Section-19 Safety Integrity Level

Haward Technology Middle East 1Section 19

Process Control, Instrumentation and Safeguarding

Section 19

Safety Integrity Level



TOPICS

Introduction

Definition

Selection Procedure

Practical Example




Introduction




INTRODUCTION

General

A Safety Integrity Level (SIL) is a statistical representation of the integrity of the SIS when a process demand occurs.

It is used in both ANSI/ISA-S84.01 and IEC 61508 to measure the reliability of SIS. Both ISA and IEC have agreed that there are three levels of safety integrity: SILs 1, 2 and 3. IEC also includes an additional level, SIL 4, that ISA does not.

The higher the SIL is, the more reliable or effective the system is.




The concept of safety integrity levels (SIL’s) was introduced during the development of BS EN 61508 (BSI 2002) as a measure of the quality, or dependability, of a system which has a safety function.

Once the need for a SIF / SIS has been identified, the key is to determine the correct SIL to control process risk to a tolerable level.

The SIL is used as a performance measure ( in terms of the probability of the SIF failing to perform it’s required function on demand ).

INTRODUCTION

General




SIL 4Very significant impact on the community leading to a reduction in danger from 10000 to 100000

SIL 3Very significant impact on the community and employees leading to a reduction in danger from 1000 to 10000

SIL 2Significant protection of the installation, production and employees leading to a reduction in danger from 100 to 1000.

SIL 1Low protection of the installation and production leading to a reduction in danger from 10 to 100.

SIL CategoriesINTRODUCTION




SIL’s are correlated to the probability of failure of demand (PFD), which is equivalent to the unavailability of a system at the time of a process demand.

INTRODUCTION

General




Definition




DEFINITION

The standards recognise that safety functions can be required to operate in quite different ways.

In particular they recognise that many such functions are only called upon at a low frequency / have a low demand rate.




Consider a car; examples of such safety functions are:

Anti-lock braking (ABS). (It depends on the driver, of course!).

Secondary restraint system (SRS) (air bags).

On the other hand there are functions which are in frequent or continuous use; examples of such functions are:

Normal braking Steering

DEFINITION




DEFINITION




Selection Procedure




This section discusses the application of two methods of determining SIL requirements

• RISK MATRIX METHOD

• RISK GRAPH METHOD

SELECTION PROCEDURE




Risk Matrix Method

SELECTION PROCEDURE




This is one of the most commonly used techniques in the process industries to establish target SIL. It uses a risk matrix, which correlates risk severity and risk likelihood for the SIL.

The method allows the consideration of both likelihood and severity of a potential hazardous event during the assignment of SIL.

By correlating SIL values with a corporate-developed risk matrix, there is more consistency compared to the use of the Modified HAZOP methodology.

Risk Matrix

SELECTION PROCEDURE




Using this method requires the evaluation of the existing layers of protection and their effects on the risks of the potential hazardous events. The next slide is an illustration of a two-dimensional risk matrix that correlates to various SIL values.

Risk Matrix

SELECTION PROCEDURE




Risk Matrix

SELECTION PROCEDURE




Risk Matrix Showing Tolerability Bands

Significant

ConsequencesFrequency

/yr CatastrophicMajorMinor

Probable

Possible

Unlikely

Remote

Frequent

10-4

10-3

10-2

10-1

1

10

Tolerable Region

Transitional Region

Unacceptable Region

SELECTION PROCEDURE




Risk Graph Method

SELECTION PROCEDURE




SELECTION PROCEDURE


Start

Select SIF

Define the consequence sacristy

Categorize the consequence sacristy

Define the pre-safeguard likelihood

Categorize the pre-safeguard likelihood

Categorize the occupancy

Categorize the avoidance probability

Identify the required risk reduction

List independent protection layers

Calculate required SIL of SIS

No SIF Required

No SIF Required Obtain Expert Review

Document required SIL of SIS

Required SIL O or less?

Required SIL 3 or greater?

Other SIF?

Stop



The SIL Selection process is performed using the risk graph technique in a systematic team approach.

Because the Process Hazard Analysis (PHA) has already been completed, a dedicated SIL selection study is then conducted utilizing the results of the PHA as a screening tool.

Selection of SIL is a team exercise which should include individuals from the original PHA team along with new experienced personnel.

The process utilized is represented by the flowchart shown in Figure 1. The following is a detailed explanation of the SIL selection process.

Risk Graph Method

SELECTION PROCEDURESafety Integrity Level



The study begins with a list of Safety Instrumented Functions which have to be analyzed.

These Safety Instrumented Functions are identified through reviewing the recommendations and safeguards noted in the Process Hazard Analysis reports.

For each Safety Instrumented Function that have been identified, the characteristics of the accident being prevented are defined – see Fig. 2.

Risk Graph Method

SELECTION PROCEDURE




Parameter Description

Consequence C Average number of fatalities likely to result from the hazard. Determined by calculating the average numbers in

the exposed area when the area is occupied taking into

account the vulnerability to the hazardous event

Occupancy F Probability that the exposed area is occupied. Determined

by calculating the fraction of time the area is occupied

Probability of

avoiding the

hazard

P The probability that exposed persons are able to avoid the

hazard if the protection system fails on demand. This

depends on there being independent methods of alerting the exposed persons to the hazard and manual methods of

preventing the hazard or methods of escape

Demand rate W The number of times per year that the hazardous event would occur if no SIS was fitted. This can be determined

by considering all failures which can lead to one hazard and estimating the overall rate of occurrence

Fig 2

SELECTION PROCEDURE




In sequence, the consequence severity is categorized using the information provided in Figure 3.

The consequence definition and selected category were then documented in a SIL selection worksheet.

Risk Graph Method

SELECTION PROCEDURE




Fig 3 CONSEQUENCE SEVERITY CATEGORY

Consequence Range

Qualitative Criteria

Cd Personnel: Multiple critical injuries or fatalitiesPublic: Potential for multiple critical injuries or fatalitiesEnvironment: Unconfined release with major environmental impactProperty: Plant & production loss in excess of $100M

Cc Personnel: Potential for serious injuries or single fatalityPublic: Potential for serious injuries or single fatalityEnvironment: Unconfined release with medium environmental impactProperty: Plant & production loss in the range of $10 to $10M

Cb Personnel: severe injury requiring medical emergency care Public: Potential for severe injury requiring medical emergency careEnvironment: Unconfined release with minor environmental impactProperty: Plant & production loss in the range of $1 to $10M

Ca Personnel: Injury requiring first aidPublic: Odour or noise nuisance, no direct impactEnvironment: Confined release with localized impactProperty: Plant & production loss in the of $100,00 to $1M




After the consequence has been addressed, the pre-safeguard likelihood of the accident is defined.

The pre-safeguard likelihood is categorized using

information provided in Figure 4.

The pre-safeguard likelihood definition and selected category are then documented in the SIL selection worksheet.

SELECTION PROCEDURE




Note the pre-safeguard likelihood category required for SIL selection should only reflect the likelihood of the causes.

For example, one should analyze the severity of a vessel rupture for an exothermic reaction without considering the benefits of a relief valve.

This allows the required effectiveness of the safeguards, including the Safety Instrumented Function, to be analyzed.

SELECTION PROCEDURE




Fig 4 LIKLIEHOOD CATEGORISATION

Parameter Range of Values

Demand rate (W). The number of times per year that the hazardous event would occur in the absence of the SIS under consideration.

W1 = Demand rate less than 0.1 D per year

W2 = Demand rate between 0.1 D and D per year

W3 = Demand rate between D and 10D per year

SELECTION PROCEDURE




Next, the occupancy and avoidance characteristics in the hazardous zone must be analysed.

The frequency of, and exposure time in, the hazardous zone is categorised using Figure 5, together with avoidance details

The these parameters are then documented in a SIL Selection Worksheet.

SELECTION PROCEDURE




Fig 5 OCCUPANCY & AVOIDANCE

CATEGORISATION

Parameter Range of Values

Occupancy (F)This is calculated by determining the length of time the area exposed to the hazard is occupied during a normal working period

Avoidance (P)Possibility of avoiding the hazardous event if the protection system fails to operate5

FA = Rare to more often exposure in the hazardous zone. Occupancy less than 0.1FB = Frequent to permanent exposure in the hazardous zone.

PA = Possible to avoid

Should only be selected if all the following are true:Facilities are provided to alert the operator that the SIS has failedIndependent facilities are provided to shut down such that the hazard can be avoided or which enable all persons to escape to safe areaThe time between the operator being alerted and a hazardous event occurring exceeds 1 hour

PB = Not possible to avoid. Applies if any of PA conditions are not met




The probability of avoiding the hazardous event has to be analysed.

The probability of avoiding the hazardous event is then categorised using Figure 5.

The probability of avoidance parameter is then documented in a SIL Selection Worksheet.

SELECTION PROCEDURE




Once the consequence, pre-safeguard likelihood, occupancy and probability of avoidance are defined, the required risk reduction is determined from Figure 6.

The required risk reduction can take place by any combination of safeguards, either instrumented or non-instrumented.

The required risk reduction is a value that defines the number of order-of-magnitude decreases in either the consequence severity or likelihood of the unwanted accident (usually the likelihood) that are required.

SELECTION PROCEDURE




Fig. 6 RISK GRAPH

SELECTION PROCEDURESafety Integrity Level



SELECTION PROCEDURE




The required risk reduction is typically accomplished using a combination of instrumented and non instrumented safeguards.

In order to know what amount of risk reduction is required to be performed by the Safety Instrumented Function, one must know the total amount of risk reduction provided by the other protection layers.

This is accomplished by summing the number of independent protection layers that are available to prevent the hazard.

SELECTION PROCEDURE




Practical

Example




Determination of SIL by risk parameter chart

This practical exercise requires participants to determine the required SIL of a proposed safety-instrumented system using the basic principles of the Risk Graph method.

PRACTICAL EXAMPLE




The next diagram shows a reactor with a continuous feed of fuel and oxidant. Two flow control loops are operated under a ratio controller set by the operator to provide matching flows of fuel and oxidant to the reactor.

An explosion can occur inside the reactor if the mixture becomes explosive and a source of ignition is found. In this case we might suppose the source is a hot catalyst inside the reactor. The mixture can become explosive if the fuel flow becomes too high relative to the oxidant flow.

PRACTICAL EXAMPLE




A safety-instrumented system is proposed with a separate set of flow meters connected to a flow ratio measuring function that is designed to trip the process to safe condition if the fuel flow exceeds the oxidant flow by a significant amount.

The tag number for this function is FFSH- 03.

PRACTICAL EXAMPLE




PRACTICAL EXAMPLE




Assume that the following information has been decided for the reactor.

The total frequency of the events leading to an explosive mixture is approximately once every ten years. The consequence of the explosion has been determined by a study to be a vessel rupture with a 1 in 5 chance of death or serious injury to 1 person.

The occupancy in the exposed area is less than 10% of the time and is not related to the condition of the process.

The onset of the event is likely to be to be fast with a worst-case time of 10 minutes between loss of oxidant and the possible explosion.

PRACTICAL EXAMPLE




PRACTICAL EXAMPLE




a

1

2

3

4

b

-

-a

1

2

3

W3 W2 W1

CA

CB

CC

CD

FA

PA

PB

PB

PB

PA

PA

PA

PB

- = No safety requirementsa = No special safety requirementsb = A single E/E/PES is not sufficient1,2,3,4 = Safety integrity level

F –OccupancyFA:FB:

Risk Parameters:

C – ConsequenceCA:CB:

CC:CD:

P – Hazard avoidance probabilityPA:

PB:

W – Demand rate in the absence of the SIF under considerationW1:

W2:W3:

Startingpoint

The chance of death is 0.2 per event (Range >0.1 to 1.0) = Cc

Occupancy is

less than 0.1 = FA

The explosion has a rapid onset (< 10 minutes) (Range >0.1 to < 1.0) = PB

Demand rate is estimated at 0.1/yr Gives W2 (Range >0.03 to < 0.3)

-a

1

2

3

4





Documents

Section-19 Safety Integrity Level