excellence in dependable-automation
On-line Lesson
Welcome to the exida.com online lesson on Quantitative Safety Integrity Level Selection. In this lesson, we will present the concept of a Safety Integrity Level (SIL) as well as the quantitative approach in establishing SIL selection.
Prerequisite Lessons
It is recommended that the exida on-line lessons Introduction to Safety Instrumented Systems and The Safety Lifecycle be taken by anyone not well versed in these topics before proceeding with this lesson.
Companion Lessons
Process Hazards Analysis
ALARP and Tolerable Risk
Consequence Analysis Overview
Introduction to Likelihood Analysis
Layer of Protection Analysis (LOPA)
Qualitative SIL Selection
Copyright 2002, exida.com
Since Quantitative SIL Selection encompasses so many different aspects, it is recommended that the following lessons on specific components of the larger SIL selection process be used as companions to this lesson to provide a more complete understanding of the overall process: Process Hazards Analysis; ALARP and Tolerable Risk; Consequence Analysis Overview; Introduction to Likelihood Analysis; Layer of Protection Analysis; Qualitative SIL Selection.
The lesson starts with the safety lifecycle (SLC) context of SIL selection and a brief review of risk. The lesson continues with a brief description of the safety instrumented functions (SIFs) to which the SILs are to be assigned. Next the lesson addresses the consequence and likelihood components of risk in more detail as they relate to identifying the existing level of risk in a process or piece of equipment, including how to determine a hazard's consequence and how the likelihood of a hazard can be quantitatively determined. Then the lesson considers the combination of multiple outcomes based on the risk integrals approach. Finally, based on the difference between the existing risk and the tolerable risk level identified and approved by the organization in question, the risk reduction requirement for the specific SIF can be determined and the SIL assignment made.
[Figure: safety lifecycle flowchart, recovered from the slide text]
ANALYSIS phase (End User / Consultant): Process Information, Potential Hazards, Hazard Frequencies, Hazard Characteristics, leading to the Safety Requirements Specification: functional description of each Safety Instrumented Function, target SIL, mitigated hazards, process parameters, logic, bypass/maintenance requirements, response time, etc.
REALIZATION phase (Vendor / Contractor / End User): Select Technology, Select Architecture, Determine Test Philosophy, Reliability and Safety Evaluation; SILs Achieved? (if No, iterate); Detailed Design Documentation: loop diagrams, wiring diagrams, logic diagrams, panel layout, PLC programming, installation requirements, commissioning requirements, etc.
OPERATION phase: SIS installation, commissioning and pre-startup acceptance test; validation: pre-startup safety review; SIS startup, operation, maintenance, periodic functional tests; Modify or Decommission? (Modify returns to an earlier phase; Decommission exits the lifecycle)
This slide shows a more detailed drawing of the safety lifecycle. In the analysis phase, hazards are identified and risk reduction targets are established for each hazard. For some hazards, a safety instrumented function (SIF) is defined in order to reduce risk. In these cases, a Safety Integrity Level or SIL is selected for that SIF to achieve the required risk reduction.
The SIL selection process is essentially a systematic approach used to: establish the difference between the existing level of risk and that which can be tolerated; identify specific individual functions to address these risks; and assign the SIL to specify how robust these functions must be to actually achieve the required risk reduction. The quantitative method shown in this lesson will help determine a specific numerical target for the risk reduction. NOTE: The qualitative methods introduced in the exida.com on-line lesson Qualitative SIL Selection group numerical targets into more broad categories of risk reduction to achieve the same general purpose.
What Is Risk?
Risk is a measure of the likelihood and consequence of an adverse effect, i.e., how often can it happen and what will be the effects if it does?
Risk receptors:
Personnel
Environment
Equipment/Property Damage
Business Interruption
Business Liability
Company Image
Lost Market Share
The definition of risk includes components of likelihood and consequence, which both contribute to the risk for each hazard. Hazardous events often have consequences that cause harm in multiple areas to receptors such as personnel, environment, equipment, etc. These different hazardous events are identified and characterized as part of a Hazard and Risk Assessment process described in detail as part of the exida Process Hazards Analysis on-line lesson.
[Figure: tolerable risk values shown on the slide: 10^-3/yr (workers), 10^-4/yr (public)]
Since risk is present in all human activities, some level of risk must be tolerated in any system. The challenge is in determining what that level of risk is for a given organization. The general principle of tolerable risk put forward in the IEC standards is that some risks are completely intolerable and should not be undertaken, some risks are broadly acceptable and should not be worried about, and some risks fall in the middle. These middle-level risks should be reduced to a level As Low as Reasonably Practicable or ALARP. Specific values of these risk levels are often a point of debate. The values noted in this slide are from the UK Health and Safety Executive, the originators of the ALARP concept, and are provided for information purposes, not as recommendations for any particular situation.
[Figure: risk plotted with Likelihood on the vertical axis and Consequence on the horizontal axis, with an arrow marking increasing risk]
Risk reduction can be accomplished using different techniques, including methods to reduce both the consequences and likelihood of any harm. One specific method of risk reduction, primarily directed at the likelihood aspect, is through automatic protection systems called Safety Instrumented Systems. These systems carry out specific functions to bring the process or equipment to a safe state. The ability of these systems to carry out each of these functions when required is measured by the corresponding safety integrity level (SIL). Thus the SIL corresponds to the level of risk reduction required to change the existing unmitigated risk enough to achieve a level of risk that can be tolerated by the organization in question.
An individual Safety Instrumented Function (SIF) is designed to identify the need and then act to bring the system to a safe state for each hazard scenario. The effectiveness of the risk reduction is measured by the function's risk reduction factor (often expressed as a Safety Integrity Level). The required risk reduction is the difference between the process risk before a SIF and the tolerable level of risk to be achieved for that process or piece of equipment. It is important to note that a SIF is an individual function and a SIS can include multiple functions, so the SIL refers to each SIF rather than to the entire safety instrumented system.
The Safety Integrity Level is a measure defined in the IEC 61508 standard. The key measure of a system's integrity is how well it can be counted on to do what it is supposed to do when it is supposed to do it. For the Low Demand mode of operation common in the process industry, the average probability of failure on demand (PFDavg) is the variable that defines the SIL, as shown in the table on this slide. The risk reduction factor is the reciprocal of the PFDavg, and the SIL number itself represents the minimum number of orders of magnitude of risk reduction that the SIF will provide. For the High Demand mode common in machinery applications, SIL relates to the frequency of unsafe failures of the SIF per hour, since the systems used are required to act more frequently than they are tested and repaired.
Calculating Risk
In quantitative analysis, risk associated with a hazard can be calculated using the following formula:
Risk = Consequence * Likelihood
Example Hazard:
Consequence of harmful outcome is two fatalities
Likelihood of harmful outcome is once every ten years
In quantitative analysis, the risk associated with a hazard can be calculated by multiplying the consequence of a harmful outcome and the likelihood or frequency of it taking place. As an example, assume a hazard with an outcome consequence of two fatalities. Furthermore, assume that the likelihood of the hazard leading to the harmful outcome is once every ten years. The risk of the hazard, obtained by simple multiplication, is then 0.2 fatalities per year.
[Table: consequence units by risk receptor, partially recovered from the slide]
Environment: toxic releases; clean-up efforts, US $
Equipment/Property Damage: US $
Etc.
As shown before, there can be several potential risk receptors for a specific hazard. With a separation column rupture, for example, the rupture energy itself can cause fatalities and injuries to personnel; it might cause a toxic release with other injuries or fatalities; environmental clean-up efforts could be required after the rupture; and the loss of the column could lead to plant down time. Each of the aspects of the consequence is measured in its own units. Fatalities are measured in number of deaths; injuries may be measured in number of injuries scaled by severity; environmental impacts are quantified individually; and clean-up efforts, potential fines, damage to corporate image, and down time are measured financially.
Tolerable risk is a sensitive topic
It is difficult to convert between personnel, environmental, and cost receptors
Organizations often set specific levels of tolerance in each different receptor category
Combining impacts into a single variable allows more rigorous mathematical analysis
Because of the sensitivity of the concept of tolerable risk and the difficulty in converting between the effects on different receptors, organizations often set different specific risk levels that are tolerable in each different area. In some cases, to enable more rigorous mathematical analysis, all of the different consequence impacts can be converted into a single value, which is often financial cost.
Example:
Maximum risk tolerance: 0.0005 fatal accidents per person per year, 0.005 injuries per person per year, 0.01 significant environmental releases per plant per year, $500,000 in business loss per plant per year, etc.
Valuing loss of life at $10,000,000, environmental damage at 1.5x clean-up cost, and business losses at actual value, optimize the cost-benefit impact of all safety systems.
These multiple risk criteria can be expressed on the basis of a plant or individual as appropriate. In most cases, individual tolerable risk criteria are followed for personnel safety. To combine risks into a single cost category, conversion factors must be developed and applied according to uniform, agreed guidelines.
Explosion: pressure energy, chemical energy
Toxic release: concentration limits, weather conditions
The detailed methods of consequence analysis are beyond the scope of this lesson. These analyses often involve extremely complex calculations, especially in the cases of explosions, fires, and toxic releases where the magnitude of the consequence depends on the dispersion of material. Further information is available in the exida on-line course Consequence Analysis Overview, although the detailed practice of these techniques often requires months or years of training and experience.
Different potential outcomes identified
Magnitude of each outcome from the perspective of each receptor: Personnel, Environment, Financial
Group consequence components according to the safety instrumented function capable of preventing them
Once one has completed the detailed consequence analysis, there should be a list of potential harmful outcomes and a corresponding list of the magnitude of the harm to each of the different receptor categories. These can then be categorized by the potential safety instrumented functions identified in the hazards analysis that could act to prevent these outcomes.
Using the single variable approach, it is possible to express each consequence in that variable as shown on this slide. The total hazard consequence can now be readily determined by adding the consequences of each receptor in terms of the single variable. Assuming that the hazard will cause all of these traceable impacts, the total cost of the column rupture outcome is ~140 M$. Note that in this case, the decrease in company image caused by the hazard was determined to be accounted for in the other categories and no additional cost was assessed in the analysis.
The likelihood of a hazard is defined as the frequency of the harmful outcome event. This is most often expressed in units of events per year or events per million hours.
[Figure: LOPA event tree for the column rupture scenario, recovered from the slide text]
Initiating event: loss of cooling water, 5/yr
Protection layers (probability of failure): #1 inherent safety 0.01, #2 operator response 0.15, #3 pressure relief valve 0.05, #4 no ignition 0.76
Outcome: explosion 2.85*10^-4/yr on the branch where every layer fails; each layer that succeeds ends its branch in "No event"
Likelihood analysis is often done using Layer of Protection Analysis (LOPA) techniques. The LOPA event tree used to determine the likelihood of the column rupture with explosion is shown in the slide. The likelihood of the initiating event, loss of cooling water, is 5 per year. There are four independent protection layers, each with a probability of failure:
Inherent safety of the process design, probability of failure 0.01
Operator response, probability of failure 0.15
Pressure relief valve, probability of failure 0.05
No ignition, probability of failure 0.76
The column rupture likelihood is determined by multiplying the loss of cooling water likelihood by the probability of failure of each of the protection layers. The resulting column rupture likelihood is then 5/yr * 0.01 * 0.15 * 0.05 * 0.76 = 2.85*10^-4/yr.
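The event tree multiplication above can be checked by walking the tree layer by layer, which also gives the frequency of every "No event" branch, not just the explosion branch. The following script is an added example and is not code from the exida lesson; the initiating-event frequency and the four layer PFDs are the values the lesson quotes, and the consistency check (all branch frequencies must add back up to the initiating-event frequency) is a sanity test added here for trees transcribed by hand.

```python
# Added example, not part of the exida lesson: evaluate a LOPA event tree by
# walking each independent protection layer in turn, so that the frequency of
# every branch can be read off and checked, not only the hazardous one.

INITIATING_EVENT_PER_YEAR = 5.0  # loss of cooling water, value from the lesson

# Independent protection layers in the order a demand reaches them, each with
# its probability of failing to stop the scenario (values from the lesson).
PROTECTION_LAYERS = [
    ("inherent safety of process design", 0.01),
    ("operator response", 0.15),
    ("pressure relief valve", 0.05),
    ("no ignition", 0.76),
]


def outcome_frequencies(initiating_frequency, layers, hazard="explosion"):
    """Return {outcome: events_per_year} for every branch of the event tree.

    A demand stopped by layer k ends in a 'no event' branch at that layer; the
    single branch on which every layer fails ends in the hazardous outcome.
    """
    for name, pfd in layers:
        if not 0.0 <= pfd <= 1.0:
            raise ValueError(f"PFD for {name!r} must lie in [0, 1], got {pfd}")
    freqs = {}
    demands_reaching_layer = initiating_frequency
    for name, pfd in layers:
        # The fraction (1 - pfd) of demands reaching this layer is stopped here.
        freqs[f"no event (stopped by {name})"] = demands_reaching_layer * (1.0 - pfd)
        demands_reaching_layer *= pfd
    freqs[hazard] = demands_reaching_layer
    return freqs


def hazard_frequency(initiating_frequency, layers, hazard="explosion"):
    """Frequency of the hazardous outcome alone: F_init times the product of the PFDs."""
    return outcome_frequencies(initiating_frequency, layers, hazard)[hazard]


def branches_are_consistent(initiating_frequency, layers, tol=1e-12):
    """Every demand must end on some branch, so the branch frequencies sum to F_init."""
    total = sum(outcome_frequencies(initiating_frequency, layers).values())
    return abs(total - initiating_frequency) <= tol


if __name__ == "__main__":
    for outcome, f in outcome_frequencies(INITIATING_EVENT_PER_YEAR, PROTECTION_LAYERS).items():
        print(f"{outcome:50s} {f:.3e} /yr")
    print("consistent:", branches_are_consistent(INITIATING_EVENT_PER_YEAR, PROTECTION_LAYERS))
```

Run stand-alone it lists each branch, with the explosion branch at 2.85e-04 per year, and reports the consistency check. The check is worth keeping in any spreadsheet replacement: a mistyped PFD (for example a percentage entered as 15 instead of 0.15) is caught before the figure reaches the SIL calculation.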
Risk integral approach can also be applied to the personnel and financial components of risk independently of each other
Once the likelihood and consequence analysis results are complete, they must be combined to determine the existing risk. In order to combine the consequences of the potential harmful outcomes related to a single SIF and compare them to the tolerable risk, they must be expressed in the same terms as the tolerable risk levels. No matter whether the consequence is expressed as a single overall cost or loss variable or if personnel impacts are kept separate from financial impacts, it is possible to use a risk integral approach to continue the SIL selection process.
Risk integrals are a measure of the total expected loss, i.e., a summation of the likelihood and consequence for all potential loss events that are being considered. In the case of Safety Instrumented System (SIS) design, this would be all of the consequences that are prevented by a single Safety Instrumented Function (SIF).
RI = \sum_{i=1}^{N} C_i F_i
where RI = risk integral, N = number of hazardous events, C_i = consequence of event i (in terms of fatalities for a loss of life calculation), F_i = frequency of event i
In mathematical form, this summation includes a consequence times frequency risk contribution to the total for each event in question.
The key requirement for using risk integrals is applying a single loss variable to the system in question. This can easily be done if all of the harm is expressed or converted to financial units. Risk integrals can also be applied to personnel safety consequences through the use of probable loss of life or PLL. The important aspect of PLL is that it can take on fractional values, i.e., an injury event can have a PLL of 0.1 or some other value less than one representing the severity of the event in these probable loss of life terms.
Advantages of risk integral targets:
Risk is a single number, ideal for decision-making
Considers multiple fatality events
Diverse risks expressed on a uniform basis, essential for cost-benefit analysis
Risk integrals are only now gaining acceptance in the design-engineering field as a means of measuring risk. Risk integrals have several advantages over other methods for measuring risk:
The single risk variable is easy to use in optimization and decision-making
The risk considers the impact of multiple fatality events
Different risks can be considered on a uniform financial basis for cost-benefit analysis
As a result of these advantages, the risk integrals of Potential Loss of Life for personnel safety and Expected Value for overall financial impact are ideal for risk reduction design engineering.
What is the risk integral for that particular SIF in terms of PLL per year?
This heated vessel rupture example considers the different outcomes that could be prevented by a SIF that senses an extreme high pressure and acts to open a separate dedicated valve to relieve that pressure to a safe venting system.
Multiplying each consequence by its corresponding frequency and summing the results at the bottom right gives the total risk integral for this pressure relief SIF of: PLL=0.21 fatalities per year
This column rupture example considers the different outcomes that could be prevented by a SIF that senses a high column pressure and acts to open a valve to relieve that pressure to a safe venting system. It is important to note that the risk calculated here is for the system without the SIF present.
For the column rupture example described earlier in the lesson, both the consequence and the likelihood have been determined, as 140 M$ and 2.85*10^-4 events per year respectively.
The column rupture inherent risk is simply calculated by multiplying 140 M$ by 2.85*10^-4 events per year, which yields an inherent risk of 39,990 [US $ / year].
RRF = inherent (unmitigated) risk / tolerable risk
Given inherent, unmitigated risks resulting from a consequence and likelihood analysis along with tolerable risk, the required risk reduction factor that an SIF needs to achieve can be calculated by dividing the inherent risk by the tolerable risk. As noted earlier, it is important to make sure that the inherent risk or risk integral and tolerable risk are expressed in the same units.
All that is needed for the heated vessel pressure relief SIF example is the tolerable risk in terms of probable loss of life per year.
RRF = existing unmitigated risk / tolerable risk = 210
Thus dividing the existing unmitigated risk by the tolerable risk gives the required risk reduction factor of 210.
A low-cost, low-performance SIL 1 SIF can provide a risk reduction factor of 10 for $5,000 per year net cost
A higher-cost, higher-performance SIL 2 SIF can provide a risk reduction factor of 100 for $20,000 per year net cost
Considering the column rupture and explosion example developed earlier along with the safety system cost data, which SIF option should be chosen?
Putting each case on an annual cost basis clarifies the choice significantly. Since the first option provides a $31,000 per year savings relative to doing nothing, it has significant potential.
Although the higher performance system reduces the risk cost to only $399 per year, its $20,000 per year total cost pushes it to a lower level of savings than the SIL 1 SIF option. Thus the SIL 1 SIF is the best option for this situation.
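The annual-cost comparison behind the SIL 1 versus SIL 2 decision, written out as a small script so that it can be re-run with other options or a different inherent risk cost. This is an added example, not code from the exida lesson; the inherent risk cost of 39,990 $/yr and the two options' RRF and net cost figures are the lesson's numbers, and the lesson rounds the resulting savings of 30,991 $/yr to $31,000 and the residual risk of 399.9 $/yr to $399. The break-even function goes beyond the lesson: it answers how cheap the higher-performance option would have to be before it became the better choice.

```python
# Added example, not part of the exida lesson: put each SIF option on an
# annual cost basis (residual risk cost after the SIF plus the SIF's own net
# cost) and rank the options. Figures below are the lesson's for the column
# rupture and explosion case; the break-even calculation is an addition.

INHERENT_RISK_COST_PER_YEAR = 39_990.0  # US$/yr, from the lesson

# (label, risk reduction factor, net cost of the option in US$ per year)
OPTIONS = [
    ("do nothing", 1, 0.0),
    ("SIL 1 SIF", 10, 5_000.0),
    ("SIL 2 SIF", 100, 20_000.0),
]


def annual_cost(inherent_risk_cost, rrf, option_cost):
    """Total yearly cost of living with an option: residual risk plus option cost."""
    if rrf < 1:
        raise ValueError("an RRF below 1 would increase risk, not reduce it")
    return inherent_risk_cost / rrf + option_cost


def compare_options(inherent_risk_cost, options):
    """Return (label, residual_risk_cost, total_cost, savings) rows, cheapest first.

    Savings are relative to doing nothing, i.e. carrying the full inherent
    risk cost every year.
    """
    rows = []
    for label, rrf, option_cost in options:
        total = annual_cost(inherent_risk_cost, rrf, option_cost)
        rows.append((label, inherent_risk_cost / rrf, total, inherent_risk_cost - total))
    return sorted(rows, key=lambda row: row[2])


def best_option(inherent_risk_cost, options):
    """Label of the option with the lowest total annual cost."""
    return compare_options(inherent_risk_cost, options)[0][0]


def break_even_cost(inherent_risk_cost, rrf_candidate, rrf_incumbent, incumbent_cost):
    """Largest yearly cost at which a candidate SIF still beats the incumbent option.

    Beyond the lesson's slides: the incumbent's total cost minus the
    candidate's residual risk cost is what is left to spend on the candidate.
    """
    incumbent_total = annual_cost(inherent_risk_cost, rrf_incumbent, incumbent_cost)
    return incumbent_total - inherent_risk_cost / rrf_candidate


if __name__ == "__main__":
    for label, residual, total, savings in compare_options(INHERENT_RISK_COST_PER_YEAR, OPTIONS):
        print(f"{label:12s} residual risk {residual:10,.1f}  total {total:10,.1f}  savings {savings:10,.1f} US$/yr")
    print("best option:", best_option(INHERENT_RISK_COST_PER_YEAR, OPTIONS))
    print("SIL 2 beats SIL 1 only below",
          round(break_even_cost(INHERENT_RISK_COST_PER_YEAR, 100, 10, 5_000.0), 1), "US$/yr")
```

Because residual risk falls by a factor of RRF while the option cost is paid in full, the ranking can flip as the inherent risk cost grows: the same script with a larger inherent risk cost will at some point prefer the SIL 2 option, which is exactly the sensitivity a reviewer should ask about before the cheaper system is specified.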
Personnel RRF = 1000
Environmental RRF = 300
Financial RRF = 150
Choose the highest RRF = 1000 for specifying the system
For multiple receptors per hazard, some companies calculate risk reduction factors for each receptor. The RRF for the instrumented function in this situation is chosen to be the highest one, since it will automatically satisfy the other lesser requirements.
SIL Assignment
SIL selection is performed based on the RRF calculated for the SIF
For the heated vessel case, the RRF = 210
Target SIL = SIL 3
The minimum risk reduction of 1000 for a SIL 3 SIF guarantees that any SIL 3 system will achieve the required risk reduction factor
[Table: Safety Integrity Level versus average probability of failure on demand (Low Demand mode of operation); table body not recovered from the slide]
The final step in the personnel case is to select the target Safety Integrity Level for the Safety Instrumented Function based on the required risk reduction factor. Here the RRF of 210 indicates that a target of SIL 3 is required for the SIF. Note: Even though the risk reduction factor for SIL 2 ranges from 100 to 1000, SIL 3 was selected. If a target SIL of SIL 2 were selected, the SIF designed may have an actual RRF of 100, which suits SIL 2 requirements but would not be enough for the heated vessel example, as a RRF of 210 is required.
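The chain from risk integral to required RRF to target SIL, including the multi-receptor rule and the "minimum RRF must cover the requirement" rule explained above, as an added example rather than code from the exida lesson. The PFDavg bands are the IEC 61508 low demand mode bands (SIL 1: 10^-2 to 10^-1, SIL 2: 10^-3 to 10^-2, SIL 3: 10^-4 to 10^-3, SIL 4: 10^-5 to 10^-4). The outcome table is constructed here so that its risk integral equals the lesson's 0.21 PLL/yr, since the lesson's own heated vessel table was not recovered; the tolerable risk of 0.001 PLL/yr is likewise not printed in the lesson and is back-calculated from its RI of 0.21 and RRF of 210.

```python
# Added example, not part of the exida lesson: risk integral, required RRF,
# governing RRF across receptors, and target SIL for low demand mode.

# Constructed outcome table: (outcome, C_i in probable loss of life per event,
# F_i in events per year). Chosen so that RI = 0.21 PLL/yr as in the lesson.
OUTCOMES = [
    ("vessel rupture with fire, operators in area", 2.0, 0.05),
    ("vessel rupture, no fire", 0.5, 0.20),
    ("flange leak, one injury", 0.1, 0.10),
]
TOLERABLE_PLL_PER_YEAR = 0.001  # back-calculated from the lesson's RI and RRF

# IEC 61508 low demand mode bands: (SIL, PFDavg lower bound, PFDavg upper bound).
SIL_BANDS = [
    (1, 1e-2, 1e-1),
    (2, 1e-3, 1e-2),
    (3, 1e-4, 1e-3),
    (4, 1e-5, 1e-4),
]


def risk_integral(outcomes):
    """RI = sum over i of C_i * F_i for the outcomes one SIF would prevent."""
    return sum(c * f for _, c, f in outcomes)


def required_rrf(inherent_risk, tolerable_risk):
    """RRF = inherent risk / tolerable risk; both must be in the same units."""
    if tolerable_risk <= 0:
        raise ValueError("tolerable risk must be positive")
    return inherent_risk / tolerable_risk


def governing_rrf(rrf_by_receptor):
    """With several receptors, the largest RRF automatically satisfies the rest."""
    return max(rrf_by_receptor.values())


def target_sil(rrf):
    """Lowest SIL whose guaranteed (minimum) RRF, 1 / upper PFDavg, meets rrf.

    The band that merely contains rrf (SIL 2 for 210) would accept a compliant
    SIF with an actual RRF of 100, which is short of the requirement.
    """
    if rrf <= 1.0:
        return 0  # no instrumented risk reduction required
    for sil, _lower_pfd, upper_pfd in SIL_BANDS:
        if 1.0 / upper_pfd >= rrf:
            return sil
    raise ValueError("RRF exceeds what a single SIF can be specified to deliver")


if __name__ == "__main__":
    ri = risk_integral(OUTCOMES)
    rrf = required_rrf(ri, TOLERABLE_PLL_PER_YEAR)
    print(f"RI = {ri:.3f} PLL/yr, RRF = {rrf:.0f}, target SIL {target_sil(rrf)}")
    multi = {"personnel": 1000, "environmental": 300, "financial": 150}
    print("governing RRF", governing_rrf(multi), "-> SIL", target_sil(governing_rrf(multi)))
```

The distinction in target_sil is the one that matters in review: a lookup that returns the band containing the RRF under-specifies the function whenever the RRF sits above the band's lower edge, so the test below checks both 210 (SIL 3) and a value just under 100 (SIL 2).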
The lesson began with the safety lifecycle (SLC) context of SIL selection and a brief review of risk, including the idea of defining a level of tolerable risk. The lesson then presented a brief description of the safety instrumented functions to which the SILs are to be assigned. Next the lesson addressed the consequence and likelihood components of risk in more detail as they relate to identifying the existing level of risk in a process or piece of equipment, including how to determine a hazard's consequence and how the likelihood of a hazard can be quantitatively determined. Then the lesson considered the combination of multiple outcomes based on the risk integrals approach. Finally, based on the difference between the existing risk and the tolerable risk level identified and approved by the organization in question, the risk reduction requirement for the specific SIF was determined and the SIL assignment made. To be sure the material is thoroughly understood, please take the time to go back and review any parts of this lesson as needed before moving on to the quiz.
Additional Resources
For more information on SIL selection and Safety Instrumented Systems, consider reviewing the following book:
Systematic SIL Selection With Layer of Protection Analysis (coming soon to the exida.com web store)
Process Hazards Analysis
ALARP and Tolerable Risk
Consequence Analysis Overview
Introduction to Likelihood Analysis
Layer of Protection Analysis (LOPA)
Qualitative SIL Selection
More information on both qualitative and quantitative SIL selection and some aspects of SIS design is available from books and other training classes. The forthcoming exida.com book Systematic SIL Selection With Layer of Protection Analysis provides a detailed description of tolerable risk, likelihood, consequence, and general Safety Instrumented Systems with SIL selection process examples. Also consider reviewing the exida.com on-line lessons on process hazards analysis, ALARP and tolerable risk, consequence analysis, likelihood analysis, layer of protection analysis, and qualitative SIL selection for additional information.
Questions
Questions: Please send any questions to info@exida.com. We will respond as soon as possible. Additional Resources: Free articles are available to download from the exida.com website. These can be reached at http://www.exida.com/articles.asp. Additional resources including books, tools, and reports are available from the exida on-line store. A product listing is available at http://www.exida.com/products2/.
If you have any questions, please send them via email to info@exida.com. Please refer to this particular lesson, Quantitative SIL Selection. Additional resources are available from the exida.com website, including a series of free articles that may be downloaded. Books, reports, and engineering tools are available at the exida on-line store. exida.com is a knowledge company focused on system reliability and safety. We provide training, tools, coaching, and consulting. For general information about exida, please view our website at www.exida.com. Thank you for your interest. Please consider other lessons in the on-line training series from exida.com.