© ABB Eutech Process Solutions

Page 1

Methods for SIL Determination

Alan G King
ABB Eutech Process Solutions

Page 2

Outline of Presentation

SIL Determination
    What is SIL Determination?
    Safety Integrity Levels
    Safety Lifecycle
    Risk Targets
Overview of Methods
Problems & Suitability
Summary

Page 3

What is SIL Determination?

Applies to Safety Instrumented Functions on a plant or proposed plant.

It is the assignment of a Safety Integrity Level (SIL) to the Safety Instrumented Function, based on the risk reduction necessary to achieve the required risk target.

Page 4

Safety Function

A Safety Function is a means of managing risk in relation to a specific hazardous event.

Definition: a function to be implemented by a
    Safety Instrumented System (SIS),
    other technology safety related system, or
    external risk reduction facilities,
which is intended to achieve or maintain a safe state for the process, with respect to a specific hazardous event.

IEC 61511-1 Clause 3.2.68

Page 5

Safety Function

[Diagram: Initiating Event(s) -> Safety Function -> Specific Hazardous Event]

A safety function relates to a specific hazardous event.

A safety function achieves or maintains a safe state for the process.

Page 6

Safety Instrumented Function (SIF)

[Diagram: Sensor(s) -> Logic Solver -> Final Element(s)]

A Safety Instrumented Function is the complete end-to-end arrangement: sensor(s), logic solver and final element(s).

Page 7

Safety Integrity Levels

SIL    PFDavg (Average Probability of Failure on Demand)
1      0.1 - 0.01
2      0.01 - 0.001
3      0.001 - 0.0001
4      0.0001 - 0.00001

Note (1): This definition of SIL is for demand mode of operation.
Note (2): Applies to the whole safety function, not to individual parts.

IEC 61511-1, Clause 9.2.3 - Table 3

Page 8

Lifecycle Approach

IEC 61511-1: Fig 8 - Safety Life-Cycle phases

1   Hazard and Risk Assessment (Clause 8)
2   Allocation of safety functions to protection layers (Clause 9)
3   Safety Requirements Specification for the safety instrumented system
4   Design & Engineering of Safety Instrumented System
5   Installation, Commissioning and Validation
6   Operation and Maintenance
7   Modification
8   Decommissioning
9   Verification
10  Management of functional safety and functional safety assessment and auditing
11  Safety Life-Cycle structure and planning

Design & Development of other means of risk reduction (- - - -): no detailed requirements given in IEC 61511.

Page 9

Risk Targets

Safety
Environment
Business Risk (Asset Loss / Product / Production Loss)

IEC 61511 applies to protection of people and the environment.

Company/site risk targets are required for each type of risk.

Page 10

Overview of Methods

Page 11

Methods for SIL Determination

Safety Layer Matrix (IEC 61511-3 Annex C)
Risk Graphs (IEC 61511-3 Annex D)
Layer of Protection Analysis (LOPA) (IEC 61511-3 Annex F)
Fault Tree Analysis (IEC 61511-3 Annex B)

Page 12

Common Themes of Methods

Hazard identification.
Focus on a specific hazardous event.
Identify initiating causes and their frequencies.
Identify protective measures (other than the safety instrumented function to be assessed).
Assess the level of risk and the contribution to risk reduction required (if any) from a Safety Instrumented Function to meet the required risk target(s), in terms of PFDavg and/or Safety Integrity Level.
Consider whether risk is reduced to ALARP.

Page 13

Safety Layer Matrix

Page 14

Protection Layers

[Diagram, IEC 61511-3: Figure C1 - Protection Layers, from the process outwards:]
PROCESS
Basic Process Control System
Alarms & Operators
SAFETY INSTRUMENTED SYSTEMS
Relief Devices
Physical Protection
EMERGENCY RESPONSE

Page 15

Safety Layer Matrix - Two Parameters

Severity Categories
    Minor (e.g. temporary injury to personnel or damage to the environment)
    Serious (e.g. serious injury to personnel or the environment)
    Extensive (e.g. catastrophic consequence to personnel or the environment)

Likelihood (Frequency)
    Low (e.g. unlikely in life of plant) (x1)
    Medium (e.g. probable once in life of plant) (x10)
    High (e.g. several times in life of plant) (x100)

Page 16

Example Safety Layer Matrix

Safety Integrity Level Required

Hazardous Event        Hazardous Event Likelihood (Frequency)
Severity Rating        Low            Medium    High
Minor                  Unclassified   1         2
Serious                1              2         3
Extensive              2              3         3+

Based on IEC 61511-3: Figure C2

Note: Other protection layers having a risk reduction of at least 10 reduce the SIL by 1.

Page 17

Safety Layer Matrix Calibration

From IEC 61511-3:

“The safety target level has been embedded in the matrix. In other words, the matrix is based on the operating experience and risk criteria of the specific company, the design, operating and protection philosophy of the company, and the level of safety that the company has established as its safety target level.”

You therefore need to fill in the matrix according to the risk criteria for your company/site.

Page 18

Risk Graphs

Page 19

Risk Graphs - Four Parameters

Consequence (C): number of fatalities and/or serious injuries likely to result from the occurrence of the hazardous event.

Exposure (F): probability that the exposed area is occupied at the time of the hazardous event.

Avoidance (P): the probability that exposed persons are able to avoid the hazardous situation which exists if the safety instrumented function fails on demand.

Demand Rate (W): the number of times per year that the hazardous event would occur in the absence of the safety instrumented function under consideration.

Page 20

Example Risk Graph

[Diagram: risk graph with the parameters Consequence, Exposure, Avoidance and Demand Rate]

W2 is a range: X per year to X/10.

Page 21

Example Risk Graph

Generalised arrangement: in practical implementations the arrangement is specific to the applications to be covered by the risk graph.

Page 22

Risk Graph Calibration

What is calibration: “Calibration of the risk graph is the process of assigning numerical values to risk graph parameters.” (This includes the layout and the SIL numbers in the columns.)

“When considering the calibration of risk graphs, it is important to consider requirements relating to risk arising from both the owner's expectations and Regulatory Authority requirements.”

“It is important that this process of calibration is agreed at a senior level within the organisation taking responsibility for safety. The decisions taken determine the overall safety achieved.”

Page 23

Layer of Protection Analysis (LOPA)

Page 24

Layer of Protection Analysis (LOPA)

Page 25

LOPA Essentials

Initiating Cause:
    Failure of flow control loop, leading to high pressure
    F = 0.2 /yr

Demand Reduction Measures:
    Probability of failure of independent high pressure alarm or operator response to alarm
    P = 0.1

Other Technology Risk Reduction Measures:
    Probability of pressure relief valve failure on demand
    P = 0.01

Intermediate Event Frequency:
    Vessel loss of containment
    Frequency = 0.2 x 0.1 x 0.01 = 0.0002 /yr = 2 x 10^-4 /yr

Required Risk Reduction from SIF:
    Target Frequency = 1 x 10^-5 /yr
    PFDavg = Target / Intermediate Event Frequency = 1 x 10^-5 / 2 x 10^-4 = 0.05
    SIL 1

Mitigated Event Frequency:
    F = 0.2 x 0.1 x 0.01 x 0.05 = 1 x 10^-5 /yr
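The LOPA calculation above, combined with the SIL banding from Page 7, as an added worked example that is not part of the presentation: it derives the intermediate event frequency, the required SIF PFDavg and the SIL it falls in, and flags the case where the requirement is outside what a single SIF can provide. The function names and the use of 0 for "Unclassified" are this example's own conventions.

```python
# IEC 61511-1 Table 3 demand-mode bands as given on the SIL slide: SIL n covers
# 10^-(n+1) <= PFDavg < 10^-n. Stored as (lower, upper) bounds so that a value on
# a band edge (e.g. a required PFDavg of exactly 0.01) lands in SIL 1, not SIL 2.
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def sil_for_required_pfd(required_pfd):
    """Map a required PFDavg to the SIL whose band contains it. Returns 0 for
    'Unclassified' (required PFDavg >= 0.1, no SIL-rated SIF needed) and raises
    when the requirement is tighter than a single SIL 4 SIF can deliver."""
    if required_pfd >= 0.1:
        return 0
    for sil, (low, high) in SIL_BANDS.items():
        if low <= required_pfd < high:
            return sil
    raise ValueError("required PFDavg %g is below the SIL 4 band; one SIF cannot "
                     "provide this risk reduction, revisit the other layers" % required_pfd)


def lopa(initiating_freq_per_yr, other_layer_pfds, target_freq_per_yr):
    """LOPA as on the slide: intermediate event frequency = initiating cause
    frequency x PFD of every protection layer other than the SIF being assessed
    (the layers must be independent of each other and of the SIF); the SIF must
    then supply PFDavg <= target / intermediate frequency.
    Returns (intermediate_freq, required_pfd, sil, mitigated_freq)."""
    intermediate = initiating_freq_per_yr
    for pfd in other_layer_pfds:
        intermediate *= pfd
    if intermediate <= target_freq_per_yr:
        # The other layers already meet the target: no risk reduction needed from a SIF.
        return intermediate, None, 0, intermediate
    required_pfd = target_freq_per_yr / intermediate
    # Both numbers matter: "SIL 1" alone would permit a PFDavg of 0.1, but the
    # design must also meet the stated PFDavg (0.05 in the slide example).
    sil = sil_for_required_pfd(required_pfd)
    mitigated = intermediate * required_pfd  # equals the target by construction
    return intermediate, required_pfd, sil, mitigated


if __name__ == "__main__":
    # Slide figures: flow control loop failure 0.2/yr, alarm/operator response 0.1,
    # relief valve 0.01, target 1e-5/yr.
    inter, pfd, sil, mit = lopa(0.2, [0.1, 0.01], 1e-5)
    print("intermediate %.1e /yr, SIF PFDavg <= %.3f, SIL %d, mitigated %.1e /yr"
          % (inter, pfd, sil, mit))
```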

Page 26

Fault Tree Analysis

Page 27

Fault Tree Analysis (FTA)

[Diagram: fault tree for the Frequency of Overpressure Event. The frequencies of Init. Cause 1, Init. Cause 2 and Init. Cause 3 are combined through OR gates; AND gates then apply the probabilities "No operator response to alarm", "Safety Instrumented Function 1 (PFDavg)" and "Other technology safety function failed". Legend: Frequency / Probability.]

Page 28

Fault Tree Analysis - Common Cause

[Diagram: Sensor 1 and Sensor 2 in 1oo2 voting]

Overall Sensor PFDavg
    OR gate:
        Sensor Common Cause (PFDavg)
        AND gate: Sensor 1 (PFDavg), Sensor 2 (PFDavg)
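The 1oo2 sensor tree above, as an added example that is not part of the presentation: generic AND/OR gate arithmetic for independent inputs, then the slide's tree evaluated with and without the common cause branch. The beta-factor split (a fraction beta of each sensor's PFDavg treated as shared common cause) and the sensor figures are this example's own assumptions.

```python
def and_gate(*probs):
    """AND gate: all independent inputs fail, so the output is the product."""
    p = 1.0
    for x in probs:
        p *= x
    return p


def or_gate(*probs):
    """OR gate: any independent input fails, output = 1 - prod(1 - p).
    Exact for independent inputs; the plain sum is only an upper bound."""
    q = 1.0
    for x in probs:
        q *= 1.0 - x
    return 1.0 - q


def sensor_1oo2_pfd(pfd_sensor1, pfd_sensor2, pfd_common_cause):
    """Slide tree: overall sensor PFDavg = OR(common cause, AND(sensor 1, sensor 2))."""
    return or_gate(pfd_common_cause, and_gate(pfd_sensor1, pfd_sensor2))


def beta_factor_split(pfd_single_sensor, beta):
    """Assumed beta-factor model: a fraction beta of each sensor's PFDavg is
    the shared common-cause part, the rest is the independent part."""
    if not 0.0 <= beta < 1.0:
        raise ValueError("beta must be in [0, 1)")
    return (1.0 - beta) * pfd_single_sensor, beta * pfd_single_sensor


def compare_1oo2(pfd_single_sensor, beta):
    """Overall 1oo2 sensor PFDavg with the common-cause branch, and the
    optimistic figure obtained by treating the two sensors as fully
    independent (the dependency error the problem-areas slides warn about)."""
    independent, common_cause = beta_factor_split(pfd_single_sensor, beta)
    with_cc = sensor_1oo2_pfd(independent, independent, common_cause)
    without_cc = sensor_1oo2_pfd(pfd_single_sensor, pfd_single_sensor, 0.0)
    return with_cc, without_cc


if __name__ == "__main__":
    # Constructed figures: each sensor PFDavg 0.02, assumed beta of 5 %.
    with_cc, without_cc = compare_1oo2(0.02, 0.05)
    print("1oo2 sensors: PFDavg %.2e with common cause, %.2e ignoring it"
          % (with_cc, without_cc))
```

With these assumed figures the common cause branch moves the sensor subsystem from the SIL 3 band (4 x 10^-4) into the SIL 2 band (about 1.4 x 10^-3), which is the kind of dependency credit the comparison table marks LOPA and the simpler methods as unsuited to capture.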

Page 29

Problem Areas

Page 30

Particular Problem Areas

Calibration
Multiple Initiating Causes
Dependency
Humans
SIL and/or PFDavg

Page 31

Multiple Initiating Causes

[Diagram: Cause 1, Cause 2 and Cause 3 each lead to the Hazardous Event through different Safeguards A, B and C]

Page 32

Dependency

Dependency is when two or more layers of protection are not independent.

Multiple layers can fail “dangerous” because they either
    (a) share items of equipment, human contributions or services, or
    (b) have items that can be affected by a common failure (common cause or common mode failures).

“Taking into account ... common cause failure between safety layers, and between safety layers and BPCS” (61511-1 Clause 8.2.1)

Page 33

Humans

Causing demands on protective systems
    Missing out steps in a process
    Failing to do manual tasks (e.g. manual valves left open)
    etc.
Ignoring alarms or not responding in time
Creating problems with instrumented protective systems
    Leaving isolated, calibration errors, inadequate testing, defeating systems, maintenance errors
Failing to take mitigating action in time

Assessing the probability of the human error and its impact on the risk

Page 34

PFDavg and / or SIL

Some methods just give e.g. SIL 1 for the performance of a Safety Instrumented Function (SIF).
This implies that anywhere in the SIL 1 range will do; that is to say, a PFDavg of 0.1 would be sufficient.

Other methods (LOPA and FTA) provide a PFDavg, for example PFDavg = 0.05 maximum, and hence imply that the design must achieve the rigour for SIL 1 and the PFDavg stated.

Page 35

Comparison of Methods

Columns: Safety Layer Matrix | Risk Graphs | LOPA | Fault Tree Analysis

Initial Screening: NR
Detailed Analysis: NR | NR | R
Multiple Causes with Different Protection: NR | NR | -R | R
Potential Dependency: NR | NR | NR | R
Output (SIL or PFDavg): SIL | SIL | PFDavg | PFDavg
Need to include specific Human Factors aspects: NR | NR
Suitable for SIL: 1 | 1 | 1 or 2?? | All

NR = Not recommended; R = Recommended

Page 36

Summary

Check that target criteria are available and calibrate the “tool” to be used.
Appoint a suitable team to provide input for SIL Determination.
Carry out screening, using an appropriate method, to identify “Unclassified” and “SIL 1” (identifying any dependency).
Arrange more detailed consideration of SIL 2 and higher (using an appropriate method) or where dependency is an issue.
Consider whether the remaining risk is “ALARP”.

Page 38

Contact Details

Dr Alan G King
ABB Eutech Process Solutions
Pavilion 9, Belasis Hall Technology Park
PO Box 99, Billingham
Cleveland
TS23 4YS

Tel: +44 (0) 1642 372252
Fax: +44 (0) 1642 372111
E-mail: [email protected]

Page 39

Further information

“A Process Industry View of IEC 61508”
http://www.iee.org/OnComms/sector/computing//Download.cfm?ID=D5C9A65D-8376-4D5C-9D7F6A38199CC57B

“IEC61508 - Initial Phases of the Safety Lifecycle in the Process Industry”
http://www.sipi61508.com/ws-material/ciks/king1.pdf

“SIL Determination - Hints and Tips for Practitioners”
http://www.sipi61508.com/ws-material/ciks/king2.pdf

SIL Determination - Training Course (2 days)
Contact: [email protected]

Risk Practitioners: Hazard Assessment - Training Course (5 days)
Contact: [email protected]