Do You Really Need SIL 3?

Process plants rarely require that high a safety integrity level for instrumented protection.

By Alan G. King, ABB Engineering Services

Many plants rely on safety instrumented systems (SIS) to address hazards. Determining whether such instrumented protection is needed and, if so, the appropriate Safety Integrity Level (SIL) is crucial for achieving the required level of safety.

A wide variety of methods are available for SIL determination. International standards IEC 61508 [1] and IEC 61511 [2,3] provide a selection. These are found within the "informative" sections of the standards and therefore aren't mandatory — you may choose one of those methods or a suitable alternative approach from elsewhere.

However, certain issues and problems are common to the application of all methods. This article discusses some relevant issues, with a focus on implications of SIL 3.

The Hazardous Event
The starting point within the process is identifying the potential hazardous event — what can happen should the safety function fail to operate correctly on demand (see Figure 1). Here, we're interested in assessing the benefit derived from the safety function. For SIL determination, the consequence can be regarded as the difference in outcome between the safety function working and not working.

Normally, the consequence cost associated with the safety function working will be small compared with it not working. Occasionally, however, the safety function operating as intended can incur a significant cost: lost production or dumped product. The same applies to "spurious tripping," where the SIS acts although no hazardous demand existed. Such consequences must be considered when assessing the benefit from the safety function, and reflected in the SIL. The difference in outcome between the function working and not working is its true benefit in risk reduction.

During the hazard and risk assessment phase of the safety lifecycle (Figure 2), it's important to identify all significant hazardous events. For each of these, an assessment is made as to how much risk reduction is required from a safety instrumented function (SIF) to achieve a target level of risk (Figure 3). The required risk reduction or performance for the SIF is expressed in a SIL. This assessment is often called SIL determination.

SIL determination results in defining the required performance, or "target SIL," for the SIF. Some methods of SIL determination also define a target Average Probability of Failure on Demand, PFDavg, which represents the maximum value permitted within the range covered by the target SIL (Table 1).

Principal methods described in Refs. 1-3 for assigning a target SIL or PFDavg to a SIF are:

• Safety Layer Matrix (SLM);
• Risk Graphs (RG);
• Layer of Protection Analysis (LOPA);
• Fault Tree Analysis (FTA); and
• Event Tree Analysis (ETA).

Each has its strengths. For instance, SLM is the simplest, while FTA and ETA are both highly flexible and therefore suit more complex situations. However, all methods, even the seemingly most straightforward ones, rely heavily on the competence and experience of the user. It's generally reckoned that SLM and RG are suitable for initial screening assessments. Any SIF with a target of SIL 2 or above would require re-assessment using a more detailed and flexible method such as FTA.
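As an added worked example of the risk-reduction arithmetic behind the LOPA method listed above (illustrative code written for this page, not the article's or ABB's), the following Python function takes an initiating-event frequency, the PFDs of the independent protection layers already credited and the tolerable frequency of the hazardous event, computes the required risk reduction factor and the target PFDavg for the SIF, and maps the result onto the low-demand SIL bands of IEC 61508-1 / IEC 61511-1. The plant figures in the usage section (0.2/yr initiating event, a PFD 0.1 alarm, a PFD 0.01 relief valve, tolerable frequency 1e-5/yr) are constructed assumptions, not data from the article.

```python
"""LOPA-style SIL determination for a single safety instrumented function.

Added worked example; this is not code from the article or from ABB.  It
implements the risk-reduction arithmetic behind Layer of Protection Analysis:

    mitigated frequency  = initiating-event frequency x product(PFD of each IPL)
    required RRF         = mitigated frequency / tolerable frequency
    target PFDavg (SIF)  = 1 / required RRF

and then maps the target PFDavg onto the low-demand SIL bands of
IEC 61508-1 / IEC 61511-1.  Every plant number used below is constructed
for illustration and is not taken from the article.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

# Low-demand-mode SIL bands from IEC 61508-1 / IEC 61511-1:
# SIL -> (PFDavg lower bound, inclusive; upper bound, exclusive).
SIL_BANDS = {
    1: (1e-2, 1e-1),
    2: (1e-3, 1e-2),
    3: (1e-4, 1e-3),
    4: (1e-5, 1e-4),
}


@dataclass
class SilResult:
    mitigated_freq: float        # hazardous-event frequency (/yr) with existing IPLs, no SIF
    required_rrf: float          # risk reduction factor the SIF must supply
    target_pfd: Optional[float]  # maximum PFDavg allowed for the SIF; None if no SIF needed
    sil: Optional[int]           # 1..4, or None when the answer is not a SIL band
    band: str                    # "none", "below SIL 1", "SIL n", or "beyond SIL 4"


def determine_sil(initiating_freq: float,
                  ipl_pfds: Sequence[float],
                  tolerable_freq: float) -> SilResult:
    """Return the target SIL/PFDavg for a SIF protecting one hazardous event.

    initiating_freq: frequency of the initiating event, per year.
    ipl_pfds:        PFDavg of each *independent* protection layer already
                     credited (relief valve, independent alarm + operator
                     response, ...).  The SIF being sized is NOT included.
    tolerable_freq:  tolerable frequency of the hazardous event, per year,
                     for the consequence under study.
    """
    if initiating_freq <= 0 or tolerable_freq <= 0:
        raise ValueError("frequencies must be positive")
    if any(not 0 < p <= 1 for p in ipl_pfds):
        raise ValueError("each IPL PFD must lie in (0, 1]")

    mitigated = initiating_freq
    for pfd in ipl_pfds:
        mitigated *= pfd

    required_rrf = mitigated / tolerable_freq
    if required_rrf <= 1.0:
        # Existing layers already meet the target: no instrumented protection needed.
        return SilResult(mitigated, required_rrf, None, None, "none")

    target_pfd = tolerable_freq / mitigated   # == 1 / required_rrf
    for sil in (1, 2, 3, 4):
        lo, hi = SIL_BANDS[sil]
        if lo <= target_pfd < hi:
            return SilResult(mitigated, required_rrf, target_pfd, sil, f"SIL {sil}")

    if target_pfd >= SIL_BANDS[1][1]:
        # RRF between 1 and 10: some reduction is needed, but less than the
        # SIL 1 band; a non-SIL instrumented function or other measure may do.
        return SilResult(mitigated, required_rrf, target_pfd, None, "below SIL 1")
    # PFDavg below 1e-5: no single SIF can be claimed at this level; add
    # independent layers or change the process design instead.
    return SilResult(mitigated, required_rrf, target_pfd, None, "beyond SIL 4")


if __name__ == "__main__":
    # Constructed scenario: high-level initiating event at 0.2/yr, an
    # independent high-level alarm with operator response credited at
    # PFD 0.1, and a tolerable event frequency of 1e-5/yr.
    alarm_only = determine_sil(0.2, [0.1], 1e-5)
    print(alarm_only.band, f"target PFDavg <= {alarm_only.target_pfd:.1e}")
    # Crediting a relief valve (PFD 0.01) as a further IPL changes the answer.
    with_relief = determine_sil(0.2, [0.1, 0.01], 1e-5)
    print(with_relief.band, f"target PFDavg <= {with_relief.target_pfd:.1e}")
```

Running the script puts the article's question in numbers: with only the alarm credited, the SIF needs a PFDavg of about 5e-4 (SIL 3), but crediting a relief valve as a further independent layer relaxes the target to about 5e-2 (SIL 1). Whether that credit is legitimate depends on the layer really being independent of both the initiating event and the SIF, which is exactly where the competence and experience of the analyst matter.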