Different SIL Selection Techniques Can Yield Different Answers


  • 7/29/2019 Different SIL Selection Techniques Can Yield Different Answers

    1/5

Different SIL (Safety Integrity Level) Selection Techniques Can Yield Significantly Different Answers

By Paul Gruhn, PE, CFSE
President
L&M Engineering
Houston, TX
[email protected]

    KEYWORDS

    Safety Instrumented Systems (SIS), Safety Instrumented Function (SIF), Safety Integrity Level (SIL)

    ABSTRACT

Safety Instrumented System standards (e.g., ANSI/ISA 84, IEC 61508 & 61511) cover a variety of techniques for determining safety integrity levels (i.e., the performance required of safety instrumented functions). The 3-dimensional Risk Matrix (associated with North America) and the Risk Graph (associated with Europe) are two qualitative methods. LOPA (Layer of Protection Analysis) is considered a semi-quantitative technique.

Experience has shown that the different techniques can yield significantly different answers. The qualitative techniques can result in overly pessimistic answers (e.g., falsely high integrity level requirements). This is usually due to the difficulty of calibrating these techniques to corporate risk criteria. More quantitative techniques (which can be more easily calibrated to corporate risk criteria) can yield significantly lower requirements.

Spending a bit more time in the up-front system requirements analysis using more quantitative techniques can result in a) more realistic (and possibly lower) system performance requirements, and b) significantly lower costs associated with the design, installation and maintenance of the system.

    CASE STUDY

A valve in a pipeline application was recently modified (for fire considerations) from a motor operated valve to a pneumatically controlled, solenoid operated, spring loaded, fail-safe (closed) valve. If this valve were to spuriously close (an unlikely scenario with a motor operated valve, but likely with a solenoid operated valve), it would create an overpressure in a portion of the pipeline resulting in a possible pipeline rupture, vapor cloud, with a potential for an explosion and fatalities. A safety system was proposed consisting of a sensor, logic box, and valve that would shut in a portion of the pipeline in order to prevent the overpressure condition.

Copyright 2004 by ISA The Instrumentation, Systems and Automation Society. Presented at ISA AUTOMATION WEST; www.isa.org

As an exercise, it was decided to use the 3-dimensional Risk Matrix, the Risk Graph, and LOPA in order to determine what differences, if any, there might be in the integrity level recommendations.

    3-DIMENSIONAL RISK MATRIX

The 3-dimensional risk matrix is described in a number of documents (1, 2, 3). See Figure 1. The probability of the valve failing closed would be rated at high. (A failure can reasonably be expected to occur within the expected lifetime of the plant.) The severity would be rated as either medium (possible fatality), or high (major financial loss). There are no additional safety layers to account for on the z axis. Therefore, this technique indicates SIL 3 is required (as shown by the dotted rectangular area in Figure 1).

    FIGURE 1: 3-DIMENSIONAL RISK MATRIX

    RISK GRAPH

Reference 2 describes the Risk Graph, which was developed by at least two European countries. See Figure 2.

[Figure 1 (3-dimensional risk matrix): cell values lost in extraction; only the axis labels survived: Severity; Probability; Quantity and/or effectiveness of additional layers.]


    FIGURE 2: RISK GRAPH

While the wording used in the reference and the right column in Figure 2 is intentionally vague, the company involved did have a corporate document that defined the boundaries more clearly. The exact wording will not be replicated here for the sake of confidentiality.

Cc: Number of fatalities between 0.03 and 0.3 (personnel not always present and not always at risk of being killed due to a fire)
Fb: Frequent to permanent exposure (occupancy more than 0.5)
Pb: Almost impossible to avoid
W2: Medium demand (between 1/5 and 1/50 years)

Therefore, this technique results in a SIL 3 requirement (as shown by the dashed line in Figure 2). Similar cases were run for environmental and commercial impact, which also resulted in SIL 3 requirements.

[Figure 2 (risk graph) legend, displaced here by extraction; the branch structure of the graph itself (rows Ca to Cd, branches Fa/Fb and Pa/Pb, columns W3/W2/W1, outputs a, 1 to 4, b) did not survive:
Consequence: Ca = Minor Injury; Cb = Serious Injury, Single Death; Cc = Several Deaths; Cd = Many Deaths
Frequency & Exposure: Fa = Rare to Frequent; Fb = Frequent to Continuous
Possibility of Avoidance: Pa = Sometimes Possible; Pb = Almost Impossible
Probability of Occurrence: W1 = Very Slight; W2 = Slight; W3 = Relatively High
Safety Integrity Levels: a = No special safety requirements; b = Single SIS not sufficient]

LOPA (LAYER OF PROTECTION ANALYSIS)

Layer of Protection Analysis involves identifying hazardous events, determining initiating event frequencies, establishing tolerable levels of risk, and analyzing each independent safety layer to see whether the tolerable level of risk can be reached. If the tolerable level of risk cannot be achieved, either additional safety layers must be added, or existing layers must be strengthened.

The end user involved had a corporate risk document. The desire is to establish a system design to lower the overall risk to a level As Low As Reasonably Practical (ALARP). For this case it meant lowering the event probability, based on the consequences of this particular hazardous event, to less than 1/10,000 year.

OPTION 1:

The initiating event frequency (i.e., solenoid valve spuriously failing closed) was estimated at 1/50 year. This frequency would need to be lowered by a factor of at least 200 in order to lower the hazardous event probability to < 1/10,000. This would require a system with a Risk Reduction Factor of at least 200 (in the SIL 2 range, between 100 and 1,000).

OPTION 2:

In order to lower the performance requirement for the safety system, the original valve in question could be modified with a second solenoid valve configured in a 2oo2 (two-out-of-two) voting arrangement, meaning both solenoids would have to de-energize in order for the valve to close. There is a commercially available solution of this type. This would essentially lower the safe failure rate of the valve (i.e., the valve closing spuriously) by one order of magnitude to 1/500 year. This assumes a realistic common cause factor of 10% between identical solenoids. The proposed safety system would now only need to lower the initiating event frequency by a factor of at least 20 (SIL 1 range, between 10 and 100).

Note that accounting for the redundant solenoid arrangement would have lowered the SIL requirement by one level using the other techniques (risk matrix and risk graph) as well, down from SIL 3 to SIL 2.
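The two LOPA options above, worked through in code as an added example (not from the paper): the required risk reduction factor from the initiating and tolerable frequencies, the SIL band it falls in, and the effect of the 2oo2 solenoid pair. The beta-factor approximation for the 2oo2 spurious closure rate and the SIL 3/4 bands are my assumptions; the paper states only the 10% common-cause figure and the SIL 1 and SIL 2 ranges.

```python
from fractions import Fraction

# Risk Reduction Factor bands per SIL. SIL 1 (10-100) and SIL 2 (100-1,000)
# are as stated in the paper; SIL 3 and SIL 4 follow the same decade
# structure from IEC 61508/61511 (my addition, not from the paper).
SIL_BANDS = ((1, 10, 100), (2, 100, 1_000), (3, 1_000, 10_000), (4, 10_000, 100_000))


def required_rrf(initiating_freq, tolerable_freq):
    """Risk Reduction Factor the SIF must provide so that the hazardous
    event frequency (initiating frequency / RRF) does not exceed the
    tolerable frequency. Inputs are events per year (Fraction or "1/50")."""
    return Fraction(initiating_freq) / Fraction(tolerable_freq)


def sil_for_rrf(rrf):
    """Map an RRF to the SIL band that provides it. Returns 0 when no SIS
    is required (RRF < 10, the risk graph's 'a') and raises when a single
    SIF is not sufficient (RRF >= 100,000, the risk graph's 'b')."""
    if rrf < 10:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= rrf < high:
            return sil
    raise ValueError(f"RRF {float(rrf):g} exceeds what a single SIF can provide")


def two_out_of_two_spurious_rate(single_rate, beta):
    """Spurious (safe-side) closure rate of two solenoids voted 2oo2.
    Beta-factor model (my simplification): the common-cause fraction beta
    of single-solenoid failures takes out both solenoids at once; the much
    smaller independent term (both failing on their own within one repair
    interval) is neglected. With beta = 10%, 1/50 yr becomes 1/500 yr."""
    return Fraction(beta) * Fraction(single_rate)


def lopa_case(initiating_freq, tolerable_freq, beta=None):
    """The paper's LOPA for the pipeline valve: Option 1 when beta is None,
    Option 2 when the initiating event is reduced by a 2oo2 solenoid pair."""
    if beta is not None:
        initiating_freq = two_out_of_two_spurious_rate(initiating_freq, beta)
    rrf = required_rrf(initiating_freq, tolerable_freq)
    return {"initiating_per_year": Fraction(initiating_freq), "rrf": rrf, "sil": sil_for_rrf(rrf)}


if __name__ == "__main__":
    tolerable = "1/10000"  # corporate criterion: event frequency below 1/10,000 per year
    for name, beta in (("Option 1 (single solenoid)", None), ("Option 2 (2oo2 solenoids)", "1/10")):
        r = lopa_case("1/50", tolerable, beta)
        print(f"{name}: initiating 1/{1 / r['initiating_per_year']} yr, RRF {r['rrf']}, SIL {r['sil']}")
```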

    CONCLUSION

It should not come as a surprise that different SIL selection techniques produce different answers. The techniques are all relatively recent and many are qualitative. The qualitative techniques (risk matrix and risk graph) do not have obvious connections to industry-wide or corporate tolerable risk levels. Determining corporate tolerable risk levels can be very problematic in itself. (What do you mean it's tolerable to kill four people every 100 million man-hours?!)

An unscientific poll at a recent industry conference (5) indicated major end users in the oil & gas and chemical industries have a preference for LOPA. This is understandable when an organization has been involved with any of the techniques for any length of time. The qualitative techniques tend to come up with higher (i.e., more conservative or pessimistic) requirements. Simpler techniques may make the analysis easier, but the difference in total costs for a single safety instrumented function can increase by tens of thousands of dollars when increasing the SIL just one level. Spending a few more minutes in the up-front analysis can potentially save tens, if not hundreds, of thousands of dollars in the long run.


REFERENCES:

1. Guidelines for Safe Automation of Chemical Processes, American Institute of Chemical Engineers, Center for Chemical Process Safety, ISBN 0-8169-0554-1, 1993
2. Application of Safety Instrumented Systems for the Process Industries, International Society for Measurement and Control, ANSI/ISA S84.01, 1996
3. Functional safety - Safety instrumented systems for the process industry sector, International Electrotechnical Commission, standard 61511, 2003
4. Layer of Protection Analysis, AIChE CCPS, ISBN 0-8169-0811-7, 2001
5. Panelist statements made at the 59th Instrumentation Symposium for the Process Industries, held at Texas A&M University, Jan 20-22, 2004
