SIL Assessment Methodology

1. 1. SIL Assessment Methodology

The common methods used for Target Safety Integrity Level determination are:

• · Risk Graph
• · Layer of Protection Analysis (LOPA)

Both these methods are included in the IEC61508 and IEC61511 standard.
The risk graph is a qualitative technique, the results tend to be quite subjective and lead to SIL levels biased on the high side. The Layers of protection analysis technique is quantitative and more accurate and it is becoming the widely accepted technique for SIL determination. It is to be noted that the outputs of SIL Assessment Workshop by following LOPA Method are the RRF and the SIL level, while that following the Risk Graph Method is only the SIL level.

It is advisable to consider Risk Graph method at the FEED stage and LOPA technique during detail design phase. Appropriate methodology should be chosen by the Project group after considering client guidelines or advice. In the absence of Client guideline follow LOPA methodology for Detailed Design.
1.1 Risk Graph Technique

The risk graph method is a qualitative approach to determine the level of integrity required for the identified Instrumented Protective Functions (IPF) for the project. The approach is based on the International Electro technical Commission standard, IEC61511 [Ref. 2] Risk graph analysis uses four parameters to make a SIL selection. These parameters are consequence (C), occupancy (F), probability of avoiding the hazard (P), and demand rate (W).

Consequence represents the average number of fatalities that are likely to result from a hazard when the area is occupied, and should include the expected size of the hazard and the receptor’s vulnerability to the hazard.

Occupancy (Exposure Time Parameter) is a measure of the amount of time that the area that would be impacted by the incident outcome is occupied.

The probability of avoiding the hazard will depend on the methods that are available for personnel to know that a hazard exists and also the means for escaping from the hazard.

The demand rate is the likelihood that the accident will occur without considering the effect of the SIF that is being studied, but including all other non-SIS protection layers.

A combination of consequence, likelihood, occupancy, and probability of avoidance represents a level of unmitigated risk. Once those categories have been determined, the risk graph is used to determine that SIL that will reduce the risk by the appropriate amount. Figure 1 contains a typical risk graph, as presented in IEC 61511-3. The SIL is selected by drawing a path from the starting point on the left to the boxes at the right by following the categories that were selected for consequence, occupancy and probability of avoidance.

The combination of those three determines the row that is selected.

Figure 1: Safety Integrity Level (SIL) Risk Graph (IEC 61511, Ref. 1)

1.1.1 Steps

Prior to the assessment, the risk graphs will be calibrated according to Client Risk criteria. For each loop, the SIL is determined and recorded on worksheets as follows.

1. Identify the loop to be examined, and record the tag and P&ID number.

2. Agree the function of the loop (i.e. what is it for?).

3. Determine the cause of demand of the loop (most commonly control failure).

4. Identify the output actions (e.g. close specified valves).

5. Agree the consequence if the loop fails on demand. At this point no credit is taken for other relevant risk reduction measures.

6. Having gathered the above information, use combined judgement to agree the four parameters C, F, P and W on the safety risk graph.

7. W is the frequency of the cause of demand identified in step 3.

8. Apply the safety risk graph to determine the SIL required on safety risk considerations.

9. Agree the economic loss parameter L and use the economic risk graph to determine the SIL required on economic risk considerations.

10. Agree the environmental loss parameter E and use the environmental risk graph to determine the SIL required on environmental risk considerations.

11. Determine the SIL required for the function identified in step 2 as the highest of the three SILs determined in steps 7, 8, and 9.

The above listed Steps are repeated for each of the IPF loops.

The risk graph parameters and criteria to be used for this assessment are outlined in Appendix-I of this document.

APPENDIX I–RISK GRAPH PARAMETERS AND CRITERIA

(1) – IEC 61511 Safety Parameters

Personnel Safety Risk parameter		Classification	Comments
Consequence (C) Average number of Fatalities This can be calculated by determining the average numbers present when the area is occupied and multiplying by the vulnerability to the identified hazard. The Vulnerability will be determined by the nature of the hazard being protected against. The following factors are proposed V=0.01 Small release of flammable or toxic material V=0.1 Large release of flammable or toxic material V=0.5 As above but with a high chance of igniting or highly toxic. V=1 Rupture or explosion	CA	Minor injury	1. The classification system has been developed to deal with injury and death to people. 2.For the interpretation of CA, CB, CC and CD, the onsequences of the accident and normal healing shall be taken into account.
	CB	Range 0.01 to 0.1
	CC	Range >0.1 to 1.0
	CD	Range > 1.0 to 10
Exposure probability in the hazardous zone (F) This is calculated by determining the length of time the area is occupied during a normal working period. NOTE -If the time in the hazardous area is different depending on the shift being operated then the maximum should be selected. NOTE -It is only appropriate to use FA where it can be shown that the demand rate is random and not related o when occupancy could be higher than normal. The latter is the case with demands which occur at equipment start-up	FA	In the hazardous	3. See comment 1
		zone. Occupancy less	above.
		than 0.1
	FB	Frequent to permanent exposure
		in the hazardous
		zone. Occupancy
		more than 0.1
Possibility of avoiding the hazardous event (P) if the protection system fails to operate	PA	Adopted if all conditions in column 4 are satisfied	4. PA should only be selected if all the following are true:- • Facilities are provided to alert the operator that the protection has failed • Independent facilities are provided to shut down such that the hazard can be avoided or which enable all persons to escape to a safe area • The time between the operator being alerted and a hazardous event occurring exceeds 1 hour or is definitely sufficient for the necessary actions.
		Adopted if all the conditions are not satisfied
	PB
Demand rate of the unwanted occurrence (W) given no protection system. To determine demand rate it is necessary to consider all sources of failure that will lead to a demand on the protection system. In determining the demand rate, limited credit can be allowed for control system performance and intervention. The performance which can be claimed if the control system is not to be designed and maintained according to IEC61508, is limited to below the performance ranges associated with SIL1.	W1	Demand rate less than 0.03 per year	5. The purpose of the W factor Is to estimate the frequency of the hazard taking place without the addition of the SIS 6. If the demand rate is very high (e.g., 10 per year) then use failure rate and continuous demand method.
	W2	Demand rate between 0.3 and 0.03 per year
	W3	Demand rate between 3 and 0.3 per year

(3) – IEC 61511 Environmental Parameters

Environmental		Classification	Comments
Consequence (C)	CA	A release with minor damage	A moderate leak from a
		that is not very severe but is	flange or valve Small
		large enough to be reported to	scale liquid spill
		plant management or local	Small scale soil pollution
		authorities	without affecting ground
	CB		water
		Moderate damage e.g. Release	A cloud of obnoxious
		within the fence with	vapour travelling beyond
	CC	significant damage	the unit following flange gasket blow-out or
		Substantial damage e.g.	compressor seal failure
		Release outside the fence with	A vapour or aerosol
	CD	major damage which can be	release with or without
		cleaned up quickly without	liquid fallout that causes
		significant lasting	temporary damage to
		consequences	plants or fauna
		Serious damage e.g. Release	Liquid spill into a river or
		outside the fence with major	sea
		damage which cannot be	A vapour or aerosol
		cleaned up quickly or with	release with or without
		lasting consequences	liquid fallout that causes
			lasting damage to plants or fauna
			Solids fallout (dust,
			catalyst, soot, ash) Liquid release that could affect
			groundwater
Possibility of	PA	Adopted if all conditions in	NOTE.
avoiding the		column 4 are satisfied	The same conditions as
hazardous event (P)	PB	Adopted if all the conditions	personnel safety apply
if the protection		are not satisfied
system fails to
operate.

1.2 Layer of Protection Analysis
LOPA is one of the techniques developed in response to a requirement within the process industry to be able to assess the adequacy of the layers of protection provided for an activity. Initially this was driven by industry codes of practice or guidance and latterly by the development of international standards such as IEC61508 [Ref 1] and IEC61511 [Ref 2].

Within the LOPA methodology the concept of the Independent Protective Layer (IPL) is well defined and important.

“An IPL is a device, system or action which is capable of preventing a scenario from proceeding to its undesired consequence independent of the initiating event or the action of any other layer of protection associated with the scenario. The effectiveness and independence of an IPL must be auditable.”

The SIL Selection is based on establishing a tolerable frequency for each consequence resulting from an initiating event. This tolerable risk guideline needs to be reviewed and accepted by the Company at the start of the SIL review process.

Once the tolerable frequency for a SIF is established, all causes of the initiating event are listed. For each cause of the initiating event, its likelihood is established. The layers of protection and associated PFD for each cause are then listed. The mitigated event frequency for each cause is determined. After each cause is analyzed the total event frequency due to all causes for the initiating event is determined. The SIL is determined by comparing the established tolerable frequency (goal) with the total mitigated event frequency.
1.2.1 Steps
Following are the important steps, which shall be addressed during SIL assessment sessions
1. Identify and list all Safety Instrumented Functions for the unit(s)

2. For each SIF identified:

• · Define the worst consequence if the SIF failed to operate when a demand occurs.
• · Categorize the consequence severity and tolerable frequency based on the Company Risk guidelines. The tolerable frequency will be selected from the reducible frequency band as per the table
• · List all causes and likelihood for the initiating event
• · For each cause, identify all available layers of protection and assign failure probabilities for each layer
• · For each cause calculate the mitigated event frequency considering all the layers i.e. F = Fe*PA*PB*PC*PD where F is the mitigated event frequency, Fe is non-mitigated event frequency based on the best industrial practices and PA/PB/PC/PD are the PFD values for each protection layer.
• · Calculate the total event frequency due to all causes
• · Compare the tolerable frequency goal with the total event frequency
• · Assign the required SIL based on the additional risk reduction required
• · Document the results of each analysis in the SIL Selection and Analysis worksheet. Include any notes and recommendations in the worksheet.

Typical SIL Assessment worksheet format is given in Appendix II.
APPENDIX II–LOPA SIL ASSESSMENT WORKSHEET

Unit
Area
P&ID Number:
SIF reference
no
Initiator Tag
Service
Design Intent
Worst
Consequence
Safe state
Process
safety Time
Risk Considered
Severity Level
(Consequence rating)
Tolerance Frequency
goal (TMEL)

Initiation Cause	Initia tion Freq uenc y (/yr)	General Process Design	PCS	Alarms etc.	Additional mitigation like restricted Access	IPL additional mitigation, dikes, PRVs	Intermediate Event Frequency (/yr)	Target Frequency (/yr)	SIF Integrity Level	RRF
Combined
Note 1
Recommendation 1

SIL CLASSIFICATION SHEET
1.2.2 Independent Protection Layers (IPL)
An Independent Protection Layer is a specific category of safeguard.

Independent protection layers must meet the following criteria.

Specificity – An independent protection layer must be specifically designed to prevent the consequences of one potentially hazardous event.
Independence – The operation of the protection layer must be completely independent from all other protection layers, no common equipment can be shared with other protection layers.
Dependability – The device must be able to dependably prevent the consequence from occurring. The probability of failure of an independent protection layer must be demonstrated to be less than 10%.
Auditability – The device should be proof tested and well maintained. These audits of operation are necessary to ensure that the specified level of risk reduction is being achieved.
1.2.3 Typical Protection Layers
While no two situations are identical, there are few protection layers and mitigating events that should always be considered while performing a layer of protection analysis in process industries. These protection layers are as below:

• · PCS Controls – In many cases the PCS control system is designed to automatically move the process to a safe state under abnormal conditions (Control loop or an On/Off loop). The criteria most used to determine whether the PCS system could be used, as a layer of protection is that a failure of the PCS system did not contribute in causing the initiating event. (Maximum Risk reduction credited shall be 1 in 10).

Many times, independent alarm in the PCS with operator action is provided to mitigate certain risks. In such a situation, credit for Alarm can be given only if the alarm signal is connected to an entirely independent initiator and I/O, other than the one carrying out the automatic controls. This will considerably reduce any common mode failures. (Maximum Risk reduction credited shall be 1 in 10).

For PCS to be credited with Two (2) IPLs, initiators, I/O cards and final control elements must be independent of each other. Only the logic solver part could be shared provided, logic solvers are redundant.

If the initiating or enabling event involves the failure of a PCS loop, then no more than one PCS loop should normally be credited as an IPL for the same scenario.

Maximum total risk reduction credited for PCS as an independent layer shall be no more than 1 in 100.

• · Operator Intervention – Operator intervention to manually shut down a process when abnormal conditions are detected is a common safeguard.

In order for this safeguard to meet the level required of an independent protection layer, the operator must always be present, be alerted to the abnormal situation, be trained in the proper reaction to the abnormal situation, and have ample time to consider the alarm and respond.

(Maximum Risk reduction credited shall be 1 in 10)

• · Mechanical Integrity of Piping or Vessel – In many cases, piping or a vessel will be designed to withstand the highest temperatures and pressures generated as the result of abnormal conditions. In these cases, the mechanical integrity of the vessel is a protection layer. (Maximum Risk reduction credited shall be 1 in 100)

• · Physical Relief Device – Physical relief devices are common safeguards and include such devices as relief valve, rupture disks, and thermal fusible plugs. (Maximum Risk reduction credited shall be 1 in 100)

• · Ignition Probability – When a flammable material is released to the atmosphere the probability that the release will ignite will depend on factors such as auto-ignition temperature and source of ignition present

• · Other layers to be considered – Use factor, Explosion Probability, Occupancy and External risk reduction facilities like F& G systems, Dikes, etc.

1. 2. SIL Target Level

For each of the safety instrumented function operating in demand mode, the required SIL shall be specified in accordance with levels as stated in table below

(Ref. 2):

Table 1: Probability of Failure on Demand for the SIL1, 2, 3 and 4

Safety Integrity Level (SIL)	Target average Probability of Failure on Demand
SIL 4	10-5 to< 10 –4
SIL 3	10-4 to< 10 –3
SIL 2	10-3 to< 10 –2
SIL 1	10-2 to< 10 –1

1. 3. SIL Assessment Report

The SIL Assessment Report shall be prepared by Chairman using the company format and shall include the following as a minimum:

• · Executive Summary
• · The scope of SIL Study
• · List of Participants
• · List of Assumptions or Rule Set agreed for the SIL Assessment
• · The systems examined
• · The results as captured in the worksheets
• · List of Alarms considered as IPL
• · Conclusions and Recommendations

1. 4. Follow-Up And Close-Out

Upon completion of the SIL assessment workshop, the Chairman will present the findings of the study in the form of a SIL Assessment report. Recommendations of the SIL assessment will be generally closed out by Instrumentation discipline.

It is important that Project allocate adequate resources to not only perform the

SIL Assessment study but also to ensure that the recommendations raised in the

SIL Assessment report is satisfactorily closed out. The PEM shall be responsible to ensure that the adequate resources are available for timely completion of SIL study. In general almost all SIL actions belong to instrument group, therefore as a general practice PEM will nominate an instrument engineer to own the SIL close-out responses. The PEM nominee shall prepare & issue the SIL Close-out report.

Any change in process design / cause & effects needs to be reviewed subsequent to SIL Assessment for any requirement of Re-assessment through SIL Assessment Workshop and shall follow Management of Change (MOC) procedure.

1. 5. SIL Verification

During EPC phase of the project, SIL verification study will be performed. The outcome of the SIL assessment is followed by a SIL verification study, where the design of the safety instrumented system (SIS) is verified. The risk reduction performance of any given SIF depends on the equipment chosen and the redundancy levels. The safety performance evaluation is called SIL verification and requires reliability analysis of the equipment with a view towards a particular failure mode titled “failure to function on demand” or “fail danger.” A piece of equipment used to implement a SIF has a certain probability that it will not successfully protect a process if a dangerous condition (a demand) occurs.

This average “probability of failure on demand” (PFD) is calculated and compared with the PFD average table to obtain a “design SIL.” If the design SIL is not greater than or equal to the target SIL, better technology or more redundancy is required.

The first step in SIL verification is gathering failure rate data and failure mode data for the equipment selected. Thereafter, the designer calculates PFD sub avg using simplified equations, fault-tree analysis, or Markov analysis. There are two fundamental challenges faced during SIL verification:

• · Gathering the failure rate/mode data and
• · Building a PFD sub avg model.

Failure rate data is available in a generic sense from several industry databases, including AIChE and OREDA. Failure rate data is also available from some manufacturers, although it is often difficult to source.