
exida.com
excellence in dependable-automation

Quantitative SIL Selection


Safety Integrity Level | Probability of failure on demand, average (Low Demand mode of operation) | Risk Reduction Factor
SIL 4 | >=10^-5 to <10^-4 | 100000 to 10000
SIL 3 | >=10^-4 to <10^-3 | 10000 to 1000
SIL 2 | >=10^-3 to <10^-2 | 1000 to 100
SIL 1 | >=10^-2 to <10^-1 | 100 to 10

On-line Lesson

Welcome to the exida.com online lesson on Quantitative Safety Integrity Level Selection. In this lesson, we will present the concept of a Safety Integrity Level (SIL) as well as the quantitative approach in establishing SIL selection.

Copyright 2002, exida.com


Prerequisite Lessons

Introduction to Safety Instrumented Systems
The Safety Lifecycle


It is recommended that the exida on-line lessons Introduction to Safety Instrumented Systems and The Safety Lifecycle be taken by anyone not well versed in these topics before proceeding with this lesson.


Companion Lessons

Process Hazards Analysis
ALARP and Tolerable Risk
Consequence Analysis Overview
Introduction to Likelihood Analysis
Layer of Protection Analysis (LOPA)
Qualitative SIL Selection

Since Quantitative SIL Selection encompasses so many different aspects, it is recommended that the following lessons on specific components of the larger SIL selection process be used as companions to this lesson to provide a more complete understanding of the overall process: Process Hazards Analysis; ALARP and Tolerable Risk; Consequence Analysis Overview; Introduction to Likelihood Analysis; Layer of Protection Analysis; Qualitative SIL Selection.


Quantitative SIL Selection Overview


Topics:
Risk and the Context of SIL Selection
Safety Instrumented Functions
Consequence
Likelihood
Risk integrals approach
Required risk reduction leading to SIL assignment

SLC Analysis Phase:
1 Concept
2 Overall Scope Definition
3 Hazard & Risk Analysis
4 Overall Safety Requirements
5 Safety Requirements Allocation


The lesson starts with the safety lifecycle (SLC) context of SIL selection and a brief review of risk. The lesson continues with a brief description of the safety instrumented functions (SIFs) to which the SILs are to be assigned. Next the lesson addresses the consequence and likelihood components of risk in more detail as they relate to identifying the existing level of risk in a process or piece of equipment, including how to determine a hazard's consequence and how the likelihood of a hazard can be quantitatively determined. Then the lesson considers the combination of multiple outcomes based on the risk integrals approach. Finally, based on the difference between the existing risk and the tolerable risk level identified and approved by the organization in question, the risk reduction requirement for the specific SIF can be determined and the SIL assignment made.


Detailed Safety Lifecycle

[Figure: Detailed Safety Lifecycle flowchart; only its labels survived extraction, so the flow is summarized here.]
ANALYSIS Phase (End User / Consultant): Conceptual Process Design, Event History and Process Information feed Identify Potential Risks, producing Potential Hazards. Layer of Protection Analysis (using Layers of Protection Failure Probabilities) and Assess Potential Risk Likelihood produce Hazard Frequencies; Analyze Potential Risk Magnitude produces Hazard Characteristics; Consequence Analysis (using a Consequence Database) produces Hazard Consequences; Select Target SIL (using Tolerable Risk Guidelines) produces Target SILs. Develop non-SIS Layers; Safety Requirements Allocation; SIS Required? No: Exit; Yes: Develop Safety Specification. Safety Requirements Specification: Functional Description of each Safety Instrumented Function, Target SIL, Mitigated Hazards, Process parameters, Logic, Bypass/Maintenance requirements, Response time, etc.
REALIZATION (Vendor / Contractor / End User): SIS Conceptual Design (Select Technology, Select Architecture, Determine Test Philosophy, Reliability and Safety Evaluation using Manufacturers Failure Data and a Failure Data Database) produces SILs Achieved; SIL Achieved? No: loop back; Yes: SIS Detailed Design. Detailed Design Documentation: Loop Diagrams, Wiring Diagrams, Logic Diagrams, Panel Layout, PLC Programming, Installation Requirements, Commissioning Requirements, etc. Manufacturers Safety Manual and Manufacturers Installation Instructions feed Installation & Commission Planning and Validation Planning; SIS Installation, Commissioning and Pre-startup Acceptance Test; Validation: Pre-startup Safety Review.
OPERATION (End User / Contractor): Operating and Maintenance Planning; SIS startup, operation, maintenance, Periodic Functional Tests; Modify, Decommission? Modify: loop back; Decommission: SIS Decommissioning.

This slide shows a more detailed drawing of the safety lifecycle. In the analysis phase, hazards are identified and risk reduction targets are established for each hazard. For some hazards, a safety instrumented function (SIF) is defined in order to reduce risk. In these cases, a Safety Integrity Level or SIL is selected for that SIF to achieve the required risk reduction.


How to Select a SIL


Determine tolerable risk
Identify potential hazards
Identify prospective SIF to address these specific hazards
Identify existing unmitigated risk based on consequence and likelihood analysis
Determine how much risk reduction is needed to give a tolerable risk
Quantitative methods give specific numerical targets for risk reduction
Qualitative methods group numerical targets into more broad categories of risk reduction

The SIL selection process is essentially a systematic approach used to: establish the difference between the existing level of risk and that which can be tolerated; identify specific individual functions to address these risks; and assign the SIL to specify how robust these functions must be to actually achieve the required risk reduction. The quantitative method shown in this lesson will help determine a specific numerical target for the risk reduction. NOTE: The qualitative methods introduced in the exida.com on-line lesson Qualitative SIL Selection group numerical targets into more broad categories of risk reduction to achieve the same general purpose.


What Is Risk?
Risk is a measure of the likelihood and consequence of an adverse effect, i.e., how often can it happen and what will be the effects if it does?
Risk receptors:
Personnel
Environment
Equipment/Property Damage
Business Interruption
Business Liability
Company Image
Lost Market Share


The definition of risk includes components of likelihood and consequence, which both contribute to the risk for each hazard. Hazardous events often have consequences that cause harm in multiple areas to receptors such as personnel, environment, equipment, etc. These different hazardous events are identified and characterized as part of a Hazard and Risk Assessment process described in detail as part of the exida Process Hazards Analysis on-line lesson.


ALARP and Tolerable Risk

[Figure: risk regions plotted against event frequency per year. High Risk / Intolerable Region above 10^-3/yr (workers) and 10^-4/yr (public); ALARP or Tolerable Region between those limits and 10^-6/yr; Broadly Acceptable Region (Negligible Risk) below 10^-6/yr.]

Since risk is present in all human activities, some level of risk must be tolerated in any system. The challenge is in determining what that level of risk is for a given organization. The general principle of tolerable risk put forward in the IEC standards is that some risks are completely intolerable and should not be undertaken, some risks are broadly acceptable and should not be worried about, and some risks fall in the middle. These middle-level risks should be reduced to a level As Low as Reasonably Practicable or ALARP. Specific values of these risk levels are often a point of debate. The values noted in this slide are from the UK Health and Safety Executive, the originators of the ALARP concept, and are provided for information purposes, not as recommendations for any particular situation.


Paths to Risk Reduction

[Figure: Likelihood (vertical axis) versus Consequence (horizontal axis), with risk increasing toward the upper right. Regions: Unacceptable Risk Region, ALARP Risk Region, Acceptable Risk Region. The Inherent Risk of the Process (i.e., No Mitigation) is moved by non-SIS likelihood reduction (e.g., relief valves) and non-SIS consequence reduction (e.g., containment dikes) to the Risk after non-SIS Mitigation; SIS Risk Reduction (SIL 1, SIL 2, SIL 3 bands) then lowers the likelihood further to the Final Risk after Mitigation.]

Risk reduction can be accomplished using different techniques, including methods to reduce both the consequences and likelihood of any harm. One specific method of risk reduction, primarily directed at the likelihood aspect, is through automatic protection systems called Safety Instrumented Systems. These systems carry out specific functions to bring the process or equipment to a safe state. The ability of these systems to carry out each of these functions when required is measured by the corresponding safety integrity level (SIL). Thus the SIL corresponds to the level of risk reduction required to change the existing unmitigated risk enough to achieve a level of risk that can be tolerated by the organization in question.


Safety Instrumented Functions


Specific single set of actions and the corresponding equipment needed to identify a single emergency and act to bring the system to a safe state
SIL is assigned to each SIF based on required risk reduction
Different from a SIS, which can encompass multiple functions and act in multiple ways to prevent multiple harmful outcomes
SIS may have multiple SIF with different individual SIL, so it is incorrect and ambiguous to define a SIL for an entire safety instrumented system

An individual Safety Instrumented Function (SIF) is designed to identify the need and then act to bring the system to a safe state for each hazard scenario. The effectiveness of the risk reduction is measured by the functions risk reduction factor (often expressed as a Safety Integrity Level). The required risk reduction is the difference between the process risk before a SIF and the tolerable level of risk to be achieved for that process or piece of equipment. It is important to note that a SIF is an individual function and a SIS can include multiple functions, so the SIL refers to each SIF rather than to the entire safety instrumented system.


Safety Integrity Levels

Safety Integrity Level | Probability of failure on demand, average (Low Demand mode of operation) | Risk Reduction Factor
SIL 4 | >=10^-5 to <10^-4 | 100,000 to 10,000
SIL 3 | >=10^-4 to <10^-3 | 10,000 to 1,000
SIL 2 | >=10^-3 to <10^-2 | 1,000 to 100
SIL 1 | >=10^-2 to <10^-1 | 100 to 10

The Safety Integrity Level is a measure defined in the IEC61508 standard. The key measure of a system's integrity is how well it can be counted on to do what it is supposed to do when it is supposed to do it. For the Low Demand mode of operation common in the process industry, the average probability of failure on demand (PFDavg) is the variable that defines the SIL, as shown in the table on this slide. The risk reduction factor is the reciprocal of the PFDavg, and the SIL number itself represents the minimum number of orders of magnitude of risk reduction that the SIF will provide. For the High Demand mode common in machinery applications, SIL relates to the frequency of unsafe failures of the SIF per hour, since the systems used are required to act more frequently than they are tested and repaired.


Calculating Risk
In quantitative analysis, risk associated with a hazard can be calculated using the following formula:

Risk = Consequence * Likelihood

Example Hazard:
Consequence of harmful outcome is two fatalities
Likelihood of harmful outcome is once every ten years
Risk from the hazard is 0.2 fatalities per year

In quantitative analysis, the risk associated with a hazard can be calculated by multiplying the consequence of a harmful outcome and the likelihood or frequency of it taking place. As an example, assume a hazard with an outcome consequence of two fatalities. Furthermore, assume that the likelihood of the hazard leading to the harmful outcome is once every ten years. The risk of the hazard, obtained by simple multiplication, is then 0.2 fatalities per year.


Basic Consequence Analysis Concepts


One hazard can lead to one or more outcomes with multiple receptors
Each aspect of the harmful outcome is measured in different units:
Personnel: Fatalities, Injuries
Environment: Toxic releases, Clean-up efforts (US $)
Equipment/Property Damage: US $
Etc.

As shown before, there can be several potential risk receptors for a specific hazard. With a separation column rupture, for example, the rupture energy itself can cause fatalities and injuries to personnel; it might cause a toxic release with other injuries or fatalities; environmental clean-up efforts could be required after the rupture; and the loss of the column could lead to plant down time. Each of the aspects of the consequence is measured in its own units. Fatalities are measured in number of deaths; injuries may be measured in number of injuries scaled by severity; environmental impacts are quantified individually; and clean-up efforts, potential fines, damage to corporate image, and down time are measured financially.


Tolerable Risk Level and Consequence Receptors

Tolerable risk is a sensitive topic
It is difficult to convert between personnel, environmental, and cost receptors
Organizations often set specific levels of tolerance in each different receptor category
Combining impacts into a single variable allows more rigorous mathematical analysis

Because of the sensitivity of the concept of tolerable risk and the difficulty in converting between the effects on different receptors, organizations often set different specific risk levels that are tolerable in each different area. In some cases, to enable more rigorous mathematical analysis, all of the different consequence impacts can be converted into a single value, which is often financial cost.


Tolerable Risk Level and Consequence Receptors

Example:
Maximum risk tolerance: 0.0005 fatal accidents per person per year, 0.005 injuries per person per year, 0.01 significant environmental release per plant per year, $500,000 in business loss per plant per year, etc.
Valuing loss of life at $10,000,000, environmental damage at 1.5x clean-up cost, and business losses at actual value, optimize the cost-benefit impact of all safety systems.

These multiple risk criteria can be expressed on the basis of a plant or individual as appropriate. In most cases, individual tolerable risk criteria are followed for personnel safety. To combine risks into a single cost category, conversion factors must be developed and applied according to uniform, agreed guidelines.


Methods of Consequence Analysis

Consequences can require extremely involved analysis:
Fire: How much material, What kind of fire
Explosion: Pressure energy, Chemical energy
Toxic release: Concentration limits, Weather conditions

The detailed methods of consequence analysis are beyond the scope of this lesson. These analyses often involve extremely complex calculations, especially in the cases of explosions, fires, and toxic releases where the magnitude of the consequence depends on the dispersion of material. Further information is available in the exida on-line course Consequence Analysis Overview, although the detailed practice of these techniques often requires months or years of training and experience.


Results of Consequence Analysis

Different potential outcomes identified
Magnitude of each outcome from the perspective of each receptor: Personnel, Environment, Financial
Group consequence components according to the safety instrumented function capable of preventing them

Once one has completed the detailed consequence analysis, there should be a list of potential harmful outcomes and a corresponding list of the magnitude of the harm to each of the different receptor categories. These can then be categorized by the potential safety instrumented functions identified in the hazards analysis that could act to prevent these outcomes.


Consequence Results: Column Rupture Case

The consequences of a column rupture are determined as follows:

Personnel: 3 fatalities (3*10 M$), 15 injuries (15*1.0 M$)
Environment: no exceptional toxic release (0 $, no fine), internal clean-up activities (0.5 M$)
Equipment: new column/installation (4.5 M$)
Business Interruption: 25% lost production for 3 months (50 M$)
Business Liability: direct customer contract losses (25 M$)
Company Image: no additional cost not already considered
Lost Market Share: customers go to competitor(s) (15 M$)

Total column rupture hazard consequence is 140 M$

Using the single variable approach, it is possible to express each consequence in that variable as shown on this slide. The total hazard consequence can now be readily determined by adding the consequences of each receptor in terms of the single variable. Assuming that the hazard will cause all of these traceable impacts, the total cost of the column rupture outcome is ~140 M$. Note that in this case, the decrease in company image caused by the hazard was determined to be accounted for in the other categories and no additional cost was assessed in the analysis.


Event Likelihood / Frequency


Event likelihood according to dIEC61511, Part 3:
Refers to a frequency such as the number of events per year or per million hours
Note this is different from the common English definition equating it to probability

The likelihood of a hazard is defined as the frequency of the harmful outcome event. This is most often expressed in units of events per year or events per million hours.


LOPA for Column Rupture


Column Rupture

[Event tree: Initiating event, Loss of cooling water, 5/yr. Protection layers in order, each with its probability of failure: #1 Process design 0.01, #2 Operator response 0.15, #3 Pressure relief valve 0.05, #4 No ignition 0.76. Each layer that works ends its branch in No event; the branch on which all four layers fail leads to the Outcome, Explosion, at 2.85*10^-4/yr.]

Likelihood analysis is often done using Layer of Protection Analysis (LOPA) techniques. The LOPA event tree used to determine the likelihood of the column rupture with explosion is shown in the slide. The likelihood of the initiating event, loss of cooling water, is 5 per year. There are four independent protection layers, each with a probability of failure:
Inherent safety of the process design, probability of failure 0.01
Operator response, probability of failure 0.15
Pressure relief valve, probability of failure 0.05
No ignition, probability of failure 0.76
The column rupture likelihood is determined by multiplying the loss of cooling water likelihood by the probability of failure of each of the protection layers. The resulting column rupture likelihood is then 5/yr * 0.01 * 0.15 * 0.05 * 0.76 = 2.85*10^-4 /yr.
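The event-tree arithmetic above, as an added example that is not part of the exida lesson: a small LOPA calculator that multiplies the initiating event frequency by the probability of failure on demand (PFD) of each independent protection layer, and also reports the frequency of every "No event" branch, so the branch frequencies can be checked against the initiating frequency. The layer names and values are constructed from the slide; the `layer_demand_rate` helper (how often a given layer is actually challenged) is an addition beyond what the slide shows.

```python
# Added example, not part of the exida lesson: a LOPA event-tree calculator
# that reproduces the column rupture numbers from the slide.
# Assumption: the protection layers are independent, so the frequency of the
# harmful outcome is the initiating event frequency multiplied by the PFD of
# every layer.

from typing import List, Tuple

Layer = Tuple[str, float]  # (layer name, probability of failure on demand)

# Values constructed from the slide: initiating event frequency per year and
# the independent protection layers in the order they act.
LOSS_OF_COOLING_WATER_PER_YEAR = 5.0
COLUMN_RUPTURE_LAYERS: List[Layer] = [
    ("Inherent safety of the process design", 0.01),
    ("Operator response", 0.15),
    ("Pressure relief valve", 0.05),
    ("No ignition", 0.76),
]


def _check_pfd(name: str, pfd: float) -> None:
    # A PFD is a probability; anything outside [0, 1] is a data-entry error.
    if not 0.0 <= pfd <= 1.0:
        raise ValueError(f"PFD for {name!r} must be between 0 and 1, got {pfd}")


def outcome_frequency(initiating_freq: float, layers: List[Layer]) -> float:
    """Frequency (per year) of the harmful outcome: the initiating event
    frequency times the PFD of each independent protection layer."""
    freq = initiating_freq
    for name, pfd in layers:
        _check_pfd(name, pfd)
        freq *= pfd
    return freq


def event_tree(initiating_freq: float, layers: List[Layer]) -> List[Tuple[str, float]]:
    """Frequency of every branch of the event tree. Each layer that works ends
    its branch in 'No event'; only the path on which every layer fails reaches
    the outcome. The branch frequencies sum to the initiating frequency, which
    is a quick consistency check on the inputs."""
    branches = []
    remaining = initiating_freq
    for name, pfd in layers:
        _check_pfd(name, pfd)
        branches.append((f"{name} works -> No event", remaining * (1.0 - pfd)))
        remaining *= pfd
    branches.append(("All layers fail -> Explosion", remaining))
    return branches


def layer_demand_rate(initiating_freq: float, layers: List[Layer], index: int) -> float:
    """How often (per year) the layer at position `index` is actually called
    on: the initiating frequency reduced by the PFDs of the layers ahead of it.
    Useful when checking whether a layer really sees the low-demand operation
    that the PFDavg figures used for SIL assume."""
    return outcome_frequency(initiating_freq, layers[:index])


if __name__ == "__main__":
    for name, freq in event_tree(LOSS_OF_COOLING_WATER_PER_YEAR, COLUMN_RUPTURE_LAYERS):
        print(f"{name:55s} {freq:.3e} /yr")
```

Running the block prints one line per branch; the last line is the 2.85*10^-4 /yr explosion frequency from the slide, and the other four lines add up with it to the 5/yr initiating frequency.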


Considering All the Impacts


Outcomes must be expressed in the same terms as the tolerable risk limits
For the single variable method, this involves the conversion factors mentioned earlier
Risk integral approach
Risk integral approach can also be applied to the personnel and financial components of risk independently of each other

Once the likelihood and consequence analysis results are complete, they must be combined to determine the existing risk. In order to combine the consequences of the potential harmful outcomes related to a single SIF and compare them to the tolerable risk, they must be expressed in the same terms as the tolerable risk levels. No matter whether the consequence is expressed as a single overall cost or loss variable or if personnel impacts are kept separate from financial impacts, it is possible to use a risk integral approach to continue the SIL selection process.


Risk Integral Definition


Risk integrals are a measure of the total expected loss
A summation of likelihood and consequence for all potential loss events

Risk integrals are a measure of the total expected loss, i.e., a summation of the likelihood and consequence for all potential loss events that are being considered. In the case of Safety Instrumented System (SIS) design, this would be all of the consequences that are prevented by a single Safety Instrumented Function (SIF).


Risk Integral Equation


The nominal equation for the risk integral is:

$RI = \sum_{i=1}^{N} C_i F_i$

where
RI = risk integral
N = number of hazardous events
C = consequence of the event (in terms of fatalities for loss of life calculation)
F = frequency of the event

In mathematical form, this summation includes a consequence times frequency risk contribution to the total for each event in question.


Risk Integral Application


Risk integrals require a single loss variable
Can be across all receptors converted to financial terms
Can be across financial receptors only, in monetary cost terms
Can also be across personnel receptors only, in equivalent or probable loss of life (PLL) terms
PLL can take on fractional values

The key requirement for using risk integrals is applying a single loss variable to the system in question. This can easily be done if all of the harm is expressed or converted to financial units. Risk integrals can also be applied to personnel safety consequences through the use of probable loss of life or PLL. The important aspect of PLL is that it can take on fractional values, i.e., an injury event can have a PLL of 0.1 or some other value less than one representing the severity of the event in these probable loss of life terms.


Risk Integral Advantages


Risk integrals are a measure of the expected loss
A summation of likelihood and consequence for all potential loss events for the SIF and category in question

Advantages of risk integral targets:
Risk is a single number, ideal for decision-making
Considers multiple fatality events
Diverse risks expressed on a uniform basis, essential for cost-benefit analysis

Risk integrals are only now gaining acceptance in the design-engineering field as a means of measuring risk. Risk integrals have several advantages over other methods for measuring risk: the single risk variable is easy to use in optimization and decision-making; the risk considers the impact of multiple fatality events; and different risks can be considered on a uniform financial basis for cost-benefit analysis. As a result of these advantages, the risk integrals of Potential Loss of Life for personnel safety and Expected Value for overall financial impact are ideal for risk reduction design engineering.


Risk Integral Personnel Example


Consider the case where the following results are available from the consequence and likelihood analyses for a group of outcomes that can be prevented by the single SIF:

Outcome | Probable Loss of Life (PLL) | Frequency (Events per year)
Vessel rupture with pool fire | 0.5 | 0.1
Vessel rupture with flash fire | 1 | 0.1
Vessel rupture with explosion | 6 | 0.01
Vessel rupture with spill only | 0.01 | 0.2

What is the risk integral for that particular SIF in terms of PLL per year?

This heated vessel rupture example considers the different outcomes that could be prevented by a SIF that senses an extreme high pressure and acts to open a separate dedicated valve to relieve that pressure to a safe venting system.


Risk Integral Personnel Example


Outcome | Probable Loss of Life (PLL) | Frequency (Events per year) | Risk Component (PLL per year)
Vessel rupture with pool fire | 0.5 | 0.1 | 0.050
Vessel rupture with flash fire | 1 | 0.1 | 0.100
Vessel rupture with explosion | 6 | 0.01 | 0.060
Vessel rupture with spill only | 0.01 | 0.2 | 0.002
Total Risk Integral | | | 0.212

Multiplying each consequence by its corresponding frequency and summing the results at the bottom right gives the total risk integral for this pressure relief SIF of: PLL = 0.21 fatalities per year

This column rupture example considers the different outcomes that could be prevented by a SIF that senses a high column pressure and acts to open a valve to relieve that pressure to a safe venting system. It is important to note that the risk calculated here is for the system without the SIF present.
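The risk integral computation, as an added example that is not part of the exida lesson: RI = sum over i of C_i * F_i evaluated over the outcomes prevented by one SIF. It reproduces the PLL table above and, since the same formula with N = 1 is the single-event risk, also the column rupture case from earlier in the lesson (140 M$ at 2.85*10^-4 events per year). The outcome data are constructed from the slides; the `dominant_outcome` helper, which reports the scenario contributing most of the total, is an addition beyond what the slides show.

```python
# Added example, not part of the exida lesson: risk integral RI = sum_i C_i F_i
# over the outcomes prevented by one SIF. Consequences must all be in one
# loss variable (PLL per event, or $ per event); the code does not convert
# between receptors.

from typing import List, Tuple

Outcome = Tuple[str, float, float]  # (description, consequence C_i, frequency F_i per year)

# Constructed from the slides.
HEATED_VESSEL_OUTCOMES: List[Outcome] = [  # consequence in PLL per event
    ("Vessel rupture with pool fire", 0.5, 0.1),
    ("Vessel rupture with flash fire", 1.0, 0.1),
    ("Vessel rupture with explosion", 6.0, 0.01),
    ("Vessel rupture with spill only", 0.01, 0.2),
]
COLUMN_RUPTURE_OUTCOMES: List[Outcome] = [  # consequence in US $ per event
    ("Column rupture with explosion", 140e6, 2.85e-4),
]


def risk_components(outcomes: List[Outcome]) -> List[Tuple[str, float]]:
    """Risk contribution C_i * F_i of each outcome, in loss units per year."""
    comps = []
    for name, consequence, frequency in outcomes:
        if consequence < 0 or frequency < 0:
            raise ValueError(f"negative consequence or frequency for {name!r}")
        comps.append((name, consequence * frequency))
    return comps


def risk_integral(outcomes: List[Outcome]) -> float:
    """RI = sum over i of C_i * F_i: the expected loss per year without the SIF."""
    return sum(component for _, component in risk_components(outcomes))


def dominant_outcome(outcomes: List[Outcome]) -> Tuple[str, float]:
    """The outcome with the largest share of the risk integral, as
    (name, fraction of total). Shows which scenario drives the requirement."""
    comps = risk_components(outcomes)
    total = sum(c for _, c in comps)
    name, largest = max(comps, key=lambda item: item[1])
    return name, (largest / total if total > 0 else 0.0)


def format_table(outcomes: List[Outcome], unit: str) -> str:
    """Plain-text version of the slide's table: one row per outcome plus the total."""
    lines = [f"{'Outcome':32s} {'C_i':>10s} {'F_i /yr':>10s} {unit + ' per year':>16s}"]
    for (name, c, f), (_, comp) in zip(outcomes, risk_components(outcomes)):
        lines.append(f"{name:32s} {c:10.3g} {f:10.3g} {comp:16.4g}")
    lines.append(f"{'Total Risk Integral':32s} {'':10s} {'':10s} {risk_integral(outcomes):16.4g}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(HEATED_VESSEL_OUTCOMES, "PLL"))
    print()
    print(format_table(COLUMN_RUPTURE_OUTCOMES, "US $"))
```

For the heated vessel data the total is 0.212 PLL per year, with the flash fire outcome contributing almost half of it; for the single column rupture event the result is 39,900 US $ per year, which is the figure the lesson uses in its cost comparison.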


Single Event Risk Example


Using the consequence and likelihood values determined for the single event column rupture and explosion hazard, calculate the inherent risk.
Consequence = 140 M$
Likelihood = 2.85 x 10^-4 per year

For the column rupture example described earlier in the lesson, both the consequence and the likelihood have been determined, as 140 M$ and 2.85*10^-4 events per year respectively.


Single Event Risk Example


Risk = Consequence * Likelihood
Inherent risk = 140 M$ * 2.85*10^-4 /yr = 39,900 [US $ / year]

The column rupture inherent risk is simply calculated by multiplying 140 M$ by 2.85*10^-4 /yr, which yields an inherent risk of 39,900 [US $ / year].


What Is the Required Risk Reduction?


Now the required risk reduction factor (RRF) can easily be calculated
Input parameters are:
The unmitigated risk before any safety system
The established tolerable risk level

RRF = unmitigated risk / tolerable risk

Given inherent, unmitigated risks resulting from a consequence and likelihood analysis along with tolerable risk, the required risk reduction factor that an SIF needs to achieve can be calculated by dividing the inherent risk by the tolerable risk. As noted earlier, it is important to make sure that the inherent risk or risk integral and tolerable risk are expressed in the same units.


Risk Reduction Example 1


Given the heated vessel pressure relief SIF example with its PLL of 0.21 fatalities per year and a tolerable risk level of 0.001 fatalities per year, what is the required risk reduction?


All that is needed for the heated vessel pressure relief SIF example is the tolerable risk in terms of probable loss of life per year.


Risk Reduction Example 1


Given the heated vessel pressure relief SIF example with its PLL of 0.21 fatalities per year and a tolerable risk level of 0.001 fatalities per year, what is the required risk reduction?

RRF = (0.21 PLL per year) / (0.001 PLL per year) = 210

Thus dividing the existing unmitigated risk by the tolerable risk gives the required risk reduction factor of 210.


Risk Reduction Example 2


A SIF is being considered to prevent the column rupture and explosion event described earlier
Consequence = 140 M$, including personnel, environment, equipment, etc.
Likelihood = 2.85*10^-4 /yr, after accounting for all layers of protection

A low-cost, low-performance SIL 1 SIF can provide a risk reduction factor of 10 for $5,000 per year net cost
A higher-cost, higher-performance SIL 2 SIF can provide a risk reduction factor of 100 for $20,000 per year net cost

Which system should be selected?

Considering the column rupture and explosion example developed earlier along with the safety system cost data, which SIF option should be chosen?


Risk Reduction Example 2


This example can be solved by calculating the annual cost associated with the risk of each option.
For the case with no safety system, the cost of the hazard is $39,900 per year
With the first case low-cost system, the RRF of 10 reduces the hazard cost to $39,900/10 = $3,990 per year, while the system itself adds $5,000 per year, for a total $8,990 overall annual cost or a net savings of $30,910 relative to no safety system

Putting each case on an annual cost basis clarifies the choice significantly. Since the first option provides a $31,000 per year savings relative to doing nothing, it has significant potential.


Risk Reduction Example 2


Considering the second option in the same way as the first:
For the case with no safety system, the cost of the hazard is $39,900 per year
With the second case higher-cost, higher-performance system, the RRF of 100 reduces the hazard cost to $39,900/100 = $399 per year, while the system itself adds $20,000 per year, for a total $20,399 overall annual cost or a net savings of $19,501 relative to no safety system
Thus the SIL 1 SIF is the best option, with the greatest savings of ~$31,000 per year relative to doing nothing.

Option | Cost of Risk | Cost of System | Total Cost | Total Savings
Do nothing | $39,900 | $0 | $39,900 | $0
SIL 1 SIF | $3,990 | $5,000 | $8,990 | $30,910
SIL 2 SIF | $399 | $20,000 | $20,399 | $19,501

Although the higher performance system reduces the risk cost to only $399 per year, its $20,000 per year total cost pushes it to a lower level of savings than the SIL 1 SIF option. Thus the SIL 1 SIF is the best option for this situation.
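The annual-cost comparison above, as an added example that is not part of the exida lesson: each option's total annual cost is its residual risk cost (hazard cost divided by the option's RRF) plus its own net yearly cost, and savings are measured against doing nothing. The option data are constructed from the slides; the `break_even_system_cost` helper, which gives the yearly system cost at which an option would merely tie a competitor, goes beyond the slides' comparison.

```python
# Added example, not part of the exida lesson: cost-benefit comparison of SIF
# options on an annual cost basis. Assumes the hazard cost is already an
# expected loss per year (consequence * likelihood) in the same currency as
# the system costs.

from typing import Dict, List, Tuple

Option = Tuple[str, float, float]  # (name, risk reduction factor, net system cost per year in $)

HAZARD_COST_PER_YEAR = 39_900.0  # 140 M$ * 2.85e-4 /yr, the column rupture inherent risk

# Constructed from the slides; "Do nothing" is RRF 1 at no cost.
COLUMN_RUPTURE_OPTIONS: List[Option] = [
    ("Do nothing", 1.0, 0.0),
    ("SIL 1 SIF", 10.0, 5_000.0),
    ("SIL 2 SIF", 100.0, 20_000.0),
]


def evaluate_options(hazard_cost: float, options: List[Option]) -> List[Dict[str, object]]:
    """One row per option: residual risk cost, system cost, total annual cost,
    and savings relative to doing nothing (RRF 1, no system cost)."""
    baseline = hazard_cost
    rows = []
    for name, rrf, system_cost in options:
        if rrf < 1.0:
            raise ValueError(f"{name!r}: an RRF below 1 would increase risk")
        risk_cost = hazard_cost / rrf
        total = risk_cost + system_cost
        rows.append({
            "option": name,
            "risk_cost": risk_cost,
            "system_cost": system_cost,
            "total": total,
            "savings": baseline - total,
        })
    return rows


def best_option(hazard_cost: float, options: List[Option]) -> str:
    """Option with the lowest total annual cost (equivalently, the greatest savings)."""
    return min(evaluate_options(hazard_cost, options), key=lambda row: row["total"])["option"]


def break_even_system_cost(hazard_cost: float, rrf: float, competing_total: float) -> float:
    """Largest net yearly system cost at which an option with this RRF still
    matches a competing option's total annual cost. To compare against doing
    nothing, pass competing_total=hazard_cost."""
    return competing_total - hazard_cost / rrf


def format_table(rows: List[Dict[str, object]]) -> str:
    """Plain-text version of the slide's option table."""
    lines = [f"{'Option':12s} {'Cost of Risk':>13s} {'Cost of System':>15s} {'Total Cost':>12s} {'Total Savings':>14s}"]
    for r in rows:
        lines.append(f"{r['option']:12s} {r['risk_cost']:13,.0f} {r['system_cost']:15,.0f} "
                     f"{r['total']:12,.0f} {r['savings']:14,.0f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(evaluate_options(HAZARD_COST_PER_YEAR, COLUMN_RUPTURE_OPTIONS)))
    print("Best option:", best_option(HAZARD_COST_PER_YEAR, COLUMN_RUPTURE_OPTIONS))
```

With the slide's numbers the SIL 1 SIF wins at $8,990 per year; the break-even helper shows the SIL 2 SIF would have to cost no more than $8,591 per year to match it, which is one way to put a price on the extra order of magnitude of risk reduction.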


Multiple Receptors per SIF


Occasionally a set of tolerable risk levels and risk estimates gives different risk reduction factors depending on the personnel, environmental, or financial receptors considered

Personnel RRF = 1000 Environmental RRF = 300 Financial RRF = 150 Choose highest RRF = 1000 for specifying the system


For multiple receptors per hazard, some companies calculate risk reduction factors for each receptor. The RRF for the instrumented function in this situation is chosen to be the highest one, since it will automatically satisfy the other lesser requirements.


SIL Assignment
- SIL selection is performed based on the RRF calculated for the SIF
- For the heated vessel case, the RRF = 210; target SIL = SIL 3
- The minimum risk reduction of 1000 for a SIL 3 SIF guarantees that any SIL 3 system will achieve the required risk reduction factor

Safety Integrity Level | Probability of failure on demand, average (low demand mode of operation) | Risk Reduction Factor
SIL 4 | >=10^-5 to <10^-4 | 100000 to 10000
SIL 3 | >=10^-4 to <10^-3 | 10000 to 1000
SIL 2 | >=10^-3 to <10^-2 | 1000 to 100
SIL 1 | >=10^-2 to <10^-1 | 100 to 10


The final step in the personnel case is to select the target Safety Integrity Level for the Safety Instrumented Function based on the required risk reduction factor. Here the RRF of 210 indicates that a target of SIL 3 is required for the SIF. Note: even though the risk reduction factor range for SIL 2 is 100 to 1000, SIL 3 was selected. If a target of SIL 2 were selected, the SIF as designed might have an actual RRF of only 100, which satisfies SIL 2 requirements but would not be enough for the heated vessel example, where an RRF of 210 is required.


Quantitative SIL Selection Summary


Topics:
- Risk and the Context of SIL Selection
- Safety Instrumented Functions
- Consequence
- Likelihood
- Risk integrals approach
- Required risk reduction leading to SIL assignment

SLC Analysis Phase:
1 Concept
2 Overall Scope Definition
3 Hazard & Risk Analysis
4 Overall Safety Requirements
5 Safety Requirements Allocation


The lesson began with the safety lifecycle (SLC) context of SIL selection and a brief review of risk, including the idea of defining a level of tolerable risk. The lesson then presented a brief description of the safety instrumented functions to which the SILs are to be assigned. Next the lesson addressed the consequence and likelihood components of risk in more detail as they relate to identifying the existing level of risk in a process or piece of equipment, including how to determine a hazard's consequence and how the likelihood of a hazard can be quantitatively determined. Then the lesson considered the combination of multiple outcomes based on the risk integrals approach. Finally, based on the difference between the existing risk and the tolerable risk level identified and approved by the organization in question, the risk reduction requirement for the specific SIF was determined and the SIL assignment made. To be sure the material is thoroughly understood, please take the time to go back and review any parts of this lesson as needed before moving on to the quiz.


Additional Resources
For more information on SIL selection and Safety Instrumented Systems, consider reviewing the following book:
Systematic SIL Selection With Layer of Protection Analysis (coming soon to the exida.com web store)

Also consider exida.com on-line lessons on:
- Process Hazards Analysis
- ALARP and Tolerable Risk
- Consequence Analysis Overview
- Introduction to Likelihood Analysis
- Layer of Protection Analysis (LOPA)
- Qualitative SIL Selection

More information on both qualitative and quantitative SIL selection and some aspects of SIS design is available from books and other training classes. The forthcoming exida.com book Systematic SIL Selection With Layer of Protection Analysis provides a detailed description of tolerable risk, likelihood, consequence, and general Safety Instrumented Systems with SIL selection process examples. Also consider reviewing the exida.com on-line lessons on process hazards analysis, ALARP and tolerable risk, consequence analysis, likelihood analysis, layer of protection analysis, and qualitative SIL selection for additional information.


Questions
Questions: Please send any questions to info@exida.com. We will respond as soon as possible.
Additional Resources: Free articles are available to download from the exida.com website. These can be reached at http://www.exida.com/articles.asp. Additional resources including books, tools, and reports are available from the exida on-line store. A product listing is available at http://www.exida.com/products2/.

If you have any questions, please send them via email to info@exida.com. Please refer to this particular lesson, Quantitative SIL Selection. Additional resources are available from the exida.com website, including a series of free articles that may be downloaded. Books, reports, and engineering tools are available at the exida on-line store. exida.com is a knowledge company focused on system reliability and safety. We provide training, tools, coaching, and consulting. For general information about exida, please view our website at www.exida.com. Thank you for your interest. Please consider other lessons in the on-line training series from exida.com.
