Safety Integrity Level (SIL)
Dr. AA, Process Control and Safety Group
SIS
• Safety instrumented systems (SIS) provide safety control
functions for processes, e.g. emergency shutdown (ESD), fire
detection and blowdown functions. An SIS is typically composed of
sensors, logic solvers and final control elements.
• A Safety Instrumented System is designed to prevent or mitigate
hazardous events by taking a process to a safe state when
predetermined conditions are violated.
• Other common terms for SISs are safety interlock systems,
emergency shutdown systems (ESD), and safety shutdown
systems (SSD). Each SIS has one or more Safety Instrumented
Functions (SIF).
SIL
• SIL stands for Safety Integrity Level. A SIL is a measure of safety
system performance, expressed as the average probability of failure
on demand (PFDavg).
• A SIL is a statistical representation of the reliability of the SIS when
a process demand occurs.
– The higher the SIL, the more reliable or effective the system is; each
SIL step corresponds to a tenfold reduction in PFDavg.
• To perform its function, a SIF loop has a combination of logic
solver(s), sensor(s), and final element(s). Every SIF within a SIS
will have a Safety Integrity Level (SIL). These SIL levels may be the
same, or may differ, depending on the process.
• It is a common misconception that every safety function in a
system must carry the same SIL.
SIS and SIL
• In the Safety Life Cycle outlined in ISA-S84.01-1996 (ISA, 1996),
steps are included to determine if a SIS (Safety Instrumented
System) is needed and to determine the target SIL (Safety Integrity
Level) for the SIS
Safety Integrity Level (SIL) table (low-demand mode)

SIL   PFDavg range          Risk Reduction Factor (1/PFDavg)   Availability (%)
1     10^-1 to 10^-2        10 to 100                          90 to 99
2     10^-2 to 10^-3        100 to 1,000                       99 to 99.9
3     10^-3 to 10^-4        1,000 to 10,000                    99.9 to 99.99
4     Below 10^-4 (to 10^-5) 10,000 to 100,000                 99.99 to 99.999
What do these numbers mean in the real
world?
• The year figures below come from the high-demand / continuous-mode
targets (probability of a dangerous failure per hour, PFH: 10^-5 to 10^-6
for SIL 1 and a decade lower for each higher SIL), converted at 8,760
hours per year. For the low-demand process SIFs discussed here the
PFDavg column of the table above is the governing figure.
• SIL 1 means that a dangerous failure is probable once
every 11.4 to 114 years of continuous operation
• SIL 2 means that a dangerous failure is probable once
every 114 to 1,141 years of continuous operation
• SIL 3 means that a dangerous failure is probable once
every 1,141 to 11,410 years of continuous operation
• SIL 4 is defined but is unnecessarily high for machine
safety applications and is considered economically
impractical (unless you are in the nuclear
SIL levels
Event likelihood            Consequence
                            Catastrophic   Major   Severe   Minor
Frequent                    SIL 4          SIL 3   SIL 3    SIL 2
Probable                    SIL 3          SIL 3   SIL 3    SIL 2
Occasional                  SIL 3          SIL 3   SIL 2    SIL 1
Remote                      SIL 3          SIL 2   SIL 2    SIL 1
Improbable                  SIL 3          SIL 2   SIL 1    SIL 1
Negligible / Not credible   SIL 2          SIL 1   SIL 1    SIL 1
SIL Misconception
• It is a very common misconception that individual products or
components have SIL ratings. Rather, products and components
are suitable for use within a given SIL environment, but are not
individually SIL rated. SIL levels apply to safety functions and
safety systems (SIFs and SISs).
• The logic solvers, sensors, and final elements are only suitable for
use in specific SIL environments, and only the end user can
ensure that the safety system is implemented correctly.
• The equipment or system must be used in the manner in which it
was intended in order to successfully obtain the desired risk
reduction level. Just buying SIL 2 or SIL 3 suitable components
does not ensure a SIL 2 or SIL 3 system.
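To make this point concrete, here is an added worked example (not code from the original slides): it computes the loop PFDavg of a SIF from its sensor, logic solver and final element with the simplified low-demand formulas of IEC 61508-6 (PFDavg ≈ λDU·TI/2 for a 1oo1 channel, plus the usual 1oo2 expression with a common-cause fraction β), places the result in the PFDavg bands of the SIL table above, and compares it with the target SIL. The device names, failure rates, proof-test intervals and β are constructed sample values, not data for any real product.

```python
"""Verify the SIL actually achieved by a SIF loop from its component data.

Added worked example, not from the original slides. It uses the simplified
low-demand formulas of IEC 61508-6 (PFDavg ~= lambda_DU * TI / 2 for a 1oo1
channel) and sums the PFDavg of the sensor, logic solver and final element
to get the loop PFDavg, which is then placed in the SIL band of the table.
All failure rates and test intervals are constructed sample values.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# Low-demand PFDavg bands: SIL n means 10^-(n+1) <= PFDavg < 10^-n.
SIL_PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


@dataclass
class Subsystem:
    name: str
    lambda_du: float          # dangerous undetected failure rate, per hour
    proof_test_years: float   # proof-test interval TI
    channels: int = 1         # 1 -> 1oo1, 2 -> 1oo2 voting
    beta: float = 0.0         # common-cause fraction, used for 1oo2 only

    def pfd_avg(self) -> float:
        ti = self.proof_test_years * HOURS_PER_YEAR
        if self.channels == 1:
            return self.lambda_du * ti / 2.0
        if self.channels == 2:
            # 1oo2 without diagnostics: both channels failing independently,
            # ((1-beta) lambda TI)^2 / 3, plus the common-cause term beta lambda TI / 2
            lam_ind = (1.0 - self.beta) * self.lambda_du
            return (lam_ind * ti) ** 2 / 3.0 + self.beta * self.lambda_du * ti / 2.0
        raise ValueError("only 1oo1 and 1oo2 architectures are modelled here")


def loop_pfd_avg(subsystems):
    """Sensor, logic solver and final element are in series: any one failing
    dangerously defeats the SIF, so their PFDavg values add (rare-event sum)."""
    return sum(s.pfd_avg() for s in subsystems)


def sil_from_pfd(pfd):
    """Map a PFDavg to its SIL band; 0 means the loop does not reach SIL 1."""
    if pfd < 1e-5:
        return 4  # better than the SIL 4 band; report it as SIL 4
    for sil, (low, high) in SIL_PFD_BANDS.items():
        if low <= pfd < high:
            return sil
    return 0


def verify(subsystems, target_sil):
    """Compare the SIL achieved by the loop with the target SIL from the risk assessment."""
    pfd = loop_pfd_avg(subsystems)
    achieved = sil_from_pfd(pfd)
    worst = max(subsystems, key=lambda s: s.pfd_avg())
    return {
        "pfd_avg": pfd,
        "rrf": 1.0 / pfd,
        "achieved_sil": achieved,
        "meets_target": achieved >= target_sil,
        "dominant": worst.name,
    }


# Constructed data: every device is "SIL 2 suitable" and is proof tested once a year.
AS_BOUGHT = [
    Subsystem("pressure transmitter", lambda_du=5e-7, proof_test_years=1.0),
    Subsystem("logic solver", lambda_du=1e-8, proof_test_years=1.0),
    Subsystem("shutdown valve", lambda_du=2e-6, proof_test_years=1.0),
]

# Same devices, but 1oo2 transmitters (beta = 10 %) and the valve proof tested twice a year.
REDESIGNED = [
    Subsystem("pressure transmitter", lambda_du=5e-7, proof_test_years=1.0, channels=2, beta=0.1),
    Subsystem("logic solver", lambda_du=1e-8, proof_test_years=1.0),
    Subsystem("shutdown valve", lambda_du=2e-6, proof_test_years=0.5),
]

if __name__ == "__main__":
    for label, loop in (("as bought", AS_BOUGHT), ("redesigned", REDESIGNED)):
        r = verify(loop, target_sil=2)
        print(f"{label}: PFDavg={r['pfd_avg']:.2e} RRF={r['rrf']:.0f} "
              f"SIL {r['achieved_sil']} meets SIL 2: {r['meets_target']} "
              f"(dominated by {r['dominant']})")
```

In the as-bought loop every device is suitable for SIL 2, but the annually tested valve alone contributes a PFDavg close to 10^-2, so the loop as a whole only reaches SIL 1; redundant transmitters and a shorter valve test interval bring it into the SIL 2 band. This is the verification against the target SIL that the Target SIL slide calls for; it covers the random-hardware-failure part only and leaves out the architectural constraints (hardware fault tolerance, safe failure fraction) and systematic-capability requirements that IEC 61508 also imposes on each subsystem.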
Standards and Regulations relating to SIL Analysis
• ANSI/ISA-S84.01-1996, "Application of Safety Instrumented Systems
for the Process Industries", Instrument Society of America, 1996.
• IEC 61508, "Functional Safety of Electrical/Electronic/Programmable
Electronic Safety-Related Systems", International Electrotechnical
Commission, 1998.
• IEC 61511, "Functional Safety: Safety Instrumented Systems for the
Process Industry Sector", International Electrotechnical Commission
(draft at the time of writing).
• "Programmable Electronic Systems in Safety Related Applications",
Health and Safety Executive, U.K., 1987.
• 29 CFR Part 1910.119, "Process Safety Management of Highly
Hazardous Chemicals; Explosives and Blasting Agents", Occupational
Safety and Health Administration, 1992.
Question !!!
• ENGINEER: "Why is this existing interlock SIL 2?"
• RISK ANALYST: "I don't know off the top of my head.
What does the documentation say?"
• ENGINEER: "It was set in a safety review. And you were
there!"
• RISK ANALYST: "Beats me! It doesn't look like it should
be SIL 2 when I look at it now."
• So, how do we determine the required SIL?
Target SIL
• ANSI/ISA S84.01 and IEC 61508 require that companies
assign a target SIL for any new or retrofitted SIS.
• The assignment of the target SIL is a decision requiring
the extension of the Process Hazards Analysis (PHA).
• The assignment is based on the amount of risk
reduction that is necessary to mitigate the risk
associated with the process to an acceptable level.
• All of the SIS design, operation and maintenance
choices must then be verified against the target SIL.
How do we determine the right SIL-1
• The modified HAZOP method in CCPS (1993) and in the informative
annex of S84.01 depends on the team comparing the consequence
and frequency of the impact event with similar events in their
experience, and then choosing an SIL.
• If the event being analyzed is worse or more frequent, then they
would choose a higher SIL. It is very much in the experience and
judgment of the team.
• Thus, the SIL chosen may depend more on whether a team
member knows of an actual impact event like the one being
analyzed, and it may depend less on the estimated frequency of
the event.
How do we determine the right SIL-2
• The safety layer matrix listed in CCPS (1993) and in the
informative annex of S84.01 (p49) uses categories of
frequency, severity, and effectiveness of the protection
layers.
• The categories are described in general terms and
some calibration would be needed to get consistent
results.
• The matrix was originally developed using quantitative
calculations tied to some numeric level of unacceptable
risk (Green, 1993).
How do we determine the right SIL-3
• The consequences-only method (mentioned in S84.01)
evaluates only the severity of the unmitigated
consequence.
• If the severity is above a specified threshold, a
specified SIL would be required.
• This method does not account for frequency of
initiating causes; it assumes all causes are "likely".
• It is recognized that this method may give a higher
required SIL than other methods.
• The perceived trade-off is reduced analysis time. On the
other hand, for events whose causes have a high
frequency, this method could give a lower SIL than is
actually needed.
How do we determine the right SIL - 4
• The fault tree analysis (FTA) method quantitatively
estimates the frequency of the undesired event for a
given process configuration.
• If the frequency is too high, an SIS of a certain SIL is
added to the design and incorporated into the FTA. The
SIL can be increased until the frequency is low enough
in the judgment of the team.
• FTA requires significant resources.
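As an added worked example (not from the original slides) of the FTA route just described: a small fault tree is evaluated to get the unmitigated frequency of the top event, the SIS is then incorporated into the tree as an extra AND input carrying the worst-case PFDavg of each SIL, and the SIL is raised until the frequency falls below the tolerable value. The tree, its event frequencies and probabilities, and the tolerable frequency are constructed sample numbers; the gate arithmetic is the usual rare-event approximation.

```python
"""Set a target SIL from a fault-tree frequency estimate (the FTA method).

Added worked example, not from the original slides; the tree, the event
frequencies and the tolerable frequency are constructed sample values. Gates
use the usual rare-event approximations: an OR gate adds frequencies (or
combines probabilities), an AND gate multiplies one frequency by the
probabilities of the enabling conditions or failed protection layers.
"""
from dataclasses import dataclass
from math import prod

# Worst-case PFDavg that a SIS of each SIL still guarantees (upper edge of the band).
SIL_PFD_MAX = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}


@dataclass
class Basic:
    name: str
    kind: str    # "freq" (events per year) or "prob" (dimensionless)
    value: float


@dataclass
class Gate:
    op: str      # "OR" or "AND"
    inputs: list


def evaluate(node):
    """Return (kind, value) for a node; the kind records whether the result is
    a frequency per year or a probability, so unit mistakes raise errors."""
    if isinstance(node, Basic):
        return node.kind, node.value
    results = [evaluate(n) for n in node.inputs]
    kinds = {k for k, _ in results}
    if node.op == "OR":
        if kinds == {"freq"}:
            return "freq", sum(v for _, v in results)
        if kinds == {"prob"}:
            return "prob", 1.0 - prod(1.0 - v for _, v in results)
        raise ValueError("an OR gate cannot mix frequencies and probabilities")
    if node.op == "AND":
        freqs = [v for k, v in results if k == "freq"]
        probs = [v for k, v in results if k == "prob"]
        if len(freqs) > 1:
            raise ValueError("an AND gate may carry at most one frequency input")
        if freqs:
            return "freq", freqs[0] * prod(probs)
        return "prob", prod(probs)
    raise ValueError(f"unknown gate {node.op}")


def required_sil(top_freq, tolerable_freq):
    """Smallest SIL whose worst-case PFDavg still brings the top event below
    the tolerable frequency; 0 means no SIS is needed, None means even SIL 4
    is not enough and the process design itself must change."""
    if top_freq <= tolerable_freq:
        return 0
    needed_pfd = tolerable_freq / top_freq
    for sil in sorted(SIL_PFD_MAX):
        if SIL_PFD_MAX[sil] <= needed_pfd:
            return sil
    return None


def with_sis(tree, sil):
    """Incorporate the SIS into the tree: the hazard now also needs the SIS to
    fail on demand, modelled as an AND with its worst-case PFDavg."""
    return Gate("AND", [tree, Basic(f"SIL {sil} SIS fails on demand", "prob", SIL_PFD_MAX[sil])])


def iterate_sil(tree, tolerable_freq):
    """Raise the SIL until the mitigated frequency is low enough; returns the
    (sil, mitigated frequency) pairs tried, ending with the accepted one."""
    trials = []
    for sil in sorted(SIL_PFD_MAX):
        _, f = evaluate(with_sis(tree, sil))
        trials.append((sil, f))
        if f <= tolerable_freq:
            break
    return trials


# Constructed tree: vessel overpressure needs an initiating cause, the operator
# missing the high-pressure alarm, and the relief valve failing on demand.
OVERPRESSURE = Gate("AND", [
    Gate("OR", [
        Basic("cooling water failure", "freq", 0.10),
        Basic("pressure controller failure", "freq", 0.05),
        Basic("operator error during start-up", "freq", 0.20),
    ]),
    Basic("operator fails to act on alarm", "prob", 0.10),
    Basic("relief valve fails to open", "prob", 0.02),
])
TOLERABLE_PER_YEAR = 1e-5  # assumed tolerable frequency for this consequence class

if __name__ == "__main__":
    _, f_top = evaluate(OVERPRESSURE)
    print(f"unmitigated: {f_top:.2e} /yr -> required SIL {required_sil(f_top, TOLERABLE_PER_YEAR)}")
    for sil, f in iterate_sil(OVERPRESSURE, TOLERABLE_PER_YEAR):
        print(f"with SIL {sil} SIS: {f:.2e} /yr")
```

The unmitigated top event comes out at 7×10^-4 per year against a tolerable 10^-5 per year, a required risk reduction of 70, so SIL 1 (which only guarantees a factor of 10) is not enough and the iteration settles on SIL 2. Using the upper edge of each SIL band keeps the choice conservative; the SIS designed to that target must then be verified, with its real component data, to sit inside the band.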
Recommended