The standards provide some examples of the methods. These only demonstrate the approach — you shouldn't, for instance, simply use the risk graph shown in the IEC 61508 standard. In a real situation you must create a specific risk graph that reflects target risk criteria for the site and application in question. This often is referred to as "calibration." Without such calibration, use of the risk graph is erroneous. Similar cautions relate to the SLM.
A number of issues need to be addressed during SIL determination. Let's focus on three that are easily overlooked by those new to the process.
The first is to identify and include all failures that could place a demand on a SIF, not just the obvious ones: some arise in normal operation, others during start-up and shutdown. The standards insist that we "ensure that the SIS safety requirements are achieved for all relevant modes of the process," including maintenance, process upset and emergency shutdown. Without this, the SIL determination may seriously underestimate the frequency of demands on the instrumented protection and therefore indicate a lower SIL than is really required. The resulting risk could be an order of magnitude higher than intended.
The second issue is acknowledging that people make mistakes when interacting with the SIS. Not every task will have the desired outcome; perfection isn't attainable. The likelihood of human failure and its impact on risk must be factored into the assessment calculations, both when determining the target SIL and when calculating the achieved SIL. This is particularly important for safety functions designed to SIL 2 and above, where, without careful consideration, the human component may totally dominate the unreliability. For further information on human factors and risk assessment, see Ref. 4.
Table 1. Safety Integrity Level versus Average Probability of Failure on Demand (PFDavg). Most process plants require a SIL no greater than 2.
The third is the assessment of dependency. This is sometimes referred to as common mode or common cause failure, but dependency is actually wider than those terms imply. It matters because most SIL determination methods inherently assume that all the measures (layers) being considered (demands, alarms, SIF, etc.) are wholly independent. In many instances they aren't, and assuming that they are leads to an underestimate of the target SIL. That underestimate means the risk reduction is inadequate and the actual level of risk will be substantially higher than intended.
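To make the three pitfalls concrete, the following Python carries a LOPA-style target calculation through them in turn. This is an added worked example, not from the article: all process numbers (tolerable event frequency, demand rates, alarm and transmitter PFDs, operator error probability) are constructed for illustration, and the function names are hypothetical. The only standard-derived content is the set of low-demand SIL/PFDavg bands from IEC 61508-1 Table 2.

```python
"""Worked SIL-target calculation illustrating the three pitfalls above.

Added example, not from the article. All numeric inputs are constructed for
illustration; only the SIL/PFDavg bands come from IEC 61508-1 Table 2
(low-demand mode).
"""
from math import prod
from typing import Optional, Sequence

# IEC 61508 low-demand bands: (SIL, lower PFDavg bound inclusive, upper bound exclusive)
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def sil_for_pfd(required_pfd: float) -> Optional[int]:
    """SIL whose PFDavg band contains required_pfd.

    0 means no SIF is needed (a PFD of 0.1 or worse suffices); None means the
    required PFD lies below the SIL 4 band and cannot be met by a single SIF.
    """
    if required_pfd >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= required_pfd < hi:
            return sil
    return None


def layer_with_human_action(hardware_pfd: float, human_error_prob: float) -> float:
    """PFD of a layer such as 'alarm plus operator response': it fails if either
    the hardware fails or the operator fails to act."""
    return 1.0 - (1.0 - hardware_pfd) * (1.0 - human_error_prob)


def combined_pfd(layer_pfds: Sequence[float], shared_element_pfd: float = 0.0) -> float:
    """Probability that the whole protection stack fails on a demand.

    shared_element_pfd models a component every layer depends on (e.g. one
    transmitter feeding both the alarm and the SIF). When it fails, all layers
    fail together, so the stack can never do better than that value.
    """
    independent = prod(layer_pfds)
    return shared_element_pfd + (1.0 - shared_element_pfd) * independent


def required_sif_pfd(demand_rate: float, tolerable_rate: float,
                     other_layer_pfds: Sequence[float],
                     shared_element_pfd: float = 0.0) -> Optional[float]:
    """Largest SIF PFDavg such that demand_rate * P(all protection fails) <= tolerable_rate.

    Returns None when the shared element alone already exceeds the budget: no
    SIF design can recover that, the dependency itself must be removed.
    """
    budget = tolerable_rate / demand_rate  # allowed P(all protection fails)
    if shared_element_pfd >= budget:
        return None
    # Solve shared + (1 - shared) * prod(other) * sif <= budget for sif.
    return (budget - shared_element_pfd) / ((1.0 - shared_element_pfd) * prod(other_layer_pfds))


def worked_example() -> dict:
    """Run the same SIF through the three pitfalls. All inputs are constructed."""
    tolerable = 1e-5          # tolerable hazardous-event frequency, per year
    normal_demands = 0.05     # demands/yr from steady-state process upsets
    transient_demands = 0.20  # extra demands/yr during start-up and shutdown
    alarm_hw = 0.01           # PFD of the alarm hardware alone
    operator_fail = 0.10      # probability the operator fails to respond in time
    shared_transmitter = 0.005  # PFD of a transmitter used by both alarm and SIF

    out = {}
    # Pitfall 1: only the obvious demands counted, alarm credited as pure hardware.
    r1 = required_sif_pfd(normal_demands, tolerable, [alarm_hw])
    out["naive"] = (r1, sil_for_pfd(r1))
    # Pitfall 1 corrected: demands from all modes of operation are included.
    demands = normal_demands + transient_demands
    r2 = required_sif_pfd(demands, tolerable, [alarm_hw])
    out["all_modes"] = (r2, sil_for_pfd(r2))
    # Pitfall 2 corrected: the operator is part of the alarm layer.
    alarm = layer_with_human_action(alarm_hw, operator_fail)
    r3 = required_sif_pfd(demands, tolerable, [alarm])
    out["with_human"] = (r3, sil_for_pfd(r3))
    # Pitfall 3: a SIF built to r3 on the independence assumption, then checked
    # against the reality that the alarm and the SIF share one transmitter.
    sif_pfd = 3e-4
    f_assumed = demands * combined_pfd([alarm, sif_pfd])
    f_actual = demands * combined_pfd([alarm, sif_pfd], shared_transmitter)
    out["dependency"] = (f_assumed, f_actual,
                         required_sif_pfd(demands, tolerable, [alarm], shared_transmitter))
    return out


if __name__ == "__main__":
    for name, values in worked_example().items():
        print(name, values)
```

With these inputs the same function moves from SIL 1 (obvious demands only) to SIL 2 (all operating modes) to SIL 3 (operator included in the alarm credit). The dependency case shows why the independence assumption is dangerous: the predicted event frequency with independent layers sits below the tolerable value, but the shared transmitter alone fails more often than the whole protection stack is allowed to, so the actual frequency is over a hundred times the target and `required_sif_pfd` returns None rather than a SIL that could be bought with better SIF hardware.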
Proper SIL Determination
Working out what the demand frequency may be is always going to be difficult. Clearly, the more frequent the demands, the greater the awareness of the plant operators as to how often demands occur.