2. ABBREVIATIONS AND TERMINOLOGIES ... 8
3. SIL DETERMINATION METHODOLOGY ... 10
4. SIL DETERMINATION - PREPARATION ... 12
   4.1 Charter ... 12
   4.2 Timing ... 12
   4.3 Attendees ... 13
   4.4 Workshop Duration ... 13
   4.5 Role of the Coordinator / Project Engineer ... 13
       4.5.1 Before the Sessions ... 14
       4.5.2 During the Sessions ... 14
       4.5.3 After the Sessions ... 14
   4.6 The Facilitator ... 14
       4.6.1 Before the Sessions ... 15
       4.6.2 During the Sessions ... 15
       4.6.3 After the Sessions ... 15
       5.2.1 Establish Context for each System and the Safety Target of the Process ... 17
       5.2.2 Identify SIFs Needed ... 17
       5.2.3 Determine required SIL of the SIF ... 18
   5.3 Recording ... 18
   5.4 SIL Determination Report ... 18
7. SIL VERIFICATION ... 25
8. REFERENCES ... 26
APPENDIX 1 - EXAMPLE WORKSHEET FOR SIL DETERMINATION - LOPA METHOD (ANNEX F - IEC 61511 PART 3)
APPENDIX 2 - SIL DETERMINATION – SIL MATRIX METHOD (ANNEX C - IEC 61511 PART 3)
APPENDIX 3 - SIL DETERMINATION - RISK GRAPH METHOD (ANNEX D - IEC 61511 PART 3)
002-000-PDW-228 (019056) EPP-0263 Corporate Base, Page 9 of 36, Rev 1 (30-May-08)
Mode of Operation: Safety Instrumented Systems are split into two types, based on the mode of
operation in which the system is intended to be used, with respect to the frequency of demands made
upon it.
For an SIS operating in a low demand mode of operation, the safety integrity measure of interest is the
average probability of failure to perform its designed function on demand. For an SIS operating in a
continuous mode of operation, the safety integrity measure of interest is the frequency of a dangerous
failure per hour.
The SIL ratings and requirements relating to both modes of operation and their application are shown below.

SIL | Continuous (High) Demand Mode of Operation: Failure Rate / hour | Low Demand Mode of Operation: Probability of Failure on Demand (PFD) | PFD expressed as odds | Risk Reduction Factor (RRF)
1   | < 10^-5 to 10^-6 | < 10^-1 to 10^-2 | < 1 in 10 to 1 in 100        | 10 – 100
2   | < 10^-6 to 10^-7 | < 10^-2 to 10^-3 | < 1 in 100 to 1 in 1000      | 100 – 1,000
3   | < 10^-7 to 10^-8 | < 10^-3 to 10^-4 | < 1 in 1000 to 1 in 10000    | 1,000 – 10,000
4   | < 10^-8 to 10^-9 | < 10^-4 to 10^-5 | Less than 1 in 10000         | 10,000 – 100,000
High Demand Mode: where the frequency of demands for operation made on the system is
greater than one per year or greater than twice the proof test frequency. An example of this
could be the braking system on a car. The safety integrity measure of interest is the frequency of
a dangerous failure per hour.
Low Demand Mode: where the frequency of demands for operation made on the system is no
greater than one per year and no greater than twice the proof test frequency. An example of this
could be an air bag within a car. The safety integrity measure of interest is the average
probability of failure to perform its designed function on demand.
Necessary Risk Reduction: Risk reduction to be achieved by the E/E/PE safety-related systems,
other technology safety-related systems and external risk reduction facilities in order to ensure that
the tolerable risk is not exceeded.
Intermediate Event Likelihood: The Intermediate Event Likelihood is calculated by multiplying the
Initiating Event Likelihood by the PFDs of the protection layers and mitigating layers.
Required (Target) Event Likelihood: Corporate (Customer) Criteria for Events of this Severity Level.
3. SIL DETERMINATION METHODOLOGY
A safety function is implemented by an SIS, another technology safety-related system or external risk
reduction facilities, and is intended to achieve or maintain a safe state for the process with respect
to a specific hazardous event. In the process industries, safety functions are most often delegated to
electrical, electronic or programmable electronic (E/E/PE) Safety Instrumented Systems (SIS).
The functional safety standards IEC 61508 and IEC 61511 propose guidelines which can be used
to define the requirements for achieving a specified Safety Integrity Level (SIL) and to
evaluate the actual availability of an SIS.
There are several methods that can be used for SIL determination for a specific safety instrumented
function. IEC 61511-3 presents information on a number of methods that have been used. The
method selected for a specific application will depend on many factors, including:
The customer
The complexity of the application
The guidelines from regulatory authorities
The nature of the risk and the required risk reduction
The experience and skills of the person available to undertake the work
The information available on the parameters relevant to the risk.
The following are basic and generic steps to determine a safety function SIL rating based on IEC
61511:
Perform a hazard and risk analysis to evaluate existing risk
Identify safety function(s) needed
Allocate safety function(s) to independent protection layers
Determine if a SIF is required
Determine required SIL of the SIF.
The methods presented in this guideline are based on IEC 61511 and utilise a Workshop approach:
Layer of Protection Analysis (LOPA)
SIL Matrix
Risk Graph
The LOPA methodology as covered in IEC 61508 Part 7 is one of the WorleyParsons preferred
methods as it provides a logical means of evaluating a large number of SIF, and includes means to
consider several key parameters (severity, likelihood, occupancy, and safeguards). As such LOPA
This step determines whether a safety instrumented function is required. Protection layers of other
technologies should be considered prior to establishing the need for a safety instrumented function
implemented in an SIS. If no other non-SIS protection can meet the safety target level, a safety
instrumented function implemented in an SIS is required to protect against the identified hazards.
5.2.3 Determine required SIL of the SIF
The required SIL rating of the identified SIF is determined in this step.
Select the first SIF (hazardous scenario) to be examined. The facilitator asks the team to explain the explicit
purpose and intent of the SIF, including any safeguards available.
The facilitator assesses the first SIF.
The SIL rating of each SIF is identified in turn.
5.3 Recording
The SIL determination process should be recorded thoroughly, using either dedicated SIL
determination software or MS Excel, to ensure consistency.
Refer to SIL Determination Worksheet EPF-0267; Appendix 1 shows a typical example of how the
worksheet is used for LOPA.
It is highly recommended that a data projector is used during the workshop such that all participants
can view the record, recommend modifications and agree the minutes and actions, thereby
minimizing any revisions and modifications required later on.
The study team needs to agree on the similarity / equivalence of multiple units (in order to review only
one unit).
REMEMBER – The minutes of the study need to be understood by personnel who were NOT present
at the study!
5.4 SIL Determination Report
To comply with the standards the SIL determination process needs to be documented.
The facilitator and/or scribe need to formally document the SIL determination process; this needs to
event or the action of any other layer of protection associated with the scenario to control, prevent
and/or mitigate process risk.
6.2 LOPA Steps
The method starts with data developed in the Hazard and Operability analysis (HazOp study) and
accounts for each identified hazard by documenting the initiating cause and the protection layers that
prevent or mitigate the hazard. The total amount of risk reduction can then be determined and the
need for more risk reduction analyzed. If additional risk reduction is required and if it is to be provided
in the form of a SIF, the LOPA methodology allows the determination of the appropriate SIL for the
SIF. The method is illustrated in the figure below.
Steps are:
1. Select a SIF identifier (tag number) from the Cause & Effect Tables.
Develop an ‘impact event scenario’ based on the HazOp workshop records. The
‘consequences’ identified in the HazOp records are listed as ‘impact events’. Each
‘hazard and consequence’ is a single ‘impact event scenario’.
For each impact event scenario evaluate the severity consequences on HSE, and Assets
2. Set the impact event scenario ‘Target Likelihoods’ after mitigation to meet the HSE and
Assets tolerable risks on the basis of severity of consequences on HSE and Assets
3. Initiating Cause(s)
Determine the initiating causes of each impact event, i.e. all of the Initiating Causes of the
hazard determined in the HazOp are listed.
4. Select an initiating cause and its Frequency
Calculate the enabled initiating event(s) frequency. The hazard initiating cause likelihood (in
events per year) is agreed on, i.e. a likelihood is estimated for each initiating cause.
5. Independent Protection Layers ‘IPLs’
Independent Protection Layers (IPLs) are listed. Each IPL is assigned a Probability of Failure
on Demand (PFD) value.
Among IPLs are:
General Process Design / Inherent Safety: The general process design to reduce the
likelihood of hazard manifesting itself, when an Initiating Cause occurs. An example of this
would be a jacketed pipe or vessel. The jacket would prevent the release of process
material if the integrity of the primary pipe or vessel were compromised.
BPCS: If a control loop in the BPCS prevents the impact event from occurring when the
Initiating Cause occurs, credit based on its PFD is claimed.
Operator Intervention (Alarms): This takes credit for alarms that alert the operator and
rely on operator intervention. Ensure that the alarm is independent of the cause, and of the
BPCS (if credit is given for it).
6. Other Protection Layers
For each event the following probabilities are also determined:
Occupancy - The probability of a person being in the area.
Ignition - The probability that a release of flammable material will ignite / explode (given
that it has already been released). The probability that a release will be ignited depends on a
number of factors, including the chemical’s reactivity, volatility, auto-ignition temperature,
and physical state as well as the potential sources of ignition that are present. For a blast
to result from vapor cloud combustion, a reasonable amount of obstructions and
confinement must exist to cause the flame front to burn turbulently and reach sonic
velocity.
Fatality - The probability that a person will die given a release of hazardous material and a
person is already there. Allow for escape and/or avoidance.
7. Intermediate Event Likelihood
The Intermediate Event Likelihood is calculated by multiplying the Initiating Likelihood by the
PFDs of the protection layers and mitigating layers. The calculated number is in units of events
per year. If the Intermediate Event Likelihood is less than the Corporate Criteria for Events of
this Severity Level, additional PLs are not required. Further risk reduction should, however, be
applied if economically appropriate.
8. Mitigated Event Likelihood
Mitigated event likelihood is calculated by multiplying the initiating cause likelihood by the PFDs
for the applicable IPLs. The mitigated event likelihood is then compared to a criterion linked to
the corporation’s criteria for unacceptable risk levels. Additional IPLs can be added to reduce
the risk. The mitigated event likelihoods are summed to give an estimate of the risk for the
whole process.
9. Select other initiating causes and their Frequencies
Repeat all the previous steps
10. Safety Integrity Level Selection
The SIF's required integrity level is calculated by dividing the Corporate Risk Criteria for
the event by the Required Event Likelihood (for all causes). A PFD for the SIF below this
number is selected as the maximum for the SIS and entered.
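The ten LOPA steps above reduce to a short calculation once the worksheet values are agreed. The following is an added example, not the guideline's EPF-0267 worksheet or WorleyParsons code: it multiplies each initiating cause's likelihood by its IPL PFDs and conditional modifiers (steps 4 to 8), sums over all causes (step 9), divides the corporate target likelihood by that total to get the maximum SIF PFD (step 10), and maps that PFD to a SIL using the low-demand bands from the table in section 2. All cause names, frequencies and PFDs below are constructed sample data.

```python
"""LOPA worked example (constructed; not the guideline's own worksheet).

Mitigated likelihood of one cause = initiating frequency (events/year)
    x PFD of each independent protection layer (IPL)
    x conditional modifiers (occupancy, ignition, fatality probabilities).
Total over all causes is compared with the corporate target likelihood;
the SIF must contribute PFD <= target / total, which is then read off
the low-demand SIL table from the guideline.
"""
from dataclasses import dataclass, field

# Low-demand SIL bands from the guideline's SIL table: (SIL, PFD lower bound, PFD upper bound)
SIL_BANDS = [
    (1, 1e-2, 1e-1),
    (2, 1e-3, 1e-2),
    (3, 1e-4, 1e-3),
    (4, 1e-5, 1e-4),
]


def sil_for_pfd(pfd):
    """Map a required SIF PFD to a SIL band (1e-2 <= PFD < 1e-1 is SIL 1, etc.).

    Returns 0 when PFD >= 0.1 (the other layers already meet the target, no SIF
    needed) and None when PFD < 1e-5 (beyond SIL 4: a single SIF cannot deliver
    this, so the design or the other layers must change).
    """
    if pfd >= 0.1:
        return 0
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    return None


@dataclass
class InitiatingCause:
    """One row of the LOPA worksheet: a cause, its frequency, the IPLs credited and the modifiers."""
    name: str
    frequency: float                     # initiating cause likelihood, events per year
    ipl_pfds: dict = field(default_factory=dict)  # IPL name -> PFD claimed (BPCS, alarm, relief ...)
    occupancy: float = 1.0               # probability a person is in the area
    ignition: float = 1.0                # probability the release ignites (1.0 if not flammable)
    fatality: float = 1.0                # probability of death given exposure

    def mitigated_likelihood(self):
        """Steps 7/8: frequency x modifiers x product of IPL PFDs, in events per year."""
        result = self.frequency * self.occupancy * self.ignition * self.fatality
        for pfd in self.ipl_pfds.values():
            result *= pfd
        return result


def required_sif(causes, target_likelihood):
    """Step 10: sum the mitigated likelihoods of all causes for the impact event and
    derive the maximum PFD the SIF may have so the total falls below the target."""
    total = sum(c.mitigated_likelihood() for c in causes)
    if total <= target_likelihood:
        return {"total": total, "required_pfd": None, "sil": 0}
    max_pfd = target_likelihood / total
    return {"total": total, "required_pfd": max_pfd, "sil": sil_for_pfd(max_pfd)}


# Constructed sample scenario: overpressure of a vessel with two initiating causes.
SAMPLE_CAUSES = [
    InitiatingCause("level control loop failure", 0.1,
                    ipl_pfds={"BPCS": 0.1, "high level alarm": 0.1},
                    occupancy=0.5, ignition=0.1),
    InitiatingCause("blocked outlet", 1.0,
                    ipl_pfds={"BPCS": 0.1},
                    occupancy=0.5, ignition=0.1),
]
SAMPLE_TARGET = 1e-5   # constructed corporate criterion for this severity, events per year


if __name__ == "__main__":
    result = required_sif(SAMPLE_CAUSES, SAMPLE_TARGET)
    print(f"total mitigated likelihood: {result['total']:.3e} /yr")
    print(f"maximum SIF PFD: {result['required_pfd']:.3e} -> SIL {result['sil']}")
```

With the sample data the two causes sum to about 5.05e-3 events per year, so the SIF must provide a PFD of roughly 2e-3, which falls in the SIL 2 band. Note that the answer is driven almost entirely by the second cause; as step 9 says, every cause must be included before the division is done, otherwise the SIL is understated.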
Hazardous Event Severity Matrix - SIL Matrix
One common technique, among international refining, chemical and petrochemical companies, is to
use a risk matrix, which provides a correlation of risk severity and risk likelihood to SIL. The method
allows the probability of the potential event to be considered during the assignment of SIL.
It should also be noted that many companies already use a risk matrix and have their own guidelines.
WorleyParsons recommend that for each customer the matrix's compatibility be assessed and
calibrated against the customer's risk management requirements prior to any SIL determination.
A corporate risk matrix provides control of the SIL assigned for a particular severity and likelihood.
During the assessment of the incident severity and likelihood, the available layers of protection must
be evaluated and their effect on the incident severity and likelihood must be determined. The safeguards must be independent, verifiable, dependable, and designed for the prevention of the specific
risk.
The SIL matrix given here has been developed based on the guidelines given in IEC 61508 part 5,
and IEC 61511 and also AS 4360 Risk Management [Ref. 3]. The matrix identifies the potential risk
reduction that can be associated with the use of a SIS protection layer. The risk matrix is based on
the operating experience and risk criteria of the specific company, the design, operating and
protection philosophy of the company, and the level of safety that the company has established as its
safety target level.
Note that the use of a SIL matrix carries the inherent assumption that a 'Low' risk is acceptable.
Explanation and Use of SIL Matrix
The underlying principle is that for any system, hazards that present unacceptable risks need to be
prevented or mitigated against to reduce the risk to ALARP.
A SIL 1 protective system moves the risk associated with a hypothetical hazardous scenario 1 column
to the right or 1 row down (i.e. reduces frequency or consequence respectively by 1 order of
magnitude). Likewise a SIL 2 system would move the risk associated with a hazardous scenario 2
columns to the right or 2 rows down, i.e. 2 orders of magnitude. And so on.
Therefore, to determine the SIL requirements of a system, the risk associated with a hazardous
scenario needs to be determined without the SIS in place. Based on where the hazardous scenario is
then located on the Risk Matrix, the number of columns or rows that need to be moved to reduce
the hazardous scenario to an acceptable risk determines the SIL level(s) of the system(s).
The two essential parameters of the SIL matrix are Consequence Severity and Frequency of
Occurrence.
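The column-shifting rule just described can be written down directly. The following is an added example and not WorleyParsons' calibrated matrix: the five frequency columns, five severity rows and the risk classes in each cell are a hypothetical matrix constructed for illustration (a real one must be calibrated with the customer as the text says). The function places the unmitigated scenario on the matrix and counts how many columns to the right it must move to reach a 'Low' cell; that count is the SIL. It also handles the edge where even four columns (SIL 4) do not reach an acceptable cell, in which case the SIS alone cannot deliver the required risk reduction.

```python
"""SIL matrix walk (constructed example; the matrix is hypothetical, not the guideline's).

Columns run from most frequent (left) to least frequent (right), one order of
magnitude per column. A SIL n protective system moves a scenario n columns to
the right; the required SIL is the smallest shift that lands on an acceptable cell.
"""

FREQUENCY_COLUMNS = [">1/yr", "1e-1..1/yr", "1e-2..1e-1/yr", "1e-3..1e-2/yr", "<1e-3/yr"]
COLUMN_LOWER_BOUNDS = [1.0, 0.1, 0.01, 0.001, 0.0]      # events per year, one per column
SEVERITY_ROWS = ["Catastrophic", "Major", "Serious", "Minor", "Negligible"]

# Hypothetical risk classes (H/M/L): rows = severity (worst first), columns = frequency
# (most frequent first). Catastrophic is never 'Low' in this constructed matrix, so a
# catastrophic scenario cannot be made acceptable by an SIS alone.
RISK_MATRIX = [
    ["H", "H", "H", "H", "M"],   # Catastrophic
    ["H", "H", "H", "M", "L"],   # Major
    ["H", "H", "M", "L", "L"],   # Serious
    ["M", "L", "L", "L", "L"],   # Minor
    ["L", "L", "L", "L", "L"],   # Negligible
]

MAX_SIL = 4   # IEC 61508/61511 define SIL 1 to SIL 4 only


def frequency_column(events_per_year):
    """Place an unmitigated demand/event frequency in its matrix column."""
    for label, lower in zip(FREQUENCY_COLUMNS, COLUMN_LOWER_BOUNDS):
        if events_per_year >= lower:
            return label
    raise ValueError("frequency must be non-negative")


def risk_class(severity, events_per_year):
    """Risk class of the scenario with no SIS in place."""
    row = SEVERITY_ROWS.index(severity)
    col = FREQUENCY_COLUMNS.index(frequency_column(events_per_year))
    return RISK_MATRIX[row][col]


def required_sil(severity, events_per_year, acceptable="L"):
    """Smallest number of columns (orders of magnitude of frequency reduction) that
    moves the scenario onto an acceptable cell. Returns 0 if already acceptable and
    None if even SIL 4 is not enough (the design or other layers must change)."""
    row = SEVERITY_ROWS.index(severity)
    col = FREQUENCY_COLUMNS.index(frequency_column(events_per_year))
    last = len(FREQUENCY_COLUMNS) - 1
    for shift in range(MAX_SIL + 1):
        target = min(col + shift, last)   # cannot move past the least-frequent column
        if RISK_MATRIX[row][target] == acceptable:
            return shift
    return None


if __name__ == "__main__":
    for sev, freq in [("Major", 5.0), ("Major", 0.05), ("Minor", 5.0), ("Catastrophic", 0.0001)]:
        print(f"{sev:13s} {freq:8g}/yr  class {risk_class(sev, freq)}  -> SIL {required_sil(sev, freq)}")
```

The row-shift variant (reducing consequence rather than frequency) follows the same pattern on the row index; it is left out here because a SIF normally acts on frequency.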
Consequence Severity
Associated with each hazardous event, the potential severity of the consequence without the
protective system or loops in place needs to be defined. The SIL matrix has a few levels of
Occupancy parameter (F). This is calculated by determining the proportional length of time the area exposed to the hazard is occupied during a normal working period.
NOTE 1 If the time in the hazardous area is different depending on the shift being operated then the maximum should be selected.
NOTE 2 It is only appropriate to use Fa where it can be shown that the demand rate is random and not related to when occupancy could be higher than normal. The latter is usually the case with demands which occur at equipment start-up or during the investigation of abnormalities.
Fa: Rare to more frequent exposure in the hazardous zone. Occupancy less than 0.1.
Fb: Frequent to permanent exposure in the hazardous zone.
Comments: see comment 1 above.

Probability of avoiding the hazardous event (P) if the protection system fails to operate.
Pa: Adopted if all the conditions listed below are satisfied.
Pb: Adopted if the conditions are not all satisfied.
Pa should only be selected if all the following are true:
- facilities are provided to alert the operator that the SIS has failed;
- independent facilities are provided to shut down such that the hazard can be avoided, or which enable all persons to escape to a safe area;
- the time between the operator being alerted and a hazardous event occurring exceeds 1 hour or is definitely sufficient for the necessary actions.

Demand rate (W): the number of times per year that the hazardous event would occur in the absence of the SIF under consideration.
To determine the demand rate it is necessary to consider all sources of failure that can lead to one hazardous event. In determining the demand rate, limited credit can be allowed for control system performance and intervention. The performance which can be claimed if the control system is not designed and maintained according to IEC 61511 is limited to below the performance ranges associated with SIL 1.
W1: Demand rate less than 0.1D* per year.
W2: Demand rate between 0.1D and D per year.
W3: Demand rate between D and 10D per year. For demand rates higher than 10D per year higher integrity shall be needed.
Comments:
1. The purpose of W is to estimate the frequency of the hazardous event taking place without the addition of the SIS.
2. If W is very high, the SIL has to be determined by another method or the risk graph recalibrated.
*D is a calibration factor, the value of which should be determined so that the risk graph results in a level of residual risk which is tolerable, taking into consideration other risks to exposed persons and corporate criteria. Note – The WorleyParsons default value for 'D' is 0.1.
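The F, P and W rules quoted from the risk graph table are conditions that are easy to get wrong in a workshop (Fa claimed when demands coincide with high occupancy, Pa claimed with only two of the three conditions met, BPCS credit taken beyond what an uncertified control system may claim). The following is an added example, not WorleyParsons' risk graph or tool: it encodes those selection rules as functions, using the guideline's default D = 0.1 and treating the boundary values and the "below SIL 1" control-system cap as a PFD floor of 0.1 (RRF of 10) as stated assumptions. It deliberately stops at the parameter classification, since the C parameter and the graph that maps C, F, P and W to a SIL are not reproduced in this section.

```python
"""Risk graph parameter selection (constructed example following the F, P and W rules
quoted from the guideline's risk graph table; the function names are mine)."""

D_DEFAULT = 0.1            # WorleyParsons default calibration factor quoted in the text
UNCERTIFIED_BPCS_PFD_FLOOR = 0.1   # assumption: "below SIL 1" read as RRF < ~10, i.e. PFD >= 0.1


def occupancy_parameter(occupancy_fraction, demands_random_wrt_occupancy=True):
    """F: Fa only when the occupied fraction is below 0.1 AND the demands are random with
    respect to occupancy (NOTE 2); start-up or abnormality-driven demands force Fb."""
    if occupancy_fraction < 0.1 and demands_random_wrt_occupancy:
        return "Fa"
    return "Fb"


def avoidance_parameter(operator_alerted_on_sis_failure, independent_shutdown_or_escape,
                        hours_from_alert_to_event, time_definitely_sufficient=False):
    """P: Pa requires all three listed conditions; any one missing gives Pb."""
    enough_time = hours_from_alert_to_event > 1.0 or time_definitely_sufficient
    if operator_alerted_on_sis_failure and independent_shutdown_or_escape and enough_time:
        return "Pa"
    return "Pb"


def demand_rate_with_control_credit(raw_demand_rate, bpcs_pfd, bpcs_per_iec61511=False):
    """Apply limited credit for the control system when estimating W: a BPCS not designed
    and maintained to IEC 61511 may not claim better than the assumed PFD floor."""
    credited_pfd = bpcs_pfd if bpcs_per_iec61511 else max(bpcs_pfd, UNCERTIFIED_BPCS_PFD_FLOOR)
    return raw_demand_rate * credited_pfd


def demand_rate_parameter(demand_rate_per_year, d=D_DEFAULT):
    """W: W1 below 0.1D, W2 from 0.1D to D, W3 from D to 10D (boundaries assigned to the
    higher class as an assumption). Above 10D returns None: the risk graph cannot be used
    as calibrated; another method or a recalibration is required (comment 2)."""
    if demand_rate_per_year < 0.1 * d:
        return "W1"
    if demand_rate_per_year < d:
        return "W2"
    if demand_rate_per_year <= 10 * d:
        return "W3"
    return None


if __name__ == "__main__":
    # Constructed scenario: control loop fails twice a year, BPCS not built to IEC 61511,
    # area occupied 5% of the shift but demands occur at start-up when it is manned.
    w_rate = demand_rate_with_control_credit(2.0, bpcs_pfd=0.01)
    print("F =", occupancy_parameter(0.05, demands_random_wrt_occupancy=False))
    print("P =", avoidance_parameter(True, True, hours_from_alert_to_event=0.5))
    print(f"credited demand rate = {w_rate:.3g}/yr -> W = {demand_rate_parameter(w_rate)}")
```

Checking the third condition for Pa with "definitely sufficient" as a separate flag keeps the one-hour rule explicit in the worksheet rather than letting a judgement silently override it.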