelihood and consequence,
which both contribute to the risk for each hazard. Hazardous events often
have consequences that cause harm in multiple areas to "receptors" such as
personnel, environment, equipment, etc. These different hazardous events
are identified and characterized as part of a Hazard and Risk Assessment
process described in detail as part of the exida Process Hazards Analysis
on-line lesson.

ALARP and Tolerable Risk

[Diagram: risk scale from High Risk (top) to Negligible Risk (bottom). Intolerable Region at the top, bounded below by 10^-3/yr (workers) or 10^-4/yr (public); ALARP or Tolerable Region in the middle, bounded below by 10^-6/yr; Broadly Acceptable Region at the bottom.]

Since risk is present in all human activities, some level of risk must be
tolerated in any system. The challenge is in determining what that level of
risk is for a given organization. The general principle of tolerable risk put
forward in the IEC standards is that some risks are completely intolerable
and should not be undertaken, some risks are broadly acceptable and
should not be worried about, and some risks fall in the middle. These
middle-level risks should be reduced to a level “As Low as Reasonably
Practicable” or ALARP. Specific values of these risk levels are often a point
of debate. The values noted in this slide are from the UK Health and Safety
Executive, the originators of the ALARP concept, and are provided for
information purposes, not as recommendations for any particular situation.

Paths to Risk Reduction

[Diagram: likelihood (vertical axis, increasing upward) versus consequence (horizontal axis, increasing to the right), divided into Unacceptable Risk Region, ALARP Risk Region and Acceptable Risk Region. Starting from the Inherent Risk of the Process (i.e., No Mitigation), non-SIS consequence reduction (e.g., containment dikes) and non-SIS likelihood reduction (e.g., relief valves) give the Risk after non-SIS Mitigation; SIS Risk Reduction (SIL 1, SIL 2, SIL 3) then gives the Final Risk after Mitigation.]

Risk reduction can be accomplished using different techniques, including
methods to reduce both the consequences and likelihood of any harm. One
specific method of risk reduction, primarily directed at the likelihood aspect,
is through automatic protection systems called Safety Instrumented
Systems. These systems carry out specific functions to bring the process or
equipment to a safe state. The ability of these systems to carry out each of
these functions when required is measured by the corresponding safety
integrity level (SIL). Thus the SIL corresponds to the level of risk reduction
required to change the existing unmitigated risk enough to achieve a level of
risk that can be tolerated by the organization in question.


Safety Instrumented Functions

• Specific single set of actions and the corresponding equipment needed to identify a single emergency and act to bring the system to a safe state.
• SIL is assigned to each SIF based on required risk reduction
• Different from a SIS, which can encompass multiple functions and act in multiple ways to prevent multiple harmful outcomes
  – SIS may have multiple SIF with different individual SIL, so it is incorrect and ambiguous to define a SIL for an entire safety instrumented system

An individual Safety Instrumented Function (SIF) is designed to identify the
need and then act to bring the system to a safe state for each hazard
scenario. The effectiveness of the risk reduction is measured by the
function's risk reduction factor (often expressed as a Safety Integrity Level).
The required risk reduction is the difference between the process risk before
a SIF and the "tolerable level" of risk to be achieved for that process or piece
of equipment.
It is important to note that a SIF is an individual function and a SIS can
include multiple functions, so the SIL refers to each SIF rather than to the
entire safety instrumented system.

Safety Integrity Levels

Safety Integrity Level   Probability of failure on demand, average   Risk Reduction Factor
                         (Low Demand mode of operation)
SIL 4                    >= 10^-5 to < 10^-4                         100,000 to 10,000
SIL 3                    >= 10^-4 to < 10^-3                         10,000 to 1,000
SIL 2                    >= 10^-3 to < 10^-2                         1,000 to 100
SIL 1                    >= 10^-2 to < 10^-1                         100 to 10

The Safety Integrity Level is a measure defined in the IEC61508 standard.
The key measure of a system's integrity is how well it can be counted on to
do what it is supposed to do when it is supposed to do it. For the Low
Demand mode operation common in the process industry, the average
probability of failure on demand (PFDavg) is the variable that defines the
SIL, as shown in the table on this slide. The risk reduction factor is the
reciprocal of the PFDavg, and the SIL number itself represents the minimum
number of orders of magnitude of risk reduction that the SIF will provide.
For the High Demand mode common in machinery applications, SIL relates
to the frequency of unsafe failures of the SIF per hour, since the systems
used are required to act more frequently than they are tested and repaired.


Calculating Risk

• In quantitative analysis, risk associated with a hazard can be calculated using the following formula:

  Risk = Consequence * Likelihood

• Example Hazard:
  – Consequence of harmful outcome is two fatalities
  – Likelihood of harmful outcome is once every ten years
• Risk from the hazard is 0.2 fatalities per year


In quantitative analysis, the risk associated with a hazard can be calculated
by multiplying the consequence of a harmful outcome and the likelihood or
frequency of it taking place.
As an example, assume a hazard with an outcome consequence of two
fatalities. Furthermore, assume that the likelihood of the hazard leading to
the harmful outcome is once every ten years.
The risk of the hazard, obtained by simple multiplication, is then 0.2 fatalities
per year.


Basic Consequence Analysis Concepts

• One hazard can lead to one or more outcomes with multiple receptors
• Each aspect of the harmful outcome is measured in different units
  – Personnel
    • Fatalities
    • Injuries
  – Environment
    • Toxic releases
    • Clean-up efforts, US $
  – Equipment/Property Damage
    • US $
  – Etc.

As shown before, there can be several potential risk receptors for a specific
hazard. With a separation column rupture, for example, the rupture energy
itself can cause fatalities and injuries to personnel; it might cause a toxic
release with other injuries or fatalities; environmental clean-up efforts could
be required after the rupture; and the loss of the column could lead to plant
down time. Each of the aspects of the consequence is measured in its own
units. Fatalities are measured in number of deaths; injuries may be
measured in number of injuries scaled by severity; environmental impacts
are quantified individually; and clean-up efforts, potential fines, damage to
corporate image, and down time are measured financially.

Tolerable Risk Level and Consequence Receptors

• Tolerable risk is a sensitive topic
• It is difficult to convert between personnel, environmental, and cost receptors
• Organizations often set specific levels of tolerance in each different receptor category
• Combining impacts into a single variable allows more rigorous mathematical analysis


Because of the sensitivity of the concept of tolerable risk and the difficulty in
converting between the effects on different receptors, organizations often set
different specific risk levels that are tolerable in each different area. In some
cases, to enable more rigorous mathematical analysis, all of the different
consequence impacts can be converted into a single value, which is often
financial cost.

Tolerable Risk Level and Consequence Receptors

• Example:
  – Maximum risk tolerance 0.0005 fatal accidents per person per year, 0.005 injuries per person per year, 0.01 significant environmental release per plant per year, $500,000 in business loss per plant per year, etc.
  – Valuing loss of life at $10,000,000, environmental damage at 1.5x clean-up cost, and business losses at actual value, optimize cost-benefit impact of all safety systems.

These multiple risk criteria can be expressed on the basis of a plant or
individual as appropriate. In most cases, individual tolerable risk criteria are
followed for personnel safety. To combine risks into a single cost category,
conversion factors must be developed and applied according to uniform,
agreed guidelines.

Methods of Consequence Analysis

• Consequences can require extremely involved analysis
  – Fire
    • How much material
    • What kind of fire
  – Explosion
    • Pressure energy
    • Chemical energy
  – Toxic release
    • Concentration limits
    • Weather conditions

The detailed methods of consequence analysis are beyond the scope of this
lesson. These analyses often involve extremely complex calculations,
especially in the cases of explosions, fires, and toxic releases where the
magnitude of the consequence depends on the dispersion of material.
Further information is available in the exida on-line course Consequence
Analysis Overview, although the detailed practice of these techniques often
requires months or years of training and experience.

Results of Consequence Analysis

• Different potential outcomes identified
• Magnitude of each outcome from perspective of each receptor
  – Personnel
  – Environment
  – Financial
• Group consequence components according to safety instrumented function capable of preventing them

Once one has completed the detailed consequence analysis, there should
be a list of potential harmful outcomes and a corresponding list of the
magnitude of the harm to each of the different receptor categories. These
can then be categorized by the potential safety instrumented functions
identified in the hazards analysis that could act to prevent these outcomes.

Consequence Results: Column Rupture Case

• The consequences of a column rupture are determined as follows:
  – Personnel: 3 fatalities (3*10 M$), 15 injuries (15*1.0 M$)
  – Environment: no exceptional toxic release (0 $ no fine), internal clean-up activities (0.5 M$)
  – Equipment: new column/installation (4.5 M$)
  – Business Interruption: 25% lost production 3 months (50 M$)
  – Business Liability: direct customer contract losses (25 M$)
  – Company Image: no additional cost not already considered
  – Lost Market Share: customers go to competitor(s) (15 M$)

• Total column rupture hazard consequence is 140 M$



Using the single variable approach, it is possible to express each
consequence in that variable as shown on this slide. The total hazard
consequence can now be readily determined by adding the consequences of
each receptor in terms of the single variable. Assuming that the hazard will
cause all of these traceable impacts, the total cost of the column rupture
outcome is ~140 M$.
Note that in this case, the decrease in company image caused by the hazard
was determined to be accounted for in the other categories and no additional
cost was assessed in the analysis.


Event Likelihood / Frequency

• Event likelihood according to dIEC61511, Part 3
  – Refers to a frequency such as the number of events per year or per million hours
  – Note this is different from the common English definition equating it to probability


The likelihood of a hazard is defined as the frequency of the harmful
outcome event. This is most often expressed in units of events per year or
events per million hours.


LOPA for Column Rupture

[Event tree for Column Rupture]
Initiating event: Loss of cooling water, 5/yr
Protection layers (probability of failure; outcome if the layer succeeds):
  #1 Process design         0.01   No event
  #2 Operator response      0.15   No event
  #3 Pressure relief valve  0.05   No event
  #4 No ignition            0.76   No event
Outcome if all four layers fail: Explosion, 2.85*10^-4/yr


Likelihood analysis is often done using Layer of Protection Analysis (LOPA)
techniques. The LOPA event tree to determine the likelihood of the column
rupture with explosion is shown in the slide.
The likelihood of the initiating event, loss of cooling water, is 5 per year.
There are four independent protection layers, each with a probability of
failure:
• Inherent safety of the process design, probability of failure is 0.01
• Operator response, probability of failure is 0.15
• Pressure relief valve, probability of failure is 0.05
• No ignition, probability of failure is 0.76
The column rupture likelihood can be determined by multiplying the loss of
cooling water likelihood by the probability of failure of each of the protection
layers. The resulting column rupture likelihood is then 5/yr * 0.01 * 0.15 *
0.05 * 0.76 = 2.85*10^-4 /yr
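The event-tree calculation above, carried out in code as an added example (this is not exida's code and the names ProtectionLayer, outcome_frequency and event_tree are this example's own). Besides the final outcome frequency it enumerates every branch of the tree, so the frequency with which each layer stops the scenario is visible and the branches can be checked to sum back to the initiating event frequency.

```python
"""LOPA event-tree likelihood: initiating event frequency times the PFD of
each independent protection layer (column rupture case from the lesson)."""

from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProtectionLayer:
    name: str
    pfd: float  # probability of failure on demand of this independent layer

    def __post_init__(self) -> None:
        if not 0.0 <= self.pfd <= 1.0:
            raise ValueError(f"PFD of '{self.name}' must lie in [0, 1], got {self.pfd}")


def outcome_frequency(initiating_freq_per_yr: float,
                      layers: List[ProtectionLayer]) -> float:
    """Frequency (per year) of the harmful outcome reached only when every
    protection layer fails: initiating frequency times the product of PFDs."""
    freq = initiating_freq_per_yr
    for layer in layers:
        freq *= layer.pfd
    return freq


def event_tree(initiating_freq_per_yr: float,
               layers: List[ProtectionLayer]) -> List[Tuple[str, float]]:
    """Enumerate the branches of the event tree in layer order.

    Each entry is (branch, frequency per year). 'stopped by <layer>' is the
    'No event' leaf of the slide: the layer succeeded after every earlier layer
    failed. The last entry is the harmful outcome. All branch frequencies sum
    back to the initiating event frequency.
    """
    branches: List[Tuple[str, float]] = []
    demand_freq = initiating_freq_per_yr  # demands that reach this layer
    for layer in layers:
        branches.append((f"stopped by {layer.name}", demand_freq * (1.0 - layer.pfd)))
        demand_freq *= layer.pfd  # only this layer's failures propagate onward
    branches.append(("harmful outcome", demand_freq))
    return branches


# Column rupture case from the lesson: initiating event and four layers.
LOSS_OF_COOLING_WATER_PER_YR = 5.0
COLUMN_RUPTURE_LAYERS = [
    ProtectionLayer("process design", 0.01),
    ProtectionLayer("operator response", 0.15),
    ProtectionLayer("pressure relief valve", 0.05),
    ProtectionLayer("no ignition", 0.76),
]


def column_rupture_explosion_per_yr() -> float:
    """The lesson's result: 5/yr * 0.01 * 0.15 * 0.05 * 0.76 = 2.85e-4/yr."""
    return outcome_frequency(LOSS_OF_COOLING_WATER_PER_YR, COLUMN_RUPTURE_LAYERS)


if __name__ == "__main__":
    for branch, freq in event_tree(LOSS_OF_COOLING_WATER_PER_YR, COLUMN_RUPTURE_LAYERS):
        print(f"{branch:34s} {freq:.3e} /yr")
```

The multiplication is only valid because the lesson states the four layers are independent; a layer that shares a sensor, a power supply or an operator with another one is not a separate factor and the tree must be restructured before its PFD is multiplied in.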


Considering All the Impacts

• Outcomes must be expressed in the same terms as the tolerable risk limits
  – For the single variable method, this involves the conversion factors mentioned earlier
• Risk integral approach
  – Risk integral approach can also be applied to the personnel and financial components of risk independently of each other


Once the likelihood and consequence analysis results are complete, they
must be combined to determine the existing risk. In order to combine the
consequences of the potential harmful outcomes related to a single SIF and
compare them to the tolerable risk, they must be expressed in the same
terms as the tolerable risk levels. No matter whether the consequence is
expressed as a single overall cost or loss variable or if personnel impacts
are kept separate from financial impacts, it is possible to use a risk integral
approach to continue the SIL selection process.


Risk Integral Definition

• Risk integrals are a measure of the total expected loss
  – A summation of likelihood and consequence for all potential loss events


Risk integrals are a measure of the total expected loss, i.e., a summation of
the likelihood and consequence for all potential loss events that are being
considered.
In the case of Safety Instrumented System (SIS) design, this would be all of
the consequences that are prevented by a single Safety Instrumented
Function (SIF).


Risk Integral Equation

• The nominal equation for the risk integral is:

  RI = \sum_{i=1}^{n} C_i F_i

  RI = risk integral
  n = number of hazardous events
  C_i = consequence of event i (in terms of fatalities for loss of life calculation)
  F_i = frequency of event i


In mathematical form, this summation includes a consequence times
frequency risk contribution to the total for each event in question.


Risk Integral Application

• Risk integrals require a single loss variable
• Can be across all receptors converted to financial terms
• Can be across financial receptors only in monetary cost terms
• Can also be across personnel receptors only in equivalent or probable loss of life (PLL) terms
  – PLL can take on fractional values


The key requirement for using risk integrals is applying a single loss variable
to the system in question. This can easily be done if all of the harm is
expressed or converted to financial units. Risk integrals can also be applied
to personnel safety consequences through the use of probable loss of life or
PLL. The important aspect of PLL is that it can take on fractional values, i.e.,
an injury event can have a PLL of 0.1 or some other value less than one
representing the severity of the event in these probable loss of life terms.


Risk Integral Advantages

• Risk integrals are a measure of the expected loss
  – A summation of likelihood and consequence for all potential loss events for the SIF and category in question

Advantages of risk integral targets:
• Risk is a single number, ideal for decision-making
• Considers multiple fatality events
• Diverse risks expressed on uniform basis, essential for cost-benefit analysis


Risk integrals are only now gaining acceptance in the design-engineering
field as a means of measuring risk. Risk integrals have several advantages
over other methods for measuring risk:
• The single risk variable is easy to use in optimization and decision-making
• The risk considers the impact of multiple fatality events
• Different risks can be considered on a uniform financial basis for cost-benefit analysis
As a result of these advantages, the risk integrals of Potential Loss of Life
for personnel safety and Expected Value for overall financial impact are ideal
for risk reduction design engineering.


Risk Integral Personnel Example

• Consider the case where the following results are available from the consequence and likelihood analyses for a group of outcomes that can be prevented by the single SIF:

Outcome                         Probable Loss of Life (PLL)   Frequency (events per year)
Vessel rupture with pool fire   0.5                           0.1
Vessel rupture with flash fire  1                             0.1
Vessel rupture with explosion   6                             0.01
Vessel rupture with spill only  0.01                          0.2

• What is the risk integral for that particular SIF in terms of PLL per year?

This heated vessel rupture example considers the different outcomes that
could be prevented by a SIF that senses an extreme high pressure and acts
to open a separate dedicated valve to relieve that pressure to a safe venting
system.


Risk Integral Personnel Example

Outcome                         Probable Loss of Life (PLL)   Frequency (events per year)   Risk Component (PLL per year)
Vessel rupture with pool fire   0.5                           0.1                           0.050
Vessel rupture with flash fire  1                             0.1                           0.100
Vessel rupture with explosion   6                             0.01                          0.060
Vessel rupture with spill only  0.01                          0.2                           0.002
Total Risk Integral                                                                         0.212

• Multiplying each consequence by its corresponding frequency and summing the results at the bottom right gives the total risk integral for this pressure relief SIF of:
  PLL = 0.21 fatalities per year

This column rupture example considers the different outcomes that could be
prevented by a SIF that senses a high column pressure and acts to open a
valve to relieve that pressure to a safe venting system. It is important to note
that the risk calculated here is for the system without the SIF present.


Single Event Risk Example

• Using the consequence and likelihood values determined for the single event column rupture and explosion hazard, calculate the inherent risk.
• Consequence = 140 M$
• Likelihood = 2.85 x 10^-4 per year


For the column rupture example described earlier in the lesson, both the
consequence and the likelihood have been determined as 140 M$ and
2.85*10^-4 events per year respectively.


Single Event Risk Example

• Inherent risk = 140 M$ * 2.85*10^-4 /yr = 39,900 [US $ / year]

Risk = Consequence * Likelihood


The column rupture inherent risk is simply calculated by multiplying 140 M$
and 2.85*10^-4 /yr, which yields an inherent risk of 39,900 [US $ / year].


What Is the Required Risk Reduction?

• Now the required risk reduction factor (RRF) can easily be calculated
• Input parameters are:
  – The unmitigated risk before any safety system
  – The established tolerable risk level

  RRF = unmitigated risk / tolerable risk


Given inherent, unmitigated risks resulting from a consequence and
likelihood analysis along with tolerable risk, the required risk reduction factor
that an SIF needs to achieve can be calculated by dividing the inherent risk
by the tolerable risk.
As noted earlier, it is important to make sure that the inherent risk or risk
integral and tolerable risk are expressed in the same units.


Risk Reduction Example 1

• Given the heated vessel pressure relief SIF example with its PLL of 0.21 fatalities per year and a tolerable risk level of 0.001 fatalities per year, what is the required risk reduction?


All that is needed for the heated vessel pressure relief SIF example is the
tolerable risk in terms of probable loss of life per year.


Risk Reduction Example 1

• Given the heated vessel pressure relief SIF example with its PLL of 0.21 fatalities per year and a tolerable risk level of 0.001 fatalities per year, what is the required risk reduction?

  RRF = 0.21 PLL per year / 0.001 PLL per year = 210


Thus dividing the existing unmitigated risk by the tolerable risk gives the
required risk reduction factor of 210.


Risk Reduction Example 2

• A SIF is being considered to prevent the column rupture and explosion event described earlier
  – Consequence = 140 M$
    • Including personnel, environment, equipment, etc.
  – Likelihood = 2.85*10^-4 /yr
    • After accounting for all layers of protection
  – A low-cost, low-performance SIL 1 SIF can provide a risk reduction factor of 10 for $5,000 per year net cost
  – A higher-cost, higher-performance SIL 2 SIF can provide a risk reduction factor of 100 for $20,000 per year net cost

• Which system should be selected?



Considering the column rupture and explosion example developed earlier
along with the safety system cost data, which SIF option should be chosen?


Risk Reduction Example 2

• This example can be solved by calculating the annual cost associated with the risk of each option.
• For the case with no safety system, the cost of the hazard is $39,900 per year
• With the first case low-cost system, the RRF of 10 reduces the hazard cost to $39,900/10 = $3,990 per year, while the system itself adds $5,000 per year for a total $8,990 overall annual cost or a net savings of $30,910 relative to no safety system


Putting each case on an annual cost basis clarifies the choice significantly.
Since the first option provides a $31,000 per year savings relative to doing
nothing, it has significant potential.


Risk Reduction Example 2

• Considering the second option in the same way as the first:
• For the case with no safety system, the cost of the hazard is $39,900 per year
• With the second case higher-cost, higher-performance system, the RRF of 100 reduces the hazard cost to $39,900/100 = $399 per year, while the system itself adds $20,000 per year for a total $20,399 overall annual cost or a net savings of $19,501 relative to no safety system
• Thus the SIL 1 SIF is the best option, with the greatest savings of ~$31,000 per year relative to doing nothing.

Option       Cost of Risk   Cost of System   Total Cost   Total Savings
Do nothing   $39,900        $0               $39,900      $0
SIL 1 SIF    $3,990         $5,000           $8,990       $30,910
SIL 2 SIF    $399           $20,000          $20,399      $19,501


Although the higher performance system reduces the risk cost to only $399
per year, its $20,000 per year total cost pushes it to a lower level of savings
than the SIL 1 SIF option. Thus the SIL 1 SIF is the best option for this
situation.




Multiple Receptors per SIF


• Occasionally a set of tolerable risk levels and risk estimates gives different risk reduction factors depending on the personnel, environmental, or financial receptors considered:
  • Personnel RRF = 1000
  • Environmental RRF = 300
  • Financial RRF = 150
• Choose the highest RRF (= 1000) for specifying the system


For multiple receptors per hazard, some companies calculate risk reduction
factors for each receptor. The RRF for the instrumented function in this
situation is chosen to be the highest one, since it will automatically satisfy
the other lesser requirements.




SIL Assignment
• SIL selection is performed based on the RRF calculated for the SIF
• For the heated vessel case, the RRF = 210
• Target SIL = SIL 3
  – The minimum risk reduction of 1000 for a SIL 3 SIF guarantees that any SIL 3 system will achieve the required risk reduction factor

Safety Integrity Level   Probability of failure on demand, average   Risk Reduction Factor
                         (Low Demand mode of operation)
SIL 4                    >=10^-5 to <10^-4                          100000 to 10000
SIL 3                    >=10^-4 to <10^-3                          10000 to 1000
SIL 2                    >=10^-3 to <10^-2                          1000 to 100
SIL 1                    >=10^-2 to <10^-1                          100 to 10


The final step in the personnel case is to select the target Safety Integrity
Level for the Safety Instrumented Function based on the required risk
reduction factor. Here the RRF of 210 indicates that a target of SIL 3 is
required for the SIF.
Note: Even though the risk reduction factor range for SIL 2 (100 to 1000)
contains 210, SIL 3 was selected. If a target of SIL 2 were specified on its
own, the SIF as designed might have an actual RRF of only 100, which satisfies
SIL 2 but is not enough for the heated vessel example, where an RRF of 210 is
required. Only the minimum RRF of the selected band (1000 for SIL 3) is
guaranteed by the SIL designation alone, so the specific required RRF of 210
(a PFDavg of at most 1/210, about 4.8 x 10^-3) should also be recorded in the
safety requirements for the SIF so that the design is verified against it.
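The three rules applied in the preceding slides (rank SIF options by annual cost of risk plus cost of system, take the highest receptor RRF for a shared SIF, and select the lowest SIL whose minimum RRF covers the requirement) can be written as one small tool. This is an added worked example, not exida.com's code; it reuses the lesson's figures ($39,900/yr hazard cost, RRF 10 at $5,000/yr, RRF 100 at $20,000/yr, receptor RRFs of 1000/300/150, and the heated vessel RRF of 210) but generalizes to any list of options and any required RRF. The option labels, function names and the `SIL_RRF_BANDS` table layout are assumptions of this example.

```python
"""Annual cost-of-risk comparison of SIF options, multi-receptor RRF, and
conservative SIL assignment, following the rules this lesson applies.

Added worked example, not exida.com's own code. The figures are the lesson's
(hazard cost $39,900/yr; SIL 1 SIF with RRF 10 at $5,000/yr; SIL 2 SIF with
RRF 100 at $20,000/yr); option names, function names and the SIL_RRF_BANDS
layout are assumptions of this example.
"""
from dataclasses import dataclass

# Low-demand SIL bands from the lesson's table: SIL -> (minimum RRF, maximum RRF).
SIL_RRF_BANDS = {1: (10, 100), 2: (100, 1000), 3: (1000, 10000), 4: (10000, 100000)}


@dataclass(frozen=True)
class SifOption:
    name: str           # label for the option (assumed names)
    rrf: float          # risk reduction factor delivered; 1 means no protection
    annual_cost: float  # annualised cost of owning the option, $/yr


def annual_risk_cost(hazard_cost_per_year, rrf):
    """Residual hazard cost per year once a risk reduction factor is applied."""
    if rrf < 1:
        raise ValueError("an RRF below 1 would increase risk")
    return hazard_cost_per_year / rrf


def evaluate_options(hazard_cost_per_year, options):
    """Put every option on an annual cost basis and rank by total cost.

    Savings are measured against doing nothing (total cost = hazard cost).
    """
    rows = []
    for opt in options:
        risk_cost = annual_risk_cost(hazard_cost_per_year, opt.rrf)
        total = risk_cost + opt.annual_cost
        rows.append({
            "name": opt.name,
            "risk_cost": risk_cost,
            "system_cost": opt.annual_cost,
            "total_cost": total,
            "savings": hazard_cost_per_year - total,
        })
    return sorted(rows, key=lambda r: r["total_cost"])


def required_rrf(receptor_rrfs):
    """One SIF, several receptors: design to the most demanding RRF.

    Meeting the highest RRF automatically satisfies the lesser ones.
    """
    return max(receptor_rrfs.values())


def pfd_target(rrf):
    """Average PFD that corresponds to a required RRF (PFDavg = 1/RRF)."""
    return 1.0 / rrf


def assign_sil(rrf):
    """Conservative SIL assignment as used in the lesson.

    Pick the lowest SIL whose *minimum* RRF already covers the requirement,
    so that any SIF verified to that SIL delivers enough risk reduction.
    (RRF 210 therefore maps to SIL 3, not SIL 2, whose band starts at 100.)
    Returns 0 when the requirement is below the SIL 1 floor.
    """
    if rrf < SIL_RRF_BANDS[1][0]:
        return 0
    for sil in sorted(SIL_RRF_BANDS):
        minimum_rrf, _ = SIL_RRF_BANDS[sil]
        if minimum_rrf >= rrf:
            return sil
    raise ValueError(
        "required RRF %g exceeds the SIL 4 floor; add independent protection "
        "layers or redesign rather than rely on one SIF" % rrf)


if __name__ == "__main__":
    # Example 2 from the lesson: column rupture and explosion, $39,900/yr.
    options = [
        SifOption("Do nothing", rrf=1, annual_cost=0),
        SifOption("SIL 1 SIF", rrf=10, annual_cost=5_000),
        SifOption("SIL 2 SIF", rrf=100, annual_cost=20_000),
    ]
    for row in evaluate_options(39_900, options):
        print("%-11s risk $%8.0f system $%8.0f total $%8.0f savings $%8.0f"
              % (row["name"], row["risk_cost"], row["system_cost"],
                 row["total_cost"], row["savings"]))

    # Multiple receptors: personnel 1000, environmental 300, financial 150.
    rrf = required_rrf({"personnel": 1000, "environmental": 300, "financial": 150})
    print("required RRF %d -> SIL %d" % (rrf, assign_sil(rrf)))

    # Heated vessel case: RRF 210 -> SIL 3 under the conservative rule.
    print("RRF 210 -> SIL %d, PFDavg target %.2e" % (assign_sil(210), pfd_target(210)))
```

Running the script ranks the SIL 1 SIF first ($8,990 total, $30,910 savings), the SIL 2 SIF second ($20,399, $19,501) and doing nothing last, returns 1000 as the RRF for the three-receptor case, and maps RRF 210 to SIL 3. Note the deliberate asymmetry in `assign_sil`: a requirement of exactly 1000 returns SIL 3 while 999 also returns SIL 3, because SIL 2 only guarantees 100; a requirement above 10,000 raises an error instead of silently returning SIL 4, since by the same logic no single SIL band guarantees it.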




Quantitative SIL Selection Summary

Topics:
• Risk and the Context of SIL Selection
• Safety Instrumented Functions
• Consequence Analysis
• Likelihood Analysis
• Risk integrals approach
• Required risk reduction leading to SIL assignment

[Figure: the safety lifecycle (SLC) phases covered by this lesson: 1 Concept, 2 Overall Scope Definition, 3 Hazard & Risk Analysis, 4 Overall Safety Requirements, 5 Safety Requirements Allocation]

The lesson began with the safety lifecycle (SLC) context of SIL selection and
a brief review of risk, including the idea of defining a level of tolerable risk.
The lesson then presented a brief description of the safety instrumented
functions to which the SILs are to be assigned. Next the lesson addressed
the consequence and likelihood components of risk in more detail as they
relate to identifying the existing level of risk in a process or piece of
equipment, including how to determine a hazard’s consequence and how the
likelihood of a hazard can be quantitatively determined. Then the lesson
considered the combination of multiple outcomes based on the risk integrals
approach. Finally, based on the difference between the existing risk and the
tolerable risk level identified and approved by the organization in question,
the risk reduction requirement for the specific SIF was determined and the
SIL assignment made.
To be sure the material is thoroughly understood, please take the time to go
back and review any parts of this lesson as needed before moving on to the
quiz.




Additional Resources
• For more information on SIL selection and Safety Instrumented Systems, consider reviewing the following book:
  Systematic SIL Selection—With Layer of Protection Analysis (coming soon to the exida.com web store)
• Also consider exida.com on-line lessons on:
  • Process Hazards Analysis
  • ALARP and Tolerable Risk
  • Consequence Analysis Overview
  • Introduction to Likelihood Analysis
  • Layer of Protection Analysis (LOPA)
  • Qualitative SIL Selection


More information on both qualitative and quantitative SIL selection and some
aspects of SIS design is available from books and other training classes.
The forthcoming exida.com book Systematic SIL Selection—With Layer of
Protection Analysis provides a detailed description of tolerable risk,
likelihood, consequence, and general Safety Instrumented Systems with SIL
selection process examples.
Also consider reviewing the exida.com on-line lessons on process hazards
analysis, ALARP and tolerable risk, consequence analysis, likelihood
analysis, layer of protection analysis, and qualitative SIL selection for
additional information.




Questions
Questions: Please send any questions to
info@exida.com. We will respond as soon
as possible.
Additional Resources:
Free articles are available to download from the
exida.com website. These can be reached at
http://www.exida.com/articles.asp.
Additional resources including books, tools, and reports
are available from the exida on-line store. A product
listing is available at http://www.exida.com/products2/.

If you have any questions, please send them via email to info@exida.com.
Please refer to this particular lesson, Quantitative SIL Selection.
Additional resources are available from the exida.com website, including a
series of free articles that may be downloaded. Books, reports, and
engineering tools are available at the exida on-line store.
exida.com is a knowledge company focused on system reliability and safety.
We provide training, tools, coaching, and consulting. For general information
about exida, please view our website at www.exida.com.
Thank you for your interest. Please consider other lessons in the on-line
training series from exida.com.
