www.safeplexsystems.com safeplex@safeplexsystems.com

Determining the required safety integrity level for your process


Lawrence V. Beckman, Mr., Dr. SafePlex Systems, Inc 2001

Copyright SafePlex Systems, Inc

ABSTRACT
A Safety Integrity Level (SIL) Analysis is the initial step in the Safety System Design Process. Where the HAZOP process normally discovers potential hazards and provides general recommendations, the SIL analysis is a specific analysis which defines the Safety Criteria and Mitigation of hazards which can lead to significant economic, safety and environmental consequences. There are three SILs utilized by ISA S84 and four by IEC 1508/1511 for Risk Classification, as defined in terms of Probability of Failure on Demand (PFD). This paper provides a methodology to evaluate and classify risk in terms of Consequences, and to determine the SIL for the process under consideration based on these Consequences and the Process Demand Rate. The methodology can be customized to comply with existing company standards, and should satisfy many of the critical OSHA 29 CFR 1910.119 requirements. In addition, the paper addresses the configuration of the Safety Instrumented System (SIS) and the impact of field devices on the system SIL, including the necessity of redundancy and testing of field devices to achieve and maintain SILs of 2 or higher.

KEYWORDS
Programmable Electronic Systems (PES), Safety Instrumented Systems (SIS), Safety Integrity Level (SIL)

INTRODUCTION
Recent developments have dramatically changed the industry's perception of Process Safety Systems. The first of these was the enacting of OSHA 1910.119 on February 24, 1992 (1). This regulation mandated that both the process and related safety systems be reviewed as part of the Comprehensive Process Hazard Analysis (PHA), to identify and evaluate hazards associated with the process, and to implement safety systems capable of mitigating these hazards. Compliance is not in question, as failure to comply with this regulation could result in both civil and criminal penalties being assessed against the company and the individuals involved. Per the provisions of the OSHA regulation, the design and implementation of the safety system must meet good engineering practice. At that time, no consensus process safety standard existed; as such, implementation was extremely subjective and difficult to audit. In 1996 the ISA S84.01 committee finalized and approved a standard addressing the implementation of Process Safety Systems. With this approval, good engineering practice had been defined; and while the S84.01 standard is performance based, it does clearly define safety performance criteria based on Safety Integrity Level (SIL) requirements. The standard was recently accepted by ANSI and is now referred to as ANSI/ISA S84.01-1996 (2). In addition, an international standard, IEC 1508/1511, is in the final stages of development. It likewise uses the SIL concept, but defines four performance levels for Safety Systems, adding an SIL4. In order to likewise clearly define the relevant components of the safety system, ISA S91.01 was finalized and approved in 1995 (3). This standard addressed the classification of safety critical instrumentation as differentiated from instrumentation used for control. This clarification was necessary because all components of the safety system (sensors, final elements, etc.) must be inspected and tested on a periodic basis to maintain system integrity, and these tests must be fully documented. Given the above, the task at hand now becomes how to utilize the results of the PHA to evaluate the risk associated with the potential hazard and, given an allowable level of risk, implement protective measures to reduce the actual risk so that it falls below the allowable level. Stated in other terms, the task is to determine the required safety margin and SIL for the process under consideration. While this methodology is still somewhat subjective as regards other independent protection layers (measures), it is consistent and should be deemed to be in compliance with the S84.01 standard as regards Safety Instrumented Systems (SIS). Refer to Figure 1 for further clarification.

FIGURE 1 - Risk Mitigation Model
[Figure: a RISK axis running from "Potential Hazardous Consequence" downward through four levels: Risk with no protective measures, Risk with other protective measures, Allowable Risk, and Risk with SIS in operation. The span from "no protective measures" to "Allowable Risk" is the Necessary Minimum Risk Reduction; the span down to "SIS in operation" is the Actual Risk Reduction; the difference between the two is the Safety Margin.]

The Safety Instrumented System (SIS)

The SIS is an independent protection layer installed for the purpose of mitigating the risk associated with the operation of a hazardous process. The SIS is composed of the logic solver and related field devices. If the logic solver is programmable (as opposed to hardwired, etc.), it is referred to as a Programmable Electronic System (PES). This designation was intended to differentiate the PES from a standard PLC, which lacks comprehensive internal diagnostics and as such is a low integrity device not intended for safety related application. This is the case because of a high probability of sustaining a dangerous undetected failure which would render it unable to perform its intended safety functions. Of course, steps can be taken to implement PLC diagnostics by user enhancement as part of the application program itself; but this is undesirable as it is both subjective and unnecessarily complex to implement and maintain. The safety performance of the SIS is defined in terms of its SIL, which is in turn defined by its Probability of Failure on Demand (PFD). As such,

PFD = f(λDU, TP)

where λDU = Dangerous undetected failure rate and TP = Proof Test Interval.

The specific functionality (f) is an attribute of the system architecture selected for the SIS (PES and field devices). The Proof Test Interval is that period of time over which the SIS must operate within the PFD limits of the specified SIL. It could be likened to a mission time, and should be as long as possible to reduce the possibility of human error associated with frequent proof testing of the SIS. The Dangerous Undetected Failure Rate is determined by the Coverage Factor of the various components (for normal mode failures); a failure on demand could result from either normal or common mode failure, as both can initiate a fail-to-function situation. Comprehensive internal diagnostics dramatically improve the Coverage Factor, thereby reducing the possibility of a dangerous undetected failure and consequently minimizing the PFD. Coverage factors are typically highest in the PES and lowest in the final elements. The three SILs (1, 2 and 3) defined in the S84.01 standard each specify an average PFD range. This average value is computed over the proof test interval. To satisfy the requirements of a given SIL, the PFDavg should not be less than the lower limit at any time during the Proof Test Interval. To achieve this level of performance, the SIS must be manually tested frequently, or have comprehensive internal diagnostics. Given this guideline, the SIL performance criteria of the SIS are now defined in quantitative terms, and can be used to select the required architecture of the SIS, including the field devices. The required diagnostics can be implemented in a proactive manner by functional testing, or in a reactive manner by comparison. Other less proven techniques are understandably suspect. All Triple Modular Redundant (TMR) architectures utilize the comparison approach, via 2oo3 voting. Functional testing diagnostics have several notable advantages in that they are reliable, deterministic, and provide an option to resolve the discrepancy prior to use in the application logic.

SIL Determination
Arriving at the SIL for the process itself is yet another matter, as a quantitative result is difficult to achieve. In lieu of a purely numeric approach, a classification methodology based on Event Severity and Process Demand Rate is a viable alternative. The S84.01 standard offers a classification technique as well, but it is not process oriented and as such is somewhat abstract. The following methodology comprehends most process hazard scenarios, and defines them in terms of Event Severity. Only the Injury category is addressed by the safety standards. The other categories, while not directly related to safety, have definite safety implications and must be considered as well. Refer to Figure 2 for details (4).

Severity  | INJURY                  | ECONOMIC (1)                 | ENVIRONMENTAL                                 | NUISANCE TRIP (2)
EXTENSIVE | Lost time injuries      | More than $###,000           | Release of toxic contaminants on- or off-site | Significant restart hazards and economics
SERIOUS   | Local medical treatment | Between $##,000 and $###,000 | Release of non-toxic contaminants off-site    | Intermediate restart hazards and economics
MINOR     | No injuries             | Less than $##,000            | On-site non-toxic release                     | Minor restart hazards and economics

(1) Property damage and lost production (process down time). (2) Lost production (process down time).
FIGURE 2 - Event Severity Classification (Typical)

Note that in the case of Economic Events, the threshold values have not been defined. These values are highly subjective and should be based on corporate experience. The next step is to determine the Process Demand Rate, which is a measure of the stability of the process. A highly exothermic process will typically have a high demand rate, while an endothermic process will be significantly lower. The best source of information in this case might be the process operator, as he is quite familiar with the operating characteristics of the process. In any case, a realistic value is available and can be used with Figure 3 to determine the frequency.

DEMAND FREQUENCY
HIGH     | 2 or more demands per year
MODERATE | 0.5 to 2 demands per year
LOW      | Less than 0.5 demands per year
FIGURE 3 - Process Demand Rate

Given the prior results for Event Severity and Process Demand Rate, a SIL can be determined for the process under consideration, using Figure 4, the SIL Determination Matrix. Please note that the effectiveness of other independent protection layers can be comprehended as a reduction in the Process Demand Rate. The recommendation of the Center for Chemical Process Safety (CCPS) of the AIChE (5) is that the Distributed Control System (DCS) not be considered as an independent protection layer, due to its accessibility.

SAFETY INTEGRITY LEVEL (rows: DEMAND RATE; columns: SEVERITY)

DEMAND RATE | Extensive | Serious | Minor
Low         | 3         | 2       | 1
Moderate    | 3         | 2       | 2
High        | 3         | 3       | 2

Note: Other mitigation layers can be comprehended as a reduction in Demand Rate.
FIGURE 4 - Safety Integrity Level (SIL) Determination

Having arrived at a SIL for the process, it is now essential to utilize the S84.01 Standard (Table 3.1, Pg. 21) to define the SIS performance requirements necessary to meet or exceed the required safety margin. As previously discussed, this must necessarily comprehend both the logic solver (PES) and associated field devices.

Configuration of the SIS


The SIS must be designed and configured to achieve the required SIL for the process. As such, the PFD for the SIS must fall in the range as specified for the required SIL. Failure to do so would require that the SIS be re-designed. The PFD value for the SIS is obtained by combining the PFDs for all components of the system. Each component PFD must be determined based on its level of redundancy, dangerous failure rate, etc. The overall equation is provided in Figure 5.

SENSOR(S) -> PES -> FINAL ELEMENT(S)

PFDSIS = PFDS + PFDPES + PFDFE

FIGURE 5 - Configuration of the SIS

Note that all components are in series and that the weak link prevails in all cases. As such, if the sensor(s) are SIL2 and the PES is SIL3, but the final element(s) are SIL1, then the overall PFD of the SIS is SIL1. A simple example for this case is as follows:

PFDSIS = PFDS   + PFDPES + PFDFE
       = 0.005  + 0.0005 + 0.05
         (SIL2)   (SIL3)   (SIL1)
       = 0.0555 (SIL1)
It should also be observed that the use of a high integrity PES (SIL3) does not improve the overall PFD of the SIS. The SIS in the above example is suitable for SIL1 applications only, as the final element(s) and not the PES determine the SIL of the SIS. It is very important to comprehend that typically 85% of the PFD value for the SIS is allocated to the field devices (given a high integrity PES). As such, it is necessary to implement redundancy in the field devices to improve both safety integrity and availability. Various redundant architectures are available, and can be characterized as shown in Figure 6 for dual, triple and quad configurations.
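The procedure in Figures 3, 4 and 5 (demand rate class, SIL matrix, series PFD sum and weak-link rule) carried through in code, as an added example that is not part of the original paper. The PFDavg bands for SIL1 to SIL3 are taken from ANSI/ISA S84.01-1996 Table 3.1 (which the paper cites but does not reproduce); the single-channel approximation PFDavg = λDU × TP / 2 is a common simplification used here as an assumption, not a formula given in the paper.

```python
"""Added worked example (not the paper's own code): required SIL from the
severity / demand-rate matrix, achieved SIL from the series PFD sum."""

# Figure 4: outer key = demand rate, inner key = event severity -> SIL.
SIL_MATRIX = {
    "low":      {"extensive": 3, "serious": 2, "minor": 1},
    "moderate": {"extensive": 3, "serious": 2, "minor": 2},
    "high":     {"extensive": 3, "serious": 3, "minor": 2},
}

# PFDavg bands from ANSI/ISA S84.01-1996 Table 3.1: (SIL, low, high).
SIL_BANDS = ((3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def demand_category(demands_per_year):
    """Figure 3: classify the process demand rate."""
    if demands_per_year >= 2.0:
        return "high"
    if demands_per_year >= 0.5:
        return "moderate"
    return "low"


def required_sil(severity, demands_per_year):
    """Figure 4 lookup; severity is 'extensive', 'serious' or 'minor'."""
    return SIL_MATRIX[demand_category(demands_per_year)][severity.lower()]


def sil_from_pfd(pfd):
    """Achieved SIL for a PFDavg. 0 = worse than SIL1; anything better
    than the SIL3 band is reported as 3 (S84.01 defines no SIL4)."""
    if pfd >= 1e-1:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 3


def sis_pfd(pfd_sensors, pfd_pes, pfd_final_elements):
    """Figure 5: the three subsystems are in series, so their PFDs add."""
    return pfd_sensors + pfd_pes + pfd_final_elements


def pfd_avg_1oo1(lambda_du_per_hr, proof_test_interval_hr):
    """ASSUMED simplified single-channel approximation: lambda_DU * TP / 2."""
    return lambda_du_per_hr * proof_test_interval_hr / 2.0


def check_design(severity, demands_per_year, pfd_s, pfd_pes, pfd_fe):
    """Compare the SIL the process needs against the SIL the SIS achieves.
    weak_link_sil is the lowest component SIL: the series sum can never
    beat it, which is the point of the paper's 0.0555 example."""
    required = required_sil(severity, demands_per_year)
    total = sis_pfd(pfd_s, pfd_pes, pfd_fe)
    achieved = sil_from_pfd(total)
    weak_link = min(sil_from_pfd(pfd_s), sil_from_pfd(pfd_pes), sil_from_pfd(pfd_fe))
    return {
        "required": required,
        "pfd": total,
        "achieved": achieved,
        "weak_link_sil": weak_link,
        "meets_requirement": achieved >= required,
    }


if __name__ == "__main__":
    # The paper's example: SIL2 sensors, SIL3 PES, SIL1 final elements,
    # for a "serious" event with one demand per year (moderate demand rate).
    print(check_design("serious", 1.0, 0.005, 0.0005, 0.05))
```

Running the paper's numbers through check_design gives a required SIL of 2 but an achieved SIL of 1, with the final elements as the weak link, so the design would have to be revisited (most usefully by adding redundancy on the field-device side, as the following sections argue).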

[Block diagram: Sensor(s) -> PES -> Final Element(s)]

Configuration              | 1oo1 | 1oo2 | 1oo3 | 2oo2  | 2oo3  | 2oo4
Operating Mode             | 1-0  | 2-0  | 3-0  | 2-1-0 | 3-2-0 | 4-2-0
Channels Needed to Operate | 1    | 2    | 3    | 1     | 2     | 2
Channels Needed to Trip    | 1    | 1    | 1    | 2     | 2     | 2

FIGURE 6 - Redundant Architectures

Figure 7 provides some insight into the relative performance of the different architectures as regards both Safety (PFD) and Availability (False Trip Rate). Note that the 2oo4 (Quad) architecture has the best overall performance, and in both situations is superior to the 2oo3 (TMR) architecture by a factor of three.

FIGURE 7 - PFD/False Trip Rate Scales
[Figure: two relative scales with 2x and 3x steps marked.
Probability of Failure on Demand (PFD) Scale - Safety, from High PFD to Low PFD: 2oo2, 1oo1, 2oo3, 1oo2/2oo4, 1oo3.
False Trip Rate Scale - Availability, from High false trip rate to Low: 1oo3, 1oo2, 1oo1, 2oo3, 2oo2/2oo4.]

Impact of Field Devices


As stated earlier, field devices in most cases determine the SIL of the SIS. The exception would be the case where the logic solver itself was a low integrity device, and was employed in a SIS configuration with redundant field devices. As such, if simplex field devices (single sensor and single final element) are utilized in the configuration of the SIS, implementing redundancy in the logic solver (PES) has little effect on the Safety Integrity or Availability. While this may be somewhat obvious with regard to safety, it is indeed the case for availability as well. A simple example calculation is provided in Figure 8, where the failure rate of the field devices is as follows:

λS = 12 x 10^-6 /hr, and λFE = 70 x 10^-6 /hr.

Various PES configurations with simplex field devices (single sensor and single final element), where S = Simplex, D = Dual, and T = Triple:

CPU                | S     | S     | S     | D     | D     | T
I                  | S     | D     | D     | S     | D     | T
O                  | S     | S     | D     | S     | D     | T
λsys (10^-6 /hr)   | 93.7  | 92.0  | 87.9  | 88.3  | 82.5  | 82.5
MTBF (yrs)         | 1.218 | 1.24  | 1.30  | 1.29  | 1.38  | 1.38

Time improvement (simplex to TMR): 2 months
FIGURE 8 - SIS Availability

An overall improvement of two (2) months is achieved by going from a single channel logic solver to a TMR architecture. This marginal improvement hardly justifies the significant additional cost incurred for implementing PES redundancy.
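The availability arithmetic behind Figure 8, as an added example that is not from the paper: the subsystem failure rates add in series (λsys = λS + λPES + λFE), and MTBF = 1/λsys. The field-device rates are the paper's; the per-configuration PES rates are assumed values, back-solved by subtracting λS + λFE from the paper's λsys column, since the paper does not list them separately.

```python
"""Added example (not the paper's own code): series failure-rate sum and
MTBF for the PES configurations of Figure 8 with simplex field devices."""

HOURS_PER_YEAR = 8760.0

# Field-device dangerous failure rates from the paper, in failures per hour.
LAMBDA_S = 12e-6    # single sensor
LAMBDA_FE = 70e-6   # single final element

# ASSUMED PES (CPU/I/O) failure rates, back-solved from the paper's
# lambda_sys column as lambda_sys - (LAMBDA_S + LAMBDA_FE). Keys are
# CPU/Input/Output redundancy: S = simplex, D = dual, T = triple.
PES_CONFIGS = {
    "S/S/S": 11.7e-6,
    "S/D/S": 10.0e-6,
    "S/D/D": 5.9e-6,
    "D/S/S": 6.3e-6,
    "D/D/D": 0.5e-6,
    "T/T/T": 0.5e-6,
}


def lambda_sys(lambda_pes, lambda_s=LAMBDA_S, lambda_fe=LAMBDA_FE):
    """Series system: any subsystem failure is a system failure, so rates add."""
    return lambda_s + lambda_pes + lambda_fe


def mtbf_years(lambda_per_hr):
    """Mean time between failures for a constant failure rate, in years."""
    return 1.0 / lambda_per_hr / HOURS_PER_YEAR


def availability_table():
    """MTBF in years for every PES configuration, with simplex field devices."""
    return {name: mtbf_years(lambda_sys(lp)) for name, lp in PES_CONFIGS.items()}


def improvement_months(from_cfg, to_cfg):
    """MTBF gained by moving between two PES configurations, in months."""
    table = availability_table()
    return (table[to_cfg] - table[from_cfg]) * 12.0


def field_device_share(lambda_pes):
    """Fraction of the system failure rate contributed by the field devices."""
    return (LAMBDA_S + LAMBDA_FE) / lambda_sys(lambda_pes)


if __name__ == "__main__":
    for name, mtbf in availability_table().items():
        print(f"{name}: lambda_sys = {lambda_sys(PES_CONFIGS[name]) * 1e6:.1f}e-6 /hr, "
              f"MTBF = {mtbf:.3f} yr")
    print(f"simplex -> TMR gain: {improvement_months('S/S/S', 'T/T/T'):.2f} months")
```

With the paper's field-device rates, even a simplex PES leaves the field devices responsible for roughly 88% of the system failure rate, and the full simplex-to-TMR upgrade of the logic solver moves MTBF from about 1.22 to about 1.38 years, the two-month gain the paper describes.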

Conclusions
Compliance with the existing OSHA Process Safety Management (PSM) regulation is mandatory. An overview of the methodology for compliance is as follows:

- Conduct Process Hazard Analysis (PHA)
- Identify Process Risk
- Comprehend other Risk Mitigation Measures (if any)
- Determine Safety Integrity Level required for the SIS
- Configure SIS to meet or exceed the required SIL
- Document your work for audit purposes

In addition, as regards the SIS, one should also consider the following:

- ANSI/ISA S84.01 mandates that the SIL (PFD) of the SIS be maintained over the entire Proof Test Interval
- Utilize redundancy to improve the SIL of the SIS, in particular the field devices for SIL 2 or greater
- Manual/Automatic testing must be performed on field devices without comprehensive internal diagnostics, in particular valves
- Avoid unnecessary redundancy in the PES, and focus on Field Devices to improve both Safety Integrity and Availability of the SIS

References
1) U.S. Department of Labor, Occupational Safety and Health Administration (OSHA), Federal Regulation 29 CFR 1910.119, Process Safety Management of Highly Hazardous Chemicals, Explosives, and Blasting Agents; Final Rule, February 24, 1992.
2) ANSI/ISA-S84.01-1996, Application of Safety Instrumented Systems for the Process Industries, Instrument Society of America S84.01 Standard, Research Triangle Park, NC, 27709, February 1996.
3) ISA-S91.01-1995, Identification of Emergency Shutdown Systems and Controls That Are Critical to Maintaining Safety in Process Industries, Instrument Society of America S91.01 Standard, Research Triangle Park, NC, 27709, May 1995.
4) Donald J. Leonard, Consultant, personal communication.
5) Guidelines for Safe Automation of Chemical Processes, Center for Chemical Process Safety, American Institute of Chemical Engineers, New York, NY 10017, 1993.

This document has been prepared by: Lawrence V. Beckman, Mr., Dr. For more information see full contact details in the Safety Users Group Directory.

www.safetyusersgroup.com
