Methods for SIL Determination

Alan G King
ABB Eutech Process Solutions

Outline of Presentation

SIL Determination
  - What is SIL Determination?
  - Safety Integrity Levels
  - Safety Lifecycle
  - Risk Targets
Overview of Methods
Problems & Suitability
Summary

What is SIL Determination?

- Applies to Safety Instrumented Functions on a plant or proposed plant.
- It is the assignment of a Safety Integrity Level (SIL) to the Safety Instrumented Function, based on the risk reduction necessary to achieve a required risk target.

Safety Function

A Safety Function is a means of managing risk in relation to a specific hazardous event.

Definition: A function to be implemented by a Safety Instrumented System (SIS), other technology safety related system or external risk reduction facilities, which is intended to achieve or maintain a safe state for the process, with respect to a specific hazardous event.
IEC 61511-1 Clause 3.2.68

Safety Function (figure)

Initiating Event(s) -> Specific Hazardous Event
Safety Function: achieves or maintains a safe state for the process.

A safety function relates to a specific hazardous event.

Safety Instrumented Function (SIF)

Sensor(s) -> Logic Solver -> Final Element(s)

The Safety Instrumented Function is the complete end-to-end arrangement.

Safety Integrity Levels

SIL   PFDavg (Average Probability of Failure on Demand)
1     0.1 - 0.01
2     0.01 - 0.001
3     0.001 - 0.0001
4     0.0001 - 0.00001
IEC 61511-1, Clause 9.2.3 - Table 3

Note (1): This definition of SIL is for demand mode of operation.
Note (2): Applies to the whole safety function, not to individual parts.

Lifecycle Approach (IEC 61511-1: Fig 8)

 1  Hazard and Risk Assessment (Clause 8)
 2  Allocation of safety functions to protection layers (Clause 9)
 3  Safety Requirements Specification for the safety instrumented system
 4  Design & Engineering of Safety Instrumented System
 5  Installation, Commissioning and Validation
 6  Operation and Maintenance
 7  Modification
 8  Decommissioning
 9  Verification
10  Management of functional safety and functional safety assessment and auditing
11  Safety Lifecycle structure and planning

Alongside the SIS design phases: Design & Development of other means of risk reduction (shown dashed: no detailed requirements given in IEC 61511).

Risk Targets

Types of risk: Safety, Environment, Business Risk (asset loss, product loss, production loss).

IEC 61511 applies to protection of people and the environment.
Company/site risk targets are required for each type of risk.

Overview of Methods

Methods for SIL Determination:
- Safety Layer Matrix (IEC 61511-3 Annex C)
- Risk Graphs (IEC 61511-3 Annex D)
- Layer of Protection Analysis (LOPA) (IEC 61511-3 Annex F)
- Fault Tree Analysis (IEC 61511-3 Annex B)

Common Themes of Methods

- Hazard identification.
- Focus on a specific hazardous event.
- Identify initiating causes and their frequencies.
- Identify protective measures (other than the safety instrumented function being assessed).
- Assess the level of risk and the contribution to risk reduction required (if any) from a Safety Instrumented Function to meet the required risk target(s), in terms of PFDavg and/or Safety Integrity Level.
- Consider whether risk is reduced to ALARP.

Safety Layer Matrix

Protection Layers (IEC 61511-3: Figure C1 - Protection Layers), outermost first:
- Emergency Response
- Physical Protection: Relief Devices
- Safety Instrumented Systems
- Alarms & Operators
- Basic Process Control System
- Process

Safety Layer Matrix - Two Parameters

Severity Categories:
- Minor (e.g. temporary injury to personnel or damage to the environment)
- Serious (e.g. serious injury to personnel or the environment)
- Extensive (e.g. catastrophic consequence to personnel or the environment)

Likelihood (Frequency):
- Low (x1) (e.g. unlikely in life of plant)
- Medium (x10) (e.g. probable once in life of plant)
- High (x100) (e.g. several times in life of plant)

Example Safety Layer Matrix

Safety Integrity Level Required (rows: Hazardous Event Likelihood (Frequency); columns: Hazardous Event Severity Rating)

Likelihood \ Severity   Minor          Serious   Extensive
Low                     Unclassified   1         2
Medium                  1              2         3
High                    2              3         3+

Note: Other protection layers having risk reduction of at least 10 reduce the SIL by 1.
Based on IEC 61511-3: Figure C2

Safety Layer Matrix Calibration

From IEC 61511-3:
"The safety target level has been embedded in the matrix. In other words, the matrix is based on the operating experience and risk criteria of the specific company, the design, operating and protection philosophy of the company, and the level of safety that the company has established as its safety target level."

You therefore need to fill in the matrix according to the risk criteria for your company/site.

Risk Graphs

Risk Graphs - Four Parameters

Consequence (C): Number of fatalities and/or serious injuries likely to result from the occurrence of the hazardous event.

Exposure (F): Probability that the exposed area is occupied at the time of the hazardous event.

Avoidance (P): The probability that exposed persons are able to avoid the hazardous situation which exists if the safety instrumented function fails on demand.

Demand Rate (W): The number of times per year that the hazardous event would occur in the absence of the safety instrumented function under consideration.

Example Risk Graph (figure)

The figure selects a path through the graph by Consequence, Exposure and Avoidance, and reads the SIL from the column for the Demand Rate. W2 is a range from X per year to X/10 per year.

Generalised arrangement: in practical implementations the arrangement is specific to the applications to be covered by the risk graph.

Risk Graph Calibration

What is calibration: Calibration of the risk graph is the process of assigning numerical values to risk graph parameters. (This includes the layout and the SIL numbers in the columns.)

When considering the calibration of risk graphs, it is important to consider requirements relating to risk arising from both the owner's expectations and Regulatory Authority requirements.

It is important that this process of calibration is agreed at a senior level within the organisation taking responsibility for safety. The decisions taken determine the overall safety achieved.

Layer of Protection Analysis (LOPA)

LOPA Essentials

Columns: Initiating Cause | Demand Frequency | Other Technology Risk Reduction Measures | Intermediate Event Frequency | Required Risk Reduction from SIF | Mitigated Event Frequency

Worked row (hazardous event: vessel loss of containment):
- Initiating cause: failure of flow control loop, leading to high pressure. Demand frequency F = 0.2 /yr.
- Other technology risk reduction measures: independent high pressure alarm and operator response to alarm, P = 0.1; pressure relief valve failure on demand, P = 0.01.
- Intermediate event frequency = 0.2 x 0.1 x 0.01 = 0.0002 /yr = 2 x 10^-4 /yr.
- Target frequency = 1 x 10^-5 /yr.
- Required risk reduction from SIF: PFDavg = Target / Intermediate Event Frequency = 1 x 10^-5 / 2 x 10^-4 = 0.05, i.e. SIL 1.
- Mitigated event frequency F = 0.2 x 0.1 x 0.01 x 0.05 = 1 x 10^-5 /yr.
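The arithmetic of this LOPA row, as an added Python example written for this page rather than taken from the presentation: the IEC 61511-1 Table 3 bands turn the required PFDavg into a SIL, and the independent flag on a layer is an assumption added here to reflect the dependency point made later in the presentation (a layer that shares equipment, people or services with the SIF is given no credit).

```python
from dataclasses import dataclass
# Demand-mode SIL bands from IEC 61511-1 Table 3: (SIL, lower PFDavg incl., upper excl.)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

def sil_for_pfd(pfd):
    """0 = no SIF needed (PFDavg >= 0.1); None = tighter than SIL 4, beyond one SIF."""
    if pfd >= 0.1:
        return 0
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    return None

@dataclass(frozen=True)
class ProtectionLayer:
    name: str
    pfd: float                # probability of failure on demand of this layer
    independent: bool = True  # False if it shares equipment, people or services with the SIF

@dataclass(frozen=True)
class LopaScenario:
    hazardous_event: str
    initiating_cause: str
    demand_frequency: float  # initiating events per year, with no protection credited
    layers: tuple            # ProtectionLayer entries other than the SIF being assessed
    target_frequency: float  # tolerable frequency of the hazardous event, per year

    def intermediate_frequency(self):
        """Demand frequency after the other layers; a dependent layer earns no credit."""
        frequency = self.demand_frequency
        for layer in self.layers:
            frequency *= layer.pfd if layer.independent else 1.0
        return frequency

    def required_sif_pfd(self):
        """PFDavg the SIF must achieve, capped at 1.0 when no SIF is needed."""
        return min(1.0, self.target_frequency / self.intermediate_frequency())

    def required_sil(self):
        return sil_for_pfd(self.required_sif_pfd())

# The slide's worked case: flow control loop failure leading to loss of containment.
HIGH_PRESSURE = LopaScenario(
    hazardous_event="Vessel loss of containment",
    initiating_cause="Failure of flow control loop, leading to high pressure",
    demand_frequency=0.2,
    layers=(ProtectionLayer("Independent high pressure alarm and operator response", 0.1),
            ProtectionLayer("Pressure relief valve", 0.01)),
    target_frequency=1e-5,
)
```

Marking the alarm as not independent (for instance if it shared the SIF's pressure transmitter) removes its factor of 0.1 and moves the required PFDavg from 0.05 (SIL 1) to 0.005 (SIL 2).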

Fault Tree Analysis

Fault Tree Analysis (FTA)

Fault tree (figure): Init. Cause 1, the combination (Init. Cause 2 AND No operator response to alarm), and Init. Cause 3 are combined by an OR gate into a demand frequency; that frequency is ANDed with Safety Instrumented Function 1 (PFDavg) and with Other technology safety function failed to give the Frequency of Overpressure Event.

Gate inputs are frequencies and/or probabilities: a frequency ANDed with a probability gives a frequency.

Fault Tree Analysis - Common Cause

Sensors arranged as 1oo2 voting: Sensor 1, Sensor 2.

Fault tree (figure): Overall Sensor PFDavg = [Sensor 1 (PFDavg) AND Sensor 2 (PFDavg)] OR Sensor Common Cause (PFDavg).
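The 1oo2 sensor tree on this slide, as an added Python example that is not from the presentation: a small AND/OR fault-tree evaluator, with constructed sensor and common-cause PFDavg values (0.02 per sensor and 0.002 for common cause; the slide gives none) to show how the common-cause term dominates the independent product.

```python
import math

def or_gate(*probs):
    """OR of independent failure probabilities: 1 - prod(1 - p); about sum(p) for small p."""
    return 1.0 - math.prod(1.0 - p for p in probs)

def and_gate(*probs):
    """AND of independent failure probabilities (all inputs must fail): the product."""
    return math.prod(probs)

def evaluate(node):
    """Evaluate a fault tree given as nested tuples: a node is either a basic-event
    PFDavg (number) or ("AND" | "OR", [child nodes])."""
    if isinstance(node, (int, float)):
        return float(node)
    gate, children = node
    values = [evaluate(child) for child in children]
    return and_gate(*values) if gate == "AND" else or_gate(*values)

def sensor_subsystem_pfd(pfd_sensor1, pfd_sensor2, pfd_common_cause):
    """1oo2 sensors, as in the slide's tree: the subsystem fails if both sensors
    fail independently OR a common-cause failure takes both out."""
    tree = ("OR", [("AND", [pfd_sensor1, pfd_sensor2]), pfd_common_cause])
    return evaluate(tree)

def common_cause_share(pfd_sensor1, pfd_sensor2, pfd_common_cause):
    """Fraction of the overall sensor PFDavg that the common-cause term contributes."""
    return pfd_common_cause / sensor_subsystem_pfd(pfd_sensor1, pfd_sensor2, pfd_common_cause)

# Constructed sample values (not from the slide): two sensors of PFDavg 0.02 each and a
# common-cause term of 0.002. The independent product alone is 0.0004 (SIL 3 band);
# with the common-cause term the subsystem is about 0.0024 (SIL 2 band).
SAMPLE_SENSOR_PFD = 0.02
SAMPLE_COMMON_CAUSE_PFD = 0.002

def sample_subsystem_pfd(with_common_cause=True):
    common_cause = SAMPLE_COMMON_CAUSE_PFD if with_common_cause else 0.0
    return sensor_subsystem_pfd(SAMPLE_SENSOR_PFD, SAMPLE_SENSOR_PFD, common_cause)
```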

Problem Areas

Particular Problem Areas:
- Calibration
- Multiple Initiating Causes
- Dependency
- Humans
- SIL and/or PFDavg

Multiple Initiating Causes (figure)

Cause 1, Cause 2 and Cause 3 each pass through different safeguards (labelled A and C in the figure) to the same Hazardous Event.

Dependency

Dependency is when two or more layers of protection are not independent. Multiple layers can fail dangerous together because they either
(a) share items of equipment, human contributions or services, or
(b) have items that can be affected by a common failure (common cause or common mode failures).

Taking into account common cause failure between safety layers, and between safety layers and the BPCS (61511-1 Clause 8.2.1).

Humans

Causing demands on protective systems:
- Missing out steps in a process
- Failing to do manual tasks (e.g. manual valves left open), etc.
- Ignoring alarms or not responding in time

Creating problems with instrumented protective systems:
- Leaving systems isolated, calibration errors, inadequate testing, defeating systems, maintenance errors
- Failing to take mitigating action in time

Assessing the probability of the human error and its impact on the risk.

PFDavg and / or SIL

Some methods just give, for example, SIL 1 for the performance of the Safety Instrumented Function (SIF). This implies that anywhere in the SIL 1 range will do, that is to say, a PFDavg of 0.1 would be sufficient.

Other methods (LOPA and FTA) provide a PFDavg, for example PFDavg = 0.05 maximum, and hence imply that the design must achieve both the rigour for SIL 1 and the PFDavg stated.

Comparison of Methods

Method               | Initial Screening | Detailed Analysis | Multiple Causes with Different Protection | Potential Dependency | Output (SIL or PFDavg) | Need to include specific Human Factors aspects | Suitable for SIL
Safety Layer Matrix  |                   | NR                | NR                                        | NR                   | SIL                    | NR                                             | 1
Risk Graphs          |                   | NR                | NR                                        | NR                   | SIL                    | NR                                             | 1
LOPA                 |                   |                   | R                                         | NR                   | PFDavg                 |                                                | 1 or 2??
Fault Tree Analysis  | NR                | R                 | R                                         | R                    | PFDavg                 |                                                | All

NR = Not recommended; R = Recommended

Summary

- Check that target criteria are available and calibrate the tool to be used.
- Appoint a suitable team to provide input for SIL Determination.
- Carry out screening, using an appropriate method, to identify Unclassified and SIL 1 functions (identifying any dependency).
- Arrange more detailed consideration of SIL 2 and higher (using an appropriate method), or where dependency is an issue.
- Consider whether the remaining risk is ALARP.

Contact Details

Dr Alan G King
ABB Eutech Process Solutions
Pavilion 9, Belasis Hall Technology Park
PO Box 99, Billingham
Cleveland TS23 4YS
Tel: +44 (0) 1642 372252
Fax: +44 (0) 1642 372111
E-mail: alan.g.king@gb.abb.com, agking@iee.org

Further information

A Process Industry View of IEC 61508
http://www.iee.org/OnComms/sector/computing//Download.cfm?ID=D5C9A65D8376-4D5C-9D7F6A38199CC57B

IEC61508 - Initial Phases of the Safety Lifecycle in the Process Industry
http://www.sipi61508.com/ws-material/ciks/king1.pdf

SIL Determination - Hints and Tips for Practitioners
http://www.sipi61508.com/ws-material/ciks/king2.pdf

SIL Determination - Training Course (2 days)
Risk Practitioners: Hazard Assessment - Training Course (5 days)
Contact: jackie.kendall@gb.abb.com