It's important to include all potential sources of demand in any SIL determination. To do this, it's vital to have a systematic approach that covers normal operation, abnormal operation, start-up, shutdown and demands initiated from outside the plant (loss of services, power, etc.). Many of these may be infrequent but, when added together, they become significant. Demand trees are a good way of being systematic.
Estimating infrequent demands is difficult. This is especially so when the interval between demands is more than about 10 years. There may be no member of staff who has worked at the plant for that length of time.
Three aspects of SIL determination deserve special mention: team competencies, alarms and personnel exposure.
Team competencies. Effective SIL determination requires input from many disciplines. It's certainly not something for the instrument engineer to do as a solo exercise!
It can be done in a way similar to a hazard and operability study — via meetings with a leader (preferably a trained safety and reliability professional) and appropriate representatives of other relevant disciplines. These should include instrument and control engineers, process engineers and plant operations staff (preferably actual plant operators).
It's essential to choose people for such meetings carefully, to ensure all relevant disciplines are present and the group will work well together. Sometimes the presence of more senior management can inhibit the discussion of what really happens at the plant.
Such meetings can work well for initial screening purposes and may provide sufficient detail to justify SIL-1 safety functions. For the higher SIL, more detail would be appropriate and, for this, it's better to appoint someone independent of the design team to carry out the assessment.
Alarms. SIL determinations often must consider potential risk reduction from operator response to alarms. However, there's a tendency to do this without sufficient thought!
There's a need to ask questions such as: will the operator be available to respond? There may be insufficient time to respond. There may be too many other alarms at the time. It may be difficult for the operator to decide what to do. How do you know the operator will take the correct action on initiation of an alarm? Is there a clear, well-defined, documented response for each critical alarm? Is the means of response still available to the operator? If an alarm has occurred because a control valve has stuck open, then an operator response "close control valve" using the same valve isn't going to be effective!
There's a need to think through the scenario and decide what the operator should do — and then ensure that all operators are aware of the appropriate action.
Personnel exposure. When we're considering potential consequences of failure of a trip, we often need to look at the proportion of time that the person most at risk may be in the vicinity of the part of the plant where he or she could be injured.
Usually, for a high hazard area this intentionally will be quite small — less than 10% of the working day. However, before claiming benefit from this, it's important to consider whether the person is likely to be asked to go to the hazard area to investigate just when the incident may occur. In that case, the probability of the person being there is nearer to 100% than to 10%.
Are Results Right?
At process plants, most SIFs won't require higher than SIL 1. For safety functions requiring SIL 2 and above, there are questions to address: do you have the correct formula for your reliability calculation? Have you considered common cause failure? Do you have a method for selecting appropriate values for common cause factors? How do you allow for physical blockages of connections to the plant process? Do you account for power supply failures, cabling and instrument manifold piping? Have you included contributions from human error in your calculation of PFDavg?
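The arithmetic behind the three points above (summing a demand tree, deciding what personnel exposure to claim, and checking a redundant design with common cause included) as an added worked example; this is not the article's own method or data, and every demand rate, tolerable frequency, failure rate and beta value in it is a constructed illustrative value.

```python
# Added worked example (not from the article). All rates, targets and failure
# rates are constructed; PFDavg bands and the simplified 1oo2 formula follow
# IEC 61508, so check your own standard and plant data before relying on them.

# Constructed demand tree: demands on the SIF per year, across normal operation,
# start-up and events initiated from outside the plant.
DEMAND_TREE = {
    "control loop failure (normal operation)": 0.10,
    "operator error during start-up": 0.05,
    "loss of cooling water (external)": 0.02,
    "power dip tripping feed pump (external)": 0.03,
}

def total_demand_rate(tree):
    """Sum every branch: individually infrequent demands add up."""
    return sum(tree.values())

def required_rrf(demand_rate, exposure, tolerable_freq):
    """Risk reduction the SIF must provide. exposure is the probability the
    most-exposed person is present; use 1.0 if they may be sent to investigate."""
    return max(demand_rate * exposure / tolerable_freq, 1.0)

def sil_for_pfd(pfd):
    """Map a low-demand PFDavg to its IEC 61508 SIL band (0 = below SIL 1)."""
    for lo, hi, sil in [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]:
        if lo <= pfd < hi:
            return sil
    return 0 if pfd >= 1e-1 else None  # below the SIL 4 band: out of scope

def pfd_1oo2(lam_du, test_interval, beta):
    """Simplified 1oo2 PFDavg with beta-factor common cause (IEC 61508-6):
    lam_du per channel per year, proof-test interval in years, beta fraction."""
    independent = (1 - beta) ** 2 * (lam_du * test_interval) ** 2 / 3
    common_cause = beta * lam_du * test_interval / 2
    return independent + common_cause

def assess(tree, exposure, tolerable_freq, lam_du, test_interval, beta):
    """Compare the SIL the hazard demands with what a 1oo2 design achieves."""
    rrf = required_rrf(total_demand_rate(tree), exposure, tolerable_freq)
    achieved = pfd_1oo2(lam_du, test_interval, beta)
    return {"required_rrf": rrf, "target_sil": sil_for_pfd(1.0 / rrf),
            "achieved_pfd": achieved, "achieved_sil": sil_for_pfd(achieved),
            "meets_target": achieved <= 1.0 / rrf}

if __name__ == "__main__":
    for exposure in (0.1, 1.0):  # under 10% of the day vs. sent to investigate
        print(exposure, assess(DEMAND_TREE, exposure, 1e-4, 0.01, 1.0, 0.1))
```

With these constructed values the same 1oo2 design passes when 10% exposure is claimed and fails once the operator may be sent to investigate, and dropping the beta term would make it look a whole SIL band better than it is.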